]> Git Repo - linux.git/blame - security/selinux/hooks.c
projects / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
SELinux: Only store the network interface's ifindex
[linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <[email protected]>
7 * Chris Vance, <[email protected]>
8 * Wayne Salamon, <[email protected]>
9 * James Morris <[email protected]>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <[email protected]>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <[email protected]>
7420ed23
VY		 15 * Copyright (C) 2006 Hewlett-Packard Development Company, L.P.
16 * Paul Moore, <[email protected]>
788e7dd4
YN		 17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <[email protected]>
1da177e4
LT		 19 *
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
23 */
24
1da177e4
LT		 25#include <linux/init.h>
26#include <linux/kernel.h>
27#include <linux/ptrace.h>
28#include <linux/errno.h>
29#include <linux/sched.h>
30#include <linux/security.h>
31#include <linux/xattr.h>
32#include <linux/capability.h>
33#include <linux/unistd.h>
34#include <linux/mm.h>
35#include <linux/mman.h>
36#include <linux/slab.h>
37#include <linux/pagemap.h>
38#include <linux/swap.h>
1da177e4
LT		 39#include <linux/spinlock.h>
40#include <linux/syscalls.h>
41#include <linux/file.h>
42#include <linux/namei.h>
43#include <linux/mount.h>
44#include <linux/ext2_fs.h>
45#include <linux/proc_fs.h>
46#include <linux/kd.h>
47#include <linux/netfilter_ipv4.h>
48#include <linux/netfilter_ipv6.h>
49#include <linux/tty.h>
50#include <net/icmp.h>
227b60f5 51#include <net/ip.h> /* for local_port_range[] */
1da177e4
LT		 52#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53#include <asm/uaccess.h>
1da177e4
LT		 54#include <asm/ioctls.h>
55#include <linux/bitops.h>
56#include <linux/interrupt.h>
57#include <linux/netdevice.h> /* for network interface checks */
58#include <linux/netlink.h>
59#include <linux/tcp.h>
60#include <linux/udp.h>
2ee92d46 61#include <linux/dccp.h>
1da177e4
LT		 62#include <linux/quota.h>
63#include <linux/un.h> /* for Unix socket types */
64#include <net/af_unix.h> /* for Unix socket types */
65#include <linux/parser.h>
66#include <linux/nfs_mount.h>
67#include <net/ipv6.h>
68#include <linux/hugetlb.h>
69#include <linux/personality.h>
70#include <linux/sysctl.h>
71#include <linux/audit.h>
6931dfc9 72#include <linux/string.h>
877ce7c1 73#include <linux/selinux.h>
23970741 74#include <linux/mutex.h>
1da177e4
LT		 75
76#include "avc.h"
77#include "objsec.h"
78#include "netif.h"
d28d1e08 79#include "xfrm.h"
c60475bf 80#include "netlabel.h"
1da177e4
LT		 81
82#define XATTR_SELINUX_SUFFIX "selinux"
83#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
84
c9180a57
EP		 85#define NUM_SEL_MNT_OPTS 4
86
1da177e4
LT		 87extern unsigned int policydb_loaded_version;
88extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
4e5ab4cb 89extern int selinux_compat_net;
20510f2f 90extern struct security_operations *security_ops;
1da177e4
LT		 91
92#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
93int selinux_enforcing = 0;
94
95static int __init enforcing_setup(char *str)
96{
97 selinux_enforcing = simple_strtol(str,NULL,0);
98 return 1;
99}
100__setup("enforcing=", enforcing_setup);
101#endif
102
103#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
104int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
105
106static int __init selinux_enabled_setup(char *str)
107{
108 selinux_enabled = simple_strtol(str, NULL, 0);
109 return 1;
110}
111__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 112#else
113int selinux_enabled = 1;
1da177e4
LT		 114#endif
115
116/* Original (dummy) security module. */
117static struct security_operations *original_ops = NULL;
118
119/* Minimal support for a secondary security module,
120 just to allow the use of the dummy or capability modules.
121 The owlsm module can alternatively be used as a secondary
122 module as long as CONFIG_OWLSM_FD is not enabled. */
123static struct security_operations *secondary_ops = NULL;
124
125/* Lists of inode and superblock security structures initialized
126 before the policy was loaded. */
127static LIST_HEAD(superblock_security_head);
128static DEFINE_SPINLOCK(sb_security_lock);
129
e18b890b 130static struct kmem_cache *sel_inode_cache;
7cae7e26 131
8c8570fb
DK		 132/* Return security context for a given sid or just the context
133 length if the buffer is null or length is 0 */
134static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
135{
136 char *context;
137 unsigned len;
138 int rc;
139
140 rc = security_sid_to_context(sid, &context, &len);
141 if (rc)
142 return rc;
143
144 if (!buffer || !size)
145 goto getsecurity_exit;
146
147 if (size < len) {
148 len = -ERANGE;
149 goto getsecurity_exit;
150 }
151 memcpy(buffer, context, len);
152
153getsecurity_exit:
154 kfree(context);
155 return len;
156}
157
1da177e4
LT		 158/* Allocate and free functions for each kind of security blob. */
159
160static int task_alloc_security(struct task_struct *task)
161{
162 struct task_security_struct *tsec;
163
89d155ef 164 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4
LT		 165 if (!tsec)
166 return -ENOMEM;
167
1da177e4
LT		 168 tsec->task = task;
169 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
170 task->security = tsec;
171
172 return 0;
173}
174
175static void task_free_security(struct task_struct *task)
176{
177 struct task_security_struct *tsec = task->security;
1da177e4
LT		 178 task->security = NULL;
179 kfree(tsec);
180}
181
182static int inode_alloc_security(struct inode *inode)
183{
184 struct task_security_struct *tsec = current->security;
185 struct inode_security_struct *isec;
186
c3762229 187 isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
1da177e4
LT		 188 if (!isec)
189 return -ENOMEM;
190
23970741 191 mutex_init(&isec->lock);
1da177e4 192 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 193 isec->inode = inode;
194 isec->sid = SECINITSID_UNLABELED;
195 isec->sclass = SECCLASS_FILE;
9ac49d22 196 isec->task_sid = tsec->sid;
1da177e4
LT		 197 inode->i_security = isec;
198
199 return 0;
200}
201
202static void inode_free_security(struct inode *inode)
203{
204 struct inode_security_struct *isec = inode->i_security;
205 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
206
1da177e4
LT		 207 spin_lock(&sbsec->isec_lock);
208 if (!list_empty(&isec->list))
209 list_del_init(&isec->list);
210 spin_unlock(&sbsec->isec_lock);
211
212 inode->i_security = NULL;
7cae7e26 213 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 214}
215
216static int file_alloc_security(struct file *file)
217{
218 struct task_security_struct *tsec = current->security;
219 struct file_security_struct *fsec;
220
26d2a4be 221 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 222 if (!fsec)
223 return -ENOMEM;
224
1da177e4 225 fsec->file = file;
9ac49d22
SS		 226 fsec->sid = tsec->sid;
227 fsec->fown_sid = tsec->sid;
1da177e4
LT		 228 file->f_security = fsec;
229
230 return 0;
231}
232
233static void file_free_security(struct file *file)
234{
235 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 236 file->f_security = NULL;
237 kfree(fsec);
238}
239
240static int superblock_alloc_security(struct super_block *sb)
241{
242 struct superblock_security_struct *sbsec;
243
89d155ef 244 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 245 if (!sbsec)
246 return -ENOMEM;
247
bc7e982b 248 mutex_init(&sbsec->lock);
1da177e4
LT		 249 INIT_LIST_HEAD(&sbsec->list);
250 INIT_LIST_HEAD(&sbsec->isec_head);
251 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 252 sbsec->sb = sb;
253 sbsec->sid = SECINITSID_UNLABELED;
254 sbsec->def_sid = SECINITSID_FILE;
c312feb2 255 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 256 sb->s_security = sbsec;
257
258 return 0;
259}
260
261static void superblock_free_security(struct super_block *sb)
262{
263 struct superblock_security_struct *sbsec = sb->s_security;
264
1da177e4
LT		 265 spin_lock(&sb_security_lock);
266 if (!list_empty(&sbsec->list))
267 list_del_init(&sbsec->list);
268 spin_unlock(&sb_security_lock);
269
270 sb->s_security = NULL;
271 kfree(sbsec);
272}
273
7d877f3b 274static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4
LT		 275{
276 struct sk_security_struct *ssec;
277
89d155ef 278 ssec = kzalloc(sizeof(*ssec), priority);
1da177e4
LT		 279 if (!ssec)
280 return -ENOMEM;
281
1da177e4
LT		 282 ssec->sk = sk;
283 ssec->peer_sid = SECINITSID_UNLABELED;
892c141e 284 ssec->sid = SECINITSID_UNLABELED;
1da177e4
LT		 285 sk->sk_security = ssec;
286
99f59ed0
PM		 287 selinux_netlbl_sk_security_init(ssec, family);
288
1da177e4
LT		 289 return 0;
290}
291
292static void sk_free_security(struct sock *sk)
293{
294 struct sk_security_struct *ssec = sk->sk_security;
295
1da177e4
LT		 296 sk->sk_security = NULL;
297 kfree(ssec);
298}
1da177e4
LT		 299
300/* The security server must be initialized before
301 any labeling or access decisions can be provided. */
302extern int ss_initialized;
303
304/* The file system's label must be initialized prior to use. */
305
306static char *labeling_behaviors[6] = {
307 "uses xattr",
308 "uses transition SIDs",
309 "uses task SIDs",
310 "uses genfs_contexts",
311 "not configured for labeling",
312 "uses mountpoint labeling",
313};
314
315static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
316
317static inline int inode_doinit(struct inode *inode)
318{
319 return inode_doinit_with_dentry(inode, NULL);
320}
321
322enum {
31e87930 323 Opt_error = -1,
1da177e4
LT		 324 Opt_context = 1,
325 Opt_fscontext = 2,
c9180a57
EP		 326 Opt_defcontext = 3,
327 Opt_rootcontext = 4,
1da177e4
LT		 328};
329
330static match_table_t tokens = {
331 {Opt_context, "context=%s"},
332 {Opt_fscontext, "fscontext=%s"},
333 {Opt_defcontext, "defcontext=%s"},
0808925e 334 {Opt_rootcontext, "rootcontext=%s"},
31e87930 335 {Opt_error, NULL},
1da177e4
LT		 336};
337
338#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
339
c312feb2
EP		 340static int may_context_mount_sb_relabel(u32 sid,
341 struct superblock_security_struct *sbsec,
342 struct task_security_struct *tsec)
343{
344 int rc;
345
346 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
347 FILESYSTEM__RELABELFROM, NULL);
348 if (rc)
349 return rc;
350
351 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
352 FILESYSTEM__RELABELTO, NULL);
353 return rc;
354}
355
0808925e
EP		 356static int may_context_mount_inode_relabel(u32 sid,
357 struct superblock_security_struct *sbsec,
358 struct task_security_struct *tsec)
359{
360 int rc;
361 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
362 FILESYSTEM__RELABELFROM, NULL);
363 if (rc)
364 return rc;
365
366 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
367 FILESYSTEM__ASSOCIATE, NULL);
368 return rc;
369}
370
c9180a57 371static int sb_finish_set_opts(struct super_block *sb)
1da177e4 372{
1da177e4 373 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 374 struct dentry *root = sb->s_root;
375 struct inode *root_inode = root->d_inode;
376 int rc = 0;
1da177e4 377
c9180a57
EP		 378 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
379 /* Make sure that the xattr handler exists and that no
380 error other than -ENODATA is returned by getxattr on
381 the root directory. -ENODATA is ok, as this may be
382 the first boot of the SELinux kernel before we have
383 assigned xattr values to the filesystem. */
384 if (!root_inode->i_op->getxattr) {
385 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
386 "xattr support\n", sb->s_id, sb->s_type->name);
387 rc = -EOPNOTSUPP;
388 goto out;
389 }
390 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
391 if (rc < 0 && rc != -ENODATA) {
392 if (rc == -EOPNOTSUPP)
393 printk(KERN_WARNING "SELinux: (dev %s, type "
394 "%s) has no security xattr handler\n",
395 sb->s_id, sb->s_type->name);
396 else
397 printk(KERN_WARNING "SELinux: (dev %s, type "
398 "%s) getxattr errno %d\n", sb->s_id,
399 sb->s_type->name, -rc);
400 goto out;
401 }
402 }
1da177e4 403
c9180a57 404 sbsec->initialized = 1;
1da177e4 405
c9180a57
EP		 406 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
407 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
408 sb->s_id, sb->s_type->name);
409 else
410 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
411 sb->s_id, sb->s_type->name,
412 labeling_behaviors[sbsec->behavior-1]);
1da177e4 413
c9180a57
EP		 414 /* Initialize the root inode. */
415 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 416
c9180a57
EP		 417 /* Initialize any other inodes associated with the superblock, e.g.
418 inodes created prior to initial policy load or inodes created
419 during get_sb by a pseudo filesystem that directly
420 populates itself. */
421 spin_lock(&sbsec->isec_lock);
422next_inode:
423 if (!list_empty(&sbsec->isec_head)) {
424 struct inode_security_struct *isec =
425 list_entry(sbsec->isec_head.next,
426 struct inode_security_struct, list);
427 struct inode *inode = isec->inode;
428 spin_unlock(&sbsec->isec_lock);
429 inode = igrab(inode);
430 if (inode) {
431 if (!IS_PRIVATE(inode))
432 inode_doinit(inode);
433 iput(inode);
434 }
435 spin_lock(&sbsec->isec_lock);
436 list_del_init(&isec->list);
437 goto next_inode;
438 }
439 spin_unlock(&sbsec->isec_lock);
440out:
441 return rc;
442}
1da177e4 443
c9180a57
EP		 444/*
445 * This function should allow an FS to ask what it's mount security
446 * options were so it can use those later for submounts, displaying
447 * mount options, or whatever.
448 */
449static int selinux_get_mnt_opts(const struct super_block *sb,
450 char ***mount_options, int **mnt_opts_flags,
451 int *num_opts)
452{
453 int rc = 0, i;
454 struct superblock_security_struct *sbsec = sb->s_security;
455 char *context = NULL;
456 u32 len;
457 char tmp;
1da177e4 458
c9180a57
EP		 459 *num_opts = 0;
460 *mount_options = NULL;
461 *mnt_opts_flags = NULL;
1da177e4 462
c9180a57
EP		 463 if (!sbsec->initialized)
464 return -EINVAL;
1da177e4 465
c9180a57
EP		 466 if (!ss_initialized)
467 return -EINVAL;
1da177e4 468
c9180a57
EP		 469 /*
470 * if we ever use sbsec flags for anything other than tracking mount
471 * settings this is going to need a mask
472 */
473 tmp = sbsec->flags;
474 /* count the number of mount options for this sb */
475 for (i = 0; i < 8; i++) {
476 if (tmp & 0x01)
477 (*num_opts)++;
478 tmp >>= 1;
479 }
1da177e4 480
c9180a57
EP		 481 *mount_options = kcalloc(*num_opts, sizeof(char *), GFP_ATOMIC);
482 if (!*mount_options) {
483 rc = -ENOMEM;
484 goto out_free;
485 }
1da177e4 486
c9180a57
EP		 487 *mnt_opts_flags = kcalloc(*num_opts, sizeof(int), GFP_ATOMIC);
488 if (!*mnt_opts_flags) {
489 rc = -ENOMEM;
490 goto out_free;
491 }
1da177e4 492
c9180a57
EP		 493 i = 0;
494 if (sbsec->flags & FSCONTEXT_MNT) {
495 rc = security_sid_to_context(sbsec->sid, &context, &len);
496 if (rc)
497 goto out_free;
498 (*mount_options)[i] = context;
499 (*mnt_opts_flags)[i++] = FSCONTEXT_MNT;
500 }
501 if (sbsec->flags & CONTEXT_MNT) {
502 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
503 if (rc)
504 goto out_free;
505 (*mount_options)[i] = context;
506 (*mnt_opts_flags)[i++] = CONTEXT_MNT;
507 }
508 if (sbsec->flags & DEFCONTEXT_MNT) {
509 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
510 if (rc)
511 goto out_free;
512 (*mount_options)[i] = context;
513 (*mnt_opts_flags)[i++] = DEFCONTEXT_MNT;
514 }
515 if (sbsec->flags & ROOTCONTEXT_MNT) {
516 struct inode *root = sbsec->sb->s_root->d_inode;
517 struct inode_security_struct *isec = root->i_security;
0808925e 518
c9180a57
EP		 519 rc = security_sid_to_context(isec->sid, &context, &len);
520 if (rc)
521 goto out_free;
522 (*mount_options)[i] = context;
523 (*mnt_opts_flags)[i++] = ROOTCONTEXT_MNT;
524 }
1da177e4 525
c9180a57 526 BUG_ON(i != *num_opts);
1da177e4 527
c9180a57
EP		 528 return 0;
529
530out_free:
531 /* don't leak context string if security_sid_to_context had an error */
532 if (*mount_options && i)
533 for (; i > 0; i--)
534 kfree((*mount_options)[i-1]);
535 kfree(*mount_options);
536 *mount_options = NULL;
537 kfree(*mnt_opts_flags);
538 *mnt_opts_flags = NULL;
539 *num_opts = 0;
540 return rc;
541}
1da177e4 542
c9180a57
EP		 543static int bad_option(struct superblock_security_struct *sbsec, char flag,
544 u32 old_sid, u32 new_sid)
545{
546 /* check if the old mount command had the same options */
547 if (sbsec->initialized)
548 if (!(sbsec->flags & flag) ||
549 (old_sid != new_sid))
550 return 1;
551
552 /* check if we were passed the same options twice,
553 * aka someone passed context=a,context=b
554 */
555 if (!sbsec->initialized)
556 if (sbsec->flags & flag)
557 return 1;
558 return 0;
559}
560/*
561 * Allow filesystems with binary mount data to explicitly set mount point
562 * labeling information.
563 */
564int selinux_set_mnt_opts(struct super_block *sb, char **mount_options,
565 int *flags, int num_opts)
566{
567 int rc = 0, i;
568 struct task_security_struct *tsec = current->security;
569 struct superblock_security_struct *sbsec = sb->s_security;
570 const char *name = sb->s_type->name;
571 struct inode *inode = sbsec->sb->s_root->d_inode;
572 struct inode_security_struct *root_isec = inode->i_security;
573 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
574 u32 defcontext_sid = 0;
575
576 mutex_lock(&sbsec->lock);
577
578 if (!ss_initialized) {
579 if (!num_opts) {
580 /* Defer initialization until selinux_complete_init,
581 after the initial policy is loaded and the security
582 server is ready to handle calls. */
583 spin_lock(&sb_security_lock);
584 if (list_empty(&sbsec->list))
585 list_add(&sbsec->list, &superblock_security_head);
586 spin_unlock(&sb_security_lock);
587 goto out;
588 }
589 rc = -EINVAL;
590 printk(KERN_WARNING "Unable to set superblock options before "
591 "the security server is initialized\n");
1da177e4 592 goto out;
c9180a57 593 }
1da177e4 594
c9180a57
EP		 595 /*
596 * parse the mount options, check if they are valid sids.
597 * also check if someone is trying to mount the same sb more
598 * than once with different security options.
599 */
600 for (i = 0; i < num_opts; i++) {
601 u32 sid;
602 rc = security_context_to_sid(mount_options[i],
603 strlen(mount_options[i]), &sid);
1da177e4
LT		 604 if (rc) {
605 printk(KERN_WARNING "SELinux: security_context_to_sid"
606 "(%s) failed for (dev %s, type %s) errno=%d\n",
c9180a57
EP		 607 mount_options[i], sb->s_id, name, rc);
608 goto out;
609 }
610 switch (flags[i]) {
611 case FSCONTEXT_MNT:
612 fscontext_sid = sid;
613
614 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
615 fscontext_sid))
616 goto out_double_mount;
617
618 sbsec->flags |= FSCONTEXT_MNT;
619 break;
620 case CONTEXT_MNT:
621 context_sid = sid;
622
623 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
624 context_sid))
625 goto out_double_mount;
626
627 sbsec->flags |= CONTEXT_MNT;
628 break;
629 case ROOTCONTEXT_MNT:
630 rootcontext_sid = sid;
631
632 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
633 rootcontext_sid))
634 goto out_double_mount;
635
636 sbsec->flags |= ROOTCONTEXT_MNT;
637
638 break;
639 case DEFCONTEXT_MNT:
640 defcontext_sid = sid;
641
642 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
643 defcontext_sid))
644 goto out_double_mount;
645
646 sbsec->flags |= DEFCONTEXT_MNT;
647
648 break;
649 default:
650 rc = -EINVAL;
651 goto out;
1da177e4 652 }
c9180a57
EP		 653 }
654
655 if (sbsec->initialized) {
656 /* previously mounted with options, but not on this attempt? */
657 if (sbsec->flags && !num_opts)
658 goto out_double_mount;
659 rc = 0;
660 goto out;
661 }
662
663 if (strcmp(sb->s_type->name, "proc") == 0)
664 sbsec->proc = 1;
665
666 /* Determine the labeling behavior to use for this filesystem type. */
667 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
668 if (rc) {
669 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
670 __FUNCTION__, sb->s_type->name, rc);
671 goto out;
672 }
1da177e4 673
c9180a57
EP		 674 /* sets the context of the superblock for the fs being mounted. */
675 if (fscontext_sid) {
676
677 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
1da177e4 678 if (rc)
c9180a57 679 goto out;
1da177e4 680
c9180a57 681 sbsec->sid = fscontext_sid;
c312feb2
EP		 682 }
683
684 /*
685 * Switch to using mount point labeling behavior.
686 * sets the label used on all file below the mountpoint, and will set
687 * the superblock context if not already set.
688 */
c9180a57
EP		 689 if (context_sid) {
690 if (!fscontext_sid) {
691 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
b04ea3ce 692 if (rc)
c9180a57
EP		 693 goto out;
694 sbsec->sid = context_sid;
b04ea3ce 695 } else {
c9180a57 696 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
b04ea3ce 697 if (rc)
c9180a57 698 goto out;
b04ea3ce 699 }
c9180a57
EP		 700 if (!rootcontext_sid)
701 rootcontext_sid = context_sid;
1da177e4 702
c9180a57 703 sbsec->mntpoint_sid = context_sid;
c312feb2 704 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 705 }
706
c9180a57
EP		 707 if (rootcontext_sid) {
708 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
0808925e 709 if (rc)
c9180a57 710 goto out;
0808925e 711
c9180a57
EP		 712 root_isec->sid = rootcontext_sid;
713 root_isec->initialized = 1;
0808925e
EP		 714 }
715
c9180a57
EP		 716 if (defcontext_sid) {
717 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
718 rc = -EINVAL;
719 printk(KERN_WARNING "SELinux: defcontext option is "
720 "invalid for this filesystem type\n");
721 goto out;
1da177e4
LT		 722 }
723
c9180a57
EP		 724 if (defcontext_sid != sbsec->def_sid) {
725 rc = may_context_mount_inode_relabel(defcontext_sid,
726 sbsec, tsec);
727 if (rc)
728 goto out;
729 }
1da177e4 730
c9180a57 731 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 732 }
733
c9180a57 734 rc = sb_finish_set_opts(sb);
1da177e4 735out:
c9180a57 736 mutex_unlock(&sbsec->lock);
1da177e4 737 return rc;
c9180a57
EP		 738out_double_mount:
739 rc = -EINVAL;
740 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
741 "security settings for (dev %s, type %s)\n", sb->s_id, name);
742 goto out;
1da177e4
LT		 743}
744
c9180a57
EP		 745static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
746 struct super_block *newsb)
1da177e4 747{
c9180a57
EP		 748 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
749 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 750
c9180a57
EP		 751 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
752 int set_context = (oldsbsec->flags & CONTEXT_MNT);
753 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 754
c9180a57
EP		 755 /* we can't error, we can't save the info, this shouldn't get called
756 * this early in the boot process. */
757 BUG_ON(!ss_initialized);
758
759 /* this might go away sometime down the line if there is a new user
760 * of clone, but for now, nfs better not get here... */
761 BUG_ON(newsbsec->initialized);
762
763 /* how can we clone if the old one wasn't set up?? */
764 BUG_ON(!oldsbsec->initialized);
765
766 mutex_lock(&newsbsec->lock);
767
768 newsbsec->flags = oldsbsec->flags;
769
770 newsbsec->sid = oldsbsec->sid;
771 newsbsec->def_sid = oldsbsec->def_sid;
772 newsbsec->behavior = oldsbsec->behavior;
773
774 if (set_context) {
775 u32 sid = oldsbsec->mntpoint_sid;
776
777 if (!set_fscontext)
778 newsbsec->sid = sid;
779 if (!set_rootcontext) {
780 struct inode *newinode = newsb->s_root->d_inode;
781 struct inode_security_struct *newisec = newinode->i_security;
782 newisec->sid = sid;
783 }
784 newsbsec->mntpoint_sid = sid;
1da177e4 785 }
c9180a57
EP		 786 if (set_rootcontext) {
787 const struct inode *oldinode = oldsb->s_root->d_inode;
788 const struct inode_security_struct *oldisec = oldinode->i_security;
789 struct inode *newinode = newsb->s_root->d_inode;
790 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 791
c9180a57 792 newisec->sid = oldisec->sid;
1da177e4
LT		 793 }
794
c9180a57
EP		 795 sb_finish_set_opts(newsb);
796 mutex_unlock(&newsbsec->lock);
797}
798
799/*
800 * string mount options parsing and call set the sbsec
801 */
802static int superblock_doinit(struct super_block *sb, void *data)
803{
804 char *context = NULL, *defcontext = NULL;
805 char *fscontext = NULL, *rootcontext = NULL;
806 int rc = 0;
807 char *p, *options = data;
808 /* selinux only know about a fixed number of mount options */
809 char *mnt_opts[NUM_SEL_MNT_OPTS];
810 int mnt_opts_flags[NUM_SEL_MNT_OPTS], num_mnt_opts = 0;
811
812 if (!data)
1da177e4
LT		 813 goto out;
814
c9180a57
EP		 815 /* with the nfs patch this will become a goto out; */
816 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
817 const char *name = sb->s_type->name;
818 /* NFS we understand. */
819 if (!strcmp(name, "nfs")) {
820 struct nfs_mount_data *d = data;
821
822 if (d->version != NFS_MOUNT_VERSION)
823 goto out;
824
825 if (d->context[0]) {
826 context = kstrdup(d->context, GFP_KERNEL);
827 if (!context) {
828 rc = -ENOMEM;
829 goto out;
830 }
831 }
832 goto build_flags;
833 } else
1da177e4 834 goto out;
1da177e4
LT		 835 }
836
c9180a57
EP		 837 /* Standard string-based options. */
838 while ((p = strsep(&options, "|")) != NULL) {
839 int token;
840 substring_t args[MAX_OPT_ARGS];
1da177e4 841
c9180a57
EP		 842 if (!*p)
843 continue;
1da177e4 844
c9180a57 845 token = match_token(p, tokens, args);
1da177e4 846
c9180a57
EP		 847 switch (token) {
848 case Opt_context:
849 if (context || defcontext) {
850 rc = -EINVAL;
851 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
852 goto out_err;
853 }
854 context = match_strdup(&args[0]);
855 if (!context) {
856 rc = -ENOMEM;
857 goto out_err;
858 }
859 break;
860
861 case Opt_fscontext:
862 if (fscontext) {
863 rc = -EINVAL;
864 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
865 goto out_err;
866 }
867 fscontext = match_strdup(&args[0]);
868 if (!fscontext) {
869 rc = -ENOMEM;
870 goto out_err;
871 }
872 break;
873
874 case Opt_rootcontext:
875 if (rootcontext) {
876 rc = -EINVAL;
877 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
878 goto out_err;
879 }
880 rootcontext = match_strdup(&args[0]);
881 if (!rootcontext) {
882 rc = -ENOMEM;
883 goto out_err;
884 }
885 break;
886
887 case Opt_defcontext:
888 if (context || defcontext) {
889 rc = -EINVAL;
890 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
891 goto out_err;
892 }
893 defcontext = match_strdup(&args[0]);
894 if (!defcontext) {
895 rc = -ENOMEM;
896 goto out_err;
897 }
898 break;
899
900 default:
901 rc = -EINVAL;
902 printk(KERN_WARNING "SELinux: unknown mount option\n");
903 goto out_err;
1da177e4 904
1da177e4 905 }
1da177e4 906 }
c9180a57
EP		 907
908build_flags:
909 if (fscontext) {
910 mnt_opts[num_mnt_opts] = fscontext;
911 mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
912 }
913 if (context) {
914 mnt_opts[num_mnt_opts] = context;
915 mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
916 }
917 if (rootcontext) {
918 mnt_opts[num_mnt_opts] = rootcontext;
919 mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
920 }
921 if (defcontext) {
922 mnt_opts[num_mnt_opts] = defcontext;
923 mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
924 }
925
1da177e4 926out:
c9180a57
EP		 927 rc = selinux_set_mnt_opts(sb, mnt_opts, mnt_opts_flags, num_mnt_opts);
928out_err:
929 kfree(context);
930 kfree(defcontext);
931 kfree(fscontext);
932 kfree(rootcontext);
1da177e4
LT		 933 return rc;
934}
935
936static inline u16 inode_mode_to_security_class(umode_t mode)
937{
938 switch (mode & S_IFMT) {
939 case S_IFSOCK:
940 return SECCLASS_SOCK_FILE;
941 case S_IFLNK:
942 return SECCLASS_LNK_FILE;
943 case S_IFREG:
944 return SECCLASS_FILE;
945 case S_IFBLK:
946 return SECCLASS_BLK_FILE;
947 case S_IFDIR:
948 return SECCLASS_DIR;
949 case S_IFCHR:
950 return SECCLASS_CHR_FILE;
951 case S_IFIFO:
952 return SECCLASS_FIFO_FILE;
953
954 }
955
956 return SECCLASS_FILE;
957}
958
13402580
JM		 959static inline int default_protocol_stream(int protocol)
960{
961 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
962}
963
964static inline int default_protocol_dgram(int protocol)
965{
966 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
967}
968
1da177e4
LT		 969static inline u16 socket_type_to_security_class(int family, int type, int protocol)
970{
971 switch (family) {
972 case PF_UNIX:
973 switch (type) {
974 case SOCK_STREAM:
975 case SOCK_SEQPACKET:
976 return SECCLASS_UNIX_STREAM_SOCKET;
977 case SOCK_DGRAM:
978 return SECCLASS_UNIX_DGRAM_SOCKET;
979 }
980 break;
981 case PF_INET:
982 case PF_INET6:
983 switch (type) {
984 case SOCK_STREAM:
13402580
JM		 985 if (default_protocol_stream(protocol))
986 return SECCLASS_TCP_SOCKET;
987 else
988 return SECCLASS_RAWIP_SOCKET;
1da177e4 989 case SOCK_DGRAM:
13402580
JM		 990 if (default_protocol_dgram(protocol))
991 return SECCLASS_UDP_SOCKET;
992 else
993 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 994 case SOCK_DCCP:
995 return SECCLASS_DCCP_SOCKET;
13402580 996 default:
1da177e4
LT		 997 return SECCLASS_RAWIP_SOCKET;
998 }
999 break;
1000 case PF_NETLINK:
1001 switch (protocol) {
1002 case NETLINK_ROUTE:
1003 return SECCLASS_NETLINK_ROUTE_SOCKET;
1004 case NETLINK_FIREWALL:
1005 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 1006 case NETLINK_INET_DIAG:
1da177e4
LT		 1007 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1008 case NETLINK_NFLOG:
1009 return SECCLASS_NETLINK_NFLOG_SOCKET;
1010 case NETLINK_XFRM:
1011 return SECCLASS_NETLINK_XFRM_SOCKET;
1012 case NETLINK_SELINUX:
1013 return SECCLASS_NETLINK_SELINUX_SOCKET;
1014 case NETLINK_AUDIT:
1015 return SECCLASS_NETLINK_AUDIT_SOCKET;
1016 case NETLINK_IP6_FW:
1017 return SECCLASS_NETLINK_IP6FW_SOCKET;
1018 case NETLINK_DNRTMSG:
1019 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1020 case NETLINK_KOBJECT_UEVENT:
1021 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1022 default:
1023 return SECCLASS_NETLINK_SOCKET;
1024 }
1025 case PF_PACKET:
1026 return SECCLASS_PACKET_SOCKET;
1027 case PF_KEY:
1028 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1029 case PF_APPLETALK:
1030 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1031 }
1032
1033 return SECCLASS_SOCKET;
1034}
1035
1036#ifdef CONFIG_PROC_FS
1037static int selinux_proc_get_sid(struct proc_dir_entry *de,
1038 u16 tclass,
1039 u32 *sid)
1040{
1041 int buflen, rc;
1042 char *buffer, *path, *end;
1043
1044 buffer = (char*)__get_free_page(GFP_KERNEL);
1045 if (!buffer)
1046 return -ENOMEM;
1047
1048 buflen = PAGE_SIZE;
1049 end = buffer+buflen;
1050 *--end = '\0';
1051 buflen--;
1052 path = end-1;
1053 *path = '/';
1054 while (de && de != de->parent) {
1055 buflen -= de->namelen + 1;
1056 if (buflen < 0)
1057 break;
1058 end -= de->namelen;
1059 memcpy(end, de->name, de->namelen);
1060 *--end = '/';
1061 path = end;
1062 de = de->parent;
1063 }
1064 rc = security_genfs_sid("proc", path, tclass, sid);
1065 free_page((unsigned long)buffer);
1066 return rc;
1067}
1068#else
1069static int selinux_proc_get_sid(struct proc_dir_entry *de,
1070 u16 tclass,
1071 u32 *sid)
1072{
1073 return -EINVAL;
1074}
1075#endif
1076
1077/* The inode's security attributes must be initialized before first use. */
1078static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1079{
1080 struct superblock_security_struct *sbsec = NULL;
1081 struct inode_security_struct *isec = inode->i_security;
1082 u32 sid;
1083 struct dentry *dentry;
1084#define INITCONTEXTLEN 255
1085 char *context = NULL;
1086 unsigned len = 0;
1087 int rc = 0;
1da177e4
LT		 1088
1089 if (isec->initialized)
1090 goto out;
1091
23970741 1092 mutex_lock(&isec->lock);
1da177e4 1093 if (isec->initialized)
23970741 1094 goto out_unlock;
1da177e4
LT		 1095
1096 sbsec = inode->i_sb->s_security;
1097 if (!sbsec->initialized) {
1098 /* Defer initialization until selinux_complete_init,
1099 after the initial policy is loaded and the security
1100 server is ready to handle calls. */
1101 spin_lock(&sbsec->isec_lock);
1102 if (list_empty(&isec->list))
1103 list_add(&isec->list, &sbsec->isec_head);
1104 spin_unlock(&sbsec->isec_lock);
23970741 1105 goto out_unlock;
1da177e4
LT		 1106 }
1107
1108 switch (sbsec->behavior) {
1109 case SECURITY_FS_USE_XATTR:
1110 if (!inode->i_op->getxattr) {
1111 isec->sid = sbsec->def_sid;
1112 break;
1113 }
1114
1115 /* Need a dentry, since the xattr API requires one.
1116 Life would be simpler if we could just pass the inode. */
1117 if (opt_dentry) {
1118 /* Called from d_instantiate or d_splice_alias. */
1119 dentry = dget(opt_dentry);
1120 } else {
1121 /* Called from selinux_complete_init, try to find a dentry. */
1122 dentry = d_find_alias(inode);
1123 }
1124 if (!dentry) {
1125 printk(KERN_WARNING "%s: no dentry for dev=%s "
1126 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1127 inode->i_ino);
23970741 1128 goto out_unlock;
1da177e4
LT		 1129 }
1130
1131 len = INITCONTEXTLEN;
1132 context = kmalloc(len, GFP_KERNEL);
1133 if (!context) {
1134 rc = -ENOMEM;
1135 dput(dentry);
23970741 1136 goto out_unlock;
1da177e4
LT		 1137 }
1138 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1139 context, len);
1140 if (rc == -ERANGE) {
1141 /* Need a larger buffer. Query for the right size. */
1142 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1143 NULL, 0);
1144 if (rc < 0) {
1145 dput(dentry);
23970741 1146 goto out_unlock;
1da177e4
LT		 1147 }
1148 kfree(context);
1149 len = rc;
1150 context = kmalloc(len, GFP_KERNEL);
1151 if (!context) {
1152 rc = -ENOMEM;
1153 dput(dentry);
23970741 1154 goto out_unlock;
1da177e4
LT		 1155 }
1156 rc = inode->i_op->getxattr(dentry,
1157 XATTR_NAME_SELINUX,
1158 context, len);
1159 }
1160 dput(dentry);
1161 if (rc < 0) {
1162 if (rc != -ENODATA) {
1163 printk(KERN_WARNING "%s: getxattr returned "
1164 "%d for dev=%s ino=%ld\n", __FUNCTION__,
1165 -rc, inode->i_sb->s_id, inode->i_ino);
1166 kfree(context);
23970741 1167 goto out_unlock;
1da177e4
LT		 1168 }
1169 /* Map ENODATA to the default file SID */
1170 sid = sbsec->def_sid;
1171 rc = 0;
1172 } else {
f5c1d5b2
JM		 1173 rc = security_context_to_sid_default(context, rc, &sid,
1174 sbsec->def_sid);
1da177e4
LT		 1175 if (rc) {
1176 printk(KERN_WARNING "%s: context_to_sid(%s) "
1177 "returned %d for dev=%s ino=%ld\n",
1178 __FUNCTION__, context, -rc,
1179 inode->i_sb->s_id, inode->i_ino);
1180 kfree(context);
1181 /* Leave with the unlabeled SID */
1182 rc = 0;
1183 break;
1184 }
1185 }
1186 kfree(context);
1187 isec->sid = sid;
1188 break;
1189 case SECURITY_FS_USE_TASK:
1190 isec->sid = isec->task_sid;
1191 break;
1192 case SECURITY_FS_USE_TRANS:
1193 /* Default to the fs SID. */
1194 isec->sid = sbsec->sid;
1195
1196 /* Try to obtain a transition SID. */
1197 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1198 rc = security_transition_sid(isec->task_sid,
1199 sbsec->sid,
1200 isec->sclass,
1201 &sid);
1202 if (rc)
23970741 1203 goto out_unlock;
1da177e4
LT		 1204 isec->sid = sid;
1205 break;
c312feb2
EP		 1206 case SECURITY_FS_USE_MNTPOINT:
1207 isec->sid = sbsec->mntpoint_sid;
1208 break;
1da177e4 1209 default:
c312feb2 1210 /* Default to the fs superblock SID. */
1da177e4
LT		 1211 isec->sid = sbsec->sid;
1212
1213 if (sbsec->proc) {
1214 struct proc_inode *proci = PROC_I(inode);
1215 if (proci->pde) {
1216 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1217 rc = selinux_proc_get_sid(proci->pde,
1218 isec->sclass,
1219 &sid);
1220 if (rc)
23970741 1221 goto out_unlock;
1da177e4
LT		 1222 isec->sid = sid;
1223 }
1224 }
1225 break;
1226 }
1227
1228 isec->initialized = 1;
1229
23970741
EP		 1230out_unlock:
1231 mutex_unlock(&isec->lock);
1da177e4
LT		 1232out:
1233 if (isec->sclass == SECCLASS_FILE)
1234 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1235 return rc;
1236}
1237
1238/* Convert a Linux signal to an access vector. */
1239static inline u32 signal_to_av(int sig)
1240{
1241 u32 perm = 0;
1242
1243 switch (sig) {
1244 case SIGCHLD:
1245 /* Commonly granted from child to parent. */
1246 perm = PROCESS__SIGCHLD;
1247 break;
1248 case SIGKILL:
1249 /* Cannot be caught or ignored */
1250 perm = PROCESS__SIGKILL;
1251 break;
1252 case SIGSTOP:
1253 /* Cannot be caught or ignored */
1254 perm = PROCESS__SIGSTOP;
1255 break;
1256 default:
1257 /* All other signals. */
1258 perm = PROCESS__SIGNAL;
1259 break;
1260 }
1261
1262 return perm;
1263}
1264
1265/* Check permission betweeen a pair of tasks, e.g. signal checks,
1266 fork check, ptrace check, etc. */
1267static int task_has_perm(struct task_struct *tsk1,
1268 struct task_struct *tsk2,
1269 u32 perms)
1270{
1271 struct task_security_struct *tsec1, *tsec2;
1272
1273 tsec1 = tsk1->security;
1274 tsec2 = tsk2->security;
1275 return avc_has_perm(tsec1->sid, tsec2->sid,
1276 SECCLASS_PROCESS, perms, NULL);
1277}
1278
1279/* Check whether a task is allowed to use a capability. */
1280static int task_has_capability(struct task_struct *tsk,
1281 int cap)
1282{
1283 struct task_security_struct *tsec;
1284 struct avc_audit_data ad;
1285
1286 tsec = tsk->security;
1287
1288 AVC_AUDIT_DATA_INIT(&ad,CAP);
1289 ad.tsk = tsk;
1290 ad.u.cap = cap;
1291
1292 return avc_has_perm(tsec->sid, tsec->sid,
1293 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1294}
1295
1296/* Check whether a task is allowed to use a system operation. */
1297static int task_has_system(struct task_struct *tsk,
1298 u32 perms)
1299{
1300 struct task_security_struct *tsec;
1301
1302 tsec = tsk->security;
1303
1304 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1305 SECCLASS_SYSTEM, perms, NULL);
1306}
1307
1308/* Check whether a task has a particular permission to an inode.
1309 The 'adp' parameter is optional and allows other audit
1310 data to be passed (e.g. the dentry). */
1311static int inode_has_perm(struct task_struct *tsk,
1312 struct inode *inode,
1313 u32 perms,
1314 struct avc_audit_data *adp)
1315{
1316 struct task_security_struct *tsec;
1317 struct inode_security_struct *isec;
1318 struct avc_audit_data ad;
1319
bbaca6c2
SS		 1320 if (unlikely (IS_PRIVATE (inode)))
1321 return 0;
1322
1da177e4
LT		 1323 tsec = tsk->security;
1324 isec = inode->i_security;
1325
1326 if (!adp) {
1327 adp = &ad;
1328 AVC_AUDIT_DATA_INIT(&ad, FS);
1329 ad.u.fs.inode = inode;
1330 }
1331
1332 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1333}
1334
1335/* Same as inode_has_perm, but pass explicit audit data containing
1336 the dentry to help the auditing code to more easily generate the
1337 pathname if needed. */
1338static inline int dentry_has_perm(struct task_struct *tsk,
1339 struct vfsmount *mnt,
1340 struct dentry *dentry,
1341 u32 av)
1342{
1343 struct inode *inode = dentry->d_inode;
1344 struct avc_audit_data ad;
1345 AVC_AUDIT_DATA_INIT(&ad,FS);
1346 ad.u.fs.mnt = mnt;
1347 ad.u.fs.dentry = dentry;
1348 return inode_has_perm(tsk, inode, av, &ad);
1349}
1350
1351/* Check whether a task can use an open file descriptor to
1352 access an inode in a given way. Check access to the
1353 descriptor itself, and then use dentry_has_perm to
1354 check a particular permission to the file.
1355 Access to the descriptor is implicitly granted if it
1356 has the same SID as the process. If av is zero, then
1357 access to the file is not checked, e.g. for cases
1358 where only the descriptor is affected like seek. */
858119e1 1359static int file_has_perm(struct task_struct *tsk,
1da177e4
LT		 1360 struct file *file,
1361 u32 av)
1362{
1363 struct task_security_struct *tsec = tsk->security;
1364 struct file_security_struct *fsec = file->f_security;
3d5ff529
JS		 1365 struct vfsmount *mnt = file->f_path.mnt;
1366 struct dentry *dentry = file->f_path.dentry;
1da177e4
LT		 1367 struct inode *inode = dentry->d_inode;
1368 struct avc_audit_data ad;
1369 int rc;
1370
1371 AVC_AUDIT_DATA_INIT(&ad, FS);
1372 ad.u.fs.mnt = mnt;
1373 ad.u.fs.dentry = dentry;
1374
1375 if (tsec->sid != fsec->sid) {
1376 rc = avc_has_perm(tsec->sid, fsec->sid,
1377 SECCLASS_FD,
1378 FD__USE,
1379 &ad);
1380 if (rc)
1381 return rc;
1382 }
1383
1384 /* av is zero if only checking access to the descriptor. */
1385 if (av)
1386 return inode_has_perm(tsk, inode, av, &ad);
1387
1388 return 0;
1389}
1390
1391/* Check whether a task can create a file. */
1392static int may_create(struct inode *dir,
1393 struct dentry *dentry,
1394 u16 tclass)
1395{
1396 struct task_security_struct *tsec;
1397 struct inode_security_struct *dsec;
1398 struct superblock_security_struct *sbsec;
1399 u32 newsid;
1400 struct avc_audit_data ad;
1401 int rc;
1402
1403 tsec = current->security;
1404 dsec = dir->i_security;
1405 sbsec = dir->i_sb->s_security;
1406
1407 AVC_AUDIT_DATA_INIT(&ad, FS);
1408 ad.u.fs.dentry = dentry;
1409
1410 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1411 DIR__ADD_NAME | DIR__SEARCH,
1412 &ad);
1413 if (rc)
1414 return rc;
1415
1416 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1417 newsid = tsec->create_sid;
1418 } else {
1419 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1420 &newsid);
1421 if (rc)
1422 return rc;
1423 }
1424
1425 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1426 if (rc)
1427 return rc;
1428
1429 return avc_has_perm(newsid, sbsec->sid,
1430 SECCLASS_FILESYSTEM,
1431 FILESYSTEM__ASSOCIATE, &ad);
1432}
1433
4eb582cf
ML		 1434/* Check whether a task can create a key. */
1435static int may_create_key(u32 ksid,
1436 struct task_struct *ctx)
1437{
1438 struct task_security_struct *tsec;
1439
1440 tsec = ctx->security;
1441
1442 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1443}
1444
1da177e4
LT		 1445#define MAY_LINK 0
1446#define MAY_UNLINK 1
1447#define MAY_RMDIR 2
1448
1449/* Check whether a task can link, unlink, or rmdir a file/directory. */
1450static int may_link(struct inode *dir,
1451 struct dentry *dentry,
1452 int kind)
1453
1454{
1455 struct task_security_struct *tsec;
1456 struct inode_security_struct *dsec, *isec;
1457 struct avc_audit_data ad;
1458 u32 av;
1459 int rc;
1460
1461 tsec = current->security;
1462 dsec = dir->i_security;
1463 isec = dentry->d_inode->i_security;
1464
1465 AVC_AUDIT_DATA_INIT(&ad, FS);
1466 ad.u.fs.dentry = dentry;
1467
1468 av = DIR__SEARCH;
1469 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1470 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1471 if (rc)
1472 return rc;
1473
1474 switch (kind) {
1475 case MAY_LINK:
1476 av = FILE__LINK;
1477 break;
1478 case MAY_UNLINK:
1479 av = FILE__UNLINK;
1480 break;
1481 case MAY_RMDIR:
1482 av = DIR__RMDIR;
1483 break;
1484 default:
1485 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1486 return 0;
1487 }
1488
1489 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1490 return rc;
1491}
1492
1493static inline int may_rename(struct inode *old_dir,
1494 struct dentry *old_dentry,
1495 struct inode *new_dir,
1496 struct dentry *new_dentry)
1497{
1498 struct task_security_struct *tsec;
1499 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1500 struct avc_audit_data ad;
1501 u32 av;
1502 int old_is_dir, new_is_dir;
1503 int rc;
1504
1505 tsec = current->security;
1506 old_dsec = old_dir->i_security;
1507 old_isec = old_dentry->d_inode->i_security;
1508 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1509 new_dsec = new_dir->i_security;
1510
1511 AVC_AUDIT_DATA_INIT(&ad, FS);
1512
1513 ad.u.fs.dentry = old_dentry;
1514 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1515 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1516 if (rc)
1517 return rc;
1518 rc = avc_has_perm(tsec->sid, old_isec->sid,
1519 old_isec->sclass, FILE__RENAME, &ad);
1520 if (rc)
1521 return rc;
1522 if (old_is_dir && new_dir != old_dir) {
1523 rc = avc_has_perm(tsec->sid, old_isec->sid,
1524 old_isec->sclass, DIR__REPARENT, &ad);
1525 if (rc)
1526 return rc;
1527 }
1528
1529 ad.u.fs.dentry = new_dentry;
1530 av = DIR__ADD_NAME | DIR__SEARCH;
1531 if (new_dentry->d_inode)
1532 av |= DIR__REMOVE_NAME;
1533 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1534 if (rc)
1535 return rc;
1536 if (new_dentry->d_inode) {
1537 new_isec = new_dentry->d_inode->i_security;
1538 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1539 rc = avc_has_perm(tsec->sid, new_isec->sid,
1540 new_isec->sclass,
1541 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1542 if (rc)
1543 return rc;
1544 }
1545
1546 return 0;
1547}
1548
1549/* Check whether a task can perform a filesystem operation. */
1550static int superblock_has_perm(struct task_struct *tsk,
1551 struct super_block *sb,
1552 u32 perms,
1553 struct avc_audit_data *ad)
1554{
1555 struct task_security_struct *tsec;
1556 struct superblock_security_struct *sbsec;
1557
1558 tsec = tsk->security;
1559 sbsec = sb->s_security;
1560 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1561 perms, ad);
1562}
1563
1564/* Convert a Linux mode and permission mask to an access vector. */
1565static inline u32 file_mask_to_av(int mode, int mask)
1566{
1567 u32 av = 0;
1568
1569 if ((mode & S_IFMT) != S_IFDIR) {
1570 if (mask & MAY_EXEC)
1571 av |= FILE__EXECUTE;
1572 if (mask & MAY_READ)
1573 av |= FILE__READ;
1574
1575 if (mask & MAY_APPEND)
1576 av |= FILE__APPEND;
1577 else if (mask & MAY_WRITE)
1578 av |= FILE__WRITE;
1579
1580 } else {
1581 if (mask & MAY_EXEC)
1582 av |= DIR__SEARCH;
1583 if (mask & MAY_WRITE)
1584 av |= DIR__WRITE;
1585 if (mask & MAY_READ)
1586 av |= DIR__READ;
1587 }
1588
1589 return av;
1590}
1591
1592/* Convert a Linux file to an access vector. */
1593static inline u32 file_to_av(struct file *file)
1594{
1595 u32 av = 0;
1596
1597 if (file->f_mode & FMODE_READ)
1598 av |= FILE__READ;
1599 if (file->f_mode & FMODE_WRITE) {
1600 if (file->f_flags & O_APPEND)
1601 av |= FILE__APPEND;
1602 else
1603 av |= FILE__WRITE;
1604 }
1605
1606 return av;
1607}
1608
1da177e4
LT		 1609/* Hook functions begin here. */
1610
1611static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1612{
1613 struct task_security_struct *psec = parent->security;
1614 struct task_security_struct *csec = child->security;
1615 int rc;
1616
1617 rc = secondary_ops->ptrace(parent,child);
1618 if (rc)
1619 return rc;
1620
1621 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1622 /* Save the SID of the tracing process for later use in apply_creds. */
341c2d80 1623 if (!(child->ptrace & PT_PTRACED) && !rc)
1da177e4
LT		 1624 csec->ptrace_sid = psec->sid;
1625 return rc;
1626}
1627
1628static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1629 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1630{
1631 int error;
1632
1633 error = task_has_perm(current, target, PROCESS__GETCAP);
1634 if (error)
1635 return error;
1636
1637 return secondary_ops->capget(target, effective, inheritable, permitted);
1638}
1639
1640static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1641 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1642{
1643 int error;
1644
1645 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1646 if (error)
1647 return error;
1648
1649 return task_has_perm(current, target, PROCESS__SETCAP);
1650}
1651
1652static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1653 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1654{
1655 secondary_ops->capset_set(target, effective, inheritable, permitted);
1656}
1657
1658static int selinux_capable(struct task_struct *tsk, int cap)
1659{
1660 int rc;
1661
1662 rc = secondary_ops->capable(tsk, cap);
1663 if (rc)
1664 return rc;
1665
1666 return task_has_capability(tsk,cap);
1667}
1668
3fbfa981
EB		 1669static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1670{
1671 int buflen, rc;
1672 char *buffer, *path, *end;
1673
1674 rc = -ENOMEM;
1675 buffer = (char*)__get_free_page(GFP_KERNEL);
1676 if (!buffer)
1677 goto out;
1678
1679 buflen = PAGE_SIZE;
1680 end = buffer+buflen;
1681 *--end = '\0';
1682 buflen--;
1683 path = end-1;
1684 *path = '/';
1685 while (table) {
1686 const char *name = table->procname;
1687 size_t namelen = strlen(name);
1688 buflen -= namelen + 1;
1689 if (buflen < 0)
1690 goto out_free;
1691 end -= namelen;
1692 memcpy(end, name, namelen);
1693 *--end = '/';
1694 path = end;
1695 table = table->parent;
1696 }
b599fdfd
EB		 1697 buflen -= 4;
1698 if (buflen < 0)
1699 goto out_free;
1700 end -= 4;
1701 memcpy(end, "/sys", 4);
1702 path = end;
3fbfa981
EB		 1703 rc = security_genfs_sid("proc", path, tclass, sid);
1704out_free:
1705 free_page((unsigned long)buffer);
1706out:
1707 return rc;
1708}
1709
1da177e4
LT		 1710static int selinux_sysctl(ctl_table *table, int op)
1711{
1712 int error = 0;
1713 u32 av;
1714 struct task_security_struct *tsec;
1715 u32 tsid;
1716 int rc;
1717
1718 rc = secondary_ops->sysctl(table, op);
1719 if (rc)
1720 return rc;
1721
1722 tsec = current->security;
1723
3fbfa981
EB		 1724 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1725 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1da177e4
LT		 1726 if (rc) {
1727 /* Default to the well-defined sysctl SID. */
1728 tsid = SECINITSID_SYSCTL;
1729 }
1730
1731 /* The op values are "defined" in sysctl.c, thereby creating
1732 * a bad coupling between this module and sysctl.c */
1733 if(op == 001) {
1734 error = avc_has_perm(tsec->sid, tsid,
1735 SECCLASS_DIR, DIR__SEARCH, NULL);
1736 } else {
1737 av = 0;
1738 if (op & 004)
1739 av |= FILE__READ;
1740 if (op & 002)
1741 av |= FILE__WRITE;
1742 if (av)
1743 error = avc_has_perm(tsec->sid, tsid,
1744 SECCLASS_FILE, av, NULL);
1745 }
1746
1747 return error;
1748}
1749
1750static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1751{
1752 int rc = 0;
1753
1754 if (!sb)
1755 return 0;
1756
1757 switch (cmds) {
1758 case Q_SYNC:
1759 case Q_QUOTAON:
1760 case Q_QUOTAOFF:
1761 case Q_SETINFO:
1762 case Q_SETQUOTA:
1763 rc = superblock_has_perm(current,
1764 sb,
1765 FILESYSTEM__QUOTAMOD, NULL);
1766 break;
1767 case Q_GETFMT:
1768 case Q_GETINFO:
1769 case Q_GETQUOTA:
1770 rc = superblock_has_perm(current,
1771 sb,
1772 FILESYSTEM__QUOTAGET, NULL);
1773 break;
1774 default:
1775 rc = 0; /* let the kernel handle invalid cmds */
1776 break;
1777 }
1778 return rc;
1779}
1780
1781static int selinux_quota_on(struct dentry *dentry)
1782{
1783 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1784}
1785
1786static int selinux_syslog(int type)
1787{
1788 int rc;
1789
1790 rc = secondary_ops->syslog(type);
1791 if (rc)
1792 return rc;
1793
1794 switch (type) {
1795 case 3: /* Read last kernel messages */
1796 case 10: /* Return size of the log buffer */
1797 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1798 break;
1799 case 6: /* Disable logging to console */
1800 case 7: /* Enable logging to console */
1801 case 8: /* Set level of messages printed to console */
1802 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1803 break;
1804 case 0: /* Close log */
1805 case 1: /* Open log */
1806 case 2: /* Read from log */
1807 case 4: /* Read/clear last kernel messages */
1808 case 5: /* Clear ring buffer */
1809 default:
1810 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1811 break;
1812 }
1813 return rc;
1814}
1815
1816/*
1817 * Check that a process has enough memory to allocate a new virtual
1818 * mapping. 0 means there is enough memory for the allocation to
1819 * succeed and -ENOMEM implies there is not.
1820 *
1821 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1822 * if the capability is granted, but __vm_enough_memory requires 1 if
1823 * the capability is granted.
1824 *
1825 * Do not audit the selinux permission check, as this is applied to all
1826 * processes that allocate mappings.
1827 */
34b4e4aa 1828static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 1829{
1830 int rc, cap_sys_admin = 0;
1831 struct task_security_struct *tsec = current->security;
1832
1833 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1834 if (rc == 0)
1835 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2c3c05db
SS		 1836 SECCLASS_CAPABILITY,
1837 CAP_TO_MASK(CAP_SYS_ADMIN),
1838 0,
1839 NULL);
1da177e4
LT		 1840
1841 if (rc == 0)
1842 cap_sys_admin = 1;
1843
34b4e4aa 1844 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 1845}
1846
1847/* binprm security operations */
1848
1849static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1850{
1851 struct bprm_security_struct *bsec;
1852
89d155ef 1853 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1da177e4
LT		 1854 if (!bsec)
1855 return -ENOMEM;
1856
1da177e4
LT		 1857 bsec->bprm = bprm;
1858 bsec->sid = SECINITSID_UNLABELED;
1859 bsec->set = 0;
1860
1861 bprm->security = bsec;
1862 return 0;
1863}
1864
1865static int selinux_bprm_set_security(struct linux_binprm *bprm)
1866{
1867 struct task_security_struct *tsec;
3d5ff529 1868 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1da177e4
LT		 1869 struct inode_security_struct *isec;
1870 struct bprm_security_struct *bsec;
1871 u32 newsid;
1872 struct avc_audit_data ad;
1873 int rc;
1874
1875 rc = secondary_ops->bprm_set_security(bprm);
1876 if (rc)
1877 return rc;
1878
1879 bsec = bprm->security;
1880
1881 if (bsec->set)
1882 return 0;
1883
1884 tsec = current->security;
1885 isec = inode->i_security;
1886
1887 /* Default to the current task SID. */
1888 bsec->sid = tsec->sid;
1889
28eba5bf 1890 /* Reset fs, key, and sock SIDs on execve. */
1da177e4 1891 tsec->create_sid = 0;
28eba5bf 1892 tsec->keycreate_sid = 0;
42c3e03e 1893 tsec->sockcreate_sid = 0;
1da177e4
LT		 1894
1895 if (tsec->exec_sid) {
1896 newsid = tsec->exec_sid;
1897 /* Reset exec SID on execve. */
1898 tsec->exec_sid = 0;
1899 } else {
1900 /* Check for a default transition on this program. */
1901 rc = security_transition_sid(tsec->sid, isec->sid,
1902 SECCLASS_PROCESS, &newsid);
1903 if (rc)
1904 return rc;
1905 }
1906
1907 AVC_AUDIT_DATA_INIT(&ad, FS);
3d5ff529
JS		 1908 ad.u.fs.mnt = bprm->file->f_path.mnt;
1909 ad.u.fs.dentry = bprm->file->f_path.dentry;
1da177e4 1910
3d5ff529 1911 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1da177e4
LT		 1912 newsid = tsec->sid;
1913
1914 if (tsec->sid == newsid) {
1915 rc = avc_has_perm(tsec->sid, isec->sid,
1916 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1917 if (rc)
1918 return rc;
1919 } else {
1920 /* Check permissions for the transition. */
1921 rc = avc_has_perm(tsec->sid, newsid,
1922 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1923 if (rc)
1924 return rc;
1925
1926 rc = avc_has_perm(newsid, isec->sid,
1927 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1928 if (rc)
1929 return rc;
1930
1931 /* Clear any possibly unsafe personality bits on exec: */
1932 current->personality &= ~PER_CLEAR_ON_SETID;
1933
1934 /* Set the security field to the new SID. */
1935 bsec->sid = newsid;
1936 }
1937
1938 bsec->set = 1;
1939 return 0;
1940}
1941
1942static int selinux_bprm_check_security (struct linux_binprm *bprm)
1943{
1944 return secondary_ops->bprm_check_security(bprm);
1945}
1946
1947
1948static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1949{
1950 struct task_security_struct *tsec = current->security;
1951 int atsecure = 0;
1952
1953 if (tsec->osid != tsec->sid) {
1954 /* Enable secure mode for SIDs transitions unless
1955 the noatsecure permission is granted between
1956 the two SIDs, i.e. ahp returns 0. */
1957 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1958 SECCLASS_PROCESS,
1959 PROCESS__NOATSECURE, NULL);
1960 }
1961
1962 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1963}
1964
1965static void selinux_bprm_free_security(struct linux_binprm *bprm)
1966{
9a5f04bf 1967 kfree(bprm->security);
1da177e4 1968 bprm->security = NULL;
1da177e4
LT		 1969}
1970
1971extern struct vfsmount *selinuxfs_mount;
1972extern struct dentry *selinux_null;
1973
1974/* Derived from fs/exec.c:flush_old_files. */
1975static inline void flush_unauthorized_files(struct files_struct * files)
1976{
1977 struct avc_audit_data ad;
1978 struct file *file, *devnull = NULL;
b20c8122 1979 struct tty_struct *tty;
badf1662 1980 struct fdtable *fdt;
1da177e4 1981 long j = -1;
24ec839c 1982 int drop_tty = 0;
1da177e4 1983
b20c8122 1984 mutex_lock(&tty_mutex);
24ec839c 1985 tty = get_current_tty();
1da177e4
LT		 1986 if (tty) {
1987 file_list_lock();
2f512016 1988 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1da177e4
LT		 1989 if (file) {
1990 /* Revalidate access to controlling tty.
1991 Use inode_has_perm on the tty inode directly rather
1992 than using file_has_perm, as this particular open
1993 file may belong to another process and we are only
1994 interested in the inode-based check here. */
3d5ff529 1995 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 1996 if (inode_has_perm(current, inode,
1997 FILE__READ | FILE__WRITE, NULL)) {
24ec839c 1998 drop_tty = 1;
1da177e4
LT		 1999 }
2000 }
2001 file_list_unlock();
2002 }
b20c8122 2003 mutex_unlock(&tty_mutex);
98a27ba4
EB		 2004 /* Reset controlling tty. */
2005 if (drop_tty)
2006 no_tty();
1da177e4
LT		 2007
2008 /* Revalidate access to inherited open files. */
2009
2010 AVC_AUDIT_DATA_INIT(&ad,FS);
2011
2012 spin_lock(&files->file_lock);
2013 for (;;) {
2014 unsigned long set, i;
2015 int fd;
2016
2017 j++;
2018 i = j * __NFDBITS;
badf1662 2019 fdt = files_fdtable(files);
bbea9f69 2020 if (i >= fdt->max_fds)
1da177e4 2021 break;
badf1662 2022 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 2023 if (!set)
2024 continue;
2025 spin_unlock(&files->file_lock);
2026 for ( ; set ; i++,set >>= 1) {
2027 if (set & 1) {
2028 file = fget(i);
2029 if (!file)
2030 continue;
2031 if (file_has_perm(current,
2032 file,
2033 file_to_av(file))) {
2034 sys_close(i);
2035 fd = get_unused_fd();
2036 if (fd != i) {
2037 if (fd >= 0)
2038 put_unused_fd(fd);
2039 fput(file);
2040 continue;
2041 }
2042 if (devnull) {
095975da 2043 get_file(devnull);
1da177e4
LT		 2044 } else {
2045 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
fc5d81e6
AM		 2046 if (IS_ERR(devnull)) {
2047 devnull = NULL;
1da177e4
LT		 2048 put_unused_fd(fd);
2049 fput(file);
2050 continue;
2051 }
2052 }
2053 fd_install(fd, devnull);
2054 }
2055 fput(file);
2056 }
2057 }
2058 spin_lock(&files->file_lock);
2059
2060 }
2061 spin_unlock(&files->file_lock);
2062}
2063
2064static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2065{
2066 struct task_security_struct *tsec;
2067 struct bprm_security_struct *bsec;
2068 u32 sid;
2069 int rc;
2070
2071 secondary_ops->bprm_apply_creds(bprm, unsafe);
2072
2073 tsec = current->security;
2074
2075 bsec = bprm->security;
2076 sid = bsec->sid;
2077
2078 tsec->osid = tsec->sid;
2079 bsec->unsafe = 0;
2080 if (tsec->sid != sid) {
2081 /* Check for shared state. If not ok, leave SID
2082 unchanged and kill. */
2083 if (unsafe & LSM_UNSAFE_SHARE) {
2084 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2085 PROCESS__SHARE, NULL);
2086 if (rc) {
2087 bsec->unsafe = 1;
2088 return;
2089 }
2090 }
2091
2092 /* Check for ptracing, and update the task SID if ok.
2093 Otherwise, leave SID unchanged and kill. */
2094 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2095 rc = avc_has_perm(tsec->ptrace_sid, sid,
2096 SECCLASS_PROCESS, PROCESS__PTRACE,
2097 NULL);
2098 if (rc) {
2099 bsec->unsafe = 1;
2100 return;
2101 }
2102 }
2103 tsec->sid = sid;
2104 }
2105}
2106
2107/*
2108 * called after apply_creds without the task lock held
2109 */
2110static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2111{
2112 struct task_security_struct *tsec;
2113 struct rlimit *rlim, *initrlim;
2114 struct itimerval itimer;
2115 struct bprm_security_struct *bsec;
2116 int rc, i;
2117
2118 tsec = current->security;
2119 bsec = bprm->security;
2120
2121 if (bsec->unsafe) {
2122 force_sig_specific(SIGKILL, current);
2123 return;
2124 }
2125 if (tsec->osid == tsec->sid)
2126 return;
2127
2128 /* Close files for which the new task SID is not authorized. */
2129 flush_unauthorized_files(current->files);
2130
2131 /* Check whether the new SID can inherit signal state
2132 from the old SID. If not, clear itimers to avoid
2133 subsequent signal generation and flush and unblock
2134 signals. This must occur _after_ the task SID has
2135 been updated so that any kill done after the flush
2136 will be checked against the new SID. */
2137 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2138 PROCESS__SIGINH, NULL);
2139 if (rc) {
2140 memset(&itimer, 0, sizeof itimer);
2141 for (i = 0; i < 3; i++)
2142 do_setitimer(i, &itimer, NULL);
2143 flush_signals(current);
2144 spin_lock_irq(&current->sighand->siglock);
2145 flush_signal_handlers(current, 1);
2146 sigemptyset(&current->blocked);
2147 recalc_sigpending();
2148 spin_unlock_irq(&current->sighand->siglock);
2149 }
2150
4ac212ad
SS		 2151 /* Always clear parent death signal on SID transitions. */
2152 current->pdeath_signal = 0;
2153
1da177e4
LT		 2154 /* Check whether the new SID can inherit resource limits
2155 from the old SID. If not, reset all soft limits to
2156 the lower of the current task's hard limit and the init
2157 task's soft limit. Note that the setting of hard limits
2158 (even to lower them) can be controlled by the setrlimit
2159 check. The inclusion of the init task's soft limit into
2160 the computation is to avoid resetting soft limits higher
2161 than the default soft limit for cases where the default
2162 is lower than the hard limit, e.g. RLIMIT_CORE or
2163 RLIMIT_STACK.*/
2164 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2165 PROCESS__RLIMITINH, NULL);
2166 if (rc) {
2167 for (i = 0; i < RLIM_NLIMITS; i++) {
2168 rlim = current->signal->rlim + i;
2169 initrlim = init_task.signal->rlim+i;
2170 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2171 }
2172 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2173 /*
2174 * This will cause RLIMIT_CPU calculations
2175 * to be refigured.
2176 */
2177 current->it_prof_expires = jiffies_to_cputime(1);
2178 }
2179 }
2180
2181 /* Wake up the parent if it is waiting so that it can
2182 recheck wait permission to the new task SID. */
2183 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2184}
2185
2186/* superblock security operations */
2187
2188static int selinux_sb_alloc_security(struct super_block *sb)
2189{
2190 return superblock_alloc_security(sb);
2191}
2192
2193static void selinux_sb_free_security(struct super_block *sb)
2194{
2195 superblock_free_security(sb);
2196}
2197
2198static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2199{
2200 if (plen > olen)
2201 return 0;
2202
2203 return !memcmp(prefix, option, plen);
2204}
2205
2206static inline int selinux_option(char *option, int len)
2207{
2208 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2209 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
0808925e
EP		 2210 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2211 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
1da177e4
LT		 2212}
2213
2214static inline void take_option(char **to, char *from, int *first, int len)
2215{
2216 if (!*first) {
2217 **to = ',';
2218 *to += 1;
3528a953 2219 } else
1da177e4
LT		 2220 *first = 0;
2221 memcpy(*to, from, len);
2222 *to += len;
2223}
2224
3528a953
CO		 2225static inline void take_selinux_option(char **to, char *from, int *first,
2226 int len)
2227{
2228 int current_size = 0;
2229
2230 if (!*first) {
2231 **to = '|';
2232 *to += 1;
2233 }
2234 else
2235 *first = 0;
2236
2237 while (current_size < len) {
2238 if (*from != '"') {
2239 **to = *from;
2240 *to += 1;
2241 }
2242 from += 1;
2243 current_size += 1;
2244 }
2245}
2246
1da177e4
LT		 2247static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
2248{
2249 int fnosec, fsec, rc = 0;
2250 char *in_save, *in_curr, *in_end;
2251 char *sec_curr, *nosec_save, *nosec;
3528a953 2252 int open_quote = 0;
1da177e4
LT		 2253
2254 in_curr = orig;
2255 sec_curr = copy;
2256
2257 /* Binary mount data: just copy */
2258 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
2259 copy_page(sec_curr, in_curr);
2260 goto out;
2261 }
2262
2263 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2264 if (!nosec) {
2265 rc = -ENOMEM;
2266 goto out;
2267 }
2268
2269 nosec_save = nosec;
2270 fnosec = fsec = 1;
2271 in_save = in_end = orig;
2272
2273 do {
3528a953
CO		 2274 if (*in_end == '"')
2275 open_quote = !open_quote;
2276 if ((*in_end == ',' && open_quote == 0) ||
2277 *in_end == '\0') {
1da177e4
LT		 2278 int len = in_end - in_curr;
2279
2280 if (selinux_option(in_curr, len))
3528a953 2281 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2282 else
2283 take_option(&nosec, in_curr, &fnosec, len);
2284
2285 in_curr = in_end + 1;
2286 }
2287 } while (*in_end++);
2288
6931dfc9 2289 strcpy(in_save, nosec_save);
da3caa20 2290 free_page((unsigned long)nosec_save);
1da177e4
LT		 2291out:
2292 return rc;
2293}
2294
2295static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2296{
2297 struct avc_audit_data ad;
2298 int rc;
2299
2300 rc = superblock_doinit(sb, data);
2301 if (rc)
2302 return rc;
2303
2304 AVC_AUDIT_DATA_INIT(&ad,FS);
2305 ad.u.fs.dentry = sb->s_root;
2306 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2307}
2308
726c3342 2309static int selinux_sb_statfs(struct dentry *dentry)
1da177e4
LT		 2310{
2311 struct avc_audit_data ad;
2312
2313 AVC_AUDIT_DATA_INIT(&ad,FS);
726c3342
DH		 2314 ad.u.fs.dentry = dentry->d_sb->s_root;
2315 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2316}
2317
2318static int selinux_mount(char * dev_name,
2319 struct nameidata *nd,
2320 char * type,
2321 unsigned long flags,
2322 void * data)
2323{
2324 int rc;
2325
2326 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2327 if (rc)
2328 return rc;
2329
2330 if (flags & MS_REMOUNT)
2331 return superblock_has_perm(current, nd->mnt->mnt_sb,
2332 FILESYSTEM__REMOUNT, NULL);
2333 else
2334 return dentry_has_perm(current, nd->mnt, nd->dentry,
2335 FILE__MOUNTON);
2336}
2337
2338static int selinux_umount(struct vfsmount *mnt, int flags)
2339{
2340 int rc;
2341
2342 rc = secondary_ops->sb_umount(mnt, flags);
2343 if (rc)
2344 return rc;
2345
2346 return superblock_has_perm(current,mnt->mnt_sb,
2347 FILESYSTEM__UNMOUNT,NULL);
2348}
2349
2350/* inode security operations */
2351
2352static int selinux_inode_alloc_security(struct inode *inode)
2353{
2354 return inode_alloc_security(inode);
2355}
2356
2357static void selinux_inode_free_security(struct inode *inode)
2358{
2359 inode_free_security(inode);
2360}
2361
5e41ff9e
SS		 2362static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2363 char **name, void **value,
2364 size_t *len)
2365{
2366 struct task_security_struct *tsec;
2367 struct inode_security_struct *dsec;
2368 struct superblock_security_struct *sbsec;
570bc1c2 2369 u32 newsid, clen;
5e41ff9e 2370 int rc;
570bc1c2 2371 char *namep = NULL, *context;
5e41ff9e
SS		 2372
2373 tsec = current->security;
2374 dsec = dir->i_security;
2375 sbsec = dir->i_sb->s_security;
5e41ff9e
SS		 2376
2377 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2378 newsid = tsec->create_sid;
2379 } else {
2380 rc = security_transition_sid(tsec->sid, dsec->sid,
2381 inode_mode_to_security_class(inode->i_mode),
2382 &newsid);
2383 if (rc) {
2384 printk(KERN_WARNING "%s: "
2385 "security_transition_sid failed, rc=%d (dev=%s "
2386 "ino=%ld)\n",
2387 __FUNCTION__,
2388 -rc, inode->i_sb->s_id, inode->i_ino);
2389 return rc;
2390 }
2391 }
2392
296fddf7
EP		 2393 /* Possibly defer initialization to selinux_complete_init. */
2394 if (sbsec->initialized) {
2395 struct inode_security_struct *isec = inode->i_security;
2396 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2397 isec->sid = newsid;
2398 isec->initialized = 1;
2399 }
5e41ff9e 2400
8aad3875 2401 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
25a74f3b
SS		 2402 return -EOPNOTSUPP;
2403
570bc1c2
SS		 2404 if (name) {
2405 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2406 if (!namep)
2407 return -ENOMEM;
2408 *name = namep;
2409 }
5e41ff9e 2410
570bc1c2
SS		 2411 if (value && len) {
2412 rc = security_sid_to_context(newsid, &context, &clen);
2413 if (rc) {
2414 kfree(namep);
2415 return rc;
2416 }
2417 *value = context;
2418 *len = clen;
5e41ff9e 2419 }
5e41ff9e 2420
5e41ff9e
SS		 2421 return 0;
2422}
2423
1da177e4
LT		 2424static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2425{
2426 return may_create(dir, dentry, SECCLASS_FILE);
2427}
2428
1da177e4
LT		 2429static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2430{
2431 int rc;
2432
2433 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2434 if (rc)
2435 return rc;
2436 return may_link(dir, old_dentry, MAY_LINK);
2437}
2438
1da177e4
LT		 2439static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2440{
2441 int rc;
2442
2443 rc = secondary_ops->inode_unlink(dir, dentry);
2444 if (rc)
2445 return rc;
2446 return may_link(dir, dentry, MAY_UNLINK);
2447}
2448
2449static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2450{
2451 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2452}
2453
1da177e4
LT		 2454static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2455{
2456 return may_create(dir, dentry, SECCLASS_DIR);
2457}
2458
1da177e4
LT		 2459static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2460{
2461 return may_link(dir, dentry, MAY_RMDIR);
2462}
2463
2464static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2465{
2466 int rc;
2467
2468 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2469 if (rc)
2470 return rc;
2471
2472 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2473}
2474
1da177e4
LT		 2475static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2476 struct inode *new_inode, struct dentry *new_dentry)
2477{
2478 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2479}
2480
1da177e4
LT		 2481static int selinux_inode_readlink(struct dentry *dentry)
2482{
2483 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2484}
2485
2486static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2487{
2488 int rc;
2489
2490 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2491 if (rc)
2492 return rc;
2493 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2494}
2495
2496static int selinux_inode_permission(struct inode *inode, int mask,
2497 struct nameidata *nd)
2498{
2499 int rc;
2500
2501 rc = secondary_ops->inode_permission(inode, mask, nd);
2502 if (rc)
2503 return rc;
2504
2505 if (!mask) {
2506 /* No permission to check. Existence test. */
2507 return 0;
2508 }
2509
2510 return inode_has_perm(current, inode,
2511 file_mask_to_av(inode->i_mode, mask), NULL);
2512}
2513
2514static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2515{
2516 int rc;
2517
2518 rc = secondary_ops->inode_setattr(dentry, iattr);
2519 if (rc)
2520 return rc;
2521
2522 if (iattr->ia_valid & ATTR_FORCE)
2523 return 0;
2524
2525 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2526 ATTR_ATIME_SET | ATTR_MTIME_SET))
2527 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2528
2529 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2530}
2531
2532static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2533{
2534 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2535}
2536
b5376771
SH		 2537static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2538{
2539 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2540 sizeof XATTR_SECURITY_PREFIX - 1)) {
2541 if (!strcmp(name, XATTR_NAME_CAPS)) {
2542 if (!capable(CAP_SETFCAP))
2543 return -EPERM;
2544 } else if (!capable(CAP_SYS_ADMIN)) {
2545 /* A different attribute in the security namespace.
2546 Restrict to administrator. */
2547 return -EPERM;
2548 }
2549 }
2550
2551 /* Not an attribute we recognize, so just check the
2552 ordinary setattr permission. */
2553 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2554}
2555
1da177e4
LT		 2556static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2557{
2558 struct task_security_struct *tsec = current->security;
2559 struct inode *inode = dentry->d_inode;
2560 struct inode_security_struct *isec = inode->i_security;
2561 struct superblock_security_struct *sbsec;
2562 struct avc_audit_data ad;
2563 u32 newsid;
2564 int rc = 0;
2565
b5376771
SH		 2566 if (strcmp(name, XATTR_NAME_SELINUX))
2567 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2568
2569 sbsec = inode->i_sb->s_security;
2570 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2571 return -EOPNOTSUPP;
2572
3bd858ab 2573 if (!is_owner_or_cap(inode))
1da177e4
LT		 2574 return -EPERM;
2575
2576 AVC_AUDIT_DATA_INIT(&ad,FS);
2577 ad.u.fs.dentry = dentry;
2578
2579 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2580 FILE__RELABELFROM, &ad);
2581 if (rc)
2582 return rc;
2583
2584 rc = security_context_to_sid(value, size, &newsid);
2585 if (rc)
2586 return rc;
2587
2588 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2589 FILE__RELABELTO, &ad);
2590 if (rc)
2591 return rc;
2592
2593 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2594 isec->sclass);
2595 if (rc)
2596 return rc;
2597
2598 return avc_has_perm(newsid,
2599 sbsec->sid,
2600 SECCLASS_FILESYSTEM,
2601 FILESYSTEM__ASSOCIATE,
2602 &ad);
2603}
2604
2605static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2606 void *value, size_t size, int flags)
2607{
2608 struct inode *inode = dentry->d_inode;
2609 struct inode_security_struct *isec = inode->i_security;
2610 u32 newsid;
2611 int rc;
2612
2613 if (strcmp(name, XATTR_NAME_SELINUX)) {
2614 /* Not an attribute we recognize, so nothing to do. */
2615 return;
2616 }
2617
2618 rc = security_context_to_sid(value, size, &newsid);
2619 if (rc) {
2620 printk(KERN_WARNING "%s: unable to obtain SID for context "
2621 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2622 return;
2623 }
2624
2625 isec->sid = newsid;
2626 return;
2627}
2628
2629static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2630{
1da177e4
LT		 2631 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2632}
2633
2634static int selinux_inode_listxattr (struct dentry *dentry)
2635{
2636 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2637}
2638
2639static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2640{
b5376771
SH		 2641 if (strcmp(name, XATTR_NAME_SELINUX))
2642 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2643
2644 /* No one is allowed to remove a SELinux security label.
2645 You can change the label, but all data must be labeled. */
2646 return -EACCES;
2647}
2648
d381d8a9
JM		 2649/*
2650 * Copy the in-core inode security context value to the user. If the
2651 * getxattr() prior to this succeeded, check to see if we need to
2652 * canonicalize the value to be finally returned to the user.
2653 *
2654 * Permission check is handled by selinux_inode_getxattr hook.
2655 */
7306a0b9 2656static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
1da177e4
LT		 2657{
2658 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2659
8c8570fb
DK		 2660 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2661 return -EOPNOTSUPP;
d381d8a9 2662
8c8570fb 2663 return selinux_getsecurity(isec->sid, buffer, size);
1da177e4
LT		 2664}
2665
2666static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2667 const void *value, size_t size, int flags)
2668{
2669 struct inode_security_struct *isec = inode->i_security;
2670 u32 newsid;
2671 int rc;
2672
2673 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2674 return -EOPNOTSUPP;
2675
2676 if (!value || !size)
2677 return -EACCES;
2678
2679 rc = security_context_to_sid((void*)value, size, &newsid);
2680 if (rc)
2681 return rc;
2682
2683 isec->sid = newsid;
2684 return 0;
2685}
2686
2687static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2688{
2689 const int len = sizeof(XATTR_NAME_SELINUX);
2690 if (buffer && len <= buffer_size)
2691 memcpy(buffer, XATTR_NAME_SELINUX, len);
2692 return len;
2693}
2694
b5376771
SH		 2695static int selinux_inode_need_killpriv(struct dentry *dentry)
2696{
2697 return secondary_ops->inode_need_killpriv(dentry);
2698}
2699
2700static int selinux_inode_killpriv(struct dentry *dentry)
2701{
2702 return secondary_ops->inode_killpriv(dentry);
2703}
2704
1da177e4
LT		 2705/* file security operations */
2706
788e7dd4 2707static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 2708{
7420ed23 2709 int rc;
3d5ff529 2710 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2711
2712 if (!mask) {
2713 /* No permission to check. Existence test. */
2714 return 0;
2715 }
2716
2717 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2718 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2719 mask |= MAY_APPEND;
2720
7420ed23
VY		 2721 rc = file_has_perm(current, file,
2722 file_mask_to_av(inode->i_mode, mask));
2723 if (rc)
2724 return rc;
2725
2726 return selinux_netlbl_inode_permission(inode, mask);
1da177e4
LT		 2727}
2728
788e7dd4
YN		 2729static int selinux_file_permission(struct file *file, int mask)
2730{
2731 struct inode *inode = file->f_path.dentry->d_inode;
2732 struct task_security_struct *tsec = current->security;
2733 struct file_security_struct *fsec = file->f_security;
2734 struct inode_security_struct *isec = inode->i_security;
2735
2736 if (!mask) {
2737 /* No permission to check. Existence test. */
2738 return 0;
2739 }
2740
2741 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2742 && fsec->pseqno == avc_policy_seqno())
2743 return selinux_netlbl_inode_permission(inode, mask);
2744
2745 return selinux_revalidate_file_permission(file, mask);
2746}
2747
1da177e4
LT		 2748static int selinux_file_alloc_security(struct file *file)
2749{
2750 return file_alloc_security(file);
2751}
2752
2753static void selinux_file_free_security(struct file *file)
2754{
2755 file_free_security(file);
2756}
2757
2758static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2759 unsigned long arg)
2760{
2761 int error = 0;
2762
2763 switch (cmd) {
2764 case FIONREAD:
2765 /* fall through */
2766 case FIBMAP:
2767 /* fall through */
2768 case FIGETBSZ:
2769 /* fall through */
2770 case EXT2_IOC_GETFLAGS:
2771 /* fall through */
2772 case EXT2_IOC_GETVERSION:
2773 error = file_has_perm(current, file, FILE__GETATTR);
2774 break;
2775
2776 case EXT2_IOC_SETFLAGS:
2777 /* fall through */
2778 case EXT2_IOC_SETVERSION:
2779 error = file_has_perm(current, file, FILE__SETATTR);
2780 break;
2781
2782 /* sys_ioctl() checks */
2783 case FIONBIO:
2784 /* fall through */
2785 case FIOASYNC:
2786 error = file_has_perm(current, file, 0);
2787 break;
2788
2789 case KDSKBENT:
2790 case KDSKBSENT:
2791 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2792 break;
2793
2794 /* default case assumes that the command will go
2795 * to the file's ioctl() function.
2796 */
2797 default:
2798 error = file_has_perm(current, file, FILE__IOCTL);
2799
2800 }
2801 return error;
2802}
2803
2804static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2805{
2806#ifndef CONFIG_PPC32
2807 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2808 /*
2809 * We are making executable an anonymous mapping or a
2810 * private file mapping that will also be writable.
2811 * This has an additional check.
2812 */
2813 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2814 if (rc)
2815 return rc;
2816 }
2817#endif
2818
2819 if (file) {
2820 /* read access is always possible with a mapping */
2821 u32 av = FILE__READ;
2822
2823 /* write access only matters if the mapping is shared */
2824 if (shared && (prot & PROT_WRITE))
2825 av |= FILE__WRITE;
2826
2827 if (prot & PROT_EXEC)
2828 av |= FILE__EXECUTE;
2829
2830 return file_has_perm(current, file, av);
2831 }
2832 return 0;
2833}
2834
2835static int selinux_file_mmap(struct file *file, unsigned long reqprot,
ed032189
EP		 2836 unsigned long prot, unsigned long flags,
2837 unsigned long addr, unsigned long addr_only)
1da177e4 2838{
ed032189
EP		 2839 int rc = 0;
2840 u32 sid = ((struct task_security_struct*)(current->security))->sid;
1da177e4 2841
ed032189
EP		 2842 if (addr < mmap_min_addr)
2843 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2844 MEMPROTECT__MMAP_ZERO, NULL);
2845 if (rc || addr_only)
1da177e4
LT		 2846 return rc;
2847
2848 if (selinux_checkreqprot)
2849 prot = reqprot;
2850
2851 return file_map_prot_check(file, prot,
2852 (flags & MAP_TYPE) == MAP_SHARED);
2853}
2854
2855static int selinux_file_mprotect(struct vm_area_struct *vma,
2856 unsigned long reqprot,
2857 unsigned long prot)
2858{
2859 int rc;
2860
2861 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2862 if (rc)
2863 return rc;
2864
2865 if (selinux_checkreqprot)
2866 prot = reqprot;
2867
2868#ifndef CONFIG_PPC32
db4c9641
SS		 2869 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2870 rc = 0;
2871 if (vma->vm_start >= vma->vm_mm->start_brk &&
2872 vma->vm_end <= vma->vm_mm->brk) {
2873 rc = task_has_perm(current, current,
2874 PROCESS__EXECHEAP);
2875 } else if (!vma->vm_file &&
2876 vma->vm_start <= vma->vm_mm->start_stack &&
2877 vma->vm_end >= vma->vm_mm->start_stack) {
2878 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2879 } else if (vma->vm_file && vma->anon_vma) {
2880 /*
2881 * We are making executable a file mapping that has
2882 * had some COW done. Since pages might have been
2883 * written, check ability to execute the possibly
2884 * modified content. This typically should only
2885 * occur for text relocations.
2886 */
2887 rc = file_has_perm(current, vma->vm_file,
2888 FILE__EXECMOD);
2889 }