]> Git Repo - linux.git/blame - security/selinux/hooks.c
projects / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
LSM: Introduce inode_getsecid and ipc_getsecid hooks
[linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <[email protected]>
7 * Chris Vance, <[email protected]>
8 * Wayne Salamon, <[email protected]>
9 * James Morris <[email protected]>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <[email protected]>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <[email protected]>
effad8df
PM		 15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <[email protected]>
788e7dd4
YN		 17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <[email protected]>
1da177e4
LT		 19 *
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
23 */
24
1da177e4
LT		 25#include <linux/init.h>
26#include <linux/kernel.h>
27#include <linux/ptrace.h>
28#include <linux/errno.h>
29#include <linux/sched.h>
30#include <linux/security.h>
31#include <linux/xattr.h>
32#include <linux/capability.h>
33#include <linux/unistd.h>
34#include <linux/mm.h>
35#include <linux/mman.h>
36#include <linux/slab.h>
37#include <linux/pagemap.h>
38#include <linux/swap.h>
1da177e4
LT		 39#include <linux/spinlock.h>
40#include <linux/syscalls.h>
41#include <linux/file.h>
42#include <linux/namei.h>
43#include <linux/mount.h>
44#include <linux/ext2_fs.h>
45#include <linux/proc_fs.h>
46#include <linux/kd.h>
47#include <linux/netfilter_ipv4.h>
48#include <linux/netfilter_ipv6.h>
49#include <linux/tty.h>
50#include <net/icmp.h>
227b60f5 51#include <net/ip.h> /* for local_port_range[] */
1da177e4 52#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
220deb96 53#include <net/net_namespace.h>
d621d35e 54#include <net/netlabel.h>
1da177e4 55#include <asm/uaccess.h>
1da177e4 56#include <asm/ioctls.h>
d621d35e 57#include <asm/atomic.h>
1da177e4
LT		 58#include <linux/bitops.h>
59#include <linux/interrupt.h>
60#include <linux/netdevice.h> /* for network interface checks */
61#include <linux/netlink.h>
62#include <linux/tcp.h>
63#include <linux/udp.h>
2ee92d46 64#include <linux/dccp.h>
1da177e4
LT		 65#include <linux/quota.h>
66#include <linux/un.h> /* for Unix socket types */
67#include <net/af_unix.h> /* for Unix socket types */
68#include <linux/parser.h>
69#include <linux/nfs_mount.h>
70#include <net/ipv6.h>
71#include <linux/hugetlb.h>
72#include <linux/personality.h>
73#include <linux/sysctl.h>
74#include <linux/audit.h>
6931dfc9 75#include <linux/string.h>
877ce7c1 76#include <linux/selinux.h>
23970741 77#include <linux/mutex.h>
1da177e4
LT		 78
79#include "avc.h"
80#include "objsec.h"
81#include "netif.h"
224dfbd8 82#include "netnode.h"
3e112172 83#include "netport.h"
d28d1e08 84#include "xfrm.h"
c60475bf 85#include "netlabel.h"
1da177e4
LT		 86
87#define XATTR_SELINUX_SUFFIX "selinux"
88#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
89
c9180a57
EP		 90#define NUM_SEL_MNT_OPTS 4
91
1da177e4
LT		 92extern unsigned int policydb_loaded_version;
93extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
4e5ab4cb 94extern int selinux_compat_net;
20510f2f 95extern struct security_operations *security_ops;
1da177e4 96
d621d35e
PM		 97/* SECMARK reference count */
98atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99
1da177e4
LT		 100#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101int selinux_enforcing = 0;
102
103static int __init enforcing_setup(char *str)
104{
105 selinux_enforcing = simple_strtol(str,NULL,0);
106 return 1;
107}
108__setup("enforcing=", enforcing_setup);
109#endif
110
111#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
112int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
113
114static int __init selinux_enabled_setup(char *str)
115{
116 selinux_enabled = simple_strtol(str, NULL, 0);
117 return 1;
118}
119__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 120#else
121int selinux_enabled = 1;
1da177e4
LT		 122#endif
123
124/* Original (dummy) security module. */
125static struct security_operations *original_ops = NULL;
126
127/* Minimal support for a secondary security module,
128 just to allow the use of the dummy or capability modules.
129 The owlsm module can alternatively be used as a secondary
130 module as long as CONFIG_OWLSM_FD is not enabled. */
131static struct security_operations *secondary_ops = NULL;
132
133/* Lists of inode and superblock security structures initialized
134 before the policy was loaded. */
135static LIST_HEAD(superblock_security_head);
136static DEFINE_SPINLOCK(sb_security_lock);
137
e18b890b 138static struct kmem_cache *sel_inode_cache;
7cae7e26 139
d621d35e
PM		 140/**
141 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
142 *
143 * Description:
144 * This function checks the SECMARK reference counter to see if any SECMARK
145 * targets are currently configured, if the reference counter is greater than
146 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
147 * enabled, false (0) if SECMARK is disabled.
148 *
149 */
150static int selinux_secmark_enabled(void)
151{
152 return (atomic_read(&selinux_secmark_refcount) > 0);
153}
154
1da177e4
LT		 155/* Allocate and free functions for each kind of security blob. */
156
157static int task_alloc_security(struct task_struct *task)
158{
159 struct task_security_struct *tsec;
160
89d155ef 161 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4
LT		 162 if (!tsec)
163 return -ENOMEM;
164
0356357c 165 tsec->osid = tsec->sid = SECINITSID_UNLABELED;
1da177e4
LT		 166 task->security = tsec;
167
168 return 0;
169}
170
171static void task_free_security(struct task_struct *task)
172{
173 struct task_security_struct *tsec = task->security;
1da177e4
LT		 174 task->security = NULL;
175 kfree(tsec);
176}
177
178static int inode_alloc_security(struct inode *inode)
179{
180 struct task_security_struct *tsec = current->security;
181 struct inode_security_struct *isec;
182
a02fe132 183 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 184 if (!isec)
185 return -ENOMEM;
186
23970741 187 mutex_init(&isec->lock);
1da177e4 188 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 189 isec->inode = inode;
190 isec->sid = SECINITSID_UNLABELED;
191 isec->sclass = SECCLASS_FILE;
9ac49d22 192 isec->task_sid = tsec->sid;
1da177e4
LT		 193 inode->i_security = isec;
194
195 return 0;
196}
197
198static void inode_free_security(struct inode *inode)
199{
200 struct inode_security_struct *isec = inode->i_security;
201 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
202
1da177e4
LT		 203 spin_lock(&sbsec->isec_lock);
204 if (!list_empty(&isec->list))
205 list_del_init(&isec->list);
206 spin_unlock(&sbsec->isec_lock);
207
208 inode->i_security = NULL;
7cae7e26 209 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 210}
211
212static int file_alloc_security(struct file *file)
213{
214 struct task_security_struct *tsec = current->security;
215 struct file_security_struct *fsec;
216
26d2a4be 217 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 218 if (!fsec)
219 return -ENOMEM;
220
9ac49d22
SS		 221 fsec->sid = tsec->sid;
222 fsec->fown_sid = tsec->sid;
1da177e4
LT		 223 file->f_security = fsec;
224
225 return 0;
226}
227
228static void file_free_security(struct file *file)
229{
230 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 231 file->f_security = NULL;
232 kfree(fsec);
233}
234
235static int superblock_alloc_security(struct super_block *sb)
236{
237 struct superblock_security_struct *sbsec;
238
89d155ef 239 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 240 if (!sbsec)
241 return -ENOMEM;
242
bc7e982b 243 mutex_init(&sbsec->lock);
1da177e4
LT		 244 INIT_LIST_HEAD(&sbsec->list);
245 INIT_LIST_HEAD(&sbsec->isec_head);
246 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 247 sbsec->sb = sb;
248 sbsec->sid = SECINITSID_UNLABELED;
249 sbsec->def_sid = SECINITSID_FILE;
c312feb2 250 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 251 sb->s_security = sbsec;
252
253 return 0;
254}
255
256static void superblock_free_security(struct super_block *sb)
257{
258 struct superblock_security_struct *sbsec = sb->s_security;
259
1da177e4
LT		 260 spin_lock(&sb_security_lock);
261 if (!list_empty(&sbsec->list))
262 list_del_init(&sbsec->list);
263 spin_unlock(&sb_security_lock);
264
265 sb->s_security = NULL;
266 kfree(sbsec);
267}
268
7d877f3b 269static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4
LT		 270{
271 struct sk_security_struct *ssec;
272
89d155ef 273 ssec = kzalloc(sizeof(*ssec), priority);
1da177e4
LT		 274 if (!ssec)
275 return -ENOMEM;
276
1da177e4 277 ssec->peer_sid = SECINITSID_UNLABELED;
892c141e 278 ssec->sid = SECINITSID_UNLABELED;
1da177e4
LT		 279 sk->sk_security = ssec;
280
f74af6e8 281 selinux_netlbl_sk_security_reset(ssec, family);
99f59ed0 282
1da177e4
LT		 283 return 0;
284}
285
286static void sk_free_security(struct sock *sk)
287{
288 struct sk_security_struct *ssec = sk->sk_security;
289
1da177e4
LT		 290 sk->sk_security = NULL;
291 kfree(ssec);
292}
1da177e4
LT		 293
294/* The security server must be initialized before
295 any labeling or access decisions can be provided. */
296extern int ss_initialized;
297
298/* The file system's label must be initialized prior to use. */
299
300static char *labeling_behaviors[6] = {
301 "uses xattr",
302 "uses transition SIDs",
303 "uses task SIDs",
304 "uses genfs_contexts",
305 "not configured for labeling",
306 "uses mountpoint labeling",
307};
308
309static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
310
311static inline int inode_doinit(struct inode *inode)
312{
313 return inode_doinit_with_dentry(inode, NULL);
314}
315
316enum {
31e87930 317 Opt_error = -1,
1da177e4
LT		 318 Opt_context = 1,
319 Opt_fscontext = 2,
c9180a57
EP		 320 Opt_defcontext = 3,
321 Opt_rootcontext = 4,
1da177e4
LT		 322};
323
324static match_table_t tokens = {
832cbd9a
EP		 325 {Opt_context, CONTEXT_STR "%s"},
326 {Opt_fscontext, FSCONTEXT_STR "%s"},
327 {Opt_defcontext, DEFCONTEXT_STR "%s"},
328 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
31e87930 329 {Opt_error, NULL},
1da177e4
LT		 330};
331
332#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
333
c312feb2
EP		 334static int may_context_mount_sb_relabel(u32 sid,
335 struct superblock_security_struct *sbsec,
336 struct task_security_struct *tsec)
337{
338 int rc;
339
340 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
341 FILESYSTEM__RELABELFROM, NULL);
342 if (rc)
343 return rc;
344
345 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
346 FILESYSTEM__RELABELTO, NULL);
347 return rc;
348}
349
0808925e
EP		 350static int may_context_mount_inode_relabel(u32 sid,
351 struct superblock_security_struct *sbsec,
352 struct task_security_struct *tsec)
353{
354 int rc;
355 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
356 FILESYSTEM__RELABELFROM, NULL);
357 if (rc)
358 return rc;
359
360 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
361 FILESYSTEM__ASSOCIATE, NULL);
362 return rc;
363}
364
c9180a57 365static int sb_finish_set_opts(struct super_block *sb)
1da177e4 366{
1da177e4 367 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 368 struct dentry *root = sb->s_root;
369 struct inode *root_inode = root->d_inode;
370 int rc = 0;
1da177e4 371
c9180a57
EP		 372 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
373 /* Make sure that the xattr handler exists and that no
374 error other than -ENODATA is returned by getxattr on
375 the root directory. -ENODATA is ok, as this may be
376 the first boot of the SELinux kernel before we have
377 assigned xattr values to the filesystem. */
378 if (!root_inode->i_op->getxattr) {
379 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
380 "xattr support\n", sb->s_id, sb->s_type->name);
381 rc = -EOPNOTSUPP;
382 goto out;
383 }
384 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
385 if (rc < 0 && rc != -ENODATA) {
386 if (rc == -EOPNOTSUPP)
387 printk(KERN_WARNING "SELinux: (dev %s, type "
388 "%s) has no security xattr handler\n",
389 sb->s_id, sb->s_type->name);
390 else
391 printk(KERN_WARNING "SELinux: (dev %s, type "
392 "%s) getxattr errno %d\n", sb->s_id,
393 sb->s_type->name, -rc);
394 goto out;
395 }
396 }
1da177e4 397
c9180a57 398 sbsec->initialized = 1;
1da177e4 399
c9180a57
EP		 400 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
401 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
402 sb->s_id, sb->s_type->name);
403 else
404 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
405 sb->s_id, sb->s_type->name,
406 labeling_behaviors[sbsec->behavior-1]);
1da177e4 407
c9180a57
EP		 408 /* Initialize the root inode. */
409 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 410
c9180a57
EP		 411 /* Initialize any other inodes associated with the superblock, e.g.
412 inodes created prior to initial policy load or inodes created
413 during get_sb by a pseudo filesystem that directly
414 populates itself. */
415 spin_lock(&sbsec->isec_lock);
416next_inode:
417 if (!list_empty(&sbsec->isec_head)) {
418 struct inode_security_struct *isec =
419 list_entry(sbsec->isec_head.next,
420 struct inode_security_struct, list);
421 struct inode *inode = isec->inode;
422 spin_unlock(&sbsec->isec_lock);
423 inode = igrab(inode);
424 if (inode) {
425 if (!IS_PRIVATE(inode))
426 inode_doinit(inode);
427 iput(inode);
428 }
429 spin_lock(&sbsec->isec_lock);
430 list_del_init(&isec->list);
431 goto next_inode;
432 }
433 spin_unlock(&sbsec->isec_lock);
434out:
435 return rc;
436}
1da177e4 437
c9180a57
EP		 438/*
439 * This function should allow an FS to ask what it's mount security
440 * options were so it can use those later for submounts, displaying
441 * mount options, or whatever.
442 */
443static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 444 struct security_mnt_opts *opts)
c9180a57
EP		 445{
446 int rc = 0, i;
447 struct superblock_security_struct *sbsec = sb->s_security;
448 char *context = NULL;
449 u32 len;
450 char tmp;
1da177e4 451
e0007529 452 security_init_mnt_opts(opts);
1da177e4 453
c9180a57
EP		 454 if (!sbsec->initialized)
455 return -EINVAL;
1da177e4 456
c9180a57
EP		 457 if (!ss_initialized)
458 return -EINVAL;
1da177e4 459
c9180a57
EP		 460 /*
461 * if we ever use sbsec flags for anything other than tracking mount
462 * settings this is going to need a mask
463 */
464 tmp = sbsec->flags;
465 /* count the number of mount options for this sb */
466 for (i = 0; i < 8; i++) {
467 if (tmp & 0x01)
e0007529 468 opts->num_mnt_opts++;
c9180a57
EP		 469 tmp >>= 1;
470 }
1da177e4 471
e0007529
EP		 472 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
473 if (!opts->mnt_opts) {
c9180a57
EP		 474 rc = -ENOMEM;
475 goto out_free;
476 }
1da177e4 477
e0007529
EP		 478 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
479 if (!opts->mnt_opts_flags) {
c9180a57
EP		 480 rc = -ENOMEM;
481 goto out_free;
482 }
1da177e4 483
c9180a57
EP		 484 i = 0;
485 if (sbsec->flags & FSCONTEXT_MNT) {
486 rc = security_sid_to_context(sbsec->sid, &context, &len);
487 if (rc)
488 goto out_free;
e0007529
EP		 489 opts->mnt_opts[i] = context;
490 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 491 }
492 if (sbsec->flags & CONTEXT_MNT) {
493 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
494 if (rc)
495 goto out_free;
e0007529
EP		 496 opts->mnt_opts[i] = context;
497 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 498 }
499 if (sbsec->flags & DEFCONTEXT_MNT) {
500 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
501 if (rc)
502 goto out_free;
e0007529
EP		 503 opts->mnt_opts[i] = context;
504 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 505 }
506 if (sbsec->flags & ROOTCONTEXT_MNT) {
507 struct inode *root = sbsec->sb->s_root->d_inode;
508 struct inode_security_struct *isec = root->i_security;
0808925e 509
c9180a57
EP		 510 rc = security_sid_to_context(isec->sid, &context, &len);
511 if (rc)
512 goto out_free;
e0007529
EP		 513 opts->mnt_opts[i] = context;
514 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 515 }
1da177e4 516
e0007529 517 BUG_ON(i != opts->num_mnt_opts);
1da177e4 518
c9180a57
EP		 519 return 0;
520
521out_free:
e0007529 522 security_free_mnt_opts(opts);
c9180a57
EP		 523 return rc;
524}
1da177e4 525
c9180a57
EP		 526static int bad_option(struct superblock_security_struct *sbsec, char flag,
527 u32 old_sid, u32 new_sid)
528{
529 /* check if the old mount command had the same options */
530 if (sbsec->initialized)
531 if (!(sbsec->flags & flag) ||
532 (old_sid != new_sid))
533 return 1;
534
535 /* check if we were passed the same options twice,
536 * aka someone passed context=a,context=b
537 */
538 if (!sbsec->initialized)
539 if (sbsec->flags & flag)
540 return 1;
541 return 0;
542}
e0007529 543
c9180a57
EP		 544/*
545 * Allow filesystems with binary mount data to explicitly set mount point
546 * labeling information.
547 */
e0007529
EP		 548static int selinux_set_mnt_opts(struct super_block *sb,
549 struct security_mnt_opts *opts)
c9180a57
EP		 550{
551 int rc = 0, i;
552 struct task_security_struct *tsec = current->security;
553 struct superblock_security_struct *sbsec = sb->s_security;
554 const char *name = sb->s_type->name;
555 struct inode *inode = sbsec->sb->s_root->d_inode;
556 struct inode_security_struct *root_isec = inode->i_security;
557 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
558 u32 defcontext_sid = 0;
e0007529
EP		 559 char **mount_options = opts->mnt_opts;
560 int *flags = opts->mnt_opts_flags;
561 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 562
563 mutex_lock(&sbsec->lock);
564
565 if (!ss_initialized) {
566 if (!num_opts) {
567 /* Defer initialization until selinux_complete_init,
568 after the initial policy is loaded and the security
569 server is ready to handle calls. */
570 spin_lock(&sb_security_lock);
571 if (list_empty(&sbsec->list))
572 list_add(&sbsec->list, &superblock_security_head);
573 spin_unlock(&sb_security_lock);
574 goto out;
575 }
576 rc = -EINVAL;
577 printk(KERN_WARNING "Unable to set superblock options before "
578 "the security server is initialized\n");
1da177e4 579 goto out;
c9180a57 580 }
1da177e4 581
e0007529
EP		 582 /*
583 * Binary mount data FS will come through this function twice. Once
584 * from an explicit call and once from the generic calls from the vfs.
585 * Since the generic VFS calls will not contain any security mount data
586 * we need to skip the double mount verification.
587 *
588 * This does open a hole in which we will not notice if the first
589 * mount using this sb set explict options and a second mount using
590 * this sb does not set any security options. (The first options
591 * will be used for both mounts)
592 */
593 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
594 && (num_opts == 0))
595 goto out;
596
c9180a57
EP		 597 /*
598 * parse the mount options, check if they are valid sids.
599 * also check if someone is trying to mount the same sb more
600 * than once with different security options.
601 */
602 for (i = 0; i < num_opts; i++) {
603 u32 sid;
604 rc = security_context_to_sid(mount_options[i],
605 strlen(mount_options[i]), &sid);
1da177e4
LT		 606 if (rc) {
607 printk(KERN_WARNING "SELinux: security_context_to_sid"
608 "(%s) failed for (dev %s, type %s) errno=%d\n",
c9180a57
EP		 609 mount_options[i], sb->s_id, name, rc);
610 goto out;
611 }
612 switch (flags[i]) {
613 case FSCONTEXT_MNT:
614 fscontext_sid = sid;
615
616 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
617 fscontext_sid))
618 goto out_double_mount;
619
620 sbsec->flags |= FSCONTEXT_MNT;
621 break;
622 case CONTEXT_MNT:
623 context_sid = sid;
624
625 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
626 context_sid))
627 goto out_double_mount;
628
629 sbsec->flags |= CONTEXT_MNT;
630 break;
631 case ROOTCONTEXT_MNT:
632 rootcontext_sid = sid;
633
634 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
635 rootcontext_sid))
636 goto out_double_mount;
637
638 sbsec->flags |= ROOTCONTEXT_MNT;
639
640 break;
641 case DEFCONTEXT_MNT:
642 defcontext_sid = sid;
643
644 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
645 defcontext_sid))
646 goto out_double_mount;
647
648 sbsec->flags |= DEFCONTEXT_MNT;
649
650 break;
651 default:
652 rc = -EINVAL;
653 goto out;
1da177e4 654 }
c9180a57
EP		 655 }
656
657 if (sbsec->initialized) {
658 /* previously mounted with options, but not on this attempt? */
659 if (sbsec->flags && !num_opts)
660 goto out_double_mount;
661 rc = 0;
662 goto out;
663 }
664
665 if (strcmp(sb->s_type->name, "proc") == 0)
666 sbsec->proc = 1;
667
668 /* Determine the labeling behavior to use for this filesystem type. */
669 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
670 if (rc) {
671 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
dd6f953a 672 __func__, sb->s_type->name, rc);
c9180a57
EP		 673 goto out;
674 }
1da177e4 675
c9180a57
EP		 676 /* sets the context of the superblock for the fs being mounted. */
677 if (fscontext_sid) {
678
679 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
1da177e4 680 if (rc)
c9180a57 681 goto out;
1da177e4 682
c9180a57 683 sbsec->sid = fscontext_sid;
c312feb2
EP		 684 }
685
686 /*
687 * Switch to using mount point labeling behavior.
688 * sets the label used on all file below the mountpoint, and will set
689 * the superblock context if not already set.
690 */
c9180a57
EP		 691 if (context_sid) {
692 if (!fscontext_sid) {
693 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
b04ea3ce 694 if (rc)
c9180a57
EP		 695 goto out;
696 sbsec->sid = context_sid;
b04ea3ce 697 } else {
c9180a57 698 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
b04ea3ce 699 if (rc)
c9180a57 700 goto out;
b04ea3ce 701 }
c9180a57
EP		 702 if (!rootcontext_sid)
703 rootcontext_sid = context_sid;
1da177e4 704
c9180a57 705 sbsec->mntpoint_sid = context_sid;
c312feb2 706 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 707 }
708
c9180a57
EP		 709 if (rootcontext_sid) {
710 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
0808925e 711 if (rc)
c9180a57 712 goto out;
0808925e 713
c9180a57
EP		 714 root_isec->sid = rootcontext_sid;
715 root_isec->initialized = 1;
0808925e
EP		 716 }
717
c9180a57
EP		 718 if (defcontext_sid) {
719 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
720 rc = -EINVAL;
721 printk(KERN_WARNING "SELinux: defcontext option is "
722 "invalid for this filesystem type\n");
723 goto out;
1da177e4
LT		 724 }
725
c9180a57
EP		 726 if (defcontext_sid != sbsec->def_sid) {
727 rc = may_context_mount_inode_relabel(defcontext_sid,
728 sbsec, tsec);
729 if (rc)
730 goto out;
731 }
1da177e4 732
c9180a57 733 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 734 }
735
c9180a57 736 rc = sb_finish_set_opts(sb);
1da177e4 737out:
c9180a57 738 mutex_unlock(&sbsec->lock);
1da177e4 739 return rc;
c9180a57
EP		 740out_double_mount:
741 rc = -EINVAL;
742 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
743 "security settings for (dev %s, type %s)\n", sb->s_id, name);
744 goto out;
1da177e4
LT		 745}
746
c9180a57
EP		 747static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
748 struct super_block *newsb)
1da177e4 749{
c9180a57
EP		 750 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
751 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 752
c9180a57
EP		 753 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
754 int set_context = (oldsbsec->flags & CONTEXT_MNT);
755 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 756
c9180a57
EP		 757 /* we can't error, we can't save the info, this shouldn't get called
758 * this early in the boot process. */
759 BUG_ON(!ss_initialized);
760
c9180a57
EP		 761 /* how can we clone if the old one wasn't set up?? */
762 BUG_ON(!oldsbsec->initialized);
763
5a552617
EP		 764 /* if fs is reusing a sb, just let its options stand... */
765 if (newsbsec->initialized)
766 return;
767
c9180a57
EP		 768 mutex_lock(&newsbsec->lock);
769
770 newsbsec->flags = oldsbsec->flags;
771
772 newsbsec->sid = oldsbsec->sid;
773 newsbsec->def_sid = oldsbsec->def_sid;
774 newsbsec->behavior = oldsbsec->behavior;
775
776 if (set_context) {
777 u32 sid = oldsbsec->mntpoint_sid;
778
779 if (!set_fscontext)
780 newsbsec->sid = sid;
781 if (!set_rootcontext) {
782 struct inode *newinode = newsb->s_root->d_inode;
783 struct inode_security_struct *newisec = newinode->i_security;
784 newisec->sid = sid;
785 }
786 newsbsec->mntpoint_sid = sid;
1da177e4 787 }
c9180a57
EP		 788 if (set_rootcontext) {
789 const struct inode *oldinode = oldsb->s_root->d_inode;
790 const struct inode_security_struct *oldisec = oldinode->i_security;
791 struct inode *newinode = newsb->s_root->d_inode;
792 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 793
c9180a57 794 newisec->sid = oldisec->sid;
1da177e4
LT		 795 }
796
c9180a57
EP		 797 sb_finish_set_opts(newsb);
798 mutex_unlock(&newsbsec->lock);
799}
800
2e1479d9
AB		 801static int selinux_parse_opts_str(char *options,
802 struct security_mnt_opts *opts)
c9180a57 803{
e0007529 804 char *p;
c9180a57
EP		 805 char *context = NULL, *defcontext = NULL;
806 char *fscontext = NULL, *rootcontext = NULL;
e0007529 807 int rc, num_mnt_opts = 0;
1da177e4 808
e0007529 809 opts->num_mnt_opts = 0;
1da177e4 810
c9180a57
EP		 811 /* Standard string-based options. */
812 while ((p = strsep(&options, "|")) != NULL) {
813 int token;
814 substring_t args[MAX_OPT_ARGS];
1da177e4 815
c9180a57
EP		 816 if (!*p)
817 continue;
1da177e4 818
c9180a57 819 token = match_token(p, tokens, args);
1da177e4 820
c9180a57
EP		 821 switch (token) {
822 case Opt_context:
823 if (context || defcontext) {
824 rc = -EINVAL;
825 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
826 goto out_err;
827 }
828 context = match_strdup(&args[0]);
829 if (!context) {
830 rc = -ENOMEM;
831 goto out_err;
832 }
833 break;
834
835 case Opt_fscontext:
836 if (fscontext) {
837 rc = -EINVAL;
838 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
839 goto out_err;
840 }
841 fscontext = match_strdup(&args[0]);
842 if (!fscontext) {
843 rc = -ENOMEM;
844 goto out_err;
845 }
846 break;
847
848 case Opt_rootcontext:
849 if (rootcontext) {
850 rc = -EINVAL;
851 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
852 goto out_err;
853 }
854 rootcontext = match_strdup(&args[0]);
855 if (!rootcontext) {
856 rc = -ENOMEM;
857 goto out_err;
858 }
859 break;
860
861 case Opt_defcontext:
862 if (context || defcontext) {
863 rc = -EINVAL;
864 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
865 goto out_err;
866 }
867 defcontext = match_strdup(&args[0]);
868 if (!defcontext) {
869 rc = -ENOMEM;
870 goto out_err;
871 }
872 break;
873
874 default:
875 rc = -EINVAL;
876 printk(KERN_WARNING "SELinux: unknown mount option\n");
877 goto out_err;
1da177e4 878
1da177e4 879 }
1da177e4 880 }
c9180a57 881
e0007529
EP		 882 rc = -ENOMEM;
883 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
884 if (!opts->mnt_opts)
885 goto out_err;
886
887 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
888 if (!opts->mnt_opts_flags) {
889 kfree(opts->mnt_opts);
890 goto out_err;
891 }
892
c9180a57 893 if (fscontext) {
e0007529
EP		 894 opts->mnt_opts[num_mnt_opts] = fscontext;
895 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 896 }
897 if (context) {
e0007529
EP		 898 opts->mnt_opts[num_mnt_opts] = context;
899 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 900 }
901 if (rootcontext) {
e0007529
EP		 902 opts->mnt_opts[num_mnt_opts] = rootcontext;
903 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 904 }
905 if (defcontext) {
e0007529
EP		 906 opts->mnt_opts[num_mnt_opts] = defcontext;
907 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 908 }
909
e0007529
EP		 910 opts->num_mnt_opts = num_mnt_opts;
911 return 0;
912
c9180a57
EP		 913out_err:
914 kfree(context);
915 kfree(defcontext);
916 kfree(fscontext);
917 kfree(rootcontext);
1da177e4
LT		 918 return rc;
919}
e0007529
EP		 920/*
921 * string mount options parsing and call set the sbsec
922 */
923static int superblock_doinit(struct super_block *sb, void *data)
924{
925 int rc = 0;
926 char *options = data;
927 struct security_mnt_opts opts;
928
929 security_init_mnt_opts(&opts);
930
931 if (!data)
932 goto out;
933
934 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
935
936 rc = selinux_parse_opts_str(options, &opts);
937 if (rc)
938 goto out_err;
939
940out:
941 rc = selinux_set_mnt_opts(sb, &opts);
942
943out_err:
944 security_free_mnt_opts(&opts);
945 return rc;
946}
1da177e4
LT		 947
948static inline u16 inode_mode_to_security_class(umode_t mode)
949{
950 switch (mode & S_IFMT) {
951 case S_IFSOCK:
952 return SECCLASS_SOCK_FILE;
953 case S_IFLNK:
954 return SECCLASS_LNK_FILE;
955 case S_IFREG:
956 return SECCLASS_FILE;
957 case S_IFBLK:
958 return SECCLASS_BLK_FILE;
959 case S_IFDIR:
960 return SECCLASS_DIR;
961 case S_IFCHR:
962 return SECCLASS_CHR_FILE;
963 case S_IFIFO:
964 return SECCLASS_FIFO_FILE;
965
966 }
967
968 return SECCLASS_FILE;
969}
970
13402580
JM		 971static inline int default_protocol_stream(int protocol)
972{
973 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
974}
975
976static inline int default_protocol_dgram(int protocol)
977{
978 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
979}
980
1da177e4
LT		 981static inline u16 socket_type_to_security_class(int family, int type, int protocol)
982{
983 switch (family) {
984 case PF_UNIX:
985 switch (type) {
986 case SOCK_STREAM:
987 case SOCK_SEQPACKET:
988 return SECCLASS_UNIX_STREAM_SOCKET;
989 case SOCK_DGRAM:
990 return SECCLASS_UNIX_DGRAM_SOCKET;
991 }
992 break;
993 case PF_INET:
994 case PF_INET6:
995 switch (type) {
996 case SOCK_STREAM:
13402580
JM		 997 if (default_protocol_stream(protocol))
998 return SECCLASS_TCP_SOCKET;
999 else
1000 return SECCLASS_RAWIP_SOCKET;
1da177e4 1001 case SOCK_DGRAM:
13402580
JM		 1002 if (default_protocol_dgram(protocol))
1003 return SECCLASS_UDP_SOCKET;
1004 else
1005 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1006 case SOCK_DCCP:
1007 return SECCLASS_DCCP_SOCKET;
13402580 1008 default:
1da177e4
LT		 1009 return SECCLASS_RAWIP_SOCKET;
1010 }
1011 break;
1012 case PF_NETLINK:
1013 switch (protocol) {
1014 case NETLINK_ROUTE:
1015 return SECCLASS_NETLINK_ROUTE_SOCKET;
1016 case NETLINK_FIREWALL:
1017 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 1018 case NETLINK_INET_DIAG:
1da177e4
LT		 1019 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1020 case NETLINK_NFLOG:
1021 return SECCLASS_NETLINK_NFLOG_SOCKET;
1022 case NETLINK_XFRM:
1023 return SECCLASS_NETLINK_XFRM_SOCKET;
1024 case NETLINK_SELINUX:
1025 return SECCLASS_NETLINK_SELINUX_SOCKET;
1026 case NETLINK_AUDIT:
1027 return SECCLASS_NETLINK_AUDIT_SOCKET;
1028 case NETLINK_IP6_FW:
1029 return SECCLASS_NETLINK_IP6FW_SOCKET;
1030 case NETLINK_DNRTMSG:
1031 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1032 case NETLINK_KOBJECT_UEVENT:
1033 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1034 default:
1035 return SECCLASS_NETLINK_SOCKET;
1036 }
1037 case PF_PACKET:
1038 return SECCLASS_PACKET_SOCKET;
1039 case PF_KEY:
1040 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1041 case PF_APPLETALK:
1042 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1043 }
1044
1045 return SECCLASS_SOCKET;
1046}
1047
1048#ifdef CONFIG_PROC_FS
1049static int selinux_proc_get_sid(struct proc_dir_entry *de,
1050 u16 tclass,
1051 u32 *sid)
1052{
1053 int buflen, rc;
1054 char *buffer, *path, *end;
1055
1056 buffer = (char*)__get_free_page(GFP_KERNEL);
1057 if (!buffer)
1058 return -ENOMEM;
1059
1060 buflen = PAGE_SIZE;
1061 end = buffer+buflen;
1062 *--end = '\0';
1063 buflen--;
1064 path = end-1;
1065 *path = '/';
1066 while (de && de != de->parent) {
1067 buflen -= de->namelen + 1;
1068 if (buflen < 0)
1069 break;
1070 end -= de->namelen;
1071 memcpy(end, de->name, de->namelen);
1072 *--end = '/';
1073 path = end;
1074 de = de->parent;
1075 }
1076 rc = security_genfs_sid("proc", path, tclass, sid);
1077 free_page((unsigned long)buffer);
1078 return rc;
1079}
1080#else
1081static int selinux_proc_get_sid(struct proc_dir_entry *de,
1082 u16 tclass,
1083 u32 *sid)
1084{
1085 return -EINVAL;
1086}
1087#endif
1088
1089/* The inode's security attributes must be initialized before first use. */
1090static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1091{
1092 struct superblock_security_struct *sbsec = NULL;
1093 struct inode_security_struct *isec = inode->i_security;
1094 u32 sid;
1095 struct dentry *dentry;
1096#define INITCONTEXTLEN 255
1097 char *context = NULL;
1098 unsigned len = 0;
1099 int rc = 0;
1da177e4
LT		 1100
1101 if (isec->initialized)
1102 goto out;
1103
23970741 1104 mutex_lock(&isec->lock);
1da177e4 1105 if (isec->initialized)
23970741 1106 goto out_unlock;
1da177e4
LT		 1107
1108 sbsec = inode->i_sb->s_security;
1109 if (!sbsec->initialized) {
1110 /* Defer initialization until selinux_complete_init,
1111 after the initial policy is loaded and the security
1112 server is ready to handle calls. */
1113 spin_lock(&sbsec->isec_lock);
1114 if (list_empty(&isec->list))
1115 list_add(&isec->list, &sbsec->isec_head);
1116 spin_unlock(&sbsec->isec_lock);
23970741 1117 goto out_unlock;
1da177e4
LT		 1118 }
1119
1120 switch (sbsec->behavior) {
1121 case SECURITY_FS_USE_XATTR:
1122 if (!inode->i_op->getxattr) {
1123 isec->sid = sbsec->def_sid;
1124 break;
1125 }
1126
1127 /* Need a dentry, since the xattr API requires one.
1128 Life would be simpler if we could just pass the inode. */
1129 if (opt_dentry) {
1130 /* Called from d_instantiate or d_splice_alias. */
1131 dentry = dget(opt_dentry);
1132 } else {
1133 /* Called from selinux_complete_init, try to find a dentry. */
1134 dentry = d_find_alias(inode);
1135 }
1136 if (!dentry) {
1137 printk(KERN_WARNING "%s: no dentry for dev=%s "
dd6f953a 1138 "ino=%ld\n", __func__, inode->i_sb->s_id,
1da177e4 1139 inode->i_ino);
23970741 1140 goto out_unlock;
1da177e4
LT		 1141 }
1142
1143 len = INITCONTEXTLEN;
869ab514 1144 context = kmalloc(len, GFP_NOFS);
1da177e4
LT		 1145 if (!context) {
1146 rc = -ENOMEM;
1147 dput(dentry);
23970741 1148 goto out_unlock;
1da177e4
LT		 1149 }
1150 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1151 context, len);
1152 if (rc == -ERANGE) {
1153 /* Need a larger buffer. Query for the right size. */
1154 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1155 NULL, 0);
1156 if (rc < 0) {
1157 dput(dentry);
23970741 1158 goto out_unlock;
1da177e4
LT		 1159 }
1160 kfree(context);
1161 len = rc;
869ab514 1162 context = kmalloc(len, GFP_NOFS);
1da177e4
LT		 1163 if (!context) {
1164 rc = -ENOMEM;
1165 dput(dentry);
23970741 1166 goto out_unlock;
1da177e4
LT		 1167 }
1168 rc = inode->i_op->getxattr(dentry,
1169 XATTR_NAME_SELINUX,
1170 context, len);
1171 }
1172 dput(dentry);
1173 if (rc < 0) {
1174 if (rc != -ENODATA) {
1175 printk(KERN_WARNING "%s: getxattr returned "
dd6f953a 1176 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1177 -rc, inode->i_sb->s_id, inode->i_ino);
1178 kfree(context);
23970741 1179 goto out_unlock;
1da177e4
LT		 1180 }
1181 /* Map ENODATA to the default file SID */
1182 sid = sbsec->def_sid;
1183 rc = 0;
1184 } else {
f5c1d5b2 1185 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1186 sbsec->def_sid,
1187 GFP_NOFS);
1da177e4
LT		 1188 if (rc) {
1189 printk(KERN_WARNING "%s: context_to_sid(%s) "
1190 "returned %d for dev=%s ino=%ld\n",
dd6f953a 1191 __func__, context, -rc,
1da177e4
LT		 1192 inode->i_sb->s_id, inode->i_ino);
1193 kfree(context);
1194 /* Leave with the unlabeled SID */
1195 rc = 0;
1196 break;
1197 }
1198 }
1199 kfree(context);
1200 isec->sid = sid;
1201 break;
1202 case SECURITY_FS_USE_TASK:
1203 isec->sid = isec->task_sid;
1204 break;
1205 case SECURITY_FS_USE_TRANS:
1206 /* Default to the fs SID. */
1207 isec->sid = sbsec->sid;
1208
1209 /* Try to obtain a transition SID. */
1210 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1211 rc = security_transition_sid(isec->task_sid,
1212 sbsec->sid,
1213 isec->sclass,
1214 &sid);
1215 if (rc)
23970741 1216 goto out_unlock;
1da177e4
LT		 1217 isec->sid = sid;
1218 break;
c312feb2
EP		 1219 case SECURITY_FS_USE_MNTPOINT:
1220 isec->sid = sbsec->mntpoint_sid;
1221 break;
1da177e4 1222 default:
c312feb2 1223 /* Default to the fs superblock SID. */
1da177e4
LT		 1224 isec->sid = sbsec->sid;
1225
1226 if (sbsec->proc) {
1227 struct proc_inode *proci = PROC_I(inode);
1228 if (proci->pde) {
1229 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1230 rc = selinux_proc_get_sid(proci->pde,
1231 isec->sclass,
1232 &sid);
1233 if (rc)
23970741 1234 goto out_unlock;
1da177e4
LT		 1235 isec->sid = sid;
1236 }
1237 }
1238 break;
1239 }
1240
1241 isec->initialized = 1;
1242
23970741
EP		 1243out_unlock:
1244 mutex_unlock(&isec->lock);
1da177e4
LT		 1245out:
1246 if (isec->sclass == SECCLASS_FILE)
1247 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1248 return rc;
1249}
1250
1251/* Convert a Linux signal to an access vector. */
1252static inline u32 signal_to_av(int sig)
1253{
1254 u32 perm = 0;
1255
1256 switch (sig) {
1257 case SIGCHLD:
1258 /* Commonly granted from child to parent. */
1259 perm = PROCESS__SIGCHLD;
1260 break;
1261 case SIGKILL:
1262 /* Cannot be caught or ignored */
1263 perm = PROCESS__SIGKILL;
1264 break;
1265 case SIGSTOP:
1266 /* Cannot be caught or ignored */
1267 perm = PROCESS__SIGSTOP;
1268 break;
1269 default:
1270 /* All other signals. */
1271 perm = PROCESS__SIGNAL;
1272 break;
1273 }
1274
1275 return perm;
1276}
1277
1278/* Check permission betweeen a pair of tasks, e.g. signal checks,
1279 fork check, ptrace check, etc. */
1280static int task_has_perm(struct task_struct *tsk1,
1281 struct task_struct *tsk2,
1282 u32 perms)
1283{
1284 struct task_security_struct *tsec1, *tsec2;
1285
1286 tsec1 = tsk1->security;
1287 tsec2 = tsk2->security;
1288 return avc_has_perm(tsec1->sid, tsec2->sid,
1289 SECCLASS_PROCESS, perms, NULL);
1290}
1291
b68e418c
SS		 1292#if CAP_LAST_CAP > 63
1293#error Fix SELinux to handle capabilities > 63.
1294#endif
1295
1da177e4
LT		 1296/* Check whether a task is allowed to use a capability. */
1297static int task_has_capability(struct task_struct *tsk,
1298 int cap)
1299{
1300 struct task_security_struct *tsec;
1301 struct avc_audit_data ad;
b68e418c
SS		 1302 u16 sclass;
1303 u32 av = CAP_TO_MASK(cap);
1da177e4
LT		 1304
1305 tsec = tsk->security;
1306
1307 AVC_AUDIT_DATA_INIT(&ad,CAP);
1308 ad.tsk = tsk;
1309 ad.u.cap = cap;
1310
b68e418c
SS		 1311 switch (CAP_TO_INDEX(cap)) {
1312 case 0:
1313 sclass = SECCLASS_CAPABILITY;
1314 break;
1315 case 1:
1316 sclass = SECCLASS_CAPABILITY2;
1317 break;
1318 default:
1319 printk(KERN_ERR
1320 "SELinux: out of range capability %d\n", cap);
1321 BUG();
1322 }
1323 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1da177e4
LT		 1324}
1325
1326/* Check whether a task is allowed to use a system operation. */
1327static int task_has_system(struct task_struct *tsk,
1328 u32 perms)
1329{
1330 struct task_security_struct *tsec;
1331
1332 tsec = tsk->security;
1333
1334 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1335 SECCLASS_SYSTEM, perms, NULL);
1336}
1337
1338/* Check whether a task has a particular permission to an inode.
1339 The 'adp' parameter is optional and allows other audit
1340 data to be passed (e.g. the dentry). */
1341static int inode_has_perm(struct task_struct *tsk,
1342 struct inode *inode,
1343 u32 perms,
1344 struct avc_audit_data *adp)
1345{
1346 struct task_security_struct *tsec;
1347 struct inode_security_struct *isec;
1348 struct avc_audit_data ad;
1349
bbaca6c2
SS		 1350 if (unlikely (IS_PRIVATE (inode)))
1351 return 0;
1352
1da177e4
LT		 1353 tsec = tsk->security;
1354 isec = inode->i_security;
1355
1356 if (!adp) {
1357 adp = &ad;
1358 AVC_AUDIT_DATA_INIT(&ad, FS);
1359 ad.u.fs.inode = inode;
1360 }
1361
1362 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1363}
1364
1365/* Same as inode_has_perm, but pass explicit audit data containing
1366 the dentry to help the auditing code to more easily generate the
1367 pathname if needed. */
1368static inline int dentry_has_perm(struct task_struct *tsk,
1369 struct vfsmount *mnt,
1370 struct dentry *dentry,
1371 u32 av)
1372{
1373 struct inode *inode = dentry->d_inode;
1374 struct avc_audit_data ad;
1375 AVC_AUDIT_DATA_INIT(&ad,FS);
44707fdf
JB		 1376 ad.u.fs.path.mnt = mnt;
1377 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1378 return inode_has_perm(tsk, inode, av, &ad);
1379}
1380
1381/* Check whether a task can use an open file descriptor to
1382 access an inode in a given way. Check access to the
1383 descriptor itself, and then use dentry_has_perm to
1384 check a particular permission to the file.
1385 Access to the descriptor is implicitly granted if it
1386 has the same SID as the process. If av is zero, then
1387 access to the file is not checked, e.g. for cases
1388 where only the descriptor is affected like seek. */
858119e1 1389static int file_has_perm(struct task_struct *tsk,
1da177e4
LT		 1390 struct file *file,
1391 u32 av)
1392{
1393 struct task_security_struct *tsec = tsk->security;
1394 struct file_security_struct *fsec = file->f_security;
44707fdf 1395 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 1396 struct avc_audit_data ad;
1397 int rc;
1398
1399 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1400 ad.u.fs.path = file->f_path;
1da177e4
LT		 1401
1402 if (tsec->sid != fsec->sid) {
1403 rc = avc_has_perm(tsec->sid, fsec->sid,
1404 SECCLASS_FD,
1405 FD__USE,
1406 &ad);
1407 if (rc)
1408 return rc;
1409 }
1410
1411 /* av is zero if only checking access to the descriptor. */
1412 if (av)
1413 return inode_has_perm(tsk, inode, av, &ad);
1414
1415 return 0;
1416}
1417
1418/* Check whether a task can create a file. */
1419static int may_create(struct inode *dir,
1420 struct dentry *dentry,
1421 u16 tclass)
1422{
1423 struct task_security_struct *tsec;
1424 struct inode_security_struct *dsec;
1425 struct superblock_security_struct *sbsec;
1426 u32 newsid;
1427 struct avc_audit_data ad;
1428 int rc;
1429
1430 tsec = current->security;
1431 dsec = dir->i_security;
1432 sbsec = dir->i_sb->s_security;
1433
1434 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1435 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1436
1437 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1438 DIR__ADD_NAME | DIR__SEARCH,
1439 &ad);
1440 if (rc)
1441 return rc;
1442
1443 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1444 newsid = tsec->create_sid;
1445 } else {
1446 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1447 &newsid);
1448 if (rc)
1449 return rc;
1450 }
1451
1452 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1453 if (rc)
1454 return rc;
1455
1456 return avc_has_perm(newsid, sbsec->sid,
1457 SECCLASS_FILESYSTEM,
1458 FILESYSTEM__ASSOCIATE, &ad);
1459}
1460
4eb582cf
ML		 1461/* Check whether a task can create a key. */
1462static int may_create_key(u32 ksid,
1463 struct task_struct *ctx)
1464{
1465 struct task_security_struct *tsec;
1466
1467 tsec = ctx->security;
1468
1469 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1470}
1471
1da177e4
LT		 1472#define MAY_LINK 0
1473#define MAY_UNLINK 1
1474#define MAY_RMDIR 2
1475
1476/* Check whether a task can link, unlink, or rmdir a file/directory. */
1477static int may_link(struct inode *dir,
1478 struct dentry *dentry,
1479 int kind)
1480
1481{
1482 struct task_security_struct *tsec;
1483 struct inode_security_struct *dsec, *isec;
1484 struct avc_audit_data ad;
1485 u32 av;
1486 int rc;
1487
1488 tsec = current->security;
1489 dsec = dir->i_security;
1490 isec = dentry->d_inode->i_security;
1491
1492 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1493 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1494
1495 av = DIR__SEARCH;
1496 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1497 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1498 if (rc)
1499 return rc;
1500
1501 switch (kind) {
1502 case MAY_LINK:
1503 av = FILE__LINK;
1504 break;
1505 case MAY_UNLINK:
1506 av = FILE__UNLINK;
1507 break;
1508 case MAY_RMDIR:
1509 av = DIR__RMDIR;
1510 break;
1511 default:
1512 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1513 return 0;
1514 }
1515
1516 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1517 return rc;
1518}
1519
1520static inline int may_rename(struct inode *old_dir,
1521 struct dentry *old_dentry,
1522 struct inode *new_dir,
1523 struct dentry *new_dentry)
1524{
1525 struct task_security_struct *tsec;
1526 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1527 struct avc_audit_data ad;
1528 u32 av;
1529 int old_is_dir, new_is_dir;
1530 int rc;
1531
1532 tsec = current->security;
1533 old_dsec = old_dir->i_security;
1534 old_isec = old_dentry->d_inode->i_security;
1535 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1536 new_dsec = new_dir->i_security;
1537
1538 AVC_AUDIT_DATA_INIT(&ad, FS);
1539
44707fdf 1540 ad.u.fs.path.dentry = old_dentry;
1da177e4
LT		 1541 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1542 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1543 if (rc)
1544 return rc;
1545 rc = avc_has_perm(tsec->sid, old_isec->sid,
1546 old_isec->sclass, FILE__RENAME, &ad);
1547 if (rc)
1548 return rc;
1549 if (old_is_dir && new_dir != old_dir) {
1550 rc = avc_has_perm(tsec->sid, old_isec->sid,
1551 old_isec->sclass, DIR__REPARENT, &ad);
1552 if (rc)
1553 return rc;
1554 }
1555
44707fdf 1556 ad.u.fs.path.dentry = new_dentry;
1da177e4
LT		 1557 av = DIR__ADD_NAME | DIR__SEARCH;
1558 if (new_dentry->d_inode)
1559 av |= DIR__REMOVE_NAME;
1560 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1561 if (rc)
1562 return rc;
1563 if (new_dentry->d_inode) {
1564 new_isec = new_dentry->d_inode->i_security;
1565 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1566 rc = avc_has_perm(tsec->sid, new_isec->sid,
1567 new_isec->sclass,
1568 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1569 if (rc)
1570 return rc;
1571 }
1572
1573 return 0;
1574}
1575
1576/* Check whether a task can perform a filesystem operation. */
1577static int superblock_has_perm(struct task_struct *tsk,
1578 struct super_block *sb,
1579 u32 perms,
1580 struct avc_audit_data *ad)
1581{
1582 struct task_security_struct *tsec;
1583 struct superblock_security_struct *sbsec;
1584
1585 tsec = tsk->security;
1586 sbsec = sb->s_security;
1587 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1588 perms, ad);
1589}
1590
1591/* Convert a Linux mode and permission mask to an access vector. */
1592static inline u32 file_mask_to_av(int mode, int mask)
1593{
1594 u32 av = 0;
1595
1596 if ((mode & S_IFMT) != S_IFDIR) {
1597 if (mask & MAY_EXEC)
1598 av |= FILE__EXECUTE;
1599 if (mask & MAY_READ)
1600 av |= FILE__READ;
1601
1602 if (mask & MAY_APPEND)
1603 av |= FILE__APPEND;
1604 else if (mask & MAY_WRITE)
1605 av |= FILE__WRITE;
1606
1607 } else {
1608 if (mask & MAY_EXEC)
1609 av |= DIR__SEARCH;
1610 if (mask & MAY_WRITE)
1611 av |= DIR__WRITE;
1612 if (mask & MAY_READ)
1613 av |= DIR__READ;
1614 }
1615
1616 return av;
1617}
1618
b0c636b9
EP		 1619/*
1620 * Convert a file mask to an access vector and include the correct open
1621 * open permission.
1622 */
1623static inline u32 open_file_mask_to_av(int mode, int mask)
1624{
1625 u32 av = file_mask_to_av(mode, mask);
1626
1627 if (selinux_policycap_openperm) {
1628 /*
1629 * lnk files and socks do not really have an 'open'
1630 */
1631 if (S_ISREG(mode))
1632 av |= FILE__OPEN;
1633 else if (S_ISCHR(mode))
1634 av |= CHR_FILE__OPEN;
1635 else if (S_ISBLK(mode))
1636 av |= BLK_FILE__OPEN;
1637 else if (S_ISFIFO(mode))
1638 av |= FIFO_FILE__OPEN;
1639 else if (S_ISDIR(mode))
1640 av |= DIR__OPEN;
1641 else
1642 printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av "
1643 "with unknown mode:%x\n", mode);
1644 }
1645 return av;
1646}
1647
1da177e4
LT		 1648/* Convert a Linux file to an access vector. */
1649static inline u32 file_to_av(struct file *file)
1650{
1651 u32 av = 0;
1652
1653 if (file->f_mode & FMODE_READ)
1654 av |= FILE__READ;
1655 if (file->f_mode & FMODE_WRITE) {
1656 if (file->f_flags & O_APPEND)
1657 av |= FILE__APPEND;
1658 else
1659 av |= FILE__WRITE;
1660 }
0794c66d
SS		 1661 if (!av) {
1662 /*
1663 * Special file opened with flags 3 for ioctl-only use.
1664 */
1665 av = FILE__IOCTL;
1666 }
1da177e4
LT		 1667
1668 return av;
1669}
1670
1da177e4
LT		 1671/* Hook functions begin here. */
1672
1673static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1674{
1da177e4
LT		 1675 int rc;
1676
1677 rc = secondary_ops->ptrace(parent,child);
1678 if (rc)
1679 return rc;
1680
0356357c 1681 return task_has_perm(parent, child, PROCESS__PTRACE);
1da177e4
LT		 1682}
1683
1684static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1685 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1686{
1687 int error;
1688
1689 error = task_has_perm(current, target, PROCESS__GETCAP);
1690 if (error)
1691 return error;
1692
1693 return secondary_ops->capget(target, effective, inheritable, permitted);
1694}
1695
1696static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1697 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1698{
1699 int error;
1700
1701 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1702 if (error)
1703 return error;
1704
1705 return task_has_perm(current, target, PROCESS__SETCAP);
1706}
1707
1708static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1709 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1710{
1711 secondary_ops->capset_set(target, effective, inheritable, permitted);
1712}
1713
1714static int selinux_capable(struct task_struct *tsk, int cap)
1715{
1716 int rc;
1717
1718 rc = secondary_ops->capable(tsk, cap);
1719 if (rc)
1720 return rc;
1721
1722 return task_has_capability(tsk,cap);
1723}
1724
3fbfa981
EB		 1725static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1726{
1727 int buflen, rc;
1728 char *buffer, *path, *end;
1729
1730 rc = -ENOMEM;
1731 buffer = (char*)__get_free_page(GFP_KERNEL);
1732 if (!buffer)
1733 goto out;
1734
1735 buflen = PAGE_SIZE;
1736 end = buffer+buflen;
1737 *--end = '\0';
1738 buflen--;
1739 path = end-1;
1740 *path = '/';
1741 while (table) {
1742 const char *name = table->procname;
1743 size_t namelen = strlen(name);
1744 buflen -= namelen + 1;
1745 if (buflen < 0)
1746 goto out_free;
1747 end -= namelen;
1748 memcpy(end, name, namelen);
1749 *--end = '/';
1750 path = end;
1751 table = table->parent;
1752 }
b599fdfd
EB		 1753 buflen -= 4;
1754 if (buflen < 0)
1755 goto out_free;
1756 end -= 4;
1757 memcpy(end, "/sys", 4);
1758 path = end;
3fbfa981
EB		 1759 rc = security_genfs_sid("proc", path, tclass, sid);
1760out_free:
1761 free_page((unsigned long)buffer);
1762out:
1763 return rc;
1764}
1765
1da177e4
LT		 1766static int selinux_sysctl(ctl_table *table, int op)
1767{
1768 int error = 0;
1769 u32 av;
1770 struct task_security_struct *tsec;
1771 u32 tsid;
1772 int rc;
1773
1774 rc = secondary_ops->sysctl(table, op);
1775 if (rc)
1776 return rc;
1777
1778 tsec = current->security;
1779
3fbfa981
EB		 1780 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1781 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1da177e4
LT		 1782 if (rc) {
1783 /* Default to the well-defined sysctl SID. */
1784 tsid = SECINITSID_SYSCTL;
1785 }
1786
1787 /* The op values are "defined" in sysctl.c, thereby creating
1788 * a bad coupling between this module and sysctl.c */
1789 if(op == 001) {
1790 error = avc_has_perm(tsec->sid, tsid,
1791 SECCLASS_DIR, DIR__SEARCH, NULL);
1792 } else {
1793 av = 0;
1794 if (op & 004)
1795 av |= FILE__READ;
1796 if (op & 002)
1797 av |= FILE__WRITE;
1798 if (av)
1799 error = avc_has_perm(tsec->sid, tsid,
1800 SECCLASS_FILE, av, NULL);
1801 }
1802
1803 return error;
1804}
1805
1806static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1807{
1808 int rc = 0;
1809
1810 if (!sb)
1811 return 0;
1812
1813 switch (cmds) {
1814 case Q_SYNC:
1815 case Q_QUOTAON:
1816 case Q_QUOTAOFF:
1817 case Q_SETINFO:
1818 case Q_SETQUOTA:
1819 rc = superblock_has_perm(current,
1820 sb,
1821 FILESYSTEM__QUOTAMOD, NULL);
1822 break;
1823 case Q_GETFMT:
1824 case Q_GETINFO:
1825 case Q_GETQUOTA:
1826 rc = superblock_has_perm(current,
1827 sb,
1828 FILESYSTEM__QUOTAGET, NULL);
1829 break;
1830 default:
1831 rc = 0; /* let the kernel handle invalid cmds */
1832 break;
1833 }
1834 return rc;
1835}
1836
1837static int selinux_quota_on(struct dentry *dentry)
1838{
1839 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1840}
1841
1842static int selinux_syslog(int type)
1843{
1844 int rc;
1845
1846 rc = secondary_ops->syslog(type);
1847 if (rc)
1848 return rc;
1849
1850 switch (type) {
1851 case 3: /* Read last kernel messages */
1852 case 10: /* Return size of the log buffer */
1853 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1854 break;
1855 case 6: /* Disable logging to console */
1856 case 7: /* Enable logging to console */
1857 case 8: /* Set level of messages printed to console */
1858 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1859 break;
1860 case 0: /* Close log */
1861 case 1: /* Open log */
1862 case 2: /* Read from log */
1863 case 4: /* Read/clear last kernel messages */
1864 case 5: /* Clear ring buffer */
1865 default:
1866 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1867 break;
1868 }
1869 return rc;
1870}
1871
1872/*
1873 * Check that a process has enough memory to allocate a new virtual
1874 * mapping. 0 means there is enough memory for the allocation to
1875 * succeed and -ENOMEM implies there is not.
1876 *
1877 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1878 * if the capability is granted, but __vm_enough_memory requires 1 if
1879 * the capability is granted.
1880 *
1881 * Do not audit the selinux permission check, as this is applied to all
1882 * processes that allocate mappings.
1883 */
34b4e4aa 1884static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 1885{
1886 int rc, cap_sys_admin = 0;
1887 struct task_security_struct *tsec = current->security;
1888
1889 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1890 if (rc == 0)
1891 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2c3c05db
SS		 1892 SECCLASS_CAPABILITY,
1893 CAP_TO_MASK(CAP_SYS_ADMIN),
1894 0,
1895 NULL);
1da177e4
LT		 1896
1897 if (rc == 0)
1898 cap_sys_admin = 1;
1899
34b4e4aa 1900 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 1901}
1902
0356357c
RM		 1903/**
1904 * task_tracer_task - return the task that is tracing the given task
1905 * @task: task to consider
1906 *
1907 * Returns NULL if noone is tracing @task, or the &struct task_struct
1908 * pointer to its tracer.
1909 *
1910 * Must be called under rcu_read_lock().
1911 */
1912static struct task_struct *task_tracer_task(struct task_struct *task)
1913{
1914 if (task->ptrace & PT_PTRACED)
1915 return rcu_dereference(task->parent);
1916 return NULL;
1917}
1918
1da177e4
LT		 1919/* binprm security operations */
1920
1921static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1922{
1923 struct bprm_security_struct *bsec;
1924
89d155ef 1925 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1da177e4
LT		 1926 if (!bsec)
1927 return -ENOMEM;
1928
1da177e4
LT		 1929 bsec->sid = SECINITSID_UNLABELED;
1930 bsec->set = 0;
1931
1932 bprm->security = bsec;
1933 return 0;
1934}
1935
1936static int selinux_bprm_set_security(struct linux_binprm *bprm)
1937{
1938 struct task_security_struct *tsec;
3d5ff529 1939 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1da177e4
LT		 1940 struct inode_security_struct *isec;
1941 struct bprm_security_struct *bsec;
1942 u32 newsid;
1943 struct avc_audit_data ad;
1944 int rc;
1945
1946 rc = secondary_ops->bprm_set_security(bprm);
1947 if (rc)
1948 return rc;
1949
1950 bsec = bprm->security;
1951
1952 if (bsec->set)
1953 return 0;
1954
1955 tsec = current->security;
1956 isec = inode->i_security;
1957
1958 /* Default to the current task SID. */
1959 bsec->sid = tsec->sid;
1960
28eba5bf 1961 /* Reset fs, key, and sock SIDs on execve. */
1da177e4 1962 tsec->create_sid = 0;
28eba5bf 1963 tsec->keycreate_sid = 0;
42c3e03e 1964 tsec->sockcreate_sid = 0;
1da177e4
LT		 1965
1966 if (tsec->exec_sid) {
1967 newsid = tsec->exec_sid;
1968 /* Reset exec SID on execve. */
1969 tsec->exec_sid = 0;
1970 } else {
1971 /* Check for a default transition on this program. */
1972 rc = security_transition_sid(tsec->sid, isec->sid,
1973 SECCLASS_PROCESS, &newsid);
1974 if (rc)
1975 return rc;
1976 }
1977
1978 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1979 ad.u.fs.path = bprm->file->f_path;
1da177e4 1980
3d5ff529 1981 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1da177e4
LT		 1982 newsid = tsec->sid;
1983
1984 if (tsec->sid == newsid) {
1985 rc = avc_has_perm(tsec->sid, isec->sid,
1986 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1987 if (rc)
1988 return rc;
1989 } else {
1990 /* Check permissions for the transition. */
1991 rc = avc_has_perm(tsec->sid, newsid,
1992 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1993 if (rc)
1994 return rc;
1995
1996 rc = avc_has_perm(newsid, isec->sid,
1997 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1998 if (rc)
1999 return rc;
2000
2001 /* Clear any possibly unsafe personality bits on exec: */
2002 current->personality &= ~PER_CLEAR_ON_SETID;
2003
2004 /* Set the security field to the new SID. */
2005 bsec->sid = newsid;
2006 }
2007
2008 bsec->set = 1;
2009 return 0;
2010}
2011
2012static int selinux_bprm_check_security (struct linux_binprm *bprm)
2013{
2014 return secondary_ops->bprm_check_security(bprm);
2015}
2016
2017
2018static int selinux_bprm_secureexec (struct linux_binprm *bprm)
2019{
2020 struct task_security_struct *tsec = current->security;
2021 int atsecure = 0;
2022
2023 if (tsec->osid != tsec->sid) {
2024 /* Enable secure mode for SIDs transitions unless
2025 the noatsecure permission is granted between
2026 the two SIDs, i.e. ahp returns 0. */
2027 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2028 SECCLASS_PROCESS,
2029 PROCESS__NOATSECURE, NULL);
2030 }
2031
2032 return (atsecure || secondary_ops->bprm_secureexec(bprm));
2033}
2034
2035static void selinux_bprm_free_security(struct linux_binprm *bprm)
2036{
9a5f04bf 2037 kfree(bprm->security);
1da177e4 2038 bprm->security = NULL;
1da177e4
LT		 2039}
2040
2041extern struct vfsmount *selinuxfs_mount;
2042extern struct dentry *selinux_null;
2043
2044/* Derived from fs/exec.c:flush_old_files. */
2045static inline void flush_unauthorized_files(struct files_struct * files)
2046{
2047 struct avc_audit_data ad;
2048 struct file *file, *devnull = NULL;
b20c8122 2049 struct tty_struct *tty;
badf1662 2050 struct fdtable *fdt;
1da177e4 2051 long j = -1;
24ec839c 2052 int drop_tty = 0;
1da177e4 2053
b20c8122 2054 mutex_lock(&tty_mutex);
24ec839c 2055 tty = get_current_tty();
1da177e4
LT		 2056 if (tty) {
2057 file_list_lock();
2f512016 2058 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1da177e4
LT		 2059 if (file) {
2060 /* Revalidate access to controlling tty.
2061 Use inode_has_perm on the tty inode directly rather
2062 than using file_has_perm, as this particular open
2063 file may belong to another process and we are only
2064 interested in the inode-based check here. */
3d5ff529 2065 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2066 if (inode_has_perm(current, inode,
2067 FILE__READ | FILE__WRITE, NULL)) {
24ec839c 2068 drop_tty = 1;
1da177e4
LT		 2069 }
2070 }
2071 file_list_unlock();
2072 }
b20c8122 2073 mutex_unlock(&tty_mutex);
98a27ba4
EB		 2074 /* Reset controlling tty. */
2075 if (drop_tty)
2076 no_tty();
1da177e4
LT		 2077
2078 /* Revalidate access to inherited open files. */
2079
2080 AVC_AUDIT_DATA_INIT(&ad,FS);
2081
2082 spin_lock(&files->file_lock);
2083 for (;;) {
2084 unsigned long set, i;
2085 int fd;
2086
2087 j++;
2088 i = j * __NFDBITS;
badf1662 2089 fdt = files_fdtable(files);
bbea9f69 2090 if (i >= fdt->max_fds)
1da177e4 2091 break;
badf1662 2092 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 2093 if (!set)
2094 continue;
2095 spin_unlock(&files->file_lock);
2096 for ( ; set ; i++,set >>= 1) {
2097 if (set & 1) {
2098 file = fget(i);
2099 if (!file)
2100 continue;
2101 if (file_has_perm(current,
2102 file,
2103 file_to_av(file))) {
2104 sys_close(i);
2105 fd = get_unused_fd();
2106 if (fd != i) {
2107 if (fd >= 0)
2108 put_unused_fd(fd);
2109 fput(file);
2110 continue;
2111 }
2112 if (devnull) {
095975da 2113 get_file(devnull);
1da177e4
LT		 2114 } else {
2115 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
fc5d81e6
AM		 2116 if (IS_ERR(devnull)) {
2117 devnull = NULL;
1da177e4
LT		 2118 put_unused_fd(fd);
2119 fput(file);
2120 continue;
2121 }
2122 }
2123 fd_install(fd, devnull);
2124 }
2125 fput(file);
2126 }
2127 }
2128 spin_lock(&files->file_lock);
2129
2130 }
2131 spin_unlock(&files->file_lock);
2132}
2133
2134static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2135{
2136 struct task_security_struct *tsec;
2137 struct bprm_security_struct *bsec;
2138 u32 sid;
2139 int rc;
2140
2141 secondary_ops->bprm_apply_creds(bprm, unsafe);
2142
2143 tsec = current->security;
2144
2145 bsec = bprm->security;
2146 sid = bsec->sid;
2147
2148 tsec->osid = tsec->sid;
2149 bsec->unsafe = 0;
2150 if (tsec->sid != sid) {
2151 /* Check for shared state. If not ok, leave SID
2152 unchanged and kill. */
2153 if (unsafe & LSM_UNSAFE_SHARE) {
2154 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2155 PROCESS__SHARE, NULL);
2156 if (rc) {
2157 bsec->unsafe = 1;
2158 return;
2159 }
2160 }
2161
2162 /* Check for ptracing, and update the task SID if ok.
2163 Otherwise, leave SID unchanged and kill. */
2164 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
0356357c
RM		 2165 struct task_struct *tracer;
2166 struct task_security_struct *sec;
2167 u32 ptsid = 0;
2168
2169 rcu_read_lock();
2170 tracer = task_tracer_task(current);
2171 if (likely(tracer != NULL)) {
2172 sec = tracer->security;
2173 ptsid = sec->sid;
2174 }
2175 rcu_read_unlock();
2176
2177 if (ptsid != 0) {
2178 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2179 PROCESS__PTRACE, NULL);
2180 if (rc) {
2181 bsec->unsafe = 1;
2182 return;
2183 }
1da177e4
LT		 2184 }
2185 }
2186 tsec->sid = sid;
2187 }
2188}
2189
2190/*
2191 * called after apply_creds without the task lock held
2192 */
2193static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2194{
2195 struct task_security_struct *tsec;
2196 struct rlimit *rlim, *initrlim;
2197 struct itimerval itimer;
2198 struct bprm_security_struct *bsec;
2199 int rc, i;
2200
2201 tsec = current->security;
2202 bsec = bprm->security;
2203
2204 if (bsec->unsafe) {
2205 force_sig_specific(SIGKILL, current);
2206 return;
2207 }
2208 if (tsec->osid == tsec->sid)
2209 return;
2210
2211 /* Close files for which the new task SID is not authorized. */
2212 flush_unauthorized_files(current->files);
2213
2214 /* Check whether the new SID can inherit signal state
2215 from the old SID. If not, clear itimers to avoid
2216 subsequent signal generation and flush and unblock
2217 signals. This must occur _after_ the task SID has
2218 been updated so that any kill done after the flush
2219 will be checked against the new SID. */
2220 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2221 PROCESS__SIGINH, NULL);
2222 if (rc) {
2223 memset(&itimer, 0, sizeof itimer);
2224 for (i = 0; i < 3; i++)
2225 do_setitimer(i, &itimer, NULL);
2226 flush_signals(current);
2227 spin_lock_irq(&current->sighand->siglock);
2228 flush_signal_handlers(current, 1);
2229 sigemptyset(&current->blocked);
2230 recalc_sigpending();
2231 spin_unlock_irq(&current->sighand->siglock);
2232 }
2233
4ac212ad
SS		 2234 /* Always clear parent death signal on SID transitions. */
2235 current->pdeath_signal = 0;
2236
1da177e4
LT		 2237 /* Check whether the new SID can inherit resource limits
2238 from the old SID. If not, reset all soft limits to
2239 the lower of the current task's hard limit and the init
2240 task's soft limit. Note that the setting of hard limits
2241 (even to lower them) can be controlled by the setrlimit
2242 check. The inclusion of the init task's soft limit into
2243 the computation is to avoid resetting soft limits higher
2244 than the default soft limit for cases where the default
2245 is lower than the hard limit, e.g. RLIMIT_CORE or
2246 RLIMIT_STACK.*/
2247 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2248 PROCESS__RLIMITINH, NULL);
2249 if (rc) {
2250 for (i = 0; i < RLIM_NLIMITS; i++) {
2251 rlim = current->signal->rlim + i;
2252 initrlim = init_task.signal->rlim+i;
2253 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2254 }
2255 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2256 /*
2257 * This will cause RLIMIT_CPU calculations
2258 * to be refigured.
2259 */
2260 current->it_prof_expires = jiffies_to_cputime(1);
2261 }
2262 }
2263
2264 /* Wake up the parent if it is waiting so that it can
2265 recheck wait permission to the new task SID. */
2266 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2267}
2268
2269/* superblock security operations */
2270
2271static int selinux_sb_alloc_security(struct super_block *sb)
2272{
2273 return superblock_alloc_security(sb);
2274}
2275
2276static void selinux_sb_free_security(struct super_block *sb)
2277{
2278 superblock_free_security(sb);
2279}
2280
2281static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2282{
2283 if (plen > olen)
2284 return 0;
2285
2286 return !memcmp(prefix, option, plen);
2287}
2288
2289static inline int selinux_option(char *option, int len)
2290{
832cbd9a
EP		 2291 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2292 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2293 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2294 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
1da177e4
LT		 2295}
2296
2297static inline void take_option(char **to, char *from, int *first, int len)
2298{
2299 if (!*first) {
2300 **to = ',';
2301 *to += 1;
3528a953 2302 } else
1da177e4
LT		 2303 *first = 0;
2304 memcpy(*to, from, len);
2305 *to += len;
2306}
2307
3528a953
CO		 2308static inline void take_selinux_option(char **to, char *from, int *first,
2309 int len)
2310{
2311 int current_size = 0;
2312
2313 if (!*first) {
2314 **to = '|';
2315 *to += 1;
2316 }
2317 else
2318 *first = 0;
2319
2320 while (current_size < len) {
2321 if (*from != '"') {
2322 **to = *from;
2323 *to += 1;
2324 }
2325 from += 1;
2326 current_size += 1;
2327 }
2328}
2329
e0007529 2330static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2331{
2332 int fnosec, fsec, rc = 0;
2333 char *in_save, *in_curr, *in_end;
2334 char *sec_curr, *nosec_save, *nosec;
3528a953 2335 int open_quote = 0;
1da177e4
LT		 2336
2337 in_curr = orig;
2338 sec_curr = copy;
2339
1da177e4
LT		 2340 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2341 if (!nosec) {
2342 rc = -ENOMEM;
2343 goto out;
2344 }
2345
2346 nosec_save = nosec;
2347 fnosec = fsec = 1;
2348 in_save = in_end = orig;
2349
2350 do {
3528a953
CO		 2351 if (*in_end == '"')
2352 open_quote = !open_quote;
2353 if ((*in_end == ',' && open_quote == 0) ||
2354 *in_end == '\0') {
1da177e4
LT		 2355 int len = in_end - in_curr;
2356
2357 if (selinux_option(in_curr, len))
3528a953 2358 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2359 else
2360 take_option(&nosec, in_curr, &fnosec, len);
2361
2362 in_curr = in_end + 1;
2363 }
2364 } while (*in_end++);
2365
6931dfc9 2366 strcpy(in_save, nosec_save);
da3caa20 2367 free_page((unsigned long)nosec_save);
1da177e4
LT		 2368out:
2369 return rc;
2370}
2371
2372static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2373{
2374 struct avc_audit_data ad;
2375 int rc;
2376
2377 rc = superblock_doinit(sb, data);
2378 if (rc)
2379 return rc;
2380
2381 AVC_AUDIT_DATA_INIT(&ad,FS);
44707fdf 2382 ad.u.fs.path.dentry = sb->s_root;
1da177e4
LT		 2383 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2384}
2385
726c3342 2386static int selinux_sb_statfs(struct dentry *dentry)
1da177e4
LT		 2387{
2388 struct avc_audit_data ad;
2389
2390 AVC_AUDIT_DATA_INIT(&ad,FS);
44707fdf 2391 ad.u.fs.path.dentry = dentry->d_sb->s_root;
726c3342 2392 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2393}
2394
2395static int selinux_mount(char * dev_name,
2396 struct nameidata *nd,
2397 char * type,
2398 unsigned long flags,
2399 void * data)
2400{
2401 int rc;
2402
2403 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2404 if (rc)
2405 return rc;
2406
2407 if (flags & MS_REMOUNT)
4ac91378 2408 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
1da177e4
LT		 2409 FILESYSTEM__REMOUNT, NULL);
2410 else
4ac91378 2411 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
1da177e4
LT		 2412 FILE__MOUNTON);
2413}
2414
2415static int selinux_umount(struct vfsmount *mnt, int flags)
2416{
2417 int rc;
2418
2419 rc = secondary_ops->sb_umount(mnt, flags);
2420 if (rc)
2421 return rc;
2422
2423 return superblock_has_perm(current,mnt->mnt_sb,
2424 FILESYSTEM__UNMOUNT,NULL);
2425}
2426
2427/* inode security operations */
2428
2429static int selinux_inode_alloc_security(struct inode *inode)
2430{
2431 return inode_alloc_security(inode);
2432}
2433
2434static void selinux_inode_free_security(struct inode *inode)
2435{
2436 inode_free_security(inode);
2437}
2438
5e41ff9e
SS		 2439static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2440 char **name, void **value,
2441 size_t *len)
2442{
2443 struct task_security_struct *tsec;
2444 struct inode_security_struct *dsec;
2445 struct superblock_security_struct *sbsec;
570bc1c2 2446 u32 newsid, clen;
5e41ff9e 2447 int rc;
570bc1c2 2448 char *namep = NULL, *context;
5e41ff9e
SS		 2449
2450 tsec = current->security;
2451 dsec = dir->i_security;
2452 sbsec = dir->i_sb->s_security;
5e41ff9e
SS		 2453
2454 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2455 newsid = tsec->create_sid;
2456 } else {
2457 rc = security_transition_sid(tsec->sid, dsec->sid,
2458 inode_mode_to_security_class(inode->i_mode),
2459 &newsid);
2460 if (rc) {
2461 printk(KERN_WARNING "%s: "
2462 "security_transition_sid failed, rc=%d (dev=%s "
2463 "ino=%ld)\n",
dd6f953a 2464 __func__,
5e41ff9e
SS		 2465 -rc, inode->i_sb->s_id, inode->i_ino);
2466 return rc;
2467 }
2468 }
2469
296fddf7
EP		 2470 /* Possibly defer initialization to selinux_complete_init. */
2471 if (sbsec->initialized) {
2472 struct inode_security_struct *isec = inode->i_security;
2473 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2474 isec->sid = newsid;
2475 isec->initialized = 1;
2476 }
5e41ff9e 2477
8aad3875 2478 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
25a74f3b
SS		 2479 return -EOPNOTSUPP;
2480
570bc1c2 2481 if (name) {
a02fe132 2482 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
570bc1c2
SS		 2483 if (!namep)
2484 return -ENOMEM;
2485 *name = namep;
2486 }
5e41ff9e 2487
570bc1c2
SS		 2488 if (value && len) {
2489 rc = security_sid_to_context(newsid, &context, &clen);
2490 if (rc) {
2491 kfree(namep);
2492 return rc;
2493 }
2494 *value = context;
2495 *len = clen;
5e41ff9e 2496 }
5e41ff9e 2497
5e41ff9e
SS		 2498 return 0;
2499}
2500
1da177e4
LT		 2501static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2502{
2503 return may_create(dir, dentry, SECCLASS_FILE);
2504}
2505
1da177e4
LT		 2506static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2507{
2508 int rc;
2509
2510 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2511 if (rc)
2512 return rc;
2513 return may_link(dir, old_dentry, MAY_LINK);
2514}
2515
1da177e4
LT		 2516static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2517{
2518 int rc;
2519
2520 rc = secondary_ops->inode_unlink(dir, dentry);
2521 if (rc)
2522 return rc;
2523 return may_link(dir, dentry, MAY_UNLINK);
2524}
2525
2526static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2527{
2528 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2529}
2530
1da177e4
LT		 2531static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2532{
2533 return may_create(dir, dentry, SECCLASS_DIR);
2534}
2535
1da177e4
LT		 2536static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2537{
2538 return may_link(dir, dentry, MAY_RMDIR);
2539}
2540
2541static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2542{
2543 int rc;
2544
2545 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2546 if (rc)
2547 return rc;
2548
2549 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2550}
2551
1da177e4
LT		 2552static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2553 struct inode *new_inode, struct dentry *new_dentry)
2554{
2555 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2556}
2557
1da177e4
LT		 2558static int selinux_inode_readlink(struct dentry *dentry)
2559{
2560 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2561}
2562
2563static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2564{
2565 int rc;
2566
2567 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2568 if (rc)
2569 return rc;
2570 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2571}
2572
2573static int selinux_inode_permission(struct inode *inode, int mask,
2574 struct nameidata *nd)
2575{
2576 int rc;
2577
2578 rc = secondary_ops->inode_permission(inode, mask, nd);
2579 if (rc)
2580 return rc;
2581
2582 if (!mask) {
2583 /* No permission to check. Existence test. */
2584 return 0;
2585 }
2586
2587 return inode_has_perm(current, inode,
b0c636b9 2588 open_file_mask_to_av(inode->i_mode, mask), NULL);
1da177e4
LT		 2589}
2590
2591static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2592{
2593 int rc;
2594
2595 rc = secondary_ops->inode_setattr(dentry, iattr);
2596 if (rc)
2597 return rc;
2598
2599 if (iattr->ia_valid & ATTR_FORCE)
2600 return 0;
2601
2602 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2603 ATTR_ATIME_SET | ATTR_MTIME_SET))
2604 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2605
2606 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2607}
2608
2609static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2610{
2611 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2612}
2613
b5376771
SH		 2614static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2615{
2616 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2617 sizeof XATTR_SECURITY_PREFIX - 1)) {
2618 if (!strcmp(name, XATTR_NAME_CAPS)) {
2619 if (!capable(CAP_SETFCAP))
2620 return -EPERM;
2621 } else if (!capable(CAP_SYS_ADMIN)) {
2622 /* A different attribute in the security namespace.
2623 Restrict to administrator. */
2624 return -EPERM;
2625 }
2626 }
2627
2628 /* Not an attribute we recognize, so just check the
2629 ordinary setattr permission. */
2630 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2631}
2632
1da177e4
LT		 2633static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2634{
2635 struct task_security_struct *tsec = current->security;
2636 struct inode *inode = dentry->d_inode;
2637 struct inode_security_struct *isec = inode->i_security;
2638 struct superblock_security_struct *sbsec;
2639 struct avc_audit_data ad;
2640 u32 newsid;
2641 int rc = 0;
2642
b5376771
SH		 2643 if (strcmp(name, XATTR_NAME_SELINUX))
2644 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2645
2646 sbsec = inode->i_sb->s_security;
2647 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2648 return -EOPNOTSUPP;
2649
3bd858ab 2650 if (!is_owner_or_cap(inode))
1da177e4
LT		 2651 return -EPERM;
2652
2653 AVC_AUDIT_DATA_INIT(&ad,FS);
44707fdf 2654 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 2655
2656 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2657 FILE__RELABELFROM, &ad);
2658 if (rc)
2659 return rc;
2660
2661 rc = security_context_to_sid(value, size, &newsid);
2662 if (rc)
2663 return rc;
2664
2665 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2666 FILE__RELABELTO, &ad);
2667 if (rc)
2668 return rc;
2669
2670 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2671 isec->sclass);
2672 if (rc)
2673 return rc;
2674
2675 return avc_has_perm(newsid,
2676 sbsec->sid,
2677 SECCLASS_FILESYSTEM,
2678 FILESYSTEM__ASSOCIATE,
2679 &ad);
2680}
2681
2682static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2683 void *value, size_t size, int flags)
2684{
2685 struct inode *inode = dentry->d_inode;
2686 struct inode_security_struct *isec = inode->i_security;
2687 u32 newsid;
2688 int rc;
2689
2690 if (strcmp(name, XATTR_NAME_SELINUX)) {
2691 /* Not an attribute we recognize, so nothing to do. */
2692 return;
2693 }
2694
2695 rc = security_context_to_sid(value, size, &newsid);
2696 if (rc) {
2697 printk(KERN_WARNING "%s: unable to obtain SID for context "
f0115e6c 2698 "%s, rc=%d\n", __func__, (char *)value, -rc);
1da177e4
LT		 2699 return;
2700 }
2701
2702 isec->sid = newsid;
2703 return;
2704}
2705
2706static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2707{
1da177e4
LT		 2708 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2709}
2710
2711static int selinux_inode_listxattr (struct dentry *dentry)
2712{
2713 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2714}
2715
2716static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2717{
b5376771
SH		 2718 if (strcmp(name, XATTR_NAME_SELINUX))
2719 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2720
2721 /* No one is allowed to remove a SELinux security label.
2722 You can change the label, but all data must be labeled. */
2723 return -EACCES;
2724}
2725
d381d8a9
JM		 2726/*
2727 * Copy the in-core inode security context value to the user. If the
2728 * getxattr() prior to this succeeded, check to see if we need to
2729 * canonicalize the value to be finally returned to the user.
2730 *
2731 * Permission check is handled by selinux_inode_getxattr hook.
2732 */
42492594 2733static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 2734{
42492594
DQ		 2735 u32 size;
2736 int error;
2737 char *context = NULL;
1da177e4 2738 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2739
8c8570fb
DK		 2740 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2741 return -EOPNOTSUPP;
d381d8a9 2742
42492594
DQ		 2743 error = security_sid_to_context(isec->sid, &context, &size);
2744 if (error)
2745 return error;
2746 error = size;
2747 if (alloc) {
2748 *buffer = context;
2749 goto out_nofree;
2750 }
2751 kfree(context);
2752out_nofree:
2753 return error;
1da177e4
LT		 2754}
2755
2756static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2757 const void *value, size_t size, int flags)
2758{
2759 struct inode_security_struct *isec = inode->i_security;
2760 u32 newsid;
2761 int rc;
2762
2763 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2764 return -EOPNOTSUPP;
2765
2766 if (!value || !size)
2767 return -EACCES;
2768
2769 rc = security_context_to_sid((void*)value, size, &newsid);
2770 if (rc)
2771 return rc;
2772
2773 isec->sid = newsid;
2774 return 0;
2775}
2776
2777static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2778{
2779 const int len = sizeof(XATTR_NAME_SELINUX);
2780 if (buffer && len <= buffer_size)
2781 memcpy(buffer, XATTR_NAME_SELINUX, len);
2782 return len;
2783}
2784
b5376771
SH		 2785static int selinux_inode_need_killpriv(struct dentry *dentry)
2786{
2787 return secondary_ops->inode_need_killpriv(dentry);
2788}
2789
2790static int selinux_inode_killpriv(struct dentry *dentry)
2791{
2792 return secondary_ops->inode_killpriv(dentry);
2793}
2794
1da177e4
LT		 2795/* file security operations */
2796
788e7dd4 2797static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 2798{
7420ed23 2799 int rc;
3d5ff529 2800 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2801
2802 if (!mask) {
2803 /* No permission to check. Existence test. */
2804 return 0;
2805 }
2806
2807 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2808 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2809 mask |= MAY_APPEND;
2810
7420ed23
VY		 2811 rc = file_has_perm(current, file,
2812 file_mask_to_av(inode->i_mode, mask));
2813 if (rc)
2814 return rc;
2815
2816 return selinux_netlbl_inode_permission(inode, mask);
1da177e4
LT		 2817}
2818
788e7dd4
YN		 2819static int selinux_file_permission(struct file *file, int mask)
2820{
2821 struct inode *inode = file->f_path.dentry->d_inode;
2822 struct task_security_struct *tsec = current->security;
2823 struct file_security_struct *fsec = file->f_security;
2824 struct inode_security_struct *isec = inode->i_security;
2825
2826 if (!mask) {
2827 /* No permission to check. Existence test. */
2828 return 0;
2829 }
2830
2831 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2832 && fsec->pseqno == avc_policy_seqno())
2833 return selinux_netlbl_inode_permission(inode, mask);
2834
2835 return selinux_revalidate_file_permission(file, mask);
2836}
2837
1da177e4
LT		 2838static int selinux_file_alloc_security(struct file *file)
2839{
2840 return file_alloc_security(file);
2841}
2842
2843static void selinux_file_free_security(struct file *file)
2844{
2845 file_free_security(file);
2846}
2847
2848static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2849 unsigned long arg)
2850{
2851 int error = 0;
2852
2853 switch (cmd) {
2854 case FIONREAD:
2855 /* fall through */
2856 case FIBMAP:
2857 /* fall through */
2858 case FIGETBSZ:
2859 /* fall through */
2860 case EXT2_IOC_GETFLAGS:
2861 /* fall through */
2862 case EXT2_IOC_GETVERSION:
2863 error = file_has_perm(current, file, FILE__GETATTR);
2864 break;
2865
2866 case EXT2_IOC_SETFLAGS:
2867 /* fall through */
2868 case EXT2_IOC_SETVERSION:
2869 error = file_has_perm(current, file, FILE__SETATTR);
2870 break;
2871
2872 /* sys_ioctl() checks */
2873 case FIONBIO:
2874 /* fall through */
2875 case FIOASYNC:
2876 error = file_has_perm(current, file, 0);
2877 break;
2878
2879 case KDSKBENT:
2880 case KDSKBSENT:
2881 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2882 break;
2883
2884 /* default case assumes that the command will go
2885 * to the file's ioctl() function.
2886 */
2887 default:
2888 error = file_has_perm(current, file, FILE__IOCTL);
2889
2890 }
2891 return error;
2892}
2893
2894static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2895{
2896#ifndef CONFIG_PPC32
2897 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2898 /*
2899 * We are making executable an anonymous mapping or a
2900 * private file mapping that will also be writable.
2901 * This has an additional check.
2902 */
2903 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2904 if (rc)
2905 return rc;
2906 }
2907#endif
2908
2909 if (file) {
2910 /* read access is always possible with a mapping */
2911 u32 av = FILE__READ;
2912
2913 /* write access only matters if the mapping is shared */
2914 if (shared && (prot & PROT_WRITE))
2915 av |= FILE__WRITE;
2916
2917 if (prot & PROT_EXEC)
2918 av |= FILE__EXECUTE;
2919
2920 return file_has_perm(current, file, av);
2921 }
2922 return 0;
2923}
2924
2925static int selinux_file_mmap(struct file *file, unsigned long reqprot,
ed032189
EP		 2926 unsigned long prot, unsigned long flags,
2927 unsigned long addr, unsigned long addr_only)
1da177e4 2928{
ed032189
EP		 2929 int rc = 0;
2930 u32 sid = ((struct task_security_struct*)(current->security))->sid;
1da177e4 2931
ed032189
EP		 2932 if (addr < mmap_min_addr)
2933 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2934 MEMPROTECT__MMAP_ZERO, NULL);
2935 if (rc || addr_only)
1da177e4
LT		 2936 return rc;
2937
2938 if (selinux_checkreqprot)
2939 prot = reqprot;
2940
2941 return file_map_prot_check(file, prot,
2942 (flags & MAP_TYPE) == MAP_SHARED);
2943}
2944
2945static int selinux_file_mprotect(struct vm_area_struct *vma,
2946 unsigned long reqprot,
2947 unsigned long prot)
2948{
2949 int rc;
2950
2951 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2952 if (rc)
2953 return rc;
2954
2955 if (selinux_checkreqprot)
2956 prot = reqprot;
2957
2958#ifndef CONFIG_PPC32
db4c9641
SS		 2959 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2960 rc = 0;
2961 if (vma->vm_start >= vma->vm_mm->start_brk &&
2962 vma->vm_end <= vma->vm_mm->brk) {
2963 rc = task_has_perm(current, current,
2964 PROCESS__EXECHEAP);
2965 } else if (!vma->vm_file &&
2966 vma->vm_start <= vma->vm_mm->start_stack &&
2967 vma->vm_end >= vma->vm_mm->start_stack) {
2968 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2969 } else if (vma->vm_file && vma->anon_vma) {
2970 /*
2971 * We are making executable a file mapping that has
2972 * had some COW done. Since pages might have been
2973 * written, check ability to execute the possibly
2974 * modified content. This typically should only
2975 * occur for text relocations.
2976 */
2977 rc = file_has_perm(current, vma->vm_file,
2978 FILE__EXECMOD);
2979 }