]> bbs.cooldavid.org Git - net-next-2.6.git/blame - security/selinux/hooks.c
git://bbs.cooldavid.org / net-next-2.6.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
SELinux: sidtab.c whitespace, syntax, and static declaraction cleanups
[net-next-2.6.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
effad8df
PM		 15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com>
788e7dd4
YN		 17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 19 *
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
23 */
24
1da177e4
LT		 25#include <linux/init.h>
26#include <linux/kernel.h>
27#include <linux/ptrace.h>
28#include <linux/errno.h>
29#include <linux/sched.h>
30#include <linux/security.h>
31#include <linux/xattr.h>
32#include <linux/capability.h>
33#include <linux/unistd.h>
34#include <linux/mm.h>
35#include <linux/mman.h>
36#include <linux/slab.h>
37#include <linux/pagemap.h>
38#include <linux/swap.h>
1da177e4
LT		 39#include <linux/spinlock.h>
40#include <linux/syscalls.h>
41#include <linux/file.h>
42#include <linux/namei.h>
43#include <linux/mount.h>
44#include <linux/ext2_fs.h>
45#include <linux/proc_fs.h>
46#include <linux/kd.h>
47#include <linux/netfilter_ipv4.h>
48#include <linux/netfilter_ipv6.h>
49#include <linux/tty.h>
50#include <net/icmp.h>
227b60f5 51#include <net/ip.h> /* for local_port_range[] */
1da177e4 52#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
220deb96 53#include <net/net_namespace.h>
d621d35e 54#include <net/netlabel.h>
1da177e4 55#include <asm/uaccess.h>
1da177e4 56#include <asm/ioctls.h>
d621d35e 57#include <asm/atomic.h>
1da177e4
LT		 58#include <linux/bitops.h>
59#include <linux/interrupt.h>
60#include <linux/netdevice.h> /* for network interface checks */
61#include <linux/netlink.h>
62#include <linux/tcp.h>
63#include <linux/udp.h>
2ee92d46 64#include <linux/dccp.h>
1da177e4
LT		 65#include <linux/quota.h>
66#include <linux/un.h> /* for Unix socket types */
67#include <net/af_unix.h> /* for Unix socket types */
68#include <linux/parser.h>
69#include <linux/nfs_mount.h>
70#include <net/ipv6.h>
71#include <linux/hugetlb.h>
72#include <linux/personality.h>
73#include <linux/sysctl.h>
74#include <linux/audit.h>
6931dfc9 75#include <linux/string.h>
877ce7c1 76#include <linux/selinux.h>
23970741 77#include <linux/mutex.h>
1da177e4
LT		 78
79#include "avc.h"
80#include "objsec.h"
81#include "netif.h"
224dfbd8 82#include "netnode.h"
3e112172 83#include "netport.h"
d28d1e08 84#include "xfrm.h"
c60475bf 85#include "netlabel.h"
9d57a7f9 86#include "audit.h"
1da177e4
LT		 87
88#define XATTR_SELINUX_SUFFIX "selinux"
89#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
90
c9180a57
EP		 91#define NUM_SEL_MNT_OPTS 4
92
1da177e4
LT		 93extern unsigned int policydb_loaded_version;
94extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
4e5ab4cb 95extern int selinux_compat_net;
20510f2f 96extern struct security_operations *security_ops;
1da177e4 97
d621d35e
PM		 98/* SECMARK reference count */
99atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100
1da177e4
LT		 101#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102int selinux_enforcing = 0;
103
104static int __init enforcing_setup(char *str)
105{
106 selinux_enforcing = simple_strtol(str,NULL,0);
107 return 1;
108}
109__setup("enforcing=", enforcing_setup);
110#endif
111
112#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
113int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
114
115static int __init selinux_enabled_setup(char *str)
116{
117 selinux_enabled = simple_strtol(str, NULL, 0);
118 return 1;
119}
120__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 121#else
122int selinux_enabled = 1;
1da177e4
LT		 123#endif
124
125/* Original (dummy) security module. */
126static struct security_operations *original_ops = NULL;
127
128/* Minimal support for a secondary security module,
129 just to allow the use of the dummy or capability modules.
130 The owlsm module can alternatively be used as a secondary
131 module as long as CONFIG_OWLSM_FD is not enabled. */
132static struct security_operations *secondary_ops = NULL;
133
134/* Lists of inode and superblock security structures initialized
135 before the policy was loaded. */
136static LIST_HEAD(superblock_security_head);
137static DEFINE_SPINLOCK(sb_security_lock);
138
e18b890b 139static struct kmem_cache *sel_inode_cache;
7cae7e26 140
d621d35e
PM		 141/**
142 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
143 *
144 * Description:
145 * This function checks the SECMARK reference counter to see if any SECMARK
146 * targets are currently configured, if the reference counter is greater than
147 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
148 * enabled, false (0) if SECMARK is disabled.
149 *
150 */
151static int selinux_secmark_enabled(void)
152{
153 return (atomic_read(&selinux_secmark_refcount) > 0);
154}
155
1da177e4
LT		 156/* Allocate and free functions for each kind of security blob. */
157
158static int task_alloc_security(struct task_struct *task)
159{
160 struct task_security_struct *tsec;
161
89d155ef 162 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4
LT		 163 if (!tsec)
164 return -ENOMEM;
165
0356357c 166 tsec->osid = tsec->sid = SECINITSID_UNLABELED;
1da177e4
LT		 167 task->security = tsec;
168
169 return 0;
170}
171
172static void task_free_security(struct task_struct *task)
173{
174 struct task_security_struct *tsec = task->security;
1da177e4
LT		 175 task->security = NULL;
176 kfree(tsec);
177}
178
179static int inode_alloc_security(struct inode *inode)
180{
181 struct task_security_struct *tsec = current->security;
182 struct inode_security_struct *isec;
183
a02fe132 184 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 185 if (!isec)
186 return -ENOMEM;
187
23970741 188 mutex_init(&isec->lock);
1da177e4 189 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 190 isec->inode = inode;
191 isec->sid = SECINITSID_UNLABELED;
192 isec->sclass = SECCLASS_FILE;
9ac49d22 193 isec->task_sid = tsec->sid;
1da177e4
LT		 194 inode->i_security = isec;
195
196 return 0;
197}
198
199static void inode_free_security(struct inode *inode)
200{
201 struct inode_security_struct *isec = inode->i_security;
202 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
203
1da177e4
LT		 204 spin_lock(&sbsec->isec_lock);
205 if (!list_empty(&isec->list))
206 list_del_init(&isec->list);
207 spin_unlock(&sbsec->isec_lock);
208
209 inode->i_security = NULL;
7cae7e26 210 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 211}
212
213static int file_alloc_security(struct file *file)
214{
215 struct task_security_struct *tsec = current->security;
216 struct file_security_struct *fsec;
217
26d2a4be 218 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 219 if (!fsec)
220 return -ENOMEM;
221
9ac49d22
SS		 222 fsec->sid = tsec->sid;
223 fsec->fown_sid = tsec->sid;
1da177e4
LT		 224 file->f_security = fsec;
225
226 return 0;
227}
228
229static void file_free_security(struct file *file)
230{
231 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 232 file->f_security = NULL;
233 kfree(fsec);
234}
235
236static int superblock_alloc_security(struct super_block *sb)
237{
238 struct superblock_security_struct *sbsec;
239
89d155ef 240 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 241 if (!sbsec)
242 return -ENOMEM;
243
bc7e982b 244 mutex_init(&sbsec->lock);
1da177e4
LT		 245 INIT_LIST_HEAD(&sbsec->list);
246 INIT_LIST_HEAD(&sbsec->isec_head);
247 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 248 sbsec->sb = sb;
249 sbsec->sid = SECINITSID_UNLABELED;
250 sbsec->def_sid = SECINITSID_FILE;
c312feb2 251 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 252 sb->s_security = sbsec;
253
254 return 0;
255}
256
257static void superblock_free_security(struct super_block *sb)
258{
259 struct superblock_security_struct *sbsec = sb->s_security;
260
1da177e4
LT		 261 spin_lock(&sb_security_lock);
262 if (!list_empty(&sbsec->list))
263 list_del_init(&sbsec->list);
264 spin_unlock(&sb_security_lock);
265
266 sb->s_security = NULL;
267 kfree(sbsec);
268}
269
7d877f3b 270static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4
LT		 271{
272 struct sk_security_struct *ssec;
273
89d155ef 274 ssec = kzalloc(sizeof(*ssec), priority);
1da177e4
LT		 275 if (!ssec)
276 return -ENOMEM;
277
1da177e4 278 ssec->peer_sid = SECINITSID_UNLABELED;
892c141e 279 ssec->sid = SECINITSID_UNLABELED;
1da177e4
LT		 280 sk->sk_security = ssec;
281
f74af6e8 282 selinux_netlbl_sk_security_reset(ssec, family);
99f59ed0 283
1da177e4
LT		 284 return 0;
285}
286
287static void sk_free_security(struct sock *sk)
288{
289 struct sk_security_struct *ssec = sk->sk_security;
290
1da177e4
LT		 291 sk->sk_security = NULL;
292 kfree(ssec);
293}
1da177e4
LT		 294
295/* The security server must be initialized before
296 any labeling or access decisions can be provided. */
297extern int ss_initialized;
298
299/* The file system's label must be initialized prior to use. */
300
301static char *labeling_behaviors[6] = {
302 "uses xattr",
303 "uses transition SIDs",
304 "uses task SIDs",
305 "uses genfs_contexts",
306 "not configured for labeling",
307 "uses mountpoint labeling",
308};
309
310static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
311
312static inline int inode_doinit(struct inode *inode)
313{
314 return inode_doinit_with_dentry(inode, NULL);
315}
316
317enum {
31e87930 318 Opt_error = -1,
1da177e4
LT		 319 Opt_context = 1,
320 Opt_fscontext = 2,
c9180a57
EP		 321 Opt_defcontext = 3,
322 Opt_rootcontext = 4,
1da177e4
LT		 323};
324
325static match_table_t tokens = {
832cbd9a
EP		 326 {Opt_context, CONTEXT_STR "%s"},
327 {Opt_fscontext, FSCONTEXT_STR "%s"},
328 {Opt_defcontext, DEFCONTEXT_STR "%s"},
329 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
31e87930 330 {Opt_error, NULL},
1da177e4
LT		 331};
332
333#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
334
c312feb2
EP		 335static int may_context_mount_sb_relabel(u32 sid,
336 struct superblock_security_struct *sbsec,
337 struct task_security_struct *tsec)
338{
339 int rc;
340
341 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
342 FILESYSTEM__RELABELFROM, NULL);
343 if (rc)
344 return rc;
345
346 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
347 FILESYSTEM__RELABELTO, NULL);
348 return rc;
349}
350
0808925e
EP		 351static int may_context_mount_inode_relabel(u32 sid,
352 struct superblock_security_struct *sbsec,
353 struct task_security_struct *tsec)
354{
355 int rc;
356 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
357 FILESYSTEM__RELABELFROM, NULL);
358 if (rc)
359 return rc;
360
361 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
362 FILESYSTEM__ASSOCIATE, NULL);
363 return rc;
364}
365
c9180a57 366static int sb_finish_set_opts(struct super_block *sb)
1da177e4 367{
1da177e4 368 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 369 struct dentry *root = sb->s_root;
370 struct inode *root_inode = root->d_inode;
371 int rc = 0;
1da177e4 372
c9180a57
EP		 373 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
374 /* Make sure that the xattr handler exists and that no
375 error other than -ENODATA is returned by getxattr on
376 the root directory. -ENODATA is ok, as this may be
377 the first boot of the SELinux kernel before we have
378 assigned xattr values to the filesystem. */
379 if (!root_inode->i_op->getxattr) {
380 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
381 "xattr support\n", sb->s_id, sb->s_type->name);
382 rc = -EOPNOTSUPP;
383 goto out;
384 }
385 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
386 if (rc < 0 && rc != -ENODATA) {
387 if (rc == -EOPNOTSUPP)
388 printk(KERN_WARNING "SELinux: (dev %s, type "
389 "%s) has no security xattr handler\n",
390 sb->s_id, sb->s_type->name);
391 else
392 printk(KERN_WARNING "SELinux: (dev %s, type "
393 "%s) getxattr errno %d\n", sb->s_id,
394 sb->s_type->name, -rc);
395 goto out;
396 }
397 }
1da177e4 398
c9180a57 399 sbsec->initialized = 1;
1da177e4 400
c9180a57
EP		 401 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
402 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
403 sb->s_id, sb->s_type->name);
404 else
405 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
406 sb->s_id, sb->s_type->name,
407 labeling_behaviors[sbsec->behavior-1]);
1da177e4 408
c9180a57
EP		 409 /* Initialize the root inode. */
410 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 411
c9180a57
EP		 412 /* Initialize any other inodes associated with the superblock, e.g.
413 inodes created prior to initial policy load or inodes created
414 during get_sb by a pseudo filesystem that directly
415 populates itself. */
416 spin_lock(&sbsec->isec_lock);
417next_inode:
418 if (!list_empty(&sbsec->isec_head)) {
419 struct inode_security_struct *isec =
420 list_entry(sbsec->isec_head.next,
421 struct inode_security_struct, list);
422 struct inode *inode = isec->inode;
423 spin_unlock(&sbsec->isec_lock);
424 inode = igrab(inode);
425 if (inode) {
426 if (!IS_PRIVATE(inode))
427 inode_doinit(inode);
428 iput(inode);
429 }
430 spin_lock(&sbsec->isec_lock);
431 list_del_init(&isec->list);
432 goto next_inode;
433 }
434 spin_unlock(&sbsec->isec_lock);
435out:
436 return rc;
437}
1da177e4 438
c9180a57
EP		 439/*
440 * This function should allow an FS to ask what it's mount security
441 * options were so it can use those later for submounts, displaying
442 * mount options, or whatever.
443 */
444static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 445 struct security_mnt_opts *opts)
c9180a57
EP		 446{
447 int rc = 0, i;
448 struct superblock_security_struct *sbsec = sb->s_security;
449 char *context = NULL;
450 u32 len;
451 char tmp;
1da177e4 452
e0007529 453 security_init_mnt_opts(opts);
1da177e4 454
c9180a57
EP		 455 if (!sbsec->initialized)
456 return -EINVAL;
1da177e4 457
c9180a57
EP		 458 if (!ss_initialized)
459 return -EINVAL;
1da177e4 460
c9180a57
EP		 461 /*
462 * if we ever use sbsec flags for anything other than tracking mount
463 * settings this is going to need a mask
464 */
465 tmp = sbsec->flags;
466 /* count the number of mount options for this sb */
467 for (i = 0; i < 8; i++) {
468 if (tmp & 0x01)
e0007529 469 opts->num_mnt_opts++;
c9180a57
EP		 470 tmp >>= 1;
471 }
1da177e4 472
e0007529
EP		 473 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
474 if (!opts->mnt_opts) {
c9180a57
EP		 475 rc = -ENOMEM;
476 goto out_free;
477 }
1da177e4 478
e0007529
EP		 479 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
480 if (!opts->mnt_opts_flags) {
c9180a57
EP		 481 rc = -ENOMEM;
482 goto out_free;
483 }
1da177e4 484
c9180a57
EP		 485 i = 0;
486 if (sbsec->flags & FSCONTEXT_MNT) {
487 rc = security_sid_to_context(sbsec->sid, &context, &len);
488 if (rc)
489 goto out_free;
e0007529
EP		 490 opts->mnt_opts[i] = context;
491 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 492 }
493 if (sbsec->flags & CONTEXT_MNT) {
494 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
495 if (rc)
496 goto out_free;
e0007529
EP		 497 opts->mnt_opts[i] = context;
498 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 499 }
500 if (sbsec->flags & DEFCONTEXT_MNT) {
501 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
502 if (rc)
503 goto out_free;
e0007529
EP		 504 opts->mnt_opts[i] = context;
505 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 506 }
507 if (sbsec->flags & ROOTCONTEXT_MNT) {
508 struct inode *root = sbsec->sb->s_root->d_inode;
509 struct inode_security_struct *isec = root->i_security;
0808925e 510
c9180a57
EP		 511 rc = security_sid_to_context(isec->sid, &context, &len);
512 if (rc)
513 goto out_free;
e0007529
EP		 514 opts->mnt_opts[i] = context;
515 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 516 }
1da177e4 517
e0007529 518 BUG_ON(i != opts->num_mnt_opts);
1da177e4 519
c9180a57
EP		 520 return 0;
521
522out_free:
e0007529 523 security_free_mnt_opts(opts);
c9180a57
EP		 524 return rc;
525}
1da177e4 526
c9180a57
EP		 527static int bad_option(struct superblock_security_struct *sbsec, char flag,
528 u32 old_sid, u32 new_sid)
529{
530 /* check if the old mount command had the same options */
531 if (sbsec->initialized)
532 if (!(sbsec->flags & flag) ||
533 (old_sid != new_sid))
534 return 1;
535
536 /* check if we were passed the same options twice,
537 * aka someone passed context=a,context=b
538 */
539 if (!sbsec->initialized)
540 if (sbsec->flags & flag)
541 return 1;
542 return 0;
543}
e0007529 544
c9180a57
EP		 545/*
546 * Allow filesystems with binary mount data to explicitly set mount point
547 * labeling information.
548 */
e0007529
EP		 549static int selinux_set_mnt_opts(struct super_block *sb,
550 struct security_mnt_opts *opts)
c9180a57
EP		 551{
552 int rc = 0, i;
553 struct task_security_struct *tsec = current->security;
554 struct superblock_security_struct *sbsec = sb->s_security;
555 const char *name = sb->s_type->name;
556 struct inode *inode = sbsec->sb->s_root->d_inode;
557 struct inode_security_struct *root_isec = inode->i_security;
558 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
559 u32 defcontext_sid = 0;
e0007529
EP		 560 char **mount_options = opts->mnt_opts;
561 int *flags = opts->mnt_opts_flags;
562 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 563
564 mutex_lock(&sbsec->lock);
565
566 if (!ss_initialized) {
567 if (!num_opts) {
568 /* Defer initialization until selinux_complete_init,
569 after the initial policy is loaded and the security
570 server is ready to handle calls. */
571 spin_lock(&sb_security_lock);
572 if (list_empty(&sbsec->list))
573 list_add(&sbsec->list, &superblock_security_head);
574 spin_unlock(&sb_security_lock);
575 goto out;
576 }
577 rc = -EINVAL;
578 printk(KERN_WARNING "Unable to set superblock options before "
579 "the security server is initialized\n");
1da177e4 580 goto out;
c9180a57 581 }
1da177e4 582
e0007529
EP		 583 /*
584 * Binary mount data FS will come through this function twice. Once
585 * from an explicit call and once from the generic calls from the vfs.
586 * Since the generic VFS calls will not contain any security mount data
587 * we need to skip the double mount verification.
588 *
589 * This does open a hole in which we will not notice if the first
590 * mount using this sb set explict options and a second mount using
591 * this sb does not set any security options. (The first options
592 * will be used for both mounts)
593 */
594 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
595 && (num_opts == 0))
596 goto out;
597
c9180a57
EP		 598 /*
599 * parse the mount options, check if they are valid sids.
600 * also check if someone is trying to mount the same sb more
601 * than once with different security options.
602 */
603 for (i = 0; i < num_opts; i++) {
604 u32 sid;
605 rc = security_context_to_sid(mount_options[i],
606 strlen(mount_options[i]), &sid);
1da177e4
LT		 607 if (rc) {
608 printk(KERN_WARNING "SELinux: security_context_to_sid"
609 "(%s) failed for (dev %s, type %s) errno=%d\n",
c9180a57
EP		 610 mount_options[i], sb->s_id, name, rc);
611 goto out;
612 }
613 switch (flags[i]) {
614 case FSCONTEXT_MNT:
615 fscontext_sid = sid;
616
617 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
618 fscontext_sid))
619 goto out_double_mount;
620
621 sbsec->flags |= FSCONTEXT_MNT;
622 break;
623 case CONTEXT_MNT:
624 context_sid = sid;
625
626 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
627 context_sid))
628 goto out_double_mount;
629
630 sbsec->flags |= CONTEXT_MNT;
631 break;
632 case ROOTCONTEXT_MNT:
633 rootcontext_sid = sid;
634
635 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
636 rootcontext_sid))
637 goto out_double_mount;
638
639 sbsec->flags |= ROOTCONTEXT_MNT;
640
641 break;
642 case DEFCONTEXT_MNT:
643 defcontext_sid = sid;
644
645 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
646 defcontext_sid))
647 goto out_double_mount;
648
649 sbsec->flags |= DEFCONTEXT_MNT;
650
651 break;
652 default:
653 rc = -EINVAL;
654 goto out;
1da177e4 655 }
c9180a57
EP		 656 }
657
658 if (sbsec->initialized) {
659 /* previously mounted with options, but not on this attempt? */
660 if (sbsec->flags && !num_opts)
661 goto out_double_mount;
662 rc = 0;
663 goto out;
664 }
665
666 if (strcmp(sb->s_type->name, "proc") == 0)
667 sbsec->proc = 1;
668
669 /* Determine the labeling behavior to use for this filesystem type. */
670 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
671 if (rc) {
672 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
dd6f953a 673 __func__, sb->s_type->name, rc);
c9180a57
EP		 674 goto out;
675 }
1da177e4 676
c9180a57
EP		 677 /* sets the context of the superblock for the fs being mounted. */
678 if (fscontext_sid) {
679
680 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
1da177e4 681 if (rc)
c9180a57 682 goto out;
1da177e4 683
c9180a57 684 sbsec->sid = fscontext_sid;
c312feb2
EP		 685 }
686
687 /*
688 * Switch to using mount point labeling behavior.
689 * sets the label used on all file below the mountpoint, and will set
690 * the superblock context if not already set.
691 */
c9180a57
EP		 692 if (context_sid) {
693 if (!fscontext_sid) {
694 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
b04ea3ce 695 if (rc)
c9180a57
EP		 696 goto out;
697 sbsec->sid = context_sid;
b04ea3ce 698 } else {
c9180a57 699 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
b04ea3ce 700 if (rc)
c9180a57 701 goto out;
b04ea3ce 702 }
c9180a57
EP		 703 if (!rootcontext_sid)
704 rootcontext_sid = context_sid;
1da177e4 705
c9180a57 706 sbsec->mntpoint_sid = context_sid;
c312feb2 707 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 708 }
709
c9180a57
EP		 710 if (rootcontext_sid) {
711 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
0808925e 712 if (rc)
c9180a57 713 goto out;
0808925e 714
c9180a57
EP		 715 root_isec->sid = rootcontext_sid;
716 root_isec->initialized = 1;
0808925e
EP		 717 }
718
c9180a57
EP		 719 if (defcontext_sid) {
720 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
721 rc = -EINVAL;
722 printk(KERN_WARNING "SELinux: defcontext option is "
723 "invalid for this filesystem type\n");
724 goto out;
1da177e4
LT		 725 }
726
c9180a57
EP		 727 if (defcontext_sid != sbsec->def_sid) {
728 rc = may_context_mount_inode_relabel(defcontext_sid,
729 sbsec, tsec);
730 if (rc)
731 goto out;
732 }
1da177e4 733
c9180a57 734 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 735 }
736
c9180a57 737 rc = sb_finish_set_opts(sb);
1da177e4 738out:
c9180a57 739 mutex_unlock(&sbsec->lock);
1da177e4 740 return rc;
c9180a57
EP		 741out_double_mount:
742 rc = -EINVAL;
743 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
744 "security settings for (dev %s, type %s)\n", sb->s_id, name);
745 goto out;
1da177e4
LT		 746}
747
c9180a57
EP		 748static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
749 struct super_block *newsb)
1da177e4 750{
c9180a57
EP		 751 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
752 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 753
c9180a57
EP		 754 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
755 int set_context = (oldsbsec->flags & CONTEXT_MNT);
756 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 757
c9180a57
EP		 758 /* we can't error, we can't save the info, this shouldn't get called
759 * this early in the boot process. */
760 BUG_ON(!ss_initialized);
761
c9180a57
EP		 762 /* how can we clone if the old one wasn't set up?? */
763 BUG_ON(!oldsbsec->initialized);
764
5a552617
EP		 765 /* if fs is reusing a sb, just let its options stand... */
766 if (newsbsec->initialized)
767 return;
768
c9180a57
EP		 769 mutex_lock(&newsbsec->lock);
770
771 newsbsec->flags = oldsbsec->flags;
772
773 newsbsec->sid = oldsbsec->sid;
774 newsbsec->def_sid = oldsbsec->def_sid;
775 newsbsec->behavior = oldsbsec->behavior;
776
777 if (set_context) {
778 u32 sid = oldsbsec->mntpoint_sid;
779
780 if (!set_fscontext)
781 newsbsec->sid = sid;
782 if (!set_rootcontext) {
783 struct inode *newinode = newsb->s_root->d_inode;
784 struct inode_security_struct *newisec = newinode->i_security;
785 newisec->sid = sid;
786 }
787 newsbsec->mntpoint_sid = sid;
1da177e4 788 }
c9180a57
EP		 789 if (set_rootcontext) {
790 const struct inode *oldinode = oldsb->s_root->d_inode;
791 const struct inode_security_struct *oldisec = oldinode->i_security;
792 struct inode *newinode = newsb->s_root->d_inode;
793 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 794
c9180a57 795 newisec->sid = oldisec->sid;
1da177e4
LT		 796 }
797
c9180a57
EP		 798 sb_finish_set_opts(newsb);
799 mutex_unlock(&newsbsec->lock);
800}
801
2e1479d9
AB		 802static int selinux_parse_opts_str(char *options,
803 struct security_mnt_opts *opts)
c9180a57 804{
e0007529 805 char *p;
c9180a57
EP		 806 char *context = NULL, *defcontext = NULL;
807 char *fscontext = NULL, *rootcontext = NULL;
e0007529 808 int rc, num_mnt_opts = 0;
1da177e4 809
e0007529 810 opts->num_mnt_opts = 0;
1da177e4 811
c9180a57
EP		 812 /* Standard string-based options. */
813 while ((p = strsep(&options, "|")) != NULL) {
814 int token;
815 substring_t args[MAX_OPT_ARGS];
1da177e4 816
c9180a57
EP		 817 if (!*p)
818 continue;
1da177e4 819
c9180a57 820 token = match_token(p, tokens, args);
1da177e4 821
c9180a57
EP		 822 switch (token) {
823 case Opt_context:
824 if (context || defcontext) {
825 rc = -EINVAL;
826 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
827 goto out_err;
828 }
829 context = match_strdup(&args[0]);
830 if (!context) {
831 rc = -ENOMEM;
832 goto out_err;
833 }
834 break;
835
836 case Opt_fscontext:
837 if (fscontext) {
838 rc = -EINVAL;
839 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
840 goto out_err;
841 }
842 fscontext = match_strdup(&args[0]);
843 if (!fscontext) {
844 rc = -ENOMEM;
845 goto out_err;
846 }
847 break;
848
849 case Opt_rootcontext:
850 if (rootcontext) {
851 rc = -EINVAL;
852 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
853 goto out_err;
854 }
855 rootcontext = match_strdup(&args[0]);
856 if (!rootcontext) {
857 rc = -ENOMEM;
858 goto out_err;
859 }
860 break;
861
862 case Opt_defcontext:
863 if (context || defcontext) {
864 rc = -EINVAL;
865 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
866 goto out_err;
867 }
868 defcontext = match_strdup(&args[0]);
869 if (!defcontext) {
870 rc = -ENOMEM;
871 goto out_err;
872 }
873 break;
874
875 default:
876 rc = -EINVAL;
877 printk(KERN_WARNING "SELinux: unknown mount option\n");
878 goto out_err;
1da177e4 879
1da177e4 880 }
1da177e4 881 }
c9180a57 882
e0007529
EP		 883 rc = -ENOMEM;
884 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
885 if (!opts->mnt_opts)
886 goto out_err;
887
888 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
889 if (!opts->mnt_opts_flags) {
890 kfree(opts->mnt_opts);
891 goto out_err;
892 }
893
c9180a57 894 if (fscontext) {
e0007529
EP		 895 opts->mnt_opts[num_mnt_opts] = fscontext;
896 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 897 }
898 if (context) {
e0007529
EP		 899 opts->mnt_opts[num_mnt_opts] = context;
900 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 901 }
902 if (rootcontext) {
e0007529
EP		 903 opts->mnt_opts[num_mnt_opts] = rootcontext;
904 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 905 }
906 if (defcontext) {
e0007529
EP		 907 opts->mnt_opts[num_mnt_opts] = defcontext;
908 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 909 }
910
e0007529
EP		 911 opts->num_mnt_opts = num_mnt_opts;
912 return 0;
913
c9180a57
EP		 914out_err:
915 kfree(context);
916 kfree(defcontext);
917 kfree(fscontext);
918 kfree(rootcontext);
1da177e4
LT		 919 return rc;
920}
e0007529
EP		 921/*
922 * string mount options parsing and call set the sbsec
923 */
924static int superblock_doinit(struct super_block *sb, void *data)
925{
926 int rc = 0;
927 char *options = data;
928 struct security_mnt_opts opts;
929
930 security_init_mnt_opts(&opts);
931
932 if (!data)
933 goto out;
934
935 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
936
937 rc = selinux_parse_opts_str(options, &opts);
938 if (rc)
939 goto out_err;
940
941out:
942 rc = selinux_set_mnt_opts(sb, &opts);
943
944out_err:
945 security_free_mnt_opts(&opts);
946 return rc;
947}
1da177e4
LT		 948
949static inline u16 inode_mode_to_security_class(umode_t mode)
950{
951 switch (mode & S_IFMT) {
952 case S_IFSOCK:
953 return SECCLASS_SOCK_FILE;
954 case S_IFLNK:
955 return SECCLASS_LNK_FILE;
956 case S_IFREG:
957 return SECCLASS_FILE;
958 case S_IFBLK:
959 return SECCLASS_BLK_FILE;
960 case S_IFDIR:
961 return SECCLASS_DIR;
962 case S_IFCHR:
963 return SECCLASS_CHR_FILE;
964 case S_IFIFO:
965 return SECCLASS_FIFO_FILE;
966
967 }
968
969 return SECCLASS_FILE;
970}
971
13402580
JM		 972static inline int default_protocol_stream(int protocol)
973{
974 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
975}
976
977static inline int default_protocol_dgram(int protocol)
978{
979 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
980}
981
1da177e4
LT		 982static inline u16 socket_type_to_security_class(int family, int type, int protocol)
983{
984 switch (family) {
985 case PF_UNIX:
986 switch (type) {
987 case SOCK_STREAM:
988 case SOCK_SEQPACKET:
989 return SECCLASS_UNIX_STREAM_SOCKET;
990 case SOCK_DGRAM:
991 return SECCLASS_UNIX_DGRAM_SOCKET;
992 }
993 break;
994 case PF_INET:
995 case PF_INET6:
996 switch (type) {
997 case SOCK_STREAM:
13402580
JM		 998 if (default_protocol_stream(protocol))
999 return SECCLASS_TCP_SOCKET;
1000 else
1001 return SECCLASS_RAWIP_SOCKET;
1da177e4 1002 case SOCK_DGRAM:
13402580
JM		 1003 if (default_protocol_dgram(protocol))
1004 return SECCLASS_UDP_SOCKET;
1005 else
1006 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1007 case SOCK_DCCP:
1008 return SECCLASS_DCCP_SOCKET;
13402580 1009 default:
1da177e4
LT		 1010 return SECCLASS_RAWIP_SOCKET;
1011 }
1012 break;
1013 case PF_NETLINK:
1014 switch (protocol) {
1015 case NETLINK_ROUTE:
1016 return SECCLASS_NETLINK_ROUTE_SOCKET;
1017 case NETLINK_FIREWALL:
1018 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 1019 case NETLINK_INET_DIAG:
1da177e4
LT		 1020 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1021 case NETLINK_NFLOG:
1022 return SECCLASS_NETLINK_NFLOG_SOCKET;
1023 case NETLINK_XFRM:
1024 return SECCLASS_NETLINK_XFRM_SOCKET;
1025 case NETLINK_SELINUX:
1026 return SECCLASS_NETLINK_SELINUX_SOCKET;
1027 case NETLINK_AUDIT:
1028 return SECCLASS_NETLINK_AUDIT_SOCKET;
1029 case NETLINK_IP6_FW:
1030 return SECCLASS_NETLINK_IP6FW_SOCKET;
1031 case NETLINK_DNRTMSG:
1032 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1033 case NETLINK_KOBJECT_UEVENT:
1034 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1035 default:
1036 return SECCLASS_NETLINK_SOCKET;
1037 }
1038 case PF_PACKET:
1039 return SECCLASS_PACKET_SOCKET;
1040 case PF_KEY:
1041 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1042 case PF_APPLETALK:
1043 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1044 }
1045
1046 return SECCLASS_SOCKET;
1047}
1048
1049#ifdef CONFIG_PROC_FS
1050static int selinux_proc_get_sid(struct proc_dir_entry *de,
1051 u16 tclass,
1052 u32 *sid)
1053{
1054 int buflen, rc;
1055 char *buffer, *path, *end;
1056
1057 buffer = (char*)__get_free_page(GFP_KERNEL);
1058 if (!buffer)
1059 return -ENOMEM;
1060
1061 buflen = PAGE_SIZE;
1062 end = buffer+buflen;
1063 *--end = '\0';
1064 buflen--;
1065 path = end-1;
1066 *path = '/';
1067 while (de && de != de->parent) {
1068 buflen -= de->namelen + 1;
1069 if (buflen < 0)
1070 break;
1071 end -= de->namelen;
1072 memcpy(end, de->name, de->namelen);
1073 *--end = '/';
1074 path = end;
1075 de = de->parent;
1076 }
1077 rc = security_genfs_sid("proc", path, tclass, sid);
1078 free_page((unsigned long)buffer);
1079 return rc;
1080}
1081#else
1082static int selinux_proc_get_sid(struct proc_dir_entry *de,
1083 u16 tclass,
1084 u32 *sid)
1085{
1086 return -EINVAL;
1087}
1088#endif
1089
1090/* The inode's security attributes must be initialized before first use. */
1091static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1092{
1093 struct superblock_security_struct *sbsec = NULL;
1094 struct inode_security_struct *isec = inode->i_security;
1095 u32 sid;
1096 struct dentry *dentry;
1097#define INITCONTEXTLEN 255
1098 char *context = NULL;
1099 unsigned len = 0;
1100 int rc = 0;
1da177e4
LT		 1101
1102 if (isec->initialized)
1103 goto out;
1104
23970741 1105 mutex_lock(&isec->lock);
1da177e4 1106 if (isec->initialized)
23970741 1107 goto out_unlock;
1da177e4
LT		 1108
1109 sbsec = inode->i_sb->s_security;
1110 if (!sbsec->initialized) {
1111 /* Defer initialization until selinux_complete_init,
1112 after the initial policy is loaded and the security
1113 server is ready to handle calls. */
1114 spin_lock(&sbsec->isec_lock);
1115 if (list_empty(&isec->list))
1116 list_add(&isec->list, &sbsec->isec_head);
1117 spin_unlock(&sbsec->isec_lock);
23970741 1118 goto out_unlock;
1da177e4
LT		 1119 }
1120
1121 switch (sbsec->behavior) {
1122 case SECURITY_FS_USE_XATTR:
1123 if (!inode->i_op->getxattr) {
1124 isec->sid = sbsec->def_sid;
1125 break;
1126 }
1127
1128 /* Need a dentry, since the xattr API requires one.
1129 Life would be simpler if we could just pass the inode. */
1130 if (opt_dentry) {
1131 /* Called from d_instantiate or d_splice_alias. */
1132 dentry = dget(opt_dentry);
1133 } else {
1134 /* Called from selinux_complete_init, try to find a dentry. */
1135 dentry = d_find_alias(inode);
1136 }
1137 if (!dentry) {
1138 printk(KERN_WARNING "%s: no dentry for dev=%s "
dd6f953a 1139 "ino=%ld\n", __func__, inode->i_sb->s_id,
1da177e4 1140 inode->i_ino);
23970741 1141 goto out_unlock;
1da177e4
LT		 1142 }
1143
1144 len = INITCONTEXTLEN;
869ab514 1145 context = kmalloc(len, GFP_NOFS);
1da177e4
LT		 1146 if (!context) {
1147 rc = -ENOMEM;
1148 dput(dentry);
23970741 1149 goto out_unlock;
1da177e4
LT		 1150 }
1151 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1152 context, len);
1153 if (rc == -ERANGE) {
1154 /* Need a larger buffer. Query for the right size. */
1155 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1156 NULL, 0);
1157 if (rc < 0) {
1158 dput(dentry);
23970741 1159 goto out_unlock;
1da177e4
LT		 1160 }
1161 kfree(context);
1162 len = rc;
869ab514 1163 context = kmalloc(len, GFP_NOFS);
1da177e4
LT		 1164 if (!context) {
1165 rc = -ENOMEM;
1166 dput(dentry);
23970741 1167 goto out_unlock;
1da177e4
LT		 1168 }
1169 rc = inode->i_op->getxattr(dentry,
1170 XATTR_NAME_SELINUX,
1171 context, len);
1172 }
1173 dput(dentry);
1174 if (rc < 0) {
1175 if (rc != -ENODATA) {
1176 printk(KERN_WARNING "%s: getxattr returned "
dd6f953a 1177 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1178 -rc, inode->i_sb->s_id, inode->i_ino);
1179 kfree(context);
23970741 1180 goto out_unlock;
1da177e4
LT		 1181 }
1182 /* Map ENODATA to the default file SID */
1183 sid = sbsec->def_sid;
1184 rc = 0;
1185 } else {
f5c1d5b2 1186 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1187 sbsec->def_sid,
1188 GFP_NOFS);
1da177e4
LT		 1189 if (rc) {
1190 printk(KERN_WARNING "%s: context_to_sid(%s) "
1191 "returned %d for dev=%s ino=%ld\n",
dd6f953a 1192 __func__, context, -rc,
1da177e4
LT		 1193 inode->i_sb->s_id, inode->i_ino);
1194 kfree(context);
1195 /* Leave with the unlabeled SID */
1196 rc = 0;
1197 break;
1198 }
1199 }
1200 kfree(context);
1201 isec->sid = sid;
1202 break;
1203 case SECURITY_FS_USE_TASK:
1204 isec->sid = isec->task_sid;
1205 break;
1206 case SECURITY_FS_USE_TRANS:
1207 /* Default to the fs SID. */
1208 isec->sid = sbsec->sid;
1209
1210 /* Try to obtain a transition SID. */
1211 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1212 rc = security_transition_sid(isec->task_sid,
1213 sbsec->sid,
1214 isec->sclass,
1215 &sid);
1216 if (rc)
23970741 1217 goto out_unlock;
1da177e4
LT		 1218 isec->sid = sid;
1219 break;
c312feb2
EP		 1220 case SECURITY_FS_USE_MNTPOINT:
1221 isec->sid = sbsec->mntpoint_sid;
1222 break;
1da177e4 1223 default:
c312feb2 1224 /* Default to the fs superblock SID. */
1da177e4
LT		 1225 isec->sid = sbsec->sid;
1226
1227 if (sbsec->proc) {
1228 struct proc_inode *proci = PROC_I(inode);
1229 if (proci->pde) {
1230 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1231 rc = selinux_proc_get_sid(proci->pde,
1232 isec->sclass,
1233 &sid);
1234 if (rc)
23970741 1235 goto out_unlock;
1da177e4
LT		 1236 isec->sid = sid;
1237 }
1238 }
1239 break;
1240 }
1241
1242 isec->initialized = 1;
1243
23970741
EP		 1244out_unlock:
1245 mutex_unlock(&isec->lock);
1da177e4
LT		 1246out:
1247 if (isec->sclass == SECCLASS_FILE)
1248 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1249 return rc;
1250}
1251
1252/* Convert a Linux signal to an access vector. */
1253static inline u32 signal_to_av(int sig)
1254{
1255 u32 perm = 0;
1256
1257 switch (sig) {
1258 case SIGCHLD:
1259 /* Commonly granted from child to parent. */
1260 perm = PROCESS__SIGCHLD;
1261 break;
1262 case SIGKILL:
1263 /* Cannot be caught or ignored */
1264 perm = PROCESS__SIGKILL;
1265 break;
1266 case SIGSTOP:
1267 /* Cannot be caught or ignored */
1268 perm = PROCESS__SIGSTOP;
1269 break;
1270 default:
1271 /* All other signals. */
1272 perm = PROCESS__SIGNAL;
1273 break;
1274 }
1275
1276 return perm;
1277}
1278
1279/* Check permission betweeen a pair of tasks, e.g. signal checks,
1280 fork check, ptrace check, etc. */
1281static int task_has_perm(struct task_struct *tsk1,
1282 struct task_struct *tsk2,
1283 u32 perms)
1284{
1285 struct task_security_struct *tsec1, *tsec2;
1286
1287 tsec1 = tsk1->security;
1288 tsec2 = tsk2->security;
1289 return avc_has_perm(tsec1->sid, tsec2->sid,
1290 SECCLASS_PROCESS, perms, NULL);
1291}
1292
b68e418c
SS		 1293#if CAP_LAST_CAP > 63
1294#error Fix SELinux to handle capabilities > 63.
1295#endif
1296
1da177e4
LT		 1297/* Check whether a task is allowed to use a capability. */
1298static int task_has_capability(struct task_struct *tsk,
1299 int cap)
1300{
1301 struct task_security_struct *tsec;
1302 struct avc_audit_data ad;
b68e418c
SS		 1303 u16 sclass;
1304 u32 av = CAP_TO_MASK(cap);
1da177e4
LT		 1305
1306 tsec = tsk->security;
1307
1308 AVC_AUDIT_DATA_INIT(&ad,CAP);
1309 ad.tsk = tsk;
1310 ad.u.cap = cap;
1311
b68e418c
SS		 1312 switch (CAP_TO_INDEX(cap)) {
1313 case 0:
1314 sclass = SECCLASS_CAPABILITY;
1315 break;
1316 case 1:
1317 sclass = SECCLASS_CAPABILITY2;
1318 break;
1319 default:
1320 printk(KERN_ERR
1321 "SELinux: out of range capability %d\n", cap);
1322 BUG();
1323 }
1324 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1da177e4
LT		 1325}
1326
1327/* Check whether a task is allowed to use a system operation. */
1328static int task_has_system(struct task_struct *tsk,
1329 u32 perms)
1330{
1331 struct task_security_struct *tsec;
1332
1333 tsec = tsk->security;
1334
1335 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1336 SECCLASS_SYSTEM, perms, NULL);
1337}
1338
1339/* Check whether a task has a particular permission to an inode.
1340 The 'adp' parameter is optional and allows other audit
1341 data to be passed (e.g. the dentry). */
1342static int inode_has_perm(struct task_struct *tsk,
1343 struct inode *inode,
1344 u32 perms,
1345 struct avc_audit_data *adp)
1346{
1347 struct task_security_struct *tsec;
1348 struct inode_security_struct *isec;
1349 struct avc_audit_data ad;
1350
bbaca6c2
SS		 1351 if (unlikely (IS_PRIVATE (inode)))
1352 return 0;
1353
1da177e4
LT		 1354 tsec = tsk->security;
1355 isec = inode->i_security;
1356
1357 if (!adp) {
1358 adp = &ad;
1359 AVC_AUDIT_DATA_INIT(&ad, FS);
1360 ad.u.fs.inode = inode;
1361 }
1362
1363 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1364}
1365
1366/* Same as inode_has_perm, but pass explicit audit data containing
1367 the dentry to help the auditing code to more easily generate the
1368 pathname if needed. */
1369static inline int dentry_has_perm(struct task_struct *tsk,
1370 struct vfsmount *mnt,
1371 struct dentry *dentry,
1372 u32 av)
1373{
1374 struct inode *inode = dentry->d_inode;
1375 struct avc_audit_data ad;
1376 AVC_AUDIT_DATA_INIT(&ad,FS);
44707fdf
JB		 1377 ad.u.fs.path.mnt = mnt;
1378 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1379 return inode_has_perm(tsk, inode, av, &ad);
1380}
1381
1382/* Check whether a task can use an open file descriptor to
1383 access an inode in a given way. Check access to the
1384 descriptor itself, and then use dentry_has_perm to
1385 check a particular permission to the file.
1386 Access to the descriptor is implicitly granted if it
1387 has the same SID as the process. If av is zero, then
1388 access to the file is not checked, e.g. for cases
1389 where only the descriptor is affected like seek. */
858119e1 1390static int file_has_perm(struct task_struct *tsk,
1da177e4
LT		 1391 struct file *file,
1392 u32 av)
1393{
1394 struct task_security_struct *tsec = tsk->security;
1395 struct file_security_struct *fsec = file->f_security;
44707fdf 1396 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 1397 struct avc_audit_data ad;
1398 int rc;
1399
1400 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1401 ad.u.fs.path = file->f_path;
1da177e4
LT		 1402
1403 if (tsec->sid != fsec->sid) {
1404 rc = avc_has_perm(tsec->sid, fsec->sid,
1405 SECCLASS_FD,
1406 FD__USE,
1407 &ad);
1408 if (rc)
1409 return rc;
1410 }
1411
1412 /* av is zero if only checking access to the descriptor. */
1413 if (av)
1414 return inode_has_perm(tsk, inode, av, &ad);
1415
1416 return 0;
1417}
1418
1419/* Check whether a task can create a file. */
1420static int may_create(struct inode *dir,
1421 struct dentry *dentry,
1422 u16 tclass)
1423{
1424 struct task_security_struct *tsec;
1425 struct inode_security_struct *dsec;
1426 struct superblock_security_struct *sbsec;
1427 u32 newsid;
1428 struct avc_audit_data ad;
1429 int rc;
1430
1431 tsec = current->security;
1432 dsec = dir->i_security;
1433 sbsec = dir->i_sb->s_security;
1434
1435 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1436 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1437
1438 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1439 DIR__ADD_NAME | DIR__SEARCH,
1440 &ad);
1441 if (rc)
1442 return rc;
1443
1444 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1445 newsid = tsec->create_sid;
1446 } else {
1447 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1448 &newsid);
1449 if (rc)
1450 return rc;
1451 }
1452
1453 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1454 if (rc)
1455 return rc;
1456
1457 return avc_has_perm(newsid, sbsec->sid,
1458 SECCLASS_FILESYSTEM,
1459 FILESYSTEM__ASSOCIATE, &ad);
1460}
1461
4eb582cf
ML		 1462/* Check whether a task can create a key. */
1463static int may_create_key(u32 ksid,
1464 struct task_struct *ctx)
1465{
1466 struct task_security_struct *tsec;
1467
1468 tsec = ctx->security;
1469
1470 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1471}
1472
1da177e4
LT		 1473#define MAY_LINK 0
1474#define MAY_UNLINK 1
1475#define MAY_RMDIR 2
1476
1477/* Check whether a task can link, unlink, or rmdir a file/directory. */
1478static int may_link(struct inode *dir,
1479 struct dentry *dentry,
1480 int kind)
1481
1482{
1483 struct task_security_struct *tsec;
1484 struct inode_security_struct *dsec, *isec;
1485 struct avc_audit_data ad;
1486 u32 av;
1487 int rc;
1488
1489 tsec = current->security;
1490 dsec = dir->i_security;
1491 isec = dentry->d_inode->i_security;
1492
1493 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1494 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1495
1496 av = DIR__SEARCH;
1497 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1498 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1499 if (rc)
1500 return rc;
1501
1502 switch (kind) {
1503 case MAY_LINK:
1504 av = FILE__LINK;
1505 break;
1506 case MAY_UNLINK:
1507 av = FILE__UNLINK;
1508 break;
1509 case MAY_RMDIR:
1510 av = DIR__RMDIR;
1511 break;
1512 default:
1513 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1514 return 0;
1515 }
1516
1517 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1518 return rc;
1519}
1520
1521static inline int may_rename(struct inode *old_dir,
1522 struct dentry *old_dentry,
1523 struct inode *new_dir,
1524 struct dentry *new_dentry)
1525{
1526 struct task_security_struct *tsec;
1527 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1528 struct avc_audit_data ad;
1529 u32 av;
1530 int old_is_dir, new_is_dir;
1531 int rc;
1532
1533 tsec = current->security;
1534 old_dsec = old_dir->i_security;
1535 old_isec = old_dentry->d_inode->i_security;
1536 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1537 new_dsec = new_dir->i_security;
1538
1539 AVC_AUDIT_DATA_INIT(&ad, FS);
1540
44707fdf 1541 ad.u.fs.path.dentry = old_dentry;
1da177e4
LT		 1542 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1543 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1544 if (rc)
1545 return rc;
1546 rc = avc_has_perm(tsec->sid, old_isec->sid,
1547 old_isec->sclass, FILE__RENAME, &ad);
1548 if (rc)
1549 return rc;
1550 if (old_is_dir && new_dir != old_dir) {
1551 rc = avc_has_perm(tsec->sid, old_isec->sid,
1552 old_isec->sclass, DIR__REPARENT, &ad);
1553 if (rc)
1554 return rc;
1555 }
1556
44707fdf 1557 ad.u.fs.path.dentry = new_dentry;
1da177e4
LT		 1558 av = DIR__ADD_NAME | DIR__SEARCH;
1559 if (new_dentry->d_inode)
1560 av |= DIR__REMOVE_NAME;
1561 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1562 if (rc)
1563 return rc;
1564 if (new_dentry->d_inode) {
1565 new_isec = new_dentry->d_inode->i_security;
1566 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1567 rc = avc_has_perm(tsec->sid, new_isec->sid,
1568 new_isec->sclass,
1569 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1570 if (rc)
1571 return rc;
1572 }
1573
1574 return 0;
1575}
1576
1577/* Check whether a task can perform a filesystem operation. */
1578static int superblock_has_perm(struct task_struct *tsk,
1579 struct super_block *sb,
1580 u32 perms,
1581 struct avc_audit_data *ad)
1582{
1583 struct task_security_struct *tsec;
1584 struct superblock_security_struct *sbsec;
1585
1586 tsec = tsk->security;
1587 sbsec = sb->s_security;
1588 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1589 perms, ad);
1590}
1591
1592/* Convert a Linux mode and permission mask to an access vector. */
1593static inline u32 file_mask_to_av(int mode, int mask)
1594{
1595 u32 av = 0;
1596
1597 if ((mode & S_IFMT) != S_IFDIR) {
1598 if (mask & MAY_EXEC)
1599 av |= FILE__EXECUTE;
1600 if (mask & MAY_READ)
1601 av |= FILE__READ;
1602
1603 if (mask & MAY_APPEND)
1604 av |= FILE__APPEND;
1605 else if (mask & MAY_WRITE)
1606 av |= FILE__WRITE;
1607
1608 } else {
1609 if (mask & MAY_EXEC)
1610 av |= DIR__SEARCH;
1611 if (mask & MAY_WRITE)
1612 av |= DIR__WRITE;
1613 if (mask & MAY_READ)
1614 av |= DIR__READ;
1615 }
1616
1617 return av;
1618}
1619
b0c636b9
EP		 1620/*
1621 * Convert a file mask to an access vector and include the correct open
1622 * open permission.
1623 */
1624static inline u32 open_file_mask_to_av(int mode, int mask)
1625{
1626 u32 av = file_mask_to_av(mode, mask);
1627
1628 if (selinux_policycap_openperm) {
1629 /*
1630 * lnk files and socks do not really have an 'open'
1631 */
1632 if (S_ISREG(mode))
1633 av |= FILE__OPEN;
1634 else if (S_ISCHR(mode))
1635 av |= CHR_FILE__OPEN;
1636 else if (S_ISBLK(mode))
1637 av |= BLK_FILE__OPEN;
1638 else if (S_ISFIFO(mode))
1639 av |= FIFO_FILE__OPEN;
1640 else if (S_ISDIR(mode))
1641 av |= DIR__OPEN;
1642 else
1643 printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av "
1644 "with unknown mode:%x\n", mode);
1645 }
1646 return av;
1647}
1648
1da177e4
LT		 1649/* Convert a Linux file to an access vector. */
1650static inline u32 file_to_av(struct file *file)
1651{
1652 u32 av = 0;
1653
1654 if (file->f_mode & FMODE_READ)
1655 av |= FILE__READ;
1656 if (file->f_mode & FMODE_WRITE) {
1657 if (file->f_flags & O_APPEND)
1658 av |= FILE__APPEND;
1659 else
1660 av |= FILE__WRITE;
1661 }
0794c66d
SS		 1662 if (!av) {
1663 /*
1664 * Special file opened with flags 3 for ioctl-only use.
1665 */
1666 av = FILE__IOCTL;
1667 }
1da177e4
LT		 1668
1669 return av;
1670}
1671
1da177e4
LT		 1672/* Hook functions begin here. */
1673
1674static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1675{
1da177e4
LT		 1676 int rc;
1677
1678 rc = secondary_ops->ptrace(parent,child);
1679 if (rc)
1680 return rc;
1681
0356357c 1682 return task_has_perm(parent, child, PROCESS__PTRACE);
1da177e4
LT		 1683}
1684
1685static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1686 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1687{
1688 int error;
1689
1690 error = task_has_perm(current, target, PROCESS__GETCAP);
1691 if (error)
1692 return error;
1693
1694 return secondary_ops->capget(target, effective, inheritable, permitted);
1695}
1696
1697static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1698 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1699{
1700 int error;
1701
1702 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1703 if (error)
1704 return error;
1705
1706 return task_has_perm(current, target, PROCESS__SETCAP);
1707}
1708
1709static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1710 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1711{
1712 secondary_ops->capset_set(target, effective, inheritable, permitted);
1713}
1714
1715static int selinux_capable(struct task_struct *tsk, int cap)
1716{
1717 int rc;
1718
1719 rc = secondary_ops->capable(tsk, cap);
1720 if (rc)
1721 return rc;
1722
1723 return task_has_capability(tsk,cap);
1724}
1725
3fbfa981
EB		 1726static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1727{
1728 int buflen, rc;
1729 char *buffer, *path, *end;
1730
1731 rc = -ENOMEM;
1732 buffer = (char*)__get_free_page(GFP_KERNEL);
1733 if (!buffer)
1734 goto out;
1735
1736 buflen = PAGE_SIZE;
1737 end = buffer+buflen;
1738 *--end = '\0';
1739 buflen--;
1740 path = end-1;
1741 *path = '/';
1742 while (table) {
1743 const char *name = table->procname;
1744 size_t namelen = strlen(name);
1745 buflen -= namelen + 1;
1746 if (buflen < 0)
1747 goto out_free;
1748 end -= namelen;
1749 memcpy(end, name, namelen);
1750 *--end = '/';
1751 path = end;
1752 table = table->parent;
1753 }
b599fdfd
EB		 1754 buflen -= 4;
1755 if (buflen < 0)
1756 goto out_free;
1757 end -= 4;
1758 memcpy(end, "/sys", 4);
1759 path = end;
3fbfa981
EB		 1760 rc = security_genfs_sid("proc", path, tclass, sid);
1761out_free:
1762 free_page((unsigned long)buffer);
1763out:
1764 return rc;
1765}
1766
1da177e4
LT		 1767static int selinux_sysctl(ctl_table *table, int op)
1768{
1769 int error = 0;
1770 u32 av;
1771 struct task_security_struct *tsec;
1772 u32 tsid;
1773 int rc;
1774
1775 rc = secondary_ops->sysctl(table, op);
1776 if (rc)
1777 return rc;
1778
1779 tsec = current->security;
1780
3fbfa981
EB		 1781 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1782 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1da177e4
LT		 1783 if (rc) {
1784 /* Default to the well-defined sysctl SID. */
1785 tsid = SECINITSID_SYSCTL;
1786 }
1787
1788 /* The op values are "defined" in sysctl.c, thereby creating
1789 * a bad coupling between this module and sysctl.c */
1790 if(op == 001) {
1791 error = avc_has_perm(tsec->sid, tsid,
1792 SECCLASS_DIR, DIR__SEARCH, NULL);
1793 } else {
1794 av = 0;
1795 if (op & 004)
1796 av |= FILE__READ;
1797 if (op & 002)
1798 av |= FILE__WRITE;
1799 if (av)
1800 error = avc_has_perm(tsec->sid, tsid,
1801 SECCLASS_FILE, av, NULL);
1802 }
1803
1804 return error;
1805}
1806
1807static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1808{
1809 int rc = 0;
1810
1811 if (!sb)
1812 return 0;
1813
1814 switch (cmds) {
1815 case Q_SYNC:
1816 case Q_QUOTAON:
1817 case Q_QUOTAOFF:
1818 case Q_SETINFO:
1819 case Q_SETQUOTA:
1820 rc = superblock_has_perm(current,
1821 sb,
1822 FILESYSTEM__QUOTAMOD, NULL);
1823 break;
1824 case Q_GETFMT:
1825 case Q_GETINFO:
1826 case Q_GETQUOTA:
1827 rc = superblock_has_perm(current,
1828 sb,
1829 FILESYSTEM__QUOTAGET, NULL);
1830 break;
1831 default:
1832 rc = 0; /* let the kernel handle invalid cmds */
1833 break;
1834 }
1835 return rc;
1836}
1837
1838static int selinux_quota_on(struct dentry *dentry)
1839{
1840 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1841}
1842
1843static int selinux_syslog(int type)
1844{
1845 int rc;
1846
1847 rc = secondary_ops->syslog(type);
1848 if (rc)
1849 return rc;
1850
1851 switch (type) {
1852 case 3: /* Read last kernel messages */
1853 case 10: /* Return size of the log buffer */
1854 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1855 break;
1856 case 6: /* Disable logging to console */
1857 case 7: /* Enable logging to console */
1858 case 8: /* Set level of messages printed to console */
1859 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1860 break;
1861 case 0: /* Close log */
1862 case 1: /* Open log */
1863 case 2: /* Read from log */
1864 case 4: /* Read/clear last kernel messages */
1865 case 5: /* Clear ring buffer */
1866 default:
1867 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1868 break;
1869 }
1870 return rc;
1871}
1872
1873/*
1874 * Check that a process has enough memory to allocate a new virtual
1875 * mapping. 0 means there is enough memory for the allocation to
1876 * succeed and -ENOMEM implies there is not.
1877 *
1878 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1879 * if the capability is granted, but __vm_enough_memory requires 1 if
1880 * the capability is granted.
1881 *
1882 * Do not audit the selinux permission check, as this is applied to all
1883 * processes that allocate mappings.
1884 */
34b4e4aa 1885static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 1886{
1887 int rc, cap_sys_admin = 0;
1888 struct task_security_struct *tsec = current->security;
1889
1890 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1891 if (rc == 0)
1892 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2c3c05db
SS		 1893 SECCLASS_CAPABILITY,
1894 CAP_TO_MASK(CAP_SYS_ADMIN),
1895 0,
1896 NULL);
1da177e4
LT		 1897
1898 if (rc == 0)
1899 cap_sys_admin = 1;
1900
34b4e4aa 1901 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 1902}
1903
0356357c
RM		 1904/**
1905 * task_tracer_task - return the task that is tracing the given task
1906 * @task: task to consider
1907 *
1908 * Returns NULL if noone is tracing @task, or the &struct task_struct
1909 * pointer to its tracer.
1910 *
1911 * Must be called under rcu_read_lock().
1912 */
1913static struct task_struct *task_tracer_task(struct task_struct *task)
1914{
1915 if (task->ptrace & PT_PTRACED)
1916 return rcu_dereference(task->parent);
1917 return NULL;
1918}
1919
1da177e4
LT		 1920/* binprm security operations */
1921
1922static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1923{
1924 struct bprm_security_struct *bsec;
1925
89d155ef 1926 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1da177e4
LT		 1927 if (!bsec)
1928 return -ENOMEM;
1929
1da177e4
LT		 1930 bsec->sid = SECINITSID_UNLABELED;
1931 bsec->set = 0;
1932
1933 bprm->security = bsec;
1934 return 0;
1935}
1936
1937static int selinux_bprm_set_security(struct linux_binprm *bprm)
1938{
1939 struct task_security_struct *tsec;
3d5ff529 1940 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1da177e4
LT		 1941 struct inode_security_struct *isec;
1942 struct bprm_security_struct *bsec;
1943 u32 newsid;
1944 struct avc_audit_data ad;
1945 int rc;
1946
1947 rc = secondary_ops->bprm_set_security(bprm);
1948 if (rc)
1949 return rc;
1950
1951 bsec = bprm->security;
1952
1953 if (bsec->set)
1954 return 0;
1955
1956 tsec = current->security;
1957 isec = inode->i_security;
1958
1959 /* Default to the current task SID. */
1960 bsec->sid = tsec->sid;
1961
28eba5bf 1962 /* Reset fs, key, and sock SIDs on execve. */
1da177e4 1963 tsec->create_sid = 0;
28eba5bf 1964 tsec->keycreate_sid = 0;
42c3e03e 1965 tsec->sockcreate_sid = 0;
1da177e4
LT		 1966
1967 if (tsec->exec_sid) {
1968 newsid = tsec->exec_sid;
1969 /* Reset exec SID on execve. */
1970 tsec->exec_sid = 0;
1971 } else {
1972 /* Check for a default transition on this program. */
1973 rc = security_transition_sid(tsec->sid, isec->sid,
1974 SECCLASS_PROCESS, &newsid);
1975 if (rc)
1976 return rc;
1977 }
1978
1979 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1980 ad.u.fs.path = bprm->file->f_path;
1da177e4 1981
3d5ff529 1982 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1da177e4
LT		 1983 newsid = tsec->sid;
1984
1985 if (tsec->sid == newsid) {
1986 rc = avc_has_perm(tsec->sid, isec->sid,
1987 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1988 if (rc)
1989 return rc;
1990 } else {
1991 /* Check permissions for the transition. */
1992 rc = avc_has_perm(tsec->sid, newsid,
1993 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1994 if (rc)
1995 return rc;
1996
1997 rc = avc_has_perm(newsid, isec->sid,
1998 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1999 if (rc)
2000 return rc;
2001
2002 /* Clear any possibly unsafe personality bits on exec: */
2003 current->personality &= ~PER_CLEAR_ON_SETID;
2004
2005 /* Set the security field to the new SID. */
2006 bsec->sid = newsid;
2007 }
2008
2009 bsec->set = 1;
2010 return 0;
2011}
2012
2013static int selinux_bprm_check_security (struct linux_binprm *bprm)
2014{
2015 return secondary_ops->bprm_check_security(bprm);
2016}
2017
2018
2019static int selinux_bprm_secureexec (struct linux_binprm *bprm)
2020{
2021 struct task_security_struct *tsec = current->security;
2022 int atsecure = 0;
2023
2024 if (tsec->osid != tsec->sid) {
2025 /* Enable secure mode for SIDs transitions unless
2026 the noatsecure permission is granted between
2027 the two SIDs, i.e. ahp returns 0. */
2028 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2029 SECCLASS_PROCESS,
2030 PROCESS__NOATSECURE, NULL);
2031 }
2032
2033 return (atsecure || secondary_ops->bprm_secureexec(bprm));
2034}
2035
2036static void selinux_bprm_free_security(struct linux_binprm *bprm)
2037{
9a5f04bf 2038 kfree(bprm->security);
1da177e4 2039 bprm->security = NULL;
1da177e4
LT		 2040}
2041
2042extern struct vfsmount *selinuxfs_mount;
2043extern struct dentry *selinux_null;
2044
2045/* Derived from fs/exec.c:flush_old_files. */
2046static inline void flush_unauthorized_files(struct files_struct * files)
2047{
2048 struct avc_audit_data ad;
2049 struct file *file, *devnull = NULL;
b20c8122 2050 struct tty_struct *tty;
badf1662 2051 struct fdtable *fdt;
1da177e4 2052 long j = -1;
24ec839c 2053 int drop_tty = 0;
1da177e4 2054
b20c8122 2055 mutex_lock(&tty_mutex);
24ec839c 2056 tty = get_current_tty();
1da177e4
LT		 2057 if (tty) {
2058 file_list_lock();
2f512016 2059 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1da177e4
LT		 2060 if (file) {
2061 /* Revalidate access to controlling tty.
2062 Use inode_has_perm on the tty inode directly rather
2063 than using file_has_perm, as this particular open
2064 file may belong to another process and we are only
2065 interested in the inode-based check here. */
3d5ff529 2066 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2067 if (inode_has_perm(current, inode,
2068 FILE__READ | FILE__WRITE, NULL)) {
24ec839c 2069 drop_tty = 1;
1da177e4
LT		 2070 }
2071 }
2072 file_list_unlock();
2073 }
b20c8122 2074 mutex_unlock(&tty_mutex);
98a27ba4
EB		 2075 /* Reset controlling tty. */
2076 if (drop_tty)
2077 no_tty();
1da177e4
LT		 2078
2079 /* Revalidate access to inherited open files. */
2080
2081 AVC_AUDIT_DATA_INIT(&ad,FS);
2082
2083 spin_lock(&files->file_lock);
2084 for (;;) {
2085 unsigned long set, i;
2086 int fd;
2087
2088 j++;
2089 i = j * __NFDBITS;
badf1662 2090 fdt = files_fdtable(files);
bbea9f69 2091 if (i >= fdt->max_fds)
1da177e4 2092 break;
badf1662 2093 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 2094 if (!set)
2095 continue;
2096 spin_unlock(&files->file_lock);
2097 for ( ; set ; i++,set >>= 1) {
2098 if (set & 1) {
2099 file = fget(i);
2100 if (!file)
2101 continue;
2102 if (file_has_perm(current,
2103 file,
2104 file_to_av(file))) {
2105 sys_close(i);
2106 fd = get_unused_fd();
2107 if (fd != i) {
2108 if (fd >= 0)
2109 put_unused_fd(fd);
2110 fput(file);
2111 continue;
2112 }
2113 if (devnull) {
095975da 2114 get_file(devnull);
1da177e4
LT		 2115 } else {
2116 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
fc5d81e6
AM		 2117 if (IS_ERR(devnull)) {
2118 devnull = NULL;
1da177e4
LT		 2119 put_unused_fd(fd);
2120 fput(file);
2121 continue;
2122 }
2123 }
2124 fd_install(fd, devnull);
2125 }
2126 fput(file);
2127 }
2128 }
2129 spin_lock(&files->file_lock);
2130
2131 }
2132 spin_unlock(&files->file_lock);
2133}
2134
2135static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2136{
2137 struct task_security_struct *tsec;
2138 struct bprm_security_struct *bsec;
2139 u32 sid;
2140 int rc;
2141
2142 secondary_ops->bprm_apply_creds(bprm, unsafe);
2143
2144 tsec = current->security;
2145
2146 bsec = bprm->security;
2147 sid = bsec->sid;
2148
2149 tsec->osid = tsec->sid;
2150 bsec->unsafe = 0;
2151 if (tsec->sid != sid) {
2152 /* Check for shared state. If not ok, leave SID
2153 unchanged and kill. */
2154 if (unsafe & LSM_UNSAFE_SHARE) {
2155 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2156 PROCESS__SHARE, NULL);
2157 if (rc) {
2158 bsec->unsafe = 1;
2159 return;
2160 }
2161 }
2162
2163 /* Check for ptracing, and update the task SID if ok.
2164 Otherwise, leave SID unchanged and kill. */
2165 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
0356357c
RM		 2166 struct task_struct *tracer;
2167 struct task_security_struct *sec;
2168 u32 ptsid = 0;
2169
2170 rcu_read_lock();
2171 tracer = task_tracer_task(current);
2172 if (likely(tracer != NULL)) {
2173 sec = tracer->security;
2174 ptsid = sec->sid;
2175 }
2176 rcu_read_unlock();
2177
2178 if (ptsid != 0) {
2179 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2180 PROCESS__PTRACE, NULL);
2181 if (rc) {
2182 bsec->unsafe = 1;
2183 return;
2184 }
1da177e4
LT		 2185 }
2186 }
2187 tsec->sid = sid;
2188 }
2189}
2190
2191/*
2192 * called after apply_creds without the task lock held
2193 */
2194static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2195{
2196 struct task_security_struct *tsec;
2197 struct rlimit *rlim, *initrlim;
2198 struct itimerval itimer;
2199 struct bprm_security_struct *bsec;
2200 int rc, i;
2201
2202 tsec = current->security;
2203 bsec = bprm->security;
2204
2205 if (bsec->unsafe) {
2206 force_sig_specific(SIGKILL, current);
2207 return;
2208 }
2209 if (tsec->osid == tsec->sid)
2210 return;
2211
2212 /* Close files for which the new task SID is not authorized. */
2213 flush_unauthorized_files(current->files);
2214
2215 /* Check whether the new SID can inherit signal state
2216 from the old SID. If not, clear itimers to avoid
2217 subsequent signal generation and flush and unblock
2218 signals. This must occur _after_ the task SID has
2219 been updated so that any kill done after the flush
2220 will be checked against the new SID. */
2221 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2222 PROCESS__SIGINH, NULL);
2223 if (rc) {
2224 memset(&itimer, 0, sizeof itimer);
2225 for (i = 0; i < 3; i++)
2226 do_setitimer(i, &itimer, NULL);
2227 flush_signals(current);
2228 spin_lock_irq(&current->sighand->siglock);
2229 flush_signal_handlers(current, 1);
2230 sigemptyset(&current->blocked);
2231 recalc_sigpending();
2232 spin_unlock_irq(&current->sighand->siglock);
2233 }
2234
4ac212ad
SS		 2235 /* Always clear parent death signal on SID transitions. */
2236 current->pdeath_signal = 0;
2237
1da177e4
LT		 2238 /* Check whether the new SID can inherit resource limits
2239 from the old SID. If not, reset all soft limits to
2240 the lower of the current task's hard limit and the init
2241 task's soft limit. Note that the setting of hard limits
2242 (even to lower them) can be controlled by the setrlimit
2243 check. The inclusion of the init task's soft limit into
2244 the computation is to avoid resetting soft limits higher
2245 than the default soft limit for cases where the default
2246 is lower than the hard limit, e.g. RLIMIT_CORE or
2247 RLIMIT_STACK.*/
2248 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2249 PROCESS__RLIMITINH, NULL);
2250 if (rc) {
2251 for (i = 0; i < RLIM_NLIMITS; i++) {
2252 rlim = current->signal->rlim + i;
2253 initrlim = init_task.signal->rlim+i;
2254 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2255 }
2256 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2257 /*
2258 * This will cause RLIMIT_CPU calculations
2259 * to be refigured.
2260 */
2261 current->it_prof_expires = jiffies_to_cputime(1);
2262 }
2263 }
2264
2265 /* Wake up the parent if it is waiting so that it can
2266 recheck wait permission to the new task SID. */
2267 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2268}
2269
2270/* superblock security operations */
2271
2272static int selinux_sb_alloc_security(struct super_block *sb)
2273{
2274 return superblock_alloc_security(sb);
2275}
2276
2277static void selinux_sb_free_security(struct super_block *sb)
2278{
2279 superblock_free_security(sb);
2280}
2281
2282static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2283{
2284 if (plen > olen)
2285 return 0;
2286
2287 return !memcmp(prefix, option, plen);
2288}
2289
2290static inline int selinux_option(char *option, int len)
2291{
832cbd9a
EP		 2292 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2293 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2294 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2295 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
1da177e4
LT		 2296}
2297
2298static inline void take_option(char **to, char *from, int *first, int len)
2299{
2300 if (!*first) {
2301 **to = ',';
2302 *to += 1;
3528a953 2303 } else
1da177e4
LT		 2304 *first = 0;
2305 memcpy(*to, from, len);
2306 *to += len;
2307}
2308
3528a953
CO		 2309static inline void take_selinux_option(char **to, char *from, int *first,
2310 int len)
2311{
2312 int current_size = 0;
2313
2314 if (!*first) {
2315 **to = '|';
2316 *to += 1;
2317 }
2318 else
2319 *first = 0;
2320
2321 while (current_size < len) {
2322 if (*from != '"') {
2323 **to = *from;
2324 *to += 1;
2325 }
2326 from += 1;
2327 current_size += 1;
2328 }
2329}
2330
e0007529 2331static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2332{
2333 int fnosec, fsec, rc = 0;
2334 char *in_save, *in_curr, *in_end;
2335 char *sec_curr, *nosec_save, *nosec;
3528a953 2336 int open_quote = 0;
1da177e4
LT		 2337
2338 in_curr = orig;
2339 sec_curr = copy;
2340
1da177e4
LT		 2341 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2342 if (!nosec) {
2343 rc = -ENOMEM;
2344 goto out;
2345 }
2346
2347 nosec_save = nosec;
2348 fnosec = fsec = 1;
2349 in_save = in_end = orig;
2350
2351 do {
3528a953
CO		 2352 if (*in_end == '"')
2353 open_quote = !open_quote;
2354 if ((*in_end == ',' && open_quote == 0) ||
2355 *in_end == '\0') {
1da177e4
LT		 2356 int len = in_end - in_curr;
2357
2358 if (selinux_option(in_curr, len))
3528a953 2359 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2360 else
2361 take_option(&nosec, in_curr, &fnosec, len);
2362
2363 in_curr = in_end + 1;
2364 }
2365 } while (*in_end++);
2366
6931dfc9 2367 strcpy(in_save, nosec_save);
da3caa20 2368 free_page((unsigned long)nosec_save);
1da177e4
LT		 2369out:
2370 return rc;
2371}
2372
2373static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2374{
2375 struct avc_audit_data ad;
2376 int rc;
2377
2378 rc = superblock_doinit(sb, data);
2379 if (rc)
2380 return rc;
2381
2382 AVC_AUDIT_DATA_INIT(&ad,FS);
44707fdf 2383 ad.u.fs.path.dentry = sb->s_root;
1da177e4
LT		 2384 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2385}
2386
726c3342 2387static int selinux_sb_statfs(struct dentry *dentry)
1da177e4
LT		 2388{
2389 struct avc_audit_data ad;
2390
2391 AVC_AUDIT_DATA_INIT(&ad,FS);
44707fdf 2392 ad.u.fs.path.dentry = dentry->d_sb->s_root;
726c3342 2393 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2394}
2395
2396static int selinux_mount(char * dev_name,
2397 struct nameidata *nd,
2398 char * type,
2399 unsigned long flags,
2400 void * data)
2401{
2402 int rc;
2403
2404 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2405 if (rc)
2406 return rc;
2407
2408 if (flags & MS_REMOUNT)
4ac91378 2409 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
1da177e4
LT		 2410 FILESYSTEM__REMOUNT, NULL);
2411 else
4ac91378 2412 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
1da177e4
LT		 2413 FILE__MOUNTON);
2414}
2415
2416static int selinux_umount(struct vfsmount *mnt, int flags)
2417{
2418 int rc;
2419
2420 rc = secondary_ops->sb_umount(mnt, flags);
2421 if (rc)
2422 return rc;
2423
2424 return superblock_has_perm(current,mnt->mnt_sb,
2425 FILESYSTEM__UNMOUNT,NULL);
2426}
2427
2428/* inode security operations */
2429
2430static int selinux_inode_alloc_security(struct inode *inode)
2431{
2432 return inode_alloc_security(inode);
2433}
2434
2435static void selinux_inode_free_security(struct inode *inode)
2436{
2437 inode_free_security(inode);
2438}
2439
5e41ff9e
SS		 2440static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2441 char **name, void **value,
2442 size_t *len)
2443{
2444 struct task_security_struct *tsec;
2445 struct inode_security_struct *dsec;
2446 struct superblock_security_struct *sbsec;
570bc1c2 2447 u32 newsid, clen;
5e41ff9e 2448 int rc;
570bc1c2 2449 char *namep = NULL, *context;
5e41ff9e
SS		 2450
2451 tsec = current->security;
2452 dsec = dir->i_security;
2453 sbsec = dir->i_sb->s_security;
5e41ff9e
SS		 2454
2455 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2456 newsid = tsec->create_sid;
2457 } else {
2458 rc = security_transition_sid(tsec->sid, dsec->sid,
2459 inode_mode_to_security_class(inode->i_mode),
2460 &newsid);
2461 if (rc) {
2462 printk(KERN_WARNING "%s: "
2463 "security_transition_sid failed, rc=%d (dev=%s "
2464 "ino=%ld)\n",
dd6f953a 2465 __func__,
5e41ff9e
SS		 2466 -rc, inode->i_sb->s_id, inode->i_ino);
2467 return rc;
2468 }
2469 }
2470
296fddf7
EP		 2471 /* Possibly defer initialization to selinux_complete_init. */
2472 if (sbsec->initialized) {
2473 struct inode_security_struct *isec = inode->i_security;
2474 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2475 isec->sid = newsid;
2476 isec->initialized = 1;
2477 }
5e41ff9e 2478
8aad3875 2479 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
25a74f3b
SS		 2480 return -EOPNOTSUPP;
2481
570bc1c2 2482 if (name) {
a02fe132 2483 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
570bc1c2
SS		 2484 if (!namep)
2485 return -ENOMEM;
2486 *name = namep;
2487 }
5e41ff9e 2488
570bc1c2
SS		 2489 if (value && len) {
2490 rc = security_sid_to_context(newsid, &context, &clen);
2491 if (rc) {
2492 kfree(namep);
2493 return rc;
2494 }
2495 *value = context;
2496 *len = clen;
5e41ff9e 2497 }
5e41ff9e 2498
5e41ff9e
SS		 2499 return 0;
2500}
2501
1da177e4
LT		 2502static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2503{
2504 return may_create(dir, dentry, SECCLASS_FILE);
2505}
2506
1da177e4
LT		 2507static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2508{
2509 int rc;
2510
2511 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2512 if (rc)
2513 return rc;
2514 return may_link(dir, old_dentry, MAY_LINK);
2515}
2516
1da177e4
LT		 2517static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2518{
2519 int rc;
2520
2521 rc = secondary_ops->inode_unlink(dir, dentry);
2522 if (rc)
2523 return rc;
2524 return may_link(dir, dentry, MAY_UNLINK);
2525}
2526
2527static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2528{
2529 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2530}
2531
1da177e4
LT		 2532static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2533{
2534 return may_create(dir, dentry, SECCLASS_DIR);
2535}
2536
1da177e4
LT		 2537static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2538{
2539 return may_link(dir, dentry, MAY_RMDIR);
2540}
2541
2542static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2543{
2544 int rc;
2545
2546 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2547 if (rc)
2548 return rc;
2549
2550 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2551}
2552
1da177e4
LT		 2553static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2554 struct inode *new_inode, struct dentry *new_dentry)
2555{
2556 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2557}
2558
1da177e4
LT		 2559static int selinux_inode_readlink(struct dentry *dentry)
2560{
2561 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2562}
2563
2564static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2565{
2566 int rc;
2567
2568 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2569 if (rc)
2570 return rc;
2571 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2572}
2573
2574static int selinux_inode_permission(struct inode *inode, int mask,
2575 struct nameidata *nd)
2576{
2577 int rc;
2578
2579 rc = secondary_ops->inode_permission(inode, mask, nd);
2580 if (rc)
2581 return rc;
2582
2583 if (!mask) {
2584 /* No permission to check. Existence test. */
2585 return 0;
2586 }
2587
2588 return inode_has_perm(current, inode,
b0c636b9 2589 open_file_mask_to_av(inode->i_mode, mask), NULL);
1da177e4
LT		 2590}
2591
2592static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2593{
2594 int rc;
2595
2596 rc = secondary_ops->inode_setattr(dentry, iattr);
2597 if (rc)
2598 return rc;
2599
2600 if (iattr->ia_valid & ATTR_FORCE)
2601 return 0;
2602
2603 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2604 ATTR_ATIME_SET | ATTR_MTIME_SET))
2605 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2606
2607 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2608}
2609
2610static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2611{
2612 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2613}
2614
b5376771
SH		 2615static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2616{
2617 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2618 sizeof XATTR_SECURITY_PREFIX - 1)) {
2619 if (!strcmp(name, XATTR_NAME_CAPS)) {
2620 if (!capable(CAP_SETFCAP))
2621 return -EPERM;
2622 } else if (!capable(CAP_SYS_ADMIN)) {
2623 /* A different attribute in the security namespace.
2624 Restrict to administrator. */
2625 return -EPERM;
2626 }
2627 }
2628
2629 /* Not an attribute we recognize, so just check the
2630 ordinary setattr permission. */
2631 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2632}
2633
1da177e4
LT		 2634static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2635{
2636 struct task_security_struct *tsec = current->security;
2637 struct inode *inode = dentry->d_inode;
2638 struct inode_security_struct *isec = inode->i_security;
2639 struct superblock_security_struct *sbsec;
2640 struct avc_audit_data ad;
2641 u32 newsid;
2642 int rc = 0;
2643
b5376771
SH		 2644 if (strcmp(name, XATTR_NAME_SELINUX))
2645 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2646
2647 sbsec = inode->i_sb->s_security;
2648 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2649 return -EOPNOTSUPP;
2650
3bd858ab 2651 if (!is_owner_or_cap(inode))
1da177e4
LT		 2652 return -EPERM;
2653
2654 AVC_AUDIT_DATA_INIT(&ad,FS);
44707fdf 2655 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 2656
2657 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2658 FILE__RELABELFROM, &ad);
2659 if (rc)
2660 return rc;
2661
2662 rc = security_context_to_sid(value, size, &newsid);
2663 if (rc)
2664 return rc;
2665
2666 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2667 FILE__RELABELTO, &ad);
2668 if (rc)
2669 return rc;
2670
2671 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2672 isec->sclass);
2673 if (rc)
2674 return rc;
2675
2676 return avc_has_perm(newsid,
2677 sbsec->sid,
2678 SECCLASS_FILESYSTEM,
2679 FILESYSTEM__ASSOCIATE,
2680 &ad);
2681}
2682
2683static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2684 void *value, size_t size, int flags)
2685{
2686 struct inode *inode = dentry->d_inode;
2687 struct inode_security_struct *isec = inode->i_security;
2688 u32 newsid;
2689 int rc;
2690
2691 if (strcmp(name, XATTR_NAME_SELINUX)) {
2692 /* Not an attribute we recognize, so nothing to do. */
2693 return;
2694 }
2695
2696 rc = security_context_to_sid(value, size, &newsid);
2697 if (rc) {
2698 printk(KERN_WARNING "%s: unable to obtain SID for context "
f0115e6c 2699 "%s, rc=%d\n", __func__, (char *)value, -rc);
1da177e4
LT		 2700 return;
2701 }
2702
2703 isec->sid = newsid;
2704 return;
2705}
2706
2707static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2708{
1da177e4
LT		 2709 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2710}
2711
2712static int selinux_inode_listxattr (struct dentry *dentry)
2713{
2714 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2715}
2716
2717static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2718{
b5376771
SH		 2719 if (strcmp(name, XATTR_NAME_SELINUX))
2720 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2721
2722 /* No one is allowed to remove a SELinux security label.
2723 You can change the label, but all data must be labeled. */
2724 return -EACCES;
2725}
2726
d381d8a9
JM		 2727/*
2728 * Copy the in-core inode security context value to the user. If the
2729 * getxattr() prior to this succeeded, check to see if we need to
2730 * canonicalize the value to be finally returned to the user.
2731 *
2732 * Permission check is handled by selinux_inode_getxattr hook.
2733 */
42492594 2734static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 2735{
42492594
DQ		 2736 u32 size;
2737 int error;
2738 char *context = NULL;
1da177e4 2739 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2740
8c8570fb
DK		 2741 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2742 return -EOPNOTSUPP;
d381d8a9 2743
42492594
DQ		 2744 error = security_sid_to_context(isec->sid, &context, &size);
2745 if (error)
2746 return error;
2747 error = size;
2748 if (alloc) {
2749 *buffer = context;
2750 goto out_nofree;
2751 }
2752 kfree(context);
2753out_nofree:
2754 return error;
1da177e4
LT		 2755}
2756
2757static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2758 const void *value, size_t size, int flags)
2759{
2760 struct inode_security_struct *isec = inode->i_security;
2761 u32 newsid;
2762 int rc;
2763
2764 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2765 return -EOPNOTSUPP;
2766
2767 if (!value || !size)
2768 return -EACCES;
2769
2770 rc = security_context_to_sid((void*)value, size, &newsid);
2771 if (rc)
2772 return rc;
2773
2774 isec->sid = newsid;
2775 return 0;
2776}
2777
2778static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2779{
2780 const int len = sizeof(XATTR_NAME_SELINUX);
2781 if (buffer && len <= buffer_size)
2782 memcpy(buffer, XATTR_NAME_SELINUX, len);
2783 return len;
2784}
2785
b5376771
SH		 2786static int selinux_inode_need_killpriv(struct dentry *dentry)
2787{
2788 return secondary_ops->inode_need_killpriv(dentry);
2789}
2790
2791static int selinux_inode_killpriv(struct dentry *dentry)
2792{
2793 return secondary_ops->inode_killpriv(dentry);
2794}
2795
713a04ae
AD		 2796static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2797{
2798 struct inode_security_struct *isec = inode->i_security;
2799 *secid = isec->sid;
2800}
2801
1da177e4
LT		 2802/* file security operations */
2803
788e7dd4 2804static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 2805{
7420ed23 2806 int rc;
3d5ff529 2807 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2808
2809 if (!mask) {
2810 /* No permission to check. Existence test. */
2811 return 0;
2812 }
2813
2814 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2815 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2816 mask |= MAY_APPEND;
2817
7420ed23
VY		 2818 rc = file_has_perm(current, file,
2819 file_mask_to_av(inode->i_mode, mask));
2820 if (rc)
2821 return rc;
2822
2823 return selinux_netlbl_inode_permission(inode, mask);
1da177e4
LT		 2824}
2825
788e7dd4
YN		 2826static int selinux_file_permission(struct file *file, int mask)
2827{
2828 struct inode *inode = file->f_path.dentry->d_inode;
2829 struct task_security_struct *tsec = current->security;
2830 struct file_security_struct *fsec = file->f_security;
2831 struct inode_security_struct *isec = inode->i_security;
2832
2833 if (!mask) {
2834 /* No permission to check. Existence test. */
2835 return 0;
2836 }
2837
2838 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2839 && fsec->pseqno == avc_policy_seqno())
2840 return selinux_netlbl_inode_permission(inode, mask);
2841
2842 return selinux_revalidate_file_permission(file, mask);
2843}
2844
1da177e4
LT		 2845static int selinux_file_alloc_security(struct file *file)
2846{
2847 return file_alloc_security(file);
2848}
2849
2850static void selinux_file_free_security(struct file *file)
2851{
2852 file_free_security(file);
2853}
2854
2855static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2856 unsigned long arg)
2857{
2858 int error = 0;
2859
2860 switch (cmd) {
2861 case FIONREAD:
2862 /* fall through */
2863 case FIBMAP:
2864 /* fall through */
2865 case FIGETBSZ:
2866 /* fall through */
2867 case EXT2_IOC_GETFLAGS:
2868 /* fall through */
2869 case EXT2_IOC_GETVERSION:
2870 error = file_has_perm(current, file, FILE__GETATTR);
2871 break;
2872
2873 case EXT2_IOC_SETFLAGS:
2874 /* fall through */
2875 case EXT2_IOC_SETVERSION:
2876 error = file_has_perm(current, file, FILE__SETATTR);
2877 break;
2878
2879 /* sys_ioctl() checks */
2880 case FIONBIO:
2881 /* fall through */
2882 case FIOASYNC:
2883 error = file_has_perm(current, file, 0);
2884 break;
2885
2886 case KDSKBENT:
2887 case KDSKBSENT:
2888 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2889 break;
2890
2891 /* default case assumes that the command will go
2892 * to the file's ioctl() function.
2893 */
2894 default:
2895 error = file_has_perm(current, file, FILE__IOCTL);
2896
2897 }
2898 return error;
2899}
2900
2901static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2902{
2903#ifndef CONFIG_PPC32
2904 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2905 /*
2906 * We are making executable an anonymous mapping or a
2907 * private file mapping that will also be writable.
2908 * This has an additional check.
2909 */
2910 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2911 if (rc)
2912 return rc;
2913 }
2914#endif
2915
2916 if (file) {
2917 /* read access is always possible with a mapping */
2918 u32 av = FILE__READ;
2919
2920 /* write access only matters if the mapping is shared */
2921 if (shared && (prot & PROT_WRITE))
2922 av |= FILE__WRITE;
2923
2924 if (prot & PROT_EXEC)
2925 av |= FILE__EXECUTE;
2926
2927 return file_has_perm(current, file, av);
2928 }
2929 return 0;
2930}
2931
2932static int selinux_file_mmap(struct file *file, unsigned long reqprot,
ed032189
EP		 2933 unsigned long prot, unsigned long flags,
2934 unsigned long addr, unsigned long addr_only)
1da177e4 2935{
ed032189
EP		 2936 int rc = 0;
2937 u32 sid = ((struct task_security_struct*)(current->security))->sid;
1da177e4 2938
ed032189
EP		 2939 if (addr < mmap_min_addr)
2940 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2941 MEMPROTECT__MMAP_ZERO, NULL);
2942 if (rc || addr_only)
1da177e4
LT		 2943 return rc;
2944
2945 if (selinux_checkreqprot)
2946 prot = reqprot;
2947
2948 return file_map_prot_check(file, prot,
2949 (flags & MAP_TYPE) == MAP_SHARED);
2950}
2951
2952static int selinux_file_mprotect(struct vm_area_struct *vma,
2953 unsigned long reqprot,
2954 unsigned long prot)
2955{
2956 int rc;
2957
2958 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2959 if (rc)
2960 return rc;
2961
2962 if (selinux_checkreqprot)
2963 prot = reqprot;
2964
2965#ifndef CONFIG_PPC32
db4c9641
SS		 2966 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2967 rc = 0;
2968 if (vma->vm_start >= vma->vm_mm->start_brk &&
2969 vma->vm_end <= vma->vm_mm->brk) {
2970 rc = task_has_perm(current, current,
2971 PROCESS__EXECHEAP);
2972 } else if (!vma->vm_file &&
2973 vma->vm_start <= vma->vm_mm->start_stack &&
2974 vma->vm_end >= vma->vm_mm->start_stack) {
2975 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2976 } else if (vma->vm_file && vma->anon_vma) {
2977 /*
2978 * We are making executable a file mapping that has
2979 * had some COW done. Since pages might have been
2980 * written, check ability to execute the possibly
2981 * modified content. This typically should only
2982 * occur for text relocations.
2983 */
2984 rc = file_has_perm(current, vma->vm_file,
2985 FILE__EXECMOD);
2986 }