]> bbs.cooldavid.org Git - net-next-2.6.git/blame - security/selinux/hooks.c
git://bbs.cooldavid.org / net-next-2.6.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Security: split proc ptrace checking into read vs. attach
[net-next-2.6.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 14 * <dgoeddel@trustedcs.com>
effad8df 15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
828dfe1d 16 * Paul Moore <paul.moore@hp.com>
788e7dd4 17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 19 *
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
828dfe1d 22 * as published by the Free Software Foundation.
1da177e4
LT		 23 */
24
1da177e4
LT		 25#include <linux/init.h>
26#include <linux/kernel.h>
27#include <linux/ptrace.h>
28#include <linux/errno.h>
29#include <linux/sched.h>
30#include <linux/security.h>
31#include <linux/xattr.h>
32#include <linux/capability.h>
33#include <linux/unistd.h>
34#include <linux/mm.h>
35#include <linux/mman.h>
36#include <linux/slab.h>
37#include <linux/pagemap.h>
38#include <linux/swap.h>
1da177e4
LT		 39#include <linux/spinlock.h>
40#include <linux/syscalls.h>
41#include <linux/file.h>
9f3acc31 42#include <linux/fdtable.h>
1da177e4
LT		 43#include <linux/namei.h>
44#include <linux/mount.h>
45#include <linux/ext2_fs.h>
46#include <linux/proc_fs.h>
47#include <linux/kd.h>
48#include <linux/netfilter_ipv4.h>
49#include <linux/netfilter_ipv6.h>
50#include <linux/tty.h>
51#include <net/icmp.h>
227b60f5 52#include <net/ip.h> /* for local_port_range[] */
1da177e4 53#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
220deb96 54#include <net/net_namespace.h>
d621d35e 55#include <net/netlabel.h>
f5269710 56#include <linux/uaccess.h>
1da177e4 57#include <asm/ioctls.h>
d621d35e 58#include <asm/atomic.h>
1da177e4
LT		 59#include <linux/bitops.h>
60#include <linux/interrupt.h>
61#include <linux/netdevice.h> /* for network interface checks */
62#include <linux/netlink.h>
63#include <linux/tcp.h>
64#include <linux/udp.h>
2ee92d46 65#include <linux/dccp.h>
1da177e4
LT		 66#include <linux/quota.h>
67#include <linux/un.h> /* for Unix socket types */
68#include <net/af_unix.h> /* for Unix socket types */
69#include <linux/parser.h>
70#include <linux/nfs_mount.h>
71#include <net/ipv6.h>
72#include <linux/hugetlb.h>
73#include <linux/personality.h>
74#include <linux/sysctl.h>
75#include <linux/audit.h>
6931dfc9 76#include <linux/string.h>
877ce7c1 77#include <linux/selinux.h>
23970741 78#include <linux/mutex.h>
1da177e4
LT		 79
80#include "avc.h"
81#include "objsec.h"
82#include "netif.h"
224dfbd8 83#include "netnode.h"
3e112172 84#include "netport.h"
d28d1e08 85#include "xfrm.h"
c60475bf 86#include "netlabel.h"
9d57a7f9 87#include "audit.h"
1da177e4
LT		 88
89#define XATTR_SELINUX_SUFFIX "selinux"
90#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
91
c9180a57
EP		 92#define NUM_SEL_MNT_OPTS 4
93
1da177e4
LT		 94extern unsigned int policydb_loaded_version;
95extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
4e5ab4cb 96extern int selinux_compat_net;
20510f2f 97extern struct security_operations *security_ops;
1da177e4 98
d621d35e
PM		 99/* SECMARK reference count */
100atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
101
1da177e4 102#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 103int selinux_enforcing;
1da177e4
LT		 104
105static int __init enforcing_setup(char *str)
106{
f5269710
EP		 107 unsigned long enforcing;
108 if (!strict_strtoul(str, 0, &enforcing))
109 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 110 return 1;
111}
112__setup("enforcing=", enforcing_setup);
113#endif
114
115#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
116int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
117
118static int __init selinux_enabled_setup(char *str)
119{
f5269710
EP		 120 unsigned long enabled;
121 if (!strict_strtoul(str, 0, &enabled))
122 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 123 return 1;
124}
125__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 126#else
127int selinux_enabled = 1;
1da177e4
LT		 128#endif
129
130/* Original (dummy) security module. */
828dfe1d 131static struct security_operations *original_ops;
1da177e4
LT		 132
133/* Minimal support for a secondary security module,
134 just to allow the use of the dummy or capability modules.
135 The owlsm module can alternatively be used as a secondary
136 module as long as CONFIG_OWLSM_FD is not enabled. */
828dfe1d 137static struct security_operations *secondary_ops;
1da177e4
LT		 138
139/* Lists of inode and superblock security structures initialized
140 before the policy was loaded. */
141static LIST_HEAD(superblock_security_head);
142static DEFINE_SPINLOCK(sb_security_lock);
143
e18b890b 144static struct kmem_cache *sel_inode_cache;
7cae7e26 145
d621d35e
PM		 146/**
147 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
148 *
149 * Description:
150 * This function checks the SECMARK reference counter to see if any SECMARK
151 * targets are currently configured, if the reference counter is greater than
152 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
153 * enabled, false (0) if SECMARK is disabled.
154 *
155 */
156static int selinux_secmark_enabled(void)
157{
158 return (atomic_read(&selinux_secmark_refcount) > 0);
159}
160
1da177e4
LT		 161/* Allocate and free functions for each kind of security blob. */
162
163static int task_alloc_security(struct task_struct *task)
164{
165 struct task_security_struct *tsec;
166
89d155ef 167 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4
LT		 168 if (!tsec)
169 return -ENOMEM;
170
0356357c 171 tsec->osid = tsec->sid = SECINITSID_UNLABELED;
1da177e4
LT		 172 task->security = tsec;
173
174 return 0;
175}
176
177static void task_free_security(struct task_struct *task)
178{
179 struct task_security_struct *tsec = task->security;
1da177e4
LT		 180 task->security = NULL;
181 kfree(tsec);
182}
183
184static int inode_alloc_security(struct inode *inode)
185{
186 struct task_security_struct *tsec = current->security;
187 struct inode_security_struct *isec;
188
a02fe132 189 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 190 if (!isec)
191 return -ENOMEM;
192
23970741 193 mutex_init(&isec->lock);
1da177e4 194 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 195 isec->inode = inode;
196 isec->sid = SECINITSID_UNLABELED;
197 isec->sclass = SECCLASS_FILE;
9ac49d22 198 isec->task_sid = tsec->sid;
1da177e4
LT		 199 inode->i_security = isec;
200
201 return 0;
202}
203
204static void inode_free_security(struct inode *inode)
205{
206 struct inode_security_struct *isec = inode->i_security;
207 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
208
1da177e4
LT		 209 spin_lock(&sbsec->isec_lock);
210 if (!list_empty(&isec->list))
211 list_del_init(&isec->list);
212 spin_unlock(&sbsec->isec_lock);
213
214 inode->i_security = NULL;
7cae7e26 215 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 216}
217
218static int file_alloc_security(struct file *file)
219{
220 struct task_security_struct *tsec = current->security;
221 struct file_security_struct *fsec;
222
26d2a4be 223 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 224 if (!fsec)
225 return -ENOMEM;
226
9ac49d22
SS		 227 fsec->sid = tsec->sid;
228 fsec->fown_sid = tsec->sid;
1da177e4
LT		 229 file->f_security = fsec;
230
231 return 0;
232}
233
234static void file_free_security(struct file *file)
235{
236 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 237 file->f_security = NULL;
238 kfree(fsec);
239}
240
241static int superblock_alloc_security(struct super_block *sb)
242{
243 struct superblock_security_struct *sbsec;
244
89d155ef 245 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 246 if (!sbsec)
247 return -ENOMEM;
248
bc7e982b 249 mutex_init(&sbsec->lock);
1da177e4
LT		 250 INIT_LIST_HEAD(&sbsec->list);
251 INIT_LIST_HEAD(&sbsec->isec_head);
252 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 253 sbsec->sb = sb;
254 sbsec->sid = SECINITSID_UNLABELED;
255 sbsec->def_sid = SECINITSID_FILE;
c312feb2 256 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 257 sb->s_security = sbsec;
258
259 return 0;
260}
261
262static void superblock_free_security(struct super_block *sb)
263{
264 struct superblock_security_struct *sbsec = sb->s_security;
265
1da177e4
LT		 266 spin_lock(&sb_security_lock);
267 if (!list_empty(&sbsec->list))
268 list_del_init(&sbsec->list);
269 spin_unlock(&sb_security_lock);
270
271 sb->s_security = NULL;
272 kfree(sbsec);
273}
274
7d877f3b 275static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4
LT		 276{
277 struct sk_security_struct *ssec;
278
89d155ef 279 ssec = kzalloc(sizeof(*ssec), priority);
1da177e4
LT		 280 if (!ssec)
281 return -ENOMEM;
282
1da177e4 283 ssec->peer_sid = SECINITSID_UNLABELED;
892c141e 284 ssec->sid = SECINITSID_UNLABELED;
1da177e4
LT		 285 sk->sk_security = ssec;
286
f74af6e8 287 selinux_netlbl_sk_security_reset(ssec, family);
99f59ed0 288
1da177e4
LT		 289 return 0;
290}
291
292static void sk_free_security(struct sock *sk)
293{
294 struct sk_security_struct *ssec = sk->sk_security;
295
1da177e4
LT		 296 sk->sk_security = NULL;
297 kfree(ssec);
298}
1da177e4
LT		 299
300/* The security server must be initialized before
301 any labeling or access decisions can be provided. */
302extern int ss_initialized;
303
304/* The file system's label must be initialized prior to use. */
305
306static char *labeling_behaviors[6] = {
307 "uses xattr",
308 "uses transition SIDs",
309 "uses task SIDs",
310 "uses genfs_contexts",
311 "not configured for labeling",
312 "uses mountpoint labeling",
313};
314
315static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
316
317static inline int inode_doinit(struct inode *inode)
318{
319 return inode_doinit_with_dentry(inode, NULL);
320}
321
322enum {
31e87930 323 Opt_error = -1,
1da177e4
LT		 324 Opt_context = 1,
325 Opt_fscontext = 2,
c9180a57
EP		 326 Opt_defcontext = 3,
327 Opt_rootcontext = 4,
1da177e4
LT		 328};
329
330static match_table_t tokens = {
832cbd9a
EP		 331 {Opt_context, CONTEXT_STR "%s"},
332 {Opt_fscontext, FSCONTEXT_STR "%s"},
333 {Opt_defcontext, DEFCONTEXT_STR "%s"},
334 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
31e87930 335 {Opt_error, NULL},
1da177e4
LT		 336};
337
338#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
339
c312feb2
EP		 340static int may_context_mount_sb_relabel(u32 sid,
341 struct superblock_security_struct *sbsec,
342 struct task_security_struct *tsec)
343{
344 int rc;
345
346 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
347 FILESYSTEM__RELABELFROM, NULL);
348 if (rc)
349 return rc;
350
351 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
352 FILESYSTEM__RELABELTO, NULL);
353 return rc;
354}
355
0808925e
EP		 356static int may_context_mount_inode_relabel(u32 sid,
357 struct superblock_security_struct *sbsec,
358 struct task_security_struct *tsec)
359{
360 int rc;
361 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
362 FILESYSTEM__RELABELFROM, NULL);
363 if (rc)
364 return rc;
365
366 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
367 FILESYSTEM__ASSOCIATE, NULL);
368 return rc;
369}
370
c9180a57 371static int sb_finish_set_opts(struct super_block *sb)
1da177e4 372{
1da177e4 373 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 374 struct dentry *root = sb->s_root;
375 struct inode *root_inode = root->d_inode;
376 int rc = 0;
1da177e4 377
c9180a57
EP		 378 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
379 /* Make sure that the xattr handler exists and that no
380 error other than -ENODATA is returned by getxattr on
381 the root directory. -ENODATA is ok, as this may be
382 the first boot of the SELinux kernel before we have
383 assigned xattr values to the filesystem. */
384 if (!root_inode->i_op->getxattr) {
385 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
386 "xattr support\n", sb->s_id, sb->s_type->name);
387 rc = -EOPNOTSUPP;
388 goto out;
389 }
390 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
391 if (rc < 0 && rc != -ENODATA) {
392 if (rc == -EOPNOTSUPP)
393 printk(KERN_WARNING "SELinux: (dev %s, type "
394 "%s) has no security xattr handler\n",
395 sb->s_id, sb->s_type->name);
396 else
397 printk(KERN_WARNING "SELinux: (dev %s, type "
398 "%s) getxattr errno %d\n", sb->s_id,
399 sb->s_type->name, -rc);
400 goto out;
401 }
402 }
1da177e4 403
c9180a57 404 sbsec->initialized = 1;
1da177e4 405
c9180a57
EP		 406 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
407 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
408 sb->s_id, sb->s_type->name);
409 else
410 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
411 sb->s_id, sb->s_type->name,
412 labeling_behaviors[sbsec->behavior-1]);
1da177e4 413
c9180a57
EP		 414 /* Initialize the root inode. */
415 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 416
c9180a57
EP		 417 /* Initialize any other inodes associated with the superblock, e.g.
418 inodes created prior to initial policy load or inodes created
419 during get_sb by a pseudo filesystem that directly
420 populates itself. */
421 spin_lock(&sbsec->isec_lock);
422next_inode:
423 if (!list_empty(&sbsec->isec_head)) {
424 struct inode_security_struct *isec =
425 list_entry(sbsec->isec_head.next,
426 struct inode_security_struct, list);
427 struct inode *inode = isec->inode;
428 spin_unlock(&sbsec->isec_lock);
429 inode = igrab(inode);
430 if (inode) {
431 if (!IS_PRIVATE(inode))
432 inode_doinit(inode);
433 iput(inode);
434 }
435 spin_lock(&sbsec->isec_lock);
436 list_del_init(&isec->list);
437 goto next_inode;
438 }
439 spin_unlock(&sbsec->isec_lock);
440out:
441 return rc;
442}
1da177e4 443
c9180a57
EP		 444/*
445 * This function should allow an FS to ask what it's mount security
446 * options were so it can use those later for submounts, displaying
447 * mount options, or whatever.
448 */
449static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 450 struct security_mnt_opts *opts)
c9180a57
EP		 451{
452 int rc = 0, i;
453 struct superblock_security_struct *sbsec = sb->s_security;
454 char *context = NULL;
455 u32 len;
456 char tmp;
1da177e4 457
e0007529 458 security_init_mnt_opts(opts);
1da177e4 459
c9180a57
EP		 460 if (!sbsec->initialized)
461 return -EINVAL;
1da177e4 462
c9180a57
EP		 463 if (!ss_initialized)
464 return -EINVAL;
1da177e4 465
c9180a57
EP		 466 /*
467 * if we ever use sbsec flags for anything other than tracking mount
468 * settings this is going to need a mask
469 */
470 tmp = sbsec->flags;
471 /* count the number of mount options for this sb */
472 for (i = 0; i < 8; i++) {
473 if (tmp & 0x01)
e0007529 474 opts->num_mnt_opts++;
c9180a57
EP		 475 tmp >>= 1;
476 }
1da177e4 477
e0007529
EP		 478 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
479 if (!opts->mnt_opts) {
c9180a57
EP		 480 rc = -ENOMEM;
481 goto out_free;
482 }
1da177e4 483
e0007529
EP		 484 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
485 if (!opts->mnt_opts_flags) {
c9180a57
EP		 486 rc = -ENOMEM;
487 goto out_free;
488 }
1da177e4 489
c9180a57
EP		 490 i = 0;
491 if (sbsec->flags & FSCONTEXT_MNT) {
492 rc = security_sid_to_context(sbsec->sid, &context, &len);
493 if (rc)
494 goto out_free;
e0007529
EP		 495 opts->mnt_opts[i] = context;
496 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 497 }
498 if (sbsec->flags & CONTEXT_MNT) {
499 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
500 if (rc)
501 goto out_free;
e0007529
EP		 502 opts->mnt_opts[i] = context;
503 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 504 }
505 if (sbsec->flags & DEFCONTEXT_MNT) {
506 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
507 if (rc)
508 goto out_free;
e0007529
EP		 509 opts->mnt_opts[i] = context;
510 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 511 }
512 if (sbsec->flags & ROOTCONTEXT_MNT) {
513 struct inode *root = sbsec->sb->s_root->d_inode;
514 struct inode_security_struct *isec = root->i_security;
0808925e 515
c9180a57
EP		 516 rc = security_sid_to_context(isec->sid, &context, &len);
517 if (rc)
518 goto out_free;
e0007529
EP		 519 opts->mnt_opts[i] = context;
520 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 521 }
1da177e4 522
e0007529 523 BUG_ON(i != opts->num_mnt_opts);
1da177e4 524
c9180a57
EP		 525 return 0;
526
527out_free:
e0007529 528 security_free_mnt_opts(opts);
c9180a57
EP		 529 return rc;
530}
1da177e4 531
c9180a57
EP		 532static int bad_option(struct superblock_security_struct *sbsec, char flag,
533 u32 old_sid, u32 new_sid)
534{
535 /* check if the old mount command had the same options */
536 if (sbsec->initialized)
537 if (!(sbsec->flags & flag) ||
538 (old_sid != new_sid))
539 return 1;
540
541 /* check if we were passed the same options twice,
542 * aka someone passed context=a,context=b
543 */
544 if (!sbsec->initialized)
545 if (sbsec->flags & flag)
546 return 1;
547 return 0;
548}
e0007529 549
c9180a57
EP		 550/*
551 * Allow filesystems with binary mount data to explicitly set mount point
552 * labeling information.
553 */
e0007529
EP		 554static int selinux_set_mnt_opts(struct super_block *sb,
555 struct security_mnt_opts *opts)
c9180a57
EP		 556{
557 int rc = 0, i;
558 struct task_security_struct *tsec = current->security;
559 struct superblock_security_struct *sbsec = sb->s_security;
560 const char *name = sb->s_type->name;
561 struct inode *inode = sbsec->sb->s_root->d_inode;
562 struct inode_security_struct *root_isec = inode->i_security;
563 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
564 u32 defcontext_sid = 0;
e0007529
EP		 565 char **mount_options = opts->mnt_opts;
566 int *flags = opts->mnt_opts_flags;
567 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 568
569 mutex_lock(&sbsec->lock);
570
571 if (!ss_initialized) {
572 if (!num_opts) {
573 /* Defer initialization until selinux_complete_init,
574 after the initial policy is loaded and the security
575 server is ready to handle calls. */
576 spin_lock(&sb_security_lock);
577 if (list_empty(&sbsec->list))
578 list_add(&sbsec->list, &superblock_security_head);
579 spin_unlock(&sb_security_lock);
580 goto out;
581 }
582 rc = -EINVAL;
744ba35e
EP		 583 printk(KERN_WARNING "SELinux: Unable to set superblock options "
584 "before the security server is initialized\n");
1da177e4 585 goto out;
c9180a57 586 }
1da177e4 587
e0007529
EP		 588 /*
589 * Binary mount data FS will come through this function twice. Once
590 * from an explicit call and once from the generic calls from the vfs.
591 * Since the generic VFS calls will not contain any security mount data
592 * we need to skip the double mount verification.
593 *
594 * This does open a hole in which we will not notice if the first
595 * mount using this sb set explict options and a second mount using
596 * this sb does not set any security options. (The first options
597 * will be used for both mounts)
598 */
599 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
600 && (num_opts == 0))
f5269710 601 goto out;
e0007529 602
c9180a57
EP		 603 /*
604 * parse the mount options, check if they are valid sids.
605 * also check if someone is trying to mount the same sb more
606 * than once with different security options.
607 */
608 for (i = 0; i < num_opts; i++) {
609 u32 sid;
610 rc = security_context_to_sid(mount_options[i],
611 strlen(mount_options[i]), &sid);
1da177e4
LT		 612 if (rc) {
613 printk(KERN_WARNING "SELinux: security_context_to_sid"
614 "(%s) failed for (dev %s, type %s) errno=%d\n",
c9180a57
EP		 615 mount_options[i], sb->s_id, name, rc);
616 goto out;
617 }
618 switch (flags[i]) {
619 case FSCONTEXT_MNT:
620 fscontext_sid = sid;
621
622 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
623 fscontext_sid))
624 goto out_double_mount;
625
626 sbsec->flags |= FSCONTEXT_MNT;
627 break;
628 case CONTEXT_MNT:
629 context_sid = sid;
630
631 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
632 context_sid))
633 goto out_double_mount;
634
635 sbsec->flags |= CONTEXT_MNT;
636 break;
637 case ROOTCONTEXT_MNT:
638 rootcontext_sid = sid;
639
640 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
641 rootcontext_sid))
642 goto out_double_mount;
643
644 sbsec->flags |= ROOTCONTEXT_MNT;
645
646 break;
647 case DEFCONTEXT_MNT:
648 defcontext_sid = sid;
649
650 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
651 defcontext_sid))
652 goto out_double_mount;
653
654 sbsec->flags |= DEFCONTEXT_MNT;
655
656 break;
657 default:
658 rc = -EINVAL;
659 goto out;
1da177e4 660 }
c9180a57
EP		 661 }
662
663 if (sbsec->initialized) {
664 /* previously mounted with options, but not on this attempt? */
665 if (sbsec->flags && !num_opts)
666 goto out_double_mount;
667 rc = 0;
668 goto out;
669 }
670
671 if (strcmp(sb->s_type->name, "proc") == 0)
672 sbsec->proc = 1;
673
674 /* Determine the labeling behavior to use for this filesystem type. */
675 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
676 if (rc) {
677 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
dd6f953a 678 __func__, sb->s_type->name, rc);
c9180a57
EP		 679 goto out;
680 }
1da177e4 681
c9180a57
EP		 682 /* sets the context of the superblock for the fs being mounted. */
683 if (fscontext_sid) {
684
685 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
1da177e4 686 if (rc)
c9180a57 687 goto out;
1da177e4 688
c9180a57 689 sbsec->sid = fscontext_sid;
c312feb2
EP		 690 }
691
692 /*
693 * Switch to using mount point labeling behavior.
694 * sets the label used on all file below the mountpoint, and will set
695 * the superblock context if not already set.
696 */
c9180a57
EP		 697 if (context_sid) {
698 if (!fscontext_sid) {
699 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
b04ea3ce 700 if (rc)
c9180a57
EP		 701 goto out;
702 sbsec->sid = context_sid;
b04ea3ce 703 } else {
c9180a57 704 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
b04ea3ce 705 if (rc)
c9180a57 706 goto out;
b04ea3ce 707 }
c9180a57
EP		 708 if (!rootcontext_sid)
709 rootcontext_sid = context_sid;
1da177e4 710
c9180a57 711 sbsec->mntpoint_sid = context_sid;
c312feb2 712 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 713 }
714
c9180a57
EP		 715 if (rootcontext_sid) {
716 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
0808925e 717 if (rc)
c9180a57 718 goto out;
0808925e 719
c9180a57
EP		 720 root_isec->sid = rootcontext_sid;
721 root_isec->initialized = 1;
0808925e
EP		 722 }
723
c9180a57
EP		 724 if (defcontext_sid) {
725 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
726 rc = -EINVAL;
727 printk(KERN_WARNING "SELinux: defcontext option is "
728 "invalid for this filesystem type\n");
729 goto out;
1da177e4
LT		 730 }
731
c9180a57
EP		 732 if (defcontext_sid != sbsec->def_sid) {
733 rc = may_context_mount_inode_relabel(defcontext_sid,
734 sbsec, tsec);
735 if (rc)
736 goto out;
737 }
1da177e4 738
c9180a57 739 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 740 }
741
c9180a57 742 rc = sb_finish_set_opts(sb);
1da177e4 743out:
c9180a57 744 mutex_unlock(&sbsec->lock);
1da177e4 745 return rc;
c9180a57
EP		 746out_double_mount:
747 rc = -EINVAL;
748 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
749 "security settings for (dev %s, type %s)\n", sb->s_id, name);
750 goto out;
1da177e4
LT		 751}
752
c9180a57
EP		 753static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
754 struct super_block *newsb)
1da177e4 755{
c9180a57
EP		 756 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
757 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 758
c9180a57
EP		 759 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
760 int set_context = (oldsbsec->flags & CONTEXT_MNT);
761 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 762
0f5e6420
EP		 763 /*
764 * if the parent was able to be mounted it clearly had no special lsm
765 * mount options. thus we can safely put this sb on the list and deal
766 * with it later
767 */
768 if (!ss_initialized) {
769 spin_lock(&sb_security_lock);
770 if (list_empty(&newsbsec->list))
771 list_add(&newsbsec->list, &superblock_security_head);
772 spin_unlock(&sb_security_lock);
773 return;
774 }
c9180a57 775
c9180a57
EP		 776 /* how can we clone if the old one wasn't set up?? */
777 BUG_ON(!oldsbsec->initialized);
778
5a552617
EP		 779 /* if fs is reusing a sb, just let its options stand... */
780 if (newsbsec->initialized)
781 return;
782
c9180a57
EP		 783 mutex_lock(&newsbsec->lock);
784
785 newsbsec->flags = oldsbsec->flags;
786
787 newsbsec->sid = oldsbsec->sid;
788 newsbsec->def_sid = oldsbsec->def_sid;
789 newsbsec->behavior = oldsbsec->behavior;
790
791 if (set_context) {
792 u32 sid = oldsbsec->mntpoint_sid;
793
794 if (!set_fscontext)
795 newsbsec->sid = sid;
796 if (!set_rootcontext) {
797 struct inode *newinode = newsb->s_root->d_inode;
798 struct inode_security_struct *newisec = newinode->i_security;
799 newisec->sid = sid;
800 }
801 newsbsec->mntpoint_sid = sid;
1da177e4 802 }
c9180a57
EP		 803 if (set_rootcontext) {
804 const struct inode *oldinode = oldsb->s_root->d_inode;
805 const struct inode_security_struct *oldisec = oldinode->i_security;
806 struct inode *newinode = newsb->s_root->d_inode;
807 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 808
c9180a57 809 newisec->sid = oldisec->sid;
1da177e4
LT		 810 }
811
c9180a57
EP		 812 sb_finish_set_opts(newsb);
813 mutex_unlock(&newsbsec->lock);
814}
815
2e1479d9
AB		 816static int selinux_parse_opts_str(char *options,
817 struct security_mnt_opts *opts)
c9180a57 818{
e0007529 819 char *p;
c9180a57
EP		 820 char *context = NULL, *defcontext = NULL;
821 char *fscontext = NULL, *rootcontext = NULL;
e0007529 822 int rc, num_mnt_opts = 0;
1da177e4 823
e0007529 824 opts->num_mnt_opts = 0;
1da177e4 825
c9180a57
EP		 826 /* Standard string-based options. */
827 while ((p = strsep(&options, "|")) != NULL) {
828 int token;
829 substring_t args[MAX_OPT_ARGS];
1da177e4 830
c9180a57
EP		 831 if (!*p)
832 continue;
1da177e4 833
c9180a57 834 token = match_token(p, tokens, args);
1da177e4 835
c9180a57
EP		 836 switch (token) {
837 case Opt_context:
838 if (context || defcontext) {
839 rc = -EINVAL;
840 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
841 goto out_err;
842 }
843 context = match_strdup(&args[0]);
844 if (!context) {
845 rc = -ENOMEM;
846 goto out_err;
847 }
848 break;
849
850 case Opt_fscontext:
851 if (fscontext) {
852 rc = -EINVAL;
853 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
854 goto out_err;
855 }
856 fscontext = match_strdup(&args[0]);
857 if (!fscontext) {
858 rc = -ENOMEM;
859 goto out_err;
860 }
861 break;
862
863 case Opt_rootcontext:
864 if (rootcontext) {
865 rc = -EINVAL;
866 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
867 goto out_err;
868 }
869 rootcontext = match_strdup(&args[0]);
870 if (!rootcontext) {
871 rc = -ENOMEM;
872 goto out_err;
873 }
874 break;
875
876 case Opt_defcontext:
877 if (context || defcontext) {
878 rc = -EINVAL;
879 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
880 goto out_err;
881 }
882 defcontext = match_strdup(&args[0]);
883 if (!defcontext) {
884 rc = -ENOMEM;
885 goto out_err;
886 }
887 break;
888
889 default:
890 rc = -EINVAL;
891 printk(KERN_WARNING "SELinux: unknown mount option\n");
892 goto out_err;
1da177e4 893
1da177e4 894 }
1da177e4 895 }
c9180a57 896
e0007529
EP		 897 rc = -ENOMEM;
898 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
899 if (!opts->mnt_opts)
900 goto out_err;
901
902 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
903 if (!opts->mnt_opts_flags) {
904 kfree(opts->mnt_opts);
905 goto out_err;
906 }
907
c9180a57 908 if (fscontext) {
e0007529
EP		 909 opts->mnt_opts[num_mnt_opts] = fscontext;
910 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 911 }
912 if (context) {
e0007529
EP		 913 opts->mnt_opts[num_mnt_opts] = context;
914 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 915 }
916 if (rootcontext) {
e0007529
EP		 917 opts->mnt_opts[num_mnt_opts] = rootcontext;
918 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 919 }
920 if (defcontext) {
e0007529
EP		 921 opts->mnt_opts[num_mnt_opts] = defcontext;
922 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 923 }
924
e0007529
EP		 925 opts->num_mnt_opts = num_mnt_opts;
926 return 0;
927
c9180a57
EP		 928out_err:
929 kfree(context);
930 kfree(defcontext);
931 kfree(fscontext);
932 kfree(rootcontext);
1da177e4
LT		 933 return rc;
934}
e0007529
EP		 935/*
936 * string mount options parsing and call set the sbsec
937 */
938static int superblock_doinit(struct super_block *sb, void *data)
939{
940 int rc = 0;
941 char *options = data;
942 struct security_mnt_opts opts;
943
944 security_init_mnt_opts(&opts);
945
946 if (!data)
947 goto out;
948
949 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
950
951 rc = selinux_parse_opts_str(options, &opts);
952 if (rc)
953 goto out_err;
954
955out:
956 rc = selinux_set_mnt_opts(sb, &opts);
957
958out_err:
959 security_free_mnt_opts(&opts);
960 return rc;
961}
1da177e4
LT		 962
963static inline u16 inode_mode_to_security_class(umode_t mode)
964{
965 switch (mode & S_IFMT) {
966 case S_IFSOCK:
967 return SECCLASS_SOCK_FILE;
968 case S_IFLNK:
969 return SECCLASS_LNK_FILE;
970 case S_IFREG:
971 return SECCLASS_FILE;
972 case S_IFBLK:
973 return SECCLASS_BLK_FILE;
974 case S_IFDIR:
975 return SECCLASS_DIR;
976 case S_IFCHR:
977 return SECCLASS_CHR_FILE;
978 case S_IFIFO:
979 return SECCLASS_FIFO_FILE;
980
981 }
982
983 return SECCLASS_FILE;
984}
985
13402580
JM		 986static inline int default_protocol_stream(int protocol)
987{
988 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
989}
990
991static inline int default_protocol_dgram(int protocol)
992{
993 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
994}
995
1da177e4
LT		 996static inline u16 socket_type_to_security_class(int family, int type, int protocol)
997{
998 switch (family) {
999 case PF_UNIX:
1000 switch (type) {
1001 case SOCK_STREAM:
1002 case SOCK_SEQPACKET:
1003 return SECCLASS_UNIX_STREAM_SOCKET;
1004 case SOCK_DGRAM:
1005 return SECCLASS_UNIX_DGRAM_SOCKET;
1006 }
1007 break;
1008 case PF_INET:
1009 case PF_INET6:
1010 switch (type) {
1011 case SOCK_STREAM:
13402580
JM		 1012 if (default_protocol_stream(protocol))
1013 return SECCLASS_TCP_SOCKET;
1014 else
1015 return SECCLASS_RAWIP_SOCKET;
1da177e4 1016 case SOCK_DGRAM:
13402580
JM		 1017 if (default_protocol_dgram(protocol))
1018 return SECCLASS_UDP_SOCKET;
1019 else
1020 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1021 case SOCK_DCCP:
1022 return SECCLASS_DCCP_SOCKET;
13402580 1023 default:
1da177e4
LT		 1024 return SECCLASS_RAWIP_SOCKET;
1025 }
1026 break;
1027 case PF_NETLINK:
1028 switch (protocol) {
1029 case NETLINK_ROUTE:
1030 return SECCLASS_NETLINK_ROUTE_SOCKET;
1031 case NETLINK_FIREWALL:
1032 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 1033 case NETLINK_INET_DIAG:
1da177e4
LT		 1034 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1035 case NETLINK_NFLOG:
1036 return SECCLASS_NETLINK_NFLOG_SOCKET;
1037 case NETLINK_XFRM:
1038 return SECCLASS_NETLINK_XFRM_SOCKET;
1039 case NETLINK_SELINUX:
1040 return SECCLASS_NETLINK_SELINUX_SOCKET;
1041 case NETLINK_AUDIT:
1042 return SECCLASS_NETLINK_AUDIT_SOCKET;
1043 case NETLINK_IP6_FW:
1044 return SECCLASS_NETLINK_IP6FW_SOCKET;
1045 case NETLINK_DNRTMSG:
1046 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1047 case NETLINK_KOBJECT_UEVENT:
1048 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1049 default:
1050 return SECCLASS_NETLINK_SOCKET;
1051 }
1052 case PF_PACKET:
1053 return SECCLASS_PACKET_SOCKET;
1054 case PF_KEY:
1055 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1056 case PF_APPLETALK:
1057 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1058 }
1059
1060 return SECCLASS_SOCKET;
1061}
1062
1063#ifdef CONFIG_PROC_FS
1064static int selinux_proc_get_sid(struct proc_dir_entry *de,
1065 u16 tclass,
1066 u32 *sid)
1067{
1068 int buflen, rc;
1069 char *buffer, *path, *end;
1070
828dfe1d 1071 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1072 if (!buffer)
1073 return -ENOMEM;
1074
1075 buflen = PAGE_SIZE;
1076 end = buffer+buflen;
1077 *--end = '\0';
1078 buflen--;
1079 path = end-1;
1080 *path = '/';
1081 while (de && de != de->parent) {
1082 buflen -= de->namelen + 1;
1083 if (buflen < 0)
1084 break;
1085 end -= de->namelen;
1086 memcpy(end, de->name, de->namelen);
1087 *--end = '/';
1088 path = end;
1089 de = de->parent;
1090 }
1091 rc = security_genfs_sid("proc", path, tclass, sid);
1092 free_page((unsigned long)buffer);
1093 return rc;
1094}
1095#else
1096static int selinux_proc_get_sid(struct proc_dir_entry *de,
1097 u16 tclass,
1098 u32 *sid)
1099{
1100 return -EINVAL;
1101}
1102#endif
1103
1104/* The inode's security attributes must be initialized before first use. */
1105static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1106{
1107 struct superblock_security_struct *sbsec = NULL;
1108 struct inode_security_struct *isec = inode->i_security;
1109 u32 sid;
1110 struct dentry *dentry;
1111#define INITCONTEXTLEN 255
1112 char *context = NULL;
1113 unsigned len = 0;
1114 int rc = 0;
1da177e4
LT		 1115
1116 if (isec->initialized)
1117 goto out;
1118
23970741 1119 mutex_lock(&isec->lock);
1da177e4 1120 if (isec->initialized)
23970741 1121 goto out_unlock;
1da177e4
LT		 1122
1123 sbsec = inode->i_sb->s_security;
1124 if (!sbsec->initialized) {
1125 /* Defer initialization until selinux_complete_init,
1126 after the initial policy is loaded and the security
1127 server is ready to handle calls. */
1128 spin_lock(&sbsec->isec_lock);
1129 if (list_empty(&isec->list))
1130 list_add(&isec->list, &sbsec->isec_head);
1131 spin_unlock(&sbsec->isec_lock);
23970741 1132 goto out_unlock;
1da177e4
LT		 1133 }
1134
1135 switch (sbsec->behavior) {
1136 case SECURITY_FS_USE_XATTR:
1137 if (!inode->i_op->getxattr) {
1138 isec->sid = sbsec->def_sid;
1139 break;
1140 }
1141
1142 /* Need a dentry, since the xattr API requires one.
1143 Life would be simpler if we could just pass the inode. */
1144 if (opt_dentry) {
1145 /* Called from d_instantiate or d_splice_alias. */
1146 dentry = dget(opt_dentry);
1147 } else {
1148 /* Called from selinux_complete_init, try to find a dentry. */
1149 dentry = d_find_alias(inode);
1150 }
1151 if (!dentry) {
744ba35e 1152 printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s "
dd6f953a 1153 "ino=%ld\n", __func__, inode->i_sb->s_id,
1da177e4 1154 inode->i_ino);
23970741 1155 goto out_unlock;
1da177e4
LT		 1156 }
1157
1158 len = INITCONTEXTLEN;
869ab514 1159 context = kmalloc(len, GFP_NOFS);
1da177e4
LT		 1160 if (!context) {
1161 rc = -ENOMEM;
1162 dput(dentry);
23970741 1163 goto out_unlock;
1da177e4
LT		 1164 }
1165 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1166 context, len);
1167 if (rc == -ERANGE) {
1168 /* Need a larger buffer. Query for the right size. */
1169 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1170 NULL, 0);
1171 if (rc < 0) {
1172 dput(dentry);
23970741 1173 goto out_unlock;
1da177e4
LT		 1174 }
1175 kfree(context);
1176 len = rc;
869ab514 1177 context = kmalloc(len, GFP_NOFS);
1da177e4
LT		 1178 if (!context) {
1179 rc = -ENOMEM;
1180 dput(dentry);
23970741 1181 goto out_unlock;
1da177e4
LT		 1182 }
1183 rc = inode->i_op->getxattr(dentry,
1184 XATTR_NAME_SELINUX,
1185 context, len);
1186 }
1187 dput(dentry);
1188 if (rc < 0) {
1189 if (rc != -ENODATA) {
744ba35e 1190 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1191 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1192 -rc, inode->i_sb->s_id, inode->i_ino);
1193 kfree(context);
23970741 1194 goto out_unlock;
1da177e4
LT		 1195 }
1196 /* Map ENODATA to the default file SID */
1197 sid = sbsec->def_sid;
1198 rc = 0;
1199 } else {
f5c1d5b2 1200 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1201 sbsec->def_sid,
1202 GFP_NOFS);
1da177e4 1203 if (rc) {
744ba35e 1204 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1da177e4 1205 "returned %d for dev=%s ino=%ld\n",
dd6f953a 1206 __func__, context, -rc,
1da177e4
LT		 1207 inode->i_sb->s_id, inode->i_ino);
1208 kfree(context);
1209 /* Leave with the unlabeled SID */
1210 rc = 0;
1211 break;
1212 }
1213 }
1214 kfree(context);
1215 isec->sid = sid;
1216 break;
1217 case SECURITY_FS_USE_TASK:
1218 isec->sid = isec->task_sid;
1219 break;
1220 case SECURITY_FS_USE_TRANS:
1221 /* Default to the fs SID. */
1222 isec->sid = sbsec->sid;
1223
1224 /* Try to obtain a transition SID. */
1225 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1226 rc = security_transition_sid(isec->task_sid,
1227 sbsec->sid,
1228 isec->sclass,
1229 &sid);
1230 if (rc)
23970741 1231 goto out_unlock;
1da177e4
LT		 1232 isec->sid = sid;
1233 break;
c312feb2
EP		 1234 case SECURITY_FS_USE_MNTPOINT:
1235 isec->sid = sbsec->mntpoint_sid;
1236 break;
1da177e4 1237 default:
c312feb2 1238 /* Default to the fs superblock SID. */
1da177e4
LT		 1239 isec->sid = sbsec->sid;
1240
1241 if (sbsec->proc) {
1242 struct proc_inode *proci = PROC_I(inode);
1243 if (proci->pde) {
1244 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1245 rc = selinux_proc_get_sid(proci->pde,
1246 isec->sclass,
1247 &sid);
1248 if (rc)
23970741 1249 goto out_unlock;
1da177e4
LT		 1250 isec->sid = sid;
1251 }
1252 }
1253 break;
1254 }
1255
1256 isec->initialized = 1;
1257
23970741
EP		 1258out_unlock:
1259 mutex_unlock(&isec->lock);
1da177e4
LT		 1260out:
1261 if (isec->sclass == SECCLASS_FILE)
1262 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1263 return rc;
1264}
1265
1266/* Convert a Linux signal to an access vector. */
1267static inline u32 signal_to_av(int sig)
1268{
1269 u32 perm = 0;
1270
1271 switch (sig) {
1272 case SIGCHLD:
1273 /* Commonly granted from child to parent. */
1274 perm = PROCESS__SIGCHLD;
1275 break;
1276 case SIGKILL:
1277 /* Cannot be caught or ignored */
1278 perm = PROCESS__SIGKILL;
1279 break;
1280 case SIGSTOP:
1281 /* Cannot be caught or ignored */
1282 perm = PROCESS__SIGSTOP;
1283 break;
1284 default:
1285 /* All other signals. */
1286 perm = PROCESS__SIGNAL;
1287 break;
1288 }
1289
1290 return perm;
1291}
1292
1293/* Check permission betweeen a pair of tasks, e.g. signal checks,
1294 fork check, ptrace check, etc. */
1295static int task_has_perm(struct task_struct *tsk1,
1296 struct task_struct *tsk2,
1297 u32 perms)
1298{
1299 struct task_security_struct *tsec1, *tsec2;
1300
1301 tsec1 = tsk1->security;
1302 tsec2 = tsk2->security;
1303 return avc_has_perm(tsec1->sid, tsec2->sid,
1304 SECCLASS_PROCESS, perms, NULL);
1305}
1306
b68e418c
SS		 1307#if CAP_LAST_CAP > 63
1308#error Fix SELinux to handle capabilities > 63.
1309#endif
1310
1da177e4
LT		 1311/* Check whether a task is allowed to use a capability. */
1312static int task_has_capability(struct task_struct *tsk,
1313 int cap)
1314{
1315 struct task_security_struct *tsec;
1316 struct avc_audit_data ad;
b68e418c
SS		 1317 u16 sclass;
1318 u32 av = CAP_TO_MASK(cap);
1da177e4
LT		 1319
1320 tsec = tsk->security;
1321
828dfe1d 1322 AVC_AUDIT_DATA_INIT(&ad, CAP);
1da177e4
LT		 1323 ad.tsk = tsk;
1324 ad.u.cap = cap;
1325
b68e418c
SS		 1326 switch (CAP_TO_INDEX(cap)) {
1327 case 0:
1328 sclass = SECCLASS_CAPABILITY;
1329 break;
1330 case 1:
1331 sclass = SECCLASS_CAPABILITY2;
1332 break;
1333 default:
1334 printk(KERN_ERR
1335 "SELinux: out of range capability %d\n", cap);
1336 BUG();
1337 }
1338 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1da177e4
LT		 1339}
1340
1341/* Check whether a task is allowed to use a system operation. */
1342static int task_has_system(struct task_struct *tsk,
1343 u32 perms)
1344{
1345 struct task_security_struct *tsec;
1346
1347 tsec = tsk->security;
1348
1349 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1350 SECCLASS_SYSTEM, perms, NULL);
1351}
1352
1353/* Check whether a task has a particular permission to an inode.
1354 The 'adp' parameter is optional and allows other audit
1355 data to be passed (e.g. the dentry). */
1356static int inode_has_perm(struct task_struct *tsk,
1357 struct inode *inode,
1358 u32 perms,
1359 struct avc_audit_data *adp)
1360{
1361 struct task_security_struct *tsec;
1362 struct inode_security_struct *isec;
1363 struct avc_audit_data ad;
1364
828dfe1d 1365 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1366 return 0;
1367
1da177e4
LT		 1368 tsec = tsk->security;
1369 isec = inode->i_security;
1370
1371 if (!adp) {
1372 adp = &ad;
1373 AVC_AUDIT_DATA_INIT(&ad, FS);
1374 ad.u.fs.inode = inode;
1375 }
1376
1377 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1378}
1379
1380/* Same as inode_has_perm, but pass explicit audit data containing
1381 the dentry to help the auditing code to more easily generate the
1382 pathname if needed. */
1383static inline int dentry_has_perm(struct task_struct *tsk,
1384 struct vfsmount *mnt,
1385 struct dentry *dentry,
1386 u32 av)
1387{
1388 struct inode *inode = dentry->d_inode;
1389 struct avc_audit_data ad;
828dfe1d 1390 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf
JB		 1391 ad.u.fs.path.mnt = mnt;
1392 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1393 return inode_has_perm(tsk, inode, av, &ad);
1394}
1395
1396/* Check whether a task can use an open file descriptor to
1397 access an inode in a given way. Check access to the
1398 descriptor itself, and then use dentry_has_perm to
1399 check a particular permission to the file.
1400 Access to the descriptor is implicitly granted if it
1401 has the same SID as the process. If av is zero, then
1402 access to the file is not checked, e.g. for cases
1403 where only the descriptor is affected like seek. */
858119e1 1404static int file_has_perm(struct task_struct *tsk,
1da177e4
LT		 1405 struct file *file,
1406 u32 av)
1407{
1408 struct task_security_struct *tsec = tsk->security;
1409 struct file_security_struct *fsec = file->f_security;
44707fdf 1410 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 1411 struct avc_audit_data ad;
1412 int rc;
1413
1414 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1415 ad.u.fs.path = file->f_path;
1da177e4
LT		 1416
1417 if (tsec->sid != fsec->sid) {
1418 rc = avc_has_perm(tsec->sid, fsec->sid,
1419 SECCLASS_FD,
1420 FD__USE,
1421 &ad);
1422 if (rc)
1423 return rc;
1424 }
1425
1426 /* av is zero if only checking access to the descriptor. */
1427 if (av)
1428 return inode_has_perm(tsk, inode, av, &ad);
1429
1430 return 0;
1431}
1432
1433/* Check whether a task can create a file. */
1434static int may_create(struct inode *dir,
1435 struct dentry *dentry,
1436 u16 tclass)
1437{
1438 struct task_security_struct *tsec;
1439 struct inode_security_struct *dsec;
1440 struct superblock_security_struct *sbsec;
1441 u32 newsid;
1442 struct avc_audit_data ad;
1443 int rc;
1444
1445 tsec = current->security;
1446 dsec = dir->i_security;
1447 sbsec = dir->i_sb->s_security;
1448
1449 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1450 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1451
1452 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1453 DIR__ADD_NAME | DIR__SEARCH,
1454 &ad);
1455 if (rc)
1456 return rc;
1457
1458 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1459 newsid = tsec->create_sid;
1460 } else {
1461 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1462 &newsid);
1463 if (rc)
1464 return rc;
1465 }
1466
1467 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1468 if (rc)
1469 return rc;
1470
1471 return avc_has_perm(newsid, sbsec->sid,
1472 SECCLASS_FILESYSTEM,
1473 FILESYSTEM__ASSOCIATE, &ad);
1474}
1475
4eb582cf
ML		 1476/* Check whether a task can create a key. */
1477static int may_create_key(u32 ksid,
1478 struct task_struct *ctx)
1479{
1480 struct task_security_struct *tsec;
1481
1482 tsec = ctx->security;
1483
1484 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1485}
1486
828dfe1d
EP		 1487#define MAY_LINK 0
1488#define MAY_UNLINK 1
1489#define MAY_RMDIR 2
1da177e4
LT		 1490
1491/* Check whether a task can link, unlink, or rmdir a file/directory. */
1492static int may_link(struct inode *dir,
1493 struct dentry *dentry,
1494 int kind)
1495
1496{
1497 struct task_security_struct *tsec;
1498 struct inode_security_struct *dsec, *isec;
1499 struct avc_audit_data ad;
1500 u32 av;
1501 int rc;
1502
1503 tsec = current->security;
1504 dsec = dir->i_security;
1505 isec = dentry->d_inode->i_security;
1506
1507 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1508 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1509
1510 av = DIR__SEARCH;
1511 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1512 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1513 if (rc)
1514 return rc;
1515
1516 switch (kind) {
1517 case MAY_LINK:
1518 av = FILE__LINK;
1519 break;
1520 case MAY_UNLINK:
1521 av = FILE__UNLINK;
1522 break;
1523 case MAY_RMDIR:
1524 av = DIR__RMDIR;
1525 break;
1526 default:
744ba35e
EP		 1527 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1528 __func__, kind);
1da177e4
LT		 1529 return 0;
1530 }
1531
1532 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1533 return rc;
1534}
1535
1536static inline int may_rename(struct inode *old_dir,
1537 struct dentry *old_dentry,
1538 struct inode *new_dir,
1539 struct dentry *new_dentry)
1540{
1541 struct task_security_struct *tsec;
1542 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1543 struct avc_audit_data ad;
1544 u32 av;
1545 int old_is_dir, new_is_dir;
1546 int rc;
1547
1548 tsec = current->security;
1549 old_dsec = old_dir->i_security;
1550 old_isec = old_dentry->d_inode->i_security;
1551 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1552 new_dsec = new_dir->i_security;
1553
1554 AVC_AUDIT_DATA_INIT(&ad, FS);
1555
44707fdf 1556 ad.u.fs.path.dentry = old_dentry;
1da177e4
LT		 1557 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1558 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1559 if (rc)
1560 return rc;
1561 rc = avc_has_perm(tsec->sid, old_isec->sid,
1562 old_isec->sclass, FILE__RENAME, &ad);
1563 if (rc)
1564 return rc;
1565 if (old_is_dir && new_dir != old_dir) {
1566 rc = avc_has_perm(tsec->sid, old_isec->sid,
1567 old_isec->sclass, DIR__REPARENT, &ad);
1568 if (rc)
1569 return rc;
1570 }
1571
44707fdf 1572 ad.u.fs.path.dentry = new_dentry;
1da177e4
LT		 1573 av = DIR__ADD_NAME | DIR__SEARCH;
1574 if (new_dentry->d_inode)
1575 av |= DIR__REMOVE_NAME;
1576 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1577 if (rc)
1578 return rc;
1579 if (new_dentry->d_inode) {
1580 new_isec = new_dentry->d_inode->i_security;
1581 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1582 rc = avc_has_perm(tsec->sid, new_isec->sid,
1583 new_isec->sclass,
1584 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1585 if (rc)
1586 return rc;
1587 }
1588
1589 return 0;
1590}
1591
1592/* Check whether a task can perform a filesystem operation. */
1593static int superblock_has_perm(struct task_struct *tsk,
1594 struct super_block *sb,
1595 u32 perms,
1596 struct avc_audit_data *ad)
1597{
1598 struct task_security_struct *tsec;
1599 struct superblock_security_struct *sbsec;
1600
1601 tsec = tsk->security;
1602 sbsec = sb->s_security;
1603 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1604 perms, ad);
1605}
1606
1607/* Convert a Linux mode and permission mask to an access vector. */
1608static inline u32 file_mask_to_av(int mode, int mask)
1609{
1610 u32 av = 0;
1611
1612 if ((mode & S_IFMT) != S_IFDIR) {
1613 if (mask & MAY_EXEC)
1614 av |= FILE__EXECUTE;
1615 if (mask & MAY_READ)
1616 av |= FILE__READ;
1617
1618 if (mask & MAY_APPEND)
1619 av |= FILE__APPEND;
1620 else if (mask & MAY_WRITE)
1621 av |= FILE__WRITE;
1622
1623 } else {
1624 if (mask & MAY_EXEC)
1625 av |= DIR__SEARCH;
1626 if (mask & MAY_WRITE)
1627 av |= DIR__WRITE;
1628 if (mask & MAY_READ)
1629 av |= DIR__READ;
1630 }
1631
1632 return av;
1633}
1634
b0c636b9
EP		 1635/*
1636 * Convert a file mask to an access vector and include the correct open
1637 * open permission.
1638 */
1639static inline u32 open_file_mask_to_av(int mode, int mask)
1640{
1641 u32 av = file_mask_to_av(mode, mask);
1642
1643 if (selinux_policycap_openperm) {
1644 /*
1645 * lnk files and socks do not really have an 'open'
1646 */
1647 if (S_ISREG(mode))
1648 av |= FILE__OPEN;
1649 else if (S_ISCHR(mode))
1650 av |= CHR_FILE__OPEN;
1651 else if (S_ISBLK(mode))
1652 av |= BLK_FILE__OPEN;
1653 else if (S_ISFIFO(mode))
1654 av |= FIFO_FILE__OPEN;
1655 else if (S_ISDIR(mode))
1656 av |= DIR__OPEN;
1657 else
744ba35e
EP		 1658 printk(KERN_ERR "SELinux: WARNING: inside %s with "
1659 "unknown mode:%x\n", __func__, mode);
b0c636b9
EP		 1660 }
1661 return av;
1662}
1663
1da177e4
LT		 1664/* Convert a Linux file to an access vector. */
1665static inline u32 file_to_av(struct file *file)
1666{
1667 u32 av = 0;
1668
1669 if (file->f_mode & FMODE_READ)
1670 av |= FILE__READ;
1671 if (file->f_mode & FMODE_WRITE) {
1672 if (file->f_flags & O_APPEND)
1673 av |= FILE__APPEND;
1674 else
1675 av |= FILE__WRITE;
1676 }
0794c66d
SS		 1677 if (!av) {
1678 /*
1679 * Special file opened with flags 3 for ioctl-only use.
1680 */
1681 av = FILE__IOCTL;
1682 }
1da177e4
LT		 1683
1684 return av;
1685}
1686
1da177e4
LT		 1687/* Hook functions begin here. */
1688
006ebb40
SS		 1689static int selinux_ptrace(struct task_struct *parent,
1690 struct task_struct *child,
1691 unsigned int mode)
1da177e4 1692{
1da177e4
LT		 1693 int rc;
1694
006ebb40 1695 rc = secondary_ops->ptrace(parent, child, mode);
1da177e4
LT		 1696 if (rc)
1697 return rc;
1698
006ebb40
SS		 1699 if (mode == PTRACE_MODE_READ) {
1700 struct task_security_struct *tsec = parent->security;
1701 struct task_security_struct *csec = child->security;
1702 return avc_has_perm(tsec->sid, csec->sid,
1703 SECCLASS_FILE, FILE__READ, NULL);
1704 }
1705
0356357c 1706 return task_has_perm(parent, child, PROCESS__PTRACE);
1da177e4
LT		 1707}
1708
1709static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 1710 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4
LT		 1711{
1712 int error;
1713
1714 error = task_has_perm(current, target, PROCESS__GETCAP);
1715 if (error)
1716 return error;
1717
1718 return secondary_ops->capget(target, effective, inheritable, permitted);
1719}
1720
1721static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 1722 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4
LT		 1723{
1724 int error;
1725
1726 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1727 if (error)
1728 return error;
1729
1730 return task_has_perm(current, target, PROCESS__SETCAP);
1731}
1732
1733static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 1734 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4
LT		 1735{
1736 secondary_ops->capset_set(target, effective, inheritable, permitted);
1737}
1738
1739static int selinux_capable(struct task_struct *tsk, int cap)
1740{
1741 int rc;
1742
1743 rc = secondary_ops->capable(tsk, cap);
1744 if (rc)
1745 return rc;
1746
828dfe1d 1747 return task_has_capability(tsk, cap);
1da177e4
LT		 1748}
1749
3fbfa981
EB		 1750static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1751{
1752 int buflen, rc;
1753 char *buffer, *path, *end;
1754
1755 rc = -ENOMEM;
828dfe1d 1756 buffer = (char *)__get_free_page(GFP_KERNEL);
3fbfa981
EB		 1757 if (!buffer)
1758 goto out;
1759
1760 buflen = PAGE_SIZE;
1761 end = buffer+buflen;
1762 *--end = '\0';
1763 buflen--;
1764 path = end-1;
1765 *path = '/';
1766 while (table) {
1767 const char *name = table->procname;
1768 size_t namelen = strlen(name);
1769 buflen -= namelen + 1;
1770 if (buflen < 0)
1771 goto out_free;
1772 end -= namelen;
1773 memcpy(end, name, namelen);
1774 *--end = '/';
1775 path = end;
1776 table = table->parent;
1777 }
b599fdfd
EB		 1778 buflen -= 4;
1779 if (buflen < 0)
1780 goto out_free;
1781 end -= 4;
1782 memcpy(end, "/sys", 4);
1783 path = end;
3fbfa981
EB		 1784 rc = security_genfs_sid("proc", path, tclass, sid);
1785out_free:
1786 free_page((unsigned long)buffer);
1787out:
1788 return rc;
1789}
1790
1da177e4
LT		 1791static int selinux_sysctl(ctl_table *table, int op)
1792{
1793 int error = 0;
1794 u32 av;
1795 struct task_security_struct *tsec;
1796 u32 tsid;
1797 int rc;
1798
1799 rc = secondary_ops->sysctl(table, op);
1800 if (rc)
1801 return rc;
1802
1803 tsec = current->security;
1804
3fbfa981
EB		 1805 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1806 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1da177e4
LT		 1807 if (rc) {
1808 /* Default to the well-defined sysctl SID. */
1809 tsid = SECINITSID_SYSCTL;
1810 }
1811
1812 /* The op values are "defined" in sysctl.c, thereby creating
1813 * a bad coupling between this module and sysctl.c */
828dfe1d 1814 if (op == 001) {
1da177e4
LT		 1815 error = avc_has_perm(tsec->sid, tsid,
1816 SECCLASS_DIR, DIR__SEARCH, NULL);
1817 } else {
1818 av = 0;
1819 if (op & 004)
1820 av |= FILE__READ;
1821 if (op & 002)
1822 av |= FILE__WRITE;
1823 if (av)
1824 error = avc_has_perm(tsec->sid, tsid,
1825 SECCLASS_FILE, av, NULL);
828dfe1d 1826 }
1da177e4
LT		 1827
1828 return error;
1829}
1830
1831static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1832{
1833 int rc = 0;
1834
1835 if (!sb)
1836 return 0;
1837
1838 switch (cmds) {
828dfe1d
EP		 1839 case Q_SYNC:
1840 case Q_QUOTAON:
1841 case Q_QUOTAOFF:
1842 case Q_SETINFO:
1843 case Q_SETQUOTA:
1844 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
1845 NULL);
1846 break;
1847 case Q_GETFMT:
1848 case Q_GETINFO:
1849 case Q_GETQUOTA:
1850 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
1851 NULL);
1852 break;
1853 default:
1854 rc = 0; /* let the kernel handle invalid cmds */
1855 break;
1da177e4
LT		 1856 }
1857 return rc;
1858}
1859
1860static int selinux_quota_on(struct dentry *dentry)
1861{
1862 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1863}
1864
1865static int selinux_syslog(int type)
1866{
1867 int rc;
1868
1869 rc = secondary_ops->syslog(type);
1870 if (rc)
1871 return rc;
1872
1873 switch (type) {
828dfe1d
EP		 1874 case 3: /* Read last kernel messages */
1875 case 10: /* Return size of the log buffer */
1876 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1877 break;
1878 case 6: /* Disable logging to console */
1879 case 7: /* Enable logging to console */
1880 case 8: /* Set level of messages printed to console */
1881 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1882 break;
1883 case 0: /* Close log */
1884 case 1: /* Open log */
1885 case 2: /* Read from log */
1886 case 4: /* Read/clear last kernel messages */
1887 case 5: /* Clear ring buffer */
1888 default:
1889 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1890 break;
1da177e4
LT		 1891 }
1892 return rc;
1893}
1894
1895/*
1896 * Check that a process has enough memory to allocate a new virtual
1897 * mapping. 0 means there is enough memory for the allocation to
1898 * succeed and -ENOMEM implies there is not.
1899 *
1900 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1901 * if the capability is granted, but __vm_enough_memory requires 1 if
1902 * the capability is granted.
1903 *
1904 * Do not audit the selinux permission check, as this is applied to all
1905 * processes that allocate mappings.
1906 */
34b4e4aa 1907static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 1908{
1909 int rc, cap_sys_admin = 0;
1910 struct task_security_struct *tsec = current->security;
1911
1912 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1913 if (rc == 0)
1914 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2c3c05db
SS		 1915 SECCLASS_CAPABILITY,
1916 CAP_TO_MASK(CAP_SYS_ADMIN),
1917 0,
1918 NULL);
1da177e4
LT		 1919
1920 if (rc == 0)
1921 cap_sys_admin = 1;
1922
34b4e4aa 1923 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 1924}
1925
0356357c
RM		 1926/**
1927 * task_tracer_task - return the task that is tracing the given task
1928 * @task: task to consider
1929 *
1930 * Returns NULL if noone is tracing @task, or the &struct task_struct
1931 * pointer to its tracer.
1932 *
1933 * Must be called under rcu_read_lock().
1934 */
1935static struct task_struct *task_tracer_task(struct task_struct *task)
1936{
1937 if (task->ptrace & PT_PTRACED)
1938 return rcu_dereference(task->parent);
1939 return NULL;
1940}
1941
1da177e4
LT		 1942/* binprm security operations */
1943
1944static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1945{
1946 struct bprm_security_struct *bsec;
1947
89d155ef 1948 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1da177e4
LT		 1949 if (!bsec)
1950 return -ENOMEM;
1951
1da177e4
LT		 1952 bsec->sid = SECINITSID_UNLABELED;
1953 bsec->set = 0;
1954
1955 bprm->security = bsec;
1956 return 0;
1957}
1958
1959static int selinux_bprm_set_security(struct linux_binprm *bprm)
1960{
1961 struct task_security_struct *tsec;
3d5ff529 1962 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1da177e4
LT		 1963 struct inode_security_struct *isec;
1964 struct bprm_security_struct *bsec;
1965 u32 newsid;
1966 struct avc_audit_data ad;
1967 int rc;
1968
1969 rc = secondary_ops->bprm_set_security(bprm);
1970 if (rc)
1971 return rc;
1972
1973 bsec = bprm->security;
1974
1975 if (bsec->set)
1976 return 0;
1977
1978 tsec = current->security;
1979 isec = inode->i_security;
1980
1981 /* Default to the current task SID. */
1982 bsec->sid = tsec->sid;
1983
28eba5bf 1984 /* Reset fs, key, and sock SIDs on execve. */
1da177e4 1985 tsec->create_sid = 0;
28eba5bf 1986 tsec->keycreate_sid = 0;
42c3e03e 1987 tsec->sockcreate_sid = 0;
1da177e4
LT		 1988
1989 if (tsec->exec_sid) {
1990 newsid = tsec->exec_sid;
1991 /* Reset exec SID on execve. */
1992 tsec->exec_sid = 0;
1993 } else {
1994 /* Check for a default transition on this program. */
1995 rc = security_transition_sid(tsec->sid, isec->sid,
828dfe1d 1996 SECCLASS_PROCESS, &newsid);
1da177e4
LT		 1997 if (rc)
1998 return rc;
1999 }
2000
2001 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2002 ad.u.fs.path = bprm->file->f_path;
1da177e4 2003
3d5ff529 2004 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1da177e4
LT		 2005 newsid = tsec->sid;
2006
828dfe1d 2007 if (tsec->sid == newsid) {
1da177e4
LT		 2008 rc = avc_has_perm(tsec->sid, isec->sid,
2009 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2010 if (rc)
2011 return rc;
2012 } else {
2013 /* Check permissions for the transition. */
2014 rc = avc_has_perm(tsec->sid, newsid,
2015 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2016 if (rc)
2017 return rc;
2018
2019 rc = avc_has_perm(newsid, isec->sid,
2020 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2021 if (rc)
2022 return rc;
2023
2024 /* Clear any possibly unsafe personality bits on exec: */
2025 current->personality &= ~PER_CLEAR_ON_SETID;
2026
2027 /* Set the security field to the new SID. */
2028 bsec->sid = newsid;
2029 }
2030
2031 bsec->set = 1;
2032 return 0;
2033}
2034
828dfe1d 2035static int selinux_bprm_check_security(struct linux_binprm *bprm)
1da177e4
LT		 2036{
2037 return secondary_ops->bprm_check_security(bprm);
2038}
2039
2040
828dfe1d 2041static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4
LT		 2042{
2043 struct task_security_struct *tsec = current->security;
2044 int atsecure = 0;
2045
2046 if (tsec->osid != tsec->sid) {
2047 /* Enable secure mode for SIDs transitions unless
2048 the noatsecure permission is granted between
2049 the two SIDs, i.e. ahp returns 0. */
2050 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2051 SECCLASS_PROCESS,
2052 PROCESS__NOATSECURE, NULL);
2053 }
2054
2055 return (atsecure || secondary_ops->bprm_secureexec(bprm));
2056}
2057
2058static void selinux_bprm_free_security(struct linux_binprm *bprm)
2059{
9a5f04bf 2060 kfree(bprm->security);
1da177e4 2061 bprm->security = NULL;
1da177e4
LT		 2062}
2063
2064extern struct vfsmount *selinuxfs_mount;
2065extern struct dentry *selinux_null;
2066
2067/* Derived from fs/exec.c:flush_old_files. */
828dfe1d 2068static inline void flush_unauthorized_files(struct files_struct *files)
1da177e4
LT		 2069{
2070 struct avc_audit_data ad;
2071 struct file *file, *devnull = NULL;
b20c8122 2072 struct tty_struct *tty;
badf1662 2073 struct fdtable *fdt;
1da177e4 2074 long j = -1;
24ec839c 2075 int drop_tty = 0;
1da177e4 2076
b20c8122 2077 mutex_lock(&tty_mutex);
24ec839c 2078 tty = get_current_tty();
1da177e4
LT		 2079 if (tty) {
2080 file_list_lock();
2f512016 2081 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1da177e4
LT		 2082 if (file) {
2083 /* Revalidate access to controlling tty.
2084 Use inode_has_perm on the tty inode directly rather
2085 than using file_has_perm, as this particular open
2086 file may belong to another process and we are only
2087 interested in the inode-based check here. */
3d5ff529 2088 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2089 if (inode_has_perm(current, inode,
2090 FILE__READ | FILE__WRITE, NULL)) {
24ec839c 2091 drop_tty = 1;
1da177e4
LT		 2092 }
2093 }
2094 file_list_unlock();
2095 }
b20c8122 2096 mutex_unlock(&tty_mutex);
98a27ba4
EB		 2097 /* Reset controlling tty. */
2098 if (drop_tty)
2099 no_tty();
1da177e4
LT		 2100
2101 /* Revalidate access to inherited open files. */
2102
828dfe1d 2103 AVC_AUDIT_DATA_INIT(&ad, FS);
1da177e4
LT		 2104
2105 spin_lock(&files->file_lock);
2106 for (;;) {
2107 unsigned long set, i;
2108 int fd;
2109
2110 j++;
2111 i = j * __NFDBITS;
badf1662 2112 fdt = files_fdtable(files);
bbea9f69 2113 if (i >= fdt->max_fds)
1da177e4 2114 break;
badf1662 2115 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 2116 if (!set)
2117 continue;
2118 spin_unlock(&files->file_lock);
828dfe1d 2119 for ( ; set ; i++, set >>= 1) {
1da177e4
LT		 2120 if (set & 1) {
2121 file = fget(i);
2122 if (!file)
2123 continue;
2124 if (file_has_perm(current,
2125 file,
2126 file_to_av(file))) {
2127 sys_close(i);
2128 fd = get_unused_fd();
2129 if (fd != i) {
2130 if (fd >= 0)
2131 put_unused_fd(fd);
2132 fput(file);
2133 continue;
2134 }
2135 if (devnull) {
095975da 2136 get_file(devnull);
1da177e4
LT		 2137 } else {
2138 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
fc5d81e6
AM		 2139 if (IS_ERR(devnull)) {
2140 devnull = NULL;
1da177e4
LT		 2141 put_unused_fd(fd);
2142 fput(file);
2143 continue;
2144 }
2145 }
2146 fd_install(fd, devnull);
2147 }
2148 fput(file);
2149 }
2150 }
2151 spin_lock(&files->file_lock);
2152
2153 }
2154 spin_unlock(&files->file_lock);
2155}
2156
2157static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2158{
2159 struct task_security_struct *tsec;
2160 struct bprm_security_struct *bsec;
2161 u32 sid;
2162 int rc;
2163
2164 secondary_ops->bprm_apply_creds(bprm, unsafe);
2165
2166 tsec = current->security;
2167
2168 bsec = bprm->security;
2169 sid = bsec->sid;
2170
2171 tsec->osid = tsec->sid;
2172 bsec->unsafe = 0;
2173 if (tsec->sid != sid) {
2174 /* Check for shared state. If not ok, leave SID
2175 unchanged and kill. */
2176 if (unsafe & LSM_UNSAFE_SHARE) {
2177 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2178 PROCESS__SHARE, NULL);
2179 if (rc) {
2180 bsec->unsafe = 1;
2181 return;
2182 }
2183 }
2184
2185 /* Check for ptracing, and update the task SID if ok.
2186 Otherwise, leave SID unchanged and kill. */
2187 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
0356357c
RM		 2188 struct task_struct *tracer;
2189 struct task_security_struct *sec;
2190 u32 ptsid = 0;
2191
2192 rcu_read_lock();
2193 tracer = task_tracer_task(current);
2194 if (likely(tracer != NULL)) {
2195 sec = tracer->security;
2196 ptsid = sec->sid;
2197 }
2198 rcu_read_unlock();
2199
2200 if (ptsid != 0) {
2201 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2202 PROCESS__PTRACE, NULL);
2203 if (rc) {
2204 bsec->unsafe = 1;
2205 return;
2206 }
1da177e4
LT		 2207 }
2208 }
2209 tsec->sid = sid;
2210 }
2211}
2212
2213/*
2214 * called after apply_creds without the task lock held
2215 */
2216static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2217{
2218 struct task_security_struct *tsec;
2219 struct rlimit *rlim, *initrlim;
2220 struct itimerval itimer;
2221 struct bprm_security_struct *bsec;
2222 int rc, i;
2223
2224 tsec = current->security;
2225 bsec = bprm->security;
2226
2227 if (bsec->unsafe) {
2228 force_sig_specific(SIGKILL, current);
2229 return;
2230 }
2231 if (tsec->osid == tsec->sid)
2232 return;
2233
2234 /* Close files for which the new task SID is not authorized. */
2235 flush_unauthorized_files(current->files);
2236
2237 /* Check whether the new SID can inherit signal state
2238 from the old SID. If not, clear itimers to avoid
2239 subsequent signal generation and flush and unblock
2240 signals. This must occur _after_ the task SID has
2241 been updated so that any kill done after the flush
2242 will be checked against the new SID. */
2243 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2244 PROCESS__SIGINH, NULL);
2245 if (rc) {
2246 memset(&itimer, 0, sizeof itimer);
2247 for (i = 0; i < 3; i++)
2248 do_setitimer(i, &itimer, NULL);
2249 flush_signals(current);
2250 spin_lock_irq(&current->sighand->siglock);
2251 flush_signal_handlers(current, 1);
2252 sigemptyset(&current->blocked);
2253 recalc_sigpending();
2254 spin_unlock_irq(&current->sighand->siglock);
2255 }
2256
4ac212ad
SS		 2257 /* Always clear parent death signal on SID transitions. */
2258 current->pdeath_signal = 0;
2259
1da177e4
LT		 2260 /* Check whether the new SID can inherit resource limits
2261 from the old SID. If not, reset all soft limits to
2262 the lower of the current task's hard limit and the init
2263 task's soft limit. Note that the setting of hard limits
2264 (even to lower them) can be controlled by the setrlimit
2265 check. The inclusion of the init task's soft limit into
2266 the computation is to avoid resetting soft limits higher
2267 than the default soft limit for cases where the default
2268 is lower than the hard limit, e.g. RLIMIT_CORE or
2269 RLIMIT_STACK.*/
2270 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2271 PROCESS__RLIMITINH, NULL);
2272 if (rc) {
2273 for (i = 0; i < RLIM_NLIMITS; i++) {
2274 rlim = current->signal->rlim + i;
2275 initrlim = init_task.signal->rlim+i;
828dfe1d 2276 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4
LT		 2277 }
2278 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2279 /*
2280 * This will cause RLIMIT_CPU calculations
2281 * to be refigured.
2282 */
2283 current->it_prof_expires = jiffies_to_cputime(1);
2284 }
2285 }
2286
2287 /* Wake up the parent if it is waiting so that it can
2288 recheck wait permission to the new task SID. */
2289 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2290}
2291
2292/* superblock security operations */
2293
2294static int selinux_sb_alloc_security(struct super_block *sb)
2295{
2296 return superblock_alloc_security(sb);
2297}
2298
2299static void selinux_sb_free_security(struct super_block *sb)
2300{
2301 superblock_free_security(sb);
2302}
2303
2304static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2305{
2306 if (plen > olen)
2307 return 0;
2308
2309 return !memcmp(prefix, option, plen);
2310}
2311
2312static inline int selinux_option(char *option, int len)
2313{
832cbd9a
EP		 2314 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2315 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2316 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2317 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
1da177e4
LT		 2318}
2319
2320static inline void take_option(char **to, char *from, int *first, int len)
2321{
2322 if (!*first) {
2323 **to = ',';
2324 *to += 1;
3528a953 2325 } else
1da177e4
LT		 2326 *first = 0;
2327 memcpy(*to, from, len);
2328 *to += len;
2329}
2330
828dfe1d
EP		 2331static inline void take_selinux_option(char **to, char *from, int *first,
2332 int len)
3528a953
CO		 2333{
2334 int current_size = 0;
2335
2336 if (!*first) {
2337 **to = '|';
2338 *to += 1;
828dfe1d 2339 } else
3528a953
CO		 2340 *first = 0;
2341
2342 while (current_size < len) {
2343 if (*from != '"') {
2344 **to = *from;
2345 *to += 1;
2346 }
2347 from += 1;
2348 current_size += 1;
2349 }
2350}
2351
e0007529 2352static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2353{
2354 int fnosec, fsec, rc = 0;
2355 char *in_save, *in_curr, *in_end;
2356 char *sec_curr, *nosec_save, *nosec;
3528a953 2357 int open_quote = 0;
1da177e4
LT		 2358
2359 in_curr = orig;
2360 sec_curr = copy;
2361
1da177e4
LT		 2362 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2363 if (!nosec) {
2364 rc = -ENOMEM;
2365 goto out;
2366 }
2367
2368 nosec_save = nosec;
2369 fnosec = fsec = 1;
2370 in_save = in_end = orig;
2371
2372 do {
3528a953
CO		 2373 if (*in_end == '"')
2374 open_quote = !open_quote;
2375 if ((*in_end == ',' && open_quote == 0) ||
2376 *in_end == '\0') {
1da177e4
LT		 2377 int len = in_end - in_curr;
2378
2379 if (selinux_option(in_curr, len))
3528a953 2380 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2381 else
2382 take_option(&nosec, in_curr, &fnosec, len);
2383
2384 in_curr = in_end + 1;
2385 }
2386 } while (*in_end++);
2387
6931dfc9 2388 strcpy(in_save, nosec_save);
da3caa20 2389 free_page((unsigned long)nosec_save);
1da177e4
LT		 2390out:
2391 return rc;
2392}
2393
2394static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2395{
2396 struct avc_audit_data ad;
2397 int rc;
2398
2399 rc = superblock_doinit(sb, data);
2400 if (rc)
2401 return rc;
2402
828dfe1d 2403 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2404 ad.u.fs.path.dentry = sb->s_root;
1da177e4
LT		 2405 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2406}
2407
726c3342 2408static int selinux_sb_statfs(struct dentry *dentry)
1da177e4
LT		 2409{
2410 struct avc_audit_data ad;
2411
828dfe1d 2412 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2413 ad.u.fs.path.dentry = dentry->d_sb->s_root;
726c3342 2414 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2415}
2416
828dfe1d 2417static int selinux_mount(char *dev_name,
b5266eb4 2418 struct path *path,
828dfe1d
EP		 2419 char *type,
2420 unsigned long flags,
2421 void *data)
1da177e4
LT		 2422{
2423 int rc;
2424
b5266eb4 2425 rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
1da177e4
LT		 2426 if (rc)
2427 return rc;
2428
2429 if (flags & MS_REMOUNT)
b5266eb4 2430 return superblock_has_perm(current, path->mnt->mnt_sb,
828dfe1d 2431 FILESYSTEM__REMOUNT, NULL);
1da177e4 2432 else
b5266eb4 2433 return dentry_has_perm(current, path->mnt, path->dentry,
828dfe1d 2434 FILE__MOUNTON);
1da177e4
LT		 2435}
2436
2437static int selinux_umount(struct vfsmount *mnt, int flags)
2438{
2439 int rc;
2440
2441 rc = secondary_ops->sb_umount(mnt, flags);
2442 if (rc)
2443 return rc;
2444
828dfe1d
EP		 2445 return superblock_has_perm(current, mnt->mnt_sb,
2446 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2447}
2448
2449/* inode security operations */
2450
2451static int selinux_inode_alloc_security(struct inode *inode)
2452{
2453 return inode_alloc_security(inode);
2454}
2455
2456static void selinux_inode_free_security(struct inode *inode)
2457{
2458 inode_free_security(inode);
2459}
2460
5e41ff9e
SS		 2461static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2462 char **name, void **value,
2463 size_t *len)
2464{
2465 struct task_security_struct *tsec;
2466 struct inode_security_struct *dsec;
2467 struct superblock_security_struct *sbsec;
570bc1c2 2468 u32 newsid, clen;
5e41ff9e 2469 int rc;
570bc1c2 2470 char *namep = NULL, *context;
5e41ff9e
SS		 2471
2472 tsec = current->security;
2473 dsec = dir->i_security;
2474 sbsec = dir->i_sb->s_security;
5e41ff9e
SS		 2475
2476 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2477 newsid = tsec->create_sid;
2478 } else {
2479 rc = security_transition_sid(tsec->sid, dsec->sid,
2480 inode_mode_to_security_class(inode->i_mode),
2481 &newsid);
2482 if (rc) {
2483 printk(KERN_WARNING "%s: "
2484 "security_transition_sid failed, rc=%d (dev=%s "
2485 "ino=%ld)\n",
dd6f953a 2486 __func__,
5e41ff9e
SS		 2487 -rc, inode->i_sb->s_id, inode->i_ino);
2488 return rc;
2489 }
2490 }
2491
296fddf7
EP		 2492 /* Possibly defer initialization to selinux_complete_init. */
2493 if (sbsec->initialized) {
2494 struct inode_security_struct *isec = inode->i_security;
2495 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2496 isec->sid = newsid;
2497 isec->initialized = 1;
2498 }
5e41ff9e 2499
8aad3875 2500 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
25a74f3b
SS		 2501 return -EOPNOTSUPP;
2502
570bc1c2 2503 if (name) {
a02fe132 2504 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
570bc1c2
SS		 2505 if (!namep)
2506 return -ENOMEM;
2507 *name = namep;
2508 }
5e41ff9e 2509
570bc1c2 2510 if (value && len) {
12b29f34 2511 rc = security_sid_to_context_force(newsid, &context, &clen);
570bc1c2
SS		 2512 if (rc) {
2513 kfree(namep);
2514 return rc;
2515 }
2516 *value = context;
2517 *len = clen;
5e41ff9e 2518 }
5e41ff9e 2519
5e41ff9e
SS		 2520 return 0;
2521}
2522
1da177e4
LT		 2523static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2524{
2525 return may_create(dir, dentry, SECCLASS_FILE);
2526}
2527
1da177e4
LT		 2528static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2529{
2530 int rc;
2531
828dfe1d 2532 rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
1da177e4
LT		 2533 if (rc)
2534 return rc;
2535 return may_link(dir, old_dentry, MAY_LINK);
2536}
2537
1da177e4
LT		 2538static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2539{
2540 int rc;
2541
2542 rc = secondary_ops->inode_unlink(dir, dentry);
2543 if (rc)
2544 return rc;
2545 return may_link(dir, dentry, MAY_UNLINK);
2546}
2547
2548static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2549{
2550 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2551}
2552
1da177e4
LT		 2553static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2554{
2555 return may_create(dir, dentry, SECCLASS_DIR);
2556}
2557
1da177e4
LT		 2558static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2559{
2560 return may_link(dir, dentry, MAY_RMDIR);
2561}
2562
2563static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2564{
2565 int rc;
2566
2567 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2568 if (rc)
2569 return rc;
2570
2571 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2572}
2573
1da177e4 2574static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2575 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2576{
2577 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2578}
2579
1da177e4
LT		 2580static int selinux_inode_readlink(struct dentry *dentry)
2581{
2582 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2583}
2584
2585static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2586{
2587 int rc;
2588
828dfe1d 2589 rc = secondary_ops->inode_follow_link(dentry, nameidata);
1da177e4
LT		 2590 if (rc)
2591 return rc;
2592 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2593}
2594
2595static int selinux_inode_permission(struct inode *inode, int mask,
2596 struct nameidata *nd)
2597{
2598 int rc;
2599
2600 rc = secondary_ops->inode_permission(inode, mask, nd);
2601 if (rc)
2602 return rc;
2603
2604 if (!mask) {
2605 /* No permission to check. Existence test. */
2606 return 0;
2607 }
2608
2609 return inode_has_perm(current, inode,
b0c636b9 2610 open_file_mask_to_av(inode->i_mode, mask), NULL);
1da177e4
LT		 2611}
2612
2613static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2614{
2615 int rc;
2616
2617 rc = secondary_ops->inode_setattr(dentry, iattr);
2618 if (rc)
2619 return rc;
2620
2621 if (iattr->ia_valid & ATTR_FORCE)
2622 return 0;
2623
2624 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2625 ATTR_ATIME_SET | ATTR_MTIME_SET))
2626 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2627
2628 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2629}
2630
2631static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2632{
2633 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2634}
2635
8f0cfa52 2636static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771
SH		 2637{
2638 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2639 sizeof XATTR_SECURITY_PREFIX - 1)) {
2640 if (!strcmp(name, XATTR_NAME_CAPS)) {
2641 if (!capable(CAP_SETFCAP))
2642 return -EPERM;
2643 } else if (!capable(CAP_SYS_ADMIN)) {
2644 /* A different attribute in the security namespace.
2645 Restrict to administrator. */
2646 return -EPERM;
2647 }
2648 }
2649
2650 /* Not an attribute we recognize, so just check the
2651 ordinary setattr permission. */
2652 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2653}
2654
8f0cfa52
DH		 2655static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2656 const void *value, size_t size, int flags)
1da177e4
LT		 2657{
2658 struct task_security_struct *tsec = current->security;
2659 struct inode *inode = dentry->d_inode;
2660 struct inode_security_struct *isec = inode->i_security;
2661 struct superblock_security_struct *sbsec;
2662 struct avc_audit_data ad;
2663 u32 newsid;
2664 int rc = 0;
2665
b5376771
SH		 2666 if (strcmp(name, XATTR_NAME_SELINUX))
2667 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2668
2669 sbsec = inode->i_sb->s_security;
2670 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2671 return -EOPNOTSUPP;
2672
3bd858ab 2673 if (!is_owner_or_cap(inode))
1da177e4
LT		 2674 return -EPERM;
2675
828dfe1d 2676 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2677 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 2678
2679 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2680 FILE__RELABELFROM, &ad);
2681 if (rc)
2682 return rc;
2683
2684 rc = security_context_to_sid(value, size, &newsid);
12b29f34
SS		 2685 if (rc == -EINVAL) {
2686 if (!capable(CAP_MAC_ADMIN))
2687 return rc;
2688 rc = security_context_to_sid_force(value, size, &newsid);
2689 }
1da177e4
LT		 2690 if (rc)
2691 return rc;
2692
2693 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2694 FILE__RELABELTO, &ad);
2695 if (rc)
2696 return rc;
2697
2698 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
828dfe1d 2699 isec->sclass);
1da177e4
LT		 2700 if (rc)
2701 return rc;
2702
2703 return avc_has_perm(newsid,
2704 sbsec->sid,
2705 SECCLASS_FILESYSTEM,
2706 FILESYSTEM__ASSOCIATE,
2707 &ad);
2708}
2709
8f0cfa52 2710static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 2711 const void *value, size_t size,
8f0cfa52 2712 int flags)
1da177e4
LT		 2713{
2714 struct inode *inode = dentry->d_inode;
2715 struct inode_security_struct *isec = inode->i_security;
2716 u32 newsid;
2717 int rc;
2718
2719 if (strcmp(name, XATTR_NAME_SELINUX)) {
2720 /* Not an attribute we recognize, so nothing to do. */
2721 return;
2722 }
2723
12b29f34 2724 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 2725 if (rc) {
12b29f34
SS		 2726 printk(KERN_ERR "SELinux: unable to map context to SID"
2727 "for (%s, %lu), rc=%d\n",
2728 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 2729 return;
2730 }
2731
2732 isec->sid = newsid;
2733 return;
2734}
2735
8f0cfa52 2736static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 2737{
1da177e4
LT		 2738 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2739}
2740
828dfe1d 2741static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4
LT		 2742{
2743 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2744}
2745
8f0cfa52 2746static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 2747{
b5376771
SH		 2748 if (strcmp(name, XATTR_NAME_SELINUX))
2749 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2750
2751 /* No one is allowed to remove a SELinux security label.
2752 You can change the label, but all data must be labeled. */
2753 return -EACCES;
2754}
2755
d381d8a9
JM		 2756/*
2757 * Copy the in-core inode security context value to the user. If the
2758 * getxattr() prior to this succeeded, check to see if we need to
2759 * canonicalize the value to be finally returned to the user.
2760 *
2761 * Permission check is handled by selinux_inode_getxattr hook.
2762 */
42492594 2763static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 2764{
42492594
DQ		 2765 u32 size;
2766 int error;
2767 char *context = NULL;
1da177e4 2768 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2769
8c8570fb
DK		 2770 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2771 return -EOPNOTSUPP;
d381d8a9 2772
42492594
DQ		 2773 error = security_sid_to_context(isec->sid, &context, &size);
2774 if (error)
2775 return error;
2776 error = size;
2777 if (alloc) {
2778 *buffer = context;
2779 goto out_nofree;
2780 }
2781 kfree(context);
2782out_nofree:
2783 return error;
1da177e4
LT		 2784}
2785
2786static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 2787 const void *value, size_t size, int flags)
1da177e4
LT		 2788{
2789 struct inode_security_struct *isec = inode->i_security;
2790 u32 newsid;
2791 int rc;
2792
2793 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2794 return -EOPNOTSUPP;
2795
2796 if (!value || !size)
2797 return -EACCES;
2798
828dfe1d 2799 rc = security_context_to_sid((void *)value, size, &newsid);
1da177e4
LT		 2800 if (rc)
2801 return rc;
2802
2803 isec->sid = newsid;
2804 return 0;
2805}
2806
2807static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2808{
2809 const int len = sizeof(XATTR_NAME_SELINUX);
2810 if (buffer && len <= buffer_size)
2811 memcpy(buffer, XATTR_NAME_SELINUX, len);
2812 return len;
2813}
2814
b5376771
SH		 2815static int selinux_inode_need_killpriv(struct dentry *dentry)
2816{
2817 return secondary_ops->inode_need_killpriv(dentry);
2818}
2819
2820static int selinux_inode_killpriv(struct dentry *dentry)
2821{
2822 return secondary_ops->inode_killpriv(dentry);
2823}
2824
713a04ae
AD		 2825static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2826{
2827 struct inode_security_struct *isec = inode->i_security;
2828 *secid = isec->sid;
2829}
2830
1da177e4
LT		 2831/* file security operations */
2832
788e7dd4 2833static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 2834{
7420ed23 2835 int rc;
3d5ff529 2836 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2837
2838 if (!mask) {
2839 /* No permission to check. Existence test. */
2840 return 0;
2841 }
2842
2843 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2844 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2845 mask |= MAY_APPEND;
2846
7420ed23
VY		 2847 rc = file_has_perm(current, file,
2848 file_mask_to_av(inode->i_mode, mask));
2849 if (rc)
2850 return rc;
2851
2852 return selinux_netlbl_inode_permission(inode, mask);
1da177e4
LT		 2853}
2854
788e7dd4
YN		 2855static int selinux_file_permission(struct file *file, int mask)
2856{
2857 struct inode *inode = file->f_path.dentry->d_inode;
2858 struct task_security_struct *tsec = current->security;
2859 struct file_security_struct *fsec = file->f_security;
2860 struct inode_security_struct *isec = inode->i_security;
2861
2862 if (!mask) {
2863 /* No permission to check. Existence test. */
2864 return 0;
2865 }
2866
2867 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2868 && fsec->pseqno == avc_policy_seqno())
2869 return selinux_netlbl_inode_permission(inode, mask);
2870
2871 return selinux_revalidate_file_permission(file, mask);
2872}
2873
1da177e4
LT		 2874static int selinux_file_alloc_security(struct file *file)
2875{
2876 return file_alloc_security(file);
2877}
2878
2879static void selinux_file_free_security(struct file *file)
2880{
2881 file_free_security(file);
2882}
2883
2884static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2885 unsigned long arg)
2886{
2887 int error = 0;
2888
2889 switch (cmd) {
828dfe1d
EP		 2890 case FIONREAD:
2891 /* fall through */
2892 case FIBMAP:
2893 /* fall through */
2894 case FIGETBSZ:
2895 /* fall through */
2896 case EXT2_IOC_GETFLAGS:
2897 /* fall through */
2898 case EXT2_IOC_GETVERSION:
2899 error = file_has_perm(current, file, FILE__GETATTR);
2900 break;
1da177e4 2901
828dfe1d
EP		 2902 case EXT2_IOC_SETFLAGS:
2903 /* fall through */
2904 case EXT2_IOC_SETVERSION:
2905 error = file_has_perm(current, file, FILE__SETATTR);
2906 break;
1da177e4 2907
828dfe1d
EP		 2908 /* sys_ioctl() checks */
2909 case FIONBIO:
2910 /* fall through */
2911 case FIOASYNC:
2912 error = file_has_perm(current, file, 0);
2913 break;
1da177e4 2914
828dfe1d
EP		 2915 case KDSKBENT:
2916 case KDSKBSENT:
2917 error = task_has_capability(current, CAP_SYS_TTY_CONFIG);
2918 break;
1da177e4 2919
828dfe1d
EP		 2920 /* default case assumes that the command will go
2921 * to the file's ioctl() function.
2922 */
2923 default:
2924 error = file_has_perm(current, file, FILE__IOCTL);
1da177e4
LT		 2925 }
2926 return error;
2927}
2928
2929static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2930{
2931#ifndef CONFIG_PPC32
2932 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2933 /*
2934 * We are making executable an anonymous mapping or a
2935 * private file mapping that will also be writable.
2936 * This has an additional check.
2937 */
2938 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2939 if (rc)
2940 return rc;
2941 }
2942#endif
2943
2944 if (file) {
2945 /* read access is always possible with a mapping */
2946 u32 av = FILE__READ;
2947
2948 /* write access only matters if the mapping is shared */
2949 if (shared && (prot & PROT_WRITE))
2950 av |= FILE__WRITE;
2951
2952 if (prot & PROT_EXEC)
2953 av |= FILE__EXECUTE;
2954
2955 return file_has_perm(current, file, av);
2956 }
2957 return 0;
2958}
2959
2960static int selinux_file_mmap(struct file *file, unsigned long reqprot,
ed032189
EP		 2961 unsigned long prot, unsigned long flags,
2962 unsigned long addr, unsigned long addr_only)
1da177e4 2963{
ed032189 2964 int rc = 0;
828dfe1d 2965 u32 sid = ((struct task_security_struct *)(current->security))->sid;
1da177e4 2966
ed032189
EP		 2967 if (addr < mmap_min_addr)
2968 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2969 MEMPROTECT__MMAP_ZERO, NULL);
2970 if (rc || addr_only)
1da177e4
LT		 2971 return rc;
2972
2973 if (selinux_checkreqprot)
2974 prot = reqprot;
2975
2976 return file_map_prot_check(file, prot,
2977 (flags & MAP_TYPE) == MAP_SHARED);
2978}
2979
2980static int selinux_file_mprotect(struct vm_area_struct *vma,
2981 unsigned long reqprot,
2982 unsigned long prot)
2983{
2984 int rc;
2985
2986 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2987 if (rc)
2988 return rc;
2989
2990 if (selinux_checkreqprot)
2991 prot = reqprot;
2992
2993#ifndef CONFIG_PPC32
db4c9641
SS		 2994 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2995 rc = 0;
2996 if (vma->vm_start >= vma->vm_mm->start_brk &&
2997 vma->vm_end <= vma->vm_mm->brk) {
2998 rc = task_has_perm(current, current,
2999 PROCESS__EXECHEAP);
3000 } else if (!vma->vm_file &&
3001 vma->vm_start <= vma->vm_mm->start_stack &&
3002 vma->vm_end >= vma->vm_mm->start_stack) {
3003 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
3004 } else if (vma->vm_file && vma->anon_vma) {
3005 /*
3006 * We are making executable a file mapping that has
3007 * had some COW done. Since pages might have been
3008 * written, check ability to execute the possibly
3009 * modified content. This typically should only
3010 * occur for text relocations.
3011 */
3012 rc = file_has_perm(current, vma->vm_file,
3013 FILE__EXECMOD);
3014 }