]> Git Repo - linux.git/blame - security/selinux/hooks.c
projects / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
VFS: net/: d_inode() annotations
[linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <[email protected]>
828dfe1d
EP		 7 * Chris Vance, <[email protected]>
8 * Wayne Salamon, <[email protected]>
9 * James Morris <[email protected]>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <[email protected]>
13 * Eric Paris <[email protected]>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <[email protected]>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <[email protected]>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <[email protected]>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4 26#include <linux/init.h>
0b24dcb7 27#include <linux/kd.h>
1da177e4 28#include <linux/kernel.h>
0d094efe 29#include <linux/tracehook.h>
1da177e4
LT		 30#include <linux/errno.h>
31#include <linux/sched.h>
32#include <linux/security.h>
33#include <linux/xattr.h>
34#include <linux/capability.h>
35#include <linux/unistd.h>
36#include <linux/mm.h>
37#include <linux/mman.h>
38#include <linux/slab.h>
39#include <linux/pagemap.h>
0b24dcb7 40#include <linux/proc_fs.h>
1da177e4 41#include <linux/swap.h>
1da177e4
LT		 42#include <linux/spinlock.h>
43#include <linux/syscalls.h>
2a7dba39 44#include <linux/dcache.h>
1da177e4 45#include <linux/file.h>
9f3acc31 46#include <linux/fdtable.h>
1da177e4
LT		 47#include <linux/namei.h>
48#include <linux/mount.h>
1da177e4
LT		 49#include <linux/netfilter_ipv4.h>
50#include <linux/netfilter_ipv6.h>
51#include <linux/tty.h>
52#include <net/icmp.h>
227b60f5 53#include <net/ip.h> /* for local_port_range[] */
1da177e4 54#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 55#include <net/inet_connection_sock.h>
220deb96 56#include <net/net_namespace.h>
d621d35e 57#include <net/netlabel.h>
f5269710 58#include <linux/uaccess.h>
1da177e4 59#include <asm/ioctls.h>
60063497 60#include <linux/atomic.h>
1da177e4
LT		 61#include <linux/bitops.h>
62#include <linux/interrupt.h>
63#include <linux/netdevice.h> /* for network interface checks */
77954983 64#include <net/netlink.h>
1da177e4
LT		 65#include <linux/tcp.h>
66#include <linux/udp.h>
2ee92d46 67#include <linux/dccp.h>
1da177e4
LT		 68#include <linux/quota.h>
69#include <linux/un.h> /* for Unix socket types */
70#include <net/af_unix.h> /* for Unix socket types */
71#include <linux/parser.h>
72#include <linux/nfs_mount.h>
73#include <net/ipv6.h>
74#include <linux/hugetlb.h>
75#include <linux/personality.h>
1da177e4 76#include <linux/audit.h>
6931dfc9 77#include <linux/string.h>
877ce7c1 78#include <linux/selinux.h>
23970741 79#include <linux/mutex.h>
f06febc9 80#include <linux/posix-timers.h>
00234592 81#include <linux/syslog.h>
3486740a 82#include <linux/user_namespace.h>
44fc7ea0 83#include <linux/export.h>
40401530
AV		 84#include <linux/msg.h>
85#include <linux/shm.h>
1da177e4
LT		 86
87#include "avc.h"
88#include "objsec.h"
89#include "netif.h"
224dfbd8 90#include "netnode.h"
3e112172 91#include "netport.h"
d28d1e08 92#include "xfrm.h"
c60475bf 93#include "netlabel.h"
9d57a7f9 94#include "audit.h"
7b98a585 95#include "avc_ss.h"
1da177e4 96
d621d35e 97/* SECMARK reference count */
56a4ca99 98static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 99
1da177e4 100#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 101int selinux_enforcing;
1da177e4
LT		 102
103static int __init enforcing_setup(char *str)
104{
f5269710 105 unsigned long enforcing;
29707b20 106 if (!kstrtoul(str, 0, &enforcing))
f5269710 107 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 108 return 1;
109}
110__setup("enforcing=", enforcing_setup);
111#endif
112
113#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116static int __init selinux_enabled_setup(char *str)
117{
f5269710 118 unsigned long enabled;
29707b20 119 if (!kstrtoul(str, 0, &enabled))
f5269710 120 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 121 return 1;
122}
123__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 124#else
125int selinux_enabled = 1;
1da177e4
LT		 126#endif
127
e18b890b 128static struct kmem_cache *sel_inode_cache;
7cae7e26 129
d621d35e
PM		 130/**
131 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
132 *
133 * Description:
134 * This function checks the SECMARK reference counter to see if any SECMARK
135 * targets are currently configured, if the reference counter is greater than
136 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 137 * enabled, false (0) if SECMARK is disabled. If the always_check_network
138 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 139 *
140 */
141static int selinux_secmark_enabled(void)
142{
2be4d74f
CP		 143 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
144}
145
146/**
147 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
148 *
149 * Description:
150 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
151 * (1) if any are enabled or false (0) if neither are enabled. If the
152 * always_check_network policy capability is enabled, peer labeling
153 * is always considered enabled.
154 *
155 */
156static int selinux_peerlbl_enabled(void)
157{
158 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 159}
160
615e51fd
PM		 161static int selinux_netcache_avc_callback(u32 event)
162{
163 if (event == AVC_CALLBACK_RESET) {
164 sel_netif_flush();
165 sel_netnode_flush();
166 sel_netport_flush();
167 synchronize_net();
168 }
169 return 0;
170}
171
d84f4f99
DH		 172/*
173 * initialise the security for the init task
174 */
175static void cred_init_security(void)
1da177e4 176{
3b11a1de 177 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 178 struct task_security_struct *tsec;
179
89d155ef 180 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 181 if (!tsec)
d84f4f99 182 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 183
d84f4f99 184 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 185 cred->security = tsec;
1da177e4
LT		 186}
187
88e67f3b
DH		 188/*
189 * get the security ID of a set of credentials
190 */
191static inline u32 cred_sid(const struct cred *cred)
192{
193 const struct task_security_struct *tsec;
194
195 tsec = cred->security;
196 return tsec->sid;
197}
198
275bb41e 199/*
3b11a1de 200 * get the objective security ID of a task
275bb41e
DH		 201 */
202static inline u32 task_sid(const struct task_struct *task)
203{
275bb41e
DH		 204 u32 sid;
205
206 rcu_read_lock();
88e67f3b 207 sid = cred_sid(__task_cred(task));
275bb41e
DH		 208 rcu_read_unlock();
209 return sid;
210}
211
212/*
3b11a1de 213 * get the subjective security ID of the current task
275bb41e
DH		 214 */
215static inline u32 current_sid(void)
216{
5fb49870 217 const struct task_security_struct *tsec = current_security();
275bb41e
DH		 218
219 return tsec->sid;
220}
221
88e67f3b
DH		 222/* Allocate and free functions for each kind of security blob. */
223
1da177e4
LT		 224static int inode_alloc_security(struct inode *inode)
225{
1da177e4 226 struct inode_security_struct *isec;
275bb41e 227 u32 sid = current_sid();
1da177e4 228
a02fe132 229 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 230 if (!isec)
231 return -ENOMEM;
232
23970741 233 mutex_init(&isec->lock);
1da177e4 234 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 235 isec->inode = inode;
236 isec->sid = SECINITSID_UNLABELED;
237 isec->sclass = SECCLASS_FILE;
275bb41e 238 isec->task_sid = sid;
1da177e4
LT		 239 inode->i_security = isec;
240
241 return 0;
242}
243
3dc91d43
SR		 244static void inode_free_rcu(struct rcu_head *head)
245{
246 struct inode_security_struct *isec;
247
248 isec = container_of(head, struct inode_security_struct, rcu);
249 kmem_cache_free(sel_inode_cache, isec);
250}
251
1da177e4
LT		 252static void inode_free_security(struct inode *inode)
253{
254 struct inode_security_struct *isec = inode->i_security;
255 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
256
1da177e4
LT		 257 spin_lock(&sbsec->isec_lock);
258 if (!list_empty(&isec->list))
259 list_del_init(&isec->list);
260 spin_unlock(&sbsec->isec_lock);
261
3dc91d43
SR		 262 /*
263 * The inode may still be referenced in a path walk and
264 * a call to selinux_inode_permission() can be made
265 * after inode_free_security() is called. Ideally, the VFS
266 * wouldn't do this, but fixing that is a much harder
267 * job. For now, simply free the i_security via RCU, and
268 * leave the current inode->i_security pointer intact.
269 * The inode will be freed after the RCU grace period too.
270 */
271 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 272}
273
274static int file_alloc_security(struct file *file)
275{
1da177e4 276 struct file_security_struct *fsec;
275bb41e 277 u32 sid = current_sid();
1da177e4 278
26d2a4be 279 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 280 if (!fsec)
281 return -ENOMEM;
282
275bb41e
DH		 283 fsec->sid = sid;
284 fsec->fown_sid = sid;
1da177e4
LT		 285 file->f_security = fsec;
286
287 return 0;
288}
289
290static void file_free_security(struct file *file)
291{
292 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 293 file->f_security = NULL;
294 kfree(fsec);
295}
296
297static int superblock_alloc_security(struct super_block *sb)
298{
299 struct superblock_security_struct *sbsec;
300
89d155ef 301 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 302 if (!sbsec)
303 return -ENOMEM;
304
bc7e982b 305 mutex_init(&sbsec->lock);
1da177e4
LT		 306 INIT_LIST_HEAD(&sbsec->isec_head);
307 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 308 sbsec->sb = sb;
309 sbsec->sid = SECINITSID_UNLABELED;
310 sbsec->def_sid = SECINITSID_FILE;
c312feb2 311 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 312 sb->s_security = sbsec;
313
314 return 0;
315}
316
317static void superblock_free_security(struct super_block *sb)
318{
319 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 320 sb->s_security = NULL;
321 kfree(sbsec);
322}
323
1da177e4
LT		 324/* The file system's label must be initialized prior to use. */
325
eb9ae686 326static const char *labeling_behaviors[7] = {
1da177e4
LT		 327 "uses xattr",
328 "uses transition SIDs",
329 "uses task SIDs",
330 "uses genfs_contexts",
331 "not configured for labeling",
332 "uses mountpoint labeling",
eb9ae686 333 "uses native labeling",
1da177e4
LT		 334};
335
336static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
337
338static inline int inode_doinit(struct inode *inode)
339{
340 return inode_doinit_with_dentry(inode, NULL);
341}
342
343enum {
31e87930 344 Opt_error = -1,
1da177e4
LT		 345 Opt_context = 1,
346 Opt_fscontext = 2,
c9180a57
EP		 347 Opt_defcontext = 3,
348 Opt_rootcontext = 4,
11689d47 349 Opt_labelsupport = 5,
d355987f 350 Opt_nextmntopt = 6,
1da177e4
LT		 351};
352
d355987f
EP		 353#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
354
a447c093 355static const match_table_t tokens = {
832cbd9a
EP		 356 {Opt_context, CONTEXT_STR "%s"},
357 {Opt_fscontext, FSCONTEXT_STR "%s"},
358 {Opt_defcontext, DEFCONTEXT_STR "%s"},
359 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 360 {Opt_labelsupport, LABELSUPP_STR},
31e87930 361 {Opt_error, NULL},
1da177e4
LT		 362};
363
364#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
365
c312feb2
EP		 366static int may_context_mount_sb_relabel(u32 sid,
367 struct superblock_security_struct *sbsec,
275bb41e 368 const struct cred *cred)
c312feb2 369{
275bb41e 370 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 371 int rc;
372
373 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
374 FILESYSTEM__RELABELFROM, NULL);
375 if (rc)
376 return rc;
377
378 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
379 FILESYSTEM__RELABELTO, NULL);
380 return rc;
381}
382
0808925e
EP		 383static int may_context_mount_inode_relabel(u32 sid,
384 struct superblock_security_struct *sbsec,
275bb41e 385 const struct cred *cred)
0808925e 386{
275bb41e 387 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 388 int rc;
389 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
390 FILESYSTEM__RELABELFROM, NULL);
391 if (rc)
392 return rc;
393
394 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
395 FILESYSTEM__ASSOCIATE, NULL);
396 return rc;
397}
398
b43e725d
EP		 399static int selinux_is_sblabel_mnt(struct super_block *sb)
400{
401 struct superblock_security_struct *sbsec = sb->s_security;
402
d5f3a5f6
MS		 403 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
404 sbsec->behavior == SECURITY_FS_USE_TRANS ||
405 sbsec->behavior == SECURITY_FS_USE_TASK ||
406 /* Special handling. Genfs but also in-core setxattr handler */
407 !strcmp(sb->s_type->name, "sysfs") ||
408 !strcmp(sb->s_type->name, "pstore") ||
409 !strcmp(sb->s_type->name, "debugfs") ||
410 !strcmp(sb->s_type->name, "rootfs");
b43e725d
EP		 411}
412
c9180a57 413static int sb_finish_set_opts(struct super_block *sb)
1da177e4 414{
1da177e4 415 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 416 struct dentry *root = sb->s_root;
417 struct inode *root_inode = root->d_inode;
418 int rc = 0;
1da177e4 419
c9180a57
EP		 420 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
421 /* Make sure that the xattr handler exists and that no
422 error other than -ENODATA is returned by getxattr on
423 the root directory. -ENODATA is ok, as this may be
424 the first boot of the SELinux kernel before we have
425 assigned xattr values to the filesystem. */
426 if (!root_inode->i_op->getxattr) {
29b1deb2
LT		 427 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
428 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 429 rc = -EOPNOTSUPP;
430 goto out;
431 }
432 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
433 if (rc < 0 && rc != -ENODATA) {
434 if (rc == -EOPNOTSUPP)
435 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 436 "%s) has no security xattr handler\n",
437 sb->s_id, sb->s_type->name);
c9180a57
EP		 438 else
439 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 440 "%s) getxattr errno %d\n", sb->s_id,
441 sb->s_type->name, -rc);
c9180a57
EP		 442 goto out;
443 }
444 }
1da177e4 445
c9180a57 446 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
29b1deb2
LT		 447 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
448 sb->s_id, sb->s_type->name);
1da177e4 449
eadcabc6 450 sbsec->flags |= SE_SBINITIALIZED;
b43e725d 451 if (selinux_is_sblabel_mnt(sb))
12f348b9 452 sbsec->flags |= SBLABEL_MNT;
ddd29ec6 453
c9180a57
EP		 454 /* Initialize the root inode. */
455 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 456
c9180a57
EP		 457 /* Initialize any other inodes associated with the superblock, e.g.
458 inodes created prior to initial policy load or inodes created
459 during get_sb by a pseudo filesystem that directly
460 populates itself. */
461 spin_lock(&sbsec->isec_lock);
462next_inode:
463 if (!list_empty(&sbsec->isec_head)) {
464 struct inode_security_struct *isec =
465 list_entry(sbsec->isec_head.next,
466 struct inode_security_struct, list);
467 struct inode *inode = isec->inode;
923190d3 468 list_del_init(&isec->list);
c9180a57
EP		 469 spin_unlock(&sbsec->isec_lock);
470 inode = igrab(inode);
471 if (inode) {
472 if (!IS_PRIVATE(inode))
473 inode_doinit(inode);
474 iput(inode);
475 }
476 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 477 goto next_inode;
478 }
479 spin_unlock(&sbsec->isec_lock);
480out:
481 return rc;
482}
1da177e4 483
c9180a57
EP		 484/*
485 * This function should allow an FS to ask what it's mount security
486 * options were so it can use those later for submounts, displaying
487 * mount options, or whatever.
488 */
489static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 490 struct security_mnt_opts *opts)
c9180a57
EP		 491{
492 int rc = 0, i;
493 struct superblock_security_struct *sbsec = sb->s_security;
494 char *context = NULL;
495 u32 len;
496 char tmp;
1da177e4 497
e0007529 498 security_init_mnt_opts(opts);
1da177e4 499
0d90a7ec 500 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 501 return -EINVAL;
1da177e4 502
c9180a57
EP		 503 if (!ss_initialized)
504 return -EINVAL;
1da177e4 505
af8e50cc
EP		 506 /* make sure we always check enough bits to cover the mask */
507 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
508
0d90a7ec 509 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 510 /* count the number of mount options for this sb */
af8e50cc 511 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 512 if (tmp & 0x01)
e0007529 513 opts->num_mnt_opts++;
c9180a57
EP		 514 tmp >>= 1;
515 }
11689d47 516 /* Check if the Label support flag is set */
0b4bdb35 517 if (sbsec->flags & SBLABEL_MNT)
11689d47 518 opts->num_mnt_opts++;
1da177e4 519
e0007529
EP		 520 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
521 if (!opts->mnt_opts) {
c9180a57
EP		 522 rc = -ENOMEM;
523 goto out_free;
524 }
1da177e4 525
e0007529
EP		 526 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
527 if (!opts->mnt_opts_flags) {
c9180a57
EP		 528 rc = -ENOMEM;
529 goto out_free;
530 }
1da177e4 531
c9180a57
EP		 532 i = 0;
533 if (sbsec->flags & FSCONTEXT_MNT) {
534 rc = security_sid_to_context(sbsec->sid, &context, &len);
535 if (rc)
536 goto out_free;
e0007529
EP		 537 opts->mnt_opts[i] = context;
538 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 539 }
540 if (sbsec->flags & CONTEXT_MNT) {
541 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
542 if (rc)
543 goto out_free;
e0007529
EP		 544 opts->mnt_opts[i] = context;
545 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 546 }
547 if (sbsec->flags & DEFCONTEXT_MNT) {
548 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
549 if (rc)
550 goto out_free;
e0007529
EP		 551 opts->mnt_opts[i] = context;
552 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 553 }
554 if (sbsec->flags & ROOTCONTEXT_MNT) {
555 struct inode *root = sbsec->sb->s_root->d_inode;
556 struct inode_security_struct *isec = root->i_security;
0808925e 557
c9180a57
EP		 558 rc = security_sid_to_context(isec->sid, &context, &len);
559 if (rc)
560 goto out_free;
e0007529
EP		 561 opts->mnt_opts[i] = context;
562 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 563 }
12f348b9 564 if (sbsec->flags & SBLABEL_MNT) {
11689d47 565 opts->mnt_opts[i] = NULL;
12f348b9 566 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 567 }
1da177e4 568
e0007529 569 BUG_ON(i != opts->num_mnt_opts);
1da177e4 570
c9180a57
EP		 571 return 0;
572
573out_free:
e0007529 574 security_free_mnt_opts(opts);
c9180a57
EP		 575 return rc;
576}
1da177e4 577
c9180a57
EP		 578static int bad_option(struct superblock_security_struct *sbsec, char flag,
579 u32 old_sid, u32 new_sid)
580{
0d90a7ec
DQ		 581 char mnt_flags = sbsec->flags & SE_MNTMASK;
582
c9180a57 583 /* check if the old mount command had the same options */
0d90a7ec 584 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 585 if (!(sbsec->flags & flag) ||
586 (old_sid != new_sid))
587 return 1;
588
589 /* check if we were passed the same options twice,
590 * aka someone passed context=a,context=b
591 */
0d90a7ec
DQ		 592 if (!(sbsec->flags & SE_SBINITIALIZED))
593 if (mnt_flags & flag)
c9180a57
EP		 594 return 1;
595 return 0;
596}
e0007529 597
c9180a57
EP		 598/*
599 * Allow filesystems with binary mount data to explicitly set mount point
600 * labeling information.
601 */
e0007529 602static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 603 struct security_mnt_opts *opts,
604 unsigned long kern_flags,
605 unsigned long *set_kern_flags)
c9180a57 606{
275bb41e 607 const struct cred *cred = current_cred();
c9180a57 608 int rc = 0, i;
c9180a57 609 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 610 const char *name = sb->s_type->name;
089be43e
JM		 611 struct inode *inode = sbsec->sb->s_root->d_inode;
612 struct inode_security_struct *root_isec = inode->i_security;
c9180a57
EP		 613 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
614 u32 defcontext_sid = 0;
e0007529
EP		 615 char **mount_options = opts->mnt_opts;
616 int *flags = opts->mnt_opts_flags;
617 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 618
619 mutex_lock(&sbsec->lock);
620
621 if (!ss_initialized) {
622 if (!num_opts) {
623 /* Defer initialization until selinux_complete_init,
624 after the initial policy is loaded and the security
625 server is ready to handle calls. */
c9180a57
EP		 626 goto out;
627 }
628 rc = -EINVAL;
744ba35e
EP		 629 printk(KERN_WARNING "SELinux: Unable to set superblock options "
630 "before the security server is initialized\n");
1da177e4 631 goto out;
c9180a57 632 }
649f6e77
DQ		 633 if (kern_flags && !set_kern_flags) {
634 /* Specifying internal flags without providing a place to
635 * place the results is not allowed */
636 rc = -EINVAL;
637 goto out;
638 }
1da177e4 639
e0007529
EP		 640 /*
641 * Binary mount data FS will come through this function twice. Once
642 * from an explicit call and once from the generic calls from the vfs.
643 * Since the generic VFS calls will not contain any security mount data
644 * we need to skip the double mount verification.
645 *
646 * This does open a hole in which we will not notice if the first
647 * mount using this sb set explict options and a second mount using
648 * this sb does not set any security options. (The first options
649 * will be used for both mounts)
650 */
0d90a7ec 651 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 652 && (num_opts == 0))
f5269710 653 goto out;
e0007529 654
c9180a57
EP		 655 /*
656 * parse the mount options, check if they are valid sids.
657 * also check if someone is trying to mount the same sb more
658 * than once with different security options.
659 */
660 for (i = 0; i < num_opts; i++) {
661 u32 sid;
11689d47 662
12f348b9 663 if (flags[i] == SBLABEL_MNT)
11689d47 664 continue;
c9180a57 665 rc = security_context_to_sid(mount_options[i],
52a4c640 666 strlen(mount_options[i]), &sid, GFP_KERNEL);
1da177e4
LT		 667 if (rc) {
668 printk(KERN_WARNING "SELinux: security_context_to_sid"
29b1deb2
LT		 669 "(%s) failed for (dev %s, type %s) errno=%d\n",
670 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 671 goto out;
672 }
673 switch (flags[i]) {
674 case FSCONTEXT_MNT:
675 fscontext_sid = sid;
676
677 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
678 fscontext_sid))
679 goto out_double_mount;
680
681 sbsec->flags |= FSCONTEXT_MNT;
682 break;
683 case CONTEXT_MNT:
684 context_sid = sid;
685
686 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
687 context_sid))
688 goto out_double_mount;
689
690 sbsec->flags |= CONTEXT_MNT;
691 break;
692 case ROOTCONTEXT_MNT:
693 rootcontext_sid = sid;
694
695 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
696 rootcontext_sid))
697 goto out_double_mount;
698
699 sbsec->flags |= ROOTCONTEXT_MNT;
700
701 break;
702 case DEFCONTEXT_MNT:
703 defcontext_sid = sid;
704
705 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
706 defcontext_sid))
707 goto out_double_mount;
708
709 sbsec->flags |= DEFCONTEXT_MNT;
710
711 break;
712 default:
713 rc = -EINVAL;
714 goto out;
1da177e4 715 }
c9180a57
EP		 716 }
717
0d90a7ec 718 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 719 /* previously mounted with options, but not on this attempt? */
0d90a7ec 720 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 721 goto out_double_mount;
722 rc = 0;
723 goto out;
724 }
725
089be43e 726 if (strcmp(sb->s_type->name, "proc") == 0)
0d90a7ec 727 sbsec->flags |= SE_SBPROC;
c9180a57 728
eb9ae686
DQ		 729 if (!sbsec->behavior) {
730 /*
731 * Determine the labeling behavior to use for this
732 * filesystem type.
733 */
98f700f3 734 rc = security_fs_use(sb);
eb9ae686
DQ		 735 if (rc) {
736 printk(KERN_WARNING
737 "%s: security_fs_use(%s) returned %d\n",
738 __func__, sb->s_type->name, rc);
739 goto out;
740 }
c9180a57 741 }
c9180a57
EP		 742 /* sets the context of the superblock for the fs being mounted. */
743 if (fscontext_sid) {
275bb41e 744 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 745 if (rc)
c9180a57 746 goto out;
1da177e4 747
c9180a57 748 sbsec->sid = fscontext_sid;
c312feb2
EP		 749 }
750
751 /*
752 * Switch to using mount point labeling behavior.
753 * sets the label used on all file below the mountpoint, and will set
754 * the superblock context if not already set.
755 */
eb9ae686
DQ		 756 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
757 sbsec->behavior = SECURITY_FS_USE_NATIVE;
758 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
759 }
760
c9180a57
EP		 761 if (context_sid) {
762 if (!fscontext_sid) {
275bb41e
DH		 763 rc = may_context_mount_sb_relabel(context_sid, sbsec,
764 cred);
b04ea3ce 765 if (rc)
c9180a57
EP		 766 goto out;
767 sbsec->sid = context_sid;
b04ea3ce 768 } else {
275bb41e
DH		 769 rc = may_context_mount_inode_relabel(context_sid, sbsec,
770 cred);
b04ea3ce 771 if (rc)
c9180a57 772 goto out;
b04ea3ce 773 }
c9180a57
EP		 774 if (!rootcontext_sid)
775 rootcontext_sid = context_sid;
1da177e4 776
c9180a57 777 sbsec->mntpoint_sid = context_sid;
c312feb2 778 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 779 }
780
c9180a57 781 if (rootcontext_sid) {
275bb41e
DH		 782 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
783 cred);
0808925e 784 if (rc)
c9180a57 785 goto out;
0808925e 786
c9180a57
EP		 787 root_isec->sid = rootcontext_sid;
788 root_isec->initialized = 1;
0808925e
EP		 789 }
790
c9180a57 791 if (defcontext_sid) {
eb9ae686
DQ		 792 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
793 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 794 rc = -EINVAL;
795 printk(KERN_WARNING "SELinux: defcontext option is "
796 "invalid for this filesystem type\n");
797 goto out;
1da177e4
LT		 798 }
799
c9180a57
EP		 800 if (defcontext_sid != sbsec->def_sid) {
801 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 802 sbsec, cred);
c9180a57
EP		 803 if (rc)
804 goto out;
805 }
1da177e4 806
c9180a57 807 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 808 }
809
c9180a57 810 rc = sb_finish_set_opts(sb);
1da177e4 811out:
c9180a57 812 mutex_unlock(&sbsec->lock);
1da177e4 813 return rc;
c9180a57
EP		 814out_double_mount:
815 rc = -EINVAL;
816 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 817 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 818 goto out;
1da177e4
LT		 819}
820
094f7b69
JL		 821static int selinux_cmp_sb_context(const struct super_block *oldsb,
822 const struct super_block *newsb)
823{
824 struct superblock_security_struct *old = oldsb->s_security;
825 struct superblock_security_struct *new = newsb->s_security;
826 char oldflags = old->flags & SE_MNTMASK;
827 char newflags = new->flags & SE_MNTMASK;
828
829 if (oldflags != newflags)
830 goto mismatch;
831 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
832 goto mismatch;
833 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
834 goto mismatch;
835 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
836 goto mismatch;
837 if (oldflags & ROOTCONTEXT_MNT) {
838 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
839 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
840 if (oldroot->sid != newroot->sid)
841 goto mismatch;
842 }
843 return 0;
844mismatch:
845 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
846 "different security settings for (dev %s, "
847 "type %s)\n", newsb->s_id, newsb->s_type->name);
848 return -EBUSY;
849}
850
851static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
c9180a57 852 struct super_block *newsb)
1da177e4 853{
c9180a57
EP		 854 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
855 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 856
c9180a57
EP		 857 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
858 int set_context = (oldsbsec->flags & CONTEXT_MNT);
859 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 860
0f5e6420
EP		 861 /*
862 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 863 * mount options. thus we can safely deal with this superblock later
0f5e6420 864 */
e8c26255 865 if (!ss_initialized)
094f7b69 866 return 0;
c9180a57 867
c9180a57 868 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 869 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 870
094f7b69 871 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 872 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 873 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 874
c9180a57
EP		 875 mutex_lock(&newsbsec->lock);
876
877 newsbsec->flags = oldsbsec->flags;
878
879 newsbsec->sid = oldsbsec->sid;
880 newsbsec->def_sid = oldsbsec->def_sid;
881 newsbsec->behavior = oldsbsec->behavior;
882
883 if (set_context) {
884 u32 sid = oldsbsec->mntpoint_sid;
885
886 if (!set_fscontext)
887 newsbsec->sid = sid;
888 if (!set_rootcontext) {
889 struct inode *newinode = newsb->s_root->d_inode;
890 struct inode_security_struct *newisec = newinode->i_security;
891 newisec->sid = sid;
892 }
893 newsbsec->mntpoint_sid = sid;
1da177e4 894 }
c9180a57
EP		 895 if (set_rootcontext) {
896 const struct inode *oldinode = oldsb->s_root->d_inode;
897 const struct inode_security_struct *oldisec = oldinode->i_security;
898 struct inode *newinode = newsb->s_root->d_inode;
899 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 900
c9180a57 901 newisec->sid = oldisec->sid;
1da177e4
LT		 902 }
903
c9180a57
EP		 904 sb_finish_set_opts(newsb);
905 mutex_unlock(&newsbsec->lock);
094f7b69 906 return 0;
c9180a57
EP		 907}
908
2e1479d9
AB		 909static int selinux_parse_opts_str(char *options,
910 struct security_mnt_opts *opts)
c9180a57 911{
e0007529 912 char *p;
c9180a57
EP		 913 char *context = NULL, *defcontext = NULL;
914 char *fscontext = NULL, *rootcontext = NULL;
e0007529 915 int rc, num_mnt_opts = 0;
1da177e4 916
e0007529 917 opts->num_mnt_opts = 0;
1da177e4 918
c9180a57
EP		 919 /* Standard string-based options. */
920 while ((p = strsep(&options, "|")) != NULL) {
921 int token;
922 substring_t args[MAX_OPT_ARGS];
1da177e4 923
c9180a57
EP		 924 if (!*p)
925 continue;
1da177e4 926
c9180a57 927 token = match_token(p, tokens, args);
1da177e4 928
c9180a57
EP		 929 switch (token) {
930 case Opt_context:
931 if (context || defcontext) {
932 rc = -EINVAL;
933 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
934 goto out_err;
935 }
936 context = match_strdup(&args[0]);
937 if (!context) {
938 rc = -ENOMEM;
939 goto out_err;
940 }
941 break;
942
943 case Opt_fscontext:
944 if (fscontext) {
945 rc = -EINVAL;
946 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
947 goto out_err;
948 }
949 fscontext = match_strdup(&args[0]);
950 if (!fscontext) {
951 rc = -ENOMEM;
952 goto out_err;
953 }
954 break;
955
956 case Opt_rootcontext:
957 if (rootcontext) {
958 rc = -EINVAL;
959 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
960 goto out_err;
961 }
962 rootcontext = match_strdup(&args[0]);
963 if (!rootcontext) {
964 rc = -ENOMEM;
965 goto out_err;
966 }
967 break;
968
969 case Opt_defcontext:
970 if (context || defcontext) {
971 rc = -EINVAL;
972 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
973 goto out_err;
974 }
975 defcontext = match_strdup(&args[0]);
976 if (!defcontext) {
977 rc = -ENOMEM;
978 goto out_err;
979 }
980 break;
11689d47
DQ		 981 case Opt_labelsupport:
982 break;
c9180a57
EP		 983 default:
984 rc = -EINVAL;
985 printk(KERN_WARNING "SELinux: unknown mount option\n");
986 goto out_err;
1da177e4 987
1da177e4 988 }
1da177e4 989 }
c9180a57 990
e0007529
EP		 991 rc = -ENOMEM;
992 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
993 if (!opts->mnt_opts)
994 goto out_err;
995
996 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
997 if (!opts->mnt_opts_flags) {
998 kfree(opts->mnt_opts);
999 goto out_err;
1000 }
1001
c9180a57 1002 if (fscontext) {
e0007529
EP		 1003 opts->mnt_opts[num_mnt_opts] = fscontext;
1004 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1005 }
1006 if (context) {
e0007529
EP		 1007 opts->mnt_opts[num_mnt_opts] = context;
1008 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1009 }
1010 if (rootcontext) {
e0007529
EP		 1011 opts->mnt_opts[num_mnt_opts] = rootcontext;
1012 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1013 }
1014 if (defcontext) {
e0007529
EP		 1015 opts->mnt_opts[num_mnt_opts] = defcontext;
1016 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1017 }
1018
e0007529
EP		 1019 opts->num_mnt_opts = num_mnt_opts;
1020 return 0;
1021
c9180a57
EP		 1022out_err:
1023 kfree(context);
1024 kfree(defcontext);
1025 kfree(fscontext);
1026 kfree(rootcontext);
1da177e4
LT		 1027 return rc;
1028}
e0007529
EP		 1029/*
1030 * string mount options parsing and call set the sbsec
1031 */
1032static int superblock_doinit(struct super_block *sb, void *data)
1033{
1034 int rc = 0;
1035 char *options = data;
1036 struct security_mnt_opts opts;
1037
1038 security_init_mnt_opts(&opts);
1039
1040 if (!data)
1041 goto out;
1042
1043 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1044
1045 rc = selinux_parse_opts_str(options, &opts);
1046 if (rc)
1047 goto out_err;
1048
1049out:
649f6e77 1050 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1051
1052out_err:
1053 security_free_mnt_opts(&opts);
1054 return rc;
1055}
1da177e4 1056
3583a711
AB		 1057static void selinux_write_opts(struct seq_file *m,
1058 struct security_mnt_opts *opts)
2069f457
EP		 1059{
1060 int i;
1061 char *prefix;
1062
1063 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1064 char *has_comma;
1065
1066 if (opts->mnt_opts[i])
1067 has_comma = strchr(opts->mnt_opts[i], ',');
1068 else
1069 has_comma = NULL;
2069f457
EP		 1070
1071 switch (opts->mnt_opts_flags[i]) {
1072 case CONTEXT_MNT:
1073 prefix = CONTEXT_STR;
1074 break;
1075 case FSCONTEXT_MNT:
1076 prefix = FSCONTEXT_STR;
1077 break;
1078 case ROOTCONTEXT_MNT:
1079 prefix = ROOTCONTEXT_STR;
1080 break;
1081 case DEFCONTEXT_MNT:
1082 prefix = DEFCONTEXT_STR;
1083 break;
12f348b9 1084 case SBLABEL_MNT:
11689d47
DQ		 1085 seq_putc(m, ',');
1086 seq_puts(m, LABELSUPP_STR);
1087 continue;
2069f457
EP		 1088 default:
1089 BUG();
a35c6c83 1090 return;
2069f457
EP		 1091 };
1092 /* we need a comma before each option */
1093 seq_putc(m, ',');
1094 seq_puts(m, prefix);
1095 if (has_comma)
1096 seq_putc(m, '\"');
1097 seq_puts(m, opts->mnt_opts[i]);
1098 if (has_comma)
1099 seq_putc(m, '\"');
1100 }
1101}
1102
1103static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1104{
1105 struct security_mnt_opts opts;
1106 int rc;
1107
1108 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1109 if (rc) {
1110 /* before policy load we may get EINVAL, don't show anything */
1111 if (rc == -EINVAL)
1112 rc = 0;
2069f457 1113 return rc;
383795c2 1114 }
2069f457
EP		 1115
1116 selinux_write_opts(m, &opts);
1117
1118 security_free_mnt_opts(&opts);
1119
1120 return rc;
1121}
1122
1da177e4
LT		 1123static inline u16 inode_mode_to_security_class(umode_t mode)
1124{
1125 switch (mode & S_IFMT) {
1126 case S_IFSOCK:
1127 return SECCLASS_SOCK_FILE;
1128 case S_IFLNK:
1129 return SECCLASS_LNK_FILE;
1130 case S_IFREG:
1131 return SECCLASS_FILE;
1132 case S_IFBLK:
1133 return SECCLASS_BLK_FILE;
1134 case S_IFDIR:
1135 return SECCLASS_DIR;
1136 case S_IFCHR:
1137 return SECCLASS_CHR_FILE;
1138 case S_IFIFO:
1139 return SECCLASS_FIFO_FILE;
1140
1141 }
1142
1143 return SECCLASS_FILE;
1144}
1145
13402580
JM		 1146static inline int default_protocol_stream(int protocol)
1147{
1148 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1149}
1150
1151static inline int default_protocol_dgram(int protocol)
1152{
1153 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1154}
1155
1da177e4
LT		 1156static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1157{
1158 switch (family) {
1159 case PF_UNIX:
1160 switch (type) {
1161 case SOCK_STREAM:
1162 case SOCK_SEQPACKET:
1163 return SECCLASS_UNIX_STREAM_SOCKET;
1164 case SOCK_DGRAM:
1165 return SECCLASS_UNIX_DGRAM_SOCKET;
1166 }
1167 break;
1168 case PF_INET:
1169 case PF_INET6:
1170 switch (type) {
1171 case SOCK_STREAM:
13402580
JM		 1172 if (default_protocol_stream(protocol))
1173 return SECCLASS_TCP_SOCKET;
1174 else
1175 return SECCLASS_RAWIP_SOCKET;
1da177e4 1176 case SOCK_DGRAM:
13402580
JM		 1177 if (default_protocol_dgram(protocol))
1178 return SECCLASS_UDP_SOCKET;
1179 else
1180 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1181 case SOCK_DCCP:
1182 return SECCLASS_DCCP_SOCKET;
13402580 1183 default:
1da177e4
LT		 1184 return SECCLASS_RAWIP_SOCKET;
1185 }
1186 break;
1187 case PF_NETLINK:
1188 switch (protocol) {
1189 case NETLINK_ROUTE:
1190 return SECCLASS_NETLINK_ROUTE_SOCKET;
1191 case NETLINK_FIREWALL:
1192 return SECCLASS_NETLINK_FIREWALL_SOCKET;
7f1fb60c 1193 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1194 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1195 case NETLINK_NFLOG:
1196 return SECCLASS_NETLINK_NFLOG_SOCKET;
1197 case NETLINK_XFRM:
1198 return SECCLASS_NETLINK_XFRM_SOCKET;
1199 case NETLINK_SELINUX:
1200 return SECCLASS_NETLINK_SELINUX_SOCKET;
1201 case NETLINK_AUDIT:
1202 return SECCLASS_NETLINK_AUDIT_SOCKET;
1203 case NETLINK_IP6_FW:
1204 return SECCLASS_NETLINK_IP6FW_SOCKET;
1205 case NETLINK_DNRTMSG:
1206 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1207 case NETLINK_KOBJECT_UEVENT:
1208 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1209 default:
1210 return SECCLASS_NETLINK_SOCKET;
1211 }
1212 case PF_PACKET:
1213 return SECCLASS_PACKET_SOCKET;
1214 case PF_KEY:
1215 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1216 case PF_APPLETALK:
1217 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1218 }
1219
1220 return SECCLASS_SOCKET;
1221}
1222
1223#ifdef CONFIG_PROC_FS
8e6c9693 1224static int selinux_proc_get_sid(struct dentry *dentry,
1da177e4
LT		 1225 u16 tclass,
1226 u32 *sid)
1227{
8e6c9693
LAG		 1228 int rc;
1229 char *buffer, *path;
1da177e4 1230
828dfe1d 1231 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1232 if (!buffer)
1233 return -ENOMEM;
1234
8e6c9693
LAG		 1235 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1236 if (IS_ERR(path))
1237 rc = PTR_ERR(path);
1238 else {
1239 /* each process gets a /proc/PID/ entry. Strip off the
1240 * PID part to get a valid selinux labeling.
1241 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1242 while (path[1] >= '0' && path[1] <= '9') {
1243 path[1] = '/';
1244 path++;
1245 }
1246 rc = security_genfs_sid("proc", path, tclass, sid);
1da177e4 1247 }
1da177e4
LT		 1248 free_page((unsigned long)buffer);
1249 return rc;
1250}
1251#else
8e6c9693 1252static int selinux_proc_get_sid(struct dentry *dentry,
1da177e4
LT		 1253 u16 tclass,
1254 u32 *sid)
1255{
1256 return -EINVAL;
1257}
1258#endif
1259
1260/* The inode's security attributes must be initialized before first use. */
1261static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1262{
1263 struct superblock_security_struct *sbsec = NULL;
1264 struct inode_security_struct *isec = inode->i_security;
1265 u32 sid;
1266 struct dentry *dentry;
1267#define INITCONTEXTLEN 255
1268 char *context = NULL;
1269 unsigned len = 0;
1270 int rc = 0;
1da177e4
LT		 1271
1272 if (isec->initialized)
1273 goto out;
1274
23970741 1275 mutex_lock(&isec->lock);
1da177e4 1276 if (isec->initialized)
23970741 1277 goto out_unlock;
1da177e4
LT		 1278
1279 sbsec = inode->i_sb->s_security;
0d90a7ec 1280 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1281 /* Defer initialization until selinux_complete_init,
1282 after the initial policy is loaded and the security
1283 server is ready to handle calls. */
1284 spin_lock(&sbsec->isec_lock);
1285 if (list_empty(&isec->list))
1286 list_add(&isec->list, &sbsec->isec_head);
1287 spin_unlock(&sbsec->isec_lock);
23970741 1288 goto out_unlock;
1da177e4
LT		 1289 }
1290
1291 switch (sbsec->behavior) {
eb9ae686
DQ		 1292 case SECURITY_FS_USE_NATIVE:
1293 break;
1da177e4
LT		 1294 case SECURITY_FS_USE_XATTR:
1295 if (!inode->i_op->getxattr) {
1296 isec->sid = sbsec->def_sid;
1297 break;
1298 }
1299
1300 /* Need a dentry, since the xattr API requires one.
1301 Life would be simpler if we could just pass the inode. */
1302 if (opt_dentry) {
1303 /* Called from d_instantiate or d_splice_alias. */
1304 dentry = dget(opt_dentry);
1305 } else {
1306 /* Called from selinux_complete_init, try to find a dentry. */
1307 dentry = d_find_alias(inode);
1308 }
1309 if (!dentry) {
df7f54c0
EP		 1310 /*
1311 * this is can be hit on boot when a file is accessed
1312 * before the policy is loaded. When we load policy we
1313 * may find inodes that have no dentry on the
1314 * sbsec->isec_head list. No reason to complain as these
1315 * will get fixed up the next time we go through
1316 * inode_doinit with a dentry, before these inodes could
1317 * be used again by userspace.
1318 */
23970741 1319 goto out_unlock;
1da177e4
LT		 1320 }
1321
1322 len = INITCONTEXTLEN;
4cb912f1 1323 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1324 if (!context) {
1325 rc = -ENOMEM;
1326 dput(dentry);
23970741 1327 goto out_unlock;
1da177e4 1328 }
4cb912f1 1329 context[len] = '\0';
1da177e4
LT		 1330 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1331 context, len);
1332 if (rc == -ERANGE) {
314dabb8
JM		 1333 kfree(context);
1334
1da177e4
LT		 1335 /* Need a larger buffer. Query for the right size. */
1336 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1337 NULL, 0);
1338 if (rc < 0) {
1339 dput(dentry);
23970741 1340 goto out_unlock;
1da177e4 1341 }
1da177e4 1342 len = rc;
4cb912f1 1343 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1344 if (!context) {
1345 rc = -ENOMEM;
1346 dput(dentry);
23970741 1347 goto out_unlock;
1da177e4 1348 }
4cb912f1 1349 context[len] = '\0';
1da177e4
LT		 1350 rc = inode->i_op->getxattr(dentry,
1351 XATTR_NAME_SELINUX,
1352 context, len);
1353 }
1354 dput(dentry);
1355 if (rc < 0) {
1356 if (rc != -ENODATA) {
744ba35e 1357 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1358 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1359 -rc, inode->i_sb->s_id, inode->i_ino);
1360 kfree(context);
23970741 1361 goto out_unlock;
1da177e4
LT		 1362 }
1363 /* Map ENODATA to the default file SID */
1364 sid = sbsec->def_sid;
1365 rc = 0;
1366 } else {
f5c1d5b2 1367 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1368 sbsec->def_sid,
1369 GFP_NOFS);
1da177e4 1370 if (rc) {
4ba0a8ad
EP		 1371 char *dev = inode->i_sb->s_id;
1372 unsigned long ino = inode->i_ino;
1373
1374 if (rc == -EINVAL) {
1375 if (printk_ratelimit())
1376 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1377 "context=%s. This indicates you may need to relabel the inode or the "
1378 "filesystem in question.\n", ino, dev, context);
1379 } else {
1380 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1381 "returned %d for dev=%s ino=%ld\n",
1382 __func__, context, -rc, dev, ino);
1383 }
1da177e4
LT		 1384 kfree(context);
1385 /* Leave with the unlabeled SID */
1386 rc = 0;
1387 break;
1388 }
1389 }
1390 kfree(context);
1391 isec->sid = sid;
1392 break;
1393 case SECURITY_FS_USE_TASK:
1394 isec->sid = isec->task_sid;
1395 break;
1396 case SECURITY_FS_USE_TRANS:
1397 /* Default to the fs SID. */
1398 isec->sid = sbsec->sid;
1399
1400 /* Try to obtain a transition SID. */
1401 isec->sclass = inode_mode_to_security_class(inode->i_mode);
652bb9b0
EP		 1402 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1403 isec->sclass, NULL, &sid);
1da177e4 1404 if (rc)
23970741 1405 goto out_unlock;
1da177e4
LT		 1406 isec->sid = sid;
1407 break;
c312feb2
EP		 1408 case SECURITY_FS_USE_MNTPOINT:
1409 isec->sid = sbsec->mntpoint_sid;
1410 break;
1da177e4 1411 default:
c312feb2 1412 /* Default to the fs superblock SID. */
1da177e4
LT		 1413 isec->sid = sbsec->sid;
1414
0d90a7ec 1415 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1416 /* We must have a dentry to determine the label on
1417 * procfs inodes */
1418 if (opt_dentry)
1419 /* Called from d_instantiate or
1420 * d_splice_alias. */
1421 dentry = dget(opt_dentry);
1422 else
1423 /* Called from selinux_complete_init, try to
1424 * find a dentry. */
1425 dentry = d_find_alias(inode);
1426 /*
1427 * This can be hit on boot when a file is accessed
1428 * before the policy is loaded. When we load policy we
1429 * may find inodes that have no dentry on the
1430 * sbsec->isec_head list. No reason to complain as
1431 * these will get fixed up the next time we go through
1432 * inode_doinit() with a dentry, before these inodes
1433 * could be used again by userspace.
1434 */
1435 if (!dentry)
1436 goto out_unlock;
1437 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1438 rc = selinux_proc_get_sid(dentry, isec->sclass, &sid);
1439 dput(dentry);
1440 if (rc)
1441 goto out_unlock;
1442 isec->sid = sid;
1da177e4
LT		 1443 }
1444 break;
1445 }
1446
1447 isec->initialized = 1;
1448
23970741
EP		 1449out_unlock:
1450 mutex_unlock(&isec->lock);
1da177e4
LT		 1451out:
1452 if (isec->sclass == SECCLASS_FILE)
1453 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1454 return rc;
1455}
1456
1457/* Convert a Linux signal to an access vector. */
1458static inline u32 signal_to_av(int sig)
1459{
1460 u32 perm = 0;
1461
1462 switch (sig) {
1463 case SIGCHLD:
1464 /* Commonly granted from child to parent. */
1465 perm = PROCESS__SIGCHLD;
1466 break;
1467 case SIGKILL:
1468 /* Cannot be caught or ignored */
1469 perm = PROCESS__SIGKILL;
1470 break;
1471 case SIGSTOP:
1472 /* Cannot be caught or ignored */
1473 perm = PROCESS__SIGSTOP;
1474 break;
1475 default:
1476 /* All other signals. */
1477 perm = PROCESS__SIGNAL;
1478 break;
1479 }
1480
1481 return perm;
1482}
1483
d84f4f99
DH		 1484/*
1485 * Check permission between a pair of credentials
1486 * fork check, ptrace check, etc.
1487 */
1488static int cred_has_perm(const struct cred *actor,
1489 const struct cred *target,
1490 u32 perms)
1491{
1492 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1493
1494 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1495}
1496
275bb41e 1497/*
88e67f3b 1498 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1499 * fork check, ptrace check, etc.
1500 * tsk1 is the actor and tsk2 is the target
3b11a1de 1501 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1502 */
1503static int task_has_perm(const struct task_struct *tsk1,
1504 const struct task_struct *tsk2,
1da177e4
LT		 1505 u32 perms)
1506{
275bb41e
DH		 1507 const struct task_security_struct *__tsec1, *__tsec2;
1508 u32 sid1, sid2;
1da177e4 1509
275bb41e
DH		 1510 rcu_read_lock();
1511 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1512 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1513 rcu_read_unlock();
1514 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1515}
1516
3b11a1de
DH		 1517/*
1518 * Check permission between current and another task, e.g. signal checks,
1519 * fork check, ptrace check, etc.
1520 * current is the actor and tsk2 is the target
1521 * - this uses current's subjective creds
1522 */
1523static int current_has_perm(const struct task_struct *tsk,
1524 u32 perms)
1525{
1526 u32 sid, tsid;
1527
1528 sid = current_sid();
1529 tsid = task_sid(tsk);
1530 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1531}
1532
b68e418c
SS		 1533#if CAP_LAST_CAP > 63
1534#error Fix SELinux to handle capabilities > 63.
1535#endif
1536
1da177e4 1537/* Check whether a task is allowed to use a capability. */
6a9de491 1538static int cred_has_capability(const struct cred *cred,
06112163 1539 int cap, int audit)
1da177e4 1540{
2bf49690 1541 struct common_audit_data ad;
06112163 1542 struct av_decision avd;
b68e418c 1543 u16 sclass;
3699c53c 1544 u32 sid = cred_sid(cred);
b68e418c 1545 u32 av = CAP_TO_MASK(cap);
06112163 1546 int rc;
1da177e4 1547
50c205f5 1548 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1549 ad.u.cap = cap;
1550
b68e418c
SS		 1551 switch (CAP_TO_INDEX(cap)) {
1552 case 0:
1553 sclass = SECCLASS_CAPABILITY;
1554 break;
1555 case 1:
1556 sclass = SECCLASS_CAPABILITY2;
1557 break;
1558 default:
1559 printk(KERN_ERR
1560 "SELinux: out of range capability %d\n", cap);
1561 BUG();
a35c6c83 1562 return -EINVAL;
b68e418c 1563 }
06112163 1564
275bb41e 1565 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1566 if (audit == SECURITY_CAP_AUDIT) {
ab354062 1567 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
9ade0cf4
EP		 1568 if (rc2)
1569 return rc2;
1570 }
06112163 1571 return rc;
1da177e4
LT		 1572}
1573
1574/* Check whether a task is allowed to use a system operation. */
1575static int task_has_system(struct task_struct *tsk,
1576 u32 perms)
1577{
275bb41e 1578 u32 sid = task_sid(tsk);
1da177e4 1579
275bb41e 1580 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1581 SECCLASS_SYSTEM, perms, NULL);
1582}
1583
1584/* Check whether a task has a particular permission to an inode.
1585 The 'adp' parameter is optional and allows other audit
1586 data to be passed (e.g. the dentry). */
88e67f3b 1587static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1588 struct inode *inode,
1589 u32 perms,
19e49834 1590 struct common_audit_data *adp)
1da177e4 1591{
1da177e4 1592 struct inode_security_struct *isec;
275bb41e 1593 u32 sid;
1da177e4 1594
e0e81739
DH		 1595 validate_creds(cred);
1596
828dfe1d 1597 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1598 return 0;
1599
88e67f3b 1600 sid = cred_sid(cred);
1da177e4
LT		 1601 isec = inode->i_security;
1602
19e49834 1603 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1604}
1605
1606/* Same as inode_has_perm, but pass explicit audit data containing
1607 the dentry to help the auditing code to more easily generate the
1608 pathname if needed. */
88e67f3b 1609static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1610 struct dentry *dentry,
1611 u32 av)
1612{
1613 struct inode *inode = dentry->d_inode;
2bf49690 1614 struct common_audit_data ad;
88e67f3b 1615
50c205f5 1616 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1617 ad.u.dentry = dentry;
19e49834 1618 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1619}
1620
1621/* Same as inode_has_perm, but pass explicit audit data containing
1622 the path to help the auditing code to more easily generate the
1623 pathname if needed. */
1624static inline int path_has_perm(const struct cred *cred,
3f7036a0 1625 const struct path *path,
2875fa00
EP		 1626 u32 av)
1627{
1628 struct inode *inode = path->dentry->d_inode;
1629 struct common_audit_data ad;
1630
50c205f5 1631 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1632 ad.u.path = *path;
19e49834 1633 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1634}
1635
13f8e981
DH		 1636/* Same as path_has_perm, but uses the inode from the file struct. */
1637static inline int file_path_has_perm(const struct cred *cred,
1638 struct file *file,
1639 u32 av)
1640{
1641 struct common_audit_data ad;
1642
1643 ad.type = LSM_AUDIT_DATA_PATH;
1644 ad.u.path = file->f_path;
19e49834 1645 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1646}
1647
1da177e4
LT		 1648/* Check whether a task can use an open file descriptor to
1649 access an inode in a given way. Check access to the
1650 descriptor itself, and then use dentry_has_perm to
1651 check a particular permission to the file.
1652 Access to the descriptor is implicitly granted if it
1653 has the same SID as the process. If av is zero, then
1654 access to the file is not checked, e.g. for cases
1655 where only the descriptor is affected like seek. */
88e67f3b
DH		 1656static int file_has_perm(const struct cred *cred,
1657 struct file *file,
1658 u32 av)
1da177e4 1659{
1da177e4 1660 struct file_security_struct *fsec = file->f_security;
496ad9aa 1661 struct inode *inode = file_inode(file);
2bf49690 1662 struct common_audit_data ad;
88e67f3b 1663 u32 sid = cred_sid(cred);
1da177e4
LT		 1664 int rc;
1665
50c205f5 1666 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 1667 ad.u.path = file->f_path;
1da177e4 1668
275bb41e
DH		 1669 if (sid != fsec->sid) {
1670 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1671 SECCLASS_FD,
1672 FD__USE,
1673 &ad);
1674 if (rc)
88e67f3b 1675 goto out;
1da177e4
LT		 1676 }
1677
1678 /* av is zero if only checking access to the descriptor. */
88e67f3b 1679 rc = 0;
1da177e4 1680 if (av)
19e49834 1681 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1682
88e67f3b
DH		 1683out:
1684 return rc;
1da177e4
LT		 1685}
1686
1687/* Check whether a task can create a file. */
1688static int may_create(struct inode *dir,
1689 struct dentry *dentry,
1690 u16 tclass)
1691{
5fb49870 1692 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1693 struct inode_security_struct *dsec;
1694 struct superblock_security_struct *sbsec;
275bb41e 1695 u32 sid, newsid;
2bf49690 1696 struct common_audit_data ad;
1da177e4
LT		 1697 int rc;
1698
1da177e4
LT		 1699 dsec = dir->i_security;
1700 sbsec = dir->i_sb->s_security;
1701
275bb41e
DH		 1702 sid = tsec->sid;
1703 newsid = tsec->create_sid;
1704
50c205f5 1705 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1706 ad.u.dentry = dentry;
1da177e4 1707
275bb41e 1708 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1709 DIR__ADD_NAME | DIR__SEARCH,
1710 &ad);
1711 if (rc)
1712 return rc;
1713
12f348b9 1714 if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
cb1e922f
EP		 1715 rc = security_transition_sid(sid, dsec->sid, tclass,
1716 &dentry->d_name, &newsid);
1da177e4
LT		 1717 if (rc)
1718 return rc;
1719 }
1720
275bb41e 1721 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1722 if (rc)
1723 return rc;
1724
1725 return avc_has_perm(newsid, sbsec->sid,
1726 SECCLASS_FILESYSTEM,
1727 FILESYSTEM__ASSOCIATE, &ad);
1728}
1729
4eb582cf
ML		 1730/* Check whether a task can create a key. */
1731static int may_create_key(u32 ksid,
1732 struct task_struct *ctx)
1733{
275bb41e 1734 u32 sid = task_sid(ctx);
4eb582cf 1735
275bb41e 1736 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1737}
1738
828dfe1d
EP		 1739#define MAY_LINK 0
1740#define MAY_UNLINK 1
1741#define MAY_RMDIR 2
1da177e4
LT		 1742
1743/* Check whether a task can link, unlink, or rmdir a file/directory. */
1744static int may_link(struct inode *dir,
1745 struct dentry *dentry,
1746 int kind)
1747
1748{
1da177e4 1749 struct inode_security_struct *dsec, *isec;
2bf49690 1750 struct common_audit_data ad;
275bb41e 1751 u32 sid = current_sid();
1da177e4
LT		 1752 u32 av;
1753 int rc;
1754
1da177e4
LT		 1755 dsec = dir->i_security;
1756 isec = dentry->d_inode->i_security;
1757
50c205f5 1758 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1759 ad.u.dentry = dentry;
1da177e4
LT		 1760
1761 av = DIR__SEARCH;
1762 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1763 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1764 if (rc)
1765 return rc;
1766
1767 switch (kind) {
1768 case MAY_LINK:
1769 av = FILE__LINK;
1770 break;
1771 case MAY_UNLINK:
1772 av = FILE__UNLINK;
1773 break;
1774 case MAY_RMDIR:
1775 av = DIR__RMDIR;
1776 break;
1777 default:
744ba35e
EP		 1778 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1779 __func__, kind);
1da177e4
LT		 1780 return 0;
1781 }
1782
275bb41e 1783 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1784 return rc;
1785}
1786
1787static inline int may_rename(struct inode *old_dir,
1788 struct dentry *old_dentry,
1789 struct inode *new_dir,
1790 struct dentry *new_dentry)
1791{
1da177e4 1792 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1793 struct common_audit_data ad;
275bb41e 1794 u32 sid = current_sid();
1da177e4
LT		 1795 u32 av;
1796 int old_is_dir, new_is_dir;
1797 int rc;
1798
1da177e4
LT		 1799 old_dsec = old_dir->i_security;
1800 old_isec = old_dentry->d_inode->i_security;
e36cb0b8 1801 old_is_dir = d_is_dir(old_dentry);
1da177e4
LT		 1802 new_dsec = new_dir->i_security;
1803
50c205f5 1804 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1805
a269434d 1806 ad.u.dentry = old_dentry;
275bb41e 1807 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1808 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1809 if (rc)
1810 return rc;
275bb41e 1811 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1812 old_isec->sclass, FILE__RENAME, &ad);
1813 if (rc)
1814 return rc;
1815 if (old_is_dir && new_dir != old_dir) {
275bb41e 1816 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1817 old_isec->sclass, DIR__REPARENT, &ad);
1818 if (rc)
1819 return rc;
1820 }
1821
a269434d 1822 ad.u.dentry = new_dentry;
1da177e4 1823 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1824 if (d_is_positive(new_dentry))
1da177e4 1825 av |= DIR__REMOVE_NAME;
275bb41e 1826 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1827 if (rc)
1828 return rc;
2c616d4d 1829 if (d_is_positive(new_dentry)) {
1da177e4 1830 new_isec = new_dentry->d_inode->i_security;
e36cb0b8 1831 new_is_dir = d_is_dir(new_dentry);
275bb41e 1832 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1833 new_isec->sclass,
1834 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1835 if (rc)
1836 return rc;
1837 }
1838
1839 return 0;
1840}
1841
1842/* Check whether a task can perform a filesystem operation. */
88e67f3b 1843static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1844 struct super_block *sb,
1845 u32 perms,
2bf49690 1846 struct common_audit_data *ad)
1da177e4 1847{
1da177e4 1848 struct superblock_security_struct *sbsec;
88e67f3b 1849 u32 sid = cred_sid(cred);
1da177e4 1850
1da177e4 1851 sbsec = sb->s_security;
275bb41e 1852 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1853}
1854
1855/* Convert a Linux mode and permission mask to an access vector. */
1856static inline u32 file_mask_to_av(int mode, int mask)
1857{
1858 u32 av = 0;
1859
dba19c60 1860 if (!S_ISDIR(mode)) {
1da177e4
LT		 1861 if (mask & MAY_EXEC)
1862 av |= FILE__EXECUTE;
1863 if (mask & MAY_READ)
1864 av |= FILE__READ;
1865
1866 if (mask & MAY_APPEND)
1867 av |= FILE__APPEND;
1868 else if (mask & MAY_WRITE)
1869 av |= FILE__WRITE;
1870
1871 } else {
1872 if (mask & MAY_EXEC)
1873 av |= DIR__SEARCH;
1874 if (mask & MAY_WRITE)
1875 av |= DIR__WRITE;
1876 if (mask & MAY_READ)
1877 av |= DIR__READ;
1878 }
1879
1880 return av;
1881}
1882
8b6a5a37
EP		 1883/* Convert a Linux file to an access vector. */
1884static inline u32 file_to_av(struct file *file)
1885{
1886 u32 av = 0;
1887
1888 if (file->f_mode & FMODE_READ)
1889 av |= FILE__READ;
1890 if (file->f_mode & FMODE_WRITE) {
1891 if (file->f_flags & O_APPEND)
1892 av |= FILE__APPEND;
1893 else
1894 av |= FILE__WRITE;
1895 }
1896 if (!av) {
1897 /*
1898 * Special file opened with flags 3 for ioctl-only use.
1899 */
1900 av = FILE__IOCTL;
1901 }
1902
1903 return av;
1904}
1905
b0c636b9 1906/*
8b6a5a37 1907 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 1908 * open permission.
1909 */
8b6a5a37 1910static inline u32 open_file_to_av(struct file *file)
b0c636b9 1911{
8b6a5a37 1912 u32 av = file_to_av(file);
b0c636b9 1913
49b7b8de
EP		 1914 if (selinux_policycap_openperm)
1915 av |= FILE__OPEN;
1916
b0c636b9
EP		 1917 return av;
1918}
1919
1da177e4
LT		 1920/* Hook functions begin here. */
1921
79af7307
SS		 1922static int selinux_binder_set_context_mgr(struct task_struct *mgr)
1923{
1924 u32 mysid = current_sid();
1925 u32 mgrsid = task_sid(mgr);
1926
1927 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
1928 BINDER__SET_CONTEXT_MGR, NULL);
1929}
1930
1931static int selinux_binder_transaction(struct task_struct *from,
1932 struct task_struct *to)
1933{
1934 u32 mysid = current_sid();
1935 u32 fromsid = task_sid(from);
1936 u32 tosid = task_sid(to);
1937 int rc;
1938
1939 if (mysid != fromsid) {
1940 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
1941 BINDER__IMPERSONATE, NULL);
1942 if (rc)
1943 return rc;
1944 }
1945
1946 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
1947 NULL);
1948}
1949
1950static int selinux_binder_transfer_binder(struct task_struct *from,
1951 struct task_struct *to)
1952{
1953 u32 fromsid = task_sid(from);
1954 u32 tosid = task_sid(to);
1955
1956 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
1957 NULL);
1958}
1959
1960static int selinux_binder_transfer_file(struct task_struct *from,
1961 struct task_struct *to,
1962 struct file *file)
1963{
1964 u32 sid = task_sid(to);
1965 struct file_security_struct *fsec = file->f_security;
1966 struct inode *inode = file->f_path.dentry->d_inode;
1967 struct inode_security_struct *isec = inode->i_security;
1968 struct common_audit_data ad;
1969 int rc;
1970
1971 ad.type = LSM_AUDIT_DATA_PATH;
1972 ad.u.path = file->f_path;
1973
1974 if (sid != fsec->sid) {
1975 rc = avc_has_perm(sid, fsec->sid,
1976 SECCLASS_FD,
1977 FD__USE,
1978 &ad);
1979 if (rc)
1980 return rc;
1981 }
1982
1983 if (unlikely(IS_PRIVATE(inode)))
1984 return 0;
1985
1986 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
1987 &ad);
1988}
1989
9e48858f 1990static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 1991 unsigned int mode)
1da177e4 1992{
1da177e4
LT		 1993 int rc;
1994
9e48858f 1995 rc = cap_ptrace_access_check(child, mode);
1da177e4
LT		 1996 if (rc)
1997 return rc;
1998
69f594a3 1999 if (mode & PTRACE_MODE_READ) {
275bb41e
DH		 2000 u32 sid = current_sid();
2001 u32 csid = task_sid(child);
2002 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 2003 }
2004
3b11a1de 2005 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 2006}
2007
2008static int selinux_ptrace_traceme(struct task_struct *parent)
2009{
2010 int rc;
2011
200ac532 2012 rc = cap_ptrace_traceme(parent);
5cd9c58f
DH		 2013 if (rc)
2014 return rc;
2015
2016 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 2017}
2018
2019static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2020 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4
LT		 2021{
2022 int error;
2023
3b11a1de 2024 error = current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 2025 if (error)
2026 return error;
2027
200ac532 2028 return cap_capget(target, effective, inheritable, permitted);
1da177e4
LT		 2029}
2030
d84f4f99
DH		 2031static int selinux_capset(struct cred *new, const struct cred *old,
2032 const kernel_cap_t *effective,
2033 const kernel_cap_t *inheritable,
2034 const kernel_cap_t *permitted)
1da177e4
LT		 2035{
2036 int error;
2037
200ac532 2038 error = cap_capset(new, old,
d84f4f99 2039 effective, inheritable, permitted);
1da177e4
LT		 2040 if (error)
2041 return error;
2042
d84f4f99 2043 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 2044}
2045
5626d3e8
JM		 2046/*
2047 * (This comment used to live with the selinux_task_setuid hook,
2048 * which was removed).
2049 *
2050 * Since setuid only affects the current process, and since the SELinux
2051 * controls are not based on the Linux identity attributes, SELinux does not
2052 * need to control this operation. However, SELinux does control the use of
2053 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2054 */
2055
6a9de491
EP		 2056static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2057 int cap, int audit)
1da177e4
LT		 2058{
2059 int rc;
2060
6a9de491 2061 rc = cap_capable(cred, ns, cap, audit);
1da177e4
LT		 2062 if (rc)
2063 return rc;
2064
6a9de491 2065 return cred_has_capability(cred, cap, audit);
1da177e4
LT		 2066}
2067
1da177e4
LT		 2068static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2069{
88e67f3b 2070 const struct cred *cred = current_cred();
1da177e4
LT		 2071 int rc = 0;
2072
2073 if (!sb)
2074 return 0;
2075
2076 switch (cmds) {
828dfe1d
EP		 2077 case Q_SYNC:
2078 case Q_QUOTAON:
2079 case Q_QUOTAOFF:
2080 case Q_SETINFO:
2081 case Q_SETQUOTA:
88e67f3b 2082 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2083 break;
2084 case Q_GETFMT:
2085 case Q_GETINFO:
2086 case Q_GETQUOTA:
88e67f3b 2087 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2088 break;
2089 default:
2090 rc = 0; /* let the kernel handle invalid cmds */
2091 break;
1da177e4
LT		 2092 }
2093 return rc;
2094}
2095
2096static int selinux_quota_on(struct dentry *dentry)
2097{
88e67f3b
DH		 2098 const struct cred *cred = current_cred();
2099
2875fa00 2100 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2101}
2102
12b3052c 2103static int selinux_syslog(int type)
1da177e4
LT		 2104{
2105 int rc;
2106
1da177e4 2107 switch (type) {
d78ca3cd
KC		 2108 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2109 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
828dfe1d
EP		 2110 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2111 break;
d78ca3cd
KC		 2112 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2113 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2114 /* Set level of messages printed to console */
2115 case SYSLOG_ACTION_CONSOLE_LEVEL:
828dfe1d
EP		 2116 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2117 break;
d78ca3cd
KC		 2118 case SYSLOG_ACTION_CLOSE: /* Close log */
2119 case SYSLOG_ACTION_OPEN: /* Open log */
2120 case SYSLOG_ACTION_READ: /* Read from log */
2121 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2122 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
828dfe1d
EP		 2123 default:
2124 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2125 break;
1da177e4
LT		 2126 }
2127 return rc;
2128}
2129
2130/*
2131 * Check that a process has enough memory to allocate a new virtual
2132 * mapping. 0 means there is enough memory for the allocation to
2133 * succeed and -ENOMEM implies there is not.
2134 *
1da177e4
LT		 2135 * Do not audit the selinux permission check, as this is applied to all
2136 * processes that allocate mappings.
2137 */
34b4e4aa 2138static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2139{
2140 int rc, cap_sys_admin = 0;
1da177e4 2141
6a9de491 2142 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
3699c53c 2143 SECURITY_CAP_NOAUDIT);
1da177e4
LT		 2144 if (rc == 0)
2145 cap_sys_admin = 1;
2146
34b4e4aa 2147 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 2148}
2149
2150/* binprm security operations */
2151
7b0d0b40
SS		 2152static int check_nnp_nosuid(const struct linux_binprm *bprm,
2153 const struct task_security_struct *old_tsec,
2154 const struct task_security_struct *new_tsec)
2155{
2156 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2157 int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2158 int rc;
2159
2160 if (!nnp && !nosuid)
2161 return 0; /* neither NNP nor nosuid */
2162
2163 if (new_tsec->sid == old_tsec->sid)
2164 return 0; /* No change in credentials */
2165
2166 /*
2167 * The only transitions we permit under NNP or nosuid
2168 * are transitions to bounded SIDs, i.e. SIDs that are
2169 * guaranteed to only be allowed a subset of the permissions
2170 * of the current SID.
2171 */
2172 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2173 if (rc) {
2174 /*
2175 * On failure, preserve the errno values for NNP vs nosuid.
2176 * NNP: Operation not permitted for caller.
2177 * nosuid: Permission denied to file.
2178 */
2179 if (nnp)
2180 return -EPERM;
2181 else
2182 return -EACCES;
2183 }
2184 return 0;
2185}
2186
a6f76f23 2187static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2188{
a6f76f23
DH		 2189 const struct task_security_struct *old_tsec;
2190 struct task_security_struct *new_tsec;
1da177e4 2191 struct inode_security_struct *isec;
2bf49690 2192 struct common_audit_data ad;
496ad9aa 2193 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2194 int rc;
2195
200ac532 2196 rc = cap_bprm_set_creds(bprm);
1da177e4
LT		 2197 if (rc)
2198 return rc;
2199
a6f76f23
DH		 2200 /* SELinux context only depends on initial program or script and not
2201 * the script interpreter */
2202 if (bprm->cred_prepared)
1da177e4
LT		 2203 return 0;
2204
a6f76f23
DH		 2205 old_tsec = current_security();
2206 new_tsec = bprm->cred->security;
1da177e4
LT		 2207 isec = inode->i_security;
2208
2209 /* Default to the current task SID. */
a6f76f23
DH		 2210 new_tsec->sid = old_tsec->sid;
2211 new_tsec->osid = old_tsec->sid;
1da177e4 2212
28eba5bf 2213 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2214 new_tsec->create_sid = 0;
2215 new_tsec->keycreate_sid = 0;
2216 new_tsec->sockcreate_sid = 0;
1da177e4 2217
a6f76f23
DH		 2218 if (old_tsec->exec_sid) {
2219 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2220 /* Reset exec SID on execve. */
a6f76f23 2221 new_tsec->exec_sid = 0;
259e5e6c 2222
7b0d0b40
SS		 2223 /* Fail on NNP or nosuid if not an allowed transition. */
2224 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2225 if (rc)
2226 return rc;
1da177e4
LT		 2227 } else {
2228 /* Check for a default transition on this program. */
a6f76f23 2229 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2230 SECCLASS_PROCESS, NULL,
2231 &new_tsec->sid);
1da177e4
LT		 2232 if (rc)
2233 return rc;
7b0d0b40
SS		 2234
2235 /*
2236 * Fallback to old SID on NNP or nosuid if not an allowed
2237 * transition.
2238 */
2239 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2240 if (rc)
2241 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2242 }
2243
50c205f5 2244 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 2245 ad.u.path = bprm->file->f_path;
1da177e4 2246
a6f76f23
DH		 2247 if (new_tsec->sid == old_tsec->sid) {
2248 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2249 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2250 if (rc)
2251 return rc;
2252 } else {
2253 /* Check permissions for the transition. */
a6f76f23 2254 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2255 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2256 if (rc)
2257 return rc;
2258
a6f76f23 2259 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2260 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2261 if (rc)
2262 return rc;
2263
a6f76f23
DH		 2264 /* Check for shared state */
2265 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2266 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2267 SECCLASS_PROCESS, PROCESS__SHARE,
2268 NULL);
2269 if (rc)
2270 return -EPERM;
2271 }
2272
2273 /* Make sure that anyone attempting to ptrace over a task that
2274 * changes its SID has the appropriate permit */
2275 if (bprm->unsafe &
2276 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2277 struct task_struct *tracer;
2278 struct task_security_struct *sec;
2279 u32 ptsid = 0;
2280
2281 rcu_read_lock();
06d98473 2282 tracer = ptrace_parent(current);
a6f76f23
DH		 2283 if (likely(tracer != NULL)) {
2284 sec = __task_cred(tracer)->security;
2285 ptsid = sec->sid;
2286 }
2287 rcu_read_unlock();
2288
2289 if (ptsid != 0) {
2290 rc = avc_has_perm(ptsid, new_tsec->sid,
2291 SECCLASS_PROCESS,
2292 PROCESS__PTRACE, NULL);
2293 if (rc)
2294 return -EPERM;
2295 }
2296 }
1da177e4 2297
a6f76f23
DH		 2298 /* Clear any possibly unsafe personality bits on exec: */
2299 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2300 }
2301
1da177e4
LT		 2302 return 0;
2303}
2304
828dfe1d 2305static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2306{
5fb49870 2307 const struct task_security_struct *tsec = current_security();
275bb41e 2308 u32 sid, osid;
1da177e4
LT		 2309 int atsecure = 0;
2310
275bb41e
DH		 2311 sid = tsec->sid;
2312 osid = tsec->osid;
2313
2314 if (osid != sid) {
1da177e4
LT		 2315 /* Enable secure mode for SIDs transitions unless
2316 the noatsecure permission is granted between
2317 the two SIDs, i.e. ahp returns 0. */
275bb41e 2318 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2319 SECCLASS_PROCESS,
2320 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2321 }
2322
200ac532 2323 return (atsecure || cap_bprm_secureexec(bprm));
1da177e4
LT		 2324}
2325
c3c073f8
AV		 2326static int match_file(const void *p, struct file *file, unsigned fd)
2327{
2328 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2329}
2330
1da177e4 2331/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2332static inline void flush_unauthorized_files(const struct cred *cred,
2333 struct files_struct *files)
1da177e4 2334{
1da177e4 2335 struct file *file, *devnull = NULL;
b20c8122 2336 struct tty_struct *tty;
24ec839c 2337 int drop_tty = 0;
c3c073f8 2338 unsigned n;
1da177e4 2339
24ec839c 2340 tty = get_current_tty();
1da177e4 2341 if (tty) {
ee2ffa0d 2342 spin_lock(&tty_files_lock);
37dd0bd0 2343 if (!list_empty(&tty->tty_files)) {
d996b62a 2344 struct tty_file_private *file_priv;
37dd0bd0 2345
1da177e4 2346 /* Revalidate access to controlling tty.
13f8e981
DH		 2347 Use file_path_has_perm on the tty path directly
2348 rather than using file_has_perm, as this particular
2349 open file may belong to another process and we are
2350 only interested in the inode-based check here. */
d996b62a
NP		 2351 file_priv = list_first_entry(&tty->tty_files,
2352 struct tty_file_private, list);
2353 file = file_priv->file;
13f8e981 2354 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2355 drop_tty = 1;
1da177e4 2356 }
ee2ffa0d 2357 spin_unlock(&tty_files_lock);
452a00d2 2358 tty_kref_put(tty);
1da177e4 2359 }
98a27ba4
EB		 2360 /* Reset controlling tty. */
2361 if (drop_tty)
2362 no_tty();
1da177e4
LT		 2363
2364 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2365 n = iterate_fd(files, 0, match_file, cred);
2366 if (!n) /* none found? */
2367 return;
1da177e4 2368
c3c073f8 2369 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2370 if (IS_ERR(devnull))
2371 devnull = NULL;
2372 /* replace all the matching ones with this */
2373 do {
2374 replace_fd(n - 1, devnull, 0);
2375 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2376 if (devnull)
c3c073f8 2377 fput(devnull);
1da177e4
LT		 2378}
2379
a6f76f23
DH		 2380/*
2381 * Prepare a process for imminent new credential changes due to exec
2382 */
2383static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2384{
a6f76f23
DH		 2385 struct task_security_struct *new_tsec;
2386 struct rlimit *rlim, *initrlim;
2387 int rc, i;
d84f4f99 2388
a6f76f23
DH		 2389 new_tsec = bprm->cred->security;
2390 if (new_tsec->sid == new_tsec->osid)
2391 return;
1da177e4 2392
a6f76f23
DH		 2393 /* Close files for which the new task SID is not authorized. */
2394 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2395
a6f76f23
DH		 2396 /* Always clear parent death signal on SID transitions. */
2397 current->pdeath_signal = 0;
0356357c 2398
a6f76f23
DH		 2399 /* Check whether the new SID can inherit resource limits from the old
2400 * SID. If not, reset all soft limits to the lower of the current
2401 * task's hard limit and the init task's soft limit.
2402 *
2403 * Note that the setting of hard limits (even to lower them) can be
2404 * controlled by the setrlimit check. The inclusion of the init task's
2405 * soft limit into the computation is to avoid resetting soft limits
2406 * higher than the default soft limit for cases where the default is
2407 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2408 */
2409 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2410 PROCESS__RLIMITINH, NULL);
2411 if (rc) {
eb2d55a3
ON		 2412 /* protect against do_prlimit() */
2413 task_lock(current);
a6f76f23
DH		 2414 for (i = 0; i < RLIM_NLIMITS; i++) {
2415 rlim = current->signal->rlim + i;
2416 initrlim = init_task.signal->rlim + i;
2417 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2418 }
eb2d55a3
ON		 2419 task_unlock(current);
2420 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2421 }
2422}
2423
2424/*
a6f76f23
DH		 2425 * Clean up the process immediately after the installation of new credentials
2426 * due to exec
1da177e4 2427 */
a6f76f23 2428static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2429{
a6f76f23 2430 const struct task_security_struct *tsec = current_security();
1da177e4 2431 struct itimerval itimer;
a6f76f23 2432 u32 osid, sid;
1da177e4
LT		 2433 int rc, i;
2434
a6f76f23
DH		 2435 osid = tsec->osid;
2436 sid = tsec->sid;
2437
2438 if (sid == osid)
1da177e4
LT		 2439 return;
2440
a6f76f23
DH		 2441 /* Check whether the new SID can inherit signal state from the old SID.
2442 * If not, clear itimers to avoid subsequent signal generation and
2443 * flush and unblock signals.
2444 *
2445 * This must occur _after_ the task SID has been updated so that any
2446 * kill done after the flush will be checked against the new SID.
2447 */
2448 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4
LT		 2449 if (rc) {
2450 memset(&itimer, 0, sizeof itimer);
2451 for (i = 0; i < 3; i++)
2452 do_setitimer(i, &itimer, NULL);
1da177e4 2453 spin_lock_irq(&current->sighand->siglock);
3bcac026
DH		 2454 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2455 __flush_signals(current);
2456 flush_signal_handlers(current, 1);
2457 sigemptyset(&current->blocked);
2458 }
1da177e4
LT		 2459 spin_unlock_irq(&current->sighand->siglock);
2460 }
2461
a6f76f23
DH		 2462 /* Wake up the parent if it is waiting so that it can recheck
2463 * wait permission to the new task SID. */
ecd6de3c 2464 read_lock(&tasklist_lock);
0b7570e7 2465 __wake_up_parent(current, current->real_parent);
ecd6de3c 2466 read_unlock(&tasklist_lock);
1da177e4
LT		 2467}
2468
2469/* superblock security operations */
2470
2471static int selinux_sb_alloc_security(struct super_block *sb)
2472{
2473 return superblock_alloc_security(sb);
2474}
2475
2476static void selinux_sb_free_security(struct super_block *sb)
2477{
2478 superblock_free_security(sb);
2479}
2480
2481static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2482{
2483 if (plen > olen)
2484 return 0;
2485
2486 return !memcmp(prefix, option, plen);
2487}
2488
2489static inline int selinux_option(char *option, int len)
2490{
832cbd9a
EP		 2491 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2492 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2493 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2494 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2495 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2496}
2497
2498static inline void take_option(char **to, char *from, int *first, int len)
2499{
2500 if (!*first) {
2501 **to = ',';
2502 *to += 1;
3528a953 2503 } else
1da177e4
LT		 2504 *first = 0;
2505 memcpy(*to, from, len);
2506 *to += len;
2507}
2508
828dfe1d
EP		 2509static inline void take_selinux_option(char **to, char *from, int *first,
2510 int len)
3528a953
CO		 2511{
2512 int current_size = 0;
2513
2514 if (!*first) {
2515 **to = '|';
2516 *to += 1;
828dfe1d 2517 } else
3528a953
CO		 2518 *first = 0;
2519
2520 while (current_size < len) {
2521 if (*from != '"') {
2522 **to = *from;
2523 *to += 1;
2524 }
2525 from += 1;
2526 current_size += 1;
2527 }
2528}
2529
e0007529 2530static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2531{
2532 int fnosec, fsec, rc = 0;
2533 char *in_save, *in_curr, *in_end;
2534 char *sec_curr, *nosec_save, *nosec;
3528a953 2535 int open_quote = 0;
1da177e4
LT		 2536
2537 in_curr = orig;
2538 sec_curr = copy;
2539
1da177e4
LT		 2540 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2541 if (!nosec) {
2542 rc = -ENOMEM;
2543 goto out;
2544 }
2545
2546 nosec_save = nosec;
2547 fnosec = fsec = 1;
2548 in_save = in_end = orig;
2549
2550 do {
3528a953
CO		 2551 if (*in_end == '"')
2552 open_quote = !open_quote;
2553 if ((*in_end == ',' && open_quote == 0) ||
2554 *in_end == '\0') {
1da177e4
LT		 2555 int len = in_end - in_curr;
2556
2557 if (selinux_option(in_curr, len))
3528a953 2558 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2559 else
2560 take_option(&nosec, in_curr, &fnosec, len);
2561
2562 in_curr = in_end + 1;
2563 }
2564 } while (*in_end++);
2565
6931dfc9 2566 strcpy(in_save, nosec_save);
da3caa20 2567 free_page((unsigned long)nosec_save);
1da177e4
LT		 2568out:
2569 return rc;
2570}
2571
026eb167
EP		 2572static int selinux_sb_remount(struct super_block *sb, void *data)
2573{
2574 int rc, i, *flags;
2575 struct security_mnt_opts opts;
2576 char *secdata, **mount_options;
2577 struct superblock_security_struct *sbsec = sb->s_security;
2578
2579 if (!(sbsec->flags & SE_SBINITIALIZED))
2580 return 0;
2581
2582 if (!data)
2583 return 0;
2584
2585 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2586 return 0;
2587
2588 security_init_mnt_opts(&opts);
2589 secdata = alloc_secdata();
2590 if (!secdata)
2591 return -ENOMEM;
2592 rc = selinux_sb_copy_data(data, secdata);
2593 if (rc)
2594 goto out_free_secdata;
2595
2596 rc = selinux_parse_opts_str(secdata, &opts);
2597 if (rc)
2598 goto out_free_secdata;
2599
2600 mount_options = opts.mnt_opts;
2601 flags = opts.mnt_opts_flags;
2602
2603 for (i = 0; i < opts.num_mnt_opts; i++) {
2604 u32 sid;
2605 size_t len;
2606
12f348b9 2607 if (flags[i] == SBLABEL_MNT)
026eb167
EP		 2608 continue;
2609 len = strlen(mount_options[i]);
52a4c640
NA		 2610 rc = security_context_to_sid(mount_options[i], len, &sid,
2611 GFP_KERNEL);
026eb167
EP		 2612 if (rc) {
2613 printk(KERN_WARNING "SELinux: security_context_to_sid"
29b1deb2
LT		 2614 "(%s) failed for (dev %s, type %s) errno=%d\n",
2615 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2616 goto out_free_opts;
2617 }
2618 rc = -EINVAL;
2619 switch (flags[i]) {
2620 case FSCONTEXT_MNT:
2621 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2622 goto out_bad_option;
2623 break;
2624 case CONTEXT_MNT:
2625 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2626 goto out_bad_option;
2627 break;
2628 case ROOTCONTEXT_MNT: {
2629 struct inode_security_struct *root_isec;
2630 root_isec = sb->s_root->d_inode->i_security;
2631
2632 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2633 goto out_bad_option;
2634 break;
2635 }
2636 case DEFCONTEXT_MNT:
2637 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2638 goto out_bad_option;
2639 break;
2640 default:
2641 goto out_free_opts;
2642 }
2643 }
2644
2645 rc = 0;
2646out_free_opts:
2647 security_free_mnt_opts(&opts);
2648out_free_secdata:
2649 free_secdata(secdata);
2650 return rc;
2651out_bad_option:
2652 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2653 "during remount (dev %s, type=%s)\n", sb->s_id,
2654 sb->s_type->name);
026eb167
EP		 2655 goto out_free_opts;
2656}
2657
12204e24 2658static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2659{
88e67f3b 2660 const struct cred *cred = current_cred();
2bf49690 2661 struct common_audit_data ad;
1da177e4
LT		 2662 int rc;
2663
2664 rc = superblock_doinit(sb, data);
2665 if (rc)
2666 return rc;
2667
74192246
JM		 2668 /* Allow all mounts performed by the kernel */
2669 if (flags & MS_KERNMOUNT)
2670 return 0;
2671
50c205f5 2672 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2673 ad.u.dentry = sb->s_root;
88e67f3b 2674 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2675}
2676
726c3342 2677static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2678{
88e67f3b 2679 const struct cred *cred = current_cred();
2bf49690 2680 struct common_audit_data ad;
1da177e4 2681
50c205f5 2682 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2683 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2684 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2685}
2686
808d4e3c 2687static int selinux_mount(const char *dev_name,
b5266eb4 2688 struct path *path,
808d4e3c 2689 const char *type,
828dfe1d
EP		 2690 unsigned long flags,
2691 void *data)
1da177e4 2692{
88e67f3b 2693 const struct cred *cred = current_cred();
1da177e4
LT		 2694
2695 if (flags & MS_REMOUNT)
d8c9584e 2696 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2697 FILESYSTEM__REMOUNT, NULL);
1da177e4 2698 else
2875fa00 2699 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2700}
2701
2702static int selinux_umount(struct vfsmount *mnt, int flags)
2703{
88e67f3b 2704 const struct cred *cred = current_cred();
1da177e4 2705
88e67f3b 2706 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2707 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2708}
2709
2710/* inode security operations */
2711
2712static int selinux_inode_alloc_security(struct inode *inode)
2713{
2714 return inode_alloc_security(inode);
2715}
2716
2717static void selinux_inode_free_security(struct inode *inode)
2718{
2719 inode_free_security(inode);
2720}
2721
d47be3df
DQ		 2722static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2723 struct qstr *name, void **ctx,
2724 u32 *ctxlen)
2725{
2726 const struct cred *cred = current_cred();
2727 struct task_security_struct *tsec;
2728 struct inode_security_struct *dsec;
2729 struct superblock_security_struct *sbsec;
2730 struct inode *dir = dentry->d_parent->d_inode;
2731 u32 newsid;
2732 int rc;
2733
2734 tsec = cred->security;
2735 dsec = dir->i_security;
2736 sbsec = dir->i_sb->s_security;
2737
2738 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2739 newsid = tsec->create_sid;
2740 } else {
2741 rc = security_transition_sid(tsec->sid, dsec->sid,
2742 inode_mode_to_security_class(mode),
2743 name,
2744 &newsid);
2745 if (rc) {
2746 printk(KERN_WARNING
2747 "%s: security_transition_sid failed, rc=%d\n",
2748 __func__, -rc);
2749 return rc;
2750 }
2751 }
2752
2753 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2754}
2755
5e41ff9e 2756static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2757 const struct qstr *qstr,
2758 const char **name,
2a7dba39 2759 void **value, size_t *len)
5e41ff9e 2760{
5fb49870 2761 const struct task_security_struct *tsec = current_security();
5e41ff9e
SS		 2762 struct inode_security_struct *dsec;
2763 struct superblock_security_struct *sbsec;
275bb41e 2764 u32 sid, newsid, clen;
5e41ff9e 2765 int rc;
9548906b 2766 char *context;
5e41ff9e 2767
5e41ff9e
SS		 2768 dsec = dir->i_security;
2769 sbsec = dir->i_sb->s_security;
5e41ff9e 2770
275bb41e
DH		 2771 sid = tsec->sid;
2772 newsid = tsec->create_sid;
2773
415103f9
EP		 2774 if ((sbsec->flags & SE_SBINITIALIZED) &&
2775 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2776 newsid = sbsec->mntpoint_sid;
12f348b9 2777 else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
275bb41e 2778 rc = security_transition_sid(sid, dsec->sid,
5e41ff9e 2779 inode_mode_to_security_class(inode->i_mode),
652bb9b0 2780 qstr, &newsid);
5e41ff9e
SS		 2781 if (rc) {
2782 printk(KERN_WARNING "%s: "
2783 "security_transition_sid failed, rc=%d (dev=%s "
2784 "ino=%ld)\n",
dd6f953a 2785 __func__,
5e41ff9e
SS		 2786 -rc, inode->i_sb->s_id, inode->i_ino);
2787 return rc;
2788 }
2789 }
2790
296fddf7 2791 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2792 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2793 struct inode_security_struct *isec = inode->i_security;
2794 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2795 isec->sid = newsid;
2796 isec->initialized = 1;
2797 }
5e41ff9e 2798
12f348b9 2799 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2800 return -EOPNOTSUPP;
2801
9548906b
TH		 2802 if (name)
2803 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2804
570bc1c2 2805 if (value && len) {
12b29f34 2806 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 2807 if (rc)
570bc1c2 2808 return rc;
570bc1c2
SS		 2809 *value = context;
2810 *len = clen;
5e41ff9e 2811 }
5e41ff9e 2812
5e41ff9e
SS		 2813 return 0;
2814}
2815
4acdaf27 2816static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2817{
2818 return may_create(dir, dentry, SECCLASS_FILE);
2819}
2820
1da177e4
LT		 2821static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2822{
1da177e4
LT		 2823 return may_link(dir, old_dentry, MAY_LINK);
2824}
2825
1da177e4
LT		 2826static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2827{
1da177e4
LT		 2828 return may_link(dir, dentry, MAY_UNLINK);
2829}
2830
2831static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2832{
2833 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2834}
2835
18bb1db3 2836static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2837{
2838 return may_create(dir, dentry, SECCLASS_DIR);
2839}
2840
1da177e4
LT		 2841static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2842{
2843 return may_link(dir, dentry, MAY_RMDIR);
2844}
2845
1a67aafb 2846static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2847{
1da177e4
LT		 2848 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2849}
2850
1da177e4 2851static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2852 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2853{
2854 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2855}
2856
1da177e4
LT		 2857static int selinux_inode_readlink(struct dentry *dentry)
2858{
88e67f3b
DH		 2859 const struct cred *cred = current_cred();
2860
2875fa00 2861 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2862}
2863
2864static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2865{
88e67f3b 2866 const struct cred *cred = current_cred();
1da177e4 2867
2875fa00 2868 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2869}
2870
d4cf970d
EP		 2871static noinline int audit_inode_permission(struct inode *inode,
2872 u32 perms, u32 audited, u32 denied,
626b9740 2873 int result,
d4cf970d 2874 unsigned flags)
1da177e4 2875{
b782e0a6 2876 struct common_audit_data ad;
d4cf970d
EP		 2877 struct inode_security_struct *isec = inode->i_security;
2878 int rc;
2879
50c205f5 2880 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 2881 ad.u.inode = inode;
2882
2883 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
626b9740 2884 audited, denied, result, &ad, flags);
d4cf970d
EP		 2885 if (rc)
2886 return rc;
2887 return 0;
2888}
2889
e74f71eb 2890static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2891{
88e67f3b 2892 const struct cred *cred = current_cred();
b782e0a6
EP		 2893 u32 perms;
2894 bool from_access;
cf1dd1da 2895 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 2896 struct inode_security_struct *isec;
2897 u32 sid;
2898 struct av_decision avd;
2899 int rc, rc2;
2900 u32 audited, denied;
1da177e4 2901
b782e0a6 2902 from_access = mask & MAY_ACCESS;
d09ca739
EP		 2903 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2904
b782e0a6
EP		 2905 /* No permission to check. Existence test. */
2906 if (!mask)
1da177e4 2907 return 0;
1da177e4 2908
2e334057 2909 validate_creds(cred);
b782e0a6 2910
2e334057
EP		 2911 if (unlikely(IS_PRIVATE(inode)))
2912 return 0;
b782e0a6
EP		 2913
2914 perms = file_mask_to_av(inode->i_mode, mask);
2915
2e334057
EP		 2916 sid = cred_sid(cred);
2917 isec = inode->i_security;
2918
2919 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2920 audited = avc_audit_required(perms, &avd, rc,
2921 from_access ? FILE__AUDIT_ACCESS : 0,
2922 &denied);
2923 if (likely(!audited))
2924 return rc;
2925
626b9740 2926 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 2927 if (rc2)
2928 return rc2;
2929 return rc;
1da177e4
LT		 2930}
2931
2932static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2933{
88e67f3b 2934 const struct cred *cred = current_cred();
bc6a6008 2935 unsigned int ia_valid = iattr->ia_valid;
95dbf739 2936 __u32 av = FILE__WRITE;
1da177e4 2937
bc6a6008
AW		 2938 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2939 if (ia_valid & ATTR_FORCE) {
2940 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2941 ATTR_FORCE);
2942 if (!ia_valid)
2943 return 0;
2944 }
1da177e4 2945
bc6a6008
AW		 2946 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2947 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 2948 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 2949
3d2195c3 2950 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
95dbf739
EP		 2951 av |= FILE__OPEN;
2952
2953 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 2954}
2955
3f7036a0 2956static int selinux_inode_getattr(const struct path *path)
1da177e4 2957{
3f7036a0 2958 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 2959}
2960
8f0cfa52 2961static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 2962{
88e67f3b
DH		 2963 const struct cred *cred = current_cred();
2964
b5376771
SH		 2965 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2966 sizeof XATTR_SECURITY_PREFIX - 1)) {
2967 if (!strcmp(name, XATTR_NAME_CAPS)) {
2968 if (!capable(CAP_SETFCAP))
2969 return -EPERM;
2970 } else if (!capable(CAP_SYS_ADMIN)) {
2971 /* A different attribute in the security namespace.
2972 Restrict to administrator. */
2973 return -EPERM;
2974 }
2975 }
2976
2977 /* Not an attribute we recognize, so just check the
2978 ordinary setattr permission. */
2875fa00 2979 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 2980}
2981
8f0cfa52
DH		 2982static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2983 const void *value, size_t size, int flags)
1da177e4 2984{
1da177e4
LT		 2985 struct inode *inode = dentry->d_inode;
2986 struct inode_security_struct *isec = inode->i_security;
2987 struct superblock_security_struct *sbsec;
2bf49690 2988 struct common_audit_data ad;
275bb41e 2989 u32 newsid, sid = current_sid();
1da177e4
LT		 2990 int rc = 0;
2991
b5376771
SH		 2992 if (strcmp(name, XATTR_NAME_SELINUX))
2993 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2994
2995 sbsec = inode->i_sb->s_security;
12f348b9 2996 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 2997 return -EOPNOTSUPP;
2998
2e149670 2999 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3000 return -EPERM;
3001
50c205f5 3002 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3003 ad.u.dentry = dentry;
1da177e4 3004
275bb41e 3005 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 3006 FILE__RELABELFROM, &ad);
3007 if (rc)
3008 return rc;
3009
52a4c640 3010 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
12b29f34 3011 if (rc == -EINVAL) {
d6ea83ec
EP		 3012 if (!capable(CAP_MAC_ADMIN)) {
3013 struct audit_buffer *ab;
3014 size_t audit_size;
3015 const char *str;
3016
3017 /* We strip a nul only if it is at the end, otherwise the
3018 * context contains a nul and we should audit that */
e3fea3f7
AV		 3019 if (value) {
3020 str = value;
3021 if (str[size - 1] == '\0')
3022 audit_size = size - 1;
3023 else
3024 audit_size = size;
3025 } else {
3026 str = "";
3027 audit_size = 0;
3028 }
d6ea83ec
EP		 3029 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3030 audit_log_format(ab, "op=setxattr invalid_context=");
3031 audit_log_n_untrustedstring(ab, value, audit_size);
3032 audit_log_end(ab);
3033
12b29f34 3034 return rc;
d6ea83ec 3035 }
12b29f34
SS		 3036 rc = security_context_to_sid_force(value, size, &newsid);
3037 }
1da177e4
LT		 3038 if (rc)
3039 return rc;
3040
275bb41e 3041 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3042 FILE__RELABELTO, &ad);
3043 if (rc)
3044 return rc;
3045
275bb41e 3046 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 3047 isec->sclass);
1da177e4
LT		 3048 if (rc)
3049 return rc;
3050
3051 return avc_has_perm(newsid,
3052 sbsec->sid,
3053 SECCLASS_FILESYSTEM,
3054 FILESYSTEM__ASSOCIATE,
3055 &ad);
3056}
3057
8f0cfa52 3058static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3059 const void *value, size_t size,
8f0cfa52 3060 int flags)
1da177e4
LT		 3061{
3062 struct inode *inode = dentry->d_inode;
3063 struct inode_security_struct *isec = inode->i_security;
3064 u32 newsid;
3065 int rc;
3066
3067 if (strcmp(name, XATTR_NAME_SELINUX)) {
3068 /* Not an attribute we recognize, so nothing to do. */
3069 return;
3070 }
3071
12b29f34 3072 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 3073 if (rc) {
12b29f34
SS		 3074 printk(KERN_ERR "SELinux: unable to map context to SID"
3075 "for (%s, %lu), rc=%d\n",
3076 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3077 return;
3078 }
3079
aa9c2669 3080 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3081 isec->sid = newsid;
aa9c2669
DQ		 3082 isec->initialized = 1;
3083
1da177e4
LT		 3084 return;
3085}
3086
8f0cfa52 3087static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3088{
88e67f3b
DH		 3089 const struct cred *cred = current_cred();
3090
2875fa00 3091 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3092}
3093
828dfe1d 3094static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3095{
88e67f3b
DH		 3096 const struct cred *cred = current_cred();
3097
2875fa00 3098 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3099}
3100
8f0cfa52 3101static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3102{
b5376771
SH		 3103 if (strcmp(name, XATTR_NAME_SELINUX))
3104 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3105
3106 /* No one is allowed to remove a SELinux security label.
3107 You can change the label, but all data must be labeled. */
3108 return -EACCES;
3109}
3110
d381d8a9 3111/*
abc69bb6 3112 * Copy the inode security context value to the user.
d381d8a9
JM		 3113 *
3114 * Permission check is handled by selinux_inode_getxattr hook.
3115 */
42492594 3116static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3117{
42492594
DQ		 3118 u32 size;
3119 int error;
3120 char *context = NULL;
1da177e4 3121 struct inode_security_struct *isec = inode->i_security;
d381d8a9 3122
8c8570fb
DK		 3123 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3124 return -EOPNOTSUPP;
d381d8a9 3125
abc69bb6
SS		 3126 /*
3127 * If the caller has CAP_MAC_ADMIN, then get the raw context
3128 * value even if it is not defined by current policy; otherwise,
3129 * use the in-core value under current policy.
3130 * Use the non-auditing forms of the permission checks since
3131 * getxattr may be called by unprivileged processes commonly
3132 * and lack of permission just means that we fall back to the
3133 * in-core context value, not a denial.
3134 */
6a9de491 3135 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3699c53c 3136 SECURITY_CAP_NOAUDIT);
abc69bb6
SS		 3137 if (!error)
3138 error = security_sid_to_context_force(isec->sid, &context,
3139 &size);
3140 else
3141 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3142 if (error)
3143 return error;
3144 error = size;
3145 if (alloc) {
3146 *buffer = context;
3147 goto out_nofree;
3148 }
3149 kfree(context);
3150out_nofree:
3151 return error;
1da177e4
LT		 3152}
3153
3154static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3155 const void *value, size_t size, int flags)
1da177e4
LT		 3156{
3157 struct inode_security_struct *isec = inode->i_security;
3158 u32 newsid;
3159 int rc;
3160
3161 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3162 return -EOPNOTSUPP;
3163
3164 if (!value || !size)
3165 return -EACCES;
3166
52a4c640 3167 rc = security_context_to_sid((void *)value, size, &newsid, GFP_KERNEL);
1da177e4
LT		 3168 if (rc)
3169 return rc;
3170
aa9c2669 3171 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3172 isec->sid = newsid;
ddd29ec6 3173 isec->initialized = 1;
1da177e4
LT		 3174 return 0;
3175}
3176
3177static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3178{
3179 const int len = sizeof(XATTR_NAME_SELINUX);
3180 if (buffer && len <= buffer_size)
3181 memcpy(buffer, XATTR_NAME_SELINUX, len);
3182 return len;
3183}
3184
713a04ae
AD		 3185static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3186{
3187 struct inode_security_struct *isec = inode->i_security;
3188 *secid = isec->sid;
3189}
3190
1da177e4
LT		 3191/* file security operations */
3192
788e7dd4 3193static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3194{
88e67f3b 3195 const struct cred *cred = current_cred();
496ad9aa 3196 struct inode *inode = file_inode(file);
1da177e4 3197
1da177e4
LT		 3198 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3199 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3200 mask |= MAY_APPEND;
3201
389fb800
PM		 3202 return file_has_perm(cred, file,
3203 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3204}
3205
788e7dd4
YN		 3206static int selinux_file_permission(struct file *file, int mask)
3207{
496ad9aa 3208 struct inode *inode = file_inode(file);
20dda18b
SS		 3209 struct file_security_struct *fsec = file->f_security;
3210 struct inode_security_struct *isec = inode->i_security;
3211 u32 sid = current_sid();
3212
389fb800 3213 if (!mask)
788e7dd4
YN		 3214 /* No permission to check. Existence test. */
3215 return 0;
788e7dd4 3216
20dda18b
SS		 3217 if (sid == fsec->sid && fsec->isid == isec->sid &&
3218 fsec->pseqno == avc_policy_seqno())
83d49856 3219 /* No change since file_open check. */
20dda18b
SS		 3220 return 0;
3221
788e7dd4
YN		 3222 return selinux_revalidate_file_permission(file, mask);
3223}
3224
1da177e4
LT		 3225static int selinux_file_alloc_security(struct file *file)
3226{
3227 return file_alloc_security(file);
3228}
3229
3230static void selinux_file_free_security(struct file *file)
3231{
3232 file_free_security(file);
3233}
3234
3235static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3236 unsigned long arg)
3237{
88e67f3b 3238 const struct cred *cred = current_cred();
0b24dcb7 3239 int error = 0;
1da177e4 3240
0b24dcb7
EP		 3241 switch (cmd) {
3242 case FIONREAD:
3243 /* fall through */
3244 case FIBMAP:
3245 /* fall through */
3246 case FIGETBSZ:
3247 /* fall through */
2f99c369 3248 case FS_IOC_GETFLAGS:
0b24dcb7 3249 /* fall through */
2f99c369 3250 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3251 error = file_has_perm(cred, file, FILE__GETATTR);
3252 break;
1da177e4 3253
2f99c369 3254 case FS_IOC_SETFLAGS:
0b24dcb7 3255 /* fall through */
2f99c369 3256 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3257 error = file_has_perm(cred, file, FILE__SETATTR);
3258 break;
3259
3260 /* sys_ioctl() checks */
3261 case FIONBIO:
3262 /* fall through */
3263 case FIOASYNC:
3264 error = file_has_perm(cred, file, 0);
3265 break;
1da177e4 3266
0b24dcb7
EP		 3267 case KDSKBENT:
3268 case KDSKBSENT:
6a9de491
EP		 3269 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3270 SECURITY_CAP_AUDIT);
0b24dcb7
EP		 3271 break;
3272
3273 /* default case assumes that the command will go
3274 * to the file's ioctl() function.
3275 */
3276 default:
3277 error = file_has_perm(cred, file, FILE__IOCTL);
3278 }
3279 return error;
1da177e4
LT		 3280}
3281
fcaaade1
SS		 3282static int default_noexec;
3283
1da177e4
LT		 3284static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3285{
88e67f3b 3286 const struct cred *cred = current_cred();
d84f4f99 3287 int rc = 0;
88e67f3b 3288
fcaaade1
SS		 3289 if (default_noexec &&
3290 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3291 /*
3292 * We are making executable an anonymous mapping or a
3293 * private file mapping that will also be writable.
3294 * This has an additional check.
3295 */
d84f4f99 3296 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 3297 if (rc)
d84f4f99 3298 goto error;
1da177e4 3299 }
1da177e4
LT		 3300
3301 if (file) {
3302 /* read access is always possible with a mapping */
3303 u32 av = FILE__READ;
3304
3305 /* write access only matters if the mapping is shared */
3306 if (shared && (prot & PROT_WRITE))
3307 av |= FILE__WRITE;
3308
3309 if (prot & PROT_EXEC)
3310 av |= FILE__EXECUTE;
3311
88e67f3b 3312 return file_has_perm(cred, file, av);
1da177e4 3313 }
d84f4f99
DH		 3314
3315error:
3316 return rc;
1da177e4
LT		 3317}
3318
e5467859 3319static int selinux_mmap_addr(unsigned long addr)
1da177e4 3320{
98883bfd
PM		 3321 int rc;
3322
3323 /* do DAC check on address space usage */
3324 rc = cap_mmap_addr(addr);
3325 if (rc)
3326 return rc;
1da177e4 3327
a2551df7 3328 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3329 u32 sid = current_sid();
ed032189
EP		 3330 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3331 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3332 }
3333
98883bfd 3334 return rc;
e5467859 3335}
1da177e4 3336
e5467859
AV		 3337static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3338 unsigned long prot, unsigned long flags)
3339{
1da177e4
LT		 3340 if (selinux_checkreqprot)
3341 prot = reqprot;
3342
3343 return file_map_prot_check(file, prot,
3344 (flags & MAP_TYPE) == MAP_SHARED);
3345}
3346
3347static int selinux_file_mprotect(struct vm_area_struct *vma,
3348 unsigned long reqprot,
3349 unsigned long prot)
3350{
88e67f3b 3351 const struct cred *cred = current_cred();
1da177e4
LT		 3352
3353 if (selinux_checkreqprot)
3354 prot = reqprot;
3355
fcaaade1
SS		 3356 if (default_noexec &&
3357 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3358 int rc = 0;
db4c9641
SS		 3359 if (vma->vm_start >= vma->vm_mm->start_brk &&
3360 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3361 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641
SS		 3362 } else if (!vma->vm_file &&
3363 vma->vm_start <= vma->vm_mm->start_stack &&
3364 vma->vm_end >= vma->vm_mm->start_stack) {
3b11a1de 3365 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3366 } else if (vma->vm_file && vma->anon_vma) {
3367 /*
3368 * We are making executable a file mapping that has
3369 * had some COW done. Since pages might have been
3370 * written, check ability to execute the possibly
3371 * modified content. This typically should only
3372 * occur for text relocations.
3373 */
d84f4f99 3374 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3375 }