]> bbs.cooldavid.org Git - net-next-2.6.git/blame - security/selinux/hooks.c
git://bbs.cooldavid.org / net-next-2.6.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris...
[net-next-2.6.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
effad8df
PM		 15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com>
788e7dd4
YN		 17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 19 *
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
23 */
24
1da177e4
LT		 25#include <linux/init.h>
26#include <linux/kernel.h>
27#include <linux/ptrace.h>
28#include <linux/errno.h>
29#include <linux/sched.h>
30#include <linux/security.h>
31#include <linux/xattr.h>
32#include <linux/capability.h>
33#include <linux/unistd.h>
34#include <linux/mm.h>
35#include <linux/mman.h>
36#include <linux/slab.h>
37#include <linux/pagemap.h>
38#include <linux/swap.h>
1da177e4
LT		 39#include <linux/spinlock.h>
40#include <linux/syscalls.h>
41#include <linux/file.h>
42#include <linux/namei.h>
43#include <linux/mount.h>
44#include <linux/ext2_fs.h>
45#include <linux/proc_fs.h>
46#include <linux/kd.h>
47#include <linux/netfilter_ipv4.h>
48#include <linux/netfilter_ipv6.h>
49#include <linux/tty.h>
50#include <net/icmp.h>
227b60f5 51#include <net/ip.h> /* for local_port_range[] */
1da177e4 52#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
220deb96 53#include <net/net_namespace.h>
d621d35e 54#include <net/netlabel.h>
1da177e4 55#include <asm/uaccess.h>
1da177e4 56#include <asm/ioctls.h>
d621d35e 57#include <asm/atomic.h>
1da177e4
LT		 58#include <linux/bitops.h>
59#include <linux/interrupt.h>
60#include <linux/netdevice.h> /* for network interface checks */
61#include <linux/netlink.h>
62#include <linux/tcp.h>
63#include <linux/udp.h>
2ee92d46 64#include <linux/dccp.h>
1da177e4
LT		 65#include <linux/quota.h>
66#include <linux/un.h> /* for Unix socket types */
67#include <net/af_unix.h> /* for Unix socket types */
68#include <linux/parser.h>
69#include <linux/nfs_mount.h>
70#include <net/ipv6.h>
71#include <linux/hugetlb.h>
72#include <linux/personality.h>
73#include <linux/sysctl.h>
74#include <linux/audit.h>
6931dfc9 75#include <linux/string.h>
877ce7c1 76#include <linux/selinux.h>
23970741 77#include <linux/mutex.h>
1da177e4
LT		 78
79#include "avc.h"
80#include "objsec.h"
81#include "netif.h"
224dfbd8 82#include "netnode.h"
d28d1e08 83#include "xfrm.h"
c60475bf 84#include "netlabel.h"
1da177e4
LT		 85
86#define XATTR_SELINUX_SUFFIX "selinux"
87#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
88
c9180a57
EP		 89#define NUM_SEL_MNT_OPTS 4
90
1da177e4
LT		 91extern unsigned int policydb_loaded_version;
92extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
4e5ab4cb 93extern int selinux_compat_net;
20510f2f 94extern struct security_operations *security_ops;
1da177e4 95
d621d35e
PM		 96/* SECMARK reference count */
97atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
98
1da177e4
LT		 99#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100int selinux_enforcing = 0;
101
102static int __init enforcing_setup(char *str)
103{
104 selinux_enforcing = simple_strtol(str,NULL,0);
105 return 1;
106}
107__setup("enforcing=", enforcing_setup);
108#endif
109
110#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
112
113static int __init selinux_enabled_setup(char *str)
114{
115 selinux_enabled = simple_strtol(str, NULL, 0);
116 return 1;
117}
118__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 119#else
120int selinux_enabled = 1;
1da177e4
LT		 121#endif
122
123/* Original (dummy) security module. */
124static struct security_operations *original_ops = NULL;
125
126/* Minimal support for a secondary security module,
127 just to allow the use of the dummy or capability modules.
128 The owlsm module can alternatively be used as a secondary
129 module as long as CONFIG_OWLSM_FD is not enabled. */
130static struct security_operations *secondary_ops = NULL;
131
132/* Lists of inode and superblock security structures initialized
133 before the policy was loaded. */
134static LIST_HEAD(superblock_security_head);
135static DEFINE_SPINLOCK(sb_security_lock);
136
e18b890b 137static struct kmem_cache *sel_inode_cache;
7cae7e26 138
d621d35e
PM		 139/**
140 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
141 *
142 * Description:
143 * This function checks the SECMARK reference counter to see if any SECMARK
144 * targets are currently configured, if the reference counter is greater than
145 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
146 * enabled, false (0) if SECMARK is disabled.
147 *
148 */
149static int selinux_secmark_enabled(void)
150{
151 return (atomic_read(&selinux_secmark_refcount) > 0);
152}
153
1da177e4
LT		 154/* Allocate and free functions for each kind of security blob. */
155
156static int task_alloc_security(struct task_struct *task)
157{
158 struct task_security_struct *tsec;
159
89d155ef 160 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4
LT		 161 if (!tsec)
162 return -ENOMEM;
163
1da177e4
LT		 164 tsec->task = task;
165 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
166 task->security = tsec;
167
168 return 0;
169}
170
171static void task_free_security(struct task_struct *task)
172{
173 struct task_security_struct *tsec = task->security;
1da177e4
LT		 174 task->security = NULL;
175 kfree(tsec);
176}
177
178static int inode_alloc_security(struct inode *inode)
179{
180 struct task_security_struct *tsec = current->security;
181 struct inode_security_struct *isec;
182
a02fe132 183 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 184 if (!isec)
185 return -ENOMEM;
186
23970741 187 mutex_init(&isec->lock);
1da177e4 188 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 189 isec->inode = inode;
190 isec->sid = SECINITSID_UNLABELED;
191 isec->sclass = SECCLASS_FILE;
9ac49d22 192 isec->task_sid = tsec->sid;
1da177e4
LT		 193 inode->i_security = isec;
194
195 return 0;
196}
197
198static void inode_free_security(struct inode *inode)
199{
200 struct inode_security_struct *isec = inode->i_security;
201 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
202
1da177e4
LT		 203 spin_lock(&sbsec->isec_lock);
204 if (!list_empty(&isec->list))
205 list_del_init(&isec->list);
206 spin_unlock(&sbsec->isec_lock);
207
208 inode->i_security = NULL;
7cae7e26 209 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 210}
211
212static int file_alloc_security(struct file *file)
213{
214 struct task_security_struct *tsec = current->security;
215 struct file_security_struct *fsec;
216
26d2a4be 217 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 218 if (!fsec)
219 return -ENOMEM;
220
1da177e4 221 fsec->file = file;
9ac49d22
SS		 222 fsec->sid = tsec->sid;
223 fsec->fown_sid = tsec->sid;
1da177e4
LT		 224 file->f_security = fsec;
225
226 return 0;
227}
228
229static void file_free_security(struct file *file)
230{
231 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 232 file->f_security = NULL;
233 kfree(fsec);
234}
235
236static int superblock_alloc_security(struct super_block *sb)
237{
238 struct superblock_security_struct *sbsec;
239
89d155ef 240 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 241 if (!sbsec)
242 return -ENOMEM;
243
bc7e982b 244 mutex_init(&sbsec->lock);
1da177e4
LT		 245 INIT_LIST_HEAD(&sbsec->list);
246 INIT_LIST_HEAD(&sbsec->isec_head);
247 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 248 sbsec->sb = sb;
249 sbsec->sid = SECINITSID_UNLABELED;
250 sbsec->def_sid = SECINITSID_FILE;
c312feb2 251 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 252 sb->s_security = sbsec;
253
254 return 0;
255}
256
257static void superblock_free_security(struct super_block *sb)
258{
259 struct superblock_security_struct *sbsec = sb->s_security;
260
1da177e4
LT		 261 spin_lock(&sb_security_lock);
262 if (!list_empty(&sbsec->list))
263 list_del_init(&sbsec->list);
264 spin_unlock(&sb_security_lock);
265
266 sb->s_security = NULL;
267 kfree(sbsec);
268}
269
7d877f3b 270static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4
LT		 271{
272 struct sk_security_struct *ssec;
273
89d155ef 274 ssec = kzalloc(sizeof(*ssec), priority);
1da177e4
LT		 275 if (!ssec)
276 return -ENOMEM;
277
1da177e4
LT		 278 ssec->sk = sk;
279 ssec->peer_sid = SECINITSID_UNLABELED;
892c141e 280 ssec->sid = SECINITSID_UNLABELED;
1da177e4
LT		 281 sk->sk_security = ssec;
282
99f59ed0
PM		 283 selinux_netlbl_sk_security_init(ssec, family);
284
1da177e4
LT		 285 return 0;
286}
287
288static void sk_free_security(struct sock *sk)
289{
290 struct sk_security_struct *ssec = sk->sk_security;
291
1da177e4
LT		 292 sk->sk_security = NULL;
293 kfree(ssec);
294}
1da177e4
LT		 295
296/* The security server must be initialized before
297 any labeling or access decisions can be provided. */
298extern int ss_initialized;
299
300/* The file system's label must be initialized prior to use. */
301
302static char *labeling_behaviors[6] = {
303 "uses xattr",
304 "uses transition SIDs",
305 "uses task SIDs",
306 "uses genfs_contexts",
307 "not configured for labeling",
308 "uses mountpoint labeling",
309};
310
311static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
312
313static inline int inode_doinit(struct inode *inode)
314{
315 return inode_doinit_with_dentry(inode, NULL);
316}
317
318enum {
31e87930 319 Opt_error = -1,
1da177e4
LT		 320 Opt_context = 1,
321 Opt_fscontext = 2,
c9180a57
EP		 322 Opt_defcontext = 3,
323 Opt_rootcontext = 4,
1da177e4
LT		 324};
325
326static match_table_t tokens = {
327 {Opt_context, "context=%s"},
328 {Opt_fscontext, "fscontext=%s"},
329 {Opt_defcontext, "defcontext=%s"},
0808925e 330 {Opt_rootcontext, "rootcontext=%s"},
31e87930 331 {Opt_error, NULL},
1da177e4
LT		 332};
333
334#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
335
c312feb2
EP		 336static int may_context_mount_sb_relabel(u32 sid,
337 struct superblock_security_struct *sbsec,
338 struct task_security_struct *tsec)
339{
340 int rc;
341
342 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
343 FILESYSTEM__RELABELFROM, NULL);
344 if (rc)
345 return rc;
346
347 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
348 FILESYSTEM__RELABELTO, NULL);
349 return rc;
350}
351
0808925e
EP		 352static int may_context_mount_inode_relabel(u32 sid,
353 struct superblock_security_struct *sbsec,
354 struct task_security_struct *tsec)
355{
356 int rc;
357 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358 FILESYSTEM__RELABELFROM, NULL);
359 if (rc)
360 return rc;
361
362 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
363 FILESYSTEM__ASSOCIATE, NULL);
364 return rc;
365}
366
c9180a57 367static int sb_finish_set_opts(struct super_block *sb)
1da177e4 368{
1da177e4 369 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 370 struct dentry *root = sb->s_root;
371 struct inode *root_inode = root->d_inode;
372 int rc = 0;
1da177e4 373
c9180a57
EP		 374 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
375 /* Make sure that the xattr handler exists and that no
376 error other than -ENODATA is returned by getxattr on
377 the root directory. -ENODATA is ok, as this may be
378 the first boot of the SELinux kernel before we have
379 assigned xattr values to the filesystem. */
380 if (!root_inode->i_op->getxattr) {
381 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
382 "xattr support\n", sb->s_id, sb->s_type->name);
383 rc = -EOPNOTSUPP;
384 goto out;
385 }
386 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
387 if (rc < 0 && rc != -ENODATA) {
388 if (rc == -EOPNOTSUPP)
389 printk(KERN_WARNING "SELinux: (dev %s, type "
390 "%s) has no security xattr handler\n",
391 sb->s_id, sb->s_type->name);
392 else
393 printk(KERN_WARNING "SELinux: (dev %s, type "
394 "%s) getxattr errno %d\n", sb->s_id,
395 sb->s_type->name, -rc);
396 goto out;
397 }
398 }
1da177e4 399
c9180a57 400 sbsec->initialized = 1;
1da177e4 401
c9180a57
EP		 402 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
404 sb->s_id, sb->s_type->name);
405 else
406 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
407 sb->s_id, sb->s_type->name,
408 labeling_behaviors[sbsec->behavior-1]);
1da177e4 409
c9180a57
EP		 410 /* Initialize the root inode. */
411 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 412
c9180a57
EP		 413 /* Initialize any other inodes associated with the superblock, e.g.
414 inodes created prior to initial policy load or inodes created
415 during get_sb by a pseudo filesystem that directly
416 populates itself. */
417 spin_lock(&sbsec->isec_lock);
418next_inode:
419 if (!list_empty(&sbsec->isec_head)) {
420 struct inode_security_struct *isec =
421 list_entry(sbsec->isec_head.next,
422 struct inode_security_struct, list);
423 struct inode *inode = isec->inode;
424 spin_unlock(&sbsec->isec_lock);
425 inode = igrab(inode);
426 if (inode) {
427 if (!IS_PRIVATE(inode))
428 inode_doinit(inode);
429 iput(inode);
430 }
431 spin_lock(&sbsec->isec_lock);
432 list_del_init(&isec->list);
433 goto next_inode;
434 }
435 spin_unlock(&sbsec->isec_lock);
436out:
437 return rc;
438}
1da177e4 439
c9180a57
EP		 440/*
441 * This function should allow an FS to ask what it's mount security
442 * options were so it can use those later for submounts, displaying
443 * mount options, or whatever.
444 */
445static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 446 struct security_mnt_opts *opts)
c9180a57
EP		 447{
448 int rc = 0, i;
449 struct superblock_security_struct *sbsec = sb->s_security;
450 char *context = NULL;
451 u32 len;
452 char tmp;
1da177e4 453
e0007529 454 security_init_mnt_opts(opts);
1da177e4 455
c9180a57
EP		 456 if (!sbsec->initialized)
457 return -EINVAL;
1da177e4 458
c9180a57
EP		 459 if (!ss_initialized)
460 return -EINVAL;
1da177e4 461
c9180a57
EP		 462 /*
463 * if we ever use sbsec flags for anything other than tracking mount
464 * settings this is going to need a mask
465 */
466 tmp = sbsec->flags;
467 /* count the number of mount options for this sb */
468 for (i = 0; i < 8; i++) {
469 if (tmp & 0x01)
e0007529 470 opts->num_mnt_opts++;
c9180a57
EP		 471 tmp >>= 1;
472 }
1da177e4 473
e0007529
EP		 474 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
475 if (!opts->mnt_opts) {
c9180a57
EP		 476 rc = -ENOMEM;
477 goto out_free;
478 }
1da177e4 479
e0007529
EP		 480 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
481 if (!opts->mnt_opts_flags) {
c9180a57
EP		 482 rc = -ENOMEM;
483 goto out_free;
484 }
1da177e4 485
c9180a57
EP		 486 i = 0;
487 if (sbsec->flags & FSCONTEXT_MNT) {
488 rc = security_sid_to_context(sbsec->sid, &context, &len);
489 if (rc)
490 goto out_free;
e0007529
EP		 491 opts->mnt_opts[i] = context;
492 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 493 }
494 if (sbsec->flags & CONTEXT_MNT) {
495 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
496 if (rc)
497 goto out_free;
e0007529
EP		 498 opts->mnt_opts[i] = context;
499 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 500 }
501 if (sbsec->flags & DEFCONTEXT_MNT) {
502 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
503 if (rc)
504 goto out_free;
e0007529
EP		 505 opts->mnt_opts[i] = context;
506 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 507 }
508 if (sbsec->flags & ROOTCONTEXT_MNT) {
509 struct inode *root = sbsec->sb->s_root->d_inode;
510 struct inode_security_struct *isec = root->i_security;
0808925e 511
c9180a57
EP		 512 rc = security_sid_to_context(isec->sid, &context, &len);
513 if (rc)
514 goto out_free;
e0007529
EP		 515 opts->mnt_opts[i] = context;
516 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 517 }
1da177e4 518
e0007529 519 BUG_ON(i != opts->num_mnt_opts);
1da177e4 520
c9180a57
EP		 521 return 0;
522
523out_free:
e0007529 524 security_free_mnt_opts(opts);
c9180a57
EP		 525 return rc;
526}
1da177e4 527
c9180a57
EP		 528static int bad_option(struct superblock_security_struct *sbsec, char flag,
529 u32 old_sid, u32 new_sid)
530{
531 /* check if the old mount command had the same options */
532 if (sbsec->initialized)
533 if (!(sbsec->flags & flag) ||
534 (old_sid != new_sid))
535 return 1;
536
537 /* check if we were passed the same options twice,
538 * aka someone passed context=a,context=b
539 */
540 if (!sbsec->initialized)
541 if (sbsec->flags & flag)
542 return 1;
543 return 0;
544}
e0007529 545
c9180a57
EP		 546/*
547 * Allow filesystems with binary mount data to explicitly set mount point
548 * labeling information.
549 */
e0007529
EP		 550static int selinux_set_mnt_opts(struct super_block *sb,
551 struct security_mnt_opts *opts)
c9180a57
EP		 552{
553 int rc = 0, i;
554 struct task_security_struct *tsec = current->security;
555 struct superblock_security_struct *sbsec = sb->s_security;
556 const char *name = sb->s_type->name;
557 struct inode *inode = sbsec->sb->s_root->d_inode;
558 struct inode_security_struct *root_isec = inode->i_security;
559 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
560 u32 defcontext_sid = 0;
e0007529
EP		 561 char **mount_options = opts->mnt_opts;
562 int *flags = opts->mnt_opts_flags;
563 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 564
565 mutex_lock(&sbsec->lock);
566
567 if (!ss_initialized) {
568 if (!num_opts) {
569 /* Defer initialization until selinux_complete_init,
570 after the initial policy is loaded and the security
571 server is ready to handle calls. */
572 spin_lock(&sb_security_lock);
573 if (list_empty(&sbsec->list))
574 list_add(&sbsec->list, &superblock_security_head);
575 spin_unlock(&sb_security_lock);
576 goto out;
577 }
578 rc = -EINVAL;
579 printk(KERN_WARNING "Unable to set superblock options before "
580 "the security server is initialized\n");
1da177e4 581 goto out;
c9180a57 582 }
1da177e4 583
e0007529
EP		 584 /*
585 * Binary mount data FS will come through this function twice. Once
586 * from an explicit call and once from the generic calls from the vfs.
587 * Since the generic VFS calls will not contain any security mount data
588 * we need to skip the double mount verification.
589 *
590 * This does open a hole in which we will not notice if the first
591 * mount using this sb set explict options and a second mount using
592 * this sb does not set any security options. (The first options
593 * will be used for both mounts)
594 */
595 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
596 && (num_opts == 0))
597 goto out;
598
c9180a57
EP		 599 /*
600 * parse the mount options, check if they are valid sids.
601 * also check if someone is trying to mount the same sb more
602 * than once with different security options.
603 */
604 for (i = 0; i < num_opts; i++) {
605 u32 sid;
606 rc = security_context_to_sid(mount_options[i],
607 strlen(mount_options[i]), &sid);
1da177e4
LT		 608 if (rc) {
609 printk(KERN_WARNING "SELinux: security_context_to_sid"
610 "(%s) failed for (dev %s, type %s) errno=%d\n",
c9180a57
EP		 611 mount_options[i], sb->s_id, name, rc);
612 goto out;
613 }
614 switch (flags[i]) {
615 case FSCONTEXT_MNT:
616 fscontext_sid = sid;
617
618 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
619 fscontext_sid))
620 goto out_double_mount;
621
622 sbsec->flags |= FSCONTEXT_MNT;
623 break;
624 case CONTEXT_MNT:
625 context_sid = sid;
626
627 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
628 context_sid))
629 goto out_double_mount;
630
631 sbsec->flags |= CONTEXT_MNT;
632 break;
633 case ROOTCONTEXT_MNT:
634 rootcontext_sid = sid;
635
636 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
637 rootcontext_sid))
638 goto out_double_mount;
639
640 sbsec->flags |= ROOTCONTEXT_MNT;
641
642 break;
643 case DEFCONTEXT_MNT:
644 defcontext_sid = sid;
645
646 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
647 defcontext_sid))
648 goto out_double_mount;
649
650 sbsec->flags |= DEFCONTEXT_MNT;
651
652 break;
653 default:
654 rc = -EINVAL;
655 goto out;
1da177e4 656 }
c9180a57
EP		 657 }
658
659 if (sbsec->initialized) {
660 /* previously mounted with options, but not on this attempt? */
661 if (sbsec->flags && !num_opts)
662 goto out_double_mount;
663 rc = 0;
664 goto out;
665 }
666
667 if (strcmp(sb->s_type->name, "proc") == 0)
668 sbsec->proc = 1;
669
670 /* Determine the labeling behavior to use for this filesystem type. */
671 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
672 if (rc) {
673 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
674 __FUNCTION__, sb->s_type->name, rc);
675 goto out;
676 }
1da177e4 677
c9180a57
EP		 678 /* sets the context of the superblock for the fs being mounted. */
679 if (fscontext_sid) {
680
681 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
1da177e4 682 if (rc)
c9180a57 683 goto out;
1da177e4 684
c9180a57 685 sbsec->sid = fscontext_sid;
c312feb2
EP		 686 }
687
688 /*
689 * Switch to using mount point labeling behavior.
690 * sets the label used on all file below the mountpoint, and will set
691 * the superblock context if not already set.
692 */
c9180a57
EP		 693 if (context_sid) {
694 if (!fscontext_sid) {
695 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
b04ea3ce 696 if (rc)
c9180a57
EP		 697 goto out;
698 sbsec->sid = context_sid;
b04ea3ce 699 } else {
c9180a57 700 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
b04ea3ce 701 if (rc)
c9180a57 702 goto out;
b04ea3ce 703 }
c9180a57
EP		 704 if (!rootcontext_sid)
705 rootcontext_sid = context_sid;
1da177e4 706
c9180a57 707 sbsec->mntpoint_sid = context_sid;
c312feb2 708 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 709 }
710
c9180a57
EP		 711 if (rootcontext_sid) {
712 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
0808925e 713 if (rc)
c9180a57 714 goto out;
0808925e 715
c9180a57
EP		 716 root_isec->sid = rootcontext_sid;
717 root_isec->initialized = 1;
0808925e
EP		 718 }
719
c9180a57
EP		 720 if (defcontext_sid) {
721 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
722 rc = -EINVAL;
723 printk(KERN_WARNING "SELinux: defcontext option is "
724 "invalid for this filesystem type\n");
725 goto out;
1da177e4
LT		 726 }
727
c9180a57
EP		 728 if (defcontext_sid != sbsec->def_sid) {
729 rc = may_context_mount_inode_relabel(defcontext_sid,
730 sbsec, tsec);
731 if (rc)
732 goto out;
733 }
1da177e4 734
c9180a57 735 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 736 }
737
c9180a57 738 rc = sb_finish_set_opts(sb);
1da177e4 739out:
c9180a57 740 mutex_unlock(&sbsec->lock);
1da177e4 741 return rc;
c9180a57
EP		 742out_double_mount:
743 rc = -EINVAL;
744 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
745 "security settings for (dev %s, type %s)\n", sb->s_id, name);
746 goto out;
1da177e4
LT		 747}
748
c9180a57
EP		 749static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
750 struct super_block *newsb)
1da177e4 751{
c9180a57
EP		 752 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
753 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 754
c9180a57
EP		 755 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
756 int set_context = (oldsbsec->flags & CONTEXT_MNT);
757 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 758
c9180a57
EP		 759 /* we can't error, we can't save the info, this shouldn't get called
760 * this early in the boot process. */
761 BUG_ON(!ss_initialized);
762
763 /* this might go away sometime down the line if there is a new user
764 * of clone, but for now, nfs better not get here... */
765 BUG_ON(newsbsec->initialized);
766
767 /* how can we clone if the old one wasn't set up?? */
768 BUG_ON(!oldsbsec->initialized);
769
770 mutex_lock(&newsbsec->lock);
771
772 newsbsec->flags = oldsbsec->flags;
773
774 newsbsec->sid = oldsbsec->sid;
775 newsbsec->def_sid = oldsbsec->def_sid;
776 newsbsec->behavior = oldsbsec->behavior;
777
778 if (set_context) {
779 u32 sid = oldsbsec->mntpoint_sid;
780
781 if (!set_fscontext)
782 newsbsec->sid = sid;
783 if (!set_rootcontext) {
784 struct inode *newinode = newsb->s_root->d_inode;
785 struct inode_security_struct *newisec = newinode->i_security;
786 newisec->sid = sid;
787 }
788 newsbsec->mntpoint_sid = sid;
1da177e4 789 }
c9180a57
EP		 790 if (set_rootcontext) {
791 const struct inode *oldinode = oldsb->s_root->d_inode;
792 const struct inode_security_struct *oldisec = oldinode->i_security;
793 struct inode *newinode = newsb->s_root->d_inode;
794 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 795
c9180a57 796 newisec->sid = oldisec->sid;
1da177e4
LT		 797 }
798
c9180a57
EP		 799 sb_finish_set_opts(newsb);
800 mutex_unlock(&newsbsec->lock);
801}
802
2e1479d9
AB		 803static int selinux_parse_opts_str(char *options,
804 struct security_mnt_opts *opts)
c9180a57 805{
e0007529 806 char *p;
c9180a57
EP		 807 char *context = NULL, *defcontext = NULL;
808 char *fscontext = NULL, *rootcontext = NULL;
e0007529 809 int rc, num_mnt_opts = 0;
1da177e4 810
e0007529 811 opts->num_mnt_opts = 0;
1da177e4 812
c9180a57
EP		 813 /* Standard string-based options. */
814 while ((p = strsep(&options, "|")) != NULL) {
815 int token;
816 substring_t args[MAX_OPT_ARGS];
1da177e4 817
c9180a57
EP		 818 if (!*p)
819 continue;
1da177e4 820
c9180a57 821 token = match_token(p, tokens, args);
1da177e4 822
c9180a57
EP		 823 switch (token) {
824 case Opt_context:
825 if (context || defcontext) {
826 rc = -EINVAL;
827 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
828 goto out_err;
829 }
830 context = match_strdup(&args[0]);
831 if (!context) {
832 rc = -ENOMEM;
833 goto out_err;
834 }
835 break;
836
837 case Opt_fscontext:
838 if (fscontext) {
839 rc = -EINVAL;
840 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
841 goto out_err;
842 }
843 fscontext = match_strdup(&args[0]);
844 if (!fscontext) {
845 rc = -ENOMEM;
846 goto out_err;
847 }
848 break;
849
850 case Opt_rootcontext:
851 if (rootcontext) {
852 rc = -EINVAL;
853 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
854 goto out_err;
855 }
856 rootcontext = match_strdup(&args[0]);
857 if (!rootcontext) {
858 rc = -ENOMEM;
859 goto out_err;
860 }
861 break;
862
863 case Opt_defcontext:
864 if (context || defcontext) {
865 rc = -EINVAL;
866 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
867 goto out_err;
868 }
869 defcontext = match_strdup(&args[0]);
870 if (!defcontext) {
871 rc = -ENOMEM;
872 goto out_err;
873 }
874 break;
875
876 default:
877 rc = -EINVAL;
878 printk(KERN_WARNING "SELinux: unknown mount option\n");
879 goto out_err;
1da177e4 880
1da177e4 881 }
1da177e4 882 }
c9180a57 883
e0007529
EP		 884 rc = -ENOMEM;
885 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
886 if (!opts->mnt_opts)
887 goto out_err;
888
889 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
890 if (!opts->mnt_opts_flags) {
891 kfree(opts->mnt_opts);
892 goto out_err;
893 }
894
c9180a57 895 if (fscontext) {
e0007529
EP		 896 opts->mnt_opts[num_mnt_opts] = fscontext;
897 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 898 }
899 if (context) {
e0007529
EP		 900 opts->mnt_opts[num_mnt_opts] = context;
901 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 902 }
903 if (rootcontext) {
e0007529
EP		 904 opts->mnt_opts[num_mnt_opts] = rootcontext;
905 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 906 }
907 if (defcontext) {
e0007529
EP		 908 opts->mnt_opts[num_mnt_opts] = defcontext;
909 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 910 }
911
e0007529
EP		 912 opts->num_mnt_opts = num_mnt_opts;
913 return 0;
914
c9180a57
EP		 915out_err:
916 kfree(context);
917 kfree(defcontext);
918 kfree(fscontext);
919 kfree(rootcontext);
1da177e4
LT		 920 return rc;
921}
e0007529
EP		 922/*
923 * string mount options parsing and call set the sbsec
924 */
925static int superblock_doinit(struct super_block *sb, void *data)
926{
927 int rc = 0;
928 char *options = data;
929 struct security_mnt_opts opts;
930
931 security_init_mnt_opts(&opts);
932
933 if (!data)
934 goto out;
935
936 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
937
938 rc = selinux_parse_opts_str(options, &opts);
939 if (rc)
940 goto out_err;
941
942out:
943 rc = selinux_set_mnt_opts(sb, &opts);
944
945out_err:
946 security_free_mnt_opts(&opts);
947 return rc;
948}
1da177e4
LT		 949
950static inline u16 inode_mode_to_security_class(umode_t mode)
951{
952 switch (mode & S_IFMT) {
953 case S_IFSOCK:
954 return SECCLASS_SOCK_FILE;
955 case S_IFLNK:
956 return SECCLASS_LNK_FILE;
957 case S_IFREG:
958 return SECCLASS_FILE;
959 case S_IFBLK:
960 return SECCLASS_BLK_FILE;
961 case S_IFDIR:
962 return SECCLASS_DIR;
963 case S_IFCHR:
964 return SECCLASS_CHR_FILE;
965 case S_IFIFO:
966 return SECCLASS_FIFO_FILE;
967
968 }
969
970 return SECCLASS_FILE;
971}
972
13402580
JM		 973static inline int default_protocol_stream(int protocol)
974{
975 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
976}
977
978static inline int default_protocol_dgram(int protocol)
979{
980 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
981}
982
1da177e4
LT		 983static inline u16 socket_type_to_security_class(int family, int type, int protocol)
984{
985 switch (family) {
986 case PF_UNIX:
987 switch (type) {
988 case SOCK_STREAM:
989 case SOCK_SEQPACKET:
990 return SECCLASS_UNIX_STREAM_SOCKET;
991 case SOCK_DGRAM:
992 return SECCLASS_UNIX_DGRAM_SOCKET;
993 }
994 break;
995 case PF_INET:
996 case PF_INET6:
997 switch (type) {
998 case SOCK_STREAM:
13402580
JM		 999 if (default_protocol_stream(protocol))
1000 return SECCLASS_TCP_SOCKET;
1001 else
1002 return SECCLASS_RAWIP_SOCKET;
1da177e4 1003 case SOCK_DGRAM:
13402580
JM		 1004 if (default_protocol_dgram(protocol))
1005 return SECCLASS_UDP_SOCKET;
1006 else
1007 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1008 case SOCK_DCCP:
1009 return SECCLASS_DCCP_SOCKET;
13402580 1010 default:
1da177e4
LT		 1011 return SECCLASS_RAWIP_SOCKET;
1012 }
1013 break;
1014 case PF_NETLINK:
1015 switch (protocol) {
1016 case NETLINK_ROUTE:
1017 return SECCLASS_NETLINK_ROUTE_SOCKET;
1018 case NETLINK_FIREWALL:
1019 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 1020 case NETLINK_INET_DIAG:
1da177e4
LT		 1021 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1022 case NETLINK_NFLOG:
1023 return SECCLASS_NETLINK_NFLOG_SOCKET;
1024 case NETLINK_XFRM:
1025 return SECCLASS_NETLINK_XFRM_SOCKET;
1026 case NETLINK_SELINUX:
1027 return SECCLASS_NETLINK_SELINUX_SOCKET;
1028 case NETLINK_AUDIT:
1029 return SECCLASS_NETLINK_AUDIT_SOCKET;
1030 case NETLINK_IP6_FW:
1031 return SECCLASS_NETLINK_IP6FW_SOCKET;
1032 case NETLINK_DNRTMSG:
1033 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1034 case NETLINK_KOBJECT_UEVENT:
1035 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1036 default:
1037 return SECCLASS_NETLINK_SOCKET;
1038 }
1039 case PF_PACKET:
1040 return SECCLASS_PACKET_SOCKET;
1041 case PF_KEY:
1042 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1043 case PF_APPLETALK:
1044 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1045 }
1046
1047 return SECCLASS_SOCKET;
1048}
1049
1050#ifdef CONFIG_PROC_FS
1051static int selinux_proc_get_sid(struct proc_dir_entry *de,
1052 u16 tclass,
1053 u32 *sid)
1054{
1055 int buflen, rc;
1056 char *buffer, *path, *end;
1057
1058 buffer = (char*)__get_free_page(GFP_KERNEL);
1059 if (!buffer)
1060 return -ENOMEM;
1061
1062 buflen = PAGE_SIZE;
1063 end = buffer+buflen;
1064 *--end = '\0';
1065 buflen--;
1066 path = end-1;
1067 *path = '/';
1068 while (de && de != de->parent) {
1069 buflen -= de->namelen + 1;
1070 if (buflen < 0)
1071 break;
1072 end -= de->namelen;
1073 memcpy(end, de->name, de->namelen);
1074 *--end = '/';
1075 path = end;
1076 de = de->parent;
1077 }
1078 rc = security_genfs_sid("proc", path, tclass, sid);
1079 free_page((unsigned long)buffer);
1080 return rc;
1081}
1082#else
1083static int selinux_proc_get_sid(struct proc_dir_entry *de,
1084 u16 tclass,
1085 u32 *sid)
1086{
1087 return -EINVAL;
1088}
1089#endif
1090
1091/* The inode's security attributes must be initialized before first use. */
1092static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1093{
1094 struct superblock_security_struct *sbsec = NULL;
1095 struct inode_security_struct *isec = inode->i_security;
1096 u32 sid;
1097 struct dentry *dentry;
1098#define INITCONTEXTLEN 255
1099 char *context = NULL;
1100 unsigned len = 0;
1101 int rc = 0;
1da177e4
LT		 1102
1103 if (isec->initialized)
1104 goto out;
1105
23970741 1106 mutex_lock(&isec->lock);
1da177e4 1107 if (isec->initialized)
23970741 1108 goto out_unlock;
1da177e4
LT		 1109
1110 sbsec = inode->i_sb->s_security;
1111 if (!sbsec->initialized) {
1112 /* Defer initialization until selinux_complete_init,
1113 after the initial policy is loaded and the security
1114 server is ready to handle calls. */
1115 spin_lock(&sbsec->isec_lock);
1116 if (list_empty(&isec->list))
1117 list_add(&isec->list, &sbsec->isec_head);
1118 spin_unlock(&sbsec->isec_lock);
23970741 1119 goto out_unlock;
1da177e4
LT		 1120 }
1121
1122 switch (sbsec->behavior) {
1123 case SECURITY_FS_USE_XATTR:
1124 if (!inode->i_op->getxattr) {
1125 isec->sid = sbsec->def_sid;
1126 break;
1127 }
1128
1129 /* Need a dentry, since the xattr API requires one.
1130 Life would be simpler if we could just pass the inode. */
1131 if (opt_dentry) {
1132 /* Called from d_instantiate or d_splice_alias. */
1133 dentry = dget(opt_dentry);
1134 } else {
1135 /* Called from selinux_complete_init, try to find a dentry. */
1136 dentry = d_find_alias(inode);
1137 }
1138 if (!dentry) {
1139 printk(KERN_WARNING "%s: no dentry for dev=%s "
1140 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1141 inode->i_ino);
23970741 1142 goto out_unlock;
1da177e4
LT		 1143 }
1144
1145 len = INITCONTEXTLEN;
869ab514 1146 context = kmalloc(len, GFP_NOFS);
1da177e4
LT		 1147 if (!context) {
1148 rc = -ENOMEM;
1149 dput(dentry);
23970741 1150 goto out_unlock;
1da177e4
LT		 1151 }
1152 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1153 context, len);
1154 if (rc == -ERANGE) {
1155 /* Need a larger buffer. Query for the right size. */
1156 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1157 NULL, 0);
1158 if (rc < 0) {
1159 dput(dentry);
23970741 1160 goto out_unlock;
1da177e4
LT		 1161 }
1162 kfree(context);
1163 len = rc;
869ab514 1164 context = kmalloc(len, GFP_NOFS);
1da177e4
LT		 1165 if (!context) {
1166 rc = -ENOMEM;
1167 dput(dentry);
23970741 1168 goto out_unlock;
1da177e4
LT		 1169 }
1170 rc = inode->i_op->getxattr(dentry,
1171 XATTR_NAME_SELINUX,
1172 context, len);
1173 }
1174 dput(dentry);
1175 if (rc < 0) {
1176 if (rc != -ENODATA) {
1177 printk(KERN_WARNING "%s: getxattr returned "
1178 "%d for dev=%s ino=%ld\n", __FUNCTION__,
1179 -rc, inode->i_sb->s_id, inode->i_ino);
1180 kfree(context);
23970741 1181 goto out_unlock;
1da177e4
LT		 1182 }
1183 /* Map ENODATA to the default file SID */
1184 sid = sbsec->def_sid;
1185 rc = 0;
1186 } else {
f5c1d5b2 1187 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1188 sbsec->def_sid,
1189 GFP_NOFS);
1da177e4
LT		 1190 if (rc) {
1191 printk(KERN_WARNING "%s: context_to_sid(%s) "
1192 "returned %d for dev=%s ino=%ld\n",
1193 __FUNCTION__, context, -rc,
1194 inode->i_sb->s_id, inode->i_ino);
1195 kfree(context);
1196 /* Leave with the unlabeled SID */
1197 rc = 0;
1198 break;
1199 }
1200 }
1201 kfree(context);
1202 isec->sid = sid;
1203 break;
1204 case SECURITY_FS_USE_TASK:
1205 isec->sid = isec->task_sid;
1206 break;
1207 case SECURITY_FS_USE_TRANS:
1208 /* Default to the fs SID. */
1209 isec->sid = sbsec->sid;
1210
1211 /* Try to obtain a transition SID. */
1212 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1213 rc = security_transition_sid(isec->task_sid,
1214 sbsec->sid,
1215 isec->sclass,
1216 &sid);
1217 if (rc)
23970741 1218 goto out_unlock;
1da177e4
LT		 1219 isec->sid = sid;
1220 break;
c312feb2
EP		 1221 case SECURITY_FS_USE_MNTPOINT:
1222 isec->sid = sbsec->mntpoint_sid;
1223 break;
1da177e4 1224 default:
c312feb2 1225 /* Default to the fs superblock SID. */
1da177e4
LT		 1226 isec->sid = sbsec->sid;
1227
1228 if (sbsec->proc) {
1229 struct proc_inode *proci = PROC_I(inode);
1230 if (proci->pde) {
1231 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1232 rc = selinux_proc_get_sid(proci->pde,
1233 isec->sclass,
1234 &sid);
1235 if (rc)
23970741 1236 goto out_unlock;
1da177e4
LT		 1237 isec->sid = sid;
1238 }
1239 }
1240 break;
1241 }
1242
1243 isec->initialized = 1;
1244
23970741
EP		 1245out_unlock:
1246 mutex_unlock(&isec->lock);
1da177e4
LT		 1247out:
1248 if (isec->sclass == SECCLASS_FILE)
1249 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1250 return rc;
1251}
1252
1253/* Convert a Linux signal to an access vector. */
1254static inline u32 signal_to_av(int sig)
1255{
1256 u32 perm = 0;
1257
1258 switch (sig) {
1259 case SIGCHLD:
1260 /* Commonly granted from child to parent. */
1261 perm = PROCESS__SIGCHLD;
1262 break;
1263 case SIGKILL:
1264 /* Cannot be caught or ignored */
1265 perm = PROCESS__SIGKILL;
1266 break;
1267 case SIGSTOP:
1268 /* Cannot be caught or ignored */
1269 perm = PROCESS__SIGSTOP;
1270 break;
1271 default:
1272 /* All other signals. */
1273 perm = PROCESS__SIGNAL;
1274 break;
1275 }
1276
1277 return perm;
1278}
1279
1280/* Check permission betweeen a pair of tasks, e.g. signal checks,
1281 fork check, ptrace check, etc. */
1282static int task_has_perm(struct task_struct *tsk1,
1283 struct task_struct *tsk2,
1284 u32 perms)
1285{
1286 struct task_security_struct *tsec1, *tsec2;
1287
1288 tsec1 = tsk1->security;
1289 tsec2 = tsk2->security;
1290 return avc_has_perm(tsec1->sid, tsec2->sid,
1291 SECCLASS_PROCESS, perms, NULL);
1292}
1293
b68e418c
SS		 1294#if CAP_LAST_CAP > 63
1295#error Fix SELinux to handle capabilities > 63.
1296#endif
1297
1da177e4
LT		 1298/* Check whether a task is allowed to use a capability. */
1299static int task_has_capability(struct task_struct *tsk,
1300 int cap)
1301{
1302 struct task_security_struct *tsec;
1303 struct avc_audit_data ad;
b68e418c
SS		 1304 u16 sclass;
1305 u32 av = CAP_TO_MASK(cap);
1da177e4
LT		 1306
1307 tsec = tsk->security;
1308
1309 AVC_AUDIT_DATA_INIT(&ad,CAP);
1310 ad.tsk = tsk;
1311 ad.u.cap = cap;
1312
b68e418c
SS		 1313 switch (CAP_TO_INDEX(cap)) {
1314 case 0:
1315 sclass = SECCLASS_CAPABILITY;
1316 break;
1317 case 1:
1318 sclass = SECCLASS_CAPABILITY2;
1319 break;
1320 default:
1321 printk(KERN_ERR
1322 "SELinux: out of range capability %d\n", cap);
1323 BUG();
1324 }
1325 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1da177e4
LT		 1326}
1327
1328/* Check whether a task is allowed to use a system operation. */
1329static int task_has_system(struct task_struct *tsk,
1330 u32 perms)
1331{
1332 struct task_security_struct *tsec;
1333
1334 tsec = tsk->security;
1335
1336 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1337 SECCLASS_SYSTEM, perms, NULL);
1338}
1339
1340/* Check whether a task has a particular permission to an inode.
1341 The 'adp' parameter is optional and allows other audit
1342 data to be passed (e.g. the dentry). */
1343static int inode_has_perm(struct task_struct *tsk,
1344 struct inode *inode,
1345 u32 perms,
1346 struct avc_audit_data *adp)
1347{
1348 struct task_security_struct *tsec;
1349 struct inode_security_struct *isec;
1350 struct avc_audit_data ad;
1351
bbaca6c2
SS		 1352 if (unlikely (IS_PRIVATE (inode)))
1353 return 0;
1354
1da177e4
LT		 1355 tsec = tsk->security;
1356 isec = inode->i_security;
1357
1358 if (!adp) {
1359 adp = &ad;
1360 AVC_AUDIT_DATA_INIT(&ad, FS);
1361 ad.u.fs.inode = inode;
1362 }
1363
1364 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1365}
1366
1367/* Same as inode_has_perm, but pass explicit audit data containing
1368 the dentry to help the auditing code to more easily generate the
1369 pathname if needed. */
1370static inline int dentry_has_perm(struct task_struct *tsk,
1371 struct vfsmount *mnt,
1372 struct dentry *dentry,
1373 u32 av)
1374{
1375 struct inode *inode = dentry->d_inode;
1376 struct avc_audit_data ad;
1377 AVC_AUDIT_DATA_INIT(&ad,FS);
44707fdf
JB		 1378 ad.u.fs.path.mnt = mnt;
1379 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1380 return inode_has_perm(tsk, inode, av, &ad);
1381}
1382
1383/* Check whether a task can use an open file descriptor to
1384 access an inode in a given way. Check access to the
1385 descriptor itself, and then use dentry_has_perm to
1386 check a particular permission to the file.
1387 Access to the descriptor is implicitly granted if it
1388 has the same SID as the process. If av is zero, then
1389 access to the file is not checked, e.g. for cases
1390 where only the descriptor is affected like seek. */
858119e1 1391static int file_has_perm(struct task_struct *tsk,
1da177e4
LT		 1392 struct file *file,
1393 u32 av)
1394{
1395 struct task_security_struct *tsec = tsk->security;
1396 struct file_security_struct *fsec = file->f_security;
44707fdf 1397 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 1398 struct avc_audit_data ad;
1399 int rc;
1400
1401 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1402 ad.u.fs.path = file->f_path;
1da177e4
LT		 1403
1404 if (tsec->sid != fsec->sid) {
1405 rc = avc_has_perm(tsec->sid, fsec->sid,
1406 SECCLASS_FD,
1407 FD__USE,
1408 &ad);
1409 if (rc)
1410 return rc;
1411 }
1412
1413 /* av is zero if only checking access to the descriptor. */
1414 if (av)
1415 return inode_has_perm(tsk, inode, av, &ad);
1416
1417 return 0;
1418}
1419
1420/* Check whether a task can create a file. */
1421static int may_create(struct inode *dir,
1422 struct dentry *dentry,
1423 u16 tclass)
1424{
1425 struct task_security_struct *tsec;
1426 struct inode_security_struct *dsec;
1427 struct superblock_security_struct *sbsec;
1428 u32 newsid;
1429 struct avc_audit_data ad;
1430 int rc;
1431
1432 tsec = current->security;
1433 dsec = dir->i_security;
1434 sbsec = dir->i_sb->s_security;
1435
1436 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1437 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1438
1439 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1440 DIR__ADD_NAME | DIR__SEARCH,
1441 &ad);
1442 if (rc)
1443 return rc;
1444
1445 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1446 newsid = tsec->create_sid;
1447 } else {
1448 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1449 &newsid);
1450 if (rc)
1451 return rc;
1452 }
1453
1454 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1455 if (rc)
1456 return rc;
1457
1458 return avc_has_perm(newsid, sbsec->sid,
1459 SECCLASS_FILESYSTEM,
1460 FILESYSTEM__ASSOCIATE, &ad);
1461}
1462
4eb582cf
ML		 1463/* Check whether a task can create a key. */
1464static int may_create_key(u32 ksid,
1465 struct task_struct *ctx)
1466{
1467 struct task_security_struct *tsec;
1468
1469 tsec = ctx->security;
1470
1471 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1472}
1473
1da177e4
LT		 1474#define MAY_LINK 0
1475#define MAY_UNLINK 1
1476#define MAY_RMDIR 2
1477
1478/* Check whether a task can link, unlink, or rmdir a file/directory. */
1479static int may_link(struct inode *dir,
1480 struct dentry *dentry,
1481 int kind)
1482
1483{
1484 struct task_security_struct *tsec;
1485 struct inode_security_struct *dsec, *isec;
1486 struct avc_audit_data ad;
1487 u32 av;
1488 int rc;
1489
1490 tsec = current->security;
1491 dsec = dir->i_security;
1492 isec = dentry->d_inode->i_security;
1493
1494 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1495 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1496
1497 av = DIR__SEARCH;
1498 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1499 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1500 if (rc)
1501 return rc;
1502
1503 switch (kind) {
1504 case MAY_LINK:
1505 av = FILE__LINK;
1506 break;
1507 case MAY_UNLINK:
1508 av = FILE__UNLINK;
1509 break;
1510 case MAY_RMDIR:
1511 av = DIR__RMDIR;
1512 break;
1513 default:
1514 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1515 return 0;
1516 }
1517
1518 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1519 return rc;
1520}
1521
1522static inline int may_rename(struct inode *old_dir,
1523 struct dentry *old_dentry,
1524 struct inode *new_dir,
1525 struct dentry *new_dentry)
1526{
1527 struct task_security_struct *tsec;
1528 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1529 struct avc_audit_data ad;
1530 u32 av;
1531 int old_is_dir, new_is_dir;
1532 int rc;
1533
1534 tsec = current->security;
1535 old_dsec = old_dir->i_security;
1536 old_isec = old_dentry->d_inode->i_security;
1537 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1538 new_dsec = new_dir->i_security;
1539
1540 AVC_AUDIT_DATA_INIT(&ad, FS);
1541
44707fdf 1542 ad.u.fs.path.dentry = old_dentry;
1da177e4
LT		 1543 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1544 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1545 if (rc)
1546 return rc;
1547 rc = avc_has_perm(tsec->sid, old_isec->sid,
1548 old_isec->sclass, FILE__RENAME, &ad);
1549 if (rc)
1550 return rc;
1551 if (old_is_dir && new_dir != old_dir) {
1552 rc = avc_has_perm(tsec->sid, old_isec->sid,
1553 old_isec->sclass, DIR__REPARENT, &ad);
1554 if (rc)
1555 return rc;
1556 }
1557
44707fdf 1558 ad.u.fs.path.dentry = new_dentry;
1da177e4
LT		 1559 av = DIR__ADD_NAME | DIR__SEARCH;
1560 if (new_dentry->d_inode)
1561 av |= DIR__REMOVE_NAME;
1562 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1563 if (rc)
1564 return rc;
1565 if (new_dentry->d_inode) {
1566 new_isec = new_dentry->d_inode->i_security;
1567 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1568 rc = avc_has_perm(tsec->sid, new_isec->sid,
1569 new_isec->sclass,
1570 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1571 if (rc)
1572 return rc;
1573 }
1574
1575 return 0;
1576}
1577
1578/* Check whether a task can perform a filesystem operation. */
1579static int superblock_has_perm(struct task_struct *tsk,
1580 struct super_block *sb,
1581 u32 perms,
1582 struct avc_audit_data *ad)
1583{
1584 struct task_security_struct *tsec;
1585 struct superblock_security_struct *sbsec;
1586
1587 tsec = tsk->security;
1588 sbsec = sb->s_security;
1589 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1590 perms, ad);
1591}
1592
1593/* Convert a Linux mode and permission mask to an access vector. */
1594static inline u32 file_mask_to_av(int mode, int mask)
1595{
1596 u32 av = 0;
1597
1598 if ((mode & S_IFMT) != S_IFDIR) {
1599 if (mask & MAY_EXEC)
1600 av |= FILE__EXECUTE;
1601 if (mask & MAY_READ)
1602 av |= FILE__READ;
1603
1604 if (mask & MAY_APPEND)
1605 av |= FILE__APPEND;
1606 else if (mask & MAY_WRITE)
1607 av |= FILE__WRITE;
1608
1609 } else {
1610 if (mask & MAY_EXEC)
1611 av |= DIR__SEARCH;
1612 if (mask & MAY_WRITE)
1613 av |= DIR__WRITE;
1614 if (mask & MAY_READ)
1615 av |= DIR__READ;
1616 }
1617
1618 return av;
1619}
1620
1621/* Convert a Linux file to an access vector. */
1622static inline u32 file_to_av(struct file *file)
1623{
1624 u32 av = 0;
1625
1626 if (file->f_mode & FMODE_READ)
1627 av |= FILE__READ;
1628 if (file->f_mode & FMODE_WRITE) {
1629 if (file->f_flags & O_APPEND)
1630 av |= FILE__APPEND;
1631 else
1632 av |= FILE__WRITE;
1633 }
0794c66d
SS		 1634 if (!av) {
1635 /*
1636 * Special file opened with flags 3 for ioctl-only use.
1637 */
1638 av = FILE__IOCTL;
1639 }
1da177e4
LT		 1640
1641 return av;
1642}
1643
1da177e4
LT		 1644/* Hook functions begin here. */
1645
1646static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1647{
1648 struct task_security_struct *psec = parent->security;
1649 struct task_security_struct *csec = child->security;
1650 int rc;
1651
1652 rc = secondary_ops->ptrace(parent,child);
1653 if (rc)
1654 return rc;
1655
1656 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1657 /* Save the SID of the tracing process for later use in apply_creds. */
341c2d80 1658 if (!(child->ptrace & PT_PTRACED) && !rc)
1da177e4
LT		 1659 csec->ptrace_sid = psec->sid;
1660 return rc;
1661}
1662
1663static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1664 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1665{
1666 int error;
1667
1668 error = task_has_perm(current, target, PROCESS__GETCAP);
1669 if (error)
1670 return error;
1671
1672 return secondary_ops->capget(target, effective, inheritable, permitted);
1673}
1674
1675static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1676 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1677{
1678 int error;
1679
1680 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1681 if (error)
1682 return error;
1683
1684 return task_has_perm(current, target, PROCESS__SETCAP);
1685}
1686
1687static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1688 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1689{
1690 secondary_ops->capset_set(target, effective, inheritable, permitted);
1691}
1692
1693static int selinux_capable(struct task_struct *tsk, int cap)
1694{
1695 int rc;
1696
1697 rc = secondary_ops->capable(tsk, cap);
1698 if (rc)
1699 return rc;
1700
1701 return task_has_capability(tsk,cap);
1702}
1703
3fbfa981
EB		 1704static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1705{
1706 int buflen, rc;
1707 char *buffer, *path, *end;
1708
1709 rc = -ENOMEM;
1710 buffer = (char*)__get_free_page(GFP_KERNEL);
1711 if (!buffer)
1712 goto out;
1713
1714 buflen = PAGE_SIZE;
1715 end = buffer+buflen;
1716 *--end = '\0';
1717 buflen--;
1718 path = end-1;
1719 *path = '/';
1720 while (table) {
1721 const char *name = table->procname;
1722 size_t namelen = strlen(name);
1723 buflen -= namelen + 1;
1724 if (buflen < 0)
1725 goto out_free;
1726 end -= namelen;
1727 memcpy(end, name, namelen);
1728 *--end = '/';
1729 path = end;
1730 table = table->parent;
1731 }
b599fdfd
EB		 1732 buflen -= 4;
1733 if (buflen < 0)
1734 goto out_free;
1735 end -= 4;
1736 memcpy(end, "/sys", 4);
1737 path = end;
3fbfa981
EB		 1738 rc = security_genfs_sid("proc", path, tclass, sid);
1739out_free:
1740 free_page((unsigned long)buffer);
1741out:
1742 return rc;
1743}
1744
1da177e4
LT		 1745static int selinux_sysctl(ctl_table *table, int op)
1746{
1747 int error = 0;
1748 u32 av;
1749 struct task_security_struct *tsec;
1750 u32 tsid;
1751 int rc;
1752
1753 rc = secondary_ops->sysctl(table, op);
1754 if (rc)
1755 return rc;
1756
1757 tsec = current->security;
1758
3fbfa981
EB		 1759 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1760 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1da177e4
LT		 1761 if (rc) {
1762 /* Default to the well-defined sysctl SID. */
1763 tsid = SECINITSID_SYSCTL;
1764 }
1765
1766 /* The op values are "defined" in sysctl.c, thereby creating
1767 * a bad coupling between this module and sysctl.c */
1768 if(op == 001) {
1769 error = avc_has_perm(tsec->sid, tsid,
1770 SECCLASS_DIR, DIR__SEARCH, NULL);
1771 } else {
1772 av = 0;
1773 if (op & 004)
1774 av |= FILE__READ;
1775 if (op & 002)
1776 av |= FILE__WRITE;
1777 if (av)
1778 error = avc_has_perm(tsec->sid, tsid,
1779 SECCLASS_FILE, av, NULL);
1780 }
1781
1782 return error;
1783}
1784
1785static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1786{
1787 int rc = 0;
1788
1789 if (!sb)
1790 return 0;
1791
1792 switch (cmds) {
1793 case Q_SYNC:
1794 case Q_QUOTAON:
1795 case Q_QUOTAOFF:
1796 case Q_SETINFO:
1797 case Q_SETQUOTA:
1798 rc = superblock_has_perm(current,
1799 sb,
1800 FILESYSTEM__QUOTAMOD, NULL);
1801 break;
1802 case Q_GETFMT:
1803 case Q_GETINFO:
1804 case Q_GETQUOTA:
1805 rc = superblock_has_perm(current,
1806 sb,
1807 FILESYSTEM__QUOTAGET, NULL);
1808 break;
1809 default:
1810 rc = 0; /* let the kernel handle invalid cmds */
1811 break;
1812 }
1813 return rc;
1814}
1815
1816static int selinux_quota_on(struct dentry *dentry)
1817{
1818 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1819}
1820
1821static int selinux_syslog(int type)
1822{
1823 int rc;
1824
1825 rc = secondary_ops->syslog(type);
1826 if (rc)
1827 return rc;
1828
1829 switch (type) {
1830 case 3: /* Read last kernel messages */
1831 case 10: /* Return size of the log buffer */
1832 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1833 break;
1834 case 6: /* Disable logging to console */
1835 case 7: /* Enable logging to console */
1836 case 8: /* Set level of messages printed to console */
1837 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1838 break;
1839 case 0: /* Close log */
1840 case 1: /* Open log */
1841 case 2: /* Read from log */
1842 case 4: /* Read/clear last kernel messages */
1843 case 5: /* Clear ring buffer */
1844 default:
1845 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1846 break;
1847 }
1848 return rc;
1849}
1850
1851/*
1852 * Check that a process has enough memory to allocate a new virtual
1853 * mapping. 0 means there is enough memory for the allocation to
1854 * succeed and -ENOMEM implies there is not.
1855 *
1856 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1857 * if the capability is granted, but __vm_enough_memory requires 1 if
1858 * the capability is granted.
1859 *
1860 * Do not audit the selinux permission check, as this is applied to all
1861 * processes that allocate mappings.
1862 */
34b4e4aa 1863static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 1864{
1865 int rc, cap_sys_admin = 0;
1866 struct task_security_struct *tsec = current->security;
1867
1868 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1869 if (rc == 0)
1870 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2c3c05db
SS		 1871 SECCLASS_CAPABILITY,
1872 CAP_TO_MASK(CAP_SYS_ADMIN),
1873 0,
1874 NULL);
1da177e4
LT		 1875
1876 if (rc == 0)
1877 cap_sys_admin = 1;
1878
34b4e4aa 1879 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 1880}
1881
1882/* binprm security operations */
1883
1884static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1885{
1886 struct bprm_security_struct *bsec;
1887
89d155ef 1888 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1da177e4
LT		 1889 if (!bsec)
1890 return -ENOMEM;
1891
1da177e4
LT		 1892 bsec->bprm = bprm;
1893 bsec->sid = SECINITSID_UNLABELED;
1894 bsec->set = 0;
1895
1896 bprm->security = bsec;
1897 return 0;
1898}
1899
1900static int selinux_bprm_set_security(struct linux_binprm *bprm)
1901{
1902 struct task_security_struct *tsec;
3d5ff529 1903 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1da177e4
LT		 1904 struct inode_security_struct *isec;
1905 struct bprm_security_struct *bsec;
1906 u32 newsid;
1907 struct avc_audit_data ad;
1908 int rc;
1909
1910 rc = secondary_ops->bprm_set_security(bprm);
1911 if (rc)
1912 return rc;
1913
1914 bsec = bprm->security;
1915
1916 if (bsec->set)
1917 return 0;
1918
1919 tsec = current->security;
1920 isec = inode->i_security;
1921
1922 /* Default to the current task SID. */
1923 bsec->sid = tsec->sid;
1924
28eba5bf 1925 /* Reset fs, key, and sock SIDs on execve. */
1da177e4 1926 tsec->create_sid = 0;
28eba5bf 1927 tsec->keycreate_sid = 0;
42c3e03e 1928 tsec->sockcreate_sid = 0;
1da177e4
LT		 1929
1930 if (tsec->exec_sid) {
1931 newsid = tsec->exec_sid;
1932 /* Reset exec SID on execve. */
1933 tsec->exec_sid = 0;
1934 } else {
1935 /* Check for a default transition on this program. */
1936 rc = security_transition_sid(tsec->sid, isec->sid,
1937 SECCLASS_PROCESS, &newsid);
1938 if (rc)
1939 return rc;
1940 }
1941
1942 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1943 ad.u.fs.path = bprm->file->f_path;
1da177e4 1944
3d5ff529 1945 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1da177e4
LT		 1946 newsid = tsec->sid;
1947
1948 if (tsec->sid == newsid) {
1949 rc = avc_has_perm(tsec->sid, isec->sid,
1950 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1951 if (rc)
1952 return rc;
1953 } else {
1954 /* Check permissions for the transition. */
1955 rc = avc_has_perm(tsec->sid, newsid,
1956 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1957 if (rc)
1958 return rc;
1959
1960 rc = avc_has_perm(newsid, isec->sid,
1961 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1962 if (rc)
1963 return rc;
1964
1965 /* Clear any possibly unsafe personality bits on exec: */
1966 current->personality &= ~PER_CLEAR_ON_SETID;
1967
1968 /* Set the security field to the new SID. */
1969 bsec->sid = newsid;
1970 }
1971
1972 bsec->set = 1;
1973 return 0;
1974}
1975
1976static int selinux_bprm_check_security (struct linux_binprm *bprm)
1977{
1978 return secondary_ops->bprm_check_security(bprm);
1979}
1980
1981
1982static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1983{
1984 struct task_security_struct *tsec = current->security;
1985 int atsecure = 0;
1986
1987 if (tsec->osid != tsec->sid) {
1988 /* Enable secure mode for SIDs transitions unless
1989 the noatsecure permission is granted between
1990 the two SIDs, i.e. ahp returns 0. */
1991 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1992 SECCLASS_PROCESS,
1993 PROCESS__NOATSECURE, NULL);
1994 }
1995
1996 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1997}
1998
1999static void selinux_bprm_free_security(struct linux_binprm *bprm)
2000{
9a5f04bf 2001 kfree(bprm->security);
1da177e4 2002 bprm->security = NULL;
1da177e4
LT		 2003}
2004
2005extern struct vfsmount *selinuxfs_mount;
2006extern struct dentry *selinux_null;
2007
2008/* Derived from fs/exec.c:flush_old_files. */
2009static inline void flush_unauthorized_files(struct files_struct * files)
2010{
2011 struct avc_audit_data ad;
2012 struct file *file, *devnull = NULL;
b20c8122 2013 struct tty_struct *tty;
badf1662 2014 struct fdtable *fdt;
1da177e4 2015 long j = -1;
24ec839c 2016 int drop_tty = 0;
1da177e4 2017
b20c8122 2018 mutex_lock(&tty_mutex);
24ec839c 2019 tty = get_current_tty();
1da177e4
LT		 2020 if (tty) {
2021 file_list_lock();
2f512016 2022 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1da177e4
LT		 2023 if (file) {
2024 /* Revalidate access to controlling tty.
2025 Use inode_has_perm on the tty inode directly rather
2026 than using file_has_perm, as this particular open
2027 file may belong to another process and we are only
2028 interested in the inode-based check here. */
3d5ff529 2029 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2030 if (inode_has_perm(current, inode,
2031 FILE__READ | FILE__WRITE, NULL)) {
24ec839c 2032 drop_tty = 1;
1da177e4
LT		 2033 }
2034 }
2035 file_list_unlock();
2036 }
b20c8122 2037 mutex_unlock(&tty_mutex);
98a27ba4
EB		 2038 /* Reset controlling tty. */
2039 if (drop_tty)
2040 no_tty();
1da177e4
LT		 2041
2042 /* Revalidate access to inherited open files. */
2043
2044 AVC_AUDIT_DATA_INIT(&ad,FS);
2045
2046 spin_lock(&files->file_lock);
2047 for (;;) {
2048 unsigned long set, i;
2049 int fd;
2050
2051 j++;
2052 i = j * __NFDBITS;
badf1662 2053 fdt = files_fdtable(files);
bbea9f69 2054 if (i >= fdt->max_fds)
1da177e4 2055 break;
badf1662 2056 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 2057 if (!set)
2058 continue;
2059 spin_unlock(&files->file_lock);
2060 for ( ; set ; i++,set >>= 1) {
2061 if (set & 1) {
2062 file = fget(i);
2063 if (!file)
2064 continue;
2065 if (file_has_perm(current,
2066 file,
2067 file_to_av(file))) {
2068 sys_close(i);
2069 fd = get_unused_fd();
2070 if (fd != i) {
2071 if (fd >= 0)
2072 put_unused_fd(fd);
2073 fput(file);
2074 continue;
2075 }
2076 if (devnull) {
095975da 2077 get_file(devnull);
1da177e4
LT		 2078 } else {
2079 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
fc5d81e6
AM		 2080 if (IS_ERR(devnull)) {
2081 devnull = NULL;
1da177e4
LT		 2082 put_unused_fd(fd);
2083 fput(file);
2084 continue;
2085 }
2086 }
2087 fd_install(fd, devnull);
2088 }
2089 fput(file);
2090 }
2091 }
2092 spin_lock(&files->file_lock);
2093
2094 }
2095 spin_unlock(&files->file_lock);
2096}
2097
2098static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2099{
2100 struct task_security_struct *tsec;
2101 struct bprm_security_struct *bsec;
2102 u32 sid;
2103 int rc;
2104
2105 secondary_ops->bprm_apply_creds(bprm, unsafe);
2106
2107 tsec = current->security;
2108
2109 bsec = bprm->security;
2110 sid = bsec->sid;
2111
2112 tsec->osid = tsec->sid;
2113 bsec->unsafe = 0;
2114 if (tsec->sid != sid) {
2115 /* Check for shared state. If not ok, leave SID
2116 unchanged and kill. */
2117 if (unsafe & LSM_UNSAFE_SHARE) {
2118 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2119 PROCESS__SHARE, NULL);
2120 if (rc) {
2121 bsec->unsafe = 1;
2122 return;
2123 }
2124 }
2125
2126 /* Check for ptracing, and update the task SID if ok.
2127 Otherwise, leave SID unchanged and kill. */
2128 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2129 rc = avc_has_perm(tsec->ptrace_sid, sid,
2130 SECCLASS_PROCESS, PROCESS__PTRACE,
2131 NULL);
2132 if (rc) {
2133 bsec->unsafe = 1;
2134 return;
2135 }
2136 }
2137 tsec->sid = sid;
2138 }
2139}
2140
2141/*
2142 * called after apply_creds without the task lock held
2143 */
2144static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2145{
2146 struct task_security_struct *tsec;
2147 struct rlimit *rlim, *initrlim;
2148 struct itimerval itimer;
2149 struct bprm_security_struct *bsec;
2150 int rc, i;
2151
2152 tsec = current->security;
2153 bsec = bprm->security;
2154
2155 if (bsec->unsafe) {
2156 force_sig_specific(SIGKILL, current);
2157 return;
2158 }
2159 if (tsec->osid == tsec->sid)
2160 return;
2161
2162 /* Close files for which the new task SID is not authorized. */
2163 flush_unauthorized_files(current->files);
2164
2165 /* Check whether the new SID can inherit signal state
2166 from the old SID. If not, clear itimers to avoid
2167 subsequent signal generation and flush and unblock
2168 signals. This must occur _after_ the task SID has
2169 been updated so that any kill done after the flush
2170 will be checked against the new SID. */
2171 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2172 PROCESS__SIGINH, NULL);
2173 if (rc) {
2174 memset(&itimer, 0, sizeof itimer);
2175 for (i = 0; i < 3; i++)
2176 do_setitimer(i, &itimer, NULL);
2177 flush_signals(current);
2178 spin_lock_irq(&current->sighand->siglock);
2179 flush_signal_handlers(current, 1);
2180 sigemptyset(&current->blocked);
2181 recalc_sigpending();
2182 spin_unlock_irq(&current->sighand->siglock);
2183 }
2184
4ac212ad
SS		 2185 /* Always clear parent death signal on SID transitions. */
2186 current->pdeath_signal = 0;
2187
1da177e4
LT		 2188 /* Check whether the new SID can inherit resource limits
2189 from the old SID. If not, reset all soft limits to
2190 the lower of the current task's hard limit and the init
2191 task's soft limit. Note that the setting of hard limits
2192 (even to lower them) can be controlled by the setrlimit
2193 check. The inclusion of the init task's soft limit into
2194 the computation is to avoid resetting soft limits higher
2195 than the default soft limit for cases where the default
2196 is lower than the hard limit, e.g. RLIMIT_CORE or
2197 RLIMIT_STACK.*/
2198 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2199 PROCESS__RLIMITINH, NULL);
2200 if (rc) {
2201 for (i = 0; i < RLIM_NLIMITS; i++) {
2202 rlim = current->signal->rlim + i;
2203 initrlim = init_task.signal->rlim+i;
2204 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2205 }
2206 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2207 /*
2208 * This will cause RLIMIT_CPU calculations
2209 * to be refigured.
2210 */
2211 current->it_prof_expires = jiffies_to_cputime(1);
2212 }
2213 }
2214
2215 /* Wake up the parent if it is waiting so that it can
2216 recheck wait permission to the new task SID. */
2217 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2218}
2219
2220/* superblock security operations */
2221
2222static int selinux_sb_alloc_security(struct super_block *sb)
2223{
2224 return superblock_alloc_security(sb);
2225}
2226
2227static void selinux_sb_free_security(struct super_block *sb)
2228{
2229 superblock_free_security(sb);
2230}
2231
2232static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2233{
2234 if (plen > olen)
2235 return 0;
2236
2237 return !memcmp(prefix, option, plen);
2238}
2239
2240static inline int selinux_option(char *option, int len)
2241{
2242 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2243 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
0808925e
EP		 2244 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2245 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
1da177e4
LT		 2246}
2247
2248static inline void take_option(char **to, char *from, int *first, int len)
2249{
2250 if (!*first) {
2251 **to = ',';
2252 *to += 1;
3528a953 2253 } else
1da177e4
LT		 2254 *first = 0;
2255 memcpy(*to, from, len);
2256 *to += len;
2257}
2258
3528a953
CO		 2259static inline void take_selinux_option(char **to, char *from, int *first,
2260 int len)
2261{
2262 int current_size = 0;
2263
2264 if (!*first) {
2265 **to = '|';
2266 *to += 1;
2267 }
2268 else
2269 *first = 0;
2270
2271 while (current_size < len) {
2272 if (*from != '"') {
2273 **to = *from;
2274 *to += 1;
2275 }
2276 from += 1;
2277 current_size += 1;
2278 }
2279}
2280
e0007529 2281static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2282{
2283 int fnosec, fsec, rc = 0;
2284 char *in_save, *in_curr, *in_end;
2285 char *sec_curr, *nosec_save, *nosec;
3528a953 2286 int open_quote = 0;
1da177e4
LT		 2287
2288 in_curr = orig;
2289 sec_curr = copy;
2290
1da177e4
LT		 2291 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2292 if (!nosec) {
2293 rc = -ENOMEM;
2294 goto out;
2295 }
2296
2297 nosec_save = nosec;
2298 fnosec = fsec = 1;
2299 in_save = in_end = orig;
2300
2301 do {
3528a953
CO		 2302 if (*in_end == '"')
2303 open_quote = !open_quote;
2304 if ((*in_end == ',' && open_quote == 0) ||
2305 *in_end == '\0') {
1da177e4
LT		 2306 int len = in_end - in_curr;
2307
2308 if (selinux_option(in_curr, len))
3528a953 2309 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2310 else
2311 take_option(&nosec, in_curr, &fnosec, len);
2312
2313 in_curr = in_end + 1;
2314 }
2315 } while (*in_end++);
2316
6931dfc9 2317 strcpy(in_save, nosec_save);
da3caa20 2318 free_page((unsigned long)nosec_save);
1da177e4
LT		 2319out:
2320 return rc;
2321}
2322
2323static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2324{
2325 struct avc_audit_data ad;
2326 int rc;
2327
2328 rc = superblock_doinit(sb, data);
2329 if (rc)
2330 return rc;
2331
2332 AVC_AUDIT_DATA_INIT(&ad,FS);
44707fdf 2333 ad.u.fs.path.dentry = sb->s_root;
1da177e4
LT		 2334 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2335}
2336
726c3342 2337static int selinux_sb_statfs(struct dentry *dentry)
1da177e4
LT		 2338{
2339 struct avc_audit_data ad;
2340
2341 AVC_AUDIT_DATA_INIT(&ad,FS);
44707fdf 2342 ad.u.fs.path.dentry = dentry->d_sb->s_root;
726c3342 2343 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2344}
2345
2346static int selinux_mount(char * dev_name,
2347 struct nameidata *nd,
2348 char * type,
2349 unsigned long flags,
2350 void * data)
2351{
2352 int rc;
2353
2354 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2355 if (rc)
2356 return rc;
2357
2358 if (flags & MS_REMOUNT)
4ac91378 2359 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
1da177e4
LT		 2360 FILESYSTEM__REMOUNT, NULL);
2361 else
4ac91378 2362 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
1da177e4
LT		 2363 FILE__MOUNTON);
2364}
2365
2366static int selinux_umount(struct vfsmount *mnt, int flags)
2367{
2368 int rc;
2369
2370 rc = secondary_ops->sb_umount(mnt, flags);
2371 if (rc)
2372 return rc;
2373
2374 return superblock_has_perm(current,mnt->mnt_sb,
2375 FILESYSTEM__UNMOUNT,NULL);
2376}
2377
2378/* inode security operations */
2379
2380static int selinux_inode_alloc_security(struct inode *inode)
2381{
2382 return inode_alloc_security(inode);
2383}
2384
2385static void selinux_inode_free_security(struct inode *inode)
2386{
2387 inode_free_security(inode);
2388}
2389
5e41ff9e
SS		 2390static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2391 char **name, void **value,
2392 size_t *len)
2393{
2394 struct task_security_struct *tsec;
2395 struct inode_security_struct *dsec;
2396 struct superblock_security_struct *sbsec;
570bc1c2 2397 u32 newsid, clen;
5e41ff9e 2398 int rc;
570bc1c2 2399 char *namep = NULL, *context;
5e41ff9e
SS		 2400
2401 tsec = current->security;
2402 dsec = dir->i_security;
2403 sbsec = dir->i_sb->s_security;
5e41ff9e
SS		 2404
2405 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2406 newsid = tsec->create_sid;
2407 } else {
2408 rc = security_transition_sid(tsec->sid, dsec->sid,
2409 inode_mode_to_security_class(inode->i_mode),
2410 &newsid);
2411 if (rc) {
2412 printk(KERN_WARNING "%s: "
2413 "security_transition_sid failed, rc=%d (dev=%s "
2414 "ino=%ld)\n",
2415 __FUNCTION__,
2416 -rc, inode->i_sb->s_id, inode->i_ino);
2417 return rc;
2418 }
2419 }
2420
296fddf7
EP		 2421 /* Possibly defer initialization to selinux_complete_init. */
2422 if (sbsec->initialized) {
2423 struct inode_security_struct *isec = inode->i_security;
2424 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2425 isec->sid = newsid;
2426 isec->initialized = 1;
2427 }
5e41ff9e 2428
8aad3875 2429 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
25a74f3b
SS		 2430 return -EOPNOTSUPP;
2431
570bc1c2 2432 if (name) {
a02fe132 2433 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
570bc1c2
SS		 2434 if (!namep)
2435 return -ENOMEM;
2436 *name = namep;
2437 }
5e41ff9e 2438
570bc1c2
SS		 2439 if (value && len) {
2440 rc = security_sid_to_context(newsid, &context, &clen);
2441 if (rc) {
2442 kfree(namep);
2443 return rc;
2444 }
2445 *value = context;
2446 *len = clen;
5e41ff9e 2447 }
5e41ff9e 2448
5e41ff9e
SS		 2449 return 0;
2450}
2451
1da177e4
LT		 2452static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2453{
2454 return may_create(dir, dentry, SECCLASS_FILE);
2455}
2456
1da177e4
LT		 2457static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2458{
2459 int rc;
2460
2461 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2462 if (rc)
2463 return rc;
2464 return may_link(dir, old_dentry, MAY_LINK);
2465}
2466
1da177e4
LT		 2467static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2468{
2469 int rc;
2470
2471 rc = secondary_ops->inode_unlink(dir, dentry);
2472 if (rc)
2473 return rc;
2474 return may_link(dir, dentry, MAY_UNLINK);
2475}
2476
2477static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2478{
2479 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2480}
2481
1da177e4
LT		 2482static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2483{
2484 return may_create(dir, dentry, SECCLASS_DIR);
2485}
2486
1da177e4
LT		 2487static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2488{
2489 return may_link(dir, dentry, MAY_RMDIR);
2490}
2491
2492static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2493{
2494 int rc;
2495
2496 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2497 if (rc)
2498 return rc;
2499
2500 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2501}
2502
1da177e4
LT		 2503static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2504 struct inode *new_inode, struct dentry *new_dentry)
2505{
2506 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2507}
2508
1da177e4
LT		 2509static int selinux_inode_readlink(struct dentry *dentry)
2510{
2511 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2512}
2513
2514static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2515{
2516 int rc;
2517
2518 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2519 if (rc)
2520 return rc;
2521 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2522}
2523
2524static int selinux_inode_permission(struct inode *inode, int mask,
2525 struct nameidata *nd)
2526{
2527 int rc;
2528
2529 rc = secondary_ops->inode_permission(inode, mask, nd);
2530 if (rc)
2531 return rc;
2532
2533 if (!mask) {
2534 /* No permission to check. Existence test. */
2535 return 0;
2536 }
2537
2538 return inode_has_perm(current, inode,
2539 file_mask_to_av(inode->i_mode, mask), NULL);
2540}
2541
2542static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2543{
2544 int rc;
2545
2546 rc = secondary_ops->inode_setattr(dentry, iattr);
2547 if (rc)
2548 return rc;
2549
2550 if (iattr->ia_valid & ATTR_FORCE)
2551 return 0;
2552
2553 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2554 ATTR_ATIME_SET | ATTR_MTIME_SET))
2555 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2556
2557 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2558}
2559
2560static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2561{
2562 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2563}
2564
b5376771
SH		 2565static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2566{
2567 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2568 sizeof XATTR_SECURITY_PREFIX - 1)) {
2569 if (!strcmp(name, XATTR_NAME_CAPS)) {
2570 if (!capable(CAP_SETFCAP))
2571 return -EPERM;
2572 } else if (!capable(CAP_SYS_ADMIN)) {
2573 /* A different attribute in the security namespace.
2574 Restrict to administrator. */
2575 return -EPERM;
2576 }
2577 }
2578
2579 /* Not an attribute we recognize, so just check the
2580 ordinary setattr permission. */
2581 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2582}
2583
1da177e4
LT		 2584static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2585{
2586 struct task_security_struct *tsec = current->security;
2587 struct inode *inode = dentry->d_inode;
2588 struct inode_security_struct *isec = inode->i_security;
2589 struct superblock_security_struct *sbsec;
2590 struct avc_audit_data ad;
2591 u32 newsid;
2592 int rc = 0;
2593
b5376771
SH		 2594 if (strcmp(name, XATTR_NAME_SELINUX))
2595 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2596
2597 sbsec = inode->i_sb->s_security;
2598 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2599 return -EOPNOTSUPP;
2600
3bd858ab 2601 if (!is_owner_or_cap(inode))
1da177e4
LT		 2602 return -EPERM;
2603
2604 AVC_AUDIT_DATA_INIT(&ad,FS);
44707fdf 2605 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 2606
2607 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2608 FILE__RELABELFROM, &ad);
2609 if (rc)
2610 return rc;
2611
2612 rc = security_context_to_sid(value, size, &newsid);
2613 if (rc)
2614 return rc;
2615
2616 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2617 FILE__RELABELTO, &ad);
2618 if (rc)
2619 return rc;
2620
2621 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2622 isec->sclass);
2623 if (rc)
2624 return rc;
2625
2626 return avc_has_perm(newsid,
2627 sbsec->sid,
2628 SECCLASS_FILESYSTEM,
2629 FILESYSTEM__ASSOCIATE,
2630 &ad);
2631}
2632
2633static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2634 void *value, size_t size, int flags)
2635{
2636 struct inode *inode = dentry->d_inode;
2637 struct inode_security_struct *isec = inode->i_security;
2638 u32 newsid;
2639 int rc;
2640
2641 if (strcmp(name, XATTR_NAME_SELINUX)) {
2642 /* Not an attribute we recognize, so nothing to do. */
2643 return;
2644 }
2645
2646 rc = security_context_to_sid(value, size, &newsid);
2647 if (rc) {
2648 printk(KERN_WARNING "%s: unable to obtain SID for context "
2649 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2650 return;
2651 }
2652
2653 isec->sid = newsid;
2654 return;
2655}
2656
2657static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2658{
1da177e4
LT		 2659 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2660}
2661
2662static int selinux_inode_listxattr (struct dentry *dentry)
2663{
2664 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2665}
2666
2667static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2668{
b5376771
SH		 2669 if (strcmp(name, XATTR_NAME_SELINUX))
2670 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2671
2672 /* No one is allowed to remove a SELinux security label.
2673 You can change the label, but all data must be labeled. */
2674 return -EACCES;
2675}
2676
d381d8a9
JM		 2677/*
2678 * Copy the in-core inode security context value to the user. If the
2679 * getxattr() prior to this succeeded, check to see if we need to
2680 * canonicalize the value to be finally returned to the user.
2681 *
2682 * Permission check is handled by selinux_inode_getxattr hook.
2683 */
42492594 2684static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 2685{
42492594
DQ		 2686 u32 size;
2687 int error;
2688 char *context = NULL;
1da177e4 2689 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2690
8c8570fb
DK		 2691 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2692 return -EOPNOTSUPP;
d381d8a9 2693
42492594
DQ		 2694 error = security_sid_to_context(isec->sid, &context, &size);
2695 if (error)
2696 return error;
2697 error = size;
2698 if (alloc) {
2699 *buffer = context;
2700 goto out_nofree;
2701 }
2702 kfree(context);
2703out_nofree:
2704 return error;
1da177e4
LT		 2705}
2706
2707static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2708 const void *value, size_t size, int flags)
2709{
2710 struct inode_security_struct *isec = inode->i_security;
2711 u32 newsid;
2712 int rc;
2713
2714 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2715 return -EOPNOTSUPP;
2716
2717 if (!value || !size)
2718 return -EACCES;
2719
2720 rc = security_context_to_sid((void*)value, size, &newsid);
2721 if (rc)
2722 return rc;
2723
2724 isec->sid = newsid;
2725 return 0;
2726}
2727
2728static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2729{
2730 const int len = sizeof(XATTR_NAME_SELINUX);
2731 if (buffer && len <= buffer_size)
2732 memcpy(buffer, XATTR_NAME_SELINUX, len);
2733 return len;
2734}
2735
b5376771
SH		 2736static int selinux_inode_need_killpriv(struct dentry *dentry)
2737{
2738 return secondary_ops->inode_need_killpriv(dentry);
2739}
2740
2741static int selinux_inode_killpriv(struct dentry *dentry)
2742{
2743 return secondary_ops->inode_killpriv(dentry);
2744}
2745
1da177e4
LT		 2746/* file security operations */
2747
788e7dd4 2748static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 2749{
7420ed23 2750 int rc;
3d5ff529 2751 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2752
2753 if (!mask) {
2754 /* No permission to check. Existence test. */
2755 return 0;
2756 }
2757
2758 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2759 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2760 mask |= MAY_APPEND;
2761
7420ed23
VY		 2762 rc = file_has_perm(current, file,
2763 file_mask_to_av(inode->i_mode, mask));
2764 if (rc)
2765 return rc;
2766
2767 return selinux_netlbl_inode_permission(inode, mask);
1da177e4
LT		 2768}
2769
788e7dd4
YN		 2770static int selinux_file_permission(struct file *file, int mask)
2771{
2772 struct inode *inode = file->f_path.dentry->d_inode;
2773 struct task_security_struct *tsec = current->security;
2774 struct file_security_struct *fsec = file->f_security;
2775 struct inode_security_struct *isec = inode->i_security;
2776
2777 if (!mask) {
2778 /* No permission to check. Existence test. */
2779 return 0;
2780 }
2781
2782 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2783 && fsec->pseqno == avc_policy_seqno())
2784 return selinux_netlbl_inode_permission(inode, mask);
2785
2786 return selinux_revalidate_file_permission(file, mask);
2787}
2788
1da177e4
LT		 2789static int selinux_file_alloc_security(struct file *file)
2790{
2791 return file_alloc_security(file);
2792}
2793
2794static void selinux_file_free_security(struct file *file)
2795{
2796 file_free_security(file);
2797}
2798
2799static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2800 unsigned long arg)
2801{
2802 int error = 0;
2803
2804 switch (cmd) {
2805 case FIONREAD:
2806 /* fall through */
2807 case FIBMAP:
2808 /* fall through */
2809 case FIGETBSZ:
2810 /* fall through */
2811 case EXT2_IOC_GETFLAGS:
2812 /* fall through */
2813 case EXT2_IOC_GETVERSION:
2814 error = file_has_perm(current, file, FILE__GETATTR);
2815 break;
2816
2817 case EXT2_IOC_SETFLAGS:
2818 /* fall through */
2819 case EXT2_IOC_SETVERSION:
2820 error = file_has_perm(current, file, FILE__SETATTR);
2821 break;
2822
2823 /* sys_ioctl() checks */
2824 case FIONBIO:
2825 /* fall through */
2826 case FIOASYNC:
2827 error = file_has_perm(current, file, 0);
2828 break;
2829
2830 case KDSKBENT:
2831 case KDSKBSENT:
2832 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2833 break;
2834
2835 /* default case assumes that the command will go
2836 * to the file's ioctl() function.
2837 */
2838 default:
2839 error = file_has_perm(current, file, FILE__IOCTL);
2840
2841 }
2842 return error;
2843}
2844
2845static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2846{
2847#ifndef CONFIG_PPC32
2848 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2849 /*
2850 * We are making executable an anonymous mapping or a
2851 * private file mapping that will also be writable.
2852 * This has an additional check.
2853 */
2854 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2855 if (rc)
2856 return rc;
2857 }
2858#endif
2859
2860 if (file) {
2861 /* read access is always possible with a mapping */
2862 u32 av = FILE__READ;
2863
2864 /* write access only matters if the mapping is shared */
2865 if (shared && (prot & PROT_WRITE))
2866 av |= FILE__WRITE;
2867
2868 if (prot & PROT_EXEC)
2869 av |= FILE__EXECUTE;
2870
2871 return file_has_perm(current, file, av);
2872 }
2873 return 0;
2874}
2875
2876static int selinux_file_mmap(struct file *file, unsigned long reqprot,
ed032189
EP		 2877 unsigned long prot, unsigned long flags,
2878 unsigned long addr, unsigned long addr_only)
1da177e4 2879{
ed032189
EP		 2880 int rc = 0;
2881 u32 sid = ((struct task_security_struct*)(current->security))->sid;
1da177e4 2882
ed032189
EP		 2883 if (addr < mmap_min_addr)
2884 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2885 MEMPROTECT__MMAP_ZERO, NULL);
2886 if (rc || addr_only)
1da177e4
LT		 2887 return rc;
2888
2889 if (selinux_checkreqprot)
2890 prot = reqprot;
2891
2892 return file_map_prot_check(file, prot,
2893 (flags & MAP_TYPE) == MAP_SHARED);
2894}
2895
2896static int selinux_file_mprotect(struct vm_area_struct *vma,
2897 unsigned long reqprot,
2898 unsigned long prot)
2899{
2900 int rc;
2901
2902 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2903 if (rc)
2904 return rc;
2905
2906 if (selinux_checkreqprot)
2907 prot = reqprot;
2908
2909#ifndef CONFIG_PPC32
db4c9641
SS		 2910 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2911 rc = 0;
2912 if (vma->vm_start >= vma->vm_mm->start_brk &&
2913 vma->vm_end <= vma->vm_mm->brk) {
2914 rc = task_has_perm(current, current,
2915 PROCESS__EXECHEAP);
2916 } else if (!vma->vm_file &&
2917 vma->vm_start <= vma->vm_mm->start_stack &&
2918 vma->vm_end >= vma->vm_mm->start_stack) {
2919 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2920 } else if (vma->vm_file && vma->anon_vma) {
2921 /*
2922 * We are making executable a file mapping that has
2923 * had some COW done. Since pages might have been
2924 * written, check ability to execute the possibly
2925 * modified content. This typically should only
2926 * occur for text relocations.
2927 */
2928 rc = file_has_perm(current, vma->vm_file,
2929 FILE__EXECMOD);
2930 }