]> Git Repo - linux.git/blame - security/selinux/hooks.c
projects / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge branch 'master' of git://git.infradead.org/users/pcmoore/selinux into next
[linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <[email protected]>
828dfe1d
EP		 7 * Chris Vance, <[email protected]>
8 * Wayne Salamon, <[email protected]>
9 * James Morris <[email protected]>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <[email protected]>
13 * Eric Paris <[email protected]>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <[email protected]>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <[email protected]>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <[email protected]>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4 26#include <linux/init.h>
0b24dcb7 27#include <linux/kd.h>
1da177e4 28#include <linux/kernel.h>
0d094efe 29#include <linux/tracehook.h>
1da177e4
LT		 30#include <linux/errno.h>
31#include <linux/sched.h>
32#include <linux/security.h>
33#include <linux/xattr.h>
34#include <linux/capability.h>
35#include <linux/unistd.h>
36#include <linux/mm.h>
37#include <linux/mman.h>
38#include <linux/slab.h>
39#include <linux/pagemap.h>
0b24dcb7 40#include <linux/proc_fs.h>
1da177e4 41#include <linux/swap.h>
1da177e4
LT		 42#include <linux/spinlock.h>
43#include <linux/syscalls.h>
2a7dba39 44#include <linux/dcache.h>
1da177e4 45#include <linux/file.h>
9f3acc31 46#include <linux/fdtable.h>
1da177e4
LT		 47#include <linux/namei.h>
48#include <linux/mount.h>
1da177e4
LT		 49#include <linux/netfilter_ipv4.h>
50#include <linux/netfilter_ipv6.h>
51#include <linux/tty.h>
52#include <net/icmp.h>
227b60f5 53#include <net/ip.h> /* for local_port_range[] */
ca10b9e9 54#include <net/sock.h>
1da177e4 55#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 56#include <net/inet_connection_sock.h>
220deb96 57#include <net/net_namespace.h>
d621d35e 58#include <net/netlabel.h>
f5269710 59#include <linux/uaccess.h>
1da177e4 60#include <asm/ioctls.h>
60063497 61#include <linux/atomic.h>
1da177e4
LT		 62#include <linux/bitops.h>
63#include <linux/interrupt.h>
64#include <linux/netdevice.h> /* for network interface checks */
77954983 65#include <net/netlink.h>
1da177e4
LT		 66#include <linux/tcp.h>
67#include <linux/udp.h>
2ee92d46 68#include <linux/dccp.h>
1da177e4
LT		 69#include <linux/quota.h>
70#include <linux/un.h> /* for Unix socket types */
71#include <net/af_unix.h> /* for Unix socket types */
72#include <linux/parser.h>
73#include <linux/nfs_mount.h>
74#include <net/ipv6.h>
75#include <linux/hugetlb.h>
76#include <linux/personality.h>
1da177e4 77#include <linux/audit.h>
6931dfc9 78#include <linux/string.h>
877ce7c1 79#include <linux/selinux.h>
23970741 80#include <linux/mutex.h>
f06febc9 81#include <linux/posix-timers.h>
00234592 82#include <linux/syslog.h>
3486740a 83#include <linux/user_namespace.h>
44fc7ea0 84#include <linux/export.h>
40401530
AV		 85#include <linux/msg.h>
86#include <linux/shm.h>
1da177e4
LT		 87
88#include "avc.h"
89#include "objsec.h"
90#include "netif.h"
224dfbd8 91#include "netnode.h"
3e112172 92#include "netport.h"
d28d1e08 93#include "xfrm.h"
c60475bf 94#include "netlabel.h"
9d57a7f9 95#include "audit.h"
7b98a585 96#include "avc_ss.h"
1da177e4 97
20510f2f 98extern struct security_operations *security_ops;
1da177e4 99
d621d35e 100/* SECMARK reference count */
56a4ca99 101static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 102
1da177e4 103#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 104int selinux_enforcing;
1da177e4
LT		 105
106static int __init enforcing_setup(char *str)
107{
f5269710
EP		 108 unsigned long enforcing;
109 if (!strict_strtoul(str, 0, &enforcing))
110 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 111 return 1;
112}
113__setup("enforcing=", enforcing_setup);
114#endif
115
116#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118
119static int __init selinux_enabled_setup(char *str)
120{
f5269710
EP		 121 unsigned long enabled;
122 if (!strict_strtoul(str, 0, &enabled))
123 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 124 return 1;
125}
126__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 127#else
128int selinux_enabled = 1;
1da177e4
LT		 129#endif
130
e18b890b 131static struct kmem_cache *sel_inode_cache;
7cae7e26 132
d621d35e
PM		 133/**
134 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
135 *
136 * Description:
137 * This function checks the SECMARK reference counter to see if any SECMARK
138 * targets are currently configured, if the reference counter is greater than
139 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 140 * enabled, false (0) if SECMARK is disabled. If the always_check_network
141 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 142 *
143 */
144static int selinux_secmark_enabled(void)
145{
2be4d74f
CP		 146 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
147}
148
149/**
150 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
151 *
152 * Description:
153 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
154 * (1) if any are enabled or false (0) if neither are enabled. If the
155 * always_check_network policy capability is enabled, peer labeling
156 * is always considered enabled.
157 *
158 */
159static int selinux_peerlbl_enabled(void)
160{
161 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 162}
163
d84f4f99
DH		 164/*
165 * initialise the security for the init task
166 */
167static void cred_init_security(void)
1da177e4 168{
3b11a1de 169 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 170 struct task_security_struct *tsec;
171
89d155ef 172 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 173 if (!tsec)
d84f4f99 174 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 175
d84f4f99 176 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 177 cred->security = tsec;
1da177e4
LT		 178}
179
88e67f3b
DH		 180/*
181 * get the security ID of a set of credentials
182 */
183static inline u32 cred_sid(const struct cred *cred)
184{
185 const struct task_security_struct *tsec;
186
187 tsec = cred->security;
188 return tsec->sid;
189}
190
275bb41e 191/*
3b11a1de 192 * get the objective security ID of a task
275bb41e
DH		 193 */
194static inline u32 task_sid(const struct task_struct *task)
195{
275bb41e
DH		 196 u32 sid;
197
198 rcu_read_lock();
88e67f3b 199 sid = cred_sid(__task_cred(task));
275bb41e
DH		 200 rcu_read_unlock();
201 return sid;
202}
203
204/*
3b11a1de 205 * get the subjective security ID of the current task
275bb41e
DH		 206 */
207static inline u32 current_sid(void)
208{
5fb49870 209 const struct task_security_struct *tsec = current_security();
275bb41e
DH		 210
211 return tsec->sid;
212}
213
88e67f3b
DH		 214/* Allocate and free functions for each kind of security blob. */
215
1da177e4
LT		 216static int inode_alloc_security(struct inode *inode)
217{
1da177e4 218 struct inode_security_struct *isec;
275bb41e 219 u32 sid = current_sid();
1da177e4 220
a02fe132 221 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 222 if (!isec)
223 return -ENOMEM;
224
23970741 225 mutex_init(&isec->lock);
1da177e4 226 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 227 isec->inode = inode;
228 isec->sid = SECINITSID_UNLABELED;
229 isec->sclass = SECCLASS_FILE;
275bb41e 230 isec->task_sid = sid;
1da177e4
LT		 231 inode->i_security = isec;
232
233 return 0;
234}
235
236static void inode_free_security(struct inode *inode)
237{
238 struct inode_security_struct *isec = inode->i_security;
239 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
240
1da177e4
LT		 241 spin_lock(&sbsec->isec_lock);
242 if (!list_empty(&isec->list))
243 list_del_init(&isec->list);
244 spin_unlock(&sbsec->isec_lock);
245
246 inode->i_security = NULL;
7cae7e26 247 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 248}
249
250static int file_alloc_security(struct file *file)
251{
1da177e4 252 struct file_security_struct *fsec;
275bb41e 253 u32 sid = current_sid();
1da177e4 254
26d2a4be 255 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 256 if (!fsec)
257 return -ENOMEM;
258
275bb41e
DH		 259 fsec->sid = sid;
260 fsec->fown_sid = sid;
1da177e4
LT		 261 file->f_security = fsec;
262
263 return 0;
264}
265
266static void file_free_security(struct file *file)
267{
268 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 269 file->f_security = NULL;
270 kfree(fsec);
271}
272
273static int superblock_alloc_security(struct super_block *sb)
274{
275 struct superblock_security_struct *sbsec;
276
89d155ef 277 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 278 if (!sbsec)
279 return -ENOMEM;
280
bc7e982b 281 mutex_init(&sbsec->lock);
1da177e4
LT		 282 INIT_LIST_HEAD(&sbsec->isec_head);
283 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 284 sbsec->sb = sb;
285 sbsec->sid = SECINITSID_UNLABELED;
286 sbsec->def_sid = SECINITSID_FILE;
c312feb2 287 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 288 sb->s_security = sbsec;
289
290 return 0;
291}
292
293static void superblock_free_security(struct super_block *sb)
294{
295 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 296 sb->s_security = NULL;
297 kfree(sbsec);
298}
299
1da177e4
LT		 300/* The file system's label must be initialized prior to use. */
301
eb9ae686 302static const char *labeling_behaviors[7] = {
1da177e4
LT		 303 "uses xattr",
304 "uses transition SIDs",
305 "uses task SIDs",
306 "uses genfs_contexts",
307 "not configured for labeling",
308 "uses mountpoint labeling",
eb9ae686 309 "uses native labeling",
1da177e4
LT		 310};
311
312static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313
314static inline int inode_doinit(struct inode *inode)
315{
316 return inode_doinit_with_dentry(inode, NULL);
317}
318
319enum {
31e87930 320 Opt_error = -1,
1da177e4
LT		 321 Opt_context = 1,
322 Opt_fscontext = 2,
c9180a57
EP		 323 Opt_defcontext = 3,
324 Opt_rootcontext = 4,
11689d47 325 Opt_labelsupport = 5,
d355987f 326 Opt_nextmntopt = 6,
1da177e4
LT		 327};
328
d355987f
EP		 329#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
330
a447c093 331static const match_table_t tokens = {
832cbd9a
EP		 332 {Opt_context, CONTEXT_STR "%s"},
333 {Opt_fscontext, FSCONTEXT_STR "%s"},
334 {Opt_defcontext, DEFCONTEXT_STR "%s"},
335 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 336 {Opt_labelsupport, LABELSUPP_STR},
31e87930 337 {Opt_error, NULL},
1da177e4
LT		 338};
339
340#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
341
c312feb2
EP		 342static int may_context_mount_sb_relabel(u32 sid,
343 struct superblock_security_struct *sbsec,
275bb41e 344 const struct cred *cred)
c312feb2 345{
275bb41e 346 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 347 int rc;
348
349 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
350 FILESYSTEM__RELABELFROM, NULL);
351 if (rc)
352 return rc;
353
354 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
355 FILESYSTEM__RELABELTO, NULL);
356 return rc;
357}
358
0808925e
EP		 359static int may_context_mount_inode_relabel(u32 sid,
360 struct superblock_security_struct *sbsec,
275bb41e 361 const struct cred *cred)
0808925e 362{
275bb41e 363 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 364 int rc;
365 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
366 FILESYSTEM__RELABELFROM, NULL);
367 if (rc)
368 return rc;
369
370 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
371 FILESYSTEM__ASSOCIATE, NULL);
372 return rc;
373}
374
b43e725d
EP		 375static int selinux_is_sblabel_mnt(struct super_block *sb)
376{
377 struct superblock_security_struct *sbsec = sb->s_security;
378
379 if (sbsec->behavior == SECURITY_FS_USE_XATTR ||
380 sbsec->behavior == SECURITY_FS_USE_TRANS ||
381 sbsec->behavior == SECURITY_FS_USE_TASK)
382 return 1;
383
384 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
385 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
386 return 1;
387
388 /*
389 * Special handling for rootfs. Is genfs but supports
390 * setting SELinux context on in-core inodes.
391 */
392 if (strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0)
393 return 1;
394
395 return 0;
396}
397
c9180a57 398static int sb_finish_set_opts(struct super_block *sb)
1da177e4 399{
1da177e4 400 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 401 struct dentry *root = sb->s_root;
402 struct inode *root_inode = root->d_inode;
403 int rc = 0;
1da177e4 404
c9180a57
EP		 405 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
406 /* Make sure that the xattr handler exists and that no
407 error other than -ENODATA is returned by getxattr on
408 the root directory. -ENODATA is ok, as this may be
409 the first boot of the SELinux kernel before we have
410 assigned xattr values to the filesystem. */
411 if (!root_inode->i_op->getxattr) {
29b1deb2
LT		 412 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
413 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 414 rc = -EOPNOTSUPP;
415 goto out;
416 }
417 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
418 if (rc < 0 && rc != -ENODATA) {
419 if (rc == -EOPNOTSUPP)
420 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 421 "%s) has no security xattr handler\n",
422 sb->s_id, sb->s_type->name);
c9180a57
EP		 423 else
424 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 425 "%s) getxattr errno %d\n", sb->s_id,
426 sb->s_type->name, -rc);
c9180a57
EP		 427 goto out;
428 }
429 }
1da177e4 430
c9180a57 431 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
29b1deb2
LT		 432 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
433 sb->s_id, sb->s_type->name);
c9180a57 434 else
29b1deb2
LT		 435 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
436 sb->s_id, sb->s_type->name,
c9180a57 437 labeling_behaviors[sbsec->behavior-1]);
1da177e4 438
eadcabc6 439 sbsec->flags |= SE_SBINITIALIZED;
b43e725d 440 if (selinux_is_sblabel_mnt(sb))
12f348b9 441 sbsec->flags |= SBLABEL_MNT;
ddd29ec6 442
c9180a57
EP		 443 /* Initialize the root inode. */
444 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 445
c9180a57
EP		 446 /* Initialize any other inodes associated with the superblock, e.g.
447 inodes created prior to initial policy load or inodes created
448 during get_sb by a pseudo filesystem that directly
449 populates itself. */
450 spin_lock(&sbsec->isec_lock);
451next_inode:
452 if (!list_empty(&sbsec->isec_head)) {
453 struct inode_security_struct *isec =
454 list_entry(sbsec->isec_head.next,
455 struct inode_security_struct, list);
456 struct inode *inode = isec->inode;
457 spin_unlock(&sbsec->isec_lock);
458 inode = igrab(inode);
459 if (inode) {
460 if (!IS_PRIVATE(inode))
461 inode_doinit(inode);
462 iput(inode);
463 }
464 spin_lock(&sbsec->isec_lock);
465 list_del_init(&isec->list);
466 goto next_inode;
467 }
468 spin_unlock(&sbsec->isec_lock);
469out:
470 return rc;
471}
1da177e4 472
c9180a57
EP		 473/*
474 * This function should allow an FS to ask what it's mount security
475 * options were so it can use those later for submounts, displaying
476 * mount options, or whatever.
477 */
478static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 479 struct security_mnt_opts *opts)
c9180a57
EP		 480{
481 int rc = 0, i;
482 struct superblock_security_struct *sbsec = sb->s_security;
483 char *context = NULL;
484 u32 len;
485 char tmp;
1da177e4 486
e0007529 487 security_init_mnt_opts(opts);
1da177e4 488
0d90a7ec 489 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 490 return -EINVAL;
1da177e4 491
c9180a57
EP		 492 if (!ss_initialized)
493 return -EINVAL;
1da177e4 494
af8e50cc
EP		 495 /* make sure we always check enough bits to cover the mask */
496 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
497
0d90a7ec 498 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 499 /* count the number of mount options for this sb */
af8e50cc 500 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 501 if (tmp & 0x01)
e0007529 502 opts->num_mnt_opts++;
c9180a57
EP		 503 tmp >>= 1;
504 }
11689d47 505 /* Check if the Label support flag is set */
0b4bdb35 506 if (sbsec->flags & SBLABEL_MNT)
11689d47 507 opts->num_mnt_opts++;
1da177e4 508
e0007529
EP		 509 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
510 if (!opts->mnt_opts) {
c9180a57
EP		 511 rc = -ENOMEM;
512 goto out_free;
513 }
1da177e4 514
e0007529
EP		 515 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
516 if (!opts->mnt_opts_flags) {
c9180a57
EP		 517 rc = -ENOMEM;
518 goto out_free;
519 }
1da177e4 520
c9180a57
EP		 521 i = 0;
522 if (sbsec->flags & FSCONTEXT_MNT) {
523 rc = security_sid_to_context(sbsec->sid, &context, &len);
524 if (rc)
525 goto out_free;
e0007529
EP		 526 opts->mnt_opts[i] = context;
527 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 528 }
529 if (sbsec->flags & CONTEXT_MNT) {
530 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
531 if (rc)
532 goto out_free;
e0007529
EP		 533 opts->mnt_opts[i] = context;
534 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 535 }
536 if (sbsec->flags & DEFCONTEXT_MNT) {
537 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
538 if (rc)
539 goto out_free;
e0007529
EP		 540 opts->mnt_opts[i] = context;
541 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 542 }
543 if (sbsec->flags & ROOTCONTEXT_MNT) {
544 struct inode *root = sbsec->sb->s_root->d_inode;
545 struct inode_security_struct *isec = root->i_security;
0808925e 546
c9180a57
EP		 547 rc = security_sid_to_context(isec->sid, &context, &len);
548 if (rc)
549 goto out_free;
e0007529
EP		 550 opts->mnt_opts[i] = context;
551 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 552 }
12f348b9 553 if (sbsec->flags & SBLABEL_MNT) {
11689d47 554 opts->mnt_opts[i] = NULL;
12f348b9 555 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 556 }
1da177e4 557
e0007529 558 BUG_ON(i != opts->num_mnt_opts);
1da177e4 559
c9180a57
EP		 560 return 0;
561
562out_free:
e0007529 563 security_free_mnt_opts(opts);
c9180a57
EP		 564 return rc;
565}
1da177e4 566
c9180a57
EP		 567static int bad_option(struct superblock_security_struct *sbsec, char flag,
568 u32 old_sid, u32 new_sid)
569{
0d90a7ec
DQ		 570 char mnt_flags = sbsec->flags & SE_MNTMASK;
571
c9180a57 572 /* check if the old mount command had the same options */
0d90a7ec 573 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 574 if (!(sbsec->flags & flag) ||
575 (old_sid != new_sid))
576 return 1;
577
578 /* check if we were passed the same options twice,
579 * aka someone passed context=a,context=b
580 */
0d90a7ec
DQ		 581 if (!(sbsec->flags & SE_SBINITIALIZED))
582 if (mnt_flags & flag)
c9180a57
EP		 583 return 1;
584 return 0;
585}
e0007529 586
c9180a57
EP		 587/*
588 * Allow filesystems with binary mount data to explicitly set mount point
589 * labeling information.
590 */
e0007529 591static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 592 struct security_mnt_opts *opts,
593 unsigned long kern_flags,
594 unsigned long *set_kern_flags)
c9180a57 595{
275bb41e 596 const struct cred *cred = current_cred();
c9180a57 597 int rc = 0, i;
c9180a57 598 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 599 const char *name = sb->s_type->name;
089be43e
JM		 600 struct inode *inode = sbsec->sb->s_root->d_inode;
601 struct inode_security_struct *root_isec = inode->i_security;
c9180a57
EP		 602 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
603 u32 defcontext_sid = 0;
e0007529
EP		 604 char **mount_options = opts->mnt_opts;
605 int *flags = opts->mnt_opts_flags;
606 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 607
608 mutex_lock(&sbsec->lock);
609
610 if (!ss_initialized) {
611 if (!num_opts) {
612 /* Defer initialization until selinux_complete_init,
613 after the initial policy is loaded and the security
614 server is ready to handle calls. */
c9180a57
EP		 615 goto out;
616 }
617 rc = -EINVAL;
744ba35e
EP		 618 printk(KERN_WARNING "SELinux: Unable to set superblock options "
619 "before the security server is initialized\n");
1da177e4 620 goto out;
c9180a57 621 }
649f6e77
DQ		 622 if (kern_flags && !set_kern_flags) {
623 /* Specifying internal flags without providing a place to
624 * place the results is not allowed */
625 rc = -EINVAL;
626 goto out;
627 }
1da177e4 628
e0007529
EP		 629 /*
630 * Binary mount data FS will come through this function twice. Once
631 * from an explicit call and once from the generic calls from the vfs.
632 * Since the generic VFS calls will not contain any security mount data
633 * we need to skip the double mount verification.
634 *
635 * This does open a hole in which we will not notice if the first
636 * mount using this sb set explict options and a second mount using
637 * this sb does not set any security options. (The first options
638 * will be used for both mounts)
639 */
0d90a7ec 640 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 641 && (num_opts == 0))
f5269710 642 goto out;
e0007529 643
c9180a57
EP		 644 /*
645 * parse the mount options, check if they are valid sids.
646 * also check if someone is trying to mount the same sb more
647 * than once with different security options.
648 */
649 for (i = 0; i < num_opts; i++) {
650 u32 sid;
11689d47 651
12f348b9 652 if (flags[i] == SBLABEL_MNT)
11689d47 653 continue;
c9180a57
EP		 654 rc = security_context_to_sid(mount_options[i],
655 strlen(mount_options[i]), &sid);
1da177e4
LT		 656 if (rc) {
657 printk(KERN_WARNING "SELinux: security_context_to_sid"
29b1deb2
LT		 658 "(%s) failed for (dev %s, type %s) errno=%d\n",
659 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 660 goto out;
661 }
662 switch (flags[i]) {
663 case FSCONTEXT_MNT:
664 fscontext_sid = sid;
665
666 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
667 fscontext_sid))
668 goto out_double_mount;
669
670 sbsec->flags |= FSCONTEXT_MNT;
671 break;
672 case CONTEXT_MNT:
673 context_sid = sid;
674
675 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
676 context_sid))
677 goto out_double_mount;
678
679 sbsec->flags |= CONTEXT_MNT;
680 break;
681 case ROOTCONTEXT_MNT:
682 rootcontext_sid = sid;
683
684 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
685 rootcontext_sid))
686 goto out_double_mount;
687
688 sbsec->flags |= ROOTCONTEXT_MNT;
689
690 break;
691 case DEFCONTEXT_MNT:
692 defcontext_sid = sid;
693
694 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
695 defcontext_sid))
696 goto out_double_mount;
697
698 sbsec->flags |= DEFCONTEXT_MNT;
699
700 break;
701 default:
702 rc = -EINVAL;
703 goto out;
1da177e4 704 }
c9180a57
EP		 705 }
706
0d90a7ec 707 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 708 /* previously mounted with options, but not on this attempt? */
0d90a7ec 709 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 710 goto out_double_mount;
711 rc = 0;
712 goto out;
713 }
714
089be43e 715 if (strcmp(sb->s_type->name, "proc") == 0)
0d90a7ec 716 sbsec->flags |= SE_SBPROC;
c9180a57 717
eb9ae686
DQ		 718 if (!sbsec->behavior) {
719 /*
720 * Determine the labeling behavior to use for this
721 * filesystem type.
722 */
98f700f3 723 rc = security_fs_use(sb);
eb9ae686
DQ		 724 if (rc) {
725 printk(KERN_WARNING
726 "%s: security_fs_use(%s) returned %d\n",
727 __func__, sb->s_type->name, rc);
728 goto out;
729 }
c9180a57 730 }
c9180a57
EP		 731 /* sets the context of the superblock for the fs being mounted. */
732 if (fscontext_sid) {
275bb41e 733 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 734 if (rc)
c9180a57 735 goto out;
1da177e4 736
c9180a57 737 sbsec->sid = fscontext_sid;
c312feb2
EP		 738 }
739
740 /*
741 * Switch to using mount point labeling behavior.
742 * sets the label used on all file below the mountpoint, and will set
743 * the superblock context if not already set.
744 */
eb9ae686
DQ		 745 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
746 sbsec->behavior = SECURITY_FS_USE_NATIVE;
747 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
748 }
749
c9180a57
EP		 750 if (context_sid) {
751 if (!fscontext_sid) {
275bb41e
DH		 752 rc = may_context_mount_sb_relabel(context_sid, sbsec,
753 cred);
b04ea3ce 754 if (rc)
c9180a57
EP		 755 goto out;
756 sbsec->sid = context_sid;
b04ea3ce 757 } else {
275bb41e
DH		 758 rc = may_context_mount_inode_relabel(context_sid, sbsec,
759 cred);
b04ea3ce 760 if (rc)
c9180a57 761 goto out;
b04ea3ce 762 }
c9180a57
EP		 763 if (!rootcontext_sid)
764 rootcontext_sid = context_sid;
1da177e4 765
c9180a57 766 sbsec->mntpoint_sid = context_sid;
c312feb2 767 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 768 }
769
c9180a57 770 if (rootcontext_sid) {
275bb41e
DH		 771 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
772 cred);
0808925e 773 if (rc)
c9180a57 774 goto out;
0808925e 775
c9180a57
EP		 776 root_isec->sid = rootcontext_sid;
777 root_isec->initialized = 1;
0808925e
EP		 778 }
779
c9180a57 780 if (defcontext_sid) {
eb9ae686
DQ		 781 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
782 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 783 rc = -EINVAL;
784 printk(KERN_WARNING "SELinux: defcontext option is "
785 "invalid for this filesystem type\n");
786 goto out;
1da177e4
LT		 787 }
788
c9180a57
EP		 789 if (defcontext_sid != sbsec->def_sid) {
790 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 791 sbsec, cred);
c9180a57
EP		 792 if (rc)
793 goto out;
794 }
1da177e4 795
c9180a57 796 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 797 }
798
c9180a57 799 rc = sb_finish_set_opts(sb);
1da177e4 800out:
c9180a57 801 mutex_unlock(&sbsec->lock);
1da177e4 802 return rc;
c9180a57
EP		 803out_double_mount:
804 rc = -EINVAL;
805 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 806 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 807 goto out;
1da177e4
LT		 808}
809
094f7b69
JL		 810static int selinux_cmp_sb_context(const struct super_block *oldsb,
811 const struct super_block *newsb)
812{
813 struct superblock_security_struct *old = oldsb->s_security;
814 struct superblock_security_struct *new = newsb->s_security;
815 char oldflags = old->flags & SE_MNTMASK;
816 char newflags = new->flags & SE_MNTMASK;
817
818 if (oldflags != newflags)
819 goto mismatch;
820 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
821 goto mismatch;
822 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
823 goto mismatch;
824 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
825 goto mismatch;
826 if (oldflags & ROOTCONTEXT_MNT) {
827 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
828 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
829 if (oldroot->sid != newroot->sid)
830 goto mismatch;
831 }
832 return 0;
833mismatch:
834 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
835 "different security settings for (dev %s, "
836 "type %s)\n", newsb->s_id, newsb->s_type->name);
837 return -EBUSY;
838}
839
840static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
c9180a57 841 struct super_block *newsb)
1da177e4 842{
c9180a57
EP		 843 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
844 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 845
c9180a57
EP		 846 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
847 int set_context = (oldsbsec->flags & CONTEXT_MNT);
848 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 849
0f5e6420
EP		 850 /*
851 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 852 * mount options. thus we can safely deal with this superblock later
0f5e6420 853 */
e8c26255 854 if (!ss_initialized)
094f7b69 855 return 0;
c9180a57 856
c9180a57 857 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 858 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 859
094f7b69 860 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 861 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 862 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 863
c9180a57
EP		 864 mutex_lock(&newsbsec->lock);
865
866 newsbsec->flags = oldsbsec->flags;
867
868 newsbsec->sid = oldsbsec->sid;
869 newsbsec->def_sid = oldsbsec->def_sid;
870 newsbsec->behavior = oldsbsec->behavior;
871
872 if (set_context) {
873 u32 sid = oldsbsec->mntpoint_sid;
874
875 if (!set_fscontext)
876 newsbsec->sid = sid;
877 if (!set_rootcontext) {
878 struct inode *newinode = newsb->s_root->d_inode;
879 struct inode_security_struct *newisec = newinode->i_security;
880 newisec->sid = sid;
881 }
882 newsbsec->mntpoint_sid = sid;
1da177e4 883 }
c9180a57
EP		 884 if (set_rootcontext) {
885 const struct inode *oldinode = oldsb->s_root->d_inode;
886 const struct inode_security_struct *oldisec = oldinode->i_security;
887 struct inode *newinode = newsb->s_root->d_inode;
888 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 889
c9180a57 890 newisec->sid = oldisec->sid;
1da177e4
LT		 891 }
892
c9180a57
EP		 893 sb_finish_set_opts(newsb);
894 mutex_unlock(&newsbsec->lock);
094f7b69 895 return 0;
c9180a57
EP		 896}
897
2e1479d9
AB		 898static int selinux_parse_opts_str(char *options,
899 struct security_mnt_opts *opts)
c9180a57 900{
e0007529 901 char *p;
c9180a57
EP		 902 char *context = NULL, *defcontext = NULL;
903 char *fscontext = NULL, *rootcontext = NULL;
e0007529 904 int rc, num_mnt_opts = 0;
1da177e4 905
e0007529 906 opts->num_mnt_opts = 0;
1da177e4 907
c9180a57
EP		 908 /* Standard string-based options. */
909 while ((p = strsep(&options, "|")) != NULL) {
910 int token;
911 substring_t args[MAX_OPT_ARGS];
1da177e4 912
c9180a57
EP		 913 if (!*p)
914 continue;
1da177e4 915
c9180a57 916 token = match_token(p, tokens, args);
1da177e4 917
c9180a57
EP		 918 switch (token) {
919 case Opt_context:
920 if (context || defcontext) {
921 rc = -EINVAL;
922 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
923 goto out_err;
924 }
925 context = match_strdup(&args[0]);
926 if (!context) {
927 rc = -ENOMEM;
928 goto out_err;
929 }
930 break;
931
932 case Opt_fscontext:
933 if (fscontext) {
934 rc = -EINVAL;
935 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
936 goto out_err;
937 }
938 fscontext = match_strdup(&args[0]);
939 if (!fscontext) {
940 rc = -ENOMEM;
941 goto out_err;
942 }
943 break;
944
945 case Opt_rootcontext:
946 if (rootcontext) {
947 rc = -EINVAL;
948 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
949 goto out_err;
950 }
951 rootcontext = match_strdup(&args[0]);
952 if (!rootcontext) {
953 rc = -ENOMEM;
954 goto out_err;
955 }
956 break;
957
958 case Opt_defcontext:
959 if (context || defcontext) {
960 rc = -EINVAL;
961 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
962 goto out_err;
963 }
964 defcontext = match_strdup(&args[0]);
965 if (!defcontext) {
966 rc = -ENOMEM;
967 goto out_err;
968 }
969 break;
11689d47
DQ		 970 case Opt_labelsupport:
971 break;
c9180a57
EP		 972 default:
973 rc = -EINVAL;
974 printk(KERN_WARNING "SELinux: unknown mount option\n");
975 goto out_err;
1da177e4 976
1da177e4 977 }
1da177e4 978 }
c9180a57 979
e0007529
EP		 980 rc = -ENOMEM;
981 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
982 if (!opts->mnt_opts)
983 goto out_err;
984
985 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
986 if (!opts->mnt_opts_flags) {
987 kfree(opts->mnt_opts);
988 goto out_err;
989 }
990
c9180a57 991 if (fscontext) {
e0007529
EP		 992 opts->mnt_opts[num_mnt_opts] = fscontext;
993 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 994 }
995 if (context) {
e0007529
EP		 996 opts->mnt_opts[num_mnt_opts] = context;
997 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 998 }
999 if (rootcontext) {
e0007529
EP		 1000 opts->mnt_opts[num_mnt_opts] = rootcontext;
1001 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1002 }
1003 if (defcontext) {
e0007529
EP		 1004 opts->mnt_opts[num_mnt_opts] = defcontext;
1005 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1006 }
1007
e0007529
EP		 1008 opts->num_mnt_opts = num_mnt_opts;
1009 return 0;
1010
c9180a57
EP		 1011out_err:
1012 kfree(context);
1013 kfree(defcontext);
1014 kfree(fscontext);
1015 kfree(rootcontext);
1da177e4
LT		 1016 return rc;
1017}
e0007529
EP		 1018/*
1019 * string mount options parsing and call set the sbsec
1020 */
1021static int superblock_doinit(struct super_block *sb, void *data)
1022{
1023 int rc = 0;
1024 char *options = data;
1025 struct security_mnt_opts opts;
1026
1027 security_init_mnt_opts(&opts);
1028
1029 if (!data)
1030 goto out;
1031
1032 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1033
1034 rc = selinux_parse_opts_str(options, &opts);
1035 if (rc)
1036 goto out_err;
1037
1038out:
649f6e77 1039 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1040
1041out_err:
1042 security_free_mnt_opts(&opts);
1043 return rc;
1044}
1da177e4 1045
3583a711
AB		 1046static void selinux_write_opts(struct seq_file *m,
1047 struct security_mnt_opts *opts)
2069f457
EP		 1048{
1049 int i;
1050 char *prefix;
1051
1052 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1053 char *has_comma;
1054
1055 if (opts->mnt_opts[i])
1056 has_comma = strchr(opts->mnt_opts[i], ',');
1057 else
1058 has_comma = NULL;
2069f457
EP		 1059
1060 switch (opts->mnt_opts_flags[i]) {
1061 case CONTEXT_MNT:
1062 prefix = CONTEXT_STR;
1063 break;
1064 case FSCONTEXT_MNT:
1065 prefix = FSCONTEXT_STR;
1066 break;
1067 case ROOTCONTEXT_MNT:
1068 prefix = ROOTCONTEXT_STR;
1069 break;
1070 case DEFCONTEXT_MNT:
1071 prefix = DEFCONTEXT_STR;
1072 break;
12f348b9 1073 case SBLABEL_MNT:
11689d47
DQ		 1074 seq_putc(m, ',');
1075 seq_puts(m, LABELSUPP_STR);
1076 continue;
2069f457
EP		 1077 default:
1078 BUG();
a35c6c83 1079 return;
2069f457
EP		 1080 };
1081 /* we need a comma before each option */
1082 seq_putc(m, ',');
1083 seq_puts(m, prefix);
1084 if (has_comma)
1085 seq_putc(m, '\"');
1086 seq_puts(m, opts->mnt_opts[i]);
1087 if (has_comma)
1088 seq_putc(m, '\"');
1089 }
1090}
1091
1092static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1093{
1094 struct security_mnt_opts opts;
1095 int rc;
1096
1097 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1098 if (rc) {
1099 /* before policy load we may get EINVAL, don't show anything */
1100 if (rc == -EINVAL)
1101 rc = 0;
2069f457 1102 return rc;
383795c2 1103 }
2069f457
EP		 1104
1105 selinux_write_opts(m, &opts);
1106
1107 security_free_mnt_opts(&opts);
1108
1109 return rc;
1110}
1111
1da177e4
LT		 1112static inline u16 inode_mode_to_security_class(umode_t mode)
1113{
1114 switch (mode & S_IFMT) {
1115 case S_IFSOCK:
1116 return SECCLASS_SOCK_FILE;
1117 case S_IFLNK:
1118 return SECCLASS_LNK_FILE;
1119 case S_IFREG:
1120 return SECCLASS_FILE;
1121 case S_IFBLK:
1122 return SECCLASS_BLK_FILE;
1123 case S_IFDIR:
1124 return SECCLASS_DIR;
1125 case S_IFCHR:
1126 return SECCLASS_CHR_FILE;
1127 case S_IFIFO:
1128 return SECCLASS_FIFO_FILE;
1129
1130 }
1131
1132 return SECCLASS_FILE;
1133}
1134
13402580
JM		 1135static inline int default_protocol_stream(int protocol)
1136{
1137 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1138}
1139
1140static inline int default_protocol_dgram(int protocol)
1141{
1142 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1143}
1144
1da177e4
LT		 1145static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1146{
1147 switch (family) {
1148 case PF_UNIX:
1149 switch (type) {
1150 case SOCK_STREAM:
1151 case SOCK_SEQPACKET:
1152 return SECCLASS_UNIX_STREAM_SOCKET;
1153 case SOCK_DGRAM:
1154 return SECCLASS_UNIX_DGRAM_SOCKET;
1155 }
1156 break;
1157 case PF_INET:
1158 case PF_INET6:
1159 switch (type) {
1160 case SOCK_STREAM:
13402580
JM		 1161 if (default_protocol_stream(protocol))
1162 return SECCLASS_TCP_SOCKET;
1163 else
1164 return SECCLASS_RAWIP_SOCKET;
1da177e4 1165 case SOCK_DGRAM:
13402580
JM		 1166 if (default_protocol_dgram(protocol))
1167 return SECCLASS_UDP_SOCKET;
1168 else
1169 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1170 case SOCK_DCCP:
1171 return SECCLASS_DCCP_SOCKET;
13402580 1172 default:
1da177e4
LT		 1173 return SECCLASS_RAWIP_SOCKET;
1174 }
1175 break;
1176 case PF_NETLINK:
1177 switch (protocol) {
1178 case NETLINK_ROUTE:
1179 return SECCLASS_NETLINK_ROUTE_SOCKET;
1180 case NETLINK_FIREWALL:
1181 return SECCLASS_NETLINK_FIREWALL_SOCKET;
7f1fb60c 1182 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1183 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1184 case NETLINK_NFLOG:
1185 return SECCLASS_NETLINK_NFLOG_SOCKET;
1186 case NETLINK_XFRM:
1187 return SECCLASS_NETLINK_XFRM_SOCKET;
1188 case NETLINK_SELINUX:
1189 return SECCLASS_NETLINK_SELINUX_SOCKET;
1190 case NETLINK_AUDIT:
1191 return SECCLASS_NETLINK_AUDIT_SOCKET;
1192 case NETLINK_IP6_FW:
1193 return SECCLASS_NETLINK_IP6FW_SOCKET;
1194 case NETLINK_DNRTMSG:
1195 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1196 case NETLINK_KOBJECT_UEVENT:
1197 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1198 default:
1199 return SECCLASS_NETLINK_SOCKET;
1200 }
1201 case PF_PACKET:
1202 return SECCLASS_PACKET_SOCKET;
1203 case PF_KEY:
1204 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1205 case PF_APPLETALK:
1206 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1207 }
1208
1209 return SECCLASS_SOCKET;
1210}
1211
1212#ifdef CONFIG_PROC_FS
8e6c9693 1213static int selinux_proc_get_sid(struct dentry *dentry,
1da177e4
LT		 1214 u16 tclass,
1215 u32 *sid)
1216{
8e6c9693
LAG		 1217 int rc;
1218 char *buffer, *path;
1da177e4 1219
828dfe1d 1220 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1221 if (!buffer)
1222 return -ENOMEM;
1223
8e6c9693
LAG		 1224 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1225 if (IS_ERR(path))
1226 rc = PTR_ERR(path);
1227 else {
1228 /* each process gets a /proc/PID/ entry. Strip off the
1229 * PID part to get a valid selinux labeling.
1230 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1231 while (path[1] >= '0' && path[1] <= '9') {
1232 path[1] = '/';
1233 path++;
1234 }
1235 rc = security_genfs_sid("proc", path, tclass, sid);
1da177e4 1236 }
1da177e4
LT		 1237 free_page((unsigned long)buffer);
1238 return rc;
1239}
1240#else
8e6c9693 1241static int selinux_proc_get_sid(struct dentry *dentry,
1da177e4
LT		 1242 u16 tclass,
1243 u32 *sid)
1244{
1245 return -EINVAL;
1246}
1247#endif
1248
1249/* The inode's security attributes must be initialized before first use. */
1250static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1251{
1252 struct superblock_security_struct *sbsec = NULL;
1253 struct inode_security_struct *isec = inode->i_security;
1254 u32 sid;
1255 struct dentry *dentry;
1256#define INITCONTEXTLEN 255
1257 char *context = NULL;
1258 unsigned len = 0;
1259 int rc = 0;
1da177e4
LT		 1260
1261 if (isec->initialized)
1262 goto out;
1263
23970741 1264 mutex_lock(&isec->lock);
1da177e4 1265 if (isec->initialized)
23970741 1266 goto out_unlock;
1da177e4
LT		 1267
1268 sbsec = inode->i_sb->s_security;
0d90a7ec 1269 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1270 /* Defer initialization until selinux_complete_init,
1271 after the initial policy is loaded and the security
1272 server is ready to handle calls. */
1273 spin_lock(&sbsec->isec_lock);
1274 if (list_empty(&isec->list))
1275 list_add(&isec->list, &sbsec->isec_head);
1276 spin_unlock(&sbsec->isec_lock);
23970741 1277 goto out_unlock;
1da177e4
LT		 1278 }
1279
1280 switch (sbsec->behavior) {
eb9ae686
DQ		 1281 case SECURITY_FS_USE_NATIVE:
1282 break;
1da177e4
LT		 1283 case SECURITY_FS_USE_XATTR:
1284 if (!inode->i_op->getxattr) {
1285 isec->sid = sbsec->def_sid;
1286 break;
1287 }
1288
1289 /* Need a dentry, since the xattr API requires one.
1290 Life would be simpler if we could just pass the inode. */
1291 if (opt_dentry) {
1292 /* Called from d_instantiate or d_splice_alias. */
1293 dentry = dget(opt_dentry);
1294 } else {
1295 /* Called from selinux_complete_init, try to find a dentry. */
1296 dentry = d_find_alias(inode);
1297 }
1298 if (!dentry) {
df7f54c0
EP		 1299 /*
1300 * this is can be hit on boot when a file is accessed
1301 * before the policy is loaded. When we load policy we
1302 * may find inodes that have no dentry on the
1303 * sbsec->isec_head list. No reason to complain as these
1304 * will get fixed up the next time we go through
1305 * inode_doinit with a dentry, before these inodes could
1306 * be used again by userspace.
1307 */
23970741 1308 goto out_unlock;
1da177e4
LT		 1309 }
1310
1311 len = INITCONTEXTLEN;
4cb912f1 1312 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1313 if (!context) {
1314 rc = -ENOMEM;
1315 dput(dentry);
23970741 1316 goto out_unlock;
1da177e4 1317 }
4cb912f1 1318 context[len] = '\0';
1da177e4
LT		 1319 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1320 context, len);
1321 if (rc == -ERANGE) {
314dabb8
JM		 1322 kfree(context);
1323
1da177e4
LT		 1324 /* Need a larger buffer. Query for the right size. */
1325 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1326 NULL, 0);
1327 if (rc < 0) {
1328 dput(dentry);
23970741 1329 goto out_unlock;
1da177e4 1330 }
1da177e4 1331 len = rc;
4cb912f1 1332 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1333 if (!context) {
1334 rc = -ENOMEM;
1335 dput(dentry);
23970741 1336 goto out_unlock;
1da177e4 1337 }
4cb912f1 1338 context[len] = '\0';
1da177e4
LT		 1339 rc = inode->i_op->getxattr(dentry,
1340 XATTR_NAME_SELINUX,
1341 context, len);
1342 }
1343 dput(dentry);
1344 if (rc < 0) {
1345 if (rc != -ENODATA) {
744ba35e 1346 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1347 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1348 -rc, inode->i_sb->s_id, inode->i_ino);
1349 kfree(context);
23970741 1350 goto out_unlock;
1da177e4
LT		 1351 }
1352 /* Map ENODATA to the default file SID */
1353 sid = sbsec->def_sid;
1354 rc = 0;
1355 } else {
f5c1d5b2 1356 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1357 sbsec->def_sid,
1358 GFP_NOFS);
1da177e4 1359 if (rc) {
4ba0a8ad
EP		 1360 char *dev = inode->i_sb->s_id;
1361 unsigned long ino = inode->i_ino;
1362
1363 if (rc == -EINVAL) {
1364 if (printk_ratelimit())
1365 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1366 "context=%s. This indicates you may need to relabel the inode or the "
1367 "filesystem in question.\n", ino, dev, context);
1368 } else {
1369 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1370 "returned %d for dev=%s ino=%ld\n",
1371 __func__, context, -rc, dev, ino);
1372 }
1da177e4
LT		 1373 kfree(context);
1374 /* Leave with the unlabeled SID */
1375 rc = 0;
1376 break;
1377 }
1378 }
1379 kfree(context);
1380 isec->sid = sid;
1381 break;
1382 case SECURITY_FS_USE_TASK:
1383 isec->sid = isec->task_sid;
1384 break;
1385 case SECURITY_FS_USE_TRANS:
1386 /* Default to the fs SID. */
1387 isec->sid = sbsec->sid;
1388
1389 /* Try to obtain a transition SID. */
1390 isec->sclass = inode_mode_to_security_class(inode->i_mode);
652bb9b0
EP		 1391 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1392 isec->sclass, NULL, &sid);
1da177e4 1393 if (rc)
23970741 1394 goto out_unlock;
1da177e4
LT		 1395 isec->sid = sid;
1396 break;
c312feb2
EP		 1397 case SECURITY_FS_USE_MNTPOINT:
1398 isec->sid = sbsec->mntpoint_sid;
1399 break;
1da177e4 1400 default:
c312feb2 1401 /* Default to the fs superblock SID. */
1da177e4
LT		 1402 isec->sid = sbsec->sid;
1403
0d90a7ec 1404 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
8e6c9693 1405 if (opt_dentry) {
1da177e4 1406 isec->sclass = inode_mode_to_security_class(inode->i_mode);
8e6c9693 1407 rc = selinux_proc_get_sid(opt_dentry,
1da177e4
LT		 1408 isec->sclass,
1409 &sid);
1410 if (rc)
23970741 1411 goto out_unlock;
1da177e4
LT		 1412 isec->sid = sid;
1413 }
1414 }
1415 break;
1416 }
1417
1418 isec->initialized = 1;
1419
23970741
EP		 1420out_unlock:
1421 mutex_unlock(&isec->lock);
1da177e4
LT		 1422out:
1423 if (isec->sclass == SECCLASS_FILE)
1424 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1425 return rc;
1426}
1427
1428/* Convert a Linux signal to an access vector. */
1429static inline u32 signal_to_av(int sig)
1430{
1431 u32 perm = 0;
1432
1433 switch (sig) {
1434 case SIGCHLD:
1435 /* Commonly granted from child to parent. */
1436 perm = PROCESS__SIGCHLD;
1437 break;
1438 case SIGKILL:
1439 /* Cannot be caught or ignored */
1440 perm = PROCESS__SIGKILL;
1441 break;
1442 case SIGSTOP:
1443 /* Cannot be caught or ignored */
1444 perm = PROCESS__SIGSTOP;
1445 break;
1446 default:
1447 /* All other signals. */
1448 perm = PROCESS__SIGNAL;
1449 break;
1450 }
1451
1452 return perm;
1453}
1454
d84f4f99
DH		 1455/*
1456 * Check permission between a pair of credentials
1457 * fork check, ptrace check, etc.
1458 */
1459static int cred_has_perm(const struct cred *actor,
1460 const struct cred *target,
1461 u32 perms)
1462{
1463 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1464
1465 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1466}
1467
275bb41e 1468/*
88e67f3b 1469 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1470 * fork check, ptrace check, etc.
1471 * tsk1 is the actor and tsk2 is the target
3b11a1de 1472 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1473 */
1474static int task_has_perm(const struct task_struct *tsk1,
1475 const struct task_struct *tsk2,
1da177e4
LT		 1476 u32 perms)
1477{
275bb41e
DH		 1478 const struct task_security_struct *__tsec1, *__tsec2;
1479 u32 sid1, sid2;
1da177e4 1480
275bb41e
DH		 1481 rcu_read_lock();
1482 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1483 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1484 rcu_read_unlock();
1485 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1486}
1487
3b11a1de
DH		 1488/*
1489 * Check permission between current and another task, e.g. signal checks,
1490 * fork check, ptrace check, etc.
1491 * current is the actor and tsk2 is the target
1492 * - this uses current's subjective creds
1493 */
1494static int current_has_perm(const struct task_struct *tsk,
1495 u32 perms)
1496{
1497 u32 sid, tsid;
1498
1499 sid = current_sid();
1500 tsid = task_sid(tsk);
1501 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1502}
1503
b68e418c
SS		 1504#if CAP_LAST_CAP > 63
1505#error Fix SELinux to handle capabilities > 63.
1506#endif
1507
1da177e4 1508/* Check whether a task is allowed to use a capability. */
6a9de491 1509static int cred_has_capability(const struct cred *cred,
06112163 1510 int cap, int audit)
1da177e4 1511{
2bf49690 1512 struct common_audit_data ad;
06112163 1513 struct av_decision avd;
b68e418c 1514 u16 sclass;
3699c53c 1515 u32 sid = cred_sid(cred);
b68e418c 1516 u32 av = CAP_TO_MASK(cap);
06112163 1517 int rc;
1da177e4 1518
50c205f5 1519 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1520 ad.u.cap = cap;
1521
b68e418c
SS		 1522 switch (CAP_TO_INDEX(cap)) {
1523 case 0:
1524 sclass = SECCLASS_CAPABILITY;
1525 break;
1526 case 1:
1527 sclass = SECCLASS_CAPABILITY2;
1528 break;
1529 default:
1530 printk(KERN_ERR
1531 "SELinux: out of range capability %d\n", cap);
1532 BUG();
a35c6c83 1533 return -EINVAL;
b68e418c 1534 }
06112163 1535
275bb41e 1536 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1537 if (audit == SECURITY_CAP_AUDIT) {
ab354062 1538 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
9ade0cf4
EP		 1539 if (rc2)
1540 return rc2;
1541 }
06112163 1542 return rc;
1da177e4
LT		 1543}
1544
1545/* Check whether a task is allowed to use a system operation. */
1546static int task_has_system(struct task_struct *tsk,
1547 u32 perms)
1548{
275bb41e 1549 u32 sid = task_sid(tsk);
1da177e4 1550
275bb41e 1551 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1552 SECCLASS_SYSTEM, perms, NULL);
1553}
1554
1555/* Check whether a task has a particular permission to an inode.
1556 The 'adp' parameter is optional and allows other audit
1557 data to be passed (e.g. the dentry). */
88e67f3b 1558static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1559 struct inode *inode,
1560 u32 perms,
19e49834 1561 struct common_audit_data *adp)
1da177e4 1562{
1da177e4 1563 struct inode_security_struct *isec;
275bb41e 1564 u32 sid;
1da177e4 1565
e0e81739
DH		 1566 validate_creds(cred);
1567
828dfe1d 1568 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1569 return 0;
1570
88e67f3b 1571 sid = cred_sid(cred);
1da177e4
LT		 1572 isec = inode->i_security;
1573
19e49834 1574 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1575}
1576
1577/* Same as inode_has_perm, but pass explicit audit data containing
1578 the dentry to help the auditing code to more easily generate the
1579 pathname if needed. */
88e67f3b 1580static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1581 struct dentry *dentry,
1582 u32 av)
1583{
1584 struct inode *inode = dentry->d_inode;
2bf49690 1585 struct common_audit_data ad;
88e67f3b 1586
50c205f5 1587 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1588 ad.u.dentry = dentry;
19e49834 1589 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1590}
1591
1592/* Same as inode_has_perm, but pass explicit audit data containing
1593 the path to help the auditing code to more easily generate the
1594 pathname if needed. */
1595static inline int path_has_perm(const struct cred *cred,
1596 struct path *path,
1597 u32 av)
1598{
1599 struct inode *inode = path->dentry->d_inode;
1600 struct common_audit_data ad;
1601
50c205f5 1602 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1603 ad.u.path = *path;
19e49834 1604 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1605}
1606
13f8e981
DH		 1607/* Same as path_has_perm, but uses the inode from the file struct. */
1608static inline int file_path_has_perm(const struct cred *cred,
1609 struct file *file,
1610 u32 av)
1611{
1612 struct common_audit_data ad;
1613
1614 ad.type = LSM_AUDIT_DATA_PATH;
1615 ad.u.path = file->f_path;
19e49834 1616 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1617}
1618
1da177e4
LT		 1619/* Check whether a task can use an open file descriptor to
1620 access an inode in a given way. Check access to the
1621 descriptor itself, and then use dentry_has_perm to
1622 check a particular permission to the file.
1623 Access to the descriptor is implicitly granted if it
1624 has the same SID as the process. If av is zero, then
1625 access to the file is not checked, e.g. for cases
1626 where only the descriptor is affected like seek. */
88e67f3b
DH		 1627static int file_has_perm(const struct cred *cred,
1628 struct file *file,
1629 u32 av)
1da177e4 1630{
1da177e4 1631 struct file_security_struct *fsec = file->f_security;
496ad9aa 1632 struct inode *inode = file_inode(file);
2bf49690 1633 struct common_audit_data ad;
88e67f3b 1634 u32 sid = cred_sid(cred);
1da177e4
LT		 1635 int rc;
1636
50c205f5 1637 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 1638 ad.u.path = file->f_path;
1da177e4 1639
275bb41e
DH		 1640 if (sid != fsec->sid) {
1641 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1642 SECCLASS_FD,
1643 FD__USE,
1644 &ad);
1645 if (rc)
88e67f3b 1646 goto out;
1da177e4
LT		 1647 }
1648
1649 /* av is zero if only checking access to the descriptor. */
88e67f3b 1650 rc = 0;
1da177e4 1651 if (av)
19e49834 1652 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1653
88e67f3b
DH		 1654out:
1655 return rc;
1da177e4
LT		 1656}
1657
1658/* Check whether a task can create a file. */
1659static int may_create(struct inode *dir,
1660 struct dentry *dentry,
1661 u16 tclass)
1662{
5fb49870 1663 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1664 struct inode_security_struct *dsec;
1665 struct superblock_security_struct *sbsec;
275bb41e 1666 u32 sid, newsid;
2bf49690 1667 struct common_audit_data ad;
1da177e4
LT		 1668 int rc;
1669
1da177e4
LT		 1670 dsec = dir->i_security;
1671 sbsec = dir->i_sb->s_security;
1672
275bb41e
DH		 1673 sid = tsec->sid;
1674 newsid = tsec->create_sid;
1675
50c205f5 1676 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1677 ad.u.dentry = dentry;
1da177e4 1678
275bb41e 1679 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1680 DIR__ADD_NAME | DIR__SEARCH,
1681 &ad);
1682 if (rc)
1683 return rc;
1684
12f348b9 1685 if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
cb1e922f
EP		 1686 rc = security_transition_sid(sid, dsec->sid, tclass,
1687 &dentry->d_name, &newsid);
1da177e4
LT		 1688 if (rc)
1689 return rc;
1690 }
1691
275bb41e 1692 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1693 if (rc)
1694 return rc;
1695
1696 return avc_has_perm(newsid, sbsec->sid,
1697 SECCLASS_FILESYSTEM,
1698 FILESYSTEM__ASSOCIATE, &ad);
1699}
1700
4eb582cf
ML		 1701/* Check whether a task can create a key. */
1702static int may_create_key(u32 ksid,
1703 struct task_struct *ctx)
1704{
275bb41e 1705 u32 sid = task_sid(ctx);
4eb582cf 1706
275bb41e 1707 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1708}
1709
828dfe1d
EP		 1710#define MAY_LINK 0
1711#define MAY_UNLINK 1
1712#define MAY_RMDIR 2
1da177e4
LT		 1713
1714/* Check whether a task can link, unlink, or rmdir a file/directory. */
1715static int may_link(struct inode *dir,
1716 struct dentry *dentry,
1717 int kind)
1718
1719{
1da177e4 1720 struct inode_security_struct *dsec, *isec;
2bf49690 1721 struct common_audit_data ad;
275bb41e 1722 u32 sid = current_sid();
1da177e4
LT		 1723 u32 av;
1724 int rc;
1725
1da177e4
LT		 1726 dsec = dir->i_security;
1727 isec = dentry->d_inode->i_security;
1728
50c205f5 1729 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1730 ad.u.dentry = dentry;
1da177e4
LT		 1731
1732 av = DIR__SEARCH;
1733 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1734 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1735 if (rc)
1736 return rc;
1737
1738 switch (kind) {
1739 case MAY_LINK:
1740 av = FILE__LINK;
1741 break;
1742 case MAY_UNLINK:
1743 av = FILE__UNLINK;
1744 break;
1745 case MAY_RMDIR:
1746 av = DIR__RMDIR;
1747 break;
1748 default:
744ba35e
EP		 1749 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1750 __func__, kind);
1da177e4
LT		 1751 return 0;
1752 }
1753
275bb41e 1754 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1755 return rc;
1756}
1757
1758static inline int may_rename(struct inode *old_dir,
1759 struct dentry *old_dentry,
1760 struct inode *new_dir,
1761 struct dentry *new_dentry)
1762{
1da177e4 1763 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1764 struct common_audit_data ad;
275bb41e 1765 u32 sid = current_sid();
1da177e4
LT		 1766 u32 av;
1767 int old_is_dir, new_is_dir;
1768 int rc;
1769
1da177e4
LT		 1770 old_dsec = old_dir->i_security;
1771 old_isec = old_dentry->d_inode->i_security;
1772 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1773 new_dsec = new_dir->i_security;
1774
50c205f5 1775 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1776
a269434d 1777 ad.u.dentry = old_dentry;
275bb41e 1778 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1779 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1780 if (rc)
1781 return rc;
275bb41e 1782 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1783 old_isec->sclass, FILE__RENAME, &ad);
1784 if (rc)
1785 return rc;
1786 if (old_is_dir && new_dir != old_dir) {
275bb41e 1787 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1788 old_isec->sclass, DIR__REPARENT, &ad);
1789 if (rc)
1790 return rc;
1791 }
1792
a269434d 1793 ad.u.dentry = new_dentry;
1da177e4
LT		 1794 av = DIR__ADD_NAME | DIR__SEARCH;
1795 if (new_dentry->d_inode)
1796 av |= DIR__REMOVE_NAME;
275bb41e 1797 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1798 if (rc)
1799 return rc;
1800 if (new_dentry->d_inode) {
1801 new_isec = new_dentry->d_inode->i_security;
1802 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
275bb41e 1803 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1804 new_isec->sclass,
1805 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1806 if (rc)
1807 return rc;
1808 }
1809
1810 return 0;
1811}
1812
1813/* Check whether a task can perform a filesystem operation. */
88e67f3b 1814static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1815 struct super_block *sb,
1816 u32 perms,
2bf49690 1817 struct common_audit_data *ad)
1da177e4 1818{
1da177e4 1819 struct superblock_security_struct *sbsec;
88e67f3b 1820 u32 sid = cred_sid(cred);
1da177e4 1821
1da177e4 1822 sbsec = sb->s_security;
275bb41e 1823 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1824}
1825
1826/* Convert a Linux mode and permission mask to an access vector. */
1827static inline u32 file_mask_to_av(int mode, int mask)
1828{
1829 u32 av = 0;
1830
dba19c60 1831 if (!S_ISDIR(mode)) {
1da177e4
LT		 1832 if (mask & MAY_EXEC)
1833 av |= FILE__EXECUTE;
1834 if (mask & MAY_READ)
1835 av |= FILE__READ;
1836
1837 if (mask & MAY_APPEND)
1838 av |= FILE__APPEND;
1839 else if (mask & MAY_WRITE)
1840 av |= FILE__WRITE;
1841
1842 } else {
1843 if (mask & MAY_EXEC)
1844 av |= DIR__SEARCH;
1845 if (mask & MAY_WRITE)
1846 av |= DIR__WRITE;
1847 if (mask & MAY_READ)
1848 av |= DIR__READ;
1849 }
1850
1851 return av;
1852}
1853
8b6a5a37
EP		 1854/* Convert a Linux file to an access vector. */
1855static inline u32 file_to_av(struct file *file)
1856{
1857 u32 av = 0;
1858
1859 if (file->f_mode & FMODE_READ)
1860 av |= FILE__READ;
1861 if (file->f_mode & FMODE_WRITE) {
1862 if (file->f_flags & O_APPEND)
1863 av |= FILE__APPEND;
1864 else
1865 av |= FILE__WRITE;
1866 }
1867 if (!av) {
1868 /*
1869 * Special file opened with flags 3 for ioctl-only use.
1870 */
1871 av = FILE__IOCTL;
1872 }
1873
1874 return av;
1875}
1876
b0c636b9 1877/*
8b6a5a37 1878 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 1879 * open permission.
1880 */
8b6a5a37 1881static inline u32 open_file_to_av(struct file *file)
b0c636b9 1882{
8b6a5a37 1883 u32 av = file_to_av(file);
b0c636b9 1884
49b7b8de
EP		 1885 if (selinux_policycap_openperm)
1886 av |= FILE__OPEN;
1887
b0c636b9
EP		 1888 return av;
1889}
1890
1da177e4
LT		 1891/* Hook functions begin here. */
1892
9e48858f 1893static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 1894 unsigned int mode)
1da177e4 1895{
1da177e4
LT		 1896 int rc;
1897
9e48858f 1898 rc = cap_ptrace_access_check(child, mode);
1da177e4
LT		 1899 if (rc)
1900 return rc;
1901
69f594a3 1902 if (mode & PTRACE_MODE_READ) {
275bb41e
DH		 1903 u32 sid = current_sid();
1904 u32 csid = task_sid(child);
1905 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 1906 }
1907
3b11a1de 1908 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 1909}
1910
1911static int selinux_ptrace_traceme(struct task_struct *parent)
1912{
1913 int rc;
1914
200ac532 1915 rc = cap_ptrace_traceme(parent);
5cd9c58f
DH		 1916 if (rc)
1917 return rc;
1918
1919 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 1920}
1921
1922static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 1923 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4
LT		 1924{
1925 int error;
1926
3b11a1de 1927 error = current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 1928 if (error)
1929 return error;
1930
200ac532 1931 return cap_capget(target, effective, inheritable, permitted);
1da177e4
LT		 1932}
1933
d84f4f99
DH		 1934static int selinux_capset(struct cred *new, const struct cred *old,
1935 const kernel_cap_t *effective,
1936 const kernel_cap_t *inheritable,
1937 const kernel_cap_t *permitted)
1da177e4
LT		 1938{
1939 int error;
1940
200ac532 1941 error = cap_capset(new, old,
d84f4f99 1942 effective, inheritable, permitted);
1da177e4
LT		 1943 if (error)
1944 return error;
1945
d84f4f99 1946 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 1947}
1948
5626d3e8
JM		 1949/*
1950 * (This comment used to live with the selinux_task_setuid hook,
1951 * which was removed).
1952 *
1953 * Since setuid only affects the current process, and since the SELinux
1954 * controls are not based on the Linux identity attributes, SELinux does not
1955 * need to control this operation. However, SELinux does control the use of
1956 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1957 */
1958
6a9de491
EP		 1959static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1960 int cap, int audit)
1da177e4
LT		 1961{
1962 int rc;
1963
6a9de491 1964 rc = cap_capable(cred, ns, cap, audit);
1da177e4
LT		 1965 if (rc)
1966 return rc;
1967
6a9de491 1968 return cred_has_capability(cred, cap, audit);
1da177e4
LT		 1969}
1970
1da177e4
LT		 1971static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1972{
88e67f3b 1973 const struct cred *cred = current_cred();
1da177e4
LT		 1974 int rc = 0;
1975
1976 if (!sb)
1977 return 0;
1978
1979 switch (cmds) {
828dfe1d
EP		 1980 case Q_SYNC:
1981 case Q_QUOTAON:
1982 case Q_QUOTAOFF:
1983 case Q_SETINFO:
1984 case Q_SETQUOTA:
88e67f3b 1985 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 1986 break;
1987 case Q_GETFMT:
1988 case Q_GETINFO:
1989 case Q_GETQUOTA:
88e67f3b 1990 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 1991 break;
1992 default:
1993 rc = 0; /* let the kernel handle invalid cmds */
1994 break;
1da177e4
LT		 1995 }
1996 return rc;
1997}
1998
1999static int selinux_quota_on(struct dentry *dentry)
2000{
88e67f3b
DH		 2001 const struct cred *cred = current_cred();
2002
2875fa00 2003 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2004}
2005
12b3052c 2006static int selinux_syslog(int type)
1da177e4
LT		 2007{
2008 int rc;
2009
1da177e4 2010 switch (type) {
d78ca3cd
KC		 2011 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2012 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
828dfe1d
EP		 2013 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2014 break;
d78ca3cd
KC		 2015 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2016 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2017 /* Set level of messages printed to console */
2018 case SYSLOG_ACTION_CONSOLE_LEVEL:
828dfe1d
EP		 2019 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2020 break;
d78ca3cd
KC		 2021 case SYSLOG_ACTION_CLOSE: /* Close log */
2022 case SYSLOG_ACTION_OPEN: /* Open log */
2023 case SYSLOG_ACTION_READ: /* Read from log */
2024 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2025 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
828dfe1d
EP		 2026 default:
2027 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2028 break;
1da177e4
LT		 2029 }
2030 return rc;
2031}
2032
2033/*
2034 * Check that a process has enough memory to allocate a new virtual
2035 * mapping. 0 means there is enough memory for the allocation to
2036 * succeed and -ENOMEM implies there is not.
2037 *
1da177e4
LT		 2038 * Do not audit the selinux permission check, as this is applied to all
2039 * processes that allocate mappings.
2040 */
34b4e4aa 2041static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2042{
2043 int rc, cap_sys_admin = 0;
1da177e4 2044
6a9de491 2045 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
3699c53c 2046 SECURITY_CAP_NOAUDIT);
1da177e4
LT		 2047 if (rc == 0)
2048 cap_sys_admin = 1;
2049
34b4e4aa 2050 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 2051}
2052
2053/* binprm security operations */
2054
a6f76f23 2055static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2056{
a6f76f23
DH		 2057 const struct task_security_struct *old_tsec;
2058 struct task_security_struct *new_tsec;
1da177e4 2059 struct inode_security_struct *isec;
2bf49690 2060 struct common_audit_data ad;
496ad9aa 2061 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2062 int rc;
2063
200ac532 2064 rc = cap_bprm_set_creds(bprm);
1da177e4
LT		 2065 if (rc)
2066 return rc;
2067
a6f76f23
DH		 2068 /* SELinux context only depends on initial program or script and not
2069 * the script interpreter */
2070 if (bprm->cred_prepared)
1da177e4
LT		 2071 return 0;
2072
a6f76f23
DH		 2073 old_tsec = current_security();
2074 new_tsec = bprm->cred->security;
1da177e4
LT		 2075 isec = inode->i_security;
2076
2077 /* Default to the current task SID. */
a6f76f23
DH		 2078 new_tsec->sid = old_tsec->sid;
2079 new_tsec->osid = old_tsec->sid;
1da177e4 2080
28eba5bf 2081 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2082 new_tsec->create_sid = 0;
2083 new_tsec->keycreate_sid = 0;
2084 new_tsec->sockcreate_sid = 0;
1da177e4 2085
a6f76f23
DH		 2086 if (old_tsec->exec_sid) {
2087 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2088 /* Reset exec SID on execve. */
a6f76f23 2089 new_tsec->exec_sid = 0;
259e5e6c
AL		 2090
2091 /*
2092 * Minimize confusion: if no_new_privs and a transition is
2093 * explicitly requested, then fail the exec.
2094 */
2095 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
2096 return -EPERM;
1da177e4
LT		 2097 } else {
2098 /* Check for a default transition on this program. */
a6f76f23 2099 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2100 SECCLASS_PROCESS, NULL,
2101 &new_tsec->sid);
1da177e4
LT		 2102 if (rc)
2103 return rc;
2104 }
2105
50c205f5 2106 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 2107 ad.u.path = bprm->file->f_path;
1da177e4 2108
259e5e6c
AL		 2109 if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
2110 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
a6f76f23 2111 new_tsec->sid = old_tsec->sid;
1da177e4 2112
a6f76f23
DH		 2113 if (new_tsec->sid == old_tsec->sid) {
2114 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2115 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2116 if (rc)
2117 return rc;
2118 } else {
2119 /* Check permissions for the transition. */
a6f76f23 2120 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2121 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2122 if (rc)
2123 return rc;
2124
a6f76f23 2125 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2126 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2127 if (rc)
2128 return rc;
2129
a6f76f23
DH		 2130 /* Check for shared state */
2131 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2132 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2133 SECCLASS_PROCESS, PROCESS__SHARE,
2134 NULL);
2135 if (rc)
2136 return -EPERM;
2137 }
2138
2139 /* Make sure that anyone attempting to ptrace over a task that
2140 * changes its SID has the appropriate permit */
2141 if (bprm->unsafe &
2142 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2143 struct task_struct *tracer;
2144 struct task_security_struct *sec;
2145 u32 ptsid = 0;
2146
2147 rcu_read_lock();
06d98473 2148 tracer = ptrace_parent(current);
a6f76f23
DH		 2149 if (likely(tracer != NULL)) {
2150 sec = __task_cred(tracer)->security;
2151 ptsid = sec->sid;
2152 }
2153 rcu_read_unlock();
2154
2155 if (ptsid != 0) {
2156 rc = avc_has_perm(ptsid, new_tsec->sid,
2157 SECCLASS_PROCESS,
2158 PROCESS__PTRACE, NULL);
2159 if (rc)
2160 return -EPERM;
2161 }
2162 }
1da177e4 2163
a6f76f23
DH		 2164 /* Clear any possibly unsafe personality bits on exec: */
2165 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2166 }
2167
1da177e4
LT		 2168 return 0;
2169}
2170
828dfe1d 2171static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2172{
5fb49870 2173 const struct task_security_struct *tsec = current_security();
275bb41e 2174 u32 sid, osid;
1da177e4
LT		 2175 int atsecure = 0;
2176
275bb41e
DH		 2177 sid = tsec->sid;
2178 osid = tsec->osid;
2179
2180 if (osid != sid) {
1da177e4
LT		 2181 /* Enable secure mode for SIDs transitions unless
2182 the noatsecure permission is granted between
2183 the two SIDs, i.e. ahp returns 0. */
275bb41e 2184 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2185 SECCLASS_PROCESS,
2186 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2187 }
2188
200ac532 2189 return (atsecure || cap_bprm_secureexec(bprm));
1da177e4
LT		 2190}
2191
c3c073f8
AV		 2192static int match_file(const void *p, struct file *file, unsigned fd)
2193{
2194 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2195}
2196
1da177e4 2197/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2198static inline void flush_unauthorized_files(const struct cred *cred,
2199 struct files_struct *files)
1da177e4 2200{
1da177e4 2201 struct file *file, *devnull = NULL;
b20c8122 2202 struct tty_struct *tty;
24ec839c 2203 int drop_tty = 0;
c3c073f8 2204 unsigned n;
1da177e4 2205
24ec839c 2206 tty = get_current_tty();
1da177e4 2207 if (tty) {
ee2ffa0d 2208 spin_lock(&tty_files_lock);
37dd0bd0 2209 if (!list_empty(&tty->tty_files)) {
d996b62a 2210 struct tty_file_private *file_priv;
37dd0bd0 2211
1da177e4 2212 /* Revalidate access to controlling tty.
13f8e981
DH		 2213 Use file_path_has_perm on the tty path directly
2214 rather than using file_has_perm, as this particular
2215 open file may belong to another process and we are
2216 only interested in the inode-based check here. */
d996b62a
NP		 2217 file_priv = list_first_entry(&tty->tty_files,
2218 struct tty_file_private, list);
2219 file = file_priv->file;
13f8e981 2220 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2221 drop_tty = 1;
1da177e4 2222 }
ee2ffa0d 2223 spin_unlock(&tty_files_lock);
452a00d2 2224 tty_kref_put(tty);
1da177e4 2225 }
98a27ba4
EB		 2226 /* Reset controlling tty. */
2227 if (drop_tty)
2228 no_tty();
1da177e4
LT		 2229
2230 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2231 n = iterate_fd(files, 0, match_file, cred);
2232 if (!n) /* none found? */
2233 return;
1da177e4 2234
c3c073f8 2235 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2236 if (IS_ERR(devnull))
2237 devnull = NULL;
2238 /* replace all the matching ones with this */
2239 do {
2240 replace_fd(n - 1, devnull, 0);
2241 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2242 if (devnull)
c3c073f8 2243 fput(devnull);
1da177e4
LT		 2244}
2245
a6f76f23
DH		 2246/*
2247 * Prepare a process for imminent new credential changes due to exec
2248 */
2249static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2250{
a6f76f23
DH		 2251 struct task_security_struct *new_tsec;
2252 struct rlimit *rlim, *initrlim;
2253 int rc, i;
d84f4f99 2254
a6f76f23
DH		 2255 new_tsec = bprm->cred->security;
2256 if (new_tsec->sid == new_tsec->osid)
2257 return;
1da177e4 2258
a6f76f23
DH		 2259 /* Close files for which the new task SID is not authorized. */
2260 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2261
a6f76f23
DH		 2262 /* Always clear parent death signal on SID transitions. */
2263 current->pdeath_signal = 0;
0356357c 2264
a6f76f23
DH		 2265 /* Check whether the new SID can inherit resource limits from the old
2266 * SID. If not, reset all soft limits to the lower of the current
2267 * task's hard limit and the init task's soft limit.
2268 *
2269 * Note that the setting of hard limits (even to lower them) can be
2270 * controlled by the setrlimit check. The inclusion of the init task's
2271 * soft limit into the computation is to avoid resetting soft limits
2272 * higher than the default soft limit for cases where the default is
2273 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2274 */
2275 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2276 PROCESS__RLIMITINH, NULL);
2277 if (rc) {
eb2d55a3
ON		 2278 /* protect against do_prlimit() */
2279 task_lock(current);
a6f76f23
DH		 2280 for (i = 0; i < RLIM_NLIMITS; i++) {
2281 rlim = current->signal->rlim + i;
2282 initrlim = init_task.signal->rlim + i;
2283 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2284 }
eb2d55a3
ON		 2285 task_unlock(current);
2286 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2287 }
2288}
2289
2290/*
a6f76f23
DH		 2291 * Clean up the process immediately after the installation of new credentials
2292 * due to exec
1da177e4 2293 */
a6f76f23 2294static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2295{
a6f76f23 2296 const struct task_security_struct *tsec = current_security();
1da177e4 2297 struct itimerval itimer;
a6f76f23 2298 u32 osid, sid;
1da177e4
LT		 2299 int rc, i;
2300
a6f76f23
DH		 2301 osid = tsec->osid;
2302 sid = tsec->sid;
2303
2304 if (sid == osid)
1da177e4
LT		 2305 return;
2306
a6f76f23
DH		 2307 /* Check whether the new SID can inherit signal state from the old SID.
2308 * If not, clear itimers to avoid subsequent signal generation and
2309 * flush and unblock signals.
2310 *
2311 * This must occur _after_ the task SID has been updated so that any
2312 * kill done after the flush will be checked against the new SID.
2313 */
2314 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4
LT		 2315 if (rc) {
2316 memset(&itimer, 0, sizeof itimer);
2317 for (i = 0; i < 3; i++)
2318 do_setitimer(i, &itimer, NULL);
1da177e4 2319 spin_lock_irq(&current->sighand->siglock);
3bcac026
DH		 2320 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2321 __flush_signals(current);
2322 flush_signal_handlers(current, 1);
2323 sigemptyset(&current->blocked);
2324 }
1da177e4
LT		 2325 spin_unlock_irq(&current->sighand->siglock);
2326 }
2327
a6f76f23
DH		 2328 /* Wake up the parent if it is waiting so that it can recheck
2329 * wait permission to the new task SID. */
ecd6de3c 2330 read_lock(&tasklist_lock);
0b7570e7 2331 __wake_up_parent(current, current->real_parent);
ecd6de3c 2332 read_unlock(&tasklist_lock);
1da177e4
LT		 2333}
2334
2335/* superblock security operations */
2336
2337static int selinux_sb_alloc_security(struct super_block *sb)
2338{
2339 return superblock_alloc_security(sb);
2340}
2341
2342static void selinux_sb_free_security(struct super_block *sb)
2343{
2344 superblock_free_security(sb);
2345}
2346
2347static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2348{
2349 if (plen > olen)
2350 return 0;
2351
2352 return !memcmp(prefix, option, plen);
2353}
2354
2355static inline int selinux_option(char *option, int len)
2356{
832cbd9a
EP		 2357 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2358 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2359 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2360 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2361 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2362}
2363
2364static inline void take_option(char **to, char *from, int *first, int len)
2365{
2366 if (!*first) {
2367 **to = ',';
2368 *to += 1;
3528a953 2369 } else
1da177e4
LT		 2370 *first = 0;
2371 memcpy(*to, from, len);
2372 *to += len;
2373}
2374
828dfe1d
EP		 2375static inline void take_selinux_option(char **to, char *from, int *first,
2376 int len)
3528a953
CO		 2377{
2378 int current_size = 0;
2379
2380 if (!*first) {
2381 **to = '|';
2382 *to += 1;
828dfe1d 2383 } else
3528a953
CO		 2384 *first = 0;
2385
2386 while (current_size < len) {
2387 if (*from != '"') {
2388 **to = *from;
2389 *to += 1;
2390 }
2391 from += 1;
2392 current_size += 1;
2393 }
2394}
2395
e0007529 2396static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2397{
2398 int fnosec, fsec, rc = 0;
2399 char *in_save, *in_curr, *in_end;
2400 char *sec_curr, *nosec_save, *nosec;
3528a953 2401 int open_quote = 0;
1da177e4
LT		 2402
2403 in_curr = orig;
2404 sec_curr = copy;
2405
1da177e4
LT		 2406 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2407 if (!nosec) {
2408 rc = -ENOMEM;
2409 goto out;
2410 }
2411
2412 nosec_save = nosec;
2413 fnosec = fsec = 1;
2414 in_save = in_end = orig;
2415
2416 do {
3528a953
CO		 2417 if (*in_end == '"')
2418 open_quote = !open_quote;
2419 if ((*in_end == ',' && open_quote == 0) ||
2420 *in_end == '\0') {
1da177e4
LT		 2421 int len = in_end - in_curr;
2422
2423 if (selinux_option(in_curr, len))
3528a953 2424 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2425 else
2426 take_option(&nosec, in_curr, &fnosec, len);
2427
2428 in_curr = in_end + 1;
2429 }
2430 } while (*in_end++);
2431
6931dfc9 2432 strcpy(in_save, nosec_save);
da3caa20 2433 free_page((unsigned long)nosec_save);
1da177e4
LT		 2434out:
2435 return rc;
2436}
2437
026eb167
EP		 2438static int selinux_sb_remount(struct super_block *sb, void *data)
2439{
2440 int rc, i, *flags;
2441 struct security_mnt_opts opts;
2442 char *secdata, **mount_options;
2443 struct superblock_security_struct *sbsec = sb->s_security;
2444
2445 if (!(sbsec->flags & SE_SBINITIALIZED))
2446 return 0;
2447
2448 if (!data)
2449 return 0;
2450
2451 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2452 return 0;
2453
2454 security_init_mnt_opts(&opts);
2455 secdata = alloc_secdata();
2456 if (!secdata)
2457 return -ENOMEM;
2458 rc = selinux_sb_copy_data(data, secdata);
2459 if (rc)
2460 goto out_free_secdata;
2461
2462 rc = selinux_parse_opts_str(secdata, &opts);
2463 if (rc)
2464 goto out_free_secdata;
2465
2466 mount_options = opts.mnt_opts;
2467 flags = opts.mnt_opts_flags;
2468
2469 for (i = 0; i < opts.num_mnt_opts; i++) {
2470 u32 sid;
2471 size_t len;
2472
12f348b9 2473 if (flags[i] == SBLABEL_MNT)
026eb167
EP		 2474 continue;
2475 len = strlen(mount_options[i]);
2476 rc = security_context_to_sid(mount_options[i], len, &sid);
2477 if (rc) {
2478 printk(KERN_WARNING "SELinux: security_context_to_sid"
29b1deb2
LT		 2479 "(%s) failed for (dev %s, type %s) errno=%d\n",
2480 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2481 goto out_free_opts;
2482 }
2483 rc = -EINVAL;
2484 switch (flags[i]) {
2485 case FSCONTEXT_MNT:
2486 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2487 goto out_bad_option;
2488 break;
2489 case CONTEXT_MNT:
2490 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2491 goto out_bad_option;
2492 break;
2493 case ROOTCONTEXT_MNT: {
2494 struct inode_security_struct *root_isec;
2495 root_isec = sb->s_root->d_inode->i_security;
2496
2497 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2498 goto out_bad_option;
2499 break;
2500 }
2501 case DEFCONTEXT_MNT:
2502 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2503 goto out_bad_option;
2504 break;
2505 default:
2506 goto out_free_opts;
2507 }
2508 }
2509
2510 rc = 0;
2511out_free_opts:
2512 security_free_mnt_opts(&opts);
2513out_free_secdata:
2514 free_secdata(secdata);
2515 return rc;
2516out_bad_option:
2517 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2518 "during remount (dev %s, type=%s)\n", sb->s_id,
2519 sb->s_type->name);
026eb167
EP		 2520 goto out_free_opts;
2521}
2522
12204e24 2523static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2524{
88e67f3b 2525 const struct cred *cred = current_cred();
2bf49690 2526 struct common_audit_data ad;
1da177e4
LT		 2527 int rc;
2528
2529 rc = superblock_doinit(sb, data);
2530 if (rc)
2531 return rc;
2532
74192246
JM		 2533 /* Allow all mounts performed by the kernel */
2534 if (flags & MS_KERNMOUNT)
2535 return 0;
2536
50c205f5 2537 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2538 ad.u.dentry = sb->s_root;
88e67f3b 2539 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2540}
2541
726c3342 2542static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2543{
88e67f3b 2544 const struct cred *cred = current_cred();
2bf49690 2545 struct common_audit_data ad;
1da177e4 2546
50c205f5 2547 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2548 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2549 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2550}
2551
808d4e3c 2552static int selinux_mount(const char *dev_name,
b5266eb4 2553 struct path *path,
808d4e3c 2554 const char *type,
828dfe1d
EP		 2555 unsigned long flags,
2556 void *data)
1da177e4 2557{
88e67f3b 2558 const struct cred *cred = current_cred();
1da177e4
LT		 2559
2560 if (flags & MS_REMOUNT)
d8c9584e 2561 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2562 FILESYSTEM__REMOUNT, NULL);
1da177e4 2563 else
2875fa00 2564 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2565}
2566
2567static int selinux_umount(struct vfsmount *mnt, int flags)
2568{
88e67f3b 2569 const struct cred *cred = current_cred();
1da177e4 2570
88e67f3b 2571 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2572 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2573}
2574
2575/* inode security operations */
2576
2577static int selinux_inode_alloc_security(struct inode *inode)
2578{
2579 return inode_alloc_security(inode);
2580}
2581
2582static void selinux_inode_free_security(struct inode *inode)
2583{
2584 inode_free_security(inode);
2585}
2586
d47be3df
DQ		 2587static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2588 struct qstr *name, void **ctx,
2589 u32 *ctxlen)
2590{
2591 const struct cred *cred = current_cred();
2592 struct task_security_struct *tsec;
2593 struct inode_security_struct *dsec;
2594 struct superblock_security_struct *sbsec;
2595 struct inode *dir = dentry->d_parent->d_inode;
2596 u32 newsid;
2597 int rc;
2598
2599 tsec = cred->security;
2600 dsec = dir->i_security;
2601 sbsec = dir->i_sb->s_security;
2602
2603 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2604 newsid = tsec->create_sid;
2605 } else {
2606 rc = security_transition_sid(tsec->sid, dsec->sid,
2607 inode_mode_to_security_class(mode),
2608 name,
2609 &newsid);
2610 if (rc) {
2611 printk(KERN_WARNING
2612 "%s: security_transition_sid failed, rc=%d\n",
2613 __func__, -rc);
2614 return rc;
2615 }
2616 }
2617
2618 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2619}
2620
5e41ff9e 2621static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2622 const struct qstr *qstr,
2623 const char **name,
2a7dba39 2624 void **value, size_t *len)
5e41ff9e 2625{
5fb49870 2626 const struct task_security_struct *tsec = current_security();
5e41ff9e
SS		 2627 struct inode_security_struct *dsec;
2628 struct superblock_security_struct *sbsec;
275bb41e 2629 u32 sid, newsid, clen;
5e41ff9e 2630 int rc;
9548906b 2631 char *context;
5e41ff9e 2632
5e41ff9e
SS		 2633 dsec = dir->i_security;
2634 sbsec = dir->i_sb->s_security;
5e41ff9e 2635
275bb41e
DH		 2636 sid = tsec->sid;
2637 newsid = tsec->create_sid;
2638
415103f9
EP		 2639 if ((sbsec->flags & SE_SBINITIALIZED) &&
2640 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2641 newsid = sbsec->mntpoint_sid;
12f348b9 2642 else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
275bb41e 2643 rc = security_transition_sid(sid, dsec->sid,
5e41ff9e 2644 inode_mode_to_security_class(inode->i_mode),
652bb9b0 2645 qstr, &newsid);
5e41ff9e
SS		 2646 if (rc) {
2647 printk(KERN_WARNING "%s: "
2648 "security_transition_sid failed, rc=%d (dev=%s "
2649 "ino=%ld)\n",
dd6f953a 2650 __func__,
5e41ff9e
SS		 2651 -rc, inode->i_sb->s_id, inode->i_ino);
2652 return rc;
2653 }
2654 }
2655
296fddf7 2656 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2657 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2658 struct inode_security_struct *isec = inode->i_security;
2659 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2660 isec->sid = newsid;
2661 isec->initialized = 1;
2662 }
5e41ff9e 2663
12f348b9 2664 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2665 return -EOPNOTSUPP;
2666
9548906b
TH		 2667 if (name)
2668 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2669
570bc1c2 2670 if (value && len) {
12b29f34 2671 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 2672 if (rc)
570bc1c2 2673 return rc;
570bc1c2
SS		 2674 *value = context;
2675 *len = clen;
5e41ff9e 2676 }
5e41ff9e 2677
5e41ff9e
SS		 2678 return 0;
2679}
2680
4acdaf27 2681static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2682{
2683 return may_create(dir, dentry, SECCLASS_FILE);
2684}
2685
1da177e4
LT		 2686static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2687{
1da177e4
LT		 2688 return may_link(dir, old_dentry, MAY_LINK);
2689}
2690
1da177e4
LT		 2691static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2692{
1da177e4
LT		 2693 return may_link(dir, dentry, MAY_UNLINK);
2694}
2695
2696static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2697{
2698 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2699}
2700
18bb1db3 2701static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2702{
2703 return may_create(dir, dentry, SECCLASS_DIR);
2704}
2705
1da177e4
LT		 2706static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2707{
2708 return may_link(dir, dentry, MAY_RMDIR);
2709}
2710
1a67aafb 2711static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2712{
1da177e4
LT		 2713 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2714}
2715
1da177e4 2716static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2717 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2718{
2719 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2720}
2721
1da177e4
LT		 2722static int selinux_inode_readlink(struct dentry *dentry)
2723{
88e67f3b
DH		 2724 const struct cred *cred = current_cred();
2725
2875fa00 2726 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2727}
2728
2729static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2730{
88e67f3b 2731 const struct cred *cred = current_cred();
1da177e4 2732
2875fa00 2733 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2734}
2735
d4cf970d
EP		 2736static noinline int audit_inode_permission(struct inode *inode,
2737 u32 perms, u32 audited, u32 denied,
2738 unsigned flags)
1da177e4 2739{
b782e0a6 2740 struct common_audit_data ad;
d4cf970d
EP		 2741 struct inode_security_struct *isec = inode->i_security;
2742 int rc;
2743
50c205f5 2744 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 2745 ad.u.inode = inode;
2746
2747 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2748 audited, denied, &ad, flags);
2749 if (rc)
2750 return rc;
2751 return 0;
2752}
2753
e74f71eb 2754static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2755{
88e67f3b 2756 const struct cred *cred = current_cred();
b782e0a6
EP		 2757 u32 perms;
2758 bool from_access;
cf1dd1da 2759 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 2760 struct inode_security_struct *isec;
2761 u32 sid;
2762 struct av_decision avd;
2763 int rc, rc2;
2764 u32 audited, denied;
1da177e4 2765
b782e0a6 2766 from_access = mask & MAY_ACCESS;
d09ca739
EP		 2767 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2768
b782e0a6
EP		 2769 /* No permission to check. Existence test. */
2770 if (!mask)
1da177e4 2771 return 0;
1da177e4 2772
2e334057 2773 validate_creds(cred);
b782e0a6 2774
2e334057
EP		 2775 if (unlikely(IS_PRIVATE(inode)))
2776 return 0;
b782e0a6
EP		 2777
2778 perms = file_mask_to_av(inode->i_mode, mask);
2779
2e334057
EP		 2780 sid = cred_sid(cred);
2781 isec = inode->i_security;
2782
2783 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2784 audited = avc_audit_required(perms, &avd, rc,
2785 from_access ? FILE__AUDIT_ACCESS : 0,
2786 &denied);
2787 if (likely(!audited))
2788 return rc;
2789
d4cf970d 2790 rc2 = audit_inode_permission(inode, perms, audited, denied, flags);
2e334057
EP		 2791 if (rc2)
2792 return rc2;
2793 return rc;
1da177e4
LT		 2794}
2795
2796static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2797{
88e67f3b 2798 const struct cred *cred = current_cred();
bc6a6008 2799 unsigned int ia_valid = iattr->ia_valid;
95dbf739 2800 __u32 av = FILE__WRITE;
1da177e4 2801
bc6a6008
AW		 2802 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2803 if (ia_valid & ATTR_FORCE) {
2804 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2805 ATTR_FORCE);
2806 if (!ia_valid)
2807 return 0;
2808 }
1da177e4 2809
bc6a6008
AW		 2810 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2811 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 2812 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 2813
3d2195c3 2814 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
95dbf739
EP		 2815 av |= FILE__OPEN;
2816
2817 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 2818}
2819
2820static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2821{
88e67f3b 2822 const struct cred *cred = current_cred();
2875fa00
EP		 2823 struct path path;
2824
2825 path.dentry = dentry;
2826 path.mnt = mnt;
88e67f3b 2827
2875fa00 2828 return path_has_perm(cred, &path, FILE__GETATTR);
1da177e4
LT		 2829}
2830
8f0cfa52 2831static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 2832{
88e67f3b
DH		 2833 const struct cred *cred = current_cred();
2834
b5376771
SH		 2835 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2836 sizeof XATTR_SECURITY_PREFIX - 1)) {
2837 if (!strcmp(name, XATTR_NAME_CAPS)) {
2838 if (!capable(CAP_SETFCAP))
2839 return -EPERM;
2840 } else if (!capable(CAP_SYS_ADMIN)) {
2841 /* A different attribute in the security namespace.
2842 Restrict to administrator. */
2843 return -EPERM;
2844 }
2845 }
2846
2847 /* Not an attribute we recognize, so just check the
2848 ordinary setattr permission. */
2875fa00 2849 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 2850}
2851
8f0cfa52
DH		 2852static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2853 const void *value, size_t size, int flags)
1da177e4 2854{
1da177e4
LT		 2855 struct inode *inode = dentry->d_inode;
2856 struct inode_security_struct *isec = inode->i_security;
2857 struct superblock_security_struct *sbsec;
2bf49690 2858 struct common_audit_data ad;
275bb41e 2859 u32 newsid, sid = current_sid();
1da177e4
LT		 2860 int rc = 0;
2861
b5376771
SH		 2862 if (strcmp(name, XATTR_NAME_SELINUX))
2863 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2864
2865 sbsec = inode->i_sb->s_security;
12f348b9 2866 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 2867 return -EOPNOTSUPP;
2868
2e149670 2869 if (!inode_owner_or_capable(inode))
1da177e4
LT		 2870 return -EPERM;
2871
50c205f5 2872 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2873 ad.u.dentry = dentry;
1da177e4 2874
275bb41e 2875 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 2876 FILE__RELABELFROM, &ad);
2877 if (rc)
2878 return rc;
2879
2880 rc = security_context_to_sid(value, size, &newsid);
12b29f34 2881 if (rc == -EINVAL) {
d6ea83ec
EP		 2882 if (!capable(CAP_MAC_ADMIN)) {
2883 struct audit_buffer *ab;
2884 size_t audit_size;
2885 const char *str;
2886
2887 /* We strip a nul only if it is at the end, otherwise the
2888 * context contains a nul and we should audit that */
e3fea3f7
AV		 2889 if (value) {
2890 str = value;
2891 if (str[size - 1] == '\0')
2892 audit_size = size - 1;
2893 else
2894 audit_size = size;
2895 } else {
2896 str = "";
2897 audit_size = 0;
2898 }
d6ea83ec
EP		 2899 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2900 audit_log_format(ab, "op=setxattr invalid_context=");
2901 audit_log_n_untrustedstring(ab, value, audit_size);
2902 audit_log_end(ab);
2903
12b29f34 2904 return rc;
d6ea83ec 2905 }
12b29f34
SS		 2906 rc = security_context_to_sid_force(value, size, &newsid);
2907 }
1da177e4
LT		 2908 if (rc)
2909 return rc;
2910
275bb41e 2911 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 2912 FILE__RELABELTO, &ad);
2913 if (rc)
2914 return rc;
2915
275bb41e 2916 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 2917 isec->sclass);
1da177e4
LT		 2918 if (rc)
2919 return rc;
2920
2921 return avc_has_perm(newsid,
2922 sbsec->sid,
2923 SECCLASS_FILESYSTEM,
2924 FILESYSTEM__ASSOCIATE,
2925 &ad);
2926}
2927
8f0cfa52 2928static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 2929 const void *value, size_t size,
8f0cfa52 2930 int flags)
1da177e4
LT		 2931{
2932 struct inode *inode = dentry->d_inode;
2933 struct inode_security_struct *isec = inode->i_security;
2934 u32 newsid;
2935 int rc;
2936
2937 if (strcmp(name, XATTR_NAME_SELINUX)) {
2938 /* Not an attribute we recognize, so nothing to do. */
2939 return;
2940 }
2941
12b29f34 2942 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 2943 if (rc) {
12b29f34
SS		 2944 printk(KERN_ERR "SELinux: unable to map context to SID"
2945 "for (%s, %lu), rc=%d\n",
2946 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 2947 return;
2948 }
2949
aa9c2669 2950 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 2951 isec->sid = newsid;
aa9c2669
DQ		 2952 isec->initialized = 1;
2953
1da177e4
LT		 2954 return;
2955}
2956
8f0cfa52 2957static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 2958{
88e67f3b
DH		 2959 const struct cred *cred = current_cred();
2960
2875fa00 2961 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 2962}
2963
828dfe1d 2964static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 2965{
88e67f3b
DH		 2966 const struct cred *cred = current_cred();
2967
2875fa00 2968 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 2969}
2970
8f0cfa52 2971static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 2972{
b5376771
SH		 2973 if (strcmp(name, XATTR_NAME_SELINUX))
2974 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2975
2976 /* No one is allowed to remove a SELinux security label.
2977 You can change the label, but all data must be labeled. */
2978 return -EACCES;
2979}
2980
d381d8a9 2981/*
abc69bb6 2982 * Copy the inode security context value to the user.
d381d8a9
JM		 2983 *
2984 * Permission check is handled by selinux_inode_getxattr hook.
2985 */
42492594 2986static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 2987{
42492594
DQ		 2988 u32 size;
2989 int error;
2990 char *context = NULL;
1da177e4 2991 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2992
8c8570fb
DK		 2993 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2994 return -EOPNOTSUPP;
d381d8a9 2995
abc69bb6
SS		 2996 /*
2997 * If the caller has CAP_MAC_ADMIN, then get the raw context
2998 * value even if it is not defined by current policy; otherwise,
2999 * use the in-core value under current policy.
3000 * Use the non-auditing forms of the permission checks since
3001 * getxattr may be called by unprivileged processes commonly
3002 * and lack of permission just means that we fall back to the
3003 * in-core context value, not a denial.
3004 */
6a9de491 3005 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3699c53c 3006 SECURITY_CAP_NOAUDIT);
abc69bb6
SS		 3007 if (!error)
3008 error = security_sid_to_context_force(isec->sid, &context,
3009 &size);
3010 else
3011 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3012 if (error)
3013 return error;
3014 error = size;
3015 if (alloc) {
3016 *buffer = context;
3017 goto out_nofree;
3018 }
3019 kfree(context);
3020out_nofree:
3021 return error;
1da177e4
LT		 3022}
3023
3024static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3025 const void *value, size_t size, int flags)
1da177e4
LT		 3026{
3027 struct inode_security_struct *isec = inode->i_security;
3028 u32 newsid;
3029 int rc;
3030
3031 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3032 return -EOPNOTSUPP;
3033
3034 if (!value || !size)
3035 return -EACCES;
3036
828dfe1d 3037 rc = security_context_to_sid((void *)value, size, &newsid);
1da177e4
LT		 3038 if (rc)
3039 return rc;
3040
aa9c2669 3041 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3042 isec->sid = newsid;
ddd29ec6 3043 isec->initialized = 1;
1da177e4
LT		 3044 return 0;
3045}
3046
3047static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3048{
3049 const int len = sizeof(XATTR_NAME_SELINUX);
3050 if (buffer && len <= buffer_size)
3051 memcpy(buffer, XATTR_NAME_SELINUX, len);
3052 return len;
3053}
3054
713a04ae
AD		 3055static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3056{
3057 struct inode_security_struct *isec = inode->i_security;
3058 *secid = isec->sid;
3059}
3060
1da177e4
LT		 3061/* file security operations */
3062
788e7dd4 3063static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3064{
88e67f3b 3065 const struct cred *cred = current_cred();
496ad9aa 3066 struct inode *inode = file_inode(file);
1da177e4 3067
1da177e4
LT		 3068 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3069 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3070 mask |= MAY_APPEND;
3071
389fb800
PM		 3072 return file_has_perm(cred, file,
3073 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3074}
3075
788e7dd4
YN		 3076static int selinux_file_permission(struct file *file, int mask)
3077{
496ad9aa 3078 struct inode *inode = file_inode(file);
20dda18b
SS		 3079 struct file_security_struct *fsec = file->f_security;
3080 struct inode_security_struct *isec = inode->i_security;
3081 u32 sid = current_sid();
3082
389fb800 3083 if (!mask)
788e7dd4
YN		 3084 /* No permission to check. Existence test. */
3085 return 0;
788e7dd4 3086
20dda18b
SS		 3087 if (sid == fsec->sid && fsec->isid == isec->sid &&
3088 fsec->pseqno == avc_policy_seqno())
83d49856 3089 /* No change since file_open check. */
20dda18b
SS		 3090 return 0;
3091
788e7dd4
YN		 3092 return selinux_revalidate_file_permission(file, mask);
3093}
3094
1da177e4
LT		 3095static int selinux_file_alloc_security(struct file *file)
3096{
3097 return file_alloc_security(file);
3098}
3099
3100static void selinux_file_free_security(struct file *file)
3101{
3102 file_free_security(file);
3103}
3104
3105static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3106 unsigned long arg)
3107{
88e67f3b 3108 const struct cred *cred = current_cred();
0b24dcb7 3109 int error = 0;
1da177e4 3110
0b24dcb7
EP		 3111 switch (cmd) {
3112 case FIONREAD:
3113 /* fall through */
3114 case FIBMAP:
3115 /* fall through */
3116 case FIGETBSZ:
3117 /* fall through */
2f99c369 3118 case FS_IOC_GETFLAGS:
0b24dcb7 3119 /* fall through */
2f99c369 3120 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3121 error = file_has_perm(cred, file, FILE__GETATTR);
3122 break;
1da177e4 3123
2f99c369 3124 case FS_IOC_SETFLAGS:
0b24dcb7 3125 /* fall through */
2f99c369 3126 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3127 error = file_has_perm(cred, file, FILE__SETATTR);
3128 break;
3129
3130 /* sys_ioctl() checks */
3131 case FIONBIO:
3132 /* fall through */
3133 case FIOASYNC:
3134 error = file_has_perm(cred, file, 0);
3135 break;
1da177e4 3136
0b24dcb7
EP		 3137 case KDSKBENT:
3138 case KDSKBSENT:
6a9de491
EP		 3139 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3140 SECURITY_CAP_AUDIT);
0b24dcb7
EP		 3141 break;
3142
3143 /* default case assumes that the command will go
3144 * to the file's ioctl() function.
3145 */
3146 default:
3147 error = file_has_perm(cred, file, FILE__IOCTL);
3148 }
3149 return error;
1da177e4
LT		 3150}
3151
fcaaade1
SS		 3152static int default_noexec;
3153
1da177e4
LT		 3154static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3155{
88e67f3b 3156 const struct cred *cred = current_cred();
d84f4f99 3157 int rc = 0;
88e67f3b 3158
fcaaade1
SS		 3159 if (default_noexec &&
3160 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3161 /*
3162 * We are making executable an anonymous mapping or a
3163 * private file mapping that will also be writable.
3164 * This has an additional check.
3165 */
d84f4f99 3166 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 3167 if (rc)
d84f4f99 3168 goto error;
1da177e4 3169 }
1da177e4
LT		 3170
3171 if (file) {
3172 /* read access is always possible with a mapping */
3173 u32 av = FILE__READ;
3174
3175 /* write access only matters if the mapping is shared */
3176 if (shared && (prot & PROT_WRITE))
3177 av |= FILE__WRITE;
3178
3179 if (prot & PROT_EXEC)
3180 av |= FILE__EXECUTE;
3181
88e67f3b 3182 return file_has_perm(cred, file, av);
1da177e4 3183 }
d84f4f99
DH		 3184
3185error:
3186 return rc;
1da177e4
LT		 3187}
3188
e5467859 3189static int selinux_mmap_addr(unsigned long addr)
1da177e4 3190{
ed032189 3191 int rc = 0;
275bb41e 3192 u32 sid = current_sid();
1da177e4 3193
84336d1a
EP		 3194 /*
3195 * notice that we are intentionally putting the SELinux check before
3196 * the secondary cap_file_mmap check. This is such a likely attempt
3197 * at bad behaviour/exploit that we always want to get the AVC, even
3198 * if DAC would have also denied the operation.
3199 */
a2551df7 3200 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
ed032189
EP		 3201 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3202 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3203 if (rc)
3204 return rc;
3205 }
3206
3207 /* do DAC check on address space usage */
e5467859
AV		 3208 return cap_mmap_addr(addr);
3209}
1da177e4 3210
e5467859
AV		 3211static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3212 unsigned long prot, unsigned long flags)
3213{
1da177e4
LT		 3214 if (selinux_checkreqprot)
3215 prot = reqprot;
3216
3217 return file_map_prot_check(file, prot,
3218 (flags & MAP_TYPE) == MAP_SHARED);
3219}
3220
3221static int selinux_file_mprotect(struct vm_area_struct *vma,
3222 unsigned long reqprot,
3223 unsigned long prot)
3224{
88e67f3b 3225 const struct cred *cred = current_cred();
1da177e4
LT		 3226
3227 if (selinux_checkreqprot)
3228 prot = reqprot;
3229
fcaaade1
SS		 3230 if (default_noexec &&
3231 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3232 int rc = 0;
db4c9641
SS		 3233 if (vma->vm_start >= vma->vm_mm->start_brk &&
3234 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3235 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641
SS		 3236 } else if (!vma->vm_file &&
3237 vma->vm_start <= vma->vm_mm->start_stack &&
3238 vma->vm_end >= vma->vm_mm->start_stack) {
3b11a1de 3239 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3240 } else if (vma->vm_file && vma->anon_vma) {
3241 /*
3242 * We are making executable a file mapping that has
3243 * had some COW done. Since pages might have been
3244 * written, check ability to execute the possibly
3245 * modified content. This typically should only
3246 * occur for text relocations.
3247 */
d84f4f99 3248 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3249 }