]> bbs.cooldavid.org Git - net-next-2.6.git/blame - security/selinux/hooks.c
git://bbs.cooldavid.org / net-next-2.6.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
CRED: Detach the credentials from task_struct
[net-next-2.6.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
effad8df 16 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
828dfe1d 17 * Paul Moore <paul.moore@hp.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4
LT		 26#include <linux/init.h>
27#include <linux/kernel.h>
0d094efe 28#include <linux/tracehook.h>
1da177e4
LT		 29#include <linux/errno.h>
30#include <linux/sched.h>
31#include <linux/security.h>
32#include <linux/xattr.h>
33#include <linux/capability.h>
34#include <linux/unistd.h>
35#include <linux/mm.h>
36#include <linux/mman.h>
37#include <linux/slab.h>
38#include <linux/pagemap.h>
39#include <linux/swap.h>
1da177e4
LT		 40#include <linux/spinlock.h>
41#include <linux/syscalls.h>
42#include <linux/file.h>
9f3acc31 43#include <linux/fdtable.h>
1da177e4
LT		 44#include <linux/namei.h>
45#include <linux/mount.h>
1da177e4 46#include <linux/proc_fs.h>
1da177e4
LT		 47#include <linux/netfilter_ipv4.h>
48#include <linux/netfilter_ipv6.h>
49#include <linux/tty.h>
50#include <net/icmp.h>
227b60f5 51#include <net/ip.h> /* for local_port_range[] */
1da177e4 52#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
220deb96 53#include <net/net_namespace.h>
d621d35e 54#include <net/netlabel.h>
f5269710 55#include <linux/uaccess.h>
1da177e4 56#include <asm/ioctls.h>
d621d35e 57#include <asm/atomic.h>
1da177e4
LT		 58#include <linux/bitops.h>
59#include <linux/interrupt.h>
60#include <linux/netdevice.h> /* for network interface checks */
61#include <linux/netlink.h>
62#include <linux/tcp.h>
63#include <linux/udp.h>
2ee92d46 64#include <linux/dccp.h>
1da177e4
LT		 65#include <linux/quota.h>
66#include <linux/un.h> /* for Unix socket types */
67#include <net/af_unix.h> /* for Unix socket types */
68#include <linux/parser.h>
69#include <linux/nfs_mount.h>
70#include <net/ipv6.h>
71#include <linux/hugetlb.h>
72#include <linux/personality.h>
73#include <linux/sysctl.h>
74#include <linux/audit.h>
6931dfc9 75#include <linux/string.h>
877ce7c1 76#include <linux/selinux.h>
23970741 77#include <linux/mutex.h>
f06febc9 78#include <linux/posix-timers.h>
1da177e4
LT		 79
80#include "avc.h"
81#include "objsec.h"
82#include "netif.h"
224dfbd8 83#include "netnode.h"
3e112172 84#include "netport.h"
d28d1e08 85#include "xfrm.h"
c60475bf 86#include "netlabel.h"
9d57a7f9 87#include "audit.h"
1da177e4
LT		 88
89#define XATTR_SELINUX_SUFFIX "selinux"
90#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
91
c9180a57
EP		 92#define NUM_SEL_MNT_OPTS 4
93
1da177e4
LT		 94extern unsigned int policydb_loaded_version;
95extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
4e5ab4cb 96extern int selinux_compat_net;
20510f2f 97extern struct security_operations *security_ops;
1da177e4 98
d621d35e
PM		 99/* SECMARK reference count */
100atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
101
1da177e4 102#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 103int selinux_enforcing;
1da177e4
LT		 104
105static int __init enforcing_setup(char *str)
106{
f5269710
EP		 107 unsigned long enforcing;
108 if (!strict_strtoul(str, 0, &enforcing))
109 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 110 return 1;
111}
112__setup("enforcing=", enforcing_setup);
113#endif
114
115#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
116int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
117
118static int __init selinux_enabled_setup(char *str)
119{
f5269710
EP		 120 unsigned long enabled;
121 if (!strict_strtoul(str, 0, &enabled))
122 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 123 return 1;
124}
125__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 126#else
127int selinux_enabled = 1;
1da177e4
LT		 128#endif
129
1da177e4 130
6f0f0fd4
JM		 131/*
132 * Minimal support for a secondary security module,
133 * just to allow the use of the capability module.
134 */
828dfe1d 135static struct security_operations *secondary_ops;
1da177e4
LT		 136
137/* Lists of inode and superblock security structures initialized
138 before the policy was loaded. */
139static LIST_HEAD(superblock_security_head);
140static DEFINE_SPINLOCK(sb_security_lock);
141
e18b890b 142static struct kmem_cache *sel_inode_cache;
7cae7e26 143
d621d35e
PM		 144/**
145 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
146 *
147 * Description:
148 * This function checks the SECMARK reference counter to see if any SECMARK
149 * targets are currently configured, if the reference counter is greater than
150 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
151 * enabled, false (0) if SECMARK is disabled.
152 *
153 */
154static int selinux_secmark_enabled(void)
155{
156 return (atomic_read(&selinux_secmark_refcount) > 0);
157}
158
1da177e4
LT		 159/* Allocate and free functions for each kind of security blob. */
160
f1752eec 161static int cred_alloc_security(struct cred *cred)
1da177e4
LT		 162{
163 struct task_security_struct *tsec;
164
89d155ef 165 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4
LT		 166 if (!tsec)
167 return -ENOMEM;
168
0356357c 169 tsec->osid = tsec->sid = SECINITSID_UNLABELED;
f1752eec 170 cred->security = tsec;
1da177e4
LT		 171
172 return 0;
173}
174
1da177e4
LT		 175static int inode_alloc_security(struct inode *inode)
176{
b6dff3ec 177 struct task_security_struct *tsec = current->cred->security;
1da177e4
LT		 178 struct inode_security_struct *isec;
179
a02fe132 180 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 181 if (!isec)
182 return -ENOMEM;
183
23970741 184 mutex_init(&isec->lock);
1da177e4 185 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 186 isec->inode = inode;
187 isec->sid = SECINITSID_UNLABELED;
188 isec->sclass = SECCLASS_FILE;
9ac49d22 189 isec->task_sid = tsec->sid;
1da177e4
LT		 190 inode->i_security = isec;
191
192 return 0;
193}
194
195static void inode_free_security(struct inode *inode)
196{
197 struct inode_security_struct *isec = inode->i_security;
198 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
199
1da177e4
LT		 200 spin_lock(&sbsec->isec_lock);
201 if (!list_empty(&isec->list))
202 list_del_init(&isec->list);
203 spin_unlock(&sbsec->isec_lock);
204
205 inode->i_security = NULL;
7cae7e26 206 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 207}
208
209static int file_alloc_security(struct file *file)
210{
b6dff3ec 211 struct task_security_struct *tsec = current->cred->security;
1da177e4
LT		 212 struct file_security_struct *fsec;
213
26d2a4be 214 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 215 if (!fsec)
216 return -ENOMEM;
217
9ac49d22
SS		 218 fsec->sid = tsec->sid;
219 fsec->fown_sid = tsec->sid;
1da177e4
LT		 220 file->f_security = fsec;
221
222 return 0;
223}
224
225static void file_free_security(struct file *file)
226{
227 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 228 file->f_security = NULL;
229 kfree(fsec);
230}
231
232static int superblock_alloc_security(struct super_block *sb)
233{
234 struct superblock_security_struct *sbsec;
235
89d155ef 236 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 237 if (!sbsec)
238 return -ENOMEM;
239
bc7e982b 240 mutex_init(&sbsec->lock);
1da177e4
LT		 241 INIT_LIST_HEAD(&sbsec->list);
242 INIT_LIST_HEAD(&sbsec->isec_head);
243 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 244 sbsec->sb = sb;
245 sbsec->sid = SECINITSID_UNLABELED;
246 sbsec->def_sid = SECINITSID_FILE;
c312feb2 247 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 248 sb->s_security = sbsec;
249
250 return 0;
251}
252
253static void superblock_free_security(struct super_block *sb)
254{
255 struct superblock_security_struct *sbsec = sb->s_security;
256
1da177e4
LT		 257 spin_lock(&sb_security_lock);
258 if (!list_empty(&sbsec->list))
259 list_del_init(&sbsec->list);
260 spin_unlock(&sb_security_lock);
261
262 sb->s_security = NULL;
263 kfree(sbsec);
264}
265
7d877f3b 266static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4
LT		 267{
268 struct sk_security_struct *ssec;
269
89d155ef 270 ssec = kzalloc(sizeof(*ssec), priority);
1da177e4
LT		 271 if (!ssec)
272 return -ENOMEM;
273
1da177e4 274 ssec->peer_sid = SECINITSID_UNLABELED;
892c141e 275 ssec->sid = SECINITSID_UNLABELED;
1da177e4
LT		 276 sk->sk_security = ssec;
277
f74af6e8 278 selinux_netlbl_sk_security_reset(ssec, family);
99f59ed0 279
1da177e4
LT		 280 return 0;
281}
282
283static void sk_free_security(struct sock *sk)
284{
285 struct sk_security_struct *ssec = sk->sk_security;
286
1da177e4 287 sk->sk_security = NULL;
6c5b3fc0 288 selinux_netlbl_sk_security_free(ssec);
1da177e4
LT		 289 kfree(ssec);
290}
1da177e4
LT		 291
292/* The security server must be initialized before
293 any labeling or access decisions can be provided. */
294extern int ss_initialized;
295
296/* The file system's label must be initialized prior to use. */
297
298static char *labeling_behaviors[6] = {
299 "uses xattr",
300 "uses transition SIDs",
301 "uses task SIDs",
302 "uses genfs_contexts",
303 "not configured for labeling",
304 "uses mountpoint labeling",
305};
306
307static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
308
309static inline int inode_doinit(struct inode *inode)
310{
311 return inode_doinit_with_dentry(inode, NULL);
312}
313
314enum {
31e87930 315 Opt_error = -1,
1da177e4
LT		 316 Opt_context = 1,
317 Opt_fscontext = 2,
c9180a57
EP		 318 Opt_defcontext = 3,
319 Opt_rootcontext = 4,
1da177e4
LT		 320};
321
a447c093 322static const match_table_t tokens = {
832cbd9a
EP		 323 {Opt_context, CONTEXT_STR "%s"},
324 {Opt_fscontext, FSCONTEXT_STR "%s"},
325 {Opt_defcontext, DEFCONTEXT_STR "%s"},
326 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
31e87930 327 {Opt_error, NULL},
1da177e4
LT		 328};
329
330#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
331
c312feb2
EP		 332static int may_context_mount_sb_relabel(u32 sid,
333 struct superblock_security_struct *sbsec,
334 struct task_security_struct *tsec)
335{
336 int rc;
337
338 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
339 FILESYSTEM__RELABELFROM, NULL);
340 if (rc)
341 return rc;
342
343 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
344 FILESYSTEM__RELABELTO, NULL);
345 return rc;
346}
347
0808925e
EP		 348static int may_context_mount_inode_relabel(u32 sid,
349 struct superblock_security_struct *sbsec,
350 struct task_security_struct *tsec)
351{
352 int rc;
353 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
354 FILESYSTEM__RELABELFROM, NULL);
355 if (rc)
356 return rc;
357
358 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
359 FILESYSTEM__ASSOCIATE, NULL);
360 return rc;
361}
362
c9180a57 363static int sb_finish_set_opts(struct super_block *sb)
1da177e4 364{
1da177e4 365 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 366 struct dentry *root = sb->s_root;
367 struct inode *root_inode = root->d_inode;
368 int rc = 0;
1da177e4 369
c9180a57
EP		 370 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
371 /* Make sure that the xattr handler exists and that no
372 error other than -ENODATA is returned by getxattr on
373 the root directory. -ENODATA is ok, as this may be
374 the first boot of the SELinux kernel before we have
375 assigned xattr values to the filesystem. */
376 if (!root_inode->i_op->getxattr) {
377 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
378 "xattr support\n", sb->s_id, sb->s_type->name);
379 rc = -EOPNOTSUPP;
380 goto out;
381 }
382 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
383 if (rc < 0 && rc != -ENODATA) {
384 if (rc == -EOPNOTSUPP)
385 printk(KERN_WARNING "SELinux: (dev %s, type "
386 "%s) has no security xattr handler\n",
387 sb->s_id, sb->s_type->name);
388 else
389 printk(KERN_WARNING "SELinux: (dev %s, type "
390 "%s) getxattr errno %d\n", sb->s_id,
391 sb->s_type->name, -rc);
392 goto out;
393 }
394 }
1da177e4 395
c9180a57 396 sbsec->initialized = 1;
1da177e4 397
c9180a57
EP		 398 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
399 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
400 sb->s_id, sb->s_type->name);
401 else
402 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
403 sb->s_id, sb->s_type->name,
404 labeling_behaviors[sbsec->behavior-1]);
1da177e4 405
c9180a57
EP		 406 /* Initialize the root inode. */
407 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 408
c9180a57
EP		 409 /* Initialize any other inodes associated with the superblock, e.g.
410 inodes created prior to initial policy load or inodes created
411 during get_sb by a pseudo filesystem that directly
412 populates itself. */
413 spin_lock(&sbsec->isec_lock);
414next_inode:
415 if (!list_empty(&sbsec->isec_head)) {
416 struct inode_security_struct *isec =
417 list_entry(sbsec->isec_head.next,
418 struct inode_security_struct, list);
419 struct inode *inode = isec->inode;
420 spin_unlock(&sbsec->isec_lock);
421 inode = igrab(inode);
422 if (inode) {
423 if (!IS_PRIVATE(inode))
424 inode_doinit(inode);
425 iput(inode);
426 }
427 spin_lock(&sbsec->isec_lock);
428 list_del_init(&isec->list);
429 goto next_inode;
430 }
431 spin_unlock(&sbsec->isec_lock);
432out:
433 return rc;
434}
1da177e4 435
c9180a57
EP		 436/*
437 * This function should allow an FS to ask what it's mount security
438 * options were so it can use those later for submounts, displaying
439 * mount options, or whatever.
440 */
441static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 442 struct security_mnt_opts *opts)
c9180a57
EP		 443{
444 int rc = 0, i;
445 struct superblock_security_struct *sbsec = sb->s_security;
446 char *context = NULL;
447 u32 len;
448 char tmp;
1da177e4 449
e0007529 450 security_init_mnt_opts(opts);
1da177e4 451
c9180a57
EP		 452 if (!sbsec->initialized)
453 return -EINVAL;
1da177e4 454
c9180a57
EP		 455 if (!ss_initialized)
456 return -EINVAL;
1da177e4 457
c9180a57
EP		 458 /*
459 * if we ever use sbsec flags for anything other than tracking mount
460 * settings this is going to need a mask
461 */
462 tmp = sbsec->flags;
463 /* count the number of mount options for this sb */
464 for (i = 0; i < 8; i++) {
465 if (tmp & 0x01)
e0007529 466 opts->num_mnt_opts++;
c9180a57
EP		 467 tmp >>= 1;
468 }
1da177e4 469
e0007529
EP		 470 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
471 if (!opts->mnt_opts) {
c9180a57
EP		 472 rc = -ENOMEM;
473 goto out_free;
474 }
1da177e4 475
e0007529
EP		 476 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
477 if (!opts->mnt_opts_flags) {
c9180a57
EP		 478 rc = -ENOMEM;
479 goto out_free;
480 }
1da177e4 481
c9180a57
EP		 482 i = 0;
483 if (sbsec->flags & FSCONTEXT_MNT) {
484 rc = security_sid_to_context(sbsec->sid, &context, &len);
485 if (rc)
486 goto out_free;
e0007529
EP		 487 opts->mnt_opts[i] = context;
488 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 489 }
490 if (sbsec->flags & CONTEXT_MNT) {
491 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
492 if (rc)
493 goto out_free;
e0007529
EP		 494 opts->mnt_opts[i] = context;
495 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 496 }
497 if (sbsec->flags & DEFCONTEXT_MNT) {
498 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
499 if (rc)
500 goto out_free;
e0007529
EP		 501 opts->mnt_opts[i] = context;
502 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 503 }
504 if (sbsec->flags & ROOTCONTEXT_MNT) {
505 struct inode *root = sbsec->sb->s_root->d_inode;
506 struct inode_security_struct *isec = root->i_security;
0808925e 507
c9180a57
EP		 508 rc = security_sid_to_context(isec->sid, &context, &len);
509 if (rc)
510 goto out_free;
e0007529
EP		 511 opts->mnt_opts[i] = context;
512 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 513 }
1da177e4 514
e0007529 515 BUG_ON(i != opts->num_mnt_opts);
1da177e4 516
c9180a57
EP		 517 return 0;
518
519out_free:
e0007529 520 security_free_mnt_opts(opts);
c9180a57
EP		 521 return rc;
522}
1da177e4 523
c9180a57
EP		 524static int bad_option(struct superblock_security_struct *sbsec, char flag,
525 u32 old_sid, u32 new_sid)
526{
527 /* check if the old mount command had the same options */
528 if (sbsec->initialized)
529 if (!(sbsec->flags & flag) ||
530 (old_sid != new_sid))
531 return 1;
532
533 /* check if we were passed the same options twice,
534 * aka someone passed context=a,context=b
535 */
536 if (!sbsec->initialized)
537 if (sbsec->flags & flag)
538 return 1;
539 return 0;
540}
e0007529 541
c9180a57
EP		 542/*
543 * Allow filesystems with binary mount data to explicitly set mount point
544 * labeling information.
545 */
e0007529
EP		 546static int selinux_set_mnt_opts(struct super_block *sb,
547 struct security_mnt_opts *opts)
c9180a57
EP		 548{
549 int rc = 0, i;
b6dff3ec 550 struct task_security_struct *tsec = current->cred->security;
c9180a57
EP		 551 struct superblock_security_struct *sbsec = sb->s_security;
552 const char *name = sb->s_type->name;
089be43e
JM		 553 struct inode *inode = sbsec->sb->s_root->d_inode;
554 struct inode_security_struct *root_isec = inode->i_security;
c9180a57
EP		 555 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
556 u32 defcontext_sid = 0;
e0007529
EP		 557 char **mount_options = opts->mnt_opts;
558 int *flags = opts->mnt_opts_flags;
559 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 560
561 mutex_lock(&sbsec->lock);
562
563 if (!ss_initialized) {
564 if (!num_opts) {
565 /* Defer initialization until selinux_complete_init,
566 after the initial policy is loaded and the security
567 server is ready to handle calls. */
568 spin_lock(&sb_security_lock);
569 if (list_empty(&sbsec->list))
570 list_add(&sbsec->list, &superblock_security_head);
571 spin_unlock(&sb_security_lock);
572 goto out;
573 }
574 rc = -EINVAL;
744ba35e
EP		 575 printk(KERN_WARNING "SELinux: Unable to set superblock options "
576 "before the security server is initialized\n");
1da177e4 577 goto out;
c9180a57 578 }
1da177e4 579
e0007529
EP		 580 /*
581 * Binary mount data FS will come through this function twice. Once
582 * from an explicit call and once from the generic calls from the vfs.
583 * Since the generic VFS calls will not contain any security mount data
584 * we need to skip the double mount verification.
585 *
586 * This does open a hole in which we will not notice if the first
587 * mount using this sb set explict options and a second mount using
588 * this sb does not set any security options. (The first options
589 * will be used for both mounts)
590 */
591 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
592 && (num_opts == 0))
f5269710 593 goto out;
e0007529 594
c9180a57
EP		 595 /*
596 * parse the mount options, check if they are valid sids.
597 * also check if someone is trying to mount the same sb more
598 * than once with different security options.
599 */
600 for (i = 0; i < num_opts; i++) {
601 u32 sid;
602 rc = security_context_to_sid(mount_options[i],
603 strlen(mount_options[i]), &sid);
1da177e4
LT		 604 if (rc) {
605 printk(KERN_WARNING "SELinux: security_context_to_sid"
606 "(%s) failed for (dev %s, type %s) errno=%d\n",
c9180a57
EP		 607 mount_options[i], sb->s_id, name, rc);
608 goto out;
609 }
610 switch (flags[i]) {
611 case FSCONTEXT_MNT:
612 fscontext_sid = sid;
613
614 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
615 fscontext_sid))
616 goto out_double_mount;
617
618 sbsec->flags |= FSCONTEXT_MNT;
619 break;
620 case CONTEXT_MNT:
621 context_sid = sid;
622
623 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
624 context_sid))
625 goto out_double_mount;
626
627 sbsec->flags |= CONTEXT_MNT;
628 break;
629 case ROOTCONTEXT_MNT:
630 rootcontext_sid = sid;
631
632 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
633 rootcontext_sid))
634 goto out_double_mount;
635
636 sbsec->flags |= ROOTCONTEXT_MNT;
637
638 break;
639 case DEFCONTEXT_MNT:
640 defcontext_sid = sid;
641
642 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
643 defcontext_sid))
644 goto out_double_mount;
645
646 sbsec->flags |= DEFCONTEXT_MNT;
647
648 break;
649 default:
650 rc = -EINVAL;
651 goto out;
1da177e4 652 }
c9180a57
EP		 653 }
654
655 if (sbsec->initialized) {
656 /* previously mounted with options, but not on this attempt? */
657 if (sbsec->flags && !num_opts)
658 goto out_double_mount;
659 rc = 0;
660 goto out;
661 }
662
089be43e 663 if (strcmp(sb->s_type->name, "proc") == 0)
c9180a57
EP		 664 sbsec->proc = 1;
665
666 /* Determine the labeling behavior to use for this filesystem type. */
089be43e 667 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
c9180a57
EP		 668 if (rc) {
669 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
089be43e 670 __func__, sb->s_type->name, rc);
c9180a57
EP		 671 goto out;
672 }
1da177e4 673
c9180a57
EP		 674 /* sets the context of the superblock for the fs being mounted. */
675 if (fscontext_sid) {
676
677 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
1da177e4 678 if (rc)
c9180a57 679 goto out;
1da177e4 680
c9180a57 681 sbsec->sid = fscontext_sid;
c312feb2
EP		 682 }
683
684 /*
685 * Switch to using mount point labeling behavior.
686 * sets the label used on all file below the mountpoint, and will set
687 * the superblock context if not already set.
688 */
c9180a57
EP		 689 if (context_sid) {
690 if (!fscontext_sid) {
691 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
b04ea3ce 692 if (rc)
c9180a57
EP		 693 goto out;
694 sbsec->sid = context_sid;
b04ea3ce 695 } else {
c9180a57 696 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
b04ea3ce 697 if (rc)
c9180a57 698 goto out;
b04ea3ce 699 }
c9180a57
EP		 700 if (!rootcontext_sid)
701 rootcontext_sid = context_sid;
1da177e4 702
c9180a57 703 sbsec->mntpoint_sid = context_sid;
c312feb2 704 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 705 }
706
c9180a57
EP		 707 if (rootcontext_sid) {
708 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
0808925e 709 if (rc)
c9180a57 710 goto out;
0808925e 711
c9180a57
EP		 712 root_isec->sid = rootcontext_sid;
713 root_isec->initialized = 1;
0808925e
EP		 714 }
715
c9180a57
EP		 716 if (defcontext_sid) {
717 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
718 rc = -EINVAL;
719 printk(KERN_WARNING "SELinux: defcontext option is "
720 "invalid for this filesystem type\n");
721 goto out;
1da177e4
LT		 722 }
723
c9180a57
EP		 724 if (defcontext_sid != sbsec->def_sid) {
725 rc = may_context_mount_inode_relabel(defcontext_sid,
726 sbsec, tsec);
727 if (rc)
728 goto out;
729 }
1da177e4 730
c9180a57 731 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 732 }
733
c9180a57 734 rc = sb_finish_set_opts(sb);
1da177e4 735out:
c9180a57 736 mutex_unlock(&sbsec->lock);
1da177e4 737 return rc;
c9180a57
EP		 738out_double_mount:
739 rc = -EINVAL;
740 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
741 "security settings for (dev %s, type %s)\n", sb->s_id, name);
742 goto out;
1da177e4
LT		 743}
744
c9180a57
EP		 745static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
746 struct super_block *newsb)
1da177e4 747{
c9180a57
EP		 748 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
749 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 750
c9180a57
EP		 751 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
752 int set_context = (oldsbsec->flags & CONTEXT_MNT);
753 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 754
0f5e6420
EP		 755 /*
756 * if the parent was able to be mounted it clearly had no special lsm
757 * mount options. thus we can safely put this sb on the list and deal
758 * with it later
759 */
760 if (!ss_initialized) {
761 spin_lock(&sb_security_lock);
762 if (list_empty(&newsbsec->list))
763 list_add(&newsbsec->list, &superblock_security_head);
764 spin_unlock(&sb_security_lock);
765 return;
766 }
c9180a57 767
c9180a57
EP		 768 /* how can we clone if the old one wasn't set up?? */
769 BUG_ON(!oldsbsec->initialized);
770
5a552617
EP		 771 /* if fs is reusing a sb, just let its options stand... */
772 if (newsbsec->initialized)
773 return;
774
c9180a57
EP		 775 mutex_lock(&newsbsec->lock);
776
777 newsbsec->flags = oldsbsec->flags;
778
779 newsbsec->sid = oldsbsec->sid;
780 newsbsec->def_sid = oldsbsec->def_sid;
781 newsbsec->behavior = oldsbsec->behavior;
782
783 if (set_context) {
784 u32 sid = oldsbsec->mntpoint_sid;
785
786 if (!set_fscontext)
787 newsbsec->sid = sid;
788 if (!set_rootcontext) {
789 struct inode *newinode = newsb->s_root->d_inode;
790 struct inode_security_struct *newisec = newinode->i_security;
791 newisec->sid = sid;
792 }
793 newsbsec->mntpoint_sid = sid;
1da177e4 794 }
c9180a57
EP		 795 if (set_rootcontext) {
796 const struct inode *oldinode = oldsb->s_root->d_inode;
797 const struct inode_security_struct *oldisec = oldinode->i_security;
798 struct inode *newinode = newsb->s_root->d_inode;
799 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 800
c9180a57 801 newisec->sid = oldisec->sid;
1da177e4
LT		 802 }
803
c9180a57
EP		 804 sb_finish_set_opts(newsb);
805 mutex_unlock(&newsbsec->lock);
806}
807
2e1479d9
AB		 808static int selinux_parse_opts_str(char *options,
809 struct security_mnt_opts *opts)
c9180a57 810{
e0007529 811 char *p;
c9180a57
EP		 812 char *context = NULL, *defcontext = NULL;
813 char *fscontext = NULL, *rootcontext = NULL;
e0007529 814 int rc, num_mnt_opts = 0;
1da177e4 815
e0007529 816 opts->num_mnt_opts = 0;
1da177e4 817
c9180a57
EP		 818 /* Standard string-based options. */
819 while ((p = strsep(&options, "|")) != NULL) {
820 int token;
821 substring_t args[MAX_OPT_ARGS];
1da177e4 822
c9180a57
EP		 823 if (!*p)
824 continue;
1da177e4 825
c9180a57 826 token = match_token(p, tokens, args);
1da177e4 827
c9180a57
EP		 828 switch (token) {
829 case Opt_context:
830 if (context || defcontext) {
831 rc = -EINVAL;
832 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
833 goto out_err;
834 }
835 context = match_strdup(&args[0]);
836 if (!context) {
837 rc = -ENOMEM;
838 goto out_err;
839 }
840 break;
841
842 case Opt_fscontext:
843 if (fscontext) {
844 rc = -EINVAL;
845 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
846 goto out_err;
847 }
848 fscontext = match_strdup(&args[0]);
849 if (!fscontext) {
850 rc = -ENOMEM;
851 goto out_err;
852 }
853 break;
854
855 case Opt_rootcontext:
856 if (rootcontext) {
857 rc = -EINVAL;
858 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
859 goto out_err;
860 }
861 rootcontext = match_strdup(&args[0]);
862 if (!rootcontext) {
863 rc = -ENOMEM;
864 goto out_err;
865 }
866 break;
867
868 case Opt_defcontext:
869 if (context || defcontext) {
870 rc = -EINVAL;
871 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
872 goto out_err;
873 }
874 defcontext = match_strdup(&args[0]);
875 if (!defcontext) {
876 rc = -ENOMEM;
877 goto out_err;
878 }
879 break;
880
881 default:
882 rc = -EINVAL;
883 printk(KERN_WARNING "SELinux: unknown mount option\n");
884 goto out_err;
1da177e4 885
1da177e4 886 }
1da177e4 887 }
c9180a57 888
e0007529
EP		 889 rc = -ENOMEM;
890 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
891 if (!opts->mnt_opts)
892 goto out_err;
893
894 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
895 if (!opts->mnt_opts_flags) {
896 kfree(opts->mnt_opts);
897 goto out_err;
898 }
899
c9180a57 900 if (fscontext) {
e0007529
EP		 901 opts->mnt_opts[num_mnt_opts] = fscontext;
902 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 903 }
904 if (context) {
e0007529
EP		 905 opts->mnt_opts[num_mnt_opts] = context;
906 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 907 }
908 if (rootcontext) {
e0007529
EP		 909 opts->mnt_opts[num_mnt_opts] = rootcontext;
910 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 911 }
912 if (defcontext) {
e0007529
EP		 913 opts->mnt_opts[num_mnt_opts] = defcontext;
914 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 915 }
916
e0007529
EP		 917 opts->num_mnt_opts = num_mnt_opts;
918 return 0;
919
c9180a57
EP		 920out_err:
921 kfree(context);
922 kfree(defcontext);
923 kfree(fscontext);
924 kfree(rootcontext);
1da177e4
LT		 925 return rc;
926}
e0007529
EP		 927/*
928 * string mount options parsing and call set the sbsec
929 */
930static int superblock_doinit(struct super_block *sb, void *data)
931{
932 int rc = 0;
933 char *options = data;
934 struct security_mnt_opts opts;
935
936 security_init_mnt_opts(&opts);
937
938 if (!data)
939 goto out;
940
941 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
942
943 rc = selinux_parse_opts_str(options, &opts);
944 if (rc)
945 goto out_err;
946
947out:
948 rc = selinux_set_mnt_opts(sb, &opts);
949
950out_err:
951 security_free_mnt_opts(&opts);
952 return rc;
953}
1da177e4 954
3583a711
AB		 955static void selinux_write_opts(struct seq_file *m,
956 struct security_mnt_opts *opts)
2069f457
EP		 957{
958 int i;
959 char *prefix;
960
961 for (i = 0; i < opts->num_mnt_opts; i++) {
962 char *has_comma = strchr(opts->mnt_opts[i], ',');
963
964 switch (opts->mnt_opts_flags[i]) {
965 case CONTEXT_MNT:
966 prefix = CONTEXT_STR;
967 break;
968 case FSCONTEXT_MNT:
969 prefix = FSCONTEXT_STR;
970 break;
971 case ROOTCONTEXT_MNT:
972 prefix = ROOTCONTEXT_STR;
973 break;
974 case DEFCONTEXT_MNT:
975 prefix = DEFCONTEXT_STR;
976 break;
977 default:
978 BUG();
979 };
980 /* we need a comma before each option */
981 seq_putc(m, ',');
982 seq_puts(m, prefix);
983 if (has_comma)
984 seq_putc(m, '\"');
985 seq_puts(m, opts->mnt_opts[i]);
986 if (has_comma)
987 seq_putc(m, '\"');
988 }
989}
990
991static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
992{
993 struct security_mnt_opts opts;
994 int rc;
995
996 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 997 if (rc) {
998 /* before policy load we may get EINVAL, don't show anything */
999 if (rc == -EINVAL)
1000 rc = 0;
2069f457 1001 return rc;
383795c2 1002 }
2069f457
EP		 1003
1004 selinux_write_opts(m, &opts);
1005
1006 security_free_mnt_opts(&opts);
1007
1008 return rc;
1009}
1010
1da177e4
LT		 1011static inline u16 inode_mode_to_security_class(umode_t mode)
1012{
1013 switch (mode & S_IFMT) {
1014 case S_IFSOCK:
1015 return SECCLASS_SOCK_FILE;
1016 case S_IFLNK:
1017 return SECCLASS_LNK_FILE;
1018 case S_IFREG:
1019 return SECCLASS_FILE;
1020 case S_IFBLK:
1021 return SECCLASS_BLK_FILE;
1022 case S_IFDIR:
1023 return SECCLASS_DIR;
1024 case S_IFCHR:
1025 return SECCLASS_CHR_FILE;
1026 case S_IFIFO:
1027 return SECCLASS_FIFO_FILE;
1028
1029 }
1030
1031 return SECCLASS_FILE;
1032}
1033
13402580
JM		 1034static inline int default_protocol_stream(int protocol)
1035{
1036 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1037}
1038
1039static inline int default_protocol_dgram(int protocol)
1040{
1041 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1042}
1043
1da177e4
LT		 1044static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1045{
1046 switch (family) {
1047 case PF_UNIX:
1048 switch (type) {
1049 case SOCK_STREAM:
1050 case SOCK_SEQPACKET:
1051 return SECCLASS_UNIX_STREAM_SOCKET;
1052 case SOCK_DGRAM:
1053 return SECCLASS_UNIX_DGRAM_SOCKET;
1054 }
1055 break;
1056 case PF_INET:
1057 case PF_INET6:
1058 switch (type) {
1059 case SOCK_STREAM:
13402580
JM		 1060 if (default_protocol_stream(protocol))
1061 return SECCLASS_TCP_SOCKET;
1062 else
1063 return SECCLASS_RAWIP_SOCKET;
1da177e4 1064 case SOCK_DGRAM:
13402580
JM		 1065 if (default_protocol_dgram(protocol))
1066 return SECCLASS_UDP_SOCKET;
1067 else
1068 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1069 case SOCK_DCCP:
1070 return SECCLASS_DCCP_SOCKET;
13402580 1071 default:
1da177e4
LT		 1072 return SECCLASS_RAWIP_SOCKET;
1073 }
1074 break;
1075 case PF_NETLINK:
1076 switch (protocol) {
1077 case NETLINK_ROUTE:
1078 return SECCLASS_NETLINK_ROUTE_SOCKET;
1079 case NETLINK_FIREWALL:
1080 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 1081 case NETLINK_INET_DIAG:
1da177e4
LT		 1082 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1083 case NETLINK_NFLOG:
1084 return SECCLASS_NETLINK_NFLOG_SOCKET;
1085 case NETLINK_XFRM:
1086 return SECCLASS_NETLINK_XFRM_SOCKET;
1087 case NETLINK_SELINUX:
1088 return SECCLASS_NETLINK_SELINUX_SOCKET;
1089 case NETLINK_AUDIT:
1090 return SECCLASS_NETLINK_AUDIT_SOCKET;
1091 case NETLINK_IP6_FW:
1092 return SECCLASS_NETLINK_IP6FW_SOCKET;
1093 case NETLINK_DNRTMSG:
1094 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1095 case NETLINK_KOBJECT_UEVENT:
1096 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1097 default:
1098 return SECCLASS_NETLINK_SOCKET;
1099 }
1100 case PF_PACKET:
1101 return SECCLASS_PACKET_SOCKET;
1102 case PF_KEY:
1103 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1104 case PF_APPLETALK:
1105 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1106 }
1107
1108 return SECCLASS_SOCKET;
1109}
1110
1111#ifdef CONFIG_PROC_FS
1112static int selinux_proc_get_sid(struct proc_dir_entry *de,
1113 u16 tclass,
1114 u32 *sid)
1115{
1116 int buflen, rc;
1117 char *buffer, *path, *end;
1118
828dfe1d 1119 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1120 if (!buffer)
1121 return -ENOMEM;
1122
1123 buflen = PAGE_SIZE;
1124 end = buffer+buflen;
1125 *--end = '\0';
1126 buflen--;
1127 path = end-1;
1128 *path = '/';
1129 while (de && de != de->parent) {
1130 buflen -= de->namelen + 1;
1131 if (buflen < 0)
1132 break;
1133 end -= de->namelen;
1134 memcpy(end, de->name, de->namelen);
1135 *--end = '/';
1136 path = end;
1137 de = de->parent;
1138 }
1139 rc = security_genfs_sid("proc", path, tclass, sid);
1140 free_page((unsigned long)buffer);
1141 return rc;
1142}
1143#else
1144static int selinux_proc_get_sid(struct proc_dir_entry *de,
1145 u16 tclass,
1146 u32 *sid)
1147{
1148 return -EINVAL;
1149}
1150#endif
1151
1152/* The inode's security attributes must be initialized before first use. */
1153static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1154{
1155 struct superblock_security_struct *sbsec = NULL;
1156 struct inode_security_struct *isec = inode->i_security;
1157 u32 sid;
1158 struct dentry *dentry;
1159#define INITCONTEXTLEN 255
1160 char *context = NULL;
1161 unsigned len = 0;
1162 int rc = 0;
1da177e4
LT		 1163
1164 if (isec->initialized)
1165 goto out;
1166
23970741 1167 mutex_lock(&isec->lock);
1da177e4 1168 if (isec->initialized)
23970741 1169 goto out_unlock;
1da177e4
LT		 1170
1171 sbsec = inode->i_sb->s_security;
1172 if (!sbsec->initialized) {
1173 /* Defer initialization until selinux_complete_init,
1174 after the initial policy is loaded and the security
1175 server is ready to handle calls. */
1176 spin_lock(&sbsec->isec_lock);
1177 if (list_empty(&isec->list))
1178 list_add(&isec->list, &sbsec->isec_head);
1179 spin_unlock(&sbsec->isec_lock);
23970741 1180 goto out_unlock;
1da177e4
LT		 1181 }
1182
1183 switch (sbsec->behavior) {
1184 case SECURITY_FS_USE_XATTR:
1185 if (!inode->i_op->getxattr) {
1186 isec->sid = sbsec->def_sid;
1187 break;
1188 }
1189
1190 /* Need a dentry, since the xattr API requires one.
1191 Life would be simpler if we could just pass the inode. */
1192 if (opt_dentry) {
1193 /* Called from d_instantiate or d_splice_alias. */
1194 dentry = dget(opt_dentry);
1195 } else {
1196 /* Called from selinux_complete_init, try to find a dentry. */
1197 dentry = d_find_alias(inode);
1198 }
1199 if (!dentry) {
744ba35e 1200 printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s "
dd6f953a 1201 "ino=%ld\n", __func__, inode->i_sb->s_id,
1da177e4 1202 inode->i_ino);
23970741 1203 goto out_unlock;
1da177e4
LT		 1204 }
1205
1206 len = INITCONTEXTLEN;
869ab514 1207 context = kmalloc(len, GFP_NOFS);
1da177e4
LT		 1208 if (!context) {
1209 rc = -ENOMEM;
1210 dput(dentry);
23970741 1211 goto out_unlock;
1da177e4
LT		 1212 }
1213 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1214 context, len);
1215 if (rc == -ERANGE) {
1216 /* Need a larger buffer. Query for the right size. */
1217 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1218 NULL, 0);
1219 if (rc < 0) {
1220 dput(dentry);
23970741 1221 goto out_unlock;
1da177e4
LT		 1222 }
1223 kfree(context);
1224 len = rc;
869ab514 1225 context = kmalloc(len, GFP_NOFS);
1da177e4
LT		 1226 if (!context) {
1227 rc = -ENOMEM;
1228 dput(dentry);
23970741 1229 goto out_unlock;
1da177e4
LT		 1230 }
1231 rc = inode->i_op->getxattr(dentry,
1232 XATTR_NAME_SELINUX,
1233 context, len);
1234 }
1235 dput(dentry);
1236 if (rc < 0) {
1237 if (rc != -ENODATA) {
744ba35e 1238 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1239 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1240 -rc, inode->i_sb->s_id, inode->i_ino);
1241 kfree(context);
23970741 1242 goto out_unlock;
1da177e4
LT		 1243 }
1244 /* Map ENODATA to the default file SID */
1245 sid = sbsec->def_sid;
1246 rc = 0;
1247 } else {
f5c1d5b2 1248 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1249 sbsec->def_sid,
1250 GFP_NOFS);
1da177e4 1251 if (rc) {
744ba35e 1252 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1da177e4 1253 "returned %d for dev=%s ino=%ld\n",
dd6f953a 1254 __func__, context, -rc,
1da177e4
LT		 1255 inode->i_sb->s_id, inode->i_ino);
1256 kfree(context);
1257 /* Leave with the unlabeled SID */
1258 rc = 0;
1259 break;
1260 }
1261 }
1262 kfree(context);
1263 isec->sid = sid;
1264 break;
1265 case SECURITY_FS_USE_TASK:
1266 isec->sid = isec->task_sid;
1267 break;
1268 case SECURITY_FS_USE_TRANS:
1269 /* Default to the fs SID. */
1270 isec->sid = sbsec->sid;
1271
1272 /* Try to obtain a transition SID. */
1273 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1274 rc = security_transition_sid(isec->task_sid,
1275 sbsec->sid,
1276 isec->sclass,
1277 &sid);
1278 if (rc)
23970741 1279 goto out_unlock;
1da177e4
LT		 1280 isec->sid = sid;
1281 break;
c312feb2
EP		 1282 case SECURITY_FS_USE_MNTPOINT:
1283 isec->sid = sbsec->mntpoint_sid;
1284 break;
1da177e4 1285 default:
c312feb2 1286 /* Default to the fs superblock SID. */
1da177e4
LT		 1287 isec->sid = sbsec->sid;
1288
ea6b184f 1289 if (sbsec->proc && !S_ISLNK(inode->i_mode)) {
1da177e4
LT		 1290 struct proc_inode *proci = PROC_I(inode);
1291 if (proci->pde) {
1292 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1293 rc = selinux_proc_get_sid(proci->pde,
1294 isec->sclass,
1295 &sid);
1296 if (rc)
23970741 1297 goto out_unlock;
1da177e4
LT		 1298 isec->sid = sid;
1299 }
1300 }
1301 break;
1302 }
1303
1304 isec->initialized = 1;
1305
23970741
EP		 1306out_unlock:
1307 mutex_unlock(&isec->lock);
1da177e4
LT		 1308out:
1309 if (isec->sclass == SECCLASS_FILE)
1310 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1311 return rc;
1312}
1313
1314/* Convert a Linux signal to an access vector. */
1315static inline u32 signal_to_av(int sig)
1316{
1317 u32 perm = 0;
1318
1319 switch (sig) {
1320 case SIGCHLD:
1321 /* Commonly granted from child to parent. */
1322 perm = PROCESS__SIGCHLD;
1323 break;
1324 case SIGKILL:
1325 /* Cannot be caught or ignored */
1326 perm = PROCESS__SIGKILL;
1327 break;
1328 case SIGSTOP:
1329 /* Cannot be caught or ignored */
1330 perm = PROCESS__SIGSTOP;
1331 break;
1332 default:
1333 /* All other signals. */
1334 perm = PROCESS__SIGNAL;
1335 break;
1336 }
1337
1338 return perm;
1339}
1340
1341/* Check permission betweeen a pair of tasks, e.g. signal checks,
1342 fork check, ptrace check, etc. */
1343static int task_has_perm(struct task_struct *tsk1,
1344 struct task_struct *tsk2,
1345 u32 perms)
1346{
1347 struct task_security_struct *tsec1, *tsec2;
1348
b6dff3ec
DH		 1349 tsec1 = tsk1->cred->security;
1350 tsec2 = tsk2->cred->security;
1da177e4
LT		 1351 return avc_has_perm(tsec1->sid, tsec2->sid,
1352 SECCLASS_PROCESS, perms, NULL);
1353}
1354
b68e418c
SS		 1355#if CAP_LAST_CAP > 63
1356#error Fix SELinux to handle capabilities > 63.
1357#endif
1358
1da177e4
LT		 1359/* Check whether a task is allowed to use a capability. */
1360static int task_has_capability(struct task_struct *tsk,
06112163 1361 int cap, int audit)
1da177e4
LT		 1362{
1363 struct task_security_struct *tsec;
1364 struct avc_audit_data ad;
06112163 1365 struct av_decision avd;
b68e418c
SS		 1366 u16 sclass;
1367 u32 av = CAP_TO_MASK(cap);
06112163 1368 int rc;
1da177e4 1369
b6dff3ec 1370 tsec = tsk->cred->security;
1da177e4 1371
828dfe1d 1372 AVC_AUDIT_DATA_INIT(&ad, CAP);
1da177e4
LT		 1373 ad.tsk = tsk;
1374 ad.u.cap = cap;
1375
b68e418c
SS		 1376 switch (CAP_TO_INDEX(cap)) {
1377 case 0:
1378 sclass = SECCLASS_CAPABILITY;
1379 break;
1380 case 1:
1381 sclass = SECCLASS_CAPABILITY2;
1382 break;
1383 default:
1384 printk(KERN_ERR
1385 "SELinux: out of range capability %d\n", cap);
1386 BUG();
1387 }
06112163
EP		 1388
1389 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid, sclass, av, 0, &avd);
1390 if (audit == SECURITY_CAP_AUDIT)
1391 avc_audit(tsec->sid, tsec->sid, sclass, av, &avd, rc, &ad);
1392 return rc;
1da177e4
LT		 1393}
1394
1395/* Check whether a task is allowed to use a system operation. */
1396static int task_has_system(struct task_struct *tsk,
1397 u32 perms)
1398{
1399 struct task_security_struct *tsec;
1400
b6dff3ec 1401 tsec = tsk->cred->security;
1da177e4
LT		 1402
1403 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1404 SECCLASS_SYSTEM, perms, NULL);
1405}
1406
1407/* Check whether a task has a particular permission to an inode.
1408 The 'adp' parameter is optional and allows other audit
1409 data to be passed (e.g. the dentry). */
1410static int inode_has_perm(struct task_struct *tsk,
1411 struct inode *inode,
1412 u32 perms,
1413 struct avc_audit_data *adp)
1414{
1415 struct task_security_struct *tsec;
1416 struct inode_security_struct *isec;
1417 struct avc_audit_data ad;
1418
828dfe1d 1419 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1420 return 0;
1421
b6dff3ec 1422 tsec = tsk->cred->security;
1da177e4
LT		 1423 isec = inode->i_security;
1424
1425 if (!adp) {
1426 adp = &ad;
1427 AVC_AUDIT_DATA_INIT(&ad, FS);
1428 ad.u.fs.inode = inode;
1429 }
1430
1431 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1432}
1433
1434/* Same as inode_has_perm, but pass explicit audit data containing
1435 the dentry to help the auditing code to more easily generate the
1436 pathname if needed. */
1437static inline int dentry_has_perm(struct task_struct *tsk,
1438 struct vfsmount *mnt,
1439 struct dentry *dentry,
1440 u32 av)
1441{
1442 struct inode *inode = dentry->d_inode;
1443 struct avc_audit_data ad;
828dfe1d 1444 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf
JB		 1445 ad.u.fs.path.mnt = mnt;
1446 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1447 return inode_has_perm(tsk, inode, av, &ad);
1448}
1449
1450/* Check whether a task can use an open file descriptor to
1451 access an inode in a given way. Check access to the
1452 descriptor itself, and then use dentry_has_perm to
1453 check a particular permission to the file.
1454 Access to the descriptor is implicitly granted if it
1455 has the same SID as the process. If av is zero, then
1456 access to the file is not checked, e.g. for cases
1457 where only the descriptor is affected like seek. */
858119e1 1458static int file_has_perm(struct task_struct *tsk,
1da177e4
LT		 1459 struct file *file,
1460 u32 av)
1461{
b6dff3ec 1462 struct task_security_struct *tsec = tsk->cred->security;
1da177e4 1463 struct file_security_struct *fsec = file->f_security;
44707fdf 1464 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 1465 struct avc_audit_data ad;
1466 int rc;
1467
1468 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1469 ad.u.fs.path = file->f_path;
1da177e4
LT		 1470
1471 if (tsec->sid != fsec->sid) {
1472 rc = avc_has_perm(tsec->sid, fsec->sid,
1473 SECCLASS_FD,
1474 FD__USE,
1475 &ad);
1476 if (rc)
1477 return rc;
1478 }
1479
1480 /* av is zero if only checking access to the descriptor. */
1481 if (av)
1482 return inode_has_perm(tsk, inode, av, &ad);
1483
1484 return 0;
1485}
1486
1487/* Check whether a task can create a file. */
1488static int may_create(struct inode *dir,
1489 struct dentry *dentry,
1490 u16 tclass)
1491{
1492 struct task_security_struct *tsec;
1493 struct inode_security_struct *dsec;
1494 struct superblock_security_struct *sbsec;
1495 u32 newsid;
1496 struct avc_audit_data ad;
1497 int rc;
1498
b6dff3ec 1499 tsec = current->cred->security;
1da177e4
LT		 1500 dsec = dir->i_security;
1501 sbsec = dir->i_sb->s_security;
1502
1503 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1504 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1505
1506 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1507 DIR__ADD_NAME | DIR__SEARCH,
1508 &ad);
1509 if (rc)
1510 return rc;
1511
1512 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1513 newsid = tsec->create_sid;
1514 } else {
1515 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1516 &newsid);
1517 if (rc)
1518 return rc;
1519 }
1520
1521 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1522 if (rc)
1523 return rc;
1524
1525 return avc_has_perm(newsid, sbsec->sid,
1526 SECCLASS_FILESYSTEM,
1527 FILESYSTEM__ASSOCIATE, &ad);
1528}
1529
4eb582cf
ML		 1530/* Check whether a task can create a key. */
1531static int may_create_key(u32 ksid,
1532 struct task_struct *ctx)
1533{
1534 struct task_security_struct *tsec;
1535
b6dff3ec 1536 tsec = ctx->cred->security;
4eb582cf
ML		 1537
1538 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1539}
1540
828dfe1d
EP		 1541#define MAY_LINK 0
1542#define MAY_UNLINK 1
1543#define MAY_RMDIR 2
1da177e4
LT		 1544
1545/* Check whether a task can link, unlink, or rmdir a file/directory. */
1546static int may_link(struct inode *dir,
1547 struct dentry *dentry,
1548 int kind)
1549
1550{
1551 struct task_security_struct *tsec;
1552 struct inode_security_struct *dsec, *isec;
1553 struct avc_audit_data ad;
1554 u32 av;
1555 int rc;
1556
b6dff3ec 1557 tsec = current->cred->security;
1da177e4
LT		 1558 dsec = dir->i_security;
1559 isec = dentry->d_inode->i_security;
1560
1561 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1562 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1563
1564 av = DIR__SEARCH;
1565 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1566 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1567 if (rc)
1568 return rc;
1569
1570 switch (kind) {
1571 case MAY_LINK:
1572 av = FILE__LINK;
1573 break;
1574 case MAY_UNLINK:
1575 av = FILE__UNLINK;
1576 break;
1577 case MAY_RMDIR:
1578 av = DIR__RMDIR;
1579 break;
1580 default:
744ba35e
EP		 1581 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1582 __func__, kind);
1da177e4
LT		 1583 return 0;
1584 }
1585
1586 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1587 return rc;
1588}
1589
1590static inline int may_rename(struct inode *old_dir,
1591 struct dentry *old_dentry,
1592 struct inode *new_dir,
1593 struct dentry *new_dentry)
1594{
1595 struct task_security_struct *tsec;
1596 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1597 struct avc_audit_data ad;
1598 u32 av;
1599 int old_is_dir, new_is_dir;
1600 int rc;
1601
b6dff3ec 1602 tsec = current->cred->security;
1da177e4
LT		 1603 old_dsec = old_dir->i_security;
1604 old_isec = old_dentry->d_inode->i_security;
1605 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1606 new_dsec = new_dir->i_security;
1607
1608 AVC_AUDIT_DATA_INIT(&ad, FS);
1609
44707fdf 1610 ad.u.fs.path.dentry = old_dentry;
1da177e4
LT		 1611 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1612 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1613 if (rc)
1614 return rc;
1615 rc = avc_has_perm(tsec->sid, old_isec->sid,
1616 old_isec->sclass, FILE__RENAME, &ad);
1617 if (rc)
1618 return rc;
1619 if (old_is_dir && new_dir != old_dir) {
1620 rc = avc_has_perm(tsec->sid, old_isec->sid,
1621 old_isec->sclass, DIR__REPARENT, &ad);
1622 if (rc)
1623 return rc;
1624 }
1625
44707fdf 1626 ad.u.fs.path.dentry = new_dentry;
1da177e4
LT		 1627 av = DIR__ADD_NAME | DIR__SEARCH;
1628 if (new_dentry->d_inode)
1629 av |= DIR__REMOVE_NAME;
1630 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1631 if (rc)
1632 return rc;
1633 if (new_dentry->d_inode) {
1634 new_isec = new_dentry->d_inode->i_security;
1635 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1636 rc = avc_has_perm(tsec->sid, new_isec->sid,
1637 new_isec->sclass,
1638 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1639 if (rc)
1640 return rc;
1641 }
1642
1643 return 0;
1644}
1645
1646/* Check whether a task can perform a filesystem operation. */
1647static int superblock_has_perm(struct task_struct *tsk,
1648 struct super_block *sb,
1649 u32 perms,
1650 struct avc_audit_data *ad)
1651{
1652 struct task_security_struct *tsec;
1653 struct superblock_security_struct *sbsec;
1654
b6dff3ec 1655 tsec = tsk->cred->security;
1da177e4
LT		 1656 sbsec = sb->s_security;
1657 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1658 perms, ad);
1659}
1660
1661/* Convert a Linux mode and permission mask to an access vector. */
1662static inline u32 file_mask_to_av(int mode, int mask)
1663{
1664 u32 av = 0;
1665
1666 if ((mode & S_IFMT) != S_IFDIR) {
1667 if (mask & MAY_EXEC)
1668 av |= FILE__EXECUTE;
1669 if (mask & MAY_READ)
1670 av |= FILE__READ;
1671
1672 if (mask & MAY_APPEND)
1673 av |= FILE__APPEND;
1674 else if (mask & MAY_WRITE)
1675 av |= FILE__WRITE;
1676
1677 } else {
1678 if (mask & MAY_EXEC)
1679 av |= DIR__SEARCH;
1680 if (mask & MAY_WRITE)
1681 av |= DIR__WRITE;
1682 if (mask & MAY_READ)
1683 av |= DIR__READ;
1684 }
1685
1686 return av;
1687}
1688
8b6a5a37
EP		 1689/* Convert a Linux file to an access vector. */
1690static inline u32 file_to_av(struct file *file)
1691{
1692 u32 av = 0;
1693
1694 if (file->f_mode & FMODE_READ)
1695 av |= FILE__READ;
1696 if (file->f_mode & FMODE_WRITE) {
1697 if (file->f_flags & O_APPEND)
1698 av |= FILE__APPEND;
1699 else
1700 av |= FILE__WRITE;
1701 }
1702 if (!av) {
1703 /*
1704 * Special file opened with flags 3 for ioctl-only use.
1705 */
1706 av = FILE__IOCTL;
1707 }
1708
1709 return av;
1710}
1711
b0c636b9 1712/*
8b6a5a37 1713 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 1714 * open permission.
1715 */
8b6a5a37 1716static inline u32 open_file_to_av(struct file *file)
b0c636b9 1717{
8b6a5a37 1718 u32 av = file_to_av(file);
b0c636b9
EP		 1719
1720 if (selinux_policycap_openperm) {
8b6a5a37 1721 mode_t mode = file->f_path.dentry->d_inode->i_mode;
b0c636b9
EP		 1722 /*
1723 * lnk files and socks do not really have an 'open'
1724 */
1725 if (S_ISREG(mode))
1726 av |= FILE__OPEN;
1727 else if (S_ISCHR(mode))
1728 av |= CHR_FILE__OPEN;
1729 else if (S_ISBLK(mode))
1730 av |= BLK_FILE__OPEN;
1731 else if (S_ISFIFO(mode))
1732 av |= FIFO_FILE__OPEN;
1733 else if (S_ISDIR(mode))
1734 av |= DIR__OPEN;
1735 else
744ba35e 1736 printk(KERN_ERR "SELinux: WARNING: inside %s with "
8b6a5a37 1737 "unknown mode:%o\n", __func__, mode);
b0c636b9
EP		 1738 }
1739 return av;
1740}
1741
1da177e4
LT		 1742/* Hook functions begin here. */
1743
5cd9c58f
DH		 1744static int selinux_ptrace_may_access(struct task_struct *child,
1745 unsigned int mode)
1da177e4 1746{
1da177e4
LT		 1747 int rc;
1748
5cd9c58f 1749 rc = secondary_ops->ptrace_may_access(child, mode);
1da177e4
LT		 1750 if (rc)
1751 return rc;
1752
006ebb40 1753 if (mode == PTRACE_MODE_READ) {
b6dff3ec
DH		 1754 struct task_security_struct *tsec = current->cred->security;
1755 struct task_security_struct *csec = child->cred->security;
006ebb40
SS		 1756 return avc_has_perm(tsec->sid, csec->sid,
1757 SECCLASS_FILE, FILE__READ, NULL);
1758 }
1759
5cd9c58f
DH		 1760 return task_has_perm(current, child, PROCESS__PTRACE);
1761}
1762
1763static int selinux_ptrace_traceme(struct task_struct *parent)
1764{
1765 int rc;
1766
1767 rc = secondary_ops->ptrace_traceme(parent);
1768 if (rc)
1769 return rc;
1770
1771 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 1772}
1773
1774static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 1775 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4
LT		 1776{
1777 int error;
1778
1779 error = task_has_perm(current, target, PROCESS__GETCAP);
1780 if (error)
1781 return error;
1782
1783 return secondary_ops->capget(target, effective, inheritable, permitted);
1784}
1785
15a2460e
DH		 1786static int selinux_capset_check(const kernel_cap_t *effective,
1787 const kernel_cap_t *inheritable,
1788 const kernel_cap_t *permitted)
1da177e4
LT		 1789{
1790 int error;
1791
1cdcbec1 1792 error = secondary_ops->capset_check(effective, inheritable, permitted);
1da177e4
LT		 1793 if (error)
1794 return error;
1795
1cdcbec1 1796 return task_has_perm(current, current, PROCESS__SETCAP);
1da177e4
LT		 1797}
1798
15a2460e
DH		 1799static void selinux_capset_set(const kernel_cap_t *effective,
1800 const kernel_cap_t *inheritable,
1801 const kernel_cap_t *permitted)
1da177e4 1802{
1cdcbec1 1803 secondary_ops->capset_set(effective, inheritable, permitted);
1da177e4
LT		 1804}
1805
06112163 1806static int selinux_capable(struct task_struct *tsk, int cap, int audit)
1da177e4
LT		 1807{
1808 int rc;
1809
06112163 1810 rc = secondary_ops->capable(tsk, cap, audit);
1da177e4
LT		 1811 if (rc)
1812 return rc;
1813
06112163 1814 return task_has_capability(tsk, cap, audit);
1da177e4
LT		 1815}
1816
3fbfa981
EB		 1817static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1818{
1819 int buflen, rc;
1820 char *buffer, *path, *end;
1821
1822 rc = -ENOMEM;
828dfe1d 1823 buffer = (char *)__get_free_page(GFP_KERNEL);
3fbfa981
EB		 1824 if (!buffer)
1825 goto out;
1826
1827 buflen = PAGE_SIZE;
1828 end = buffer+buflen;
1829 *--end = '\0';
1830 buflen--;
1831 path = end-1;
1832 *path = '/';
1833 while (table) {
1834 const char *name = table->procname;
1835 size_t namelen = strlen(name);
1836 buflen -= namelen + 1;
1837 if (buflen < 0)
1838 goto out_free;
1839 end -= namelen;
1840 memcpy(end, name, namelen);
1841 *--end = '/';
1842 path = end;
1843 table = table->parent;
1844 }
b599fdfd
EB		 1845 buflen -= 4;
1846 if (buflen < 0)
1847 goto out_free;
1848 end -= 4;
1849 memcpy(end, "/sys", 4);
1850 path = end;
3fbfa981
EB		 1851 rc = security_genfs_sid("proc", path, tclass, sid);
1852out_free:
1853 free_page((unsigned long)buffer);
1854out:
1855 return rc;
1856}
1857
1da177e4
LT		 1858static int selinux_sysctl(ctl_table *table, int op)
1859{
1860 int error = 0;
1861 u32 av;
1862 struct task_security_struct *tsec;
1863 u32 tsid;
1864 int rc;
1865
1866 rc = secondary_ops->sysctl(table, op);
1867 if (rc)
1868 return rc;
1869
b6dff3ec 1870 tsec = current->cred->security;
1da177e4 1871
3fbfa981
EB		 1872 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1873 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1da177e4
LT		 1874 if (rc) {
1875 /* Default to the well-defined sysctl SID. */
1876 tsid = SECINITSID_SYSCTL;
1877 }
1878
1879 /* The op values are "defined" in sysctl.c, thereby creating
1880 * a bad coupling between this module and sysctl.c */
828dfe1d 1881 if (op == 001) {
1da177e4
LT		 1882 error = avc_has_perm(tsec->sid, tsid,
1883 SECCLASS_DIR, DIR__SEARCH, NULL);
1884 } else {
1885 av = 0;
1886 if (op & 004)
1887 av |= FILE__READ;
1888 if (op & 002)
1889 av |= FILE__WRITE;
1890 if (av)
1891 error = avc_has_perm(tsec->sid, tsid,
1892 SECCLASS_FILE, av, NULL);
828dfe1d 1893 }
1da177e4
LT		 1894
1895 return error;
1896}
1897
1898static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1899{
1900 int rc = 0;
1901
1902 if (!sb)
1903 return 0;
1904
1905 switch (cmds) {
828dfe1d
EP		 1906 case Q_SYNC:
1907 case Q_QUOTAON:
1908 case Q_QUOTAOFF:
1909 case Q_SETINFO:
1910 case Q_SETQUOTA:
1911 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
1912 NULL);
1913 break;
1914 case Q_GETFMT:
1915 case Q_GETINFO:
1916 case Q_GETQUOTA:
1917 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
1918 NULL);
1919 break;
1920 default:
1921 rc = 0; /* let the kernel handle invalid cmds */
1922 break;
1da177e4
LT		 1923 }
1924 return rc;
1925}
1926
1927static int selinux_quota_on(struct dentry *dentry)
1928{
1929 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1930}
1931
1932static int selinux_syslog(int type)
1933{
1934 int rc;
1935
1936 rc = secondary_ops->syslog(type);
1937 if (rc)
1938 return rc;
1939
1940 switch (type) {
828dfe1d
EP		 1941 case 3: /* Read last kernel messages */
1942 case 10: /* Return size of the log buffer */
1943 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1944 break;
1945 case 6: /* Disable logging to console */
1946 case 7: /* Enable logging to console */
1947 case 8: /* Set level of messages printed to console */
1948 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1949 break;
1950 case 0: /* Close log */
1951 case 1: /* Open log */
1952 case 2: /* Read from log */
1953 case 4: /* Read/clear last kernel messages */
1954 case 5: /* Clear ring buffer */
1955 default:
1956 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1957 break;
1da177e4
LT		 1958 }
1959 return rc;
1960}
1961
1962/*
1963 * Check that a process has enough memory to allocate a new virtual
1964 * mapping. 0 means there is enough memory for the allocation to
1965 * succeed and -ENOMEM implies there is not.
1966 *
1967 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1968 * if the capability is granted, but __vm_enough_memory requires 1 if
1969 * the capability is granted.
1970 *
1971 * Do not audit the selinux permission check, as this is applied to all
1972 * processes that allocate mappings.
1973 */
34b4e4aa 1974static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 1975{
1976 int rc, cap_sys_admin = 0;
1da177e4 1977
06674679 1978 rc = selinux_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
1da177e4
LT		 1979 if (rc == 0)
1980 cap_sys_admin = 1;
1981
34b4e4aa 1982 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 1983}
1984
1985/* binprm security operations */
1986
1987static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1988{
1989 struct bprm_security_struct *bsec;
1990
89d155ef 1991 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1da177e4
LT		 1992 if (!bsec)
1993 return -ENOMEM;
1994
1da177e4
LT		 1995 bsec->sid = SECINITSID_UNLABELED;
1996 bsec->set = 0;
1997
1998 bprm->security = bsec;
1999 return 0;
2000}
2001
2002static int selinux_bprm_set_security(struct linux_binprm *bprm)
2003{
2004 struct task_security_struct *tsec;
3d5ff529 2005 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1da177e4
LT		 2006 struct inode_security_struct *isec;
2007 struct bprm_security_struct *bsec;
2008 u32 newsid;
2009 struct avc_audit_data ad;
2010 int rc;
2011
2012 rc = secondary_ops->bprm_set_security(bprm);
2013 if (rc)
2014 return rc;
2015
2016 bsec = bprm->security;
2017
2018 if (bsec->set)
2019 return 0;
2020
b6dff3ec 2021 tsec = current->cred->security;
1da177e4
LT		 2022 isec = inode->i_security;
2023
2024 /* Default to the current task SID. */
2025 bsec->sid = tsec->sid;
2026
28eba5bf 2027 /* Reset fs, key, and sock SIDs on execve. */
1da177e4 2028 tsec->create_sid = 0;
28eba5bf 2029 tsec->keycreate_sid = 0;
42c3e03e 2030 tsec->sockcreate_sid = 0;
1da177e4
LT		 2031
2032 if (tsec->exec_sid) {
2033 newsid = tsec->exec_sid;
2034 /* Reset exec SID on execve. */
2035 tsec->exec_sid = 0;
2036 } else {
2037 /* Check for a default transition on this program. */
2038 rc = security_transition_sid(tsec->sid, isec->sid,
828dfe1d 2039 SECCLASS_PROCESS, &newsid);
1da177e4
LT		 2040 if (rc)
2041 return rc;
2042 }
2043
2044 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2045 ad.u.fs.path = bprm->file->f_path;
1da177e4 2046
3d5ff529 2047 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1da177e4
LT		 2048 newsid = tsec->sid;
2049
828dfe1d 2050 if (tsec->sid == newsid) {
1da177e4
LT		 2051 rc = avc_has_perm(tsec->sid, isec->sid,
2052 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2053 if (rc)
2054 return rc;
2055 } else {
2056 /* Check permissions for the transition. */
2057 rc = avc_has_perm(tsec->sid, newsid,
2058 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2059 if (rc)
2060 return rc;
2061
2062 rc = avc_has_perm(newsid, isec->sid,
2063 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2064 if (rc)
2065 return rc;
2066
2067 /* Clear any possibly unsafe personality bits on exec: */
2068 current->personality &= ~PER_CLEAR_ON_SETID;
2069
2070 /* Set the security field to the new SID. */
2071 bsec->sid = newsid;
2072 }
2073
2074 bsec->set = 1;
2075 return 0;
2076}
2077
828dfe1d 2078static int selinux_bprm_check_security(struct linux_binprm *bprm)
1da177e4
LT		 2079{
2080 return secondary_ops->bprm_check_security(bprm);
2081}
2082
2083
828dfe1d 2084static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2085{
b6dff3ec 2086 struct task_security_struct *tsec = current->cred->security;
1da177e4
LT		 2087 int atsecure = 0;
2088
2089 if (tsec->osid != tsec->sid) {
2090 /* Enable secure mode for SIDs transitions unless
2091 the noatsecure permission is granted between
2092 the two SIDs, i.e. ahp returns 0. */
2093 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2094 SECCLASS_PROCESS,
2095 PROCESS__NOATSECURE, NULL);
2096 }
2097
2098 return (atsecure || secondary_ops->bprm_secureexec(bprm));
2099}
2100
2101static void selinux_bprm_free_security(struct linux_binprm *bprm)
2102{
9a5f04bf 2103 kfree(bprm->security);
1da177e4 2104 bprm->security = NULL;
1da177e4
LT		 2105}
2106
2107extern struct vfsmount *selinuxfs_mount;
2108extern struct dentry *selinux_null;
2109
2110/* Derived from fs/exec.c:flush_old_files. */
828dfe1d 2111static inline void flush_unauthorized_files(struct files_struct *files)
1da177e4
LT		 2112{
2113 struct avc_audit_data ad;
2114 struct file *file, *devnull = NULL;
b20c8122 2115 struct tty_struct *tty;
badf1662 2116 struct fdtable *fdt;
1da177e4 2117 long j = -1;
24ec839c 2118 int drop_tty = 0;
1da177e4 2119
24ec839c 2120 tty = get_current_tty();
1da177e4
LT		 2121 if (tty) {
2122 file_list_lock();
37dd0bd0
EP		 2123 if (!list_empty(&tty->tty_files)) {
2124 struct inode *inode;
2125
1da177e4
LT		 2126 /* Revalidate access to controlling tty.
2127 Use inode_has_perm on the tty inode directly rather
2128 than using file_has_perm, as this particular open
2129 file may belong to another process and we are only
2130 interested in the inode-based check here. */
37dd0bd0
EP		 2131 file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list);
2132 inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2133 if (inode_has_perm(current, inode,
2134 FILE__READ | FILE__WRITE, NULL)) {
24ec839c 2135 drop_tty = 1;
1da177e4
LT		 2136 }
2137 }
2138 file_list_unlock();
452a00d2 2139 tty_kref_put(tty);
1da177e4 2140 }
98a27ba4
EB		 2141 /* Reset controlling tty. */
2142 if (drop_tty)
2143 no_tty();
1da177e4
LT		 2144
2145 /* Revalidate access to inherited open files. */
2146
828dfe1d 2147 AVC_AUDIT_DATA_INIT(&ad, FS);
1da177e4
LT		 2148
2149 spin_lock(&files->file_lock);
2150 for (;;) {
2151 unsigned long set, i;
2152 int fd;
2153
2154 j++;
2155 i = j * __NFDBITS;
badf1662 2156 fdt = files_fdtable(files);
bbea9f69 2157 if (i >= fdt->max_fds)
1da177e4 2158 break;
badf1662 2159 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 2160 if (!set)
2161 continue;
2162 spin_unlock(&files->file_lock);
828dfe1d 2163 for ( ; set ; i++, set >>= 1) {
1da177e4
LT		 2164 if (set & 1) {
2165 file = fget(i);
2166 if (!file)
2167 continue;
2168 if (file_has_perm(current,
2169 file,
2170 file_to_av(file))) {
2171 sys_close(i);
2172 fd = get_unused_fd();
2173 if (fd != i) {
2174 if (fd >= 0)
2175 put_unused_fd(fd);
2176 fput(file);
2177 continue;
2178 }
2179 if (devnull) {
095975da 2180 get_file(devnull);
1da177e4
LT		 2181 } else {
2182 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
fc5d81e6
AM		 2183 if (IS_ERR(devnull)) {
2184 devnull = NULL;
1da177e4
LT		 2185 put_unused_fd(fd);
2186 fput(file);
2187 continue;
2188 }
2189 }
2190 fd_install(fd, devnull);
2191 }
2192 fput(file);
2193 }
2194 }
2195 spin_lock(&files->file_lock);
2196
2197 }
2198 spin_unlock(&files->file_lock);
2199}
2200
2201static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2202{
2203 struct task_security_struct *tsec;
2204 struct bprm_security_struct *bsec;
2205 u32 sid;
2206 int rc;
2207
2208 secondary_ops->bprm_apply_creds(bprm, unsafe);
2209
b6dff3ec 2210 tsec = current->cred->security;
1da177e4
LT		 2211
2212 bsec = bprm->security;
2213 sid = bsec->sid;
2214
2215 tsec->osid = tsec->sid;
2216 bsec->unsafe = 0;
2217 if (tsec->sid != sid) {
2218 /* Check for shared state. If not ok, leave SID
2219 unchanged and kill. */
2220 if (unsafe & LSM_UNSAFE_SHARE) {
2221 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2222 PROCESS__SHARE, NULL);
2223 if (rc) {
2224 bsec->unsafe = 1;
2225 return;
2226 }
2227 }
2228
2229 /* Check for ptracing, and update the task SID if ok.
2230 Otherwise, leave SID unchanged and kill. */
2231 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
0356357c
RM		 2232 struct task_struct *tracer;
2233 struct task_security_struct *sec;
2234 u32 ptsid = 0;
2235
2236 rcu_read_lock();
0d094efe 2237 tracer = tracehook_tracer_task(current);
0356357c 2238 if (likely(tracer != NULL)) {
b6dff3ec 2239 sec = tracer->cred->security;
0356357c
RM		 2240 ptsid = sec->sid;
2241 }
2242 rcu_read_unlock();
2243
2244 if (ptsid != 0) {
2245 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2246 PROCESS__PTRACE, NULL);
2247 if (rc) {
2248 bsec->unsafe = 1;
2249 return;
2250 }
1da177e4
LT		 2251 }
2252 }
2253 tsec->sid = sid;
2254 }
2255}
2256
2257/*
2258 * called after apply_creds without the task lock held
2259 */
2260static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2261{
2262 struct task_security_struct *tsec;
2263 struct rlimit *rlim, *initrlim;
2264 struct itimerval itimer;
2265 struct bprm_security_struct *bsec;
41d9f9c5 2266 struct sighand_struct *psig;
1da177e4 2267 int rc, i;
41d9f9c5 2268 unsigned long flags;
1da177e4 2269
b6dff3ec 2270 tsec = current->cred->security;
1da177e4
LT		 2271 bsec = bprm->security;
2272
2273 if (bsec->unsafe) {
2274 force_sig_specific(SIGKILL, current);
2275 return;
2276 }
2277 if (tsec->osid == tsec->sid)
2278 return;
2279
2280 /* Close files for which the new task SID is not authorized. */
2281 flush_unauthorized_files(current->files);
2282
2283 /* Check whether the new SID can inherit signal state
2284 from the old SID. If not, clear itimers to avoid
2285 subsequent signal generation and flush and unblock
2286 signals. This must occur _after_ the task SID has
2287 been updated so that any kill done after the flush
2288 will be checked against the new SID. */
2289 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2290 PROCESS__SIGINH, NULL);
2291 if (rc) {
2292 memset(&itimer, 0, sizeof itimer);
2293 for (i = 0; i < 3; i++)
2294 do_setitimer(i, &itimer, NULL);
2295 flush_signals(current);
2296 spin_lock_irq(&current->sighand->siglock);
2297 flush_signal_handlers(current, 1);
2298 sigemptyset(&current->blocked);
2299 recalc_sigpending();
2300 spin_unlock_irq(&current->sighand->siglock);
2301 }
2302
4ac212ad
SS		 2303 /* Always clear parent death signal on SID transitions. */
2304 current->pdeath_signal = 0;
2305
1da177e4
LT		 2306 /* Check whether the new SID can inherit resource limits
2307 from the old SID. If not, reset all soft limits to
2308 the lower of the current task's hard limit and the init
2309 task's soft limit. Note that the setting of hard limits
2310 (even to lower them) can be controlled by the setrlimit
2311 check. The inclusion of the init task's soft limit into
2312 the computation is to avoid resetting soft limits higher
2313 than the default soft limit for cases where the default
2314 is lower than the hard limit, e.g. RLIMIT_CORE or
2315 RLIMIT_STACK.*/
2316 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2317 PROCESS__RLIMITINH, NULL);
2318 if (rc) {
2319 for (i = 0; i < RLIM_NLIMITS; i++) {
2320 rlim = current->signal->rlim + i;
2321 initrlim = init_task.signal->rlim+i;
828dfe1d 2322 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2323 }
f06febc9 2324 update_rlimit_cpu(rlim->rlim_cur);
1da177e4
LT		 2325 }
2326
2327 /* Wake up the parent if it is waiting so that it can
2328 recheck wait permission to the new task SID. */
41d9f9c5
EP		 2329 read_lock_irq(&tasklist_lock);
2330 psig = current->parent->sighand;
2331 spin_lock_irqsave(&psig->siglock, flags);
1da177e4 2332 wake_up_interruptible(&current->parent->signal->wait_chldexit);
41d9f9c5
EP		 2333 spin_unlock_irqrestore(&psig->siglock, flags);
2334 read_unlock_irq(&tasklist_lock);
1da177e4
LT		 2335}
2336
2337/* superblock security operations */
2338
2339static int selinux_sb_alloc_security(struct super_block *sb)
2340{
2341 return superblock_alloc_security(sb);
2342}
2343
2344static void selinux_sb_free_security(struct super_block *sb)
2345{
2346 superblock_free_security(sb);
2347}
2348
2349static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2350{
2351 if (plen > olen)
2352 return 0;
2353
2354 return !memcmp(prefix, option, plen);
2355}
2356
2357static inline int selinux_option(char *option, int len)
2358{
832cbd9a
EP		 2359 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2360 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2361 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2362 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
1da177e4
LT		 2363}
2364
2365static inline void take_option(char **to, char *from, int *first, int len)
2366{
2367 if (!*first) {
2368 **to = ',';
2369 *to += 1;
3528a953 2370 } else
1da177e4
LT		 2371 *first = 0;
2372 memcpy(*to, from, len);
2373 *to += len;
2374}
2375
828dfe1d
EP		 2376static inline void take_selinux_option(char **to, char *from, int *first,
2377 int len)
3528a953
CO		 2378{
2379 int current_size = 0;
2380
2381 if (!*first) {
2382 **to = '|';
2383 *to += 1;
828dfe1d 2384 } else
3528a953
CO		 2385 *first = 0;
2386
2387 while (current_size < len) {
2388 if (*from != '"') {
2389 **to = *from;
2390 *to += 1;
2391 }
2392 from += 1;
2393 current_size += 1;
2394 }
2395}
2396
e0007529 2397static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2398{
2399 int fnosec, fsec, rc = 0;
2400 char *in_save, *in_curr, *in_end;
2401 char *sec_curr, *nosec_save, *nosec;
3528a953 2402 int open_quote = 0;
1da177e4
LT		 2403
2404 in_curr = orig;
2405 sec_curr = copy;
2406
1da177e4
LT		 2407 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2408 if (!nosec) {
2409 rc = -ENOMEM;
2410 goto out;
2411 }
2412
2413 nosec_save = nosec;
2414 fnosec = fsec = 1;
2415 in_save = in_end = orig;
2416
2417 do {
3528a953
CO		 2418 if (*in_end == '"')
2419 open_quote = !open_quote;
2420 if ((*in_end == ',' && open_quote == 0) ||
2421 *in_end == '\0') {
1da177e4
LT		 2422 int len = in_end - in_curr;
2423
2424 if (selinux_option(in_curr, len))
3528a953 2425 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2426 else
2427 take_option(&nosec, in_curr, &fnosec, len);
2428
2429 in_curr = in_end + 1;
2430 }
2431 } while (*in_end++);
2432
6931dfc9 2433 strcpy(in_save, nosec_save);
da3caa20 2434 free_page((unsigned long)nosec_save);
1da177e4
LT		 2435out:
2436 return rc;
2437}
2438
2439static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2440{
2441 struct avc_audit_data ad;
2442 int rc;
2443
2444 rc = superblock_doinit(sb, data);
2445 if (rc)
2446 return rc;
2447
828dfe1d 2448 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2449 ad.u.fs.path.dentry = sb->s_root;
1da177e4
LT		 2450 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2451}
2452
726c3342 2453static int selinux_sb_statfs(struct dentry *dentry)
1da177e4
LT		 2454{
2455 struct avc_audit_data ad;
2456
828dfe1d 2457 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2458 ad.u.fs.path.dentry = dentry->d_sb->s_root;
726c3342 2459 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2460}
2461
828dfe1d 2462static int selinux_mount(char *dev_name,
b5266eb4 2463 struct path *path,
828dfe1d
EP		 2464 char *type,
2465 unsigned long flags,
2466 void *data)
1da177e4
LT		 2467{
2468 int rc;
2469
b5266eb4 2470 rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
1da177e4
LT		 2471 if (rc)
2472 return rc;
2473
2474 if (flags & MS_REMOUNT)
b5266eb4 2475 return superblock_has_perm(current, path->mnt->mnt_sb,
828dfe1d 2476 FILESYSTEM__REMOUNT, NULL);
1da177e4 2477 else
b5266eb4 2478 return dentry_has_perm(current, path->mnt, path->dentry,
828dfe1d 2479 FILE__MOUNTON);
1da177e4
LT		 2480}
2481
2482static int selinux_umount(struct vfsmount *mnt, int flags)
2483{
2484 int rc;
2485
2486 rc = secondary_ops->sb_umount(mnt, flags);
2487 if (rc)
2488 return rc;
2489
828dfe1d
EP		 2490 return superblock_has_perm(current, mnt->mnt_sb,
2491 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2492}
2493
2494/* inode security operations */
2495
2496static int selinux_inode_alloc_security(struct inode *inode)
2497{
2498 return inode_alloc_security(inode);
2499}
2500
2501static void selinux_inode_free_security(struct inode *inode)
2502{
2503 inode_free_security(inode);
2504}
2505
5e41ff9e
SS		 2506static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2507 char **name, void **value,
2508 size_t *len)
2509{
2510 struct task_security_struct *tsec;
2511 struct inode_security_struct *dsec;
2512 struct superblock_security_struct *sbsec;
570bc1c2 2513 u32 newsid, clen;
5e41ff9e 2514 int rc;
570bc1c2 2515 char *namep = NULL, *context;
5e41ff9e 2516
b6dff3ec 2517 tsec = current->cred->security;
5e41ff9e
SS		 2518 dsec = dir->i_security;
2519 sbsec = dir->i_sb->s_security;
5e41ff9e
SS		 2520
2521 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2522 newsid = tsec->create_sid;
2523 } else {
2524 rc = security_transition_sid(tsec->sid, dsec->sid,
2525 inode_mode_to_security_class(inode->i_mode),
2526 &newsid);
2527 if (rc) {
2528 printk(KERN_WARNING "%s: "
2529 "security_transition_sid failed, rc=%d (dev=%s "
2530 "ino=%ld)\n",
dd6f953a 2531 __func__,
5e41ff9e
SS		 2532 -rc, inode->i_sb->s_id, inode->i_ino);
2533 return rc;
2534 }
2535 }
2536
296fddf7
EP		 2537 /* Possibly defer initialization to selinux_complete_init. */
2538 if (sbsec->initialized) {
2539 struct inode_security_struct *isec = inode->i_security;
2540 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2541 isec->sid = newsid;
2542 isec->initialized = 1;
2543 }
5e41ff9e 2544
8aad3875 2545 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
25a74f3b
SS		 2546 return -EOPNOTSUPP;
2547
570bc1c2 2548 if (name) {
a02fe132 2549 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
570bc1c2
SS		 2550 if (!namep)
2551 return -ENOMEM;
2552 *name = namep;
2553 }
5e41ff9e 2554
570bc1c2 2555 if (value && len) {
12b29f34 2556 rc = security_sid_to_context_force(newsid, &context, &clen);
570bc1c2
SS		 2557 if (rc) {
2558 kfree(namep);
2559 return rc;
2560 }
2561 *value = context;
2562 *len = clen;
5e41ff9e 2563 }
5e41ff9e 2564
5e41ff9e
SS		 2565 return 0;
2566}
2567
1da177e4
LT		 2568static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2569{
2570 return may_create(dir, dentry, SECCLASS_FILE);
2571}
2572
1da177e4
LT		 2573static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2574{
2575 int rc;
2576
828dfe1d 2577 rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
1da177e4
LT		 2578 if (rc)
2579 return rc;
2580 return may_link(dir, old_dentry, MAY_LINK);
2581}
2582
1da177e4
LT		 2583static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2584{
2585 int rc;
2586
2587 rc = secondary_ops->inode_unlink(dir, dentry);
2588 if (rc)
2589 return rc;
2590 return may_link(dir, dentry, MAY_UNLINK);
2591}
2592
2593static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2594{
2595 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2596}
2597
1da177e4
LT		 2598static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2599{
2600 return may_create(dir, dentry, SECCLASS_DIR);
2601}
2602
1da177e4
LT		 2603static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2604{
2605 return may_link(dir, dentry, MAY_RMDIR);
2606}
2607
2608static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2609{
2610 int rc;
2611
2612 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2613 if (rc)
2614 return rc;
2615
2616 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2617}
2618
1da177e4 2619static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2620 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2621{
2622 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2623}
2624
1da177e4
LT		 2625static int selinux_inode_readlink(struct dentry *dentry)
2626{
2627 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2628}
2629
2630static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2631{
2632 int rc;
2633
828dfe1d 2634 rc = secondary_ops->inode_follow_link(dentry, nameidata);
1da177e4
LT		 2635 if (rc)
2636 return rc;
2637 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2638}
2639
b77b0646 2640static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4
LT		 2641{
2642 int rc;
2643
b77b0646 2644 rc = secondary_ops->inode_permission(inode, mask);
1da177e4
LT		 2645 if (rc)
2646 return rc;
2647
2648 if (!mask) {
2649 /* No permission to check. Existence test. */
2650 return 0;
2651 }
2652
2653 return inode_has_perm(current, inode,
8b6a5a37 2654 file_mask_to_av(inode->i_mode, mask), NULL);
1da177e4
LT		 2655}
2656
2657static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2658{
2659 int rc;
2660
2661 rc = secondary_ops->inode_setattr(dentry, iattr);
2662 if (rc)
2663 return rc;
2664
2665 if (iattr->ia_valid & ATTR_FORCE)
2666 return 0;
2667
2668 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2669 ATTR_ATIME_SET | ATTR_MTIME_SET))
2670 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2671
2672 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2673}
2674
2675static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2676{
2677 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2678}
2679
8f0cfa52 2680static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771
SH		 2681{
2682 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2683 sizeof XATTR_SECURITY_PREFIX - 1)) {
2684 if (!strcmp(name, XATTR_NAME_CAPS)) {
2685 if (!capable(CAP_SETFCAP))
2686 return -EPERM;
2687 } else if (!capable(CAP_SYS_ADMIN)) {
2688 /* A different attribute in the security namespace.
2689 Restrict to administrator. */
2690 return -EPERM;
2691 }
2692 }
2693
2694 /* Not an attribute we recognize, so just check the
2695 ordinary setattr permission. */
2696 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2697}
2698
8f0cfa52
DH		 2699static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2700 const void *value, size_t size, int flags)
1da177e4 2701{
b6dff3ec 2702 struct task_security_struct *tsec = current->cred->security;
1da177e4
LT		 2703 struct inode *inode = dentry->d_inode;
2704 struct inode_security_struct *isec = inode->i_security;
2705 struct superblock_security_struct *sbsec;
2706 struct avc_audit_data ad;
2707 u32 newsid;
2708 int rc = 0;
2709
b5376771
SH		 2710 if (strcmp(name, XATTR_NAME_SELINUX))
2711 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2712
2713 sbsec = inode->i_sb->s_security;
2714 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2715 return -EOPNOTSUPP;
2716
3bd858ab 2717 if (!is_owner_or_cap(inode))
1da177e4
LT		 2718 return -EPERM;
2719
828dfe1d 2720 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2721 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 2722
2723 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2724 FILE__RELABELFROM, &ad);
2725 if (rc)
2726 return rc;
2727
2728 rc = security_context_to_sid(value, size, &newsid);
12b29f34
SS		 2729 if (rc == -EINVAL) {
2730 if (!capable(CAP_MAC_ADMIN))
2731 return rc;
2732 rc = security_context_to_sid_force(value, size, &newsid);
2733 }
1da177e4
LT		 2734 if (rc)
2735 return rc;
2736
2737 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2738 FILE__RELABELTO, &ad);
2739 if (rc)
2740 return rc;
2741
2742 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
828dfe1d 2743 isec->sclass);
1da177e4
LT		 2744 if (rc)
2745 return rc;
2746
2747 return avc_has_perm(newsid,
2748 sbsec->sid,
2749 SECCLASS_FILESYSTEM,
2750 FILESYSTEM__ASSOCIATE,
2751 &ad);
2752}
2753
8f0cfa52 2754static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 2755 const void *value, size_t size,
8f0cfa52 2756 int flags)
1da177e4
LT		 2757{
2758 struct inode *inode = dentry->d_inode;
2759 struct inode_security_struct *isec = inode->i_security;
2760 u32 newsid;
2761 int rc;
2762
2763 if (strcmp(name, XATTR_NAME_SELINUX)) {
2764 /* Not an attribute we recognize, so nothing to do. */
2765 return;
2766 }
2767
12b29f34 2768 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 2769 if (rc) {
12b29f34
SS		 2770 printk(KERN_ERR "SELinux: unable to map context to SID"
2771 "for (%s, %lu), rc=%d\n",
2772 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 2773 return;
2774 }
2775
2776 isec->sid = newsid;
2777 return;
2778}
2779
8f0cfa52 2780static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 2781{
1da177e4
LT		 2782 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2783}
2784
828dfe1d 2785static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4
LT		 2786{
2787 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2788}
2789
8f0cfa52 2790static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 2791{
b5376771
SH		 2792 if (strcmp(name, XATTR_NAME_SELINUX))
2793 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2794
2795 /* No one is allowed to remove a SELinux security label.
2796 You can change the label, but all data must be labeled. */
2797 return -EACCES;
2798}
2799
d381d8a9 2800/*
abc69bb6 2801 * Copy the inode security context value to the user.
d381d8a9
JM		 2802 *
2803 * Permission check is handled by selinux_inode_getxattr hook.
2804 */
42492594 2805static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 2806{
42492594
DQ		 2807 u32 size;
2808 int error;
2809 char *context = NULL;
1da177e4 2810 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2811
8c8570fb
DK		 2812 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2813 return -EOPNOTSUPP;
d381d8a9 2814
abc69bb6
SS		 2815 /*
2816 * If the caller has CAP_MAC_ADMIN, then get the raw context
2817 * value even if it is not defined by current policy; otherwise,
2818 * use the in-core value under current policy.
2819 * Use the non-auditing forms of the permission checks since
2820 * getxattr may be called by unprivileged processes commonly
2821 * and lack of permission just means that we fall back to the
2822 * in-core context value, not a denial.
2823 */
06674679 2824 error = selinux_capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
abc69bb6
SS		 2825 if (!error)
2826 error = security_sid_to_context_force(isec->sid, &context,
2827 &size);
2828 else
2829 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 2830 if (error)
2831 return error;
2832 error = size;
2833 if (alloc) {
2834 *buffer = context;
2835 goto out_nofree;
2836 }
2837 kfree(context);
2838out_nofree:
2839 return error;
1da177e4
LT		 2840}
2841
2842static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 2843 const void *value, size_t size, int flags)
1da177e4
LT		 2844{
2845 struct inode_security_struct *isec = inode->i_security;
2846 u32 newsid;
2847 int rc;
2848
2849 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2850 return -EOPNOTSUPP;
2851
2852 if (!value || !size)
2853 return -EACCES;
2854
828dfe1d 2855 rc = security_context_to_sid((void *)value, size, &newsid);
1da177e4
LT		 2856 if (rc)
2857 return rc;
2858
2859 isec->sid = newsid;
2860 return 0;
2861}
2862
2863static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2864{
2865 const int len = sizeof(XATTR_NAME_SELINUX);
2866 if (buffer && len <= buffer_size)
2867 memcpy(buffer, XATTR_NAME_SELINUX, len);
2868 return len;
2869}
2870
b5376771
SH		 2871static int selinux_inode_need_killpriv(struct dentry *dentry)
2872{
2873 return secondary_ops->inode_need_killpriv(dentry);
2874}
2875
2876static int selinux_inode_killpriv(struct dentry *dentry)
2877{
2878 return secondary_ops->inode_killpriv(dentry);
2879}
2880
713a04ae
AD		 2881static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2882{
2883 struct inode_security_struct *isec = inode->i_security;
2884 *secid = isec->sid;
2885}
2886
1da177e4
LT		 2887/* file security operations */
2888
788e7dd4 2889static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 2890{
7420ed23 2891 int rc;
3d5ff529 2892 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2893
2894 if (!mask) {
2895 /* No permission to check. Existence test. */
2896 return 0;
2897 }
2898
2899 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2900 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2901 mask |= MAY_APPEND;
2902
7420ed23
VY		 2903 rc = file_has_perm(current, file,
2904 file_mask_to_av(inode->i_mode, mask));
2905 if (rc)
2906 return rc;
2907
2908 return selinux_netlbl_inode_permission(inode, mask);
1da177e4
LT		 2909}
2910
788e7dd4
YN		 2911static int selinux_file_permission(struct file *file, int mask)
2912{
2913 struct inode *inode = file->f_path.dentry->d_inode;
b6dff3ec 2914 struct task_security_struct *tsec = current->cred->security;
788e7dd4
YN		 2915 struct file_security_struct *fsec = file->f_security;
2916 struct inode_security_struct *isec = inode->i_security;
2917
2918 if (!mask) {
2919 /* No permission to check. Existence test. */
2920 return 0;
2921 }
2922
2923 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2924 && fsec->pseqno == avc_policy_seqno())
2925 return selinux_netlbl_inode_permission(inode, mask);
2926
2927 return selinux_revalidate_file_permission(file, mask);
2928}
2929
1da177e4
LT		 2930static int selinux_file_alloc_security(struct file *file)
2931{
2932 return file_alloc_security(file);
2933}
2934
2935static void selinux_file_free_security(struct file *file)
2936{
2937 file_free_security(file);
2938}
2939
2940static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2941 unsigned long arg)
2942{
242631c4 2943 u32 av = 0;
1da177e4 2944
242631c4
SS		 2945 if (_IOC_DIR(cmd) & _IOC_WRITE)
2946 av |= FILE__WRITE;
2947 if (_IOC_DIR(cmd) & _IOC_READ)
2948 av |= FILE__READ;
2949 if (!av)
2950 av = FILE__IOCTL;
1da177e4 2951
242631c4 2952 return file_has_perm(current, file, av);
1da177e4
LT		 2953}
2954
2955static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2956{
2957#ifndef CONFIG_PPC32
2958 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2959 /*
2960 * We are making executable an anonymous mapping or a
2961 * private file mapping that will also be writable.
2962 * This has an additional check.
2963 */
2964 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2965 if (rc)
2966 return rc;
2967 }
2968#endif
2969
2970 if (file) {
2971 /* read access is always possible with a mapping */
2972 u32 av = FILE__READ;
2973
2974 /* write access only matters if the mapping is shared */
2975 if (shared && (prot & PROT_WRITE))
2976 av |= FILE__WRITE;
2977
2978 if (prot & PROT_EXEC)
2979 av |= FILE__EXECUTE;
2980
2981 return file_has_perm(current, file, av);
2982 }
2983 return 0;
2984}
2985
2986static int selinux_file_mmap(struct file *file, unsigned long reqprot,
ed032189
EP		 2987 unsigned long prot, unsigned long flags,
2988 unsigned long addr, unsigned long addr_only)
1da177e4 2989{
ed032189 2990 int rc = 0;
b6dff3ec
DH		 2991 u32 sid = ((struct task_security_struct *)
2992 (current->cred->security))->sid;
1da177e4 2993
ed032189
EP		 2994 if (addr < mmap_min_addr)
2995 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2996 MEMPROTECT__MMAP_ZERO, NULL);
2997 if (rc || addr_only)
1da177e4
LT		 2998 return rc;
2999
3000 if (selinux_checkreqprot)
3001 prot = reqprot;
3002
3003 return file_map_prot_check(file, prot,
3004 (flags & MAP_TYPE) == MAP_SHARED);
3005}
3006
3007static int selinux_file_mprotect(struct vm_area_struct *vma,
3008 unsigned long reqprot,
3009 unsigned long prot)
3010{
3011 int rc;
3012
3013 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
3014 if (rc)
3015 return rc;
3016
3017 if (selinux_checkreqprot)
3018 prot = reqprot;
3019
3020#ifndef CONFIG_PPC32
db4c9641
SS		 3021 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3022 rc = 0;
3023 if (vma->vm_start >= vma->vm_mm->start_brk &&
3024 vma->vm_end <= vma->vm_mm->brk) {
3025 rc = task_has_perm(current, current,
3026 PROCESS__EXECHEAP);
3027 } else if (!vma->vm_file &&
3028 vma->vm_start <= vma->vm_mm->start_stack &&
3029 vma->vm_end >= vma->vm_mm->start_stack) {
3030 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
3031 } else if (vma->vm_file && vma->anon_vma) {
3032 /*
3033 * We are making executable a file mapping that has
3034 * had some COW done. Since pages might have been
3035 * written, check ability to execute the possibly
3036 * modified content. This typically should only
3037 * occur for text relocations.
3038 */
3039 rc = file_has_perm(current, vma->vm_file,
3040 FILE__EXECMOD);
3041 }