]> bbs.cooldavid.org Git - net-next-2.6.git/blame - security/selinux/hooks.c
git://bbs.cooldavid.org / net-next-2.6.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
slob: correct Kconfig description
[net-next-2.6.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
effad8df
PM		 15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com>
788e7dd4
YN		 17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 19 *
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
23 */
24
1da177e4
LT		 25#include <linux/init.h>
26#include <linux/kernel.h>
27#include <linux/ptrace.h>
28#include <linux/errno.h>
29#include <linux/sched.h>
30#include <linux/security.h>
31#include <linux/xattr.h>
32#include <linux/capability.h>
33#include <linux/unistd.h>
34#include <linux/mm.h>
35#include <linux/mman.h>
36#include <linux/slab.h>
37#include <linux/pagemap.h>
38#include <linux/swap.h>
1da177e4
LT		 39#include <linux/spinlock.h>
40#include <linux/syscalls.h>
41#include <linux/file.h>
42#include <linux/namei.h>
43#include <linux/mount.h>
44#include <linux/ext2_fs.h>
45#include <linux/proc_fs.h>
46#include <linux/kd.h>
47#include <linux/netfilter_ipv4.h>
48#include <linux/netfilter_ipv6.h>
49#include <linux/tty.h>
50#include <net/icmp.h>
227b60f5 51#include <net/ip.h> /* for local_port_range[] */
1da177e4 52#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
220deb96 53#include <net/net_namespace.h>
d621d35e 54#include <net/netlabel.h>
1da177e4 55#include <asm/uaccess.h>
1da177e4 56#include <asm/ioctls.h>
d621d35e 57#include <asm/atomic.h>
1da177e4
LT		 58#include <linux/bitops.h>
59#include <linux/interrupt.h>
60#include <linux/netdevice.h> /* for network interface checks */
61#include <linux/netlink.h>
62#include <linux/tcp.h>
63#include <linux/udp.h>
2ee92d46 64#include <linux/dccp.h>
1da177e4
LT		 65#include <linux/quota.h>
66#include <linux/un.h> /* for Unix socket types */
67#include <net/af_unix.h> /* for Unix socket types */
68#include <linux/parser.h>
69#include <linux/nfs_mount.h>
70#include <net/ipv6.h>
71#include <linux/hugetlb.h>
72#include <linux/personality.h>
73#include <linux/sysctl.h>
74#include <linux/audit.h>
6931dfc9 75#include <linux/string.h>
877ce7c1 76#include <linux/selinux.h>
23970741 77#include <linux/mutex.h>
1da177e4
LT		 78
79#include "avc.h"
80#include "objsec.h"
81#include "netif.h"
224dfbd8 82#include "netnode.h"
d28d1e08 83#include "xfrm.h"
c60475bf 84#include "netlabel.h"
1da177e4
LT		 85
86#define XATTR_SELINUX_SUFFIX "selinux"
87#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
88
c9180a57
EP		 89#define NUM_SEL_MNT_OPTS 4
90
1da177e4
LT		 91extern unsigned int policydb_loaded_version;
92extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
4e5ab4cb 93extern int selinux_compat_net;
20510f2f 94extern struct security_operations *security_ops;
1da177e4 95
d621d35e
PM		 96/* SECMARK reference count */
97atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
98
1da177e4
LT		 99#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100int selinux_enforcing = 0;
101
102static int __init enforcing_setup(char *str)
103{
104 selinux_enforcing = simple_strtol(str,NULL,0);
105 return 1;
106}
107__setup("enforcing=", enforcing_setup);
108#endif
109
110#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
112
113static int __init selinux_enabled_setup(char *str)
114{
115 selinux_enabled = simple_strtol(str, NULL, 0);
116 return 1;
117}
118__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 119#else
120int selinux_enabled = 1;
1da177e4
LT		 121#endif
122
123/* Original (dummy) security module. */
124static struct security_operations *original_ops = NULL;
125
126/* Minimal support for a secondary security module,
127 just to allow the use of the dummy or capability modules.
128 The owlsm module can alternatively be used as a secondary
129 module as long as CONFIG_OWLSM_FD is not enabled. */
130static struct security_operations *secondary_ops = NULL;
131
132/* Lists of inode and superblock security structures initialized
133 before the policy was loaded. */
134static LIST_HEAD(superblock_security_head);
135static DEFINE_SPINLOCK(sb_security_lock);
136
e18b890b 137static struct kmem_cache *sel_inode_cache;
7cae7e26 138
8c8570fb
DK		 139/* Return security context for a given sid or just the context
140 length if the buffer is null or length is 0 */
141static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
142{
143 char *context;
144 unsigned len;
145 int rc;
146
147 rc = security_sid_to_context(sid, &context, &len);
148 if (rc)
149 return rc;
150
151 if (!buffer || !size)
152 goto getsecurity_exit;
153
154 if (size < len) {
155 len = -ERANGE;
156 goto getsecurity_exit;
157 }
158 memcpy(buffer, context, len);
159
160getsecurity_exit:
161 kfree(context);
162 return len;
163}
164
d621d35e
PM		 165/**
166 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
167 *
168 * Description:
169 * This function checks the SECMARK reference counter to see if any SECMARK
170 * targets are currently configured, if the reference counter is greater than
171 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
172 * enabled, false (0) if SECMARK is disabled.
173 *
174 */
175static int selinux_secmark_enabled(void)
176{
177 return (atomic_read(&selinux_secmark_refcount) > 0);
178}
179
1da177e4
LT		 180/* Allocate and free functions for each kind of security blob. */
181
182static int task_alloc_security(struct task_struct *task)
183{
184 struct task_security_struct *tsec;
185
89d155ef 186 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4
LT		 187 if (!tsec)
188 return -ENOMEM;
189
1da177e4
LT		 190 tsec->task = task;
191 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
192 task->security = tsec;
193
194 return 0;
195}
196
197static void task_free_security(struct task_struct *task)
198{
199 struct task_security_struct *tsec = task->security;
1da177e4
LT		 200 task->security = NULL;
201 kfree(tsec);
202}
203
204static int inode_alloc_security(struct inode *inode)
205{
206 struct task_security_struct *tsec = current->security;
207 struct inode_security_struct *isec;
208
c3762229 209 isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
1da177e4
LT		 210 if (!isec)
211 return -ENOMEM;
212
23970741 213 mutex_init(&isec->lock);
1da177e4 214 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 215 isec->inode = inode;
216 isec->sid = SECINITSID_UNLABELED;
217 isec->sclass = SECCLASS_FILE;
9ac49d22 218 isec->task_sid = tsec->sid;
1da177e4
LT		 219 inode->i_security = isec;
220
221 return 0;
222}
223
224static void inode_free_security(struct inode *inode)
225{
226 struct inode_security_struct *isec = inode->i_security;
227 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
228
1da177e4
LT		 229 spin_lock(&sbsec->isec_lock);
230 if (!list_empty(&isec->list))
231 list_del_init(&isec->list);
232 spin_unlock(&sbsec->isec_lock);
233
234 inode->i_security = NULL;
7cae7e26 235 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 236}
237
238static int file_alloc_security(struct file *file)
239{
240 struct task_security_struct *tsec = current->security;
241 struct file_security_struct *fsec;
242
26d2a4be 243 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 244 if (!fsec)
245 return -ENOMEM;
246
1da177e4 247 fsec->file = file;
9ac49d22
SS		 248 fsec->sid = tsec->sid;
249 fsec->fown_sid = tsec->sid;
1da177e4
LT		 250 file->f_security = fsec;
251
252 return 0;
253}
254
255static void file_free_security(struct file *file)
256{
257 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 258 file->f_security = NULL;
259 kfree(fsec);
260}
261
262static int superblock_alloc_security(struct super_block *sb)
263{
264 struct superblock_security_struct *sbsec;
265
89d155ef 266 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 267 if (!sbsec)
268 return -ENOMEM;
269
bc7e982b 270 mutex_init(&sbsec->lock);
1da177e4
LT		 271 INIT_LIST_HEAD(&sbsec->list);
272 INIT_LIST_HEAD(&sbsec->isec_head);
273 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 274 sbsec->sb = sb;
275 sbsec->sid = SECINITSID_UNLABELED;
276 sbsec->def_sid = SECINITSID_FILE;
c312feb2 277 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 278 sb->s_security = sbsec;
279
280 return 0;
281}
282
283static void superblock_free_security(struct super_block *sb)
284{
285 struct superblock_security_struct *sbsec = sb->s_security;
286
1da177e4
LT		 287 spin_lock(&sb_security_lock);
288 if (!list_empty(&sbsec->list))
289 list_del_init(&sbsec->list);
290 spin_unlock(&sb_security_lock);
291
292 sb->s_security = NULL;
293 kfree(sbsec);
294}
295
7d877f3b 296static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4
LT		 297{
298 struct sk_security_struct *ssec;
299
89d155ef 300 ssec = kzalloc(sizeof(*ssec), priority);
1da177e4
LT		 301 if (!ssec)
302 return -ENOMEM;
303
1da177e4
LT		 304 ssec->sk = sk;
305 ssec->peer_sid = SECINITSID_UNLABELED;
892c141e 306 ssec->sid = SECINITSID_UNLABELED;
1da177e4
LT		 307 sk->sk_security = ssec;
308
99f59ed0
PM		 309 selinux_netlbl_sk_security_init(ssec, family);
310
1da177e4
LT		 311 return 0;
312}
313
314static void sk_free_security(struct sock *sk)
315{
316 struct sk_security_struct *ssec = sk->sk_security;
317
1da177e4
LT		 318 sk->sk_security = NULL;
319 kfree(ssec);
320}
1da177e4
LT		 321
322/* The security server must be initialized before
323 any labeling or access decisions can be provided. */
324extern int ss_initialized;
325
326/* The file system's label must be initialized prior to use. */
327
328static char *labeling_behaviors[6] = {
329 "uses xattr",
330 "uses transition SIDs",
331 "uses task SIDs",
332 "uses genfs_contexts",
333 "not configured for labeling",
334 "uses mountpoint labeling",
335};
336
337static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
338
339static inline int inode_doinit(struct inode *inode)
340{
341 return inode_doinit_with_dentry(inode, NULL);
342}
343
344enum {
31e87930 345 Opt_error = -1,
1da177e4
LT		 346 Opt_context = 1,
347 Opt_fscontext = 2,
c9180a57
EP		 348 Opt_defcontext = 3,
349 Opt_rootcontext = 4,
1da177e4
LT		 350};
351
352static match_table_t tokens = {
353 {Opt_context, "context=%s"},
354 {Opt_fscontext, "fscontext=%s"},
355 {Opt_defcontext, "defcontext=%s"},
0808925e 356 {Opt_rootcontext, "rootcontext=%s"},
31e87930 357 {Opt_error, NULL},
1da177e4
LT		 358};
359
360#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
361
c312feb2
EP		 362static int may_context_mount_sb_relabel(u32 sid,
363 struct superblock_security_struct *sbsec,
364 struct task_security_struct *tsec)
365{
366 int rc;
367
368 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
369 FILESYSTEM__RELABELFROM, NULL);
370 if (rc)
371 return rc;
372
373 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
374 FILESYSTEM__RELABELTO, NULL);
375 return rc;
376}
377
0808925e
EP		 378static int may_context_mount_inode_relabel(u32 sid,
379 struct superblock_security_struct *sbsec,
380 struct task_security_struct *tsec)
381{
382 int rc;
383 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
384 FILESYSTEM__RELABELFROM, NULL);
385 if (rc)
386 return rc;
387
388 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
389 FILESYSTEM__ASSOCIATE, NULL);
390 return rc;
391}
392
c9180a57 393static int sb_finish_set_opts(struct super_block *sb)
1da177e4 394{
1da177e4 395 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 396 struct dentry *root = sb->s_root;
397 struct inode *root_inode = root->d_inode;
398 int rc = 0;
1da177e4 399
c9180a57
EP		 400 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
401 /* Make sure that the xattr handler exists and that no
402 error other than -ENODATA is returned by getxattr on
403 the root directory. -ENODATA is ok, as this may be
404 the first boot of the SELinux kernel before we have
405 assigned xattr values to the filesystem. */
406 if (!root_inode->i_op->getxattr) {
407 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
408 "xattr support\n", sb->s_id, sb->s_type->name);
409 rc = -EOPNOTSUPP;
410 goto out;
411 }
412 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
413 if (rc < 0 && rc != -ENODATA) {
414 if (rc == -EOPNOTSUPP)
415 printk(KERN_WARNING "SELinux: (dev %s, type "
416 "%s) has no security xattr handler\n",
417 sb->s_id, sb->s_type->name);
418 else
419 printk(KERN_WARNING "SELinux: (dev %s, type "
420 "%s) getxattr errno %d\n", sb->s_id,
421 sb->s_type->name, -rc);
422 goto out;
423 }
424 }
1da177e4 425
c9180a57 426 sbsec->initialized = 1;
1da177e4 427
c9180a57
EP		 428 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
429 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
430 sb->s_id, sb->s_type->name);
431 else
432 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
433 sb->s_id, sb->s_type->name,
434 labeling_behaviors[sbsec->behavior-1]);
1da177e4 435
c9180a57
EP		 436 /* Initialize the root inode. */
437 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 438
c9180a57
EP		 439 /* Initialize any other inodes associated with the superblock, e.g.
440 inodes created prior to initial policy load or inodes created
441 during get_sb by a pseudo filesystem that directly
442 populates itself. */
443 spin_lock(&sbsec->isec_lock);
444next_inode:
445 if (!list_empty(&sbsec->isec_head)) {
446 struct inode_security_struct *isec =
447 list_entry(sbsec->isec_head.next,
448 struct inode_security_struct, list);
449 struct inode *inode = isec->inode;
450 spin_unlock(&sbsec->isec_lock);
451 inode = igrab(inode);
452 if (inode) {
453 if (!IS_PRIVATE(inode))
454 inode_doinit(inode);
455 iput(inode);
456 }
457 spin_lock(&sbsec->isec_lock);
458 list_del_init(&isec->list);
459 goto next_inode;
460 }
461 spin_unlock(&sbsec->isec_lock);
462out:
463 return rc;
464}
1da177e4 465
c9180a57
EP		 466/*
467 * This function should allow an FS to ask what it's mount security
468 * options were so it can use those later for submounts, displaying
469 * mount options, or whatever.
470 */
471static int selinux_get_mnt_opts(const struct super_block *sb,
472 char ***mount_options, int **mnt_opts_flags,
473 int *num_opts)
474{
475 int rc = 0, i;
476 struct superblock_security_struct *sbsec = sb->s_security;
477 char *context = NULL;
478 u32 len;
479 char tmp;
1da177e4 480
c9180a57
EP		 481 *num_opts = 0;
482 *mount_options = NULL;
483 *mnt_opts_flags = NULL;
1da177e4 484
c9180a57
EP		 485 if (!sbsec->initialized)
486 return -EINVAL;
1da177e4 487
c9180a57
EP		 488 if (!ss_initialized)
489 return -EINVAL;
1da177e4 490
c9180a57
EP		 491 /*
492 * if we ever use sbsec flags for anything other than tracking mount
493 * settings this is going to need a mask
494 */
495 tmp = sbsec->flags;
496 /* count the number of mount options for this sb */
497 for (i = 0; i < 8; i++) {
498 if (tmp & 0x01)
499 (*num_opts)++;
500 tmp >>= 1;
501 }
1da177e4 502
c9180a57
EP		 503 *mount_options = kcalloc(*num_opts, sizeof(char *), GFP_ATOMIC);
504 if (!*mount_options) {
505 rc = -ENOMEM;
506 goto out_free;
507 }
1da177e4 508
c9180a57
EP		 509 *mnt_opts_flags = kcalloc(*num_opts, sizeof(int), GFP_ATOMIC);
510 if (!*mnt_opts_flags) {
511 rc = -ENOMEM;
512 goto out_free;
513 }
1da177e4 514
c9180a57
EP		 515 i = 0;
516 if (sbsec->flags & FSCONTEXT_MNT) {
517 rc = security_sid_to_context(sbsec->sid, &context, &len);
518 if (rc)
519 goto out_free;
520 (*mount_options)[i] = context;
521 (*mnt_opts_flags)[i++] = FSCONTEXT_MNT;
522 }
523 if (sbsec->flags & CONTEXT_MNT) {
524 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
525 if (rc)
526 goto out_free;
527 (*mount_options)[i] = context;
528 (*mnt_opts_flags)[i++] = CONTEXT_MNT;
529 }
530 if (sbsec->flags & DEFCONTEXT_MNT) {
531 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
532 if (rc)
533 goto out_free;
534 (*mount_options)[i] = context;
535 (*mnt_opts_flags)[i++] = DEFCONTEXT_MNT;
536 }
537 if (sbsec->flags & ROOTCONTEXT_MNT) {
538 struct inode *root = sbsec->sb->s_root->d_inode;
539 struct inode_security_struct *isec = root->i_security;
0808925e 540
c9180a57
EP		 541 rc = security_sid_to_context(isec->sid, &context, &len);
542 if (rc)
543 goto out_free;
544 (*mount_options)[i] = context;
545 (*mnt_opts_flags)[i++] = ROOTCONTEXT_MNT;
546 }
1da177e4 547
c9180a57 548 BUG_ON(i != *num_opts);
1da177e4 549
c9180a57
EP		 550 return 0;
551
552out_free:
553 /* don't leak context string if security_sid_to_context had an error */
554 if (*mount_options && i)
555 for (; i > 0; i--)
556 kfree((*mount_options)[i-1]);
557 kfree(*mount_options);
558 *mount_options = NULL;
559 kfree(*mnt_opts_flags);
560 *mnt_opts_flags = NULL;
561 *num_opts = 0;
562 return rc;
563}
1da177e4 564
c9180a57
EP		 565static int bad_option(struct superblock_security_struct *sbsec, char flag,
566 u32 old_sid, u32 new_sid)
567{
568 /* check if the old mount command had the same options */
569 if (sbsec->initialized)
570 if (!(sbsec->flags & flag) ||
571 (old_sid != new_sid))
572 return 1;
573
574 /* check if we were passed the same options twice,
575 * aka someone passed context=a,context=b
576 */
577 if (!sbsec->initialized)
578 if (sbsec->flags & flag)
579 return 1;
580 return 0;
581}
582/*
583 * Allow filesystems with binary mount data to explicitly set mount point
584 * labeling information.
585 */
374ea019
AB		 586static int selinux_set_mnt_opts(struct super_block *sb, char **mount_options,
587 int *flags, int num_opts)
c9180a57
EP		 588{
589 int rc = 0, i;
590 struct task_security_struct *tsec = current->security;
591 struct superblock_security_struct *sbsec = sb->s_security;
592 const char *name = sb->s_type->name;
593 struct inode *inode = sbsec->sb->s_root->d_inode;
594 struct inode_security_struct *root_isec = inode->i_security;
595 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
596 u32 defcontext_sid = 0;
597
598 mutex_lock(&sbsec->lock);
599
600 if (!ss_initialized) {
601 if (!num_opts) {
602 /* Defer initialization until selinux_complete_init,
603 after the initial policy is loaded and the security
604 server is ready to handle calls. */
605 spin_lock(&sb_security_lock);
606 if (list_empty(&sbsec->list))
607 list_add(&sbsec->list, &superblock_security_head);
608 spin_unlock(&sb_security_lock);
609 goto out;
610 }
611 rc = -EINVAL;
612 printk(KERN_WARNING "Unable to set superblock options before "
613 "the security server is initialized\n");
1da177e4 614 goto out;
c9180a57 615 }
1da177e4 616
c9180a57
EP		 617 /*
618 * parse the mount options, check if they are valid sids.
619 * also check if someone is trying to mount the same sb more
620 * than once with different security options.
621 */
622 for (i = 0; i < num_opts; i++) {
623 u32 sid;
624 rc = security_context_to_sid(mount_options[i],
625 strlen(mount_options[i]), &sid);
1da177e4
LT		 626 if (rc) {
627 printk(KERN_WARNING "SELinux: security_context_to_sid"
628 "(%s) failed for (dev %s, type %s) errno=%d\n",
c9180a57
EP		 629 mount_options[i], sb->s_id, name, rc);
630 goto out;
631 }
632 switch (flags[i]) {
633 case FSCONTEXT_MNT:
634 fscontext_sid = sid;
635
636 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
637 fscontext_sid))
638 goto out_double_mount;
639
640 sbsec->flags |= FSCONTEXT_MNT;
641 break;
642 case CONTEXT_MNT:
643 context_sid = sid;
644
645 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
646 context_sid))
647 goto out_double_mount;
648
649 sbsec->flags |= CONTEXT_MNT;
650 break;
651 case ROOTCONTEXT_MNT:
652 rootcontext_sid = sid;
653
654 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
655 rootcontext_sid))
656 goto out_double_mount;
657
658 sbsec->flags |= ROOTCONTEXT_MNT;
659
660 break;
661 case DEFCONTEXT_MNT:
662 defcontext_sid = sid;
663
664 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
665 defcontext_sid))
666 goto out_double_mount;
667
668 sbsec->flags |= DEFCONTEXT_MNT;
669
670 break;
671 default:
672 rc = -EINVAL;
673 goto out;
1da177e4 674 }
c9180a57
EP		 675 }
676
677 if (sbsec->initialized) {
678 /* previously mounted with options, but not on this attempt? */
679 if (sbsec->flags && !num_opts)
680 goto out_double_mount;
681 rc = 0;
682 goto out;
683 }
684
685 if (strcmp(sb->s_type->name, "proc") == 0)
686 sbsec->proc = 1;
687
688 /* Determine the labeling behavior to use for this filesystem type. */
689 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
690 if (rc) {
691 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
692 __FUNCTION__, sb->s_type->name, rc);
693 goto out;
694 }
1da177e4 695
c9180a57
EP		 696 /* sets the context of the superblock for the fs being mounted. */
697 if (fscontext_sid) {
698
699 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
1da177e4 700 if (rc)
c9180a57 701 goto out;
1da177e4 702
c9180a57 703 sbsec->sid = fscontext_sid;
c312feb2
EP		 704 }
705
706 /*
707 * Switch to using mount point labeling behavior.
708 * sets the label used on all file below the mountpoint, and will set
709 * the superblock context if not already set.
710 */
c9180a57
EP		 711 if (context_sid) {
712 if (!fscontext_sid) {
713 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
b04ea3ce 714 if (rc)
c9180a57
EP		 715 goto out;
716 sbsec->sid = context_sid;
b04ea3ce 717 } else {
c9180a57 718 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
b04ea3ce 719 if (rc)
c9180a57 720 goto out;
b04ea3ce 721 }
c9180a57
EP		 722 if (!rootcontext_sid)
723 rootcontext_sid = context_sid;
1da177e4 724
c9180a57 725 sbsec->mntpoint_sid = context_sid;
c312feb2 726 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 727 }
728
c9180a57
EP		 729 if (rootcontext_sid) {
730 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
0808925e 731 if (rc)
c9180a57 732 goto out;
0808925e 733
c9180a57
EP		 734 root_isec->sid = rootcontext_sid;
735 root_isec->initialized = 1;
0808925e
EP		 736 }
737
c9180a57
EP		 738 if (defcontext_sid) {
739 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
740 rc = -EINVAL;
741 printk(KERN_WARNING "SELinux: defcontext option is "
742 "invalid for this filesystem type\n");
743 goto out;
1da177e4
LT		 744 }
745
c9180a57
EP		 746 if (defcontext_sid != sbsec->def_sid) {
747 rc = may_context_mount_inode_relabel(defcontext_sid,
748 sbsec, tsec);
749 if (rc)
750 goto out;
751 }
1da177e4 752
c9180a57 753 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 754 }
755
c9180a57 756 rc = sb_finish_set_opts(sb);
1da177e4 757out:
c9180a57 758 mutex_unlock(&sbsec->lock);
1da177e4 759 return rc;
c9180a57
EP		 760out_double_mount:
761 rc = -EINVAL;
762 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
763 "security settings for (dev %s, type %s)\n", sb->s_id, name);
764 goto out;
1da177e4
LT		 765}
766
c9180a57
EP		 767static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
768 struct super_block *newsb)
1da177e4 769{
c9180a57
EP		 770 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
771 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 772
c9180a57
EP		 773 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
774 int set_context = (oldsbsec->flags & CONTEXT_MNT);
775 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 776
c9180a57
EP		 777 /* we can't error, we can't save the info, this shouldn't get called
778 * this early in the boot process. */
779 BUG_ON(!ss_initialized);
780
781 /* this might go away sometime down the line if there is a new user
782 * of clone, but for now, nfs better not get here... */
783 BUG_ON(newsbsec->initialized);
784
785 /* how can we clone if the old one wasn't set up?? */
786 BUG_ON(!oldsbsec->initialized);
787
788 mutex_lock(&newsbsec->lock);
789
790 newsbsec->flags = oldsbsec->flags;
791
792 newsbsec->sid = oldsbsec->sid;
793 newsbsec->def_sid = oldsbsec->def_sid;
794 newsbsec->behavior = oldsbsec->behavior;
795
796 if (set_context) {
797 u32 sid = oldsbsec->mntpoint_sid;
798
799 if (!set_fscontext)
800 newsbsec->sid = sid;
801 if (!set_rootcontext) {
802 struct inode *newinode = newsb->s_root->d_inode;
803 struct inode_security_struct *newisec = newinode->i_security;
804 newisec->sid = sid;
805 }
806 newsbsec->mntpoint_sid = sid;
1da177e4 807 }
c9180a57
EP		 808 if (set_rootcontext) {
809 const struct inode *oldinode = oldsb->s_root->d_inode;
810 const struct inode_security_struct *oldisec = oldinode->i_security;
811 struct inode *newinode = newsb->s_root->d_inode;
812 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 813
c9180a57 814 newisec->sid = oldisec->sid;
1da177e4
LT		 815 }
816
c9180a57
EP		 817 sb_finish_set_opts(newsb);
818 mutex_unlock(&newsbsec->lock);
819}
820
821/*
822 * string mount options parsing and call set the sbsec
823 */
824static int superblock_doinit(struct super_block *sb, void *data)
825{
826 char *context = NULL, *defcontext = NULL;
827 char *fscontext = NULL, *rootcontext = NULL;
828 int rc = 0;
829 char *p, *options = data;
830 /* selinux only know about a fixed number of mount options */
831 char *mnt_opts[NUM_SEL_MNT_OPTS];
832 int mnt_opts_flags[NUM_SEL_MNT_OPTS], num_mnt_opts = 0;
833
834 if (!data)
1da177e4
LT		 835 goto out;
836
c9180a57
EP		 837 /* with the nfs patch this will become a goto out; */
838 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
839 const char *name = sb->s_type->name;
840 /* NFS we understand. */
841 if (!strcmp(name, "nfs")) {
842 struct nfs_mount_data *d = data;
843
844 if (d->version != NFS_MOUNT_VERSION)
845 goto out;
846
847 if (d->context[0]) {
848 context = kstrdup(d->context, GFP_KERNEL);
849 if (!context) {
850 rc = -ENOMEM;
851 goto out;
852 }
853 }
854 goto build_flags;
855 } else
1da177e4 856 goto out;
1da177e4
LT		 857 }
858
c9180a57
EP		 859 /* Standard string-based options. */
860 while ((p = strsep(&options, "|")) != NULL) {
861 int token;
862 substring_t args[MAX_OPT_ARGS];
1da177e4 863
c9180a57
EP		 864 if (!*p)
865 continue;
1da177e4 866
c9180a57 867 token = match_token(p, tokens, args);
1da177e4 868
c9180a57
EP		 869 switch (token) {
870 case Opt_context:
871 if (context || defcontext) {
872 rc = -EINVAL;
873 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
874 goto out_err;
875 }
876 context = match_strdup(&args[0]);
877 if (!context) {
878 rc = -ENOMEM;
879 goto out_err;
880 }
881 break;
882
883 case Opt_fscontext:
884 if (fscontext) {
885 rc = -EINVAL;
886 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
887 goto out_err;
888 }
889 fscontext = match_strdup(&args[0]);
890 if (!fscontext) {
891 rc = -ENOMEM;
892 goto out_err;
893 }
894 break;
895
896 case Opt_rootcontext:
897 if (rootcontext) {
898 rc = -EINVAL;
899 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
900 goto out_err;
901 }
902 rootcontext = match_strdup(&args[0]);
903 if (!rootcontext) {
904 rc = -ENOMEM;
905 goto out_err;
906 }
907 break;
908
909 case Opt_defcontext:
910 if (context || defcontext) {
911 rc = -EINVAL;
912 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
913 goto out_err;
914 }
915 defcontext = match_strdup(&args[0]);
916 if (!defcontext) {
917 rc = -ENOMEM;
918 goto out_err;
919 }
920 break;
921
922 default:
923 rc = -EINVAL;
924 printk(KERN_WARNING "SELinux: unknown mount option\n");
925 goto out_err;
1da177e4 926
1da177e4 927 }
1da177e4 928 }
c9180a57
EP		 929
930build_flags:
931 if (fscontext) {
932 mnt_opts[num_mnt_opts] = fscontext;
933 mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
934 }
935 if (context) {
936 mnt_opts[num_mnt_opts] = context;
937 mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
938 }
939 if (rootcontext) {
940 mnt_opts[num_mnt_opts] = rootcontext;
941 mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
942 }
943 if (defcontext) {
944 mnt_opts[num_mnt_opts] = defcontext;
945 mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
946 }
947
1da177e4 948out:
c9180a57
EP		 949 rc = selinux_set_mnt_opts(sb, mnt_opts, mnt_opts_flags, num_mnt_opts);
950out_err:
951 kfree(context);
952 kfree(defcontext);
953 kfree(fscontext);
954 kfree(rootcontext);
1da177e4
LT		 955 return rc;
956}
957
958static inline u16 inode_mode_to_security_class(umode_t mode)
959{
960 switch (mode & S_IFMT) {
961 case S_IFSOCK:
962 return SECCLASS_SOCK_FILE;
963 case S_IFLNK:
964 return SECCLASS_LNK_FILE;
965 case S_IFREG:
966 return SECCLASS_FILE;
967 case S_IFBLK:
968 return SECCLASS_BLK_FILE;
969 case S_IFDIR:
970 return SECCLASS_DIR;
971 case S_IFCHR:
972 return SECCLASS_CHR_FILE;
973 case S_IFIFO:
974 return SECCLASS_FIFO_FILE;
975
976 }
977
978 return SECCLASS_FILE;
979}
980
13402580
JM		 981static inline int default_protocol_stream(int protocol)
982{
983 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
984}
985
986static inline int default_protocol_dgram(int protocol)
987{
988 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
989}
990
1da177e4
LT		 991static inline u16 socket_type_to_security_class(int family, int type, int protocol)
992{
993 switch (family) {
994 case PF_UNIX:
995 switch (type) {
996 case SOCK_STREAM:
997 case SOCK_SEQPACKET:
998 return SECCLASS_UNIX_STREAM_SOCKET;
999 case SOCK_DGRAM:
1000 return SECCLASS_UNIX_DGRAM_SOCKET;
1001 }
1002 break;
1003 case PF_INET:
1004 case PF_INET6:
1005 switch (type) {
1006 case SOCK_STREAM:
13402580
JM		 1007 if (default_protocol_stream(protocol))
1008 return SECCLASS_TCP_SOCKET;
1009 else
1010 return SECCLASS_RAWIP_SOCKET;
1da177e4 1011 case SOCK_DGRAM:
13402580
JM		 1012 if (default_protocol_dgram(protocol))
1013 return SECCLASS_UDP_SOCKET;
1014 else
1015 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1016 case SOCK_DCCP:
1017 return SECCLASS_DCCP_SOCKET;
13402580 1018 default:
1da177e4
LT		 1019 return SECCLASS_RAWIP_SOCKET;
1020 }
1021 break;
1022 case PF_NETLINK:
1023 switch (protocol) {
1024 case NETLINK_ROUTE:
1025 return SECCLASS_NETLINK_ROUTE_SOCKET;
1026 case NETLINK_FIREWALL:
1027 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 1028 case NETLINK_INET_DIAG:
1da177e4
LT		 1029 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1030 case NETLINK_NFLOG:
1031 return SECCLASS_NETLINK_NFLOG_SOCKET;
1032 case NETLINK_XFRM:
1033 return SECCLASS_NETLINK_XFRM_SOCKET;
1034 case NETLINK_SELINUX:
1035 return SECCLASS_NETLINK_SELINUX_SOCKET;
1036 case NETLINK_AUDIT:
1037 return SECCLASS_NETLINK_AUDIT_SOCKET;
1038 case NETLINK_IP6_FW:
1039 return SECCLASS_NETLINK_IP6FW_SOCKET;
1040 case NETLINK_DNRTMSG:
1041 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1042 case NETLINK_KOBJECT_UEVENT:
1043 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1044 default:
1045 return SECCLASS_NETLINK_SOCKET;
1046 }
1047 case PF_PACKET:
1048 return SECCLASS_PACKET_SOCKET;
1049 case PF_KEY:
1050 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1051 case PF_APPLETALK:
1052 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1053 }
1054
1055 return SECCLASS_SOCKET;
1056}
1057
1058#ifdef CONFIG_PROC_FS
1059static int selinux_proc_get_sid(struct proc_dir_entry *de,
1060 u16 tclass,
1061 u32 *sid)
1062{
1063 int buflen, rc;
1064 char *buffer, *path, *end;
1065
1066 buffer = (char*)__get_free_page(GFP_KERNEL);
1067 if (!buffer)
1068 return -ENOMEM;
1069
1070 buflen = PAGE_SIZE;
1071 end = buffer+buflen;
1072 *--end = '\0';
1073 buflen--;
1074 path = end-1;
1075 *path = '/';
1076 while (de && de != de->parent) {
1077 buflen -= de->namelen + 1;
1078 if (buflen < 0)
1079 break;
1080 end -= de->namelen;
1081 memcpy(end, de->name, de->namelen);
1082 *--end = '/';
1083 path = end;
1084 de = de->parent;
1085 }
1086 rc = security_genfs_sid("proc", path, tclass, sid);
1087 free_page((unsigned long)buffer);
1088 return rc;
1089}
1090#else
1091static int selinux_proc_get_sid(struct proc_dir_entry *de,
1092 u16 tclass,
1093 u32 *sid)
1094{
1095 return -EINVAL;
1096}
1097#endif
1098
1099/* The inode's security attributes must be initialized before first use. */
1100static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1101{
1102 struct superblock_security_struct *sbsec = NULL;
1103 struct inode_security_struct *isec = inode->i_security;
1104 u32 sid;
1105 struct dentry *dentry;
1106#define INITCONTEXTLEN 255
1107 char *context = NULL;
1108 unsigned len = 0;
1109 int rc = 0;
1da177e4
LT		 1110
1111 if (isec->initialized)
1112 goto out;
1113
23970741 1114 mutex_lock(&isec->lock);
1da177e4 1115 if (isec->initialized)
23970741 1116 goto out_unlock;
1da177e4
LT		 1117
1118 sbsec = inode->i_sb->s_security;
1119 if (!sbsec->initialized) {
1120 /* Defer initialization until selinux_complete_init,
1121 after the initial policy is loaded and the security
1122 server is ready to handle calls. */
1123 spin_lock(&sbsec->isec_lock);
1124 if (list_empty(&isec->list))
1125 list_add(&isec->list, &sbsec->isec_head);
1126 spin_unlock(&sbsec->isec_lock);
23970741 1127 goto out_unlock;
1da177e4
LT		 1128 }
1129
1130 switch (sbsec->behavior) {
1131 case SECURITY_FS_USE_XATTR:
1132 if (!inode->i_op->getxattr) {
1133 isec->sid = sbsec->def_sid;
1134 break;
1135 }
1136
1137 /* Need a dentry, since the xattr API requires one.
1138 Life would be simpler if we could just pass the inode. */
1139 if (opt_dentry) {
1140 /* Called from d_instantiate or d_splice_alias. */
1141 dentry = dget(opt_dentry);
1142 } else {
1143 /* Called from selinux_complete_init, try to find a dentry. */
1144 dentry = d_find_alias(inode);
1145 }
1146 if (!dentry) {
1147 printk(KERN_WARNING "%s: no dentry for dev=%s "
1148 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1149 inode->i_ino);
23970741 1150 goto out_unlock;
1da177e4
LT		 1151 }
1152
1153 len = INITCONTEXTLEN;
1154 context = kmalloc(len, GFP_KERNEL);
1155 if (!context) {
1156 rc = -ENOMEM;
1157 dput(dentry);
23970741 1158 goto out_unlock;
1da177e4
LT		 1159 }
1160 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1161 context, len);
1162 if (rc == -ERANGE) {
1163 /* Need a larger buffer. Query for the right size. */
1164 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1165 NULL, 0);
1166 if (rc < 0) {
1167 dput(dentry);
23970741 1168 goto out_unlock;
1da177e4
LT		 1169 }
1170 kfree(context);
1171 len = rc;
1172 context = kmalloc(len, GFP_KERNEL);
1173 if (!context) {
1174 rc = -ENOMEM;
1175 dput(dentry);
23970741 1176 goto out_unlock;
1da177e4
LT		 1177 }
1178 rc = inode->i_op->getxattr(dentry,
1179 XATTR_NAME_SELINUX,
1180 context, len);
1181 }
1182 dput(dentry);
1183 if (rc < 0) {
1184 if (rc != -ENODATA) {
1185 printk(KERN_WARNING "%s: getxattr returned "
1186 "%d for dev=%s ino=%ld\n", __FUNCTION__,
1187 -rc, inode->i_sb->s_id, inode->i_ino);
1188 kfree(context);
23970741 1189 goto out_unlock;
1da177e4
LT		 1190 }
1191 /* Map ENODATA to the default file SID */
1192 sid = sbsec->def_sid;
1193 rc = 0;
1194 } else {
f5c1d5b2
JM		 1195 rc = security_context_to_sid_default(context, rc, &sid,
1196 sbsec->def_sid);
1da177e4
LT		 1197 if (rc) {
1198 printk(KERN_WARNING "%s: context_to_sid(%s) "
1199 "returned %d for dev=%s ino=%ld\n",
1200 __FUNCTION__, context, -rc,
1201 inode->i_sb->s_id, inode->i_ino);
1202 kfree(context);
1203 /* Leave with the unlabeled SID */
1204 rc = 0;
1205 break;
1206 }
1207 }
1208 kfree(context);
1209 isec->sid = sid;
1210 break;
1211 case SECURITY_FS_USE_TASK:
1212 isec->sid = isec->task_sid;
1213 break;
1214 case SECURITY_FS_USE_TRANS:
1215 /* Default to the fs SID. */
1216 isec->sid = sbsec->sid;
1217
1218 /* Try to obtain a transition SID. */
1219 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1220 rc = security_transition_sid(isec->task_sid,
1221 sbsec->sid,
1222 isec->sclass,
1223 &sid);
1224 if (rc)
23970741 1225 goto out_unlock;
1da177e4
LT		 1226 isec->sid = sid;
1227 break;
c312feb2
EP		 1228 case SECURITY_FS_USE_MNTPOINT:
1229 isec->sid = sbsec->mntpoint_sid;
1230 break;
1da177e4 1231 default:
c312feb2 1232 /* Default to the fs superblock SID. */
1da177e4
LT		 1233 isec->sid = sbsec->sid;
1234
1235 if (sbsec->proc) {
1236 struct proc_inode *proci = PROC_I(inode);
1237 if (proci->pde) {
1238 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1239 rc = selinux_proc_get_sid(proci->pde,
1240 isec->sclass,
1241 &sid);
1242 if (rc)
23970741 1243 goto out_unlock;
1da177e4
LT		 1244 isec->sid = sid;
1245 }
1246 }
1247 break;
1248 }
1249
1250 isec->initialized = 1;
1251
23970741
EP		 1252out_unlock:
1253 mutex_unlock(&isec->lock);
1da177e4
LT		 1254out:
1255 if (isec->sclass == SECCLASS_FILE)
1256 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1257 return rc;
1258}
1259
1260/* Convert a Linux signal to an access vector. */
1261static inline u32 signal_to_av(int sig)
1262{
1263 u32 perm = 0;
1264
1265 switch (sig) {
1266 case SIGCHLD:
1267 /* Commonly granted from child to parent. */
1268 perm = PROCESS__SIGCHLD;
1269 break;
1270 case SIGKILL:
1271 /* Cannot be caught or ignored */
1272 perm = PROCESS__SIGKILL;
1273 break;
1274 case SIGSTOP:
1275 /* Cannot be caught or ignored */
1276 perm = PROCESS__SIGSTOP;
1277 break;
1278 default:
1279 /* All other signals. */
1280 perm = PROCESS__SIGNAL;
1281 break;
1282 }
1283
1284 return perm;
1285}
1286
1287/* Check permission betweeen a pair of tasks, e.g. signal checks,
1288 fork check, ptrace check, etc. */
1289static int task_has_perm(struct task_struct *tsk1,
1290 struct task_struct *tsk2,
1291 u32 perms)
1292{
1293 struct task_security_struct *tsec1, *tsec2;
1294
1295 tsec1 = tsk1->security;
1296 tsec2 = tsk2->security;
1297 return avc_has_perm(tsec1->sid, tsec2->sid,
1298 SECCLASS_PROCESS, perms, NULL);
1299}
1300
1301/* Check whether a task is allowed to use a capability. */
1302static int task_has_capability(struct task_struct *tsk,
1303 int cap)
1304{
1305 struct task_security_struct *tsec;
1306 struct avc_audit_data ad;
1307
1308 tsec = tsk->security;
1309
1310 AVC_AUDIT_DATA_INIT(&ad,CAP);
1311 ad.tsk = tsk;
1312 ad.u.cap = cap;
1313
1314 return avc_has_perm(tsec->sid, tsec->sid,
1315 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1316}
1317
1318/* Check whether a task is allowed to use a system operation. */
1319static int task_has_system(struct task_struct *tsk,
1320 u32 perms)
1321{
1322 struct task_security_struct *tsec;
1323
1324 tsec = tsk->security;
1325
1326 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1327 SECCLASS_SYSTEM, perms, NULL);
1328}
1329
1330/* Check whether a task has a particular permission to an inode.
1331 The 'adp' parameter is optional and allows other audit
1332 data to be passed (e.g. the dentry). */
1333static int inode_has_perm(struct task_struct *tsk,
1334 struct inode *inode,
1335 u32 perms,
1336 struct avc_audit_data *adp)
1337{
1338 struct task_security_struct *tsec;
1339 struct inode_security_struct *isec;
1340 struct avc_audit_data ad;
1341
bbaca6c2
SS		 1342 if (unlikely (IS_PRIVATE (inode)))
1343 return 0;
1344
1da177e4
LT		 1345 tsec = tsk->security;
1346 isec = inode->i_security;
1347
1348 if (!adp) {
1349 adp = &ad;
1350 AVC_AUDIT_DATA_INIT(&ad, FS);
1351 ad.u.fs.inode = inode;
1352 }
1353
1354 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1355}
1356
1357/* Same as inode_has_perm, but pass explicit audit data containing
1358 the dentry to help the auditing code to more easily generate the
1359 pathname if needed. */
1360static inline int dentry_has_perm(struct task_struct *tsk,
1361 struct vfsmount *mnt,
1362 struct dentry *dentry,
1363 u32 av)
1364{
1365 struct inode *inode = dentry->d_inode;
1366 struct avc_audit_data ad;
1367 AVC_AUDIT_DATA_INIT(&ad,FS);
1368 ad.u.fs.mnt = mnt;
1369 ad.u.fs.dentry = dentry;
1370 return inode_has_perm(tsk, inode, av, &ad);
1371}
1372
1373/* Check whether a task can use an open file descriptor to
1374 access an inode in a given way. Check access to the
1375 descriptor itself, and then use dentry_has_perm to
1376 check a particular permission to the file.
1377 Access to the descriptor is implicitly granted if it
1378 has the same SID as the process. If av is zero, then
1379 access to the file is not checked, e.g. for cases
1380 where only the descriptor is affected like seek. */
858119e1 1381static int file_has_perm(struct task_struct *tsk,
1da177e4
LT		 1382 struct file *file,
1383 u32 av)
1384{
1385 struct task_security_struct *tsec = tsk->security;
1386 struct file_security_struct *fsec = file->f_security;
3d5ff529
JS		 1387 struct vfsmount *mnt = file->f_path.mnt;
1388 struct dentry *dentry = file->f_path.dentry;
1da177e4
LT		 1389 struct inode *inode = dentry->d_inode;
1390 struct avc_audit_data ad;
1391 int rc;
1392
1393 AVC_AUDIT_DATA_INIT(&ad, FS);
1394 ad.u.fs.mnt = mnt;
1395 ad.u.fs.dentry = dentry;
1396
1397 if (tsec->sid != fsec->sid) {
1398 rc = avc_has_perm(tsec->sid, fsec->sid,
1399 SECCLASS_FD,
1400 FD__USE,
1401 &ad);
1402 if (rc)
1403 return rc;
1404 }
1405
1406 /* av is zero if only checking access to the descriptor. */
1407 if (av)
1408 return inode_has_perm(tsk, inode, av, &ad);
1409
1410 return 0;
1411}
1412
1413/* Check whether a task can create a file. */
1414static int may_create(struct inode *dir,
1415 struct dentry *dentry,
1416 u16 tclass)
1417{
1418 struct task_security_struct *tsec;
1419 struct inode_security_struct *dsec;
1420 struct superblock_security_struct *sbsec;
1421 u32 newsid;
1422 struct avc_audit_data ad;
1423 int rc;
1424
1425 tsec = current->security;
1426 dsec = dir->i_security;
1427 sbsec = dir->i_sb->s_security;
1428
1429 AVC_AUDIT_DATA_INIT(&ad, FS);
1430 ad.u.fs.dentry = dentry;
1431
1432 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1433 DIR__ADD_NAME | DIR__SEARCH,
1434 &ad);
1435 if (rc)
1436 return rc;
1437
1438 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1439 newsid = tsec->create_sid;
1440 } else {
1441 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1442 &newsid);
1443 if (rc)
1444 return rc;
1445 }
1446
1447 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1448 if (rc)
1449 return rc;
1450
1451 return avc_has_perm(newsid, sbsec->sid,
1452 SECCLASS_FILESYSTEM,
1453 FILESYSTEM__ASSOCIATE, &ad);
1454}
1455
4eb582cf
ML		 1456/* Check whether a task can create a key. */
1457static int may_create_key(u32 ksid,
1458 struct task_struct *ctx)
1459{
1460 struct task_security_struct *tsec;
1461
1462 tsec = ctx->security;
1463
1464 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1465}
1466
1da177e4
LT		 1467#define MAY_LINK 0
1468#define MAY_UNLINK 1
1469#define MAY_RMDIR 2
1470
1471/* Check whether a task can link, unlink, or rmdir a file/directory. */
1472static int may_link(struct inode *dir,
1473 struct dentry *dentry,
1474 int kind)
1475
1476{
1477 struct task_security_struct *tsec;
1478 struct inode_security_struct *dsec, *isec;
1479 struct avc_audit_data ad;
1480 u32 av;
1481 int rc;
1482
1483 tsec = current->security;
1484 dsec = dir->i_security;
1485 isec = dentry->d_inode->i_security;
1486
1487 AVC_AUDIT_DATA_INIT(&ad, FS);
1488 ad.u.fs.dentry = dentry;
1489
1490 av = DIR__SEARCH;
1491 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1492 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1493 if (rc)
1494 return rc;
1495
1496 switch (kind) {
1497 case MAY_LINK:
1498 av = FILE__LINK;
1499 break;
1500 case MAY_UNLINK:
1501 av = FILE__UNLINK;
1502 break;
1503 case MAY_RMDIR:
1504 av = DIR__RMDIR;
1505 break;
1506 default:
1507 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1508 return 0;
1509 }
1510
1511 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1512 return rc;
1513}
1514
1515static inline int may_rename(struct inode *old_dir,
1516 struct dentry *old_dentry,
1517 struct inode *new_dir,
1518 struct dentry *new_dentry)
1519{
1520 struct task_security_struct *tsec;
1521 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1522 struct avc_audit_data ad;
1523 u32 av;
1524 int old_is_dir, new_is_dir;
1525 int rc;
1526
1527 tsec = current->security;
1528 old_dsec = old_dir->i_security;
1529 old_isec = old_dentry->d_inode->i_security;
1530 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1531 new_dsec = new_dir->i_security;
1532
1533 AVC_AUDIT_DATA_INIT(&ad, FS);
1534
1535 ad.u.fs.dentry = old_dentry;
1536 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1537 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1538 if (rc)
1539 return rc;
1540 rc = avc_has_perm(tsec->sid, old_isec->sid,
1541 old_isec->sclass, FILE__RENAME, &ad);
1542 if (rc)
1543 return rc;
1544 if (old_is_dir && new_dir != old_dir) {
1545 rc = avc_has_perm(tsec->sid, old_isec->sid,
1546 old_isec->sclass, DIR__REPARENT, &ad);
1547 if (rc)
1548 return rc;
1549 }
1550
1551 ad.u.fs.dentry = new_dentry;
1552 av = DIR__ADD_NAME | DIR__SEARCH;
1553 if (new_dentry->d_inode)
1554 av |= DIR__REMOVE_NAME;
1555 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1556 if (rc)
1557 return rc;
1558 if (new_dentry->d_inode) {
1559 new_isec = new_dentry->d_inode->i_security;
1560 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1561 rc = avc_has_perm(tsec->sid, new_isec->sid,
1562 new_isec->sclass,
1563 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1564 if (rc)
1565 return rc;
1566 }
1567
1568 return 0;
1569}
1570
1571/* Check whether a task can perform a filesystem operation. */
1572static int superblock_has_perm(struct task_struct *tsk,
1573 struct super_block *sb,
1574 u32 perms,
1575 struct avc_audit_data *ad)
1576{
1577 struct task_security_struct *tsec;
1578 struct superblock_security_struct *sbsec;
1579
1580 tsec = tsk->security;
1581 sbsec = sb->s_security;
1582 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1583 perms, ad);
1584}
1585
1586/* Convert a Linux mode and permission mask to an access vector. */
1587static inline u32 file_mask_to_av(int mode, int mask)
1588{
1589 u32 av = 0;
1590
1591 if ((mode & S_IFMT) != S_IFDIR) {
1592 if (mask & MAY_EXEC)
1593 av |= FILE__EXECUTE;
1594 if (mask & MAY_READ)
1595 av |= FILE__READ;
1596
1597 if (mask & MAY_APPEND)
1598 av |= FILE__APPEND;
1599 else if (mask & MAY_WRITE)
1600 av |= FILE__WRITE;
1601
1602 } else {
1603 if (mask & MAY_EXEC)
1604 av |= DIR__SEARCH;
1605 if (mask & MAY_WRITE)
1606 av |= DIR__WRITE;
1607 if (mask & MAY_READ)
1608 av |= DIR__READ;
1609 }
1610
1611 return av;
1612}
1613
1614/* Convert a Linux file to an access vector. */
1615static inline u32 file_to_av(struct file *file)
1616{
1617 u32 av = 0;
1618
1619 if (file->f_mode & FMODE_READ)
1620 av |= FILE__READ;
1621 if (file->f_mode & FMODE_WRITE) {
1622 if (file->f_flags & O_APPEND)
1623 av |= FILE__APPEND;
1624 else
1625 av |= FILE__WRITE;
1626 }
1627
1628 return av;
1629}
1630
1da177e4
LT		 1631/* Hook functions begin here. */
1632
1633static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1634{
1635 struct task_security_struct *psec = parent->security;
1636 struct task_security_struct *csec = child->security;
1637 int rc;
1638
1639 rc = secondary_ops->ptrace(parent,child);
1640 if (rc)
1641 return rc;
1642
1643 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1644 /* Save the SID of the tracing process for later use in apply_creds. */
341c2d80 1645 if (!(child->ptrace & PT_PTRACED) && !rc)
1da177e4
LT		 1646 csec->ptrace_sid = psec->sid;
1647 return rc;
1648}
1649
1650static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1651 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1652{
1653 int error;
1654
1655 error = task_has_perm(current, target, PROCESS__GETCAP);
1656 if (error)
1657 return error;
1658
1659 return secondary_ops->capget(target, effective, inheritable, permitted);
1660}
1661
1662static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1663 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1664{
1665 int error;
1666
1667 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1668 if (error)
1669 return error;
1670
1671 return task_has_perm(current, target, PROCESS__SETCAP);
1672}
1673
1674static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1675 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1676{
1677 secondary_ops->capset_set(target, effective, inheritable, permitted);
1678}
1679
1680static int selinux_capable(struct task_struct *tsk, int cap)
1681{
1682 int rc;
1683
1684 rc = secondary_ops->capable(tsk, cap);
1685 if (rc)
1686 return rc;
1687
1688 return task_has_capability(tsk,cap);
1689}
1690
3fbfa981
EB		 1691static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1692{
1693 int buflen, rc;
1694 char *buffer, *path, *end;
1695
1696 rc = -ENOMEM;
1697 buffer = (char*)__get_free_page(GFP_KERNEL);
1698 if (!buffer)
1699 goto out;
1700
1701 buflen = PAGE_SIZE;
1702 end = buffer+buflen;
1703 *--end = '\0';
1704 buflen--;
1705 path = end-1;
1706 *path = '/';
1707 while (table) {
1708 const char *name = table->procname;
1709 size_t namelen = strlen(name);
1710 buflen -= namelen + 1;
1711 if (buflen < 0)
1712 goto out_free;
1713 end -= namelen;
1714 memcpy(end, name, namelen);
1715 *--end = '/';
1716 path = end;
1717 table = table->parent;
1718 }
b599fdfd
EB		 1719 buflen -= 4;
1720 if (buflen < 0)
1721 goto out_free;
1722 end -= 4;
1723 memcpy(end, "/sys", 4);
1724 path = end;
3fbfa981
EB		 1725 rc = security_genfs_sid("proc", path, tclass, sid);
1726out_free:
1727 free_page((unsigned long)buffer);
1728out:
1729 return rc;
1730}
1731
1da177e4
LT		 1732static int selinux_sysctl(ctl_table *table, int op)
1733{
1734 int error = 0;
1735 u32 av;
1736 struct task_security_struct *tsec;
1737 u32 tsid;
1738 int rc;
1739
1740 rc = secondary_ops->sysctl(table, op);
1741 if (rc)
1742 return rc;
1743
1744 tsec = current->security;
1745
3fbfa981
EB		 1746 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1747 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1da177e4
LT		 1748 if (rc) {
1749 /* Default to the well-defined sysctl SID. */
1750 tsid = SECINITSID_SYSCTL;
1751 }
1752
1753 /* The op values are "defined" in sysctl.c, thereby creating
1754 * a bad coupling between this module and sysctl.c */
1755 if(op == 001) {
1756 error = avc_has_perm(tsec->sid, tsid,
1757 SECCLASS_DIR, DIR__SEARCH, NULL);
1758 } else {
1759 av = 0;
1760 if (op & 004)
1761 av |= FILE__READ;
1762 if (op & 002)
1763 av |= FILE__WRITE;
1764 if (av)
1765 error = avc_has_perm(tsec->sid, tsid,
1766 SECCLASS_FILE, av, NULL);
1767 }
1768
1769 return error;
1770}
1771
1772static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1773{
1774 int rc = 0;
1775
1776 if (!sb)
1777 return 0;
1778
1779 switch (cmds) {
1780 case Q_SYNC:
1781 case Q_QUOTAON:
1782 case Q_QUOTAOFF:
1783 case Q_SETINFO:
1784 case Q_SETQUOTA:
1785 rc = superblock_has_perm(current,
1786 sb,
1787 FILESYSTEM__QUOTAMOD, NULL);
1788 break;
1789 case Q_GETFMT:
1790 case Q_GETINFO:
1791 case Q_GETQUOTA:
1792 rc = superblock_has_perm(current,
1793 sb,
1794 FILESYSTEM__QUOTAGET, NULL);
1795 break;
1796 default:
1797 rc = 0; /* let the kernel handle invalid cmds */
1798 break;
1799 }
1800 return rc;
1801}
1802
1803static int selinux_quota_on(struct dentry *dentry)
1804{
1805 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1806}
1807
1808static int selinux_syslog(int type)
1809{
1810 int rc;
1811
1812 rc = secondary_ops->syslog(type);
1813 if (rc)
1814 return rc;
1815
1816 switch (type) {
1817 case 3: /* Read last kernel messages */
1818 case 10: /* Return size of the log buffer */
1819 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1820 break;
1821 case 6: /* Disable logging to console */
1822 case 7: /* Enable logging to console */
1823 case 8: /* Set level of messages printed to console */
1824 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1825 break;
1826 case 0: /* Close log */
1827 case 1: /* Open log */
1828 case 2: /* Read from log */
1829 case 4: /* Read/clear last kernel messages */
1830 case 5: /* Clear ring buffer */
1831 default:
1832 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1833 break;
1834 }
1835 return rc;
1836}
1837
1838/*
1839 * Check that a process has enough memory to allocate a new virtual
1840 * mapping. 0 means there is enough memory for the allocation to
1841 * succeed and -ENOMEM implies there is not.
1842 *
1843 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1844 * if the capability is granted, but __vm_enough_memory requires 1 if
1845 * the capability is granted.
1846 *
1847 * Do not audit the selinux permission check, as this is applied to all
1848 * processes that allocate mappings.
1849 */
34b4e4aa 1850static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 1851{
1852 int rc, cap_sys_admin = 0;
1853 struct task_security_struct *tsec = current->security;
1854
1855 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1856 if (rc == 0)
1857 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2c3c05db
SS		 1858 SECCLASS_CAPABILITY,
1859 CAP_TO_MASK(CAP_SYS_ADMIN),
1860 0,
1861 NULL);
1da177e4
LT		 1862
1863 if (rc == 0)
1864 cap_sys_admin = 1;
1865
34b4e4aa 1866 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 1867}
1868
1869/* binprm security operations */
1870
1871static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1872{
1873 struct bprm_security_struct *bsec;
1874
89d155ef 1875 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1da177e4
LT		 1876 if (!bsec)
1877 return -ENOMEM;
1878
1da177e4
LT		 1879 bsec->bprm = bprm;
1880 bsec->sid = SECINITSID_UNLABELED;
1881 bsec->set = 0;
1882
1883 bprm->security = bsec;
1884 return 0;
1885}
1886
1887static int selinux_bprm_set_security(struct linux_binprm *bprm)
1888{
1889 struct task_security_struct *tsec;
3d5ff529 1890 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1da177e4
LT		 1891 struct inode_security_struct *isec;
1892 struct bprm_security_struct *bsec;
1893 u32 newsid;
1894 struct avc_audit_data ad;
1895 int rc;
1896
1897 rc = secondary_ops->bprm_set_security(bprm);
1898 if (rc)
1899 return rc;
1900
1901 bsec = bprm->security;
1902
1903 if (bsec->set)
1904 return 0;
1905
1906 tsec = current->security;
1907 isec = inode->i_security;
1908
1909 /* Default to the current task SID. */
1910 bsec->sid = tsec->sid;
1911
28eba5bf 1912 /* Reset fs, key, and sock SIDs on execve. */
1da177e4 1913 tsec->create_sid = 0;
28eba5bf 1914 tsec->keycreate_sid = 0;
42c3e03e 1915 tsec->sockcreate_sid = 0;
1da177e4
LT		 1916
1917 if (tsec->exec_sid) {
1918 newsid = tsec->exec_sid;
1919 /* Reset exec SID on execve. */
1920 tsec->exec_sid = 0;
1921 } else {
1922 /* Check for a default transition on this program. */
1923 rc = security_transition_sid(tsec->sid, isec->sid,
1924 SECCLASS_PROCESS, &newsid);
1925 if (rc)
1926 return rc;
1927 }
1928
1929 AVC_AUDIT_DATA_INIT(&ad, FS);
3d5ff529
JS		 1930 ad.u.fs.mnt = bprm->file->f_path.mnt;
1931 ad.u.fs.dentry = bprm->file->f_path.dentry;
1da177e4 1932
3d5ff529 1933 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1da177e4
LT		 1934 newsid = tsec->sid;
1935
1936 if (tsec->sid == newsid) {
1937 rc = avc_has_perm(tsec->sid, isec->sid,
1938 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1939 if (rc)
1940 return rc;
1941 } else {
1942 /* Check permissions for the transition. */
1943 rc = avc_has_perm(tsec->sid, newsid,
1944 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1945 if (rc)
1946 return rc;
1947
1948 rc = avc_has_perm(newsid, isec->sid,
1949 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1950 if (rc)
1951 return rc;
1952
1953 /* Clear any possibly unsafe personality bits on exec: */
1954 current->personality &= ~PER_CLEAR_ON_SETID;
1955
1956 /* Set the security field to the new SID. */
1957 bsec->sid = newsid;
1958 }
1959
1960 bsec->set = 1;
1961 return 0;
1962}
1963
1964static int selinux_bprm_check_security (struct linux_binprm *bprm)
1965{
1966 return secondary_ops->bprm_check_security(bprm);
1967}
1968
1969
1970static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1971{
1972 struct task_security_struct *tsec = current->security;
1973 int atsecure = 0;
1974
1975 if (tsec->osid != tsec->sid) {
1976 /* Enable secure mode for SIDs transitions unless
1977 the noatsecure permission is granted between
1978 the two SIDs, i.e. ahp returns 0. */
1979 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1980 SECCLASS_PROCESS,
1981 PROCESS__NOATSECURE, NULL);
1982 }
1983
1984 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1985}
1986
1987static void selinux_bprm_free_security(struct linux_binprm *bprm)
1988{
9a5f04bf 1989 kfree(bprm->security);
1da177e4 1990 bprm->security = NULL;
1da177e4
LT		 1991}
1992
1993extern struct vfsmount *selinuxfs_mount;
1994extern struct dentry *selinux_null;
1995
1996/* Derived from fs/exec.c:flush_old_files. */
1997static inline void flush_unauthorized_files(struct files_struct * files)
1998{
1999 struct avc_audit_data ad;
2000 struct file *file, *devnull = NULL;
b20c8122 2001 struct tty_struct *tty;
badf1662 2002 struct fdtable *fdt;
1da177e4 2003 long j = -1;
24ec839c 2004 int drop_tty = 0;
1da177e4 2005
b20c8122 2006 mutex_lock(&tty_mutex);
24ec839c 2007 tty = get_current_tty();
1da177e4
LT		 2008 if (tty) {
2009 file_list_lock();
2f512016 2010 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1da177e4
LT		 2011 if (file) {
2012 /* Revalidate access to controlling tty.
2013 Use inode_has_perm on the tty inode directly rather
2014 than using file_has_perm, as this particular open
2015 file may belong to another process and we are only
2016 interested in the inode-based check here. */
3d5ff529 2017 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2018 if (inode_has_perm(current, inode,
2019 FILE__READ | FILE__WRITE, NULL)) {
24ec839c 2020 drop_tty = 1;
1da177e4
LT		 2021 }
2022 }
2023 file_list_unlock();
2024 }
b20c8122 2025 mutex_unlock(&tty_mutex);
98a27ba4
EB		 2026 /* Reset controlling tty. */
2027 if (drop_tty)
2028 no_tty();
1da177e4
LT		 2029
2030 /* Revalidate access to inherited open files. */
2031
2032 AVC_AUDIT_DATA_INIT(&ad,FS);
2033
2034 spin_lock(&files->file_lock);
2035 for (;;) {
2036 unsigned long set, i;
2037 int fd;
2038
2039 j++;
2040 i = j * __NFDBITS;
badf1662 2041 fdt = files_fdtable(files);
bbea9f69 2042 if (i >= fdt->max_fds)
1da177e4 2043 break;
badf1662 2044 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 2045 if (!set)
2046 continue;
2047 spin_unlock(&files->file_lock);
2048 for ( ; set ; i++,set >>= 1) {
2049 if (set & 1) {
2050 file = fget(i);
2051 if (!file)
2052 continue;
2053 if (file_has_perm(current,
2054 file,
2055 file_to_av(file))) {
2056 sys_close(i);
2057 fd = get_unused_fd();
2058 if (fd != i) {
2059 if (fd >= 0)
2060 put_unused_fd(fd);
2061 fput(file);
2062 continue;
2063 }
2064 if (devnull) {
095975da 2065 get_file(devnull);
1da177e4
LT		 2066 } else {
2067 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
fc5d81e6
AM		 2068 if (IS_ERR(devnull)) {
2069 devnull = NULL;
1da177e4
LT		 2070 put_unused_fd(fd);
2071 fput(file);
2072 continue;
2073 }
2074 }
2075 fd_install(fd, devnull);
2076 }
2077 fput(file);
2078 }
2079 }
2080 spin_lock(&files->file_lock);
2081
2082 }
2083 spin_unlock(&files->file_lock);
2084}
2085
2086static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2087{
2088 struct task_security_struct *tsec;
2089 struct bprm_security_struct *bsec;
2090 u32 sid;
2091 int rc;
2092
2093 secondary_ops->bprm_apply_creds(bprm, unsafe);
2094
2095 tsec = current->security;
2096
2097 bsec = bprm->security;
2098 sid = bsec->sid;
2099
2100 tsec->osid = tsec->sid;
2101 bsec->unsafe = 0;
2102 if (tsec->sid != sid) {
2103 /* Check for shared state. If not ok, leave SID
2104 unchanged and kill. */
2105 if (unsafe & LSM_UNSAFE_SHARE) {
2106 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2107 PROCESS__SHARE, NULL);
2108 if (rc) {
2109 bsec->unsafe = 1;
2110 return;
2111 }
2112 }
2113
2114 /* Check for ptracing, and update the task SID if ok.
2115 Otherwise, leave SID unchanged and kill. */
2116 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2117 rc = avc_has_perm(tsec->ptrace_sid, sid,
2118 SECCLASS_PROCESS, PROCESS__PTRACE,
2119 NULL);
2120 if (rc) {
2121 bsec->unsafe = 1;
2122 return;
2123 }
2124 }
2125 tsec->sid = sid;
2126 }
2127}
2128
2129/*
2130 * called after apply_creds without the task lock held
2131 */
2132static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2133{
2134 struct task_security_struct *tsec;
2135 struct rlimit *rlim, *initrlim;
2136 struct itimerval itimer;
2137 struct bprm_security_struct *bsec;
2138 int rc, i;
2139
2140 tsec = current->security;
2141 bsec = bprm->security;
2142
2143 if (bsec->unsafe) {
2144 force_sig_specific(SIGKILL, current);
2145 return;
2146 }
2147 if (tsec->osid == tsec->sid)
2148 return;
2149
2150 /* Close files for which the new task SID is not authorized. */
2151 flush_unauthorized_files(current->files);
2152
2153 /* Check whether the new SID can inherit signal state
2154 from the old SID. If not, clear itimers to avoid
2155 subsequent signal generation and flush and unblock
2156 signals. This must occur _after_ the task SID has
2157 been updated so that any kill done after the flush
2158 will be checked against the new SID. */
2159 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2160 PROCESS__SIGINH, NULL);
2161 if (rc) {
2162 memset(&itimer, 0, sizeof itimer);
2163 for (i = 0; i < 3; i++)
2164 do_setitimer(i, &itimer, NULL);
2165 flush_signals(current);
2166 spin_lock_irq(&current->sighand->siglock);
2167 flush_signal_handlers(current, 1);
2168 sigemptyset(&current->blocked);
2169 recalc_sigpending();
2170 spin_unlock_irq(&current->sighand->siglock);
2171 }
2172
4ac212ad
SS		 2173 /* Always clear parent death signal on SID transitions. */
2174 current->pdeath_signal = 0;
2175
1da177e4
LT		 2176 /* Check whether the new SID can inherit resource limits
2177 from the old SID. If not, reset all soft limits to
2178 the lower of the current task's hard limit and the init
2179 task's soft limit. Note that the setting of hard limits
2180 (even to lower them) can be controlled by the setrlimit
2181 check. The inclusion of the init task's soft limit into
2182 the computation is to avoid resetting soft limits higher
2183 than the default soft limit for cases where the default
2184 is lower than the hard limit, e.g. RLIMIT_CORE or
2185 RLIMIT_STACK.*/
2186 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2187 PROCESS__RLIMITINH, NULL);
2188 if (rc) {
2189 for (i = 0; i < RLIM_NLIMITS; i++) {
2190 rlim = current->signal->rlim + i;
2191 initrlim = init_task.signal->rlim+i;
2192 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2193 }
2194 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2195 /*
2196 * This will cause RLIMIT_CPU calculations
2197 * to be refigured.
2198 */
2199 current->it_prof_expires = jiffies_to_cputime(1);
2200 }
2201 }
2202
2203 /* Wake up the parent if it is waiting so that it can
2204 recheck wait permission to the new task SID. */
2205 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2206}
2207
2208/* superblock security operations */
2209
2210static int selinux_sb_alloc_security(struct super_block *sb)
2211{
2212 return superblock_alloc_security(sb);
2213}
2214
2215static void selinux_sb_free_security(struct super_block *sb)
2216{
2217 superblock_free_security(sb);
2218}
2219
2220static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2221{
2222 if (plen > olen)
2223 return 0;
2224
2225 return !memcmp(prefix, option, plen);
2226}
2227
2228static inline int selinux_option(char *option, int len)
2229{
2230 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2231 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
0808925e
EP		 2232 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2233 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
1da177e4
LT		 2234}
2235
2236static inline void take_option(char **to, char *from, int *first, int len)
2237{
2238 if (!*first) {
2239 **to = ',';
2240 *to += 1;
3528a953 2241 } else
1da177e4
LT		 2242 *first = 0;
2243 memcpy(*to, from, len);
2244 *to += len;
2245}
2246
3528a953
CO		 2247static inline void take_selinux_option(char **to, char *from, int *first,
2248 int len)
2249{
2250 int current_size = 0;
2251
2252 if (!*first) {
2253 **to = '|';
2254 *to += 1;
2255 }
2256 else
2257 *first = 0;
2258
2259 while (current_size < len) {
2260 if (*from != '"') {
2261 **to = *from;
2262 *to += 1;
2263 }
2264 from += 1;
2265 current_size += 1;
2266 }
2267}
2268
1da177e4
LT		 2269static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
2270{
2271 int fnosec, fsec, rc = 0;
2272 char *in_save, *in_curr, *in_end;
2273 char *sec_curr, *nosec_save, *nosec;
3528a953 2274 int open_quote = 0;
1da177e4
LT		 2275
2276 in_curr = orig;
2277 sec_curr = copy;
2278
2279 /* Binary mount data: just copy */
2280 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
2281 copy_page(sec_curr, in_curr);
2282 goto out;
2283 }
2284
2285 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2286 if (!nosec) {
2287 rc = -ENOMEM;
2288 goto out;
2289 }
2290
2291 nosec_save = nosec;
2292 fnosec = fsec = 1;
2293 in_save = in_end = orig;
2294
2295 do {
3528a953
CO		 2296 if (*in_end == '"')
2297 open_quote = !open_quote;
2298 if ((*in_end == ',' && open_quote == 0) ||
2299 *in_end == '\0') {
1da177e4
LT		 2300 int len = in_end - in_curr;
2301
2302 if (selinux_option(in_curr, len))
3528a953 2303 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2304 else
2305 take_option(&nosec, in_curr, &fnosec, len);
2306
2307 in_curr = in_end + 1;
2308 }
2309 } while (*in_end++);
2310
6931dfc9 2311 strcpy(in_save, nosec_save);
da3caa20 2312 free_page((unsigned long)nosec_save);
1da177e4
LT		 2313out:
2314 return rc;
2315}
2316
2317static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2318{
2319 struct avc_audit_data ad;
2320 int rc;
2321
2322 rc = superblock_doinit(sb, data);
2323 if (rc)
2324 return rc;
2325
2326 AVC_AUDIT_DATA_INIT(&ad,FS);
2327 ad.u.fs.dentry = sb->s_root;
2328 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2329}
2330
726c3342 2331static int selinux_sb_statfs(struct dentry *dentry)
1da177e4
LT		 2332{
2333 struct avc_audit_data ad;
2334
2335 AVC_AUDIT_DATA_INIT(&ad,FS);
726c3342
DH		 2336 ad.u.fs.dentry = dentry->d_sb->s_root;
2337 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2338}
2339
2340static int selinux_mount(char * dev_name,
2341 struct nameidata *nd,
2342 char * type,
2343 unsigned long flags,
2344 void * data)
2345{
2346 int rc;
2347
2348 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2349 if (rc)
2350 return rc;
2351
2352 if (flags & MS_REMOUNT)
2353 return superblock_has_perm(current, nd->mnt->mnt_sb,
2354 FILESYSTEM__REMOUNT, NULL);
2355 else
2356 return dentry_has_perm(current, nd->mnt, nd->dentry,
2357 FILE__MOUNTON);
2358}
2359
2360static int selinux_umount(struct vfsmount *mnt, int flags)
2361{
2362 int rc;
2363
2364 rc = secondary_ops->sb_umount(mnt, flags);
2365 if (rc)
2366 return rc;
2367
2368 return superblock_has_perm(current,mnt->mnt_sb,
2369 FILESYSTEM__UNMOUNT,NULL);
2370}
2371
2372/* inode security operations */
2373
2374static int selinux_inode_alloc_security(struct inode *inode)
2375{
2376 return inode_alloc_security(inode);
2377}
2378
2379static void selinux_inode_free_security(struct inode *inode)
2380{
2381 inode_free_security(inode);
2382}
2383
5e41ff9e
SS		 2384static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2385 char **name, void **value,
2386 size_t *len)
2387{
2388 struct task_security_struct *tsec;
2389 struct inode_security_struct *dsec;
2390 struct superblock_security_struct *sbsec;
570bc1c2 2391 u32 newsid, clen;
5e41ff9e 2392 int rc;
570bc1c2 2393 char *namep = NULL, *context;
5e41ff9e
SS		 2394
2395 tsec = current->security;
2396 dsec = dir->i_security;
2397 sbsec = dir->i_sb->s_security;
5e41ff9e
SS		 2398
2399 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2400 newsid = tsec->create_sid;
2401 } else {
2402 rc = security_transition_sid(tsec->sid, dsec->sid,
2403 inode_mode_to_security_class(inode->i_mode),
2404 &newsid);
2405 if (rc) {
2406 printk(KERN_WARNING "%s: "
2407 "security_transition_sid failed, rc=%d (dev=%s "
2408 "ino=%ld)\n",
2409 __FUNCTION__,
2410 -rc, inode->i_sb->s_id, inode->i_ino);
2411 return rc;
2412 }
2413 }
2414
296fddf7
EP		 2415 /* Possibly defer initialization to selinux_complete_init. */
2416 if (sbsec->initialized) {
2417 struct inode_security_struct *isec = inode->i_security;
2418 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2419 isec->sid = newsid;
2420 isec->initialized = 1;
2421 }
5e41ff9e 2422
8aad3875 2423 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
25a74f3b
SS		 2424 return -EOPNOTSUPP;
2425
570bc1c2
SS		 2426 if (name) {
2427 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2428 if (!namep)
2429 return -ENOMEM;
2430 *name = namep;
2431 }
5e41ff9e 2432
570bc1c2
SS		 2433 if (value && len) {
2434 rc = security_sid_to_context(newsid, &context, &clen);
2435 if (rc) {
2436 kfree(namep);
2437 return rc;
2438 }
2439 *value = context;
2440 *len = clen;
5e41ff9e 2441 }
5e41ff9e 2442
5e41ff9e
SS		 2443 return 0;
2444}
2445
1da177e4
LT		 2446static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2447{
2448 return may_create(dir, dentry, SECCLASS_FILE);
2449}
2450
1da177e4
LT		 2451static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2452{
2453 int rc;
2454
2455 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2456 if (rc)
2457 return rc;
2458 return may_link(dir, old_dentry, MAY_LINK);
2459}
2460
1da177e4
LT		 2461static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2462{
2463 int rc;
2464
2465 rc = secondary_ops->inode_unlink(dir, dentry);
2466 if (rc)
2467 return rc;
2468 return may_link(dir, dentry, MAY_UNLINK);
2469}
2470
2471static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2472{
2473 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2474}
2475
1da177e4
LT		 2476static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2477{
2478 return may_create(dir, dentry, SECCLASS_DIR);
2479}
2480
1da177e4
LT		 2481static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2482{
2483 return may_link(dir, dentry, MAY_RMDIR);
2484}
2485
2486static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2487{
2488 int rc;
2489
2490 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2491 if (rc)
2492 return rc;
2493
2494 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2495}
2496
1da177e4
LT		 2497static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2498 struct inode *new_inode, struct dentry *new_dentry)
2499{
2500 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2501}
2502
1da177e4
LT		 2503static int selinux_inode_readlink(struct dentry *dentry)
2504{
2505 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2506}
2507
2508static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2509{
2510 int rc;
2511
2512 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2513 if (rc)
2514 return rc;
2515 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2516}
2517
2518static int selinux_inode_permission(struct inode *inode, int mask,
2519 struct nameidata *nd)
2520{
2521 int rc;
2522
2523 rc = secondary_ops->inode_permission(inode, mask, nd);
2524 if (rc)
2525 return rc;
2526
2527 if (!mask) {
2528 /* No permission to check. Existence test. */
2529 return 0;
2530 }
2531
2532 return inode_has_perm(current, inode,
2533 file_mask_to_av(inode->i_mode, mask), NULL);
2534}
2535
2536static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2537{
2538 int rc;
2539
2540 rc = secondary_ops->inode_setattr(dentry, iattr);
2541 if (rc)
2542 return rc;
2543
2544 if (iattr->ia_valid & ATTR_FORCE)
2545 return 0;
2546
2547 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2548 ATTR_ATIME_SET | ATTR_MTIME_SET))
2549 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2550
2551 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2552}
2553
2554static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2555{
2556 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2557}
2558
b5376771
SH		 2559static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2560{
2561 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2562 sizeof XATTR_SECURITY_PREFIX - 1)) {
2563 if (!strcmp(name, XATTR_NAME_CAPS)) {
2564 if (!capable(CAP_SETFCAP))
2565 return -EPERM;
2566 } else if (!capable(CAP_SYS_ADMIN)) {
2567 /* A different attribute in the security namespace.
2568 Restrict to administrator. */
2569 return -EPERM;
2570 }
2571 }
2572
2573 /* Not an attribute we recognize, so just check the
2574 ordinary setattr permission. */
2575 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2576}
2577
1da177e4
LT		 2578static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2579{
2580 struct task_security_struct *tsec = current->security;
2581 struct inode *inode = dentry->d_inode;
2582 struct inode_security_struct *isec = inode->i_security;
2583 struct superblock_security_struct *sbsec;
2584 struct avc_audit_data ad;
2585 u32 newsid;
2586 int rc = 0;
2587
b5376771
SH		 2588 if (strcmp(name, XATTR_NAME_SELINUX))
2589 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2590
2591 sbsec = inode->i_sb->s_security;
2592 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2593 return -EOPNOTSUPP;
2594
3bd858ab 2595 if (!is_owner_or_cap(inode))
1da177e4
LT		 2596 return -EPERM;
2597
2598 AVC_AUDIT_DATA_INIT(&ad,FS);
2599 ad.u.fs.dentry = dentry;
2600
2601 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2602 FILE__RELABELFROM, &ad);
2603 if (rc)
2604 return rc;
2605
2606 rc = security_context_to_sid(value, size, &newsid);
2607 if (rc)
2608 return rc;
2609
2610 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2611 FILE__RELABELTO, &ad);
2612 if (rc)
2613 return rc;
2614
2615 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2616 isec->sclass);
2617 if (rc)
2618 return rc;
2619
2620 return avc_has_perm(newsid,
2621 sbsec->sid,
2622 SECCLASS_FILESYSTEM,
2623 FILESYSTEM__ASSOCIATE,
2624 &ad);
2625}
2626
2627static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2628 void *value, size_t size, int flags)
2629{
2630 struct inode *inode = dentry->d_inode;
2631 struct inode_security_struct *isec = inode->i_security;
2632 u32 newsid;
2633 int rc;
2634
2635 if (strcmp(name, XATTR_NAME_SELINUX)) {
2636 /* Not an attribute we recognize, so nothing to do. */
2637 return;
2638 }
2639
2640 rc = security_context_to_sid(value, size, &newsid);
2641 if (rc) {
2642 printk(KERN_WARNING "%s: unable to obtain SID for context "
2643 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2644 return;
2645 }
2646
2647 isec->sid = newsid;
2648 return;
2649}
2650
2651static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2652{
1da177e4
LT		 2653 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2654}
2655
2656static int selinux_inode_listxattr (struct dentry *dentry)
2657{
2658 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2659}
2660
2661static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2662{
b5376771
SH		 2663 if (strcmp(name, XATTR_NAME_SELINUX))
2664 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2665
2666 /* No one is allowed to remove a SELinux security label.
2667 You can change the label, but all data must be labeled. */
2668 return -EACCES;
2669}
2670
d381d8a9
JM		 2671/*
2672 * Copy the in-core inode security context value to the user. If the
2673 * getxattr() prior to this succeeded, check to see if we need to
2674 * canonicalize the value to be finally returned to the user.
2675 *
2676 * Permission check is handled by selinux_inode_getxattr hook.
2677 */
7306a0b9 2678static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
1da177e4
LT		 2679{
2680 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2681
8c8570fb
DK		 2682 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2683 return -EOPNOTSUPP;
d381d8a9 2684
8c8570fb 2685 return selinux_getsecurity(isec->sid, buffer, size);
1da177e4
LT		 2686}
2687
2688static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2689 const void *value, size_t size, int flags)
2690{
2691 struct inode_security_struct *isec = inode->i_security;
2692 u32 newsid;
2693 int rc;
2694
2695 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2696 return -EOPNOTSUPP;
2697
2698 if (!value || !size)
2699 return -EACCES;
2700
2701 rc = security_context_to_sid((void*)value, size, &newsid);
2702 if (rc)
2703 return rc;
2704
2705 isec->sid = newsid;
2706 return 0;
2707}
2708
2709static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2710{
2711 const int len = sizeof(XATTR_NAME_SELINUX);
2712 if (buffer && len <= buffer_size)
2713 memcpy(buffer, XATTR_NAME_SELINUX, len);
2714 return len;
2715}
2716
b5376771
SH		 2717static int selinux_inode_need_killpriv(struct dentry *dentry)
2718{
2719 return secondary_ops->inode_need_killpriv(dentry);
2720}
2721
2722static int selinux_inode_killpriv(struct dentry *dentry)
2723{
2724 return secondary_ops->inode_killpriv(dentry);
2725}
2726
1da177e4
LT		 2727/* file security operations */
2728
788e7dd4 2729static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 2730{
7420ed23 2731 int rc;
3d5ff529 2732 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2733
2734 if (!mask) {
2735 /* No permission to check. Existence test. */
2736 return 0;
2737 }
2738
2739 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2740 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2741 mask |= MAY_APPEND;
2742
7420ed23
VY		 2743 rc = file_has_perm(current, file,
2744 file_mask_to_av(inode->i_mode, mask));
2745 if (rc)
2746 return rc;
2747
2748 return selinux_netlbl_inode_permission(inode, mask);
1da177e4
LT		 2749}
2750
788e7dd4
YN		 2751static int selinux_file_permission(struct file *file, int mask)
2752{
2753 struct inode *inode = file->f_path.dentry->d_inode;
2754 struct task_security_struct *tsec = current->security;
2755 struct file_security_struct *fsec = file->f_security;
2756 struct inode_security_struct *isec = inode->i_security;
2757
2758 if (!mask) {
2759 /* No permission to check. Existence test. */
2760 return 0;
2761 }
2762
2763 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2764 && fsec->pseqno == avc_policy_seqno())
2765 return selinux_netlbl_inode_permission(inode, mask);
2766
2767 return selinux_revalidate_file_permission(file, mask);
2768}
2769
1da177e4
LT		 2770static int selinux_file_alloc_security(struct file *file)
2771{
2772 return file_alloc_security(file);
2773}
2774
2775static void selinux_file_free_security(struct file *file)
2776{
2777 file_free_security(file);
2778}
2779
2780static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2781 unsigned long arg)
2782{
2783 int error = 0;
2784
2785 switch (cmd) {
2786 case FIONREAD:
2787 /* fall through */
2788 case FIBMAP:
2789 /* fall through */
2790 case FIGETBSZ:
2791 /* fall through */
2792 case EXT2_IOC_GETFLAGS:
2793 /* fall through */
2794 case EXT2_IOC_GETVERSION:
2795 error = file_has_perm(current, file, FILE__GETATTR);
2796 break;
2797
2798 case EXT2_IOC_SETFLAGS:
2799 /* fall through */
2800 case EXT2_IOC_SETVERSION:
2801 error = file_has_perm(current, file, FILE__SETATTR);
2802 break;
2803
2804 /* sys_ioctl() checks */
2805 case FIONBIO:
2806 /* fall through */
2807 case FIOASYNC:
2808 error = file_has_perm(current, file, 0);
2809 break;
2810
2811 case KDSKBENT:
2812 case KDSKBSENT:
2813 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2814 break;
2815
2816 /* default case assumes that the command will go
2817 * to the file's ioctl() function.
2818 */
2819 default:
2820 error = file_has_perm(current, file, FILE__IOCTL);
2821
2822 }
2823 return error;
2824}
2825
2826static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2827{
2828#ifndef CONFIG_PPC32
2829 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2830 /*
2831 * We are making executable an anonymous mapping or a
2832 * private file mapping that will also be writable.
2833 * This has an additional check.
2834 */
2835 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2836 if (rc)
2837 return rc;
2838 }
2839#endif
2840
2841 if (file) {
2842 /* read access is always possible with a mapping */
2843 u32 av = FILE__READ;
2844
2845 /* write access only matters if the mapping is shared */
2846 if (shared && (prot & PROT_WRITE))
2847 av |= FILE__WRITE;
2848
2849 if (prot & PROT_EXEC)
2850 av |= FILE__EXECUTE;
2851
2852 return file_has_perm(current, file, av);
2853 }
2854 return 0;
2855}
2856
2857static int selinux_file_mmap(struct file *file, unsigned long reqprot,
ed032189
EP		 2858 unsigned long prot, unsigned long flags,
2859 unsigned long addr, unsigned long addr_only)
1da177e4 2860{
ed032189
EP		 2861 int rc = 0;
2862 u32 sid = ((struct task_security_struct*)(current->security))->sid;
1da177e4 2863
ed032189
EP		 2864 if (addr < mmap_min_addr)
2865 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2866 MEMPROTECT__MMAP_ZERO, NULL);
2867 if (rc || addr_only)
1da177e4
LT		 2868 return rc;
2869
2870 if (selinux_checkreqprot)
2871 prot = reqprot;
2872
2873 return file_map_prot_check(file, prot,
2874 (flags & MAP_TYPE) == MAP_SHARED);
2875}
2876
2877static int selinux_file_mprotect(struct vm_area_struct *vma,
2878 unsigned long reqprot,
2879 unsigned long prot)
2880{
2881 int rc;
2882
2883 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2884 if (rc)
2885 return rc;
2886
2887 if (selinux_checkreqprot)
2888 prot = reqprot;
2889
2890#ifndef CONFIG_PPC32
db4c9641
SS		 2891 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2892 rc = 0;
2893 if (vma->vm_start >= vma->vm_mm->start_brk &&
2894 vma->vm_end <= vma->vm_mm->brk) {
2895 rc = task_has_perm(current, current,
2896 PROCESS__EXECHEAP);
2897 } else if (!vma->vm_file &&
2898 vma->vm_start <= vma->vm_mm->start_stack &&
2899 vma->vm_end >= vma->vm_mm->start_stack) {
2900 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2901 } else if (vma->vm_file && vma->anon_vma) {
2902 /*
2903 * We are making executable a file mapping that has
2904 * had some COW done. Since pages might have been
2905 * written, check ability to execute the possibly
2906 * modified content. This typically should only
2907 * occur for text relocations.
2908 */
2909 rc = file_has_perm(current, vma->vm_file,
2910 FILE__EXECMOD);
2911 }