]> Git Repo - linux.git/blame - security/selinux/hooks.c
projects / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
security: Add hook to invalidate inode security labels
[linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <[email protected]>
828dfe1d
EP		 7 * Chris Vance, <[email protected]>
8 * Wayne Salamon, <[email protected]>
9 * James Morris <[email protected]>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <[email protected]>
13 * Eric Paris <[email protected]>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <[email protected]>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <[email protected]>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <[email protected]>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4 26#include <linux/init.h>
0b24dcb7 27#include <linux/kd.h>
1da177e4 28#include <linux/kernel.h>
0d094efe 29#include <linux/tracehook.h>
1da177e4
LT		 30#include <linux/errno.h>
31#include <linux/sched.h>
3c4ed7bd 32#include <linux/lsm_hooks.h>
1da177e4
LT		 33#include <linux/xattr.h>
34#include <linux/capability.h>
35#include <linux/unistd.h>
36#include <linux/mm.h>
37#include <linux/mman.h>
38#include <linux/slab.h>
39#include <linux/pagemap.h>
0b24dcb7 40#include <linux/proc_fs.h>
1da177e4 41#include <linux/swap.h>
1da177e4
LT		 42#include <linux/spinlock.h>
43#include <linux/syscalls.h>
2a7dba39 44#include <linux/dcache.h>
1da177e4 45#include <linux/file.h>
9f3acc31 46#include <linux/fdtable.h>
1da177e4
LT		 47#include <linux/namei.h>
48#include <linux/mount.h>
1da177e4
LT		 49#include <linux/netfilter_ipv4.h>
50#include <linux/netfilter_ipv6.h>
51#include <linux/tty.h>
52#include <net/icmp.h>
227b60f5 53#include <net/ip.h> /* for local_port_range[] */
1da177e4 54#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 55#include <net/inet_connection_sock.h>
220deb96 56#include <net/net_namespace.h>
d621d35e 57#include <net/netlabel.h>
f5269710 58#include <linux/uaccess.h>
1da177e4 59#include <asm/ioctls.h>
60063497 60#include <linux/atomic.h>
1da177e4
LT		 61#include <linux/bitops.h>
62#include <linux/interrupt.h>
63#include <linux/netdevice.h> /* for network interface checks */
77954983 64#include <net/netlink.h>
1da177e4
LT		 65#include <linux/tcp.h>
66#include <linux/udp.h>
2ee92d46 67#include <linux/dccp.h>
1da177e4
LT		 68#include <linux/quota.h>
69#include <linux/un.h> /* for Unix socket types */
70#include <net/af_unix.h> /* for Unix socket types */
71#include <linux/parser.h>
72#include <linux/nfs_mount.h>
73#include <net/ipv6.h>
74#include <linux/hugetlb.h>
75#include <linux/personality.h>
1da177e4 76#include <linux/audit.h>
6931dfc9 77#include <linux/string.h>
877ce7c1 78#include <linux/selinux.h>
23970741 79#include <linux/mutex.h>
f06febc9 80#include <linux/posix-timers.h>
00234592 81#include <linux/syslog.h>
3486740a 82#include <linux/user_namespace.h>
44fc7ea0 83#include <linux/export.h>
40401530
AV		 84#include <linux/msg.h>
85#include <linux/shm.h>
1da177e4
LT		 86
87#include "avc.h"
88#include "objsec.h"
89#include "netif.h"
224dfbd8 90#include "netnode.h"
3e112172 91#include "netport.h"
d28d1e08 92#include "xfrm.h"
c60475bf 93#include "netlabel.h"
9d57a7f9 94#include "audit.h"
7b98a585 95#include "avc_ss.h"
1da177e4 96
d621d35e 97/* SECMARK reference count */
56a4ca99 98static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 99
1da177e4 100#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 101int selinux_enforcing;
1da177e4
LT		 102
103static int __init enforcing_setup(char *str)
104{
f5269710 105 unsigned long enforcing;
29707b20 106 if (!kstrtoul(str, 0, &enforcing))
f5269710 107 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 108 return 1;
109}
110__setup("enforcing=", enforcing_setup);
111#endif
112
113#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116static int __init selinux_enabled_setup(char *str)
117{
f5269710 118 unsigned long enabled;
29707b20 119 if (!kstrtoul(str, 0, &enabled))
f5269710 120 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 121 return 1;
122}
123__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 124#else
125int selinux_enabled = 1;
1da177e4
LT		 126#endif
127
e18b890b 128static struct kmem_cache *sel_inode_cache;
63205654 129static struct kmem_cache *file_security_cache;
7cae7e26 130
d621d35e
PM		 131/**
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133 *
134 * Description:
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 138 * enabled, false (0) if SECMARK is disabled. If the always_check_network
139 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 140 *
141 */
142static int selinux_secmark_enabled(void)
143{
2be4d74f
CP		 144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145}
146
147/**
148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149 *
150 * Description:
151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
152 * (1) if any are enabled or false (0) if neither are enabled. If the
153 * always_check_network policy capability is enabled, peer labeling
154 * is always considered enabled.
155 *
156 */
157static int selinux_peerlbl_enabled(void)
158{
159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 160}
161
615e51fd
PM		 162static int selinux_netcache_avc_callback(u32 event)
163{
164 if (event == AVC_CALLBACK_RESET) {
165 sel_netif_flush();
166 sel_netnode_flush();
167 sel_netport_flush();
168 synchronize_net();
169 }
170 return 0;
171}
172
d84f4f99
DH		 173/*
174 * initialise the security for the init task
175 */
176static void cred_init_security(void)
1da177e4 177{
3b11a1de 178 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 179 struct task_security_struct *tsec;
180
89d155ef 181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 182 if (!tsec)
d84f4f99 183 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 184
d84f4f99 185 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 186 cred->security = tsec;
1da177e4
LT		 187}
188
88e67f3b
DH		 189/*
190 * get the security ID of a set of credentials
191 */
192static inline u32 cred_sid(const struct cred *cred)
193{
194 const struct task_security_struct *tsec;
195
196 tsec = cred->security;
197 return tsec->sid;
198}
199
275bb41e 200/*
3b11a1de 201 * get the objective security ID of a task
275bb41e
DH		 202 */
203static inline u32 task_sid(const struct task_struct *task)
204{
275bb41e
DH		 205 u32 sid;
206
207 rcu_read_lock();
88e67f3b 208 sid = cred_sid(__task_cred(task));
275bb41e
DH		 209 rcu_read_unlock();
210 return sid;
211}
212
213/*
3b11a1de 214 * get the subjective security ID of the current task
275bb41e
DH		 215 */
216static inline u32 current_sid(void)
217{
5fb49870 218 const struct task_security_struct *tsec = current_security();
275bb41e
DH		 219
220 return tsec->sid;
221}
222
88e67f3b
DH		 223/* Allocate and free functions for each kind of security blob. */
224
1da177e4
LT		 225static int inode_alloc_security(struct inode *inode)
226{
1da177e4 227 struct inode_security_struct *isec;
275bb41e 228 u32 sid = current_sid();
1da177e4 229
a02fe132 230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 231 if (!isec)
232 return -ENOMEM;
233
23970741 234 mutex_init(&isec->lock);
1da177e4 235 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 236 isec->inode = inode;
237 isec->sid = SECINITSID_UNLABELED;
238 isec->sclass = SECCLASS_FILE;
275bb41e 239 isec->task_sid = sid;
1da177e4
LT		 240 inode->i_security = isec;
241
242 return 0;
243}
244
83da53c5
AG		 245/*
246 * Get the security label of an inode.
247 */
248static struct inode_security_struct *inode_security(struct inode *inode)
249{
250 return inode->i_security;
251}
252
253/*
254 * Get the security label of a dentry's backing inode.
255 */
256static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
257{
258 struct inode *inode = d_backing_inode(dentry);
259
260 return inode->i_security;
261}
262
3dc91d43
SR		 263static void inode_free_rcu(struct rcu_head *head)
264{
265 struct inode_security_struct *isec;
266
267 isec = container_of(head, struct inode_security_struct, rcu);
268 kmem_cache_free(sel_inode_cache, isec);
269}
270
1da177e4
LT		 271static void inode_free_security(struct inode *inode)
272{
273 struct inode_security_struct *isec = inode->i_security;
274 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
275
9629d04a
WL		 276 /*
277 * As not all inode security structures are in a list, we check for
278 * empty list outside of the lock to make sure that we won't waste
279 * time taking a lock doing nothing.
280 *
281 * The list_del_init() function can be safely called more than once.
282 * It should not be possible for this function to be called with
283 * concurrent list_add(), but for better safety against future changes
284 * in the code, we use list_empty_careful() here.
285 */
286 if (!list_empty_careful(&isec->list)) {
287 spin_lock(&sbsec->isec_lock);
1da177e4 288 list_del_init(&isec->list);
9629d04a
WL		 289 spin_unlock(&sbsec->isec_lock);
290 }
1da177e4 291
3dc91d43
SR		 292 /*
293 * The inode may still be referenced in a path walk and
294 * a call to selinux_inode_permission() can be made
295 * after inode_free_security() is called. Ideally, the VFS
296 * wouldn't do this, but fixing that is a much harder
297 * job. For now, simply free the i_security via RCU, and
298 * leave the current inode->i_security pointer intact.
299 * The inode will be freed after the RCU grace period too.
300 */
301 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 302}
303
304static int file_alloc_security(struct file *file)
305{
1da177e4 306 struct file_security_struct *fsec;
275bb41e 307 u32 sid = current_sid();
1da177e4 308
63205654 309 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
1da177e4
LT		 310 if (!fsec)
311 return -ENOMEM;
312
275bb41e
DH		 313 fsec->sid = sid;
314 fsec->fown_sid = sid;
1da177e4
LT		 315 file->f_security = fsec;
316
317 return 0;
318}
319
320static void file_free_security(struct file *file)
321{
322 struct file_security_struct *fsec = file->f_security;
1da177e4 323 file->f_security = NULL;
63205654 324 kmem_cache_free(file_security_cache, fsec);
1da177e4
LT		 325}
326
327static int superblock_alloc_security(struct super_block *sb)
328{
329 struct superblock_security_struct *sbsec;
330
89d155ef 331 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 332 if (!sbsec)
333 return -ENOMEM;
334
bc7e982b 335 mutex_init(&sbsec->lock);
1da177e4
LT		 336 INIT_LIST_HEAD(&sbsec->isec_head);
337 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 338 sbsec->sb = sb;
339 sbsec->sid = SECINITSID_UNLABELED;
340 sbsec->def_sid = SECINITSID_FILE;
c312feb2 341 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 342 sb->s_security = sbsec;
343
344 return 0;
345}
346
347static void superblock_free_security(struct super_block *sb)
348{
349 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 350 sb->s_security = NULL;
351 kfree(sbsec);
352}
353
1da177e4
LT		 354/* The file system's label must be initialized prior to use. */
355
eb9ae686 356static const char *labeling_behaviors[7] = {
1da177e4
LT		 357 "uses xattr",
358 "uses transition SIDs",
359 "uses task SIDs",
360 "uses genfs_contexts",
361 "not configured for labeling",
362 "uses mountpoint labeling",
eb9ae686 363 "uses native labeling",
1da177e4
LT		 364};
365
366static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
367
368static inline int inode_doinit(struct inode *inode)
369{
370 return inode_doinit_with_dentry(inode, NULL);
371}
372
373enum {
31e87930 374 Opt_error = -1,
1da177e4
LT		 375 Opt_context = 1,
376 Opt_fscontext = 2,
c9180a57
EP		 377 Opt_defcontext = 3,
378 Opt_rootcontext = 4,
11689d47 379 Opt_labelsupport = 5,
d355987f 380 Opt_nextmntopt = 6,
1da177e4
LT		 381};
382
d355987f
EP		 383#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
384
a447c093 385static const match_table_t tokens = {
832cbd9a
EP		 386 {Opt_context, CONTEXT_STR "%s"},
387 {Opt_fscontext, FSCONTEXT_STR "%s"},
388 {Opt_defcontext, DEFCONTEXT_STR "%s"},
389 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 390 {Opt_labelsupport, LABELSUPP_STR},
31e87930 391 {Opt_error, NULL},
1da177e4
LT		 392};
393
394#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
395
c312feb2
EP		 396static int may_context_mount_sb_relabel(u32 sid,
397 struct superblock_security_struct *sbsec,
275bb41e 398 const struct cred *cred)
c312feb2 399{
275bb41e 400 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 401 int rc;
402
403 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
404 FILESYSTEM__RELABELFROM, NULL);
405 if (rc)
406 return rc;
407
408 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
409 FILESYSTEM__RELABELTO, NULL);
410 return rc;
411}
412
0808925e
EP		 413static int may_context_mount_inode_relabel(u32 sid,
414 struct superblock_security_struct *sbsec,
275bb41e 415 const struct cred *cred)
0808925e 416{
275bb41e 417 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 418 int rc;
419 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
420 FILESYSTEM__RELABELFROM, NULL);
421 if (rc)
422 return rc;
423
424 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
425 FILESYSTEM__ASSOCIATE, NULL);
426 return rc;
427}
428
b43e725d
EP		 429static int selinux_is_sblabel_mnt(struct super_block *sb)
430{
431 struct superblock_security_struct *sbsec = sb->s_security;
432
d5f3a5f6
MS		 433 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
434 sbsec->behavior == SECURITY_FS_USE_TRANS ||
435 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 436 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 437 /* Special handling. Genfs but also in-core setxattr handler */
438 !strcmp(sb->s_type->name, "sysfs") ||
439 !strcmp(sb->s_type->name, "pstore") ||
440 !strcmp(sb->s_type->name, "debugfs") ||
441 !strcmp(sb->s_type->name, "rootfs");
b43e725d
EP		 442}
443
c9180a57 444static int sb_finish_set_opts(struct super_block *sb)
1da177e4 445{
1da177e4 446 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 447 struct dentry *root = sb->s_root;
c6f493d6 448 struct inode *root_inode = d_backing_inode(root);
c9180a57 449 int rc = 0;
1da177e4 450
c9180a57
EP		 451 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
452 /* Make sure that the xattr handler exists and that no
453 error other than -ENODATA is returned by getxattr on
454 the root directory. -ENODATA is ok, as this may be
455 the first boot of the SELinux kernel before we have
456 assigned xattr values to the filesystem. */
457 if (!root_inode->i_op->getxattr) {
29b1deb2
LT		 458 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
459 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 460 rc = -EOPNOTSUPP;
461 goto out;
462 }
463 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
464 if (rc < 0 && rc != -ENODATA) {
465 if (rc == -EOPNOTSUPP)
466 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 467 "%s) has no security xattr handler\n",
468 sb->s_id, sb->s_type->name);
c9180a57
EP		 469 else
470 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 471 "%s) getxattr errno %d\n", sb->s_id,
472 sb->s_type->name, -rc);
c9180a57
EP		 473 goto out;
474 }
475 }
1da177e4 476
c9180a57 477 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
29b1deb2
LT		 478 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
479 sb->s_id, sb->s_type->name);
1da177e4 480
eadcabc6 481 sbsec->flags |= SE_SBINITIALIZED;
b43e725d 482 if (selinux_is_sblabel_mnt(sb))
12f348b9 483 sbsec->flags |= SBLABEL_MNT;
ddd29ec6 484
c9180a57
EP		 485 /* Initialize the root inode. */
486 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 487
c9180a57
EP		 488 /* Initialize any other inodes associated with the superblock, e.g.
489 inodes created prior to initial policy load or inodes created
490 during get_sb by a pseudo filesystem that directly
491 populates itself. */
492 spin_lock(&sbsec->isec_lock);
493next_inode:
494 if (!list_empty(&sbsec->isec_head)) {
495 struct inode_security_struct *isec =
496 list_entry(sbsec->isec_head.next,
497 struct inode_security_struct, list);
498 struct inode *inode = isec->inode;
923190d3 499 list_del_init(&isec->list);
c9180a57
EP		 500 spin_unlock(&sbsec->isec_lock);
501 inode = igrab(inode);
502 if (inode) {
503 if (!IS_PRIVATE(inode))
504 inode_doinit(inode);
505 iput(inode);
506 }
507 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 508 goto next_inode;
509 }
510 spin_unlock(&sbsec->isec_lock);
511out:
512 return rc;
513}
1da177e4 514
c9180a57
EP		 515/*
516 * This function should allow an FS to ask what it's mount security
517 * options were so it can use those later for submounts, displaying
518 * mount options, or whatever.
519 */
520static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 521 struct security_mnt_opts *opts)
c9180a57
EP		 522{
523 int rc = 0, i;
524 struct superblock_security_struct *sbsec = sb->s_security;
525 char *context = NULL;
526 u32 len;
527 char tmp;
1da177e4 528
e0007529 529 security_init_mnt_opts(opts);
1da177e4 530
0d90a7ec 531 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 532 return -EINVAL;
1da177e4 533
c9180a57
EP		 534 if (!ss_initialized)
535 return -EINVAL;
1da177e4 536
af8e50cc
EP		 537 /* make sure we always check enough bits to cover the mask */
538 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
539
0d90a7ec 540 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 541 /* count the number of mount options for this sb */
af8e50cc 542 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 543 if (tmp & 0x01)
e0007529 544 opts->num_mnt_opts++;
c9180a57
EP		 545 tmp >>= 1;
546 }
11689d47 547 /* Check if the Label support flag is set */
0b4bdb35 548 if (sbsec->flags & SBLABEL_MNT)
11689d47 549 opts->num_mnt_opts++;
1da177e4 550
e0007529
EP		 551 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
552 if (!opts->mnt_opts) {
c9180a57
EP		 553 rc = -ENOMEM;
554 goto out_free;
555 }
1da177e4 556
e0007529
EP		 557 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
558 if (!opts->mnt_opts_flags) {
c9180a57
EP		 559 rc = -ENOMEM;
560 goto out_free;
561 }
1da177e4 562
c9180a57
EP		 563 i = 0;
564 if (sbsec->flags & FSCONTEXT_MNT) {
565 rc = security_sid_to_context(sbsec->sid, &context, &len);
566 if (rc)
567 goto out_free;
e0007529
EP		 568 opts->mnt_opts[i] = context;
569 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 570 }
571 if (sbsec->flags & CONTEXT_MNT) {
572 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
573 if (rc)
574 goto out_free;
e0007529
EP		 575 opts->mnt_opts[i] = context;
576 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 577 }
578 if (sbsec->flags & DEFCONTEXT_MNT) {
579 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
580 if (rc)
581 goto out_free;
e0007529
EP		 582 opts->mnt_opts[i] = context;
583 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 584 }
585 if (sbsec->flags & ROOTCONTEXT_MNT) {
83da53c5
AG		 586 struct dentry *root = sbsec->sb->s_root;
587 struct inode_security_struct *isec = backing_inode_security(root);
0808925e 588
c9180a57
EP		 589 rc = security_sid_to_context(isec->sid, &context, &len);
590 if (rc)
591 goto out_free;
e0007529
EP		 592 opts->mnt_opts[i] = context;
593 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 594 }
12f348b9 595 if (sbsec->flags & SBLABEL_MNT) {
11689d47 596 opts->mnt_opts[i] = NULL;
12f348b9 597 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 598 }
1da177e4 599
e0007529 600 BUG_ON(i != opts->num_mnt_opts);
1da177e4 601
c9180a57
EP		 602 return 0;
603
604out_free:
e0007529 605 security_free_mnt_opts(opts);
c9180a57
EP		 606 return rc;
607}
1da177e4 608
c9180a57
EP		 609static int bad_option(struct superblock_security_struct *sbsec, char flag,
610 u32 old_sid, u32 new_sid)
611{
0d90a7ec
DQ		 612 char mnt_flags = sbsec->flags & SE_MNTMASK;
613
c9180a57 614 /* check if the old mount command had the same options */
0d90a7ec 615 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 616 if (!(sbsec->flags & flag) ||
617 (old_sid != new_sid))
618 return 1;
619
620 /* check if we were passed the same options twice,
621 * aka someone passed context=a,context=b
622 */
0d90a7ec
DQ		 623 if (!(sbsec->flags & SE_SBINITIALIZED))
624 if (mnt_flags & flag)
c9180a57
EP		 625 return 1;
626 return 0;
627}
e0007529 628
c9180a57
EP		 629/*
630 * Allow filesystems with binary mount data to explicitly set mount point
631 * labeling information.
632 */
e0007529 633static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 634 struct security_mnt_opts *opts,
635 unsigned long kern_flags,
636 unsigned long *set_kern_flags)
c9180a57 637{
275bb41e 638 const struct cred *cred = current_cred();
c9180a57 639 int rc = 0, i;
c9180a57 640 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 641 const char *name = sb->s_type->name;
83da53c5
AG		 642 struct dentry *root = sbsec->sb->s_root;
643 struct inode_security_struct *root_isec = backing_inode_security(root);
c9180a57
EP		 644 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
645 u32 defcontext_sid = 0;
e0007529
EP		 646 char **mount_options = opts->mnt_opts;
647 int *flags = opts->mnt_opts_flags;
648 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 649
650 mutex_lock(&sbsec->lock);
651
652 if (!ss_initialized) {
653 if (!num_opts) {
654 /* Defer initialization until selinux_complete_init,
655 after the initial policy is loaded and the security
656 server is ready to handle calls. */
c9180a57
EP		 657 goto out;
658 }
659 rc = -EINVAL;
744ba35e
EP		 660 printk(KERN_WARNING "SELinux: Unable to set superblock options "
661 "before the security server is initialized\n");
1da177e4 662 goto out;
c9180a57 663 }
649f6e77
DQ		 664 if (kern_flags && !set_kern_flags) {
665 /* Specifying internal flags without providing a place to
666 * place the results is not allowed */
667 rc = -EINVAL;
668 goto out;
669 }
1da177e4 670
e0007529
EP		 671 /*
672 * Binary mount data FS will come through this function twice. Once
673 * from an explicit call and once from the generic calls from the vfs.
674 * Since the generic VFS calls will not contain any security mount data
675 * we need to skip the double mount verification.
676 *
677 * This does open a hole in which we will not notice if the first
678 * mount using this sb set explict options and a second mount using
679 * this sb does not set any security options. (The first options
680 * will be used for both mounts)
681 */
0d90a7ec 682 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 683 && (num_opts == 0))
f5269710 684 goto out;
e0007529 685
c9180a57
EP		 686 /*
687 * parse the mount options, check if they are valid sids.
688 * also check if someone is trying to mount the same sb more
689 * than once with different security options.
690 */
691 for (i = 0; i < num_opts; i++) {
692 u32 sid;
11689d47 693
12f348b9 694 if (flags[i] == SBLABEL_MNT)
11689d47 695 continue;
44be2f65 696 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
1da177e4 697 if (rc) {
44be2f65 698 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 699 "(%s) failed for (dev %s, type %s) errno=%d\n",
700 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 701 goto out;
702 }
703 switch (flags[i]) {
704 case FSCONTEXT_MNT:
705 fscontext_sid = sid;
706
707 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
708 fscontext_sid))
709 goto out_double_mount;
710
711 sbsec->flags |= FSCONTEXT_MNT;
712 break;
713 case CONTEXT_MNT:
714 context_sid = sid;
715
716 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
717 context_sid))
718 goto out_double_mount;
719
720 sbsec->flags |= CONTEXT_MNT;
721 break;
722 case ROOTCONTEXT_MNT:
723 rootcontext_sid = sid;
724
725 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
726 rootcontext_sid))
727 goto out_double_mount;
728
729 sbsec->flags |= ROOTCONTEXT_MNT;
730
731 break;
732 case DEFCONTEXT_MNT:
733 defcontext_sid = sid;
734
735 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
736 defcontext_sid))
737 goto out_double_mount;
738
739 sbsec->flags |= DEFCONTEXT_MNT;
740
741 break;
742 default:
743 rc = -EINVAL;
744 goto out;
1da177e4 745 }
c9180a57
EP		 746 }
747
0d90a7ec 748 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 749 /* previously mounted with options, but not on this attempt? */
0d90a7ec 750 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 751 goto out_double_mount;
752 rc = 0;
753 goto out;
754 }
755
089be43e 756 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 757 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
758
8e014720
SS		 759 if (!strcmp(sb->s_type->name, "debugfs") ||
760 !strcmp(sb->s_type->name, "sysfs") ||
761 !strcmp(sb->s_type->name, "pstore"))
134509d5 762 sbsec->flags |= SE_SBGENFS;
c9180a57 763
eb9ae686
DQ		 764 if (!sbsec->behavior) {
765 /*
766 * Determine the labeling behavior to use for this
767 * filesystem type.
768 */
98f700f3 769 rc = security_fs_use(sb);
eb9ae686
DQ		 770 if (rc) {
771 printk(KERN_WARNING
772 "%s: security_fs_use(%s) returned %d\n",
773 __func__, sb->s_type->name, rc);
774 goto out;
775 }
c9180a57 776 }
c9180a57
EP		 777 /* sets the context of the superblock for the fs being mounted. */
778 if (fscontext_sid) {
275bb41e 779 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 780 if (rc)
c9180a57 781 goto out;
1da177e4 782
c9180a57 783 sbsec->sid = fscontext_sid;
c312feb2
EP		 784 }
785
786 /*
787 * Switch to using mount point labeling behavior.
788 * sets the label used on all file below the mountpoint, and will set
789 * the superblock context if not already set.
790 */
eb9ae686
DQ		 791 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
792 sbsec->behavior = SECURITY_FS_USE_NATIVE;
793 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
794 }
795
c9180a57
EP		 796 if (context_sid) {
797 if (!fscontext_sid) {
275bb41e
DH		 798 rc = may_context_mount_sb_relabel(context_sid, sbsec,
799 cred);
b04ea3ce 800 if (rc)
c9180a57
EP		 801 goto out;
802 sbsec->sid = context_sid;
b04ea3ce 803 } else {
275bb41e
DH		 804 rc = may_context_mount_inode_relabel(context_sid, sbsec,
805 cred);
b04ea3ce 806 if (rc)
c9180a57 807 goto out;
b04ea3ce 808 }
c9180a57
EP		 809 if (!rootcontext_sid)
810 rootcontext_sid = context_sid;
1da177e4 811
c9180a57 812 sbsec->mntpoint_sid = context_sid;
c312feb2 813 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 814 }
815
c9180a57 816 if (rootcontext_sid) {
275bb41e
DH		 817 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
818 cred);
0808925e 819 if (rc)
c9180a57 820 goto out;
0808925e 821
c9180a57 822 root_isec->sid = rootcontext_sid;
6f3be9f5 823 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 824 }
825
c9180a57 826 if (defcontext_sid) {
eb9ae686
DQ		 827 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
828 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 829 rc = -EINVAL;
830 printk(KERN_WARNING "SELinux: defcontext option is "
831 "invalid for this filesystem type\n");
832 goto out;
1da177e4
LT		 833 }
834
c9180a57
EP		 835 if (defcontext_sid != sbsec->def_sid) {
836 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 837 sbsec, cred);
c9180a57
EP		 838 if (rc)
839 goto out;
840 }
1da177e4 841
c9180a57 842 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 843 }
844
c9180a57 845 rc = sb_finish_set_opts(sb);
1da177e4 846out:
c9180a57 847 mutex_unlock(&sbsec->lock);
1da177e4 848 return rc;
c9180a57
EP		 849out_double_mount:
850 rc = -EINVAL;
851 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 852 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 853 goto out;
1da177e4
LT		 854}
855
094f7b69
JL		 856static int selinux_cmp_sb_context(const struct super_block *oldsb,
857 const struct super_block *newsb)
858{
859 struct superblock_security_struct *old = oldsb->s_security;
860 struct superblock_security_struct *new = newsb->s_security;
861 char oldflags = old->flags & SE_MNTMASK;
862 char newflags = new->flags & SE_MNTMASK;
863
864 if (oldflags != newflags)
865 goto mismatch;
866 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
867 goto mismatch;
868 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
869 goto mismatch;
870 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
871 goto mismatch;
872 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 873 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
874 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 875 if (oldroot->sid != newroot->sid)
876 goto mismatch;
877 }
878 return 0;
879mismatch:
880 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
881 "different security settings for (dev %s, "
882 "type %s)\n", newsb->s_id, newsb->s_type->name);
883 return -EBUSY;
884}
885
886static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
c9180a57 887 struct super_block *newsb)
1da177e4 888{
c9180a57
EP		 889 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
890 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 891
c9180a57
EP		 892 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
893 int set_context = (oldsbsec->flags & CONTEXT_MNT);
894 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 895
0f5e6420
EP		 896 /*
897 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 898 * mount options. thus we can safely deal with this superblock later
0f5e6420 899 */
e8c26255 900 if (!ss_initialized)
094f7b69 901 return 0;
c9180a57 902
c9180a57 903 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 904 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 905
094f7b69 906 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 907 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 908 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 909
c9180a57
EP		 910 mutex_lock(&newsbsec->lock);
911
912 newsbsec->flags = oldsbsec->flags;
913
914 newsbsec->sid = oldsbsec->sid;
915 newsbsec->def_sid = oldsbsec->def_sid;
916 newsbsec->behavior = oldsbsec->behavior;
917
918 if (set_context) {
919 u32 sid = oldsbsec->mntpoint_sid;
920
921 if (!set_fscontext)
922 newsbsec->sid = sid;
923 if (!set_rootcontext) {
83da53c5 924 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 925 newisec->sid = sid;
926 }
927 newsbsec->mntpoint_sid = sid;
1da177e4 928 }
c9180a57 929 if (set_rootcontext) {
83da53c5
AG		 930 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
931 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 932
c9180a57 933 newisec->sid = oldisec->sid;
1da177e4
LT		 934 }
935
c9180a57
EP		 936 sb_finish_set_opts(newsb);
937 mutex_unlock(&newsbsec->lock);
094f7b69 938 return 0;
c9180a57
EP		 939}
940
2e1479d9
AB		 941static int selinux_parse_opts_str(char *options,
942 struct security_mnt_opts *opts)
c9180a57 943{
e0007529 944 char *p;
c9180a57
EP		 945 char *context = NULL, *defcontext = NULL;
946 char *fscontext = NULL, *rootcontext = NULL;
e0007529 947 int rc, num_mnt_opts = 0;
1da177e4 948
e0007529 949 opts->num_mnt_opts = 0;
1da177e4 950
c9180a57
EP		 951 /* Standard string-based options. */
952 while ((p = strsep(&options, "|")) != NULL) {
953 int token;
954 substring_t args[MAX_OPT_ARGS];
1da177e4 955
c9180a57
EP		 956 if (!*p)
957 continue;
1da177e4 958
c9180a57 959 token = match_token(p, tokens, args);
1da177e4 960
c9180a57
EP		 961 switch (token) {
962 case Opt_context:
963 if (context || defcontext) {
964 rc = -EINVAL;
965 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
966 goto out_err;
967 }
968 context = match_strdup(&args[0]);
969 if (!context) {
970 rc = -ENOMEM;
971 goto out_err;
972 }
973 break;
974
975 case Opt_fscontext:
976 if (fscontext) {
977 rc = -EINVAL;
978 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
979 goto out_err;
980 }
981 fscontext = match_strdup(&args[0]);
982 if (!fscontext) {
983 rc = -ENOMEM;
984 goto out_err;
985 }
986 break;
987
988 case Opt_rootcontext:
989 if (rootcontext) {
990 rc = -EINVAL;
991 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
992 goto out_err;
993 }
994 rootcontext = match_strdup(&args[0]);
995 if (!rootcontext) {
996 rc = -ENOMEM;
997 goto out_err;
998 }
999 break;
1000
1001 case Opt_defcontext:
1002 if (context || defcontext) {
1003 rc = -EINVAL;
1004 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1005 goto out_err;
1006 }
1007 defcontext = match_strdup(&args[0]);
1008 if (!defcontext) {
1009 rc = -ENOMEM;
1010 goto out_err;
1011 }
1012 break;
11689d47
DQ		 1013 case Opt_labelsupport:
1014 break;
c9180a57
EP		 1015 default:
1016 rc = -EINVAL;
1017 printk(KERN_WARNING "SELinux: unknown mount option\n");
1018 goto out_err;
1da177e4 1019
1da177e4 1020 }
1da177e4 1021 }
c9180a57 1022
e0007529
EP		 1023 rc = -ENOMEM;
1024 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1025 if (!opts->mnt_opts)
1026 goto out_err;
1027
1028 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1029 if (!opts->mnt_opts_flags) {
1030 kfree(opts->mnt_opts);
1031 goto out_err;
1032 }
1033
c9180a57 1034 if (fscontext) {
e0007529
EP		 1035 opts->mnt_opts[num_mnt_opts] = fscontext;
1036 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1037 }
1038 if (context) {
e0007529
EP		 1039 opts->mnt_opts[num_mnt_opts] = context;
1040 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1041 }
1042 if (rootcontext) {
e0007529
EP		 1043 opts->mnt_opts[num_mnt_opts] = rootcontext;
1044 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1045 }
1046 if (defcontext) {
e0007529
EP		 1047 opts->mnt_opts[num_mnt_opts] = defcontext;
1048 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1049 }
1050
e0007529
EP		 1051 opts->num_mnt_opts = num_mnt_opts;
1052 return 0;
1053
c9180a57
EP		 1054out_err:
1055 kfree(context);
1056 kfree(defcontext);
1057 kfree(fscontext);
1058 kfree(rootcontext);
1da177e4
LT		 1059 return rc;
1060}
e0007529
EP		 1061/*
1062 * string mount options parsing and call set the sbsec
1063 */
1064static int superblock_doinit(struct super_block *sb, void *data)
1065{
1066 int rc = 0;
1067 char *options = data;
1068 struct security_mnt_opts opts;
1069
1070 security_init_mnt_opts(&opts);
1071
1072 if (!data)
1073 goto out;
1074
1075 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1076
1077 rc = selinux_parse_opts_str(options, &opts);
1078 if (rc)
1079 goto out_err;
1080
1081out:
649f6e77 1082 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1083
1084out_err:
1085 security_free_mnt_opts(&opts);
1086 return rc;
1087}
1da177e4 1088
3583a711
AB		 1089static void selinux_write_opts(struct seq_file *m,
1090 struct security_mnt_opts *opts)
2069f457
EP		 1091{
1092 int i;
1093 char *prefix;
1094
1095 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1096 char *has_comma;
1097
1098 if (opts->mnt_opts[i])
1099 has_comma = strchr(opts->mnt_opts[i], ',');
1100 else
1101 has_comma = NULL;
2069f457
EP		 1102
1103 switch (opts->mnt_opts_flags[i]) {
1104 case CONTEXT_MNT:
1105 prefix = CONTEXT_STR;
1106 break;
1107 case FSCONTEXT_MNT:
1108 prefix = FSCONTEXT_STR;
1109 break;
1110 case ROOTCONTEXT_MNT:
1111 prefix = ROOTCONTEXT_STR;
1112 break;
1113 case DEFCONTEXT_MNT:
1114 prefix = DEFCONTEXT_STR;
1115 break;
12f348b9 1116 case SBLABEL_MNT:
11689d47
DQ		 1117 seq_putc(m, ',');
1118 seq_puts(m, LABELSUPP_STR);
1119 continue;
2069f457
EP		 1120 default:
1121 BUG();
a35c6c83 1122 return;
2069f457
EP		 1123 };
1124 /* we need a comma before each option */
1125 seq_putc(m, ',');
1126 seq_puts(m, prefix);
1127 if (has_comma)
1128 seq_putc(m, '\"');
a068acf2 1129 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
2069f457
EP		 1130 if (has_comma)
1131 seq_putc(m, '\"');
1132 }
1133}
1134
1135static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1136{
1137 struct security_mnt_opts opts;
1138 int rc;
1139
1140 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1141 if (rc) {
1142 /* before policy load we may get EINVAL, don't show anything */
1143 if (rc == -EINVAL)
1144 rc = 0;
2069f457 1145 return rc;
383795c2 1146 }
2069f457
EP		 1147
1148 selinux_write_opts(m, &opts);
1149
1150 security_free_mnt_opts(&opts);
1151
1152 return rc;
1153}
1154
1da177e4
LT		 1155static inline u16 inode_mode_to_security_class(umode_t mode)
1156{
1157 switch (mode & S_IFMT) {
1158 case S_IFSOCK:
1159 return SECCLASS_SOCK_FILE;
1160 case S_IFLNK:
1161 return SECCLASS_LNK_FILE;
1162 case S_IFREG:
1163 return SECCLASS_FILE;
1164 case S_IFBLK:
1165 return SECCLASS_BLK_FILE;
1166 case S_IFDIR:
1167 return SECCLASS_DIR;
1168 case S_IFCHR:
1169 return SECCLASS_CHR_FILE;
1170 case S_IFIFO:
1171 return SECCLASS_FIFO_FILE;
1172
1173 }
1174
1175 return SECCLASS_FILE;
1176}
1177
13402580
JM		 1178static inline int default_protocol_stream(int protocol)
1179{
1180 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1181}
1182
1183static inline int default_protocol_dgram(int protocol)
1184{
1185 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1186}
1187
1da177e4
LT		 1188static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1189{
1190 switch (family) {
1191 case PF_UNIX:
1192 switch (type) {
1193 case SOCK_STREAM:
1194 case SOCK_SEQPACKET:
1195 return SECCLASS_UNIX_STREAM_SOCKET;
1196 case SOCK_DGRAM:
1197 return SECCLASS_UNIX_DGRAM_SOCKET;
1198 }
1199 break;
1200 case PF_INET:
1201 case PF_INET6:
1202 switch (type) {
1203 case SOCK_STREAM:
13402580
JM		 1204 if (default_protocol_stream(protocol))
1205 return SECCLASS_TCP_SOCKET;
1206 else
1207 return SECCLASS_RAWIP_SOCKET;
1da177e4 1208 case SOCK_DGRAM:
13402580
JM		 1209 if (default_protocol_dgram(protocol))
1210 return SECCLASS_UDP_SOCKET;
1211 else
1212 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1213 case SOCK_DCCP:
1214 return SECCLASS_DCCP_SOCKET;
13402580 1215 default:
1da177e4
LT		 1216 return SECCLASS_RAWIP_SOCKET;
1217 }
1218 break;
1219 case PF_NETLINK:
1220 switch (protocol) {
1221 case NETLINK_ROUTE:
1222 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1223 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1224 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1225 case NETLINK_NFLOG:
1226 return SECCLASS_NETLINK_NFLOG_SOCKET;
1227 case NETLINK_XFRM:
1228 return SECCLASS_NETLINK_XFRM_SOCKET;
1229 case NETLINK_SELINUX:
1230 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1231 case NETLINK_ISCSI:
1232 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1233 case NETLINK_AUDIT:
1234 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1235 case NETLINK_FIB_LOOKUP:
1236 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1237 case NETLINK_CONNECTOR:
1238 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1239 case NETLINK_NETFILTER:
1240 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1241 case NETLINK_DNRTMSG:
1242 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1243 case NETLINK_KOBJECT_UEVENT:
1244 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1245 case NETLINK_GENERIC:
1246 return SECCLASS_NETLINK_GENERIC_SOCKET;
1247 case NETLINK_SCSITRANSPORT:
1248 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1249 case NETLINK_RDMA:
1250 return SECCLASS_NETLINK_RDMA_SOCKET;
1251 case NETLINK_CRYPTO:
1252 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1253 default:
1254 return SECCLASS_NETLINK_SOCKET;
1255 }
1256 case PF_PACKET:
1257 return SECCLASS_PACKET_SOCKET;
1258 case PF_KEY:
1259 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1260 case PF_APPLETALK:
1261 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1262 }
1263
1264 return SECCLASS_SOCKET;
1265}
1266
134509d5
SS		 1267static int selinux_genfs_get_sid(struct dentry *dentry,
1268 u16 tclass,
1269 u16 flags,
1270 u32 *sid)
1da177e4 1271{
8e6c9693 1272 int rc;
134509d5 1273 struct super_block *sb = dentry->d_inode->i_sb;
8e6c9693 1274 char *buffer, *path;
1da177e4 1275
828dfe1d 1276 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1277 if (!buffer)
1278 return -ENOMEM;
1279
8e6c9693
LAG		 1280 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1281 if (IS_ERR(path))
1282 rc = PTR_ERR(path);
1283 else {
134509d5
SS		 1284 if (flags & SE_SBPROC) {
1285 /* each process gets a /proc/PID/ entry. Strip off the
1286 * PID part to get a valid selinux labeling.
1287 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1288 while (path[1] >= '0' && path[1] <= '9') {
1289 path[1] = '/';
1290 path++;
1291 }
8e6c9693 1292 }
134509d5 1293 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1da177e4 1294 }
1da177e4
LT		 1295 free_page((unsigned long)buffer);
1296 return rc;
1297}
1da177e4
LT		 1298
1299/* The inode's security attributes must be initialized before first use. */
1300static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1301{
1302 struct superblock_security_struct *sbsec = NULL;
1303 struct inode_security_struct *isec = inode->i_security;
1304 u32 sid;
1305 struct dentry *dentry;
1306#define INITCONTEXTLEN 255
1307 char *context = NULL;
1308 unsigned len = 0;
1309 int rc = 0;
1da177e4 1310
6f3be9f5 1311 if (isec->initialized == LABEL_INITIALIZED)
1da177e4
LT		 1312 goto out;
1313
23970741 1314 mutex_lock(&isec->lock);
6f3be9f5 1315 if (isec->initialized == LABEL_INITIALIZED)
23970741 1316 goto out_unlock;
1da177e4
LT		 1317
1318 sbsec = inode->i_sb->s_security;
0d90a7ec 1319 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1320 /* Defer initialization until selinux_complete_init,
1321 after the initial policy is loaded and the security
1322 server is ready to handle calls. */
1323 spin_lock(&sbsec->isec_lock);
1324 if (list_empty(&isec->list))
1325 list_add(&isec->list, &sbsec->isec_head);
1326 spin_unlock(&sbsec->isec_lock);
23970741 1327 goto out_unlock;
1da177e4
LT		 1328 }
1329
1330 switch (sbsec->behavior) {
eb9ae686
DQ		 1331 case SECURITY_FS_USE_NATIVE:
1332 break;
1da177e4
LT		 1333 case SECURITY_FS_USE_XATTR:
1334 if (!inode->i_op->getxattr) {
1335 isec->sid = sbsec->def_sid;
1336 break;
1337 }
1338
1339 /* Need a dentry, since the xattr API requires one.
1340 Life would be simpler if we could just pass the inode. */
1341 if (opt_dentry) {
1342 /* Called from d_instantiate or d_splice_alias. */
1343 dentry = dget(opt_dentry);
1344 } else {
1345 /* Called from selinux_complete_init, try to find a dentry. */
1346 dentry = d_find_alias(inode);
1347 }
1348 if (!dentry) {
df7f54c0
EP		 1349 /*
1350 * this is can be hit on boot when a file is accessed
1351 * before the policy is loaded. When we load policy we
1352 * may find inodes that have no dentry on the
1353 * sbsec->isec_head list. No reason to complain as these
1354 * will get fixed up the next time we go through
1355 * inode_doinit with a dentry, before these inodes could
1356 * be used again by userspace.
1357 */
23970741 1358 goto out_unlock;
1da177e4
LT		 1359 }
1360
1361 len = INITCONTEXTLEN;
4cb912f1 1362 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1363 if (!context) {
1364 rc = -ENOMEM;
1365 dput(dentry);
23970741 1366 goto out_unlock;
1da177e4 1367 }
4cb912f1 1368 context[len] = '\0';
1da177e4
LT		 1369 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1370 context, len);
1371 if (rc == -ERANGE) {
314dabb8
JM		 1372 kfree(context);
1373
1da177e4
LT		 1374 /* Need a larger buffer. Query for the right size. */
1375 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1376 NULL, 0);
1377 if (rc < 0) {
1378 dput(dentry);
23970741 1379 goto out_unlock;
1da177e4 1380 }
1da177e4 1381 len = rc;
4cb912f1 1382 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1383 if (!context) {
1384 rc = -ENOMEM;
1385 dput(dentry);
23970741 1386 goto out_unlock;
1da177e4 1387 }
4cb912f1 1388 context[len] = '\0';
1da177e4
LT		 1389 rc = inode->i_op->getxattr(dentry,
1390 XATTR_NAME_SELINUX,
1391 context, len);
1392 }
1393 dput(dentry);
1394 if (rc < 0) {
1395 if (rc != -ENODATA) {
744ba35e 1396 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1397 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1398 -rc, inode->i_sb->s_id, inode->i_ino);
1399 kfree(context);
23970741 1400 goto out_unlock;
1da177e4
LT		 1401 }
1402 /* Map ENODATA to the default file SID */
1403 sid = sbsec->def_sid;
1404 rc = 0;
1405 } else {
f5c1d5b2 1406 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1407 sbsec->def_sid,
1408 GFP_NOFS);
1da177e4 1409 if (rc) {
4ba0a8ad
EP		 1410 char *dev = inode->i_sb->s_id;
1411 unsigned long ino = inode->i_ino;
1412
1413 if (rc == -EINVAL) {
1414 if (printk_ratelimit())
1415 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1416 "context=%s. This indicates you may need to relabel the inode or the "
1417 "filesystem in question.\n", ino, dev, context);
1418 } else {
1419 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1420 "returned %d for dev=%s ino=%ld\n",
1421 __func__, context, -rc, dev, ino);
1422 }
1da177e4
LT		 1423 kfree(context);
1424 /* Leave with the unlabeled SID */
1425 rc = 0;
1426 break;
1427 }
1428 }
1429 kfree(context);
1430 isec->sid = sid;
1431 break;
1432 case SECURITY_FS_USE_TASK:
1433 isec->sid = isec->task_sid;
1434 break;
1435 case SECURITY_FS_USE_TRANS:
1436 /* Default to the fs SID. */
1437 isec->sid = sbsec->sid;
1438
1439 /* Try to obtain a transition SID. */
1440 isec->sclass = inode_mode_to_security_class(inode->i_mode);
652bb9b0
EP		 1441 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1442 isec->sclass, NULL, &sid);
1da177e4 1443 if (rc)
23970741 1444 goto out_unlock;
1da177e4
LT		 1445 isec->sid = sid;
1446 break;
c312feb2
EP		 1447 case SECURITY_FS_USE_MNTPOINT:
1448 isec->sid = sbsec->mntpoint_sid;
1449 break;
1da177e4 1450 default:
c312feb2 1451 /* Default to the fs superblock SID. */
1da177e4
LT		 1452 isec->sid = sbsec->sid;
1453
134509d5 1454 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1455 /* We must have a dentry to determine the label on
1456 * procfs inodes */
1457 if (opt_dentry)
1458 /* Called from d_instantiate or
1459 * d_splice_alias. */
1460 dentry = dget(opt_dentry);
1461 else
1462 /* Called from selinux_complete_init, try to
1463 * find a dentry. */
1464 dentry = d_find_alias(inode);
1465 /*
1466 * This can be hit on boot when a file is accessed
1467 * before the policy is loaded. When we load policy we
1468 * may find inodes that have no dentry on the
1469 * sbsec->isec_head list. No reason to complain as
1470 * these will get fixed up the next time we go through
1471 * inode_doinit() with a dentry, before these inodes
1472 * could be used again by userspace.
1473 */
1474 if (!dentry)
1475 goto out_unlock;
1476 isec->sclass = inode_mode_to_security_class(inode->i_mode);
134509d5
SS		 1477 rc = selinux_genfs_get_sid(dentry, isec->sclass,
1478 sbsec->flags, &sid);
f64410ec
PM		 1479 dput(dentry);
1480 if (rc)
1481 goto out_unlock;
1482 isec->sid = sid;
1da177e4
LT		 1483 }
1484 break;
1485 }
1486
6f3be9f5 1487 isec->initialized = LABEL_INITIALIZED;
1da177e4 1488
23970741
EP		 1489out_unlock:
1490 mutex_unlock(&isec->lock);
1da177e4
LT		 1491out:
1492 if (isec->sclass == SECCLASS_FILE)
1493 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1494 return rc;
1495}
1496
1497/* Convert a Linux signal to an access vector. */
1498static inline u32 signal_to_av(int sig)
1499{
1500 u32 perm = 0;
1501
1502 switch (sig) {
1503 case SIGCHLD:
1504 /* Commonly granted from child to parent. */
1505 perm = PROCESS__SIGCHLD;
1506 break;
1507 case SIGKILL:
1508 /* Cannot be caught or ignored */
1509 perm = PROCESS__SIGKILL;
1510 break;
1511 case SIGSTOP:
1512 /* Cannot be caught or ignored */
1513 perm = PROCESS__SIGSTOP;
1514 break;
1515 default:
1516 /* All other signals. */
1517 perm = PROCESS__SIGNAL;
1518 break;
1519 }
1520
1521 return perm;
1522}
1523
d84f4f99
DH		 1524/*
1525 * Check permission between a pair of credentials
1526 * fork check, ptrace check, etc.
1527 */
1528static int cred_has_perm(const struct cred *actor,
1529 const struct cred *target,
1530 u32 perms)
1531{
1532 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1533
1534 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1535}
1536
275bb41e 1537/*
88e67f3b 1538 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1539 * fork check, ptrace check, etc.
1540 * tsk1 is the actor and tsk2 is the target
3b11a1de 1541 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1542 */
1543static int task_has_perm(const struct task_struct *tsk1,
1544 const struct task_struct *tsk2,
1da177e4
LT		 1545 u32 perms)
1546{
275bb41e
DH		 1547 const struct task_security_struct *__tsec1, *__tsec2;
1548 u32 sid1, sid2;
1da177e4 1549
275bb41e
DH		 1550 rcu_read_lock();
1551 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1552 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1553 rcu_read_unlock();
1554 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1555}
1556
3b11a1de
DH		 1557/*
1558 * Check permission between current and another task, e.g. signal checks,
1559 * fork check, ptrace check, etc.
1560 * current is the actor and tsk2 is the target
1561 * - this uses current's subjective creds
1562 */
1563static int current_has_perm(const struct task_struct *tsk,
1564 u32 perms)
1565{
1566 u32 sid, tsid;
1567
1568 sid = current_sid();
1569 tsid = task_sid(tsk);
1570 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1571}
1572
b68e418c
SS		 1573#if CAP_LAST_CAP > 63
1574#error Fix SELinux to handle capabilities > 63.
1575#endif
1576
1da177e4 1577/* Check whether a task is allowed to use a capability. */
6a9de491 1578static int cred_has_capability(const struct cred *cred,
06112163 1579 int cap, int audit)
1da177e4 1580{
2bf49690 1581 struct common_audit_data ad;
06112163 1582 struct av_decision avd;
b68e418c 1583 u16 sclass;
3699c53c 1584 u32 sid = cred_sid(cred);
b68e418c 1585 u32 av = CAP_TO_MASK(cap);
06112163 1586 int rc;
1da177e4 1587
50c205f5 1588 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1589 ad.u.cap = cap;
1590
b68e418c
SS		 1591 switch (CAP_TO_INDEX(cap)) {
1592 case 0:
1593 sclass = SECCLASS_CAPABILITY;
1594 break;
1595 case 1:
1596 sclass = SECCLASS_CAPABILITY2;
1597 break;
1598 default:
1599 printk(KERN_ERR
1600 "SELinux: out of range capability %d\n", cap);
1601 BUG();
a35c6c83 1602 return -EINVAL;
b68e418c 1603 }
06112163 1604
275bb41e 1605 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1606 if (audit == SECURITY_CAP_AUDIT) {
7b20ea25 1607 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1608 if (rc2)
1609 return rc2;
1610 }
06112163 1611 return rc;
1da177e4
LT		 1612}
1613
1614/* Check whether a task is allowed to use a system operation. */
1615static int task_has_system(struct task_struct *tsk,
1616 u32 perms)
1617{
275bb41e 1618 u32 sid = task_sid(tsk);
1da177e4 1619
275bb41e 1620 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1621 SECCLASS_SYSTEM, perms, NULL);
1622}
1623
1624/* Check whether a task has a particular permission to an inode.
1625 The 'adp' parameter is optional and allows other audit
1626 data to be passed (e.g. the dentry). */
88e67f3b 1627static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1628 struct inode *inode,
1629 u32 perms,
19e49834 1630 struct common_audit_data *adp)
1da177e4 1631{
1da177e4 1632 struct inode_security_struct *isec;
275bb41e 1633 u32 sid;
1da177e4 1634
e0e81739
DH		 1635 validate_creds(cred);
1636
828dfe1d 1637 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1638 return 0;
1639
88e67f3b 1640 sid = cred_sid(cred);
1da177e4
LT		 1641 isec = inode->i_security;
1642
19e49834 1643 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1644}
1645
1646/* Same as inode_has_perm, but pass explicit audit data containing
1647 the dentry to help the auditing code to more easily generate the
1648 pathname if needed. */
88e67f3b 1649static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1650 struct dentry *dentry,
1651 u32 av)
1652{
c6f493d6 1653 struct inode *inode = d_backing_inode(dentry);
2bf49690 1654 struct common_audit_data ad;
88e67f3b 1655
50c205f5 1656 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1657 ad.u.dentry = dentry;
19e49834 1658 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1659}
1660
1661/* Same as inode_has_perm, but pass explicit audit data containing
1662 the path to help the auditing code to more easily generate the
1663 pathname if needed. */
1664static inline int path_has_perm(const struct cred *cred,
3f7036a0 1665 const struct path *path,
2875fa00
EP		 1666 u32 av)
1667{
c6f493d6 1668 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1669 struct common_audit_data ad;
1670
50c205f5 1671 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1672 ad.u.path = *path;
19e49834 1673 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1674}
1675
13f8e981
DH		 1676/* Same as path_has_perm, but uses the inode from the file struct. */
1677static inline int file_path_has_perm(const struct cred *cred,
1678 struct file *file,
1679 u32 av)
1680{
1681 struct common_audit_data ad;
1682
1683 ad.type = LSM_AUDIT_DATA_PATH;
1684 ad.u.path = file->f_path;
19e49834 1685 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1686}
1687
1da177e4
LT		 1688/* Check whether a task can use an open file descriptor to
1689 access an inode in a given way. Check access to the
1690 descriptor itself, and then use dentry_has_perm to
1691 check a particular permission to the file.
1692 Access to the descriptor is implicitly granted if it
1693 has the same SID as the process. If av is zero, then
1694 access to the file is not checked, e.g. for cases
1695 where only the descriptor is affected like seek. */
88e67f3b
DH		 1696static int file_has_perm(const struct cred *cred,
1697 struct file *file,
1698 u32 av)
1da177e4 1699{
1da177e4 1700 struct file_security_struct *fsec = file->f_security;
496ad9aa 1701 struct inode *inode = file_inode(file);
2bf49690 1702 struct common_audit_data ad;
88e67f3b 1703 u32 sid = cred_sid(cred);
1da177e4
LT		 1704 int rc;
1705
50c205f5 1706 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 1707 ad.u.path = file->f_path;
1da177e4 1708
275bb41e
DH		 1709 if (sid != fsec->sid) {
1710 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1711 SECCLASS_FD,
1712 FD__USE,
1713 &ad);
1714 if (rc)
88e67f3b 1715 goto out;
1da177e4
LT		 1716 }
1717
1718 /* av is zero if only checking access to the descriptor. */
88e67f3b 1719 rc = 0;
1da177e4 1720 if (av)
19e49834 1721 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1722
88e67f3b
DH		 1723out:
1724 return rc;
1da177e4
LT		 1725}
1726
c3c188b2
DH		 1727/*
1728 * Determine the label for an inode that might be unioned.
1729 */
83da53c5 1730static int selinux_determine_inode_label(struct inode *dir,
c3c188b2
DH		 1731 const struct qstr *name,
1732 u16 tclass,
1733 u32 *_new_isid)
1734{
1735 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
83da53c5 1736 const struct inode_security_struct *dsec = inode_security(dir);
c3c188b2
DH		 1737 const struct task_security_struct *tsec = current_security();
1738
1739 if ((sbsec->flags & SE_SBINITIALIZED) &&
1740 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1741 *_new_isid = sbsec->mntpoint_sid;
1742 } else if ((sbsec->flags & SBLABEL_MNT) &&
1743 tsec->create_sid) {
1744 *_new_isid = tsec->create_sid;
1745 } else {
1746 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1747 name, _new_isid);
1748 }
1749
1750 return 0;
1751}
1752
1da177e4
LT		 1753/* Check whether a task can create a file. */
1754static int may_create(struct inode *dir,
1755 struct dentry *dentry,
1756 u16 tclass)
1757{
5fb49870 1758 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1759 struct inode_security_struct *dsec;
1760 struct superblock_security_struct *sbsec;
275bb41e 1761 u32 sid, newsid;
2bf49690 1762 struct common_audit_data ad;
1da177e4
LT		 1763 int rc;
1764
83da53c5 1765 dsec = inode_security(dir);
1da177e4
LT		 1766 sbsec = dir->i_sb->s_security;
1767
275bb41e 1768 sid = tsec->sid;
275bb41e 1769
50c205f5 1770 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1771 ad.u.dentry = dentry;
1da177e4 1772
275bb41e 1773 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1774 DIR__ADD_NAME | DIR__SEARCH,
1775 &ad);
1776 if (rc)
1777 return rc;
1778
c3c188b2
DH		 1779 rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass,
1780 &newsid);
1781 if (rc)
1782 return rc;
1da177e4 1783
275bb41e 1784 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1785 if (rc)
1786 return rc;
1787
1788 return avc_has_perm(newsid, sbsec->sid,
1789 SECCLASS_FILESYSTEM,
1790 FILESYSTEM__ASSOCIATE, &ad);
1791}
1792
4eb582cf
ML		 1793/* Check whether a task can create a key. */
1794static int may_create_key(u32 ksid,
1795 struct task_struct *ctx)
1796{
275bb41e 1797 u32 sid = task_sid(ctx);
4eb582cf 1798
275bb41e 1799 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1800}
1801
828dfe1d
EP		 1802#define MAY_LINK 0
1803#define MAY_UNLINK 1
1804#define MAY_RMDIR 2
1da177e4
LT		 1805
1806/* Check whether a task can link, unlink, or rmdir a file/directory. */
1807static int may_link(struct inode *dir,
1808 struct dentry *dentry,
1809 int kind)
1810
1811{
1da177e4 1812 struct inode_security_struct *dsec, *isec;
2bf49690 1813 struct common_audit_data ad;
275bb41e 1814 u32 sid = current_sid();
1da177e4
LT		 1815 u32 av;
1816 int rc;
1817
83da53c5
AG		 1818 dsec = inode_security(dir);
1819 isec = backing_inode_security(dentry);
1da177e4 1820
50c205f5 1821 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1822 ad.u.dentry = dentry;
1da177e4
LT		 1823
1824 av = DIR__SEARCH;
1825 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1826 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1827 if (rc)
1828 return rc;
1829
1830 switch (kind) {
1831 case MAY_LINK:
1832 av = FILE__LINK;
1833 break;
1834 case MAY_UNLINK:
1835 av = FILE__UNLINK;
1836 break;
1837 case MAY_RMDIR:
1838 av = DIR__RMDIR;
1839 break;
1840 default:
744ba35e
EP		 1841 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1842 __func__, kind);
1da177e4
LT		 1843 return 0;
1844 }
1845
275bb41e 1846 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1847 return rc;
1848}
1849
1850static inline int may_rename(struct inode *old_dir,
1851 struct dentry *old_dentry,
1852 struct inode *new_dir,
1853 struct dentry *new_dentry)
1854{
1da177e4 1855 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1856 struct common_audit_data ad;
275bb41e 1857 u32 sid = current_sid();
1da177e4
LT		 1858 u32 av;
1859 int old_is_dir, new_is_dir;
1860 int rc;
1861
83da53c5
AG		 1862 old_dsec = inode_security(old_dir);
1863 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1864 old_is_dir = d_is_dir(old_dentry);
83da53c5 1865 new_dsec = inode_security(new_dir);
1da177e4 1866
50c205f5 1867 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1868
a269434d 1869 ad.u.dentry = old_dentry;
275bb41e 1870 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1871 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1872 if (rc)
1873 return rc;
275bb41e 1874 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1875 old_isec->sclass, FILE__RENAME, &ad);
1876 if (rc)
1877 return rc;
1878 if (old_is_dir && new_dir != old_dir) {
275bb41e 1879 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1880 old_isec->sclass, DIR__REPARENT, &ad);
1881 if (rc)
1882 return rc;
1883 }
1884
a269434d 1885 ad.u.dentry = new_dentry;
1da177e4 1886 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1887 if (d_is_positive(new_dentry))
1da177e4 1888 av |= DIR__REMOVE_NAME;
275bb41e 1889 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1890 if (rc)
1891 return rc;
2c616d4d 1892 if (d_is_positive(new_dentry)) {
83da53c5 1893 new_isec = backing_inode_security(new_dentry);
e36cb0b8 1894 new_is_dir = d_is_dir(new_dentry);
275bb41e 1895 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1896 new_isec->sclass,
1897 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1898 if (rc)
1899 return rc;
1900 }
1901
1902 return 0;
1903}
1904
1905/* Check whether a task can perform a filesystem operation. */
88e67f3b 1906static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1907 struct super_block *sb,
1908 u32 perms,
2bf49690 1909 struct common_audit_data *ad)
1da177e4 1910{
1da177e4 1911 struct superblock_security_struct *sbsec;
88e67f3b 1912 u32 sid = cred_sid(cred);
1da177e4 1913
1da177e4 1914 sbsec = sb->s_security;
275bb41e 1915 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1916}
1917
1918/* Convert a Linux mode and permission mask to an access vector. */
1919static inline u32 file_mask_to_av(int mode, int mask)
1920{
1921 u32 av = 0;
1922
dba19c60 1923 if (!S_ISDIR(mode)) {
1da177e4
LT		 1924 if (mask & MAY_EXEC)
1925 av |= FILE__EXECUTE;
1926 if (mask & MAY_READ)
1927 av |= FILE__READ;
1928
1929 if (mask & MAY_APPEND)
1930 av |= FILE__APPEND;
1931 else if (mask & MAY_WRITE)
1932 av |= FILE__WRITE;
1933
1934 } else {
1935 if (mask & MAY_EXEC)
1936 av |= DIR__SEARCH;
1937 if (mask & MAY_WRITE)
1938 av |= DIR__WRITE;
1939 if (mask & MAY_READ)
1940 av |= DIR__READ;
1941 }
1942
1943 return av;
1944}
1945
8b6a5a37
EP		 1946/* Convert a Linux file to an access vector. */
1947static inline u32 file_to_av(struct file *file)
1948{
1949 u32 av = 0;
1950
1951 if (file->f_mode & FMODE_READ)
1952 av |= FILE__READ;
1953 if (file->f_mode & FMODE_WRITE) {
1954 if (file->f_flags & O_APPEND)
1955 av |= FILE__APPEND;
1956 else
1957 av |= FILE__WRITE;
1958 }
1959 if (!av) {
1960 /*
1961 * Special file opened with flags 3 for ioctl-only use.
1962 */
1963 av = FILE__IOCTL;
1964 }
1965
1966 return av;
1967}
1968
b0c636b9 1969/*
8b6a5a37 1970 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 1971 * open permission.
1972 */
8b6a5a37 1973static inline u32 open_file_to_av(struct file *file)
b0c636b9 1974{
8b6a5a37 1975 u32 av = file_to_av(file);
b0c636b9 1976
49b7b8de
EP		 1977 if (selinux_policycap_openperm)
1978 av |= FILE__OPEN;
1979
b0c636b9
EP		 1980 return av;
1981}
1982
1da177e4
LT		 1983/* Hook functions begin here. */
1984
79af7307
SS		 1985static int selinux_binder_set_context_mgr(struct task_struct *mgr)
1986{
1987 u32 mysid = current_sid();
1988 u32 mgrsid = task_sid(mgr);
1989
1990 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
1991 BINDER__SET_CONTEXT_MGR, NULL);
1992}
1993
1994static int selinux_binder_transaction(struct task_struct *from,
1995 struct task_struct *to)
1996{
1997 u32 mysid = current_sid();
1998 u32 fromsid = task_sid(from);
1999 u32 tosid = task_sid(to);
2000 int rc;
2001
2002 if (mysid != fromsid) {
2003 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2004 BINDER__IMPERSONATE, NULL);
2005 if (rc)
2006 return rc;
2007 }
2008
2009 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2010 NULL);
2011}
2012
2013static int selinux_binder_transfer_binder(struct task_struct *from,
2014 struct task_struct *to)
2015{
2016 u32 fromsid = task_sid(from);
2017 u32 tosid = task_sid(to);
2018
2019 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2020 NULL);
2021}
2022
2023static int selinux_binder_transfer_file(struct task_struct *from,
2024 struct task_struct *to,
2025 struct file *file)
2026{
2027 u32 sid = task_sid(to);
2028 struct file_security_struct *fsec = file->f_security;
83da53c5
AG		 2029 struct dentry *dentry = file->f_path.dentry;
2030 struct inode_security_struct *isec = backing_inode_security(dentry);
79af7307
SS		 2031 struct common_audit_data ad;
2032 int rc;
2033
2034 ad.type = LSM_AUDIT_DATA_PATH;
2035 ad.u.path = file->f_path;
2036
2037 if (sid != fsec->sid) {
2038 rc = avc_has_perm(sid, fsec->sid,
2039 SECCLASS_FD,
2040 FD__USE,
2041 &ad);
2042 if (rc)
2043 return rc;
2044 }
2045
83da53c5 2046 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2047 return 0;
2048
2049 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2050 &ad);
2051}
2052
9e48858f 2053static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2054 unsigned int mode)
1da177e4 2055{
69f594a3 2056 if (mode & PTRACE_MODE_READ) {
275bb41e
DH		 2057 u32 sid = current_sid();
2058 u32 csid = task_sid(child);
2059 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 2060 }
2061
3b11a1de 2062 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 2063}
2064
2065static int selinux_ptrace_traceme(struct task_struct *parent)
2066{
5cd9c58f 2067 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 2068}
2069
2070static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2071 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2072{
b1d9e6b0 2073 return current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 2074}
2075
d84f4f99
DH		 2076static int selinux_capset(struct cred *new, const struct cred *old,
2077 const kernel_cap_t *effective,
2078 const kernel_cap_t *inheritable,
2079 const kernel_cap_t *permitted)
1da177e4 2080{
d84f4f99 2081 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 2082}
2083
5626d3e8
JM		 2084/*
2085 * (This comment used to live with the selinux_task_setuid hook,
2086 * which was removed).
2087 *
2088 * Since setuid only affects the current process, and since the SELinux
2089 * controls are not based on the Linux identity attributes, SELinux does not
2090 * need to control this operation. However, SELinux does control the use of
2091 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2092 */
2093
6a9de491
EP		 2094static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2095 int cap, int audit)
1da177e4 2096{
6a9de491 2097 return cred_has_capability(cred, cap, audit);
1da177e4
LT		 2098}
2099
1da177e4
LT		 2100static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2101{
88e67f3b 2102 const struct cred *cred = current_cred();
1da177e4
LT		 2103 int rc = 0;
2104
2105 if (!sb)
2106 return 0;
2107
2108 switch (cmds) {
828dfe1d
EP		 2109 case Q_SYNC:
2110 case Q_QUOTAON:
2111 case Q_QUOTAOFF:
2112 case Q_SETINFO:
2113 case Q_SETQUOTA:
88e67f3b 2114 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2115 break;
2116 case Q_GETFMT:
2117 case Q_GETINFO:
2118 case Q_GETQUOTA:
88e67f3b 2119 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2120 break;
2121 default:
2122 rc = 0; /* let the kernel handle invalid cmds */
2123 break;
1da177e4
LT		 2124 }
2125 return rc;
2126}
2127
2128static int selinux_quota_on(struct dentry *dentry)
2129{
88e67f3b
DH		 2130 const struct cred *cred = current_cred();
2131
2875fa00 2132 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2133}
2134
12b3052c 2135static int selinux_syslog(int type)
1da177e4
LT		 2136{
2137 int rc;
2138
1da177e4 2139 switch (type) {
d78ca3cd
KC		 2140 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2141 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
828dfe1d
EP		 2142 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2143 break;
d78ca3cd
KC		 2144 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2145 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2146 /* Set level of messages printed to console */
2147 case SYSLOG_ACTION_CONSOLE_LEVEL:
828dfe1d
EP		 2148 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2149 break;
d78ca3cd
KC		 2150 case SYSLOG_ACTION_CLOSE: /* Close log */
2151 case SYSLOG_ACTION_OPEN: /* Open log */
2152 case SYSLOG_ACTION_READ: /* Read from log */
2153 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2154 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
828dfe1d
EP		 2155 default:
2156 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2157 break;
1da177e4
LT		 2158 }
2159 return rc;
2160}
2161
2162/*
2163 * Check that a process has enough memory to allocate a new virtual
2164 * mapping. 0 means there is enough memory for the allocation to
2165 * succeed and -ENOMEM implies there is not.
2166 *
1da177e4
LT		 2167 * Do not audit the selinux permission check, as this is applied to all
2168 * processes that allocate mappings.
2169 */
34b4e4aa 2170static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2171{
2172 int rc, cap_sys_admin = 0;
1da177e4 2173
b1d9e6b0
CS		 2174 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2175 SECURITY_CAP_NOAUDIT);
1da177e4
LT		 2176 if (rc == 0)
2177 cap_sys_admin = 1;
2178
b1d9e6b0 2179 return cap_sys_admin;
1da177e4
LT		 2180}
2181
2182/* binprm security operations */
2183
7b0d0b40
SS		 2184static int check_nnp_nosuid(const struct linux_binprm *bprm,
2185 const struct task_security_struct *old_tsec,
2186 const struct task_security_struct *new_tsec)
2187{
2188 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2189 int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2190 int rc;
2191
2192 if (!nnp && !nosuid)
2193 return 0; /* neither NNP nor nosuid */
2194
2195 if (new_tsec->sid == old_tsec->sid)
2196 return 0; /* No change in credentials */
2197
2198 /*
2199 * The only transitions we permit under NNP or nosuid
2200 * are transitions to bounded SIDs, i.e. SIDs that are
2201 * guaranteed to only be allowed a subset of the permissions
2202 * of the current SID.
2203 */
2204 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2205 if (rc) {
2206 /*
2207 * On failure, preserve the errno values for NNP vs nosuid.
2208 * NNP: Operation not permitted for caller.
2209 * nosuid: Permission denied to file.
2210 */
2211 if (nnp)
2212 return -EPERM;
2213 else
2214 return -EACCES;
2215 }
2216 return 0;
2217}
2218
a6f76f23 2219static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2220{
a6f76f23
DH		 2221 const struct task_security_struct *old_tsec;
2222 struct task_security_struct *new_tsec;
1da177e4 2223 struct inode_security_struct *isec;
2bf49690 2224 struct common_audit_data ad;
496ad9aa 2225 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2226 int rc;
2227
a6f76f23
DH		 2228 /* SELinux context only depends on initial program or script and not
2229 * the script interpreter */
2230 if (bprm->cred_prepared)
1da177e4
LT		 2231 return 0;
2232
a6f76f23
DH		 2233 old_tsec = current_security();
2234 new_tsec = bprm->cred->security;
83da53c5 2235 isec = inode_security(inode);
1da177e4
LT		 2236
2237 /* Default to the current task SID. */
a6f76f23
DH		 2238 new_tsec->sid = old_tsec->sid;
2239 new_tsec->osid = old_tsec->sid;
1da177e4 2240
28eba5bf 2241 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2242 new_tsec->create_sid = 0;
2243 new_tsec->keycreate_sid = 0;
2244 new_tsec->sockcreate_sid = 0;
1da177e4 2245
a6f76f23
DH		 2246 if (old_tsec->exec_sid) {
2247 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2248 /* Reset exec SID on execve. */
a6f76f23 2249 new_tsec->exec_sid = 0;
259e5e6c 2250
7b0d0b40
SS		 2251 /* Fail on NNP or nosuid if not an allowed transition. */
2252 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2253 if (rc)
2254 return rc;
1da177e4
LT		 2255 } else {
2256 /* Check for a default transition on this program. */
a6f76f23 2257 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2258 SECCLASS_PROCESS, NULL,
2259 &new_tsec->sid);
1da177e4
LT		 2260 if (rc)
2261 return rc;
7b0d0b40
SS		 2262
2263 /*
2264 * Fallback to old SID on NNP or nosuid if not an allowed
2265 * transition.
2266 */
2267 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2268 if (rc)
2269 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2270 }
2271
50c205f5 2272 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 2273 ad.u.path = bprm->file->f_path;
1da177e4 2274
a6f76f23
DH		 2275 if (new_tsec->sid == old_tsec->sid) {
2276 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2277 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2278 if (rc)
2279 return rc;
2280 } else {
2281 /* Check permissions for the transition. */
a6f76f23 2282 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2283 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2284 if (rc)
2285 return rc;
2286
a6f76f23 2287 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2288 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2289 if (rc)
2290 return rc;
2291
a6f76f23
DH		 2292 /* Check for shared state */
2293 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2294 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2295 SECCLASS_PROCESS, PROCESS__SHARE,
2296 NULL);
2297 if (rc)
2298 return -EPERM;
2299 }
2300
2301 /* Make sure that anyone attempting to ptrace over a task that
2302 * changes its SID has the appropriate permit */
2303 if (bprm->unsafe &
2304 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2305 struct task_struct *tracer;
2306 struct task_security_struct *sec;
2307 u32 ptsid = 0;
2308
2309 rcu_read_lock();
06d98473 2310 tracer = ptrace_parent(current);
a6f76f23
DH		 2311 if (likely(tracer != NULL)) {
2312 sec = __task_cred(tracer)->security;
2313 ptsid = sec->sid;
2314 }
2315 rcu_read_unlock();
2316
2317 if (ptsid != 0) {
2318 rc = avc_has_perm(ptsid, new_tsec->sid,
2319 SECCLASS_PROCESS,
2320 PROCESS__PTRACE, NULL);
2321 if (rc)
2322 return -EPERM;
2323 }
2324 }
1da177e4 2325
a6f76f23
DH		 2326 /* Clear any possibly unsafe personality bits on exec: */
2327 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2328 }
2329
1da177e4
LT		 2330 return 0;
2331}
2332
828dfe1d 2333static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2334{
5fb49870 2335 const struct task_security_struct *tsec = current_security();
275bb41e 2336 u32 sid, osid;
1da177e4
LT		 2337 int atsecure = 0;
2338
275bb41e
DH		 2339 sid = tsec->sid;
2340 osid = tsec->osid;
2341
2342 if (osid != sid) {
1da177e4
LT		 2343 /* Enable secure mode for SIDs transitions unless
2344 the noatsecure permission is granted between
2345 the two SIDs, i.e. ahp returns 0. */
275bb41e 2346 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2347 SECCLASS_PROCESS,
2348 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2349 }
2350
b1d9e6b0 2351 return !!atsecure;
1da177e4
LT		 2352}
2353
c3c073f8
AV		 2354static int match_file(const void *p, struct file *file, unsigned fd)
2355{
2356 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2357}
2358
1da177e4 2359/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2360static inline void flush_unauthorized_files(const struct cred *cred,
2361 struct files_struct *files)
1da177e4 2362{
1da177e4 2363 struct file *file, *devnull = NULL;
b20c8122 2364 struct tty_struct *tty;
24ec839c 2365 int drop_tty = 0;
c3c073f8 2366 unsigned n;
1da177e4 2367
24ec839c 2368 tty = get_current_tty();
1da177e4 2369 if (tty) {
ee2ffa0d 2370 spin_lock(&tty_files_lock);
37dd0bd0 2371 if (!list_empty(&tty->tty_files)) {
d996b62a 2372 struct tty_file_private *file_priv;
37dd0bd0 2373
1da177e4 2374 /* Revalidate access to controlling tty.
13f8e981
DH		 2375 Use file_path_has_perm on the tty path directly
2376 rather than using file_has_perm, as this particular
2377 open file may belong to another process and we are
2378 only interested in the inode-based check here. */
d996b62a
NP		 2379 file_priv = list_first_entry(&tty->tty_files,
2380 struct tty_file_private, list);
2381 file = file_priv->file;
13f8e981 2382 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2383 drop_tty = 1;
1da177e4 2384 }
ee2ffa0d 2385 spin_unlock(&tty_files_lock);
452a00d2 2386 tty_kref_put(tty);
1da177e4 2387 }
98a27ba4
EB		 2388 /* Reset controlling tty. */
2389 if (drop_tty)
2390 no_tty();
1da177e4
LT		 2391
2392 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2393 n = iterate_fd(files, 0, match_file, cred);
2394 if (!n) /* none found? */
2395 return;
1da177e4 2396
c3c073f8 2397 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2398 if (IS_ERR(devnull))
2399 devnull = NULL;
2400 /* replace all the matching ones with this */
2401 do {
2402 replace_fd(n - 1, devnull, 0);
2403 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2404 if (devnull)
c3c073f8 2405 fput(devnull);
1da177e4
LT		 2406}
2407
a6f76f23
DH		 2408/*
2409 * Prepare a process for imminent new credential changes due to exec
2410 */
2411static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2412{
a6f76f23
DH		 2413 struct task_security_struct *new_tsec;
2414 struct rlimit *rlim, *initrlim;
2415 int rc, i;
d84f4f99 2416
a6f76f23
DH		 2417 new_tsec = bprm->cred->security;
2418 if (new_tsec->sid == new_tsec->osid)
2419 return;
1da177e4 2420
a6f76f23
DH		 2421 /* Close files for which the new task SID is not authorized. */
2422 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2423
a6f76f23
DH		 2424 /* Always clear parent death signal on SID transitions. */
2425 current->pdeath_signal = 0;
0356357c 2426
a6f76f23
DH		 2427 /* Check whether the new SID can inherit resource limits from the old
2428 * SID. If not, reset all soft limits to the lower of the current
2429 * task's hard limit and the init task's soft limit.
2430 *
2431 * Note that the setting of hard limits (even to lower them) can be
2432 * controlled by the setrlimit check. The inclusion of the init task's
2433 * soft limit into the computation is to avoid resetting soft limits
2434 * higher than the default soft limit for cases where the default is
2435 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2436 */
2437 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2438 PROCESS__RLIMITINH, NULL);
2439 if (rc) {
eb2d55a3
ON		 2440 /* protect against do_prlimit() */
2441 task_lock(current);
a6f76f23
DH		 2442 for (i = 0; i < RLIM_NLIMITS; i++) {
2443 rlim = current->signal->rlim + i;
2444 initrlim = init_task.signal->rlim + i;
2445 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2446 }
eb2d55a3
ON		 2447 task_unlock(current);
2448 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2449 }
2450}
2451
2452/*
a6f76f23
DH		 2453 * Clean up the process immediately after the installation of new credentials
2454 * due to exec
1da177e4 2455 */
a6f76f23 2456static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2457{
a6f76f23 2458 const struct task_security_struct *tsec = current_security();
1da177e4 2459 struct itimerval itimer;
a6f76f23 2460 u32 osid, sid;
1da177e4
LT		 2461 int rc, i;
2462
a6f76f23
DH		 2463 osid = tsec->osid;
2464 sid = tsec->sid;
2465
2466 if (sid == osid)
1da177e4
LT		 2467 return;
2468
a6f76f23
DH		 2469 /* Check whether the new SID can inherit signal state from the old SID.
2470 * If not, clear itimers to avoid subsequent signal generation and
2471 * flush and unblock signals.
2472 *
2473 * This must occur _after_ the task SID has been updated so that any
2474 * kill done after the flush will be checked against the new SID.
2475 */
2476 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4
LT		 2477 if (rc) {
2478 memset(&itimer, 0, sizeof itimer);
2479 for (i = 0; i < 3; i++)
2480 do_setitimer(i, &itimer, NULL);
1da177e4 2481 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2482 if (!fatal_signal_pending(current)) {
2483 flush_sigqueue(&current->pending);
2484 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2485 flush_signal_handlers(current, 1);
2486 sigemptyset(&current->blocked);
9e7c8f8c 2487 recalc_sigpending();
3bcac026 2488 }
1da177e4
LT		 2489 spin_unlock_irq(&current->sighand->siglock);
2490 }
2491
a6f76f23
DH		 2492 /* Wake up the parent if it is waiting so that it can recheck
2493 * wait permission to the new task SID. */
ecd6de3c 2494 read_lock(&tasklist_lock);
0b7570e7 2495 __wake_up_parent(current, current->real_parent);
ecd6de3c 2496 read_unlock(&tasklist_lock);
1da177e4
LT		 2497}
2498
2499/* superblock security operations */
2500
2501static int selinux_sb_alloc_security(struct super_block *sb)
2502{
2503 return superblock_alloc_security(sb);
2504}
2505
2506static void selinux_sb_free_security(struct super_block *sb)
2507{
2508 superblock_free_security(sb);
2509}
2510
2511static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2512{
2513 if (plen > olen)
2514 return 0;
2515
2516 return !memcmp(prefix, option, plen);
2517}
2518
2519static inline int selinux_option(char *option, int len)
2520{
832cbd9a
EP		 2521 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2522 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2523 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2524 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2525 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2526}
2527
2528static inline void take_option(char **to, char *from, int *first, int len)
2529{
2530 if (!*first) {
2531 **to = ',';
2532 *to += 1;
3528a953 2533 } else
1da177e4
LT		 2534 *first = 0;
2535 memcpy(*to, from, len);
2536 *to += len;
2537}
2538
828dfe1d
EP		 2539static inline void take_selinux_option(char **to, char *from, int *first,
2540 int len)
3528a953
CO		 2541{
2542 int current_size = 0;
2543
2544 if (!*first) {
2545 **to = '|';
2546 *to += 1;
828dfe1d 2547 } else
3528a953
CO		 2548 *first = 0;
2549
2550 while (current_size < len) {
2551 if (*from != '"') {
2552 **to = *from;
2553 *to += 1;
2554 }
2555 from += 1;
2556 current_size += 1;
2557 }
2558}
2559
e0007529 2560static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2561{
2562 int fnosec, fsec, rc = 0;
2563 char *in_save, *in_curr, *in_end;
2564 char *sec_curr, *nosec_save, *nosec;
3528a953 2565 int open_quote = 0;
1da177e4
LT		 2566
2567 in_curr = orig;
2568 sec_curr = copy;
2569
1da177e4
LT		 2570 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2571 if (!nosec) {
2572 rc = -ENOMEM;
2573 goto out;
2574 }
2575
2576 nosec_save = nosec;
2577 fnosec = fsec = 1;
2578 in_save = in_end = orig;
2579
2580 do {
3528a953
CO		 2581 if (*in_end == '"')
2582 open_quote = !open_quote;
2583 if ((*in_end == ',' && open_quote == 0) ||
2584 *in_end == '\0') {
1da177e4
LT		 2585 int len = in_end - in_curr;
2586
2587 if (selinux_option(in_curr, len))
3528a953 2588 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2589 else
2590 take_option(&nosec, in_curr, &fnosec, len);
2591
2592 in_curr = in_end + 1;
2593 }
2594 } while (*in_end++);
2595
6931dfc9 2596 strcpy(in_save, nosec_save);
da3caa20 2597 free_page((unsigned long)nosec_save);
1da177e4
LT		 2598out:
2599 return rc;
2600}
2601
026eb167
EP		 2602static int selinux_sb_remount(struct super_block *sb, void *data)
2603{
2604 int rc, i, *flags;
2605 struct security_mnt_opts opts;
2606 char *secdata, **mount_options;
2607 struct superblock_security_struct *sbsec = sb->s_security;
2608
2609 if (!(sbsec->flags & SE_SBINITIALIZED))
2610 return 0;
2611
2612 if (!data)
2613 return 0;
2614
2615 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2616 return 0;
2617
2618 security_init_mnt_opts(&opts);
2619 secdata = alloc_secdata();
2620 if (!secdata)
2621 return -ENOMEM;
2622 rc = selinux_sb_copy_data(data, secdata);
2623 if (rc)
2624 goto out_free_secdata;
2625
2626 rc = selinux_parse_opts_str(secdata, &opts);
2627 if (rc)
2628 goto out_free_secdata;
2629
2630 mount_options = opts.mnt_opts;
2631 flags = opts.mnt_opts_flags;
2632
2633 for (i = 0; i < opts.num_mnt_opts; i++) {
2634 u32 sid;
026eb167 2635
12f348b9 2636 if (flags[i] == SBLABEL_MNT)
026eb167 2637 continue;
44be2f65 2638 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
026eb167 2639 if (rc) {
44be2f65 2640 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 2641 "(%s) failed for (dev %s, type %s) errno=%d\n",
2642 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2643 goto out_free_opts;
2644 }
2645 rc = -EINVAL;
2646 switch (flags[i]) {
2647 case FSCONTEXT_MNT:
2648 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2649 goto out_bad_option;
2650 break;
2651 case CONTEXT_MNT:
2652 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2653 goto out_bad_option;
2654 break;
2655 case ROOTCONTEXT_MNT: {
2656 struct inode_security_struct *root_isec;
83da53c5 2657 root_isec = backing_inode_security(sb->s_root);
026eb167
EP		 2658
2659 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2660 goto out_bad_option;
2661 break;
2662 }
2663 case DEFCONTEXT_MNT:
2664 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2665 goto out_bad_option;
2666 break;
2667 default:
2668 goto out_free_opts;
2669 }
2670 }
2671
2672 rc = 0;
2673out_free_opts:
2674 security_free_mnt_opts(&opts);
2675out_free_secdata:
2676 free_secdata(secdata);
2677 return rc;
2678out_bad_option:
2679 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2680 "during remount (dev %s, type=%s)\n", sb->s_id,
2681 sb->s_type->name);
026eb167
EP		 2682 goto out_free_opts;
2683}
2684
12204e24 2685static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2686{
88e67f3b 2687 const struct cred *cred = current_cred();
2bf49690 2688 struct common_audit_data ad;
1da177e4
LT		 2689 int rc;
2690
2691 rc = superblock_doinit(sb, data);
2692 if (rc)
2693 return rc;
2694
74192246
JM		 2695 /* Allow all mounts performed by the kernel */
2696 if (flags & MS_KERNMOUNT)
2697 return 0;
2698
50c205f5 2699 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2700 ad.u.dentry = sb->s_root;
88e67f3b 2701 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2702}
2703
726c3342 2704static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2705{
88e67f3b 2706 const struct cred *cred = current_cred();
2bf49690 2707 struct common_audit_data ad;
1da177e4 2708
50c205f5 2709 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2710 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2711 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2712}
2713
808d4e3c 2714static int selinux_mount(const char *dev_name,
b5266eb4 2715 struct path *path,
808d4e3c 2716 const char *type,
828dfe1d
EP		 2717 unsigned long flags,
2718 void *data)
1da177e4 2719{
88e67f3b 2720 const struct cred *cred = current_cred();
1da177e4
LT		 2721
2722 if (flags & MS_REMOUNT)
d8c9584e 2723 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2724 FILESYSTEM__REMOUNT, NULL);
1da177e4 2725 else
2875fa00 2726 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2727}
2728
2729static int selinux_umount(struct vfsmount *mnt, int flags)
2730{
88e67f3b 2731 const struct cred *cred = current_cred();
1da177e4 2732
88e67f3b 2733 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2734 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2735}
2736
2737/* inode security operations */
2738
2739static int selinux_inode_alloc_security(struct inode *inode)
2740{
2741 return inode_alloc_security(inode);
2742}
2743
2744static void selinux_inode_free_security(struct inode *inode)
2745{
2746 inode_free_security(inode);
2747}
2748
d47be3df
DQ		 2749static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2750 struct qstr *name, void **ctx,
2751 u32 *ctxlen)
2752{
d47be3df
DQ		 2753 u32 newsid;
2754 int rc;
2755
c3c188b2
DH		 2756 rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name,
2757 inode_mode_to_security_class(mode),
2758 &newsid);
2759 if (rc)
2760 return rc;
d47be3df
DQ		 2761
2762 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2763}
2764
5e41ff9e 2765static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2766 const struct qstr *qstr,
2767 const char **name,
2a7dba39 2768 void **value, size_t *len)
5e41ff9e 2769{
5fb49870 2770 const struct task_security_struct *tsec = current_security();
5e41ff9e 2771 struct superblock_security_struct *sbsec;
275bb41e 2772 u32 sid, newsid, clen;
5e41ff9e 2773 int rc;
9548906b 2774 char *context;
5e41ff9e 2775
5e41ff9e 2776 sbsec = dir->i_sb->s_security;
5e41ff9e 2777
275bb41e
DH		 2778 sid = tsec->sid;
2779 newsid = tsec->create_sid;
2780
c3c188b2
DH		 2781 rc = selinux_determine_inode_label(
2782 dir, qstr,
2783 inode_mode_to_security_class(inode->i_mode),
2784 &newsid);
2785 if (rc)
2786 return rc;
5e41ff9e 2787
296fddf7 2788 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2789 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2790 struct inode_security_struct *isec = inode->i_security;
2791 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2792 isec->sid = newsid;
6f3be9f5 2793 isec->initialized = LABEL_INITIALIZED;
296fddf7 2794 }
5e41ff9e 2795
12f348b9 2796 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2797 return -EOPNOTSUPP;
2798
9548906b
TH		 2799 if (name)
2800 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2801
570bc1c2 2802 if (value && len) {
12b29f34 2803 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 2804 if (rc)
570bc1c2 2805 return rc;
570bc1c2
SS		 2806 *value = context;
2807 *len = clen;
5e41ff9e 2808 }
5e41ff9e 2809
5e41ff9e
SS		 2810 return 0;
2811}
2812
4acdaf27 2813static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2814{
2815 return may_create(dir, dentry, SECCLASS_FILE);
2816}
2817
1da177e4
LT		 2818static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2819{
1da177e4
LT		 2820 return may_link(dir, old_dentry, MAY_LINK);
2821}
2822
1da177e4
LT		 2823static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2824{
1da177e4
LT		 2825 return may_link(dir, dentry, MAY_UNLINK);
2826}
2827
2828static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2829{
2830 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2831}
2832
18bb1db3 2833static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2834{
2835 return may_create(dir, dentry, SECCLASS_DIR);
2836}
2837
1da177e4
LT		 2838static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2839{
2840 return may_link(dir, dentry, MAY_RMDIR);
2841}
2842
1a67aafb 2843static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2844{
1da177e4
LT		 2845 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2846}
2847
1da177e4 2848static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2849 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2850{
2851 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2852}
2853
1da177e4
LT		 2854static int selinux_inode_readlink(struct dentry *dentry)
2855{
88e67f3b
DH		 2856 const struct cred *cred = current_cred();
2857
2875fa00 2858 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2859}
2860
bda0be7a
N		 2861static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2862 bool rcu)
1da177e4 2863{
88e67f3b 2864 const struct cred *cred = current_cred();
bda0be7a
N		 2865 struct common_audit_data ad;
2866 struct inode_security_struct *isec;
2867 u32 sid;
1da177e4 2868
bda0be7a
N		 2869 validate_creds(cred);
2870
2871 ad.type = LSM_AUDIT_DATA_DENTRY;
2872 ad.u.dentry = dentry;
2873 sid = cred_sid(cred);
83da53c5 2874 isec = inode_security(inode);
bda0be7a
N		 2875
2876 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2877 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 2878}
2879
d4cf970d
EP		 2880static noinline int audit_inode_permission(struct inode *inode,
2881 u32 perms, u32 audited, u32 denied,
626b9740 2882 int result,
d4cf970d 2883 unsigned flags)
1da177e4 2884{
b782e0a6 2885 struct common_audit_data ad;
d4cf970d
EP		 2886 struct inode_security_struct *isec = inode->i_security;
2887 int rc;
2888
50c205f5 2889 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 2890 ad.u.inode = inode;
2891
2892 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
626b9740 2893 audited, denied, result, &ad, flags);
d4cf970d
EP		 2894 if (rc)
2895 return rc;
2896 return 0;
2897}
2898
e74f71eb 2899static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2900{
88e67f3b 2901 const struct cred *cred = current_cred();
b782e0a6
EP		 2902 u32 perms;
2903 bool from_access;
cf1dd1da 2904 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 2905 struct inode_security_struct *isec;
2906 u32 sid;
2907 struct av_decision avd;
2908 int rc, rc2;
2909 u32 audited, denied;
1da177e4 2910
b782e0a6 2911 from_access = mask & MAY_ACCESS;
d09ca739
EP		 2912 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2913
b782e0a6
EP		 2914 /* No permission to check. Existence test. */
2915 if (!mask)
1da177e4 2916 return 0;
1da177e4 2917
2e334057 2918 validate_creds(cred);
b782e0a6 2919
2e334057
EP		 2920 if (unlikely(IS_PRIVATE(inode)))
2921 return 0;
b782e0a6
EP		 2922
2923 perms = file_mask_to_av(inode->i_mode, mask);
2924
2e334057 2925 sid = cred_sid(cred);
83da53c5 2926 isec = inode_security(inode);
2e334057
EP		 2927
2928 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2929 audited = avc_audit_required(perms, &avd, rc,
2930 from_access ? FILE__AUDIT_ACCESS : 0,
2931 &denied);
2932 if (likely(!audited))
2933 return rc;
2934
626b9740 2935 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 2936 if (rc2)
2937 return rc2;
2938 return rc;
1da177e4
LT		 2939}
2940
2941static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2942{
88e67f3b 2943 const struct cred *cred = current_cred();
bc6a6008 2944 unsigned int ia_valid = iattr->ia_valid;
95dbf739 2945 __u32 av = FILE__WRITE;
1da177e4 2946
bc6a6008
AW		 2947 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2948 if (ia_valid & ATTR_FORCE) {
2949 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2950 ATTR_FORCE);
2951 if (!ia_valid)
2952 return 0;
2953 }
1da177e4 2954
bc6a6008
AW		 2955 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2956 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 2957 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 2958
44d37ad3
JVS		 2959 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
2960 && !(ia_valid & ATTR_FILE))
95dbf739
EP		 2961 av |= FILE__OPEN;
2962
2963 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 2964}
2965
3f7036a0 2966static int selinux_inode_getattr(const struct path *path)
1da177e4 2967{
3f7036a0 2968 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 2969}
2970
8f0cfa52 2971static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 2972{
88e67f3b
DH		 2973 const struct cred *cred = current_cred();
2974
b5376771
SH		 2975 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2976 sizeof XATTR_SECURITY_PREFIX - 1)) {
2977 if (!strcmp(name, XATTR_NAME_CAPS)) {
2978 if (!capable(CAP_SETFCAP))
2979 return -EPERM;
2980 } else if (!capable(CAP_SYS_ADMIN)) {
2981 /* A different attribute in the security namespace.
2982 Restrict to administrator. */
2983 return -EPERM;
2984 }
2985 }
2986
2987 /* Not an attribute we recognize, so just check the
2988 ordinary setattr permission. */
2875fa00 2989 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 2990}
2991
8f0cfa52
DH		 2992static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2993 const void *value, size_t size, int flags)
1da177e4 2994{
c6f493d6 2995 struct inode *inode = d_backing_inode(dentry);
83da53c5 2996 struct inode_security_struct *isec = backing_inode_security(dentry);
1da177e4 2997 struct superblock_security_struct *sbsec;
2bf49690 2998 struct common_audit_data ad;
275bb41e 2999 u32 newsid, sid = current_sid();
1da177e4
LT		 3000 int rc = 0;
3001
b5376771
SH		 3002 if (strcmp(name, XATTR_NAME_SELINUX))
3003 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3004
3005 sbsec = inode->i_sb->s_security;
12f348b9 3006 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3007 return -EOPNOTSUPP;
3008
2e149670 3009 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3010 return -EPERM;
3011
50c205f5 3012 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3013 ad.u.dentry = dentry;
1da177e4 3014
275bb41e 3015 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 3016 FILE__RELABELFROM, &ad);
3017 if (rc)
3018 return rc;
3019
52a4c640 3020 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
12b29f34 3021 if (rc == -EINVAL) {
d6ea83ec
EP		 3022 if (!capable(CAP_MAC_ADMIN)) {
3023 struct audit_buffer *ab;
3024 size_t audit_size;
3025 const char *str;
3026
3027 /* We strip a nul only if it is at the end, otherwise the
3028 * context contains a nul and we should audit that */
e3fea3f7
AV		 3029 if (value) {
3030 str = value;
3031 if (str[size - 1] == '\0')
3032 audit_size = size - 1;
3033 else
3034 audit_size = size;
3035 } else {
3036 str = "";
3037 audit_size = 0;
3038 }
d6ea83ec
EP		 3039 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3040 audit_log_format(ab, "op=setxattr invalid_context=");
3041 audit_log_n_untrustedstring(ab, value, audit_size);
3042 audit_log_end(ab);
3043
12b29f34 3044 return rc;
d6ea83ec 3045 }
12b29f34
SS		 3046 rc = security_context_to_sid_force(value, size, &newsid);
3047 }
1da177e4
LT		 3048 if (rc)
3049 return rc;
3050
275bb41e 3051 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3052 FILE__RELABELTO, &ad);
3053 if (rc)
3054 return rc;
3055
275bb41e 3056 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 3057 isec->sclass);
1da177e4
LT		 3058 if (rc)
3059 return rc;
3060
3061 return avc_has_perm(newsid,
3062 sbsec->sid,
3063 SECCLASS_FILESYSTEM,
3064 FILESYSTEM__ASSOCIATE,
3065 &ad);
3066}
3067
8f0cfa52 3068static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3069 const void *value, size_t size,
8f0cfa52 3070 int flags)
1da177e4 3071{
c6f493d6 3072 struct inode *inode = d_backing_inode(dentry);
83da53c5 3073 struct inode_security_struct *isec = backing_inode_security(dentry);
1da177e4
LT		 3074 u32 newsid;
3075 int rc;
3076
3077 if (strcmp(name, XATTR_NAME_SELINUX)) {
3078 /* Not an attribute we recognize, so nothing to do. */
3079 return;
3080 }
3081
12b29f34 3082 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 3083 if (rc) {
12b29f34
SS		 3084 printk(KERN_ERR "SELinux: unable to map context to SID"
3085 "for (%s, %lu), rc=%d\n",
3086 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3087 return;
3088 }
3089
aa9c2669 3090 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3091 isec->sid = newsid;
6f3be9f5 3092 isec->initialized = LABEL_INITIALIZED;
aa9c2669 3093
1da177e4
LT		 3094 return;
3095}
3096
8f0cfa52 3097static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3098{
88e67f3b
DH		 3099 const struct cred *cred = current_cred();
3100
2875fa00 3101 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3102}
3103
828dfe1d 3104static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3105{
88e67f3b
DH		 3106 const struct cred *cred = current_cred();
3107
2875fa00 3108 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3109}
3110
8f0cfa52 3111static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3112{
b5376771
SH		 3113 if (strcmp(name, XATTR_NAME_SELINUX))
3114 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3115
3116 /* No one is allowed to remove a SELinux security label.
3117 You can change the label, but all data must be labeled. */
3118 return -EACCES;
3119}
3120
d381d8a9 3121/*
abc69bb6 3122 * Copy the inode security context value to the user.
d381d8a9
JM		 3123 *
3124 * Permission check is handled by selinux_inode_getxattr hook.
3125 */
ea861dfd 3126static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3127{
42492594
DQ		 3128 u32 size;
3129 int error;
3130 char *context = NULL;
83da53c5 3131 struct inode_security_struct *isec = inode_security(inode);
d381d8a9 3132
8c8570fb
DK		 3133 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3134 return -EOPNOTSUPP;
d381d8a9 3135
abc69bb6
SS		 3136 /*
3137 * If the caller has CAP_MAC_ADMIN, then get the raw context
3138 * value even if it is not defined by current policy; otherwise,
3139 * use the in-core value under current policy.
3140 * Use the non-auditing forms of the permission checks since
3141 * getxattr may be called by unprivileged processes commonly
3142 * and lack of permission just means that we fall back to the
3143 * in-core context value, not a denial.
3144 */
b1d9e6b0
CS		 3145 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3146 SECURITY_CAP_NOAUDIT);
3147 if (!error)
3148 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3149 SECURITY_CAP_NOAUDIT);
abc69bb6
SS		 3150 if (!error)
3151 error = security_sid_to_context_force(isec->sid, &context,
3152 &size);
3153 else
3154 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3155 if (error)
3156 return error;
3157 error = size;
3158 if (alloc) {
3159 *buffer = context;
3160 goto out_nofree;
3161 }
3162 kfree(context);
3163out_nofree:
3164 return error;
1da177e4
LT		 3165}
3166
3167static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3168 const void *value, size_t size, int flags)
1da177e4 3169{
83da53c5 3170 struct inode_security_struct *isec = inode_security(inode);
1da177e4
LT		 3171 u32 newsid;
3172 int rc;
3173
3174 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3175 return -EOPNOTSUPP;
3176
3177 if (!value || !size)
3178 return -EACCES;
3179
20ba96ae 3180 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
1da177e4
LT		 3181 if (rc)
3182 return rc;
3183
aa9c2669 3184 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3185 isec->sid = newsid;
6f3be9f5 3186 isec->initialized = LABEL_INITIALIZED;
1da177e4
LT		 3187 return 0;
3188}
3189
3190static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3191{
3192 const int len = sizeof(XATTR_NAME_SELINUX);
3193 if (buffer && len <= buffer_size)
3194 memcpy(buffer, XATTR_NAME_SELINUX, len);
3195 return len;
3196}
3197
d6335d77 3198static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3199{
83da53c5 3200 struct inode_security_struct *isec = inode_security(inode);
713a04ae
AD		 3201 *secid = isec->sid;
3202}
3203
1da177e4
LT		 3204/* file security operations */
3205
788e7dd4 3206static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3207{
88e67f3b 3208 const struct cred *cred = current_cred();
496ad9aa 3209 struct inode *inode = file_inode(file);
1da177e4 3210
1da177e4
LT		 3211 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3212 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3213 mask |= MAY_APPEND;
3214
389fb800
PM		 3215 return file_has_perm(cred, file,
3216 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3217}
3218
788e7dd4
YN		 3219static int selinux_file_permission(struct file *file, int mask)
3220{
496ad9aa 3221 struct inode *inode = file_inode(file);
20dda18b 3222 struct file_security_struct *fsec = file->f_security;
83da53c5 3223 struct inode_security_struct *isec = inode_security(inode);
20dda18b
SS		 3224 u32 sid = current_sid();
3225
389fb800 3226 if (!mask)
788e7dd4
YN		 3227 /* No permission to check. Existence test. */
3228 return 0;
788e7dd4 3229
20dda18b
SS		 3230 if (sid == fsec->sid && fsec->isid == isec->sid &&
3231 fsec->pseqno == avc_policy_seqno())
83d49856 3232 /* No change since file_open check. */
20dda18b
SS		 3233 return 0;
3234
788e7dd4
YN		 3235 return selinux_revalidate_file_permission(file, mask);
3236}
3237
1da177e4
LT		 3238static int selinux_file_alloc_security(struct file *file)
3239{
3240 return file_alloc_security(file);
3241}
3242
3243static void selinux_file_free_security(struct file *file)
3244{
3245 file_free_security(file);
3246}
3247
fa1aa143
JVS		 3248/*
3249 * Check whether a task has the ioctl permission and cmd
3250 * operation to an inode.
3251 */
1d2a168a 3252static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3253 u32 requested, u16 cmd)
3254{
3255 struct common_audit_data ad;
3256 struct file_security_struct *fsec = file->f_security;
3257 struct inode *inode = file_inode(file);
83da53c5 3258 struct inode_security_struct *isec = inode_security(inode);
fa1aa143
JVS		 3259 struct lsm_ioctlop_audit ioctl;
3260 u32 ssid = cred_sid(cred);
3261 int rc;
3262 u8 driver = cmd >> 8;
3263 u8 xperm = cmd & 0xff;
3264
3265 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3266 ad.u.op = &ioctl;
3267 ad.u.op->cmd = cmd;
3268 ad.u.op->path = file->f_path;
3269
3270 if (ssid != fsec->sid) {
3271 rc = avc_has_perm(ssid, fsec->sid,
3272 SECCLASS_FD,
3273 FD__USE,
3274 &ad);
3275 if (rc)
3276 goto out;
3277 }
3278
3279 if (unlikely(IS_PRIVATE(inode)))
3280 return 0;
3281
3282 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3283 requested, driver, xperm, &ad);
3284out:
3285 return rc;
3286}
3287
1da177e4
LT		 3288static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3289 unsigned long arg)
3290{
88e67f3b 3291 const struct cred *cred = current_cred();
0b24dcb7 3292 int error = 0;
1da177e4 3293
0b24dcb7
EP		 3294 switch (cmd) {
3295 case FIONREAD:
3296 /* fall through */
3297 case FIBMAP:
3298 /* fall through */
3299 case FIGETBSZ:
3300 /* fall through */
2f99c369 3301 case FS_IOC_GETFLAGS:
0b24dcb7 3302 /* fall through */
2f99c369 3303 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3304 error = file_has_perm(cred, file, FILE__GETATTR);
3305 break;
1da177e4 3306
2f99c369 3307 case FS_IOC_SETFLAGS:
0b24dcb7 3308 /* fall through */
2f99c369 3309 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3310 error = file_has_perm(cred, file, FILE__SETATTR);
3311 break;
3312
3313 /* sys_ioctl() checks */
3314 case FIONBIO:
3315 /* fall through */
3316 case FIOASYNC:
3317 error = file_has_perm(cred, file, 0);
3318 break;
1da177e4 3319
0b24dcb7
EP		 3320 case KDSKBENT:
3321 case KDSKBSENT:
6a9de491
EP		 3322 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3323 SECURITY_CAP_AUDIT);
0b24dcb7
EP		 3324 break;
3325
3326 /* default case assumes that the command will go
3327 * to the file's ioctl() function.
3328 */
3329 default:
fa1aa143 3330 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3331 }
3332 return error;
1da177e4
LT		 3333}
3334
fcaaade1
SS		 3335static int default_noexec;
3336
1da177e4
LT		 3337static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3338{
88e67f3b 3339 const struct cred *cred = current_cred();
d84f4f99 3340 int rc = 0;
88e67f3b 3341
fcaaade1 3342 if (default_noexec &&
892e8cac
SS		 3343 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3344 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3345 /*
3346 * We are making executable an anonymous mapping or a
3347 * private file mapping that will also be writable.
3348 * This has an additional check.
3349 */
d84f4f99 3350 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 3351 if (rc)
d84f4f99 3352 goto error;
1da177e4 3353 }
1da177e4
LT		 3354
3355 if (file) {
3356 /* read access is always possible with a mapping */
3357 u32 av = FILE__READ;
3358
3359 /* write access only matters if the mapping is shared */
3360 if (shared && (prot & PROT_WRITE))
3361 av |= FILE__WRITE;
3362
3363 if (prot & PROT_EXEC)
3364 av |= FILE__EXECUTE;
3365
88e67f3b 3366 return file_has_perm(cred, file, av);
1da177e4 3367 }
d84f4f99
DH		 3368
3369error:
3370 return rc;
1da177e4
LT		 3371}
3372
e5467859 3373static int selinux_mmap_addr(unsigned long addr)
1da177e4 3374{
b1d9e6b0 3375 int rc = 0;
1da177e4 3376
a2551df7 3377 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3378 u32 sid = current_sid();
ed032189
EP		 3379 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3380 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3381 }
3382
98883bfd 3383 return rc;
e5467859 3384}
1da177e4 3385
e5467859
AV		 3386static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3387 unsigned long prot, unsigned long flags)
3388{
1da177e4
LT		 3389 if (selinux_checkreqprot)
3390 prot = reqprot;
3391
3392 return file_map_prot_check(file, prot,
3393 (flags & MAP_TYPE) == MAP_SHARED);
3394}
3395
3396static int selinux_file_mprotect(struct vm_area_struct *vma,
3397 unsigned long reqprot,
3398 unsigned long prot)
3399{
88e67f3b 3400 const struct cred *cred = current_cred();
1da177e4
LT		 3401
3402 if (selinux_checkreqprot)
3403 prot = reqprot;
3404
fcaaade1
SS		 3405 if (default_noexec &&
3406 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3407 int rc = 0;
db4c9641
SS		 3408 if (vma->vm_start >= vma->vm_mm->start_brk &&
3409 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3410 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641
SS		 3411 } else if (!vma->vm_file &&
3412 vma->vm_start <= vma->vm_mm->start_stack &&
3413 vma->vm_end >= vma->vm_mm->start_stack) {
3b11a1de 3414 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3415 } else if (vma->vm_file && vma->anon_vma) {
3416 /*
3417 * We are making executable a file mapping that has
3418 * had some COW done. Since pages might have been
3419 * written, check ability to execute the possibly
3420 * modified content. This typically should only
3421 * occur for text relocations.
3422 */
d84f4f99 3423 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3424 }