]> bbs.cooldavid.org Git - net-next-2.6.git/blame - security/selinux/hooks.c
git://bbs.cooldavid.org / net-next-2.6.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
[PATCH] fdtable: Delete pointless code in dup_fd()
[net-next-2.6.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
7420ed23
VY		 15 * Copyright (C) 2006 Hewlett-Packard Development Company, L.P.
16 * Paul Moore, <paul.moore@hp.com>
1da177e4
LT		 17 *
18 * This program is free software; you can redistribute it and/or modify
19 * it under the terms of the GNU General Public License version 2,
20 * as published by the Free Software Foundation.
21 */
22
1da177e4
LT		 23#include <linux/module.h>
24#include <linux/init.h>
25#include <linux/kernel.h>
26#include <linux/ptrace.h>
27#include <linux/errno.h>
28#include <linux/sched.h>
29#include <linux/security.h>
30#include <linux/xattr.h>
31#include <linux/capability.h>
32#include <linux/unistd.h>
33#include <linux/mm.h>
34#include <linux/mman.h>
35#include <linux/slab.h>
36#include <linux/pagemap.h>
37#include <linux/swap.h>
38#include <linux/smp_lock.h>
39#include <linux/spinlock.h>
40#include <linux/syscalls.h>
41#include <linux/file.h>
42#include <linux/namei.h>
43#include <linux/mount.h>
44#include <linux/ext2_fs.h>
45#include <linux/proc_fs.h>
46#include <linux/kd.h>
47#include <linux/netfilter_ipv4.h>
48#include <linux/netfilter_ipv6.h>
49#include <linux/tty.h>
50#include <net/icmp.h>
51#include <net/ip.h> /* for sysctl_local_port_range[] */
52#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53#include <asm/uaccess.h>
1da177e4
LT		 54#include <asm/ioctls.h>
55#include <linux/bitops.h>
56#include <linux/interrupt.h>
57#include <linux/netdevice.h> /* for network interface checks */
58#include <linux/netlink.h>
59#include <linux/tcp.h>
60#include <linux/udp.h>
2ee92d46 61#include <linux/dccp.h>
1da177e4
LT		 62#include <linux/quota.h>
63#include <linux/un.h> /* for Unix socket types */
64#include <net/af_unix.h> /* for Unix socket types */
65#include <linux/parser.h>
66#include <linux/nfs_mount.h>
67#include <net/ipv6.h>
68#include <linux/hugetlb.h>
69#include <linux/personality.h>
70#include <linux/sysctl.h>
71#include <linux/audit.h>
6931dfc9 72#include <linux/string.h>
877ce7c1 73#include <linux/selinux.h>
23970741 74#include <linux/mutex.h>
1da177e4
LT		 75
76#include "avc.h"
77#include "objsec.h"
78#include "netif.h"
d28d1e08 79#include "xfrm.h"
7420ed23 80#include "selinux_netlabel.h"
1da177e4
LT		 81
82#define XATTR_SELINUX_SUFFIX "selinux"
83#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
84
85extern unsigned int policydb_loaded_version;
86extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
4e5ab4cb 87extern int selinux_compat_net;
1da177e4
LT		 88
89#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
90int selinux_enforcing = 0;
91
92static int __init enforcing_setup(char *str)
93{
94 selinux_enforcing = simple_strtol(str,NULL,0);
95 return 1;
96}
97__setup("enforcing=", enforcing_setup);
98#endif
99
100#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
101int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
102
103static int __init selinux_enabled_setup(char *str)
104{
105 selinux_enabled = simple_strtol(str, NULL, 0);
106 return 1;
107}
108__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 109#else
110int selinux_enabled = 1;
1da177e4
LT		 111#endif
112
113/* Original (dummy) security module. */
114static struct security_operations *original_ops = NULL;
115
116/* Minimal support for a secondary security module,
117 just to allow the use of the dummy or capability modules.
118 The owlsm module can alternatively be used as a secondary
119 module as long as CONFIG_OWLSM_FD is not enabled. */
120static struct security_operations *secondary_ops = NULL;
121
122/* Lists of inode and superblock security structures initialized
123 before the policy was loaded. */
124static LIST_HEAD(superblock_security_head);
125static DEFINE_SPINLOCK(sb_security_lock);
126
e18b890b 127static struct kmem_cache *sel_inode_cache;
7cae7e26 128
8c8570fb
DK		 129/* Return security context for a given sid or just the context
130 length if the buffer is null or length is 0 */
131static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
132{
133 char *context;
134 unsigned len;
135 int rc;
136
137 rc = security_sid_to_context(sid, &context, &len);
138 if (rc)
139 return rc;
140
141 if (!buffer || !size)
142 goto getsecurity_exit;
143
144 if (size < len) {
145 len = -ERANGE;
146 goto getsecurity_exit;
147 }
148 memcpy(buffer, context, len);
149
150getsecurity_exit:
151 kfree(context);
152 return len;
153}
154
1da177e4
LT		 155/* Allocate and free functions for each kind of security blob. */
156
157static int task_alloc_security(struct task_struct *task)
158{
159 struct task_security_struct *tsec;
160
89d155ef 161 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4
LT		 162 if (!tsec)
163 return -ENOMEM;
164
1da177e4
LT		 165 tsec->task = task;
166 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
167 task->security = tsec;
168
169 return 0;
170}
171
172static void task_free_security(struct task_struct *task)
173{
174 struct task_security_struct *tsec = task->security;
1da177e4
LT		 175 task->security = NULL;
176 kfree(tsec);
177}
178
179static int inode_alloc_security(struct inode *inode)
180{
181 struct task_security_struct *tsec = current->security;
182 struct inode_security_struct *isec;
183
e94b1766 184 isec = kmem_cache_alloc(sel_inode_cache, GFP_KERNEL);
1da177e4
LT		 185 if (!isec)
186 return -ENOMEM;
187
7cae7e26 188 memset(isec, 0, sizeof(*isec));
23970741 189 mutex_init(&isec->lock);
1da177e4 190 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 191 isec->inode = inode;
192 isec->sid = SECINITSID_UNLABELED;
193 isec->sclass = SECCLASS_FILE;
9ac49d22 194 isec->task_sid = tsec->sid;
1da177e4
LT		 195 inode->i_security = isec;
196
197 return 0;
198}
199
200static void inode_free_security(struct inode *inode)
201{
202 struct inode_security_struct *isec = inode->i_security;
203 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
204
1da177e4
LT		 205 spin_lock(&sbsec->isec_lock);
206 if (!list_empty(&isec->list))
207 list_del_init(&isec->list);
208 spin_unlock(&sbsec->isec_lock);
209
210 inode->i_security = NULL;
7cae7e26 211 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 212}
213
214static int file_alloc_security(struct file *file)
215{
216 struct task_security_struct *tsec = current->security;
217 struct file_security_struct *fsec;
218
26d2a4be 219 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 220 if (!fsec)
221 return -ENOMEM;
222
1da177e4 223 fsec->file = file;
9ac49d22
SS		 224 fsec->sid = tsec->sid;
225 fsec->fown_sid = tsec->sid;
1da177e4
LT		 226 file->f_security = fsec;
227
228 return 0;
229}
230
231static void file_free_security(struct file *file)
232{
233 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 234 file->f_security = NULL;
235 kfree(fsec);
236}
237
238static int superblock_alloc_security(struct super_block *sb)
239{
240 struct superblock_security_struct *sbsec;
241
89d155ef 242 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 243 if (!sbsec)
244 return -ENOMEM;
245
bc7e982b 246 mutex_init(&sbsec->lock);
1da177e4
LT		 247 INIT_LIST_HEAD(&sbsec->list);
248 INIT_LIST_HEAD(&sbsec->isec_head);
249 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 250 sbsec->sb = sb;
251 sbsec->sid = SECINITSID_UNLABELED;
252 sbsec->def_sid = SECINITSID_FILE;
c312feb2 253 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 254 sb->s_security = sbsec;
255
256 return 0;
257}
258
259static void superblock_free_security(struct super_block *sb)
260{
261 struct superblock_security_struct *sbsec = sb->s_security;
262
1da177e4
LT		 263 spin_lock(&sb_security_lock);
264 if (!list_empty(&sbsec->list))
265 list_del_init(&sbsec->list);
266 spin_unlock(&sb_security_lock);
267
268 sb->s_security = NULL;
269 kfree(sbsec);
270}
271
7d877f3b 272static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4
LT		 273{
274 struct sk_security_struct *ssec;
275
89d155ef 276 ssec = kzalloc(sizeof(*ssec), priority);
1da177e4
LT		 277 if (!ssec)
278 return -ENOMEM;
279
1da177e4
LT		 280 ssec->sk = sk;
281 ssec->peer_sid = SECINITSID_UNLABELED;
892c141e 282 ssec->sid = SECINITSID_UNLABELED;
1da177e4
LT		 283 sk->sk_security = ssec;
284
99f59ed0
PM		 285 selinux_netlbl_sk_security_init(ssec, family);
286
1da177e4
LT		 287 return 0;
288}
289
290static void sk_free_security(struct sock *sk)
291{
292 struct sk_security_struct *ssec = sk->sk_security;
293
1da177e4
LT		 294 sk->sk_security = NULL;
295 kfree(ssec);
296}
1da177e4
LT		 297
298/* The security server must be initialized before
299 any labeling or access decisions can be provided. */
300extern int ss_initialized;
301
302/* The file system's label must be initialized prior to use. */
303
304static char *labeling_behaviors[6] = {
305 "uses xattr",
306 "uses transition SIDs",
307 "uses task SIDs",
308 "uses genfs_contexts",
309 "not configured for labeling",
310 "uses mountpoint labeling",
311};
312
313static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
314
315static inline int inode_doinit(struct inode *inode)
316{
317 return inode_doinit_with_dentry(inode, NULL);
318}
319
320enum {
321 Opt_context = 1,
322 Opt_fscontext = 2,
323 Opt_defcontext = 4,
0808925e 324 Opt_rootcontext = 8,
1da177e4
LT		 325};
326
327static match_table_t tokens = {
328 {Opt_context, "context=%s"},
329 {Opt_fscontext, "fscontext=%s"},
330 {Opt_defcontext, "defcontext=%s"},
0808925e 331 {Opt_rootcontext, "rootcontext=%s"},
1da177e4
LT		 332};
333
334#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
335
c312feb2
EP		 336static int may_context_mount_sb_relabel(u32 sid,
337 struct superblock_security_struct *sbsec,
338 struct task_security_struct *tsec)
339{
340 int rc;
341
342 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
343 FILESYSTEM__RELABELFROM, NULL);
344 if (rc)
345 return rc;
346
347 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
348 FILESYSTEM__RELABELTO, NULL);
349 return rc;
350}
351
0808925e
EP		 352static int may_context_mount_inode_relabel(u32 sid,
353 struct superblock_security_struct *sbsec,
354 struct task_security_struct *tsec)
355{
356 int rc;
357 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358 FILESYSTEM__RELABELFROM, NULL);
359 if (rc)
360 return rc;
361
362 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
363 FILESYSTEM__ASSOCIATE, NULL);
364 return rc;
365}
366
1da177e4
LT		 367static int try_context_mount(struct super_block *sb, void *data)
368{
369 char *context = NULL, *defcontext = NULL;
0808925e 370 char *fscontext = NULL, *rootcontext = NULL;
1da177e4
LT		 371 const char *name;
372 u32 sid;
373 int alloc = 0, rc = 0, seen = 0;
374 struct task_security_struct *tsec = current->security;
375 struct superblock_security_struct *sbsec = sb->s_security;
376
377 if (!data)
378 goto out;
379
380 name = sb->s_type->name;
381
382 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
383
384 /* NFS we understand. */
385 if (!strcmp(name, "nfs")) {
386 struct nfs_mount_data *d = data;
387
388 if (d->version < NFS_MOUNT_VERSION)
389 goto out;
390
391 if (d->context[0]) {
392 context = d->context;
393 seen |= Opt_context;
394 }
395 } else
396 goto out;
397
398 } else {
399 /* Standard string-based options. */
400 char *p, *options = data;
401
3528a953 402 while ((p = strsep(&options, "|")) != NULL) {
1da177e4
LT		 403 int token;
404 substring_t args[MAX_OPT_ARGS];
405
406 if (!*p)
407 continue;
408
409 token = match_token(p, tokens, args);
410
411 switch (token) {
412 case Opt_context:
c312feb2 413 if (seen & (Opt_context|Opt_defcontext)) {
1da177e4
LT		 414 rc = -EINVAL;
415 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
416 goto out_free;
417 }
418 context = match_strdup(&args[0]);
419 if (!context) {
420 rc = -ENOMEM;
421 goto out_free;
422 }
423 if (!alloc)
424 alloc = 1;
425 seen |= Opt_context;
426 break;
427
428 case Opt_fscontext:
c312feb2 429 if (seen & Opt_fscontext) {
1da177e4
LT		 430 rc = -EINVAL;
431 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
432 goto out_free;
433 }
c312feb2
EP		 434 fscontext = match_strdup(&args[0]);
435 if (!fscontext) {
1da177e4
LT		 436 rc = -ENOMEM;
437 goto out_free;
438 }
439 if (!alloc)
440 alloc = 1;
441 seen |= Opt_fscontext;
442 break;
443
0808925e
EP		 444 case Opt_rootcontext:
445 if (seen & Opt_rootcontext) {
446 rc = -EINVAL;
447 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
448 goto out_free;
449 }
450 rootcontext = match_strdup(&args[0]);
451 if (!rootcontext) {
452 rc = -ENOMEM;
453 goto out_free;
454 }
455 if (!alloc)
456 alloc = 1;
457 seen |= Opt_rootcontext;
458 break;
459
1da177e4
LT		 460 case Opt_defcontext:
461 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
462 rc = -EINVAL;
463 printk(KERN_WARNING "SELinux: "
464 "defcontext option is invalid "
465 "for this filesystem type\n");
466 goto out_free;
467 }
468 if (seen & (Opt_context|Opt_defcontext)) {
469 rc = -EINVAL;
470 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
471 goto out_free;
472 }
473 defcontext = match_strdup(&args[0]);
474 if (!defcontext) {
475 rc = -ENOMEM;
476 goto out_free;
477 }
478 if (!alloc)
479 alloc = 1;
480 seen |= Opt_defcontext;
481 break;
482
483 default:
484 rc = -EINVAL;
485 printk(KERN_WARNING "SELinux: unknown mount "
486 "option\n");
487 goto out_free;
488
489 }
490 }
491 }
492
493 if (!seen)
494 goto out;
495
c312feb2
EP		 496 /* sets the context of the superblock for the fs being mounted. */
497 if (fscontext) {
498 rc = security_context_to_sid(fscontext, strlen(fscontext), &sid);
1da177e4
LT		 499 if (rc) {
500 printk(KERN_WARNING "SELinux: security_context_to_sid"
501 "(%s) failed for (dev %s, type %s) errno=%d\n",
c312feb2 502 fscontext, sb->s_id, name, rc);
1da177e4
LT		 503 goto out_free;
504 }
505
c312feb2 506 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
1da177e4
LT		 507 if (rc)
508 goto out_free;
509
c312feb2
EP		 510 sbsec->sid = sid;
511 }
512
513 /*
514 * Switch to using mount point labeling behavior.
515 * sets the label used on all file below the mountpoint, and will set
516 * the superblock context if not already set.
517 */
518 if (context) {
519 rc = security_context_to_sid(context, strlen(context), &sid);
520 if (rc) {
521 printk(KERN_WARNING "SELinux: security_context_to_sid"
522 "(%s) failed for (dev %s, type %s) errno=%d\n",
523 context, sb->s_id, name, rc);
524 goto out_free;
525 }
526
b04ea3ce
EP		 527 if (!fscontext) {
528 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
529 if (rc)
530 goto out_free;
c312feb2 531 sbsec->sid = sid;
b04ea3ce
EP		 532 } else {
533 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
534 if (rc)
535 goto out_free;
536 }
c312feb2 537 sbsec->mntpoint_sid = sid;
1da177e4 538
c312feb2 539 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 540 }
541
0808925e
EP		 542 if (rootcontext) {
543 struct inode *inode = sb->s_root->d_inode;
544 struct inode_security_struct *isec = inode->i_security;
545 rc = security_context_to_sid(rootcontext, strlen(rootcontext), &sid);
546 if (rc) {
547 printk(KERN_WARNING "SELinux: security_context_to_sid"
548 "(%s) failed for (dev %s, type %s) errno=%d\n",
549 rootcontext, sb->s_id, name, rc);
550 goto out_free;
551 }
552
553 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
554 if (rc)
555 goto out_free;
556
557 isec->sid = sid;
558 isec->initialized = 1;
559 }
560
1da177e4
LT		 561 if (defcontext) {
562 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
563 if (rc) {
564 printk(KERN_WARNING "SELinux: security_context_to_sid"
565 "(%s) failed for (dev %s, type %s) errno=%d\n",
566 defcontext, sb->s_id, name, rc);
567 goto out_free;
568 }
569
570 if (sid == sbsec->def_sid)
571 goto out_free;
572
0808925e 573 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
1da177e4
LT		 574 if (rc)
575 goto out_free;
576
577 sbsec->def_sid = sid;
578 }
579
580out_free:
581 if (alloc) {
582 kfree(context);
583 kfree(defcontext);
c312feb2 584 kfree(fscontext);
0808925e 585 kfree(rootcontext);
1da177e4
LT		 586 }
587out:
588 return rc;
589}
590
591static int superblock_doinit(struct super_block *sb, void *data)
592{
593 struct superblock_security_struct *sbsec = sb->s_security;
594 struct dentry *root = sb->s_root;
595 struct inode *inode = root->d_inode;
596 int rc = 0;
597
bc7e982b 598 mutex_lock(&sbsec->lock);
1da177e4
LT		 599 if (sbsec->initialized)
600 goto out;
601
602 if (!ss_initialized) {
603 /* Defer initialization until selinux_complete_init,
604 after the initial policy is loaded and the security
605 server is ready to handle calls. */
606 spin_lock(&sb_security_lock);
607 if (list_empty(&sbsec->list))
608 list_add(&sbsec->list, &superblock_security_head);
609 spin_unlock(&sb_security_lock);
610 goto out;
611 }
612
613 /* Determine the labeling behavior to use for this filesystem type. */
614 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
615 if (rc) {
616 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
617 __FUNCTION__, sb->s_type->name, rc);
618 goto out;
619 }
620
621 rc = try_context_mount(sb, data);
622 if (rc)
623 goto out;
624
625 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
626 /* Make sure that the xattr handler exists and that no
627 error other than -ENODATA is returned by getxattr on
628 the root directory. -ENODATA is ok, as this may be
629 the first boot of the SELinux kernel before we have
630 assigned xattr values to the filesystem. */
631 if (!inode->i_op->getxattr) {
632 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
633 "xattr support\n", sb->s_id, sb->s_type->name);
634 rc = -EOPNOTSUPP;
635 goto out;
636 }
637 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
638 if (rc < 0 && rc != -ENODATA) {
639 if (rc == -EOPNOTSUPP)
640 printk(KERN_WARNING "SELinux: (dev %s, type "
641 "%s) has no security xattr handler\n",
642 sb->s_id, sb->s_type->name);
643 else
644 printk(KERN_WARNING "SELinux: (dev %s, type "
645 "%s) getxattr errno %d\n", sb->s_id,
646 sb->s_type->name, -rc);
647 goto out;
648 }
649 }
650
651 if (strcmp(sb->s_type->name, "proc") == 0)
652 sbsec->proc = 1;
653
654 sbsec->initialized = 1;
655
656 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
657 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
658 sb->s_id, sb->s_type->name);
659 }
660 else {
661 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
662 sb->s_id, sb->s_type->name,
663 labeling_behaviors[sbsec->behavior-1]);
664 }
665
666 /* Initialize the root inode. */
667 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
668
669 /* Initialize any other inodes associated with the superblock, e.g.
670 inodes created prior to initial policy load or inodes created
671 during get_sb by a pseudo filesystem that directly
672 populates itself. */
673 spin_lock(&sbsec->isec_lock);
674next_inode:
675 if (!list_empty(&sbsec->isec_head)) {
676 struct inode_security_struct *isec =
677 list_entry(sbsec->isec_head.next,
678 struct inode_security_struct, list);
679 struct inode *inode = isec->inode;
680 spin_unlock(&sbsec->isec_lock);
681 inode = igrab(inode);
682 if (inode) {
683 if (!IS_PRIVATE (inode))
684 inode_doinit(inode);
685 iput(inode);
686 }
687 spin_lock(&sbsec->isec_lock);
688 list_del_init(&isec->list);
689 goto next_inode;
690 }
691 spin_unlock(&sbsec->isec_lock);
692out:
bc7e982b 693 mutex_unlock(&sbsec->lock);
1da177e4
LT		 694 return rc;
695}
696
697static inline u16 inode_mode_to_security_class(umode_t mode)
698{
699 switch (mode & S_IFMT) {
700 case S_IFSOCK:
701 return SECCLASS_SOCK_FILE;
702 case S_IFLNK:
703 return SECCLASS_LNK_FILE;
704 case S_IFREG:
705 return SECCLASS_FILE;
706 case S_IFBLK:
707 return SECCLASS_BLK_FILE;
708 case S_IFDIR:
709 return SECCLASS_DIR;
710 case S_IFCHR:
711 return SECCLASS_CHR_FILE;
712 case S_IFIFO:
713 return SECCLASS_FIFO_FILE;
714
715 }
716
717 return SECCLASS_FILE;
718}
719
13402580
JM		 720static inline int default_protocol_stream(int protocol)
721{
722 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
723}
724
725static inline int default_protocol_dgram(int protocol)
726{
727 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
728}
729
1da177e4
LT		 730static inline u16 socket_type_to_security_class(int family, int type, int protocol)
731{
732 switch (family) {
733 case PF_UNIX:
734 switch (type) {
735 case SOCK_STREAM:
736 case SOCK_SEQPACKET:
737 return SECCLASS_UNIX_STREAM_SOCKET;
738 case SOCK_DGRAM:
739 return SECCLASS_UNIX_DGRAM_SOCKET;
740 }
741 break;
742 case PF_INET:
743 case PF_INET6:
744 switch (type) {
745 case SOCK_STREAM:
13402580
JM		 746 if (default_protocol_stream(protocol))
747 return SECCLASS_TCP_SOCKET;
748 else
749 return SECCLASS_RAWIP_SOCKET;
1da177e4 750 case SOCK_DGRAM:
13402580
JM		 751 if (default_protocol_dgram(protocol))
752 return SECCLASS_UDP_SOCKET;
753 else
754 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 755 case SOCK_DCCP:
756 return SECCLASS_DCCP_SOCKET;
13402580 757 default:
1da177e4
LT		 758 return SECCLASS_RAWIP_SOCKET;
759 }
760 break;
761 case PF_NETLINK:
762 switch (protocol) {
763 case NETLINK_ROUTE:
764 return SECCLASS_NETLINK_ROUTE_SOCKET;
765 case NETLINK_FIREWALL:
766 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 767 case NETLINK_INET_DIAG:
1da177e4
LT		 768 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
769 case NETLINK_NFLOG:
770 return SECCLASS_NETLINK_NFLOG_SOCKET;
771 case NETLINK_XFRM:
772 return SECCLASS_NETLINK_XFRM_SOCKET;
773 case NETLINK_SELINUX:
774 return SECCLASS_NETLINK_SELINUX_SOCKET;
775 case NETLINK_AUDIT:
776 return SECCLASS_NETLINK_AUDIT_SOCKET;
777 case NETLINK_IP6_FW:
778 return SECCLASS_NETLINK_IP6FW_SOCKET;
779 case NETLINK_DNRTMSG:
780 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 781 case NETLINK_KOBJECT_UEVENT:
782 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 783 default:
784 return SECCLASS_NETLINK_SOCKET;
785 }
786 case PF_PACKET:
787 return SECCLASS_PACKET_SOCKET;
788 case PF_KEY:
789 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 790 case PF_APPLETALK:
791 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 792 }
793
794 return SECCLASS_SOCKET;
795}
796
797#ifdef CONFIG_PROC_FS
798static int selinux_proc_get_sid(struct proc_dir_entry *de,
799 u16 tclass,
800 u32 *sid)
801{
802 int buflen, rc;
803 char *buffer, *path, *end;
804
805 buffer = (char*)__get_free_page(GFP_KERNEL);
806 if (!buffer)
807 return -ENOMEM;
808
809 buflen = PAGE_SIZE;
810 end = buffer+buflen;
811 *--end = '\0';
812 buflen--;
813 path = end-1;
814 *path = '/';
815 while (de && de != de->parent) {
816 buflen -= de->namelen + 1;
817 if (buflen < 0)
818 break;
819 end -= de->namelen;
820 memcpy(end, de->name, de->namelen);
821 *--end = '/';
822 path = end;
823 de = de->parent;
824 }
825 rc = security_genfs_sid("proc", path, tclass, sid);
826 free_page((unsigned long)buffer);
827 return rc;
828}
829#else
830static int selinux_proc_get_sid(struct proc_dir_entry *de,
831 u16 tclass,
832 u32 *sid)
833{
834 return -EINVAL;
835}
836#endif
837
838/* The inode's security attributes must be initialized before first use. */
839static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
840{
841 struct superblock_security_struct *sbsec = NULL;
842 struct inode_security_struct *isec = inode->i_security;
843 u32 sid;
844 struct dentry *dentry;
845#define INITCONTEXTLEN 255
846 char *context = NULL;
847 unsigned len = 0;
848 int rc = 0;
1da177e4
LT		 849
850 if (isec->initialized)
851 goto out;
852
23970741 853 mutex_lock(&isec->lock);
1da177e4 854 if (isec->initialized)
23970741 855 goto out_unlock;
1da177e4
LT		 856
857 sbsec = inode->i_sb->s_security;
858 if (!sbsec->initialized) {
859 /* Defer initialization until selinux_complete_init,
860 after the initial policy is loaded and the security
861 server is ready to handle calls. */
862 spin_lock(&sbsec->isec_lock);
863 if (list_empty(&isec->list))
864 list_add(&isec->list, &sbsec->isec_head);
865 spin_unlock(&sbsec->isec_lock);
23970741 866 goto out_unlock;
1da177e4
LT		 867 }
868
869 switch (sbsec->behavior) {
870 case SECURITY_FS_USE_XATTR:
871 if (!inode->i_op->getxattr) {
872 isec->sid = sbsec->def_sid;
873 break;
874 }
875
876 /* Need a dentry, since the xattr API requires one.
877 Life would be simpler if we could just pass the inode. */
878 if (opt_dentry) {
879 /* Called from d_instantiate or d_splice_alias. */
880 dentry = dget(opt_dentry);
881 } else {
882 /* Called from selinux_complete_init, try to find a dentry. */
883 dentry = d_find_alias(inode);
884 }
885 if (!dentry) {
886 printk(KERN_WARNING "%s: no dentry for dev=%s "
887 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
888 inode->i_ino);
23970741 889 goto out_unlock;
1da177e4
LT		 890 }
891
892 len = INITCONTEXTLEN;
893 context = kmalloc(len, GFP_KERNEL);
894 if (!context) {
895 rc = -ENOMEM;
896 dput(dentry);
23970741 897 goto out_unlock;
1da177e4
LT		 898 }
899 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
900 context, len);
901 if (rc == -ERANGE) {
902 /* Need a larger buffer. Query for the right size. */
903 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
904 NULL, 0);
905 if (rc < 0) {
906 dput(dentry);
23970741 907 goto out_unlock;
1da177e4
LT		 908 }
909 kfree(context);
910 len = rc;
911 context = kmalloc(len, GFP_KERNEL);
912 if (!context) {
913 rc = -ENOMEM;
914 dput(dentry);
23970741 915 goto out_unlock;
1da177e4
LT		 916 }
917 rc = inode->i_op->getxattr(dentry,
918 XATTR_NAME_SELINUX,
919 context, len);
920 }
921 dput(dentry);
922 if (rc < 0) {
923 if (rc != -ENODATA) {
924 printk(KERN_WARNING "%s: getxattr returned "
925 "%d for dev=%s ino=%ld\n", __FUNCTION__,
926 -rc, inode->i_sb->s_id, inode->i_ino);
927 kfree(context);
23970741 928 goto out_unlock;
1da177e4
LT		 929 }
930 /* Map ENODATA to the default file SID */
931 sid = sbsec->def_sid;
932 rc = 0;
933 } else {
f5c1d5b2
JM		 934 rc = security_context_to_sid_default(context, rc, &sid,
935 sbsec->def_sid);
1da177e4
LT		 936 if (rc) {
937 printk(KERN_WARNING "%s: context_to_sid(%s) "
938 "returned %d for dev=%s ino=%ld\n",
939 __FUNCTION__, context, -rc,
940 inode->i_sb->s_id, inode->i_ino);
941 kfree(context);
942 /* Leave with the unlabeled SID */
943 rc = 0;
944 break;
945 }
946 }
947 kfree(context);
948 isec->sid = sid;
949 break;
950 case SECURITY_FS_USE_TASK:
951 isec->sid = isec->task_sid;
952 break;
953 case SECURITY_FS_USE_TRANS:
954 /* Default to the fs SID. */
955 isec->sid = sbsec->sid;
956
957 /* Try to obtain a transition SID. */
958 isec->sclass = inode_mode_to_security_class(inode->i_mode);
959 rc = security_transition_sid(isec->task_sid,
960 sbsec->sid,
961 isec->sclass,
962 &sid);
963 if (rc)
23970741 964 goto out_unlock;
1da177e4
LT		 965 isec->sid = sid;
966 break;
c312feb2
EP		 967 case SECURITY_FS_USE_MNTPOINT:
968 isec->sid = sbsec->mntpoint_sid;
969 break;
1da177e4 970 default:
c312feb2 971 /* Default to the fs superblock SID. */
1da177e4
LT		 972 isec->sid = sbsec->sid;
973
974 if (sbsec->proc) {
975 struct proc_inode *proci = PROC_I(inode);
976 if (proci->pde) {
977 isec->sclass = inode_mode_to_security_class(inode->i_mode);
978 rc = selinux_proc_get_sid(proci->pde,
979 isec->sclass,
980 &sid);
981 if (rc)
23970741 982 goto out_unlock;
1da177e4
LT		 983 isec->sid = sid;
984 }
985 }
986 break;
987 }
988
989 isec->initialized = 1;
990
23970741
EP		 991out_unlock:
992 mutex_unlock(&isec->lock);
1da177e4
LT		 993out:
994 if (isec->sclass == SECCLASS_FILE)
995 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 996 return rc;
997}
998
999/* Convert a Linux signal to an access vector. */
1000static inline u32 signal_to_av(int sig)
1001{
1002 u32 perm = 0;
1003
1004 switch (sig) {
1005 case SIGCHLD:
1006 /* Commonly granted from child to parent. */
1007 perm = PROCESS__SIGCHLD;
1008 break;
1009 case SIGKILL:
1010 /* Cannot be caught or ignored */
1011 perm = PROCESS__SIGKILL;
1012 break;
1013 case SIGSTOP:
1014 /* Cannot be caught or ignored */
1015 perm = PROCESS__SIGSTOP;
1016 break;
1017 default:
1018 /* All other signals. */
1019 perm = PROCESS__SIGNAL;
1020 break;
1021 }
1022
1023 return perm;
1024}
1025
1026/* Check permission betweeen a pair of tasks, e.g. signal checks,
1027 fork check, ptrace check, etc. */
1028static int task_has_perm(struct task_struct *tsk1,
1029 struct task_struct *tsk2,
1030 u32 perms)
1031{
1032 struct task_security_struct *tsec1, *tsec2;
1033
1034 tsec1 = tsk1->security;
1035 tsec2 = tsk2->security;
1036 return avc_has_perm(tsec1->sid, tsec2->sid,
1037 SECCLASS_PROCESS, perms, NULL);
1038}
1039
1040/* Check whether a task is allowed to use a capability. */
1041static int task_has_capability(struct task_struct *tsk,
1042 int cap)
1043{
1044 struct task_security_struct *tsec;
1045 struct avc_audit_data ad;
1046
1047 tsec = tsk->security;
1048
1049 AVC_AUDIT_DATA_INIT(&ad,CAP);
1050 ad.tsk = tsk;
1051 ad.u.cap = cap;
1052
1053 return avc_has_perm(tsec->sid, tsec->sid,
1054 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1055}
1056
1057/* Check whether a task is allowed to use a system operation. */
1058static int task_has_system(struct task_struct *tsk,
1059 u32 perms)
1060{
1061 struct task_security_struct *tsec;
1062
1063 tsec = tsk->security;
1064
1065 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1066 SECCLASS_SYSTEM, perms, NULL);
1067}
1068
1069/* Check whether a task has a particular permission to an inode.
1070 The 'adp' parameter is optional and allows other audit
1071 data to be passed (e.g. the dentry). */
1072static int inode_has_perm(struct task_struct *tsk,
1073 struct inode *inode,
1074 u32 perms,
1075 struct avc_audit_data *adp)
1076{
1077 struct task_security_struct *tsec;
1078 struct inode_security_struct *isec;
1079 struct avc_audit_data ad;
1080
1081 tsec = tsk->security;
1082 isec = inode->i_security;
1083
1084 if (!adp) {
1085 adp = &ad;
1086 AVC_AUDIT_DATA_INIT(&ad, FS);
1087 ad.u.fs.inode = inode;
1088 }
1089
1090 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1091}
1092
1093/* Same as inode_has_perm, but pass explicit audit data containing
1094 the dentry to help the auditing code to more easily generate the
1095 pathname if needed. */
1096static inline int dentry_has_perm(struct task_struct *tsk,
1097 struct vfsmount *mnt,
1098 struct dentry *dentry,
1099 u32 av)
1100{
1101 struct inode *inode = dentry->d_inode;
1102 struct avc_audit_data ad;
1103 AVC_AUDIT_DATA_INIT(&ad,FS);
1104 ad.u.fs.mnt = mnt;
1105 ad.u.fs.dentry = dentry;
1106 return inode_has_perm(tsk, inode, av, &ad);
1107}
1108
1109/* Check whether a task can use an open file descriptor to
1110 access an inode in a given way. Check access to the
1111 descriptor itself, and then use dentry_has_perm to
1112 check a particular permission to the file.
1113 Access to the descriptor is implicitly granted if it
1114 has the same SID as the process. If av is zero, then
1115 access to the file is not checked, e.g. for cases
1116 where only the descriptor is affected like seek. */
858119e1 1117static int file_has_perm(struct task_struct *tsk,
1da177e4
LT		 1118 struct file *file,
1119 u32 av)
1120{
1121 struct task_security_struct *tsec = tsk->security;
1122 struct file_security_struct *fsec = file->f_security;
3d5ff529
JS		 1123 struct vfsmount *mnt = file->f_path.mnt;
1124 struct dentry *dentry = file->f_path.dentry;
1da177e4
LT		 1125 struct inode *inode = dentry->d_inode;
1126 struct avc_audit_data ad;
1127 int rc;
1128
1129 AVC_AUDIT_DATA_INIT(&ad, FS);
1130 ad.u.fs.mnt = mnt;
1131 ad.u.fs.dentry = dentry;
1132
1133 if (tsec->sid != fsec->sid) {
1134 rc = avc_has_perm(tsec->sid, fsec->sid,
1135 SECCLASS_FD,
1136 FD__USE,
1137 &ad);
1138 if (rc)
1139 return rc;
1140 }
1141
1142 /* av is zero if only checking access to the descriptor. */
1143 if (av)
1144 return inode_has_perm(tsk, inode, av, &ad);
1145
1146 return 0;
1147}
1148
1149/* Check whether a task can create a file. */
1150static int may_create(struct inode *dir,
1151 struct dentry *dentry,
1152 u16 tclass)
1153{
1154 struct task_security_struct *tsec;
1155 struct inode_security_struct *dsec;
1156 struct superblock_security_struct *sbsec;
1157 u32 newsid;
1158 struct avc_audit_data ad;
1159 int rc;
1160
1161 tsec = current->security;
1162 dsec = dir->i_security;
1163 sbsec = dir->i_sb->s_security;
1164
1165 AVC_AUDIT_DATA_INIT(&ad, FS);
1166 ad.u.fs.dentry = dentry;
1167
1168 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1169 DIR__ADD_NAME | DIR__SEARCH,
1170 &ad);
1171 if (rc)
1172 return rc;
1173
1174 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1175 newsid = tsec->create_sid;
1176 } else {
1177 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1178 &newsid);
1179 if (rc)
1180 return rc;
1181 }
1182
1183 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1184 if (rc)
1185 return rc;
1186
1187 return avc_has_perm(newsid, sbsec->sid,
1188 SECCLASS_FILESYSTEM,
1189 FILESYSTEM__ASSOCIATE, &ad);
1190}
1191
4eb582cf
ML		 1192/* Check whether a task can create a key. */
1193static int may_create_key(u32 ksid,
1194 struct task_struct *ctx)
1195{
1196 struct task_security_struct *tsec;
1197
1198 tsec = ctx->security;
1199
1200 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1201}
1202
1da177e4
LT		 1203#define MAY_LINK 0
1204#define MAY_UNLINK 1
1205#define MAY_RMDIR 2
1206
1207/* Check whether a task can link, unlink, or rmdir a file/directory. */
1208static int may_link(struct inode *dir,
1209 struct dentry *dentry,
1210 int kind)
1211
1212{
1213 struct task_security_struct *tsec;
1214 struct inode_security_struct *dsec, *isec;
1215 struct avc_audit_data ad;
1216 u32 av;
1217 int rc;
1218
1219 tsec = current->security;
1220 dsec = dir->i_security;
1221 isec = dentry->d_inode->i_security;
1222
1223 AVC_AUDIT_DATA_INIT(&ad, FS);
1224 ad.u.fs.dentry = dentry;
1225
1226 av = DIR__SEARCH;
1227 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1228 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1229 if (rc)
1230 return rc;
1231
1232 switch (kind) {
1233 case MAY_LINK:
1234 av = FILE__LINK;
1235 break;
1236 case MAY_UNLINK:
1237 av = FILE__UNLINK;
1238 break;
1239 case MAY_RMDIR:
1240 av = DIR__RMDIR;
1241 break;
1242 default:
1243 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1244 return 0;
1245 }
1246
1247 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1248 return rc;
1249}
1250
1251static inline int may_rename(struct inode *old_dir,
1252 struct dentry *old_dentry,
1253 struct inode *new_dir,
1254 struct dentry *new_dentry)
1255{
1256 struct task_security_struct *tsec;
1257 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1258 struct avc_audit_data ad;
1259 u32 av;
1260 int old_is_dir, new_is_dir;
1261 int rc;
1262
1263 tsec = current->security;
1264 old_dsec = old_dir->i_security;
1265 old_isec = old_dentry->d_inode->i_security;
1266 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1267 new_dsec = new_dir->i_security;
1268
1269 AVC_AUDIT_DATA_INIT(&ad, FS);
1270
1271 ad.u.fs.dentry = old_dentry;
1272 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1273 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1274 if (rc)
1275 return rc;
1276 rc = avc_has_perm(tsec->sid, old_isec->sid,
1277 old_isec->sclass, FILE__RENAME, &ad);
1278 if (rc)
1279 return rc;
1280 if (old_is_dir && new_dir != old_dir) {
1281 rc = avc_has_perm(tsec->sid, old_isec->sid,
1282 old_isec->sclass, DIR__REPARENT, &ad);
1283 if (rc)
1284 return rc;
1285 }
1286
1287 ad.u.fs.dentry = new_dentry;
1288 av = DIR__ADD_NAME | DIR__SEARCH;
1289 if (new_dentry->d_inode)
1290 av |= DIR__REMOVE_NAME;
1291 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1292 if (rc)
1293 return rc;
1294 if (new_dentry->d_inode) {
1295 new_isec = new_dentry->d_inode->i_security;
1296 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1297 rc = avc_has_perm(tsec->sid, new_isec->sid,
1298 new_isec->sclass,
1299 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1300 if (rc)
1301 return rc;
1302 }
1303
1304 return 0;
1305}
1306
1307/* Check whether a task can perform a filesystem operation. */
1308static int superblock_has_perm(struct task_struct *tsk,
1309 struct super_block *sb,
1310 u32 perms,
1311 struct avc_audit_data *ad)
1312{
1313 struct task_security_struct *tsec;
1314 struct superblock_security_struct *sbsec;
1315
1316 tsec = tsk->security;
1317 sbsec = sb->s_security;
1318 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1319 perms, ad);
1320}
1321
1322/* Convert a Linux mode and permission mask to an access vector. */
1323static inline u32 file_mask_to_av(int mode, int mask)
1324{
1325 u32 av = 0;
1326
1327 if ((mode & S_IFMT) != S_IFDIR) {
1328 if (mask & MAY_EXEC)
1329 av |= FILE__EXECUTE;
1330 if (mask & MAY_READ)
1331 av |= FILE__READ;
1332
1333 if (mask & MAY_APPEND)
1334 av |= FILE__APPEND;
1335 else if (mask & MAY_WRITE)
1336 av |= FILE__WRITE;
1337
1338 } else {
1339 if (mask & MAY_EXEC)
1340 av |= DIR__SEARCH;
1341 if (mask & MAY_WRITE)
1342 av |= DIR__WRITE;
1343 if (mask & MAY_READ)
1344 av |= DIR__READ;
1345 }
1346
1347 return av;
1348}
1349
1350/* Convert a Linux file to an access vector. */
1351static inline u32 file_to_av(struct file *file)
1352{
1353 u32 av = 0;
1354
1355 if (file->f_mode & FMODE_READ)
1356 av |= FILE__READ;
1357 if (file->f_mode & FMODE_WRITE) {
1358 if (file->f_flags & O_APPEND)
1359 av |= FILE__APPEND;
1360 else
1361 av |= FILE__WRITE;
1362 }
1363
1364 return av;
1365}
1366
1da177e4
LT		 1367/* Hook functions begin here. */
1368
1369static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1370{
1371 struct task_security_struct *psec = parent->security;
1372 struct task_security_struct *csec = child->security;
1373 int rc;
1374
1375 rc = secondary_ops->ptrace(parent,child);
1376 if (rc)
1377 return rc;
1378
1379 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1380 /* Save the SID of the tracing process for later use in apply_creds. */
341c2d80 1381 if (!(child->ptrace & PT_PTRACED) && !rc)
1da177e4
LT		 1382 csec->ptrace_sid = psec->sid;
1383 return rc;
1384}
1385
1386static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1387 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1388{
1389 int error;
1390
1391 error = task_has_perm(current, target, PROCESS__GETCAP);
1392 if (error)
1393 return error;
1394
1395 return secondary_ops->capget(target, effective, inheritable, permitted);
1396}
1397
1398static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1399 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1400{
1401 int error;
1402
1403 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1404 if (error)
1405 return error;
1406
1407 return task_has_perm(current, target, PROCESS__SETCAP);
1408}
1409
1410static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1411 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1412{
1413 secondary_ops->capset_set(target, effective, inheritable, permitted);
1414}
1415
1416static int selinux_capable(struct task_struct *tsk, int cap)
1417{
1418 int rc;
1419
1420 rc = secondary_ops->capable(tsk, cap);
1421 if (rc)
1422 return rc;
1423
1424 return task_has_capability(tsk,cap);
1425}
1426
1427static int selinux_sysctl(ctl_table *table, int op)
1428{
1429 int error = 0;
1430 u32 av;
1431 struct task_security_struct *tsec;
1432 u32 tsid;
1433 int rc;
1434
1435 rc = secondary_ops->sysctl(table, op);
1436 if (rc)
1437 return rc;
1438
1439 tsec = current->security;
1440
1441 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1442 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1443 if (rc) {
1444 /* Default to the well-defined sysctl SID. */
1445 tsid = SECINITSID_SYSCTL;
1446 }
1447
1448 /* The op values are "defined" in sysctl.c, thereby creating
1449 * a bad coupling between this module and sysctl.c */
1450 if(op == 001) {
1451 error = avc_has_perm(tsec->sid, tsid,
1452 SECCLASS_DIR, DIR__SEARCH, NULL);
1453 } else {
1454 av = 0;
1455 if (op & 004)
1456 av |= FILE__READ;
1457 if (op & 002)
1458 av |= FILE__WRITE;
1459 if (av)
1460 error = avc_has_perm(tsec->sid, tsid,
1461 SECCLASS_FILE, av, NULL);
1462 }
1463
1464 return error;
1465}
1466
1467static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1468{
1469 int rc = 0;
1470
1471 if (!sb)
1472 return 0;
1473
1474 switch (cmds) {
1475 case Q_SYNC:
1476 case Q_QUOTAON:
1477 case Q_QUOTAOFF:
1478 case Q_SETINFO:
1479 case Q_SETQUOTA:
1480 rc = superblock_has_perm(current,
1481 sb,
1482 FILESYSTEM__QUOTAMOD, NULL);
1483 break;
1484 case Q_GETFMT:
1485 case Q_GETINFO:
1486 case Q_GETQUOTA:
1487 rc = superblock_has_perm(current,
1488 sb,
1489 FILESYSTEM__QUOTAGET, NULL);
1490 break;
1491 default:
1492 rc = 0; /* let the kernel handle invalid cmds */
1493 break;
1494 }
1495 return rc;
1496}
1497
1498static int selinux_quota_on(struct dentry *dentry)
1499{
1500 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1501}
1502
1503static int selinux_syslog(int type)
1504{
1505 int rc;
1506
1507 rc = secondary_ops->syslog(type);
1508 if (rc)
1509 return rc;
1510
1511 switch (type) {
1512 case 3: /* Read last kernel messages */
1513 case 10: /* Return size of the log buffer */
1514 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1515 break;
1516 case 6: /* Disable logging to console */
1517 case 7: /* Enable logging to console */
1518 case 8: /* Set level of messages printed to console */
1519 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1520 break;
1521 case 0: /* Close log */
1522 case 1: /* Open log */
1523 case 2: /* Read from log */
1524 case 4: /* Read/clear last kernel messages */
1525 case 5: /* Clear ring buffer */
1526 default:
1527 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1528 break;
1529 }
1530 return rc;
1531}
1532
1533/*
1534 * Check that a process has enough memory to allocate a new virtual
1535 * mapping. 0 means there is enough memory for the allocation to
1536 * succeed and -ENOMEM implies there is not.
1537 *
1538 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1539 * if the capability is granted, but __vm_enough_memory requires 1 if
1540 * the capability is granted.
1541 *
1542 * Do not audit the selinux permission check, as this is applied to all
1543 * processes that allocate mappings.
1544 */
1545static int selinux_vm_enough_memory(long pages)
1546{
1547 int rc, cap_sys_admin = 0;
1548 struct task_security_struct *tsec = current->security;
1549
1550 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1551 if (rc == 0)
1552 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1553 SECCLASS_CAPABILITY,
1554 CAP_TO_MASK(CAP_SYS_ADMIN),
1555 NULL);
1556
1557 if (rc == 0)
1558 cap_sys_admin = 1;
1559
1560 return __vm_enough_memory(pages, cap_sys_admin);
1561}
1562
1563/* binprm security operations */
1564
1565static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1566{
1567 struct bprm_security_struct *bsec;
1568
89d155ef 1569 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1da177e4
LT		 1570 if (!bsec)
1571 return -ENOMEM;
1572
1da177e4
LT		 1573 bsec->bprm = bprm;
1574 bsec->sid = SECINITSID_UNLABELED;
1575 bsec->set = 0;
1576
1577 bprm->security = bsec;
1578 return 0;
1579}
1580
1581static int selinux_bprm_set_security(struct linux_binprm *bprm)
1582{
1583 struct task_security_struct *tsec;
3d5ff529 1584 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1da177e4
LT		 1585 struct inode_security_struct *isec;
1586 struct bprm_security_struct *bsec;
1587 u32 newsid;
1588 struct avc_audit_data ad;
1589 int rc;
1590
1591 rc = secondary_ops->bprm_set_security(bprm);
1592 if (rc)
1593 return rc;
1594
1595 bsec = bprm->security;
1596
1597 if (bsec->set)
1598 return 0;
1599
1600 tsec = current->security;
1601 isec = inode->i_security;
1602
1603 /* Default to the current task SID. */
1604 bsec->sid = tsec->sid;
1605
28eba5bf 1606 /* Reset fs, key, and sock SIDs on execve. */
1da177e4 1607 tsec->create_sid = 0;
28eba5bf 1608 tsec->keycreate_sid = 0;
42c3e03e 1609 tsec->sockcreate_sid = 0;
1da177e4
LT		 1610
1611 if (tsec->exec_sid) {
1612 newsid = tsec->exec_sid;
1613 /* Reset exec SID on execve. */
1614 tsec->exec_sid = 0;
1615 } else {
1616 /* Check for a default transition on this program. */
1617 rc = security_transition_sid(tsec->sid, isec->sid,
1618 SECCLASS_PROCESS, &newsid);
1619 if (rc)
1620 return rc;
1621 }
1622
1623 AVC_AUDIT_DATA_INIT(&ad, FS);
3d5ff529
JS		 1624 ad.u.fs.mnt = bprm->file->f_path.mnt;
1625 ad.u.fs.dentry = bprm->file->f_path.dentry;
1da177e4 1626
3d5ff529 1627 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1da177e4
LT		 1628 newsid = tsec->sid;
1629
1630 if (tsec->sid == newsid) {
1631 rc = avc_has_perm(tsec->sid, isec->sid,
1632 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1633 if (rc)
1634 return rc;
1635 } else {
1636 /* Check permissions for the transition. */
1637 rc = avc_has_perm(tsec->sid, newsid,
1638 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1639 if (rc)
1640 return rc;
1641
1642 rc = avc_has_perm(newsid, isec->sid,
1643 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1644 if (rc)
1645 return rc;
1646
1647 /* Clear any possibly unsafe personality bits on exec: */
1648 current->personality &= ~PER_CLEAR_ON_SETID;
1649
1650 /* Set the security field to the new SID. */
1651 bsec->sid = newsid;
1652 }
1653
1654 bsec->set = 1;
1655 return 0;
1656}
1657
1658static int selinux_bprm_check_security (struct linux_binprm *bprm)
1659{
1660 return secondary_ops->bprm_check_security(bprm);
1661}
1662
1663
1664static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1665{
1666 struct task_security_struct *tsec = current->security;
1667 int atsecure = 0;
1668
1669 if (tsec->osid != tsec->sid) {
1670 /* Enable secure mode for SIDs transitions unless
1671 the noatsecure permission is granted between
1672 the two SIDs, i.e. ahp returns 0. */
1673 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1674 SECCLASS_PROCESS,
1675 PROCESS__NOATSECURE, NULL);
1676 }
1677
1678 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1679}
1680
1681static void selinux_bprm_free_security(struct linux_binprm *bprm)
1682{
9a5f04bf 1683 kfree(bprm->security);
1da177e4 1684 bprm->security = NULL;
1da177e4
LT		 1685}
1686
1687extern struct vfsmount *selinuxfs_mount;
1688extern struct dentry *selinux_null;
1689
1690/* Derived from fs/exec.c:flush_old_files. */
1691static inline void flush_unauthorized_files(struct files_struct * files)
1692{
1693 struct avc_audit_data ad;
1694 struct file *file, *devnull = NULL;
b20c8122 1695 struct tty_struct *tty;
badf1662 1696 struct fdtable *fdt;
1da177e4 1697 long j = -1;
24ec839c 1698 int drop_tty = 0;
1da177e4 1699
b20c8122 1700 mutex_lock(&tty_mutex);
24ec839c 1701 tty = get_current_tty();
1da177e4
LT		 1702 if (tty) {
1703 file_list_lock();
2f512016 1704 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1da177e4
LT		 1705 if (file) {
1706 /* Revalidate access to controlling tty.
1707 Use inode_has_perm on the tty inode directly rather
1708 than using file_has_perm, as this particular open
1709 file may belong to another process and we are only
1710 interested in the inode-based check here. */
3d5ff529 1711 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 1712 if (inode_has_perm(current, inode,
1713 FILE__READ | FILE__WRITE, NULL)) {
24ec839c 1714 drop_tty = 1;
1da177e4
LT		 1715 }
1716 }
1717 file_list_unlock();
24ec839c
PZ		 1718
1719 /* Reset controlling tty. */
1720 if (drop_tty)
1721 proc_set_tty(current, NULL);
1da177e4 1722 }
b20c8122 1723 mutex_unlock(&tty_mutex);
1da177e4
LT		 1724
1725 /* Revalidate access to inherited open files. */
1726
1727 AVC_AUDIT_DATA_INIT(&ad,FS);
1728
1729 spin_lock(&files->file_lock);
1730 for (;;) {
1731 unsigned long set, i;
1732 int fd;
1733
1734 j++;
1735 i = j * __NFDBITS;
badf1662
DS		 1736 fdt = files_fdtable(files);
1737 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1da177e4 1738 break;
badf1662 1739 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 1740 if (!set)
1741 continue;
1742 spin_unlock(&files->file_lock);
1743 for ( ; set ; i++,set >>= 1) {
1744 if (set & 1) {
1745 file = fget(i);
1746 if (!file)
1747 continue;
1748 if (file_has_perm(current,
1749 file,
1750 file_to_av(file))) {
1751 sys_close(i);
1752 fd = get_unused_fd();
1753 if (fd != i) {
1754 if (fd >= 0)
1755 put_unused_fd(fd);
1756 fput(file);
1757 continue;
1758 }
1759 if (devnull) {
095975da 1760 get_file(devnull);
1da177e4
LT		 1761 } else {
1762 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
fc5d81e6
AM		 1763 if (IS_ERR(devnull)) {
1764 devnull = NULL;
1da177e4
LT		 1765 put_unused_fd(fd);
1766 fput(file);
1767 continue;
1768 }
1769 }
1770 fd_install(fd, devnull);
1771 }
1772 fput(file);
1773 }
1774 }
1775 spin_lock(&files->file_lock);
1776
1777 }
1778 spin_unlock(&files->file_lock);
1779}
1780
1781static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1782{
1783 struct task_security_struct *tsec;
1784 struct bprm_security_struct *bsec;
1785 u32 sid;
1786 int rc;
1787
1788 secondary_ops->bprm_apply_creds(bprm, unsafe);
1789
1790 tsec = current->security;
1791
1792 bsec = bprm->security;
1793 sid = bsec->sid;
1794
1795 tsec->osid = tsec->sid;
1796 bsec->unsafe = 0;
1797 if (tsec->sid != sid) {
1798 /* Check for shared state. If not ok, leave SID
1799 unchanged and kill. */
1800 if (unsafe & LSM_UNSAFE_SHARE) {
1801 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1802 PROCESS__SHARE, NULL);
1803 if (rc) {
1804 bsec->unsafe = 1;
1805 return;
1806 }
1807 }
1808
1809 /* Check for ptracing, and update the task SID if ok.
1810 Otherwise, leave SID unchanged and kill. */
1811 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1812 rc = avc_has_perm(tsec->ptrace_sid, sid,
1813 SECCLASS_PROCESS, PROCESS__PTRACE,
1814 NULL);
1815 if (rc) {
1816 bsec->unsafe = 1;
1817 return;
1818 }
1819 }
1820 tsec->sid = sid;
1821 }
1822}
1823
1824/*
1825 * called after apply_creds without the task lock held
1826 */
1827static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1828{
1829 struct task_security_struct *tsec;
1830 struct rlimit *rlim, *initrlim;
1831 struct itimerval itimer;
1832 struct bprm_security_struct *bsec;
1833 int rc, i;
1834
1835 tsec = current->security;
1836 bsec = bprm->security;
1837
1838 if (bsec->unsafe) {
1839 force_sig_specific(SIGKILL, current);
1840 return;
1841 }
1842 if (tsec->osid == tsec->sid)
1843 return;
1844
1845 /* Close files for which the new task SID is not authorized. */
1846 flush_unauthorized_files(current->files);
1847
1848 /* Check whether the new SID can inherit signal state
1849 from the old SID. If not, clear itimers to avoid
1850 subsequent signal generation and flush and unblock
1851 signals. This must occur _after_ the task SID has
1852 been updated so that any kill done after the flush
1853 will be checked against the new SID. */
1854 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1855 PROCESS__SIGINH, NULL);
1856 if (rc) {
1857 memset(&itimer, 0, sizeof itimer);
1858 for (i = 0; i < 3; i++)
1859 do_setitimer(i, &itimer, NULL);
1860 flush_signals(current);
1861 spin_lock_irq(&current->sighand->siglock);
1862 flush_signal_handlers(current, 1);
1863 sigemptyset(&current->blocked);
1864 recalc_sigpending();
1865 spin_unlock_irq(&current->sighand->siglock);
1866 }
1867
1868 /* Check whether the new SID can inherit resource limits
1869 from the old SID. If not, reset all soft limits to
1870 the lower of the current task's hard limit and the init
1871 task's soft limit. Note that the setting of hard limits
1872 (even to lower them) can be controlled by the setrlimit
1873 check. The inclusion of the init task's soft limit into
1874 the computation is to avoid resetting soft limits higher
1875 than the default soft limit for cases where the default
1876 is lower than the hard limit, e.g. RLIMIT_CORE or
1877 RLIMIT_STACK.*/
1878 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1879 PROCESS__RLIMITINH, NULL);
1880 if (rc) {
1881 for (i = 0; i < RLIM_NLIMITS; i++) {
1882 rlim = current->signal->rlim + i;
1883 initrlim = init_task.signal->rlim+i;
1884 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1885 }
1886 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1887 /*
1888 * This will cause RLIMIT_CPU calculations
1889 * to be refigured.
1890 */
1891 current->it_prof_expires = jiffies_to_cputime(1);
1892 }
1893 }
1894
1895 /* Wake up the parent if it is waiting so that it can
1896 recheck wait permission to the new task SID. */
1897 wake_up_interruptible(&current->parent->signal->wait_chldexit);
1898}
1899
1900/* superblock security operations */
1901
1902static int selinux_sb_alloc_security(struct super_block *sb)
1903{
1904 return superblock_alloc_security(sb);
1905}
1906
1907static void selinux_sb_free_security(struct super_block *sb)
1908{
1909 superblock_free_security(sb);
1910}
1911
1912static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1913{
1914 if (plen > olen)
1915 return 0;
1916
1917 return !memcmp(prefix, option, plen);
1918}
1919
1920static inline int selinux_option(char *option, int len)
1921{
1922 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1923 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
0808925e
EP		 1924 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
1925 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
1da177e4
LT		 1926}
1927
1928static inline void take_option(char **to, char *from, int *first, int len)
1929{
1930 if (!*first) {
1931 **to = ',';
1932 *to += 1;
3528a953 1933 } else
1da177e4
LT		 1934 *first = 0;
1935 memcpy(*to, from, len);
1936 *to += len;
1937}
1938
3528a953
CO		 1939static inline void take_selinux_option(char **to, char *from, int *first,
1940 int len)
1941{
1942 int current_size = 0;
1943
1944 if (!*first) {
1945 **to = '|';
1946 *to += 1;
1947 }
1948 else
1949 *first = 0;
1950
1951 while (current_size < len) {
1952 if (*from != '"') {
1953 **to = *from;
1954 *to += 1;
1955 }
1956 from += 1;
1957 current_size += 1;
1958 }
1959}
1960
1da177e4
LT		 1961static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1962{
1963 int fnosec, fsec, rc = 0;
1964 char *in_save, *in_curr, *in_end;
1965 char *sec_curr, *nosec_save, *nosec;
3528a953 1966 int open_quote = 0;
1da177e4
LT		 1967
1968 in_curr = orig;
1969 sec_curr = copy;
1970
1971 /* Binary mount data: just copy */
1972 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1973 copy_page(sec_curr, in_curr);
1974 goto out;
1975 }
1976
1977 nosec = (char *)get_zeroed_page(GFP_KERNEL);
1978 if (!nosec) {
1979 rc = -ENOMEM;
1980 goto out;
1981 }
1982
1983 nosec_save = nosec;
1984 fnosec = fsec = 1;
1985 in_save = in_end = orig;
1986
1987 do {
3528a953
CO		 1988 if (*in_end == '"')
1989 open_quote = !open_quote;
1990 if ((*in_end == ',' && open_quote == 0) ||
1991 *in_end == '\0') {
1da177e4
LT		 1992 int len = in_end - in_curr;
1993
1994 if (selinux_option(in_curr, len))
3528a953 1995 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 1996 else
1997 take_option(&nosec, in_curr, &fnosec, len);
1998
1999 in_curr = in_end + 1;
2000 }
2001 } while (*in_end++);
2002
6931dfc9 2003 strcpy(in_save, nosec_save);
da3caa20 2004 free_page((unsigned long)nosec_save);
1da177e4
LT		 2005out:
2006 return rc;
2007}
2008
2009static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2010{
2011 struct avc_audit_data ad;
2012 int rc;
2013
2014 rc = superblock_doinit(sb, data);
2015 if (rc)
2016 return rc;
2017
2018 AVC_AUDIT_DATA_INIT(&ad,FS);
2019 ad.u.fs.dentry = sb->s_root;
2020 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2021}
2022
726c3342 2023static int selinux_sb_statfs(struct dentry *dentry)
1da177e4
LT		 2024{
2025 struct avc_audit_data ad;
2026
2027 AVC_AUDIT_DATA_INIT(&ad,FS);
726c3342
DH		 2028 ad.u.fs.dentry = dentry->d_sb->s_root;
2029 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2030}
2031
2032static int selinux_mount(char * dev_name,
2033 struct nameidata *nd,
2034 char * type,
2035 unsigned long flags,
2036 void * data)
2037{
2038 int rc;
2039
2040 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2041 if (rc)
2042 return rc;
2043
2044 if (flags & MS_REMOUNT)
2045 return superblock_has_perm(current, nd->mnt->mnt_sb,
2046 FILESYSTEM__REMOUNT, NULL);
2047 else
2048 return dentry_has_perm(current, nd->mnt, nd->dentry,
2049 FILE__MOUNTON);
2050}
2051
2052static int selinux_umount(struct vfsmount *mnt, int flags)
2053{
2054 int rc;
2055
2056 rc = secondary_ops->sb_umount(mnt, flags);
2057 if (rc)
2058 return rc;
2059
2060 return superblock_has_perm(current,mnt->mnt_sb,
2061 FILESYSTEM__UNMOUNT,NULL);
2062}
2063
2064/* inode security operations */
2065
2066static int selinux_inode_alloc_security(struct inode *inode)
2067{
2068 return inode_alloc_security(inode);
2069}
2070
2071static void selinux_inode_free_security(struct inode *inode)
2072{
2073 inode_free_security(inode);
2074}
2075
5e41ff9e
SS		 2076static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2077 char **name, void **value,
2078 size_t *len)
2079{
2080 struct task_security_struct *tsec;
2081 struct inode_security_struct *dsec;
2082 struct superblock_security_struct *sbsec;
570bc1c2 2083 u32 newsid, clen;
5e41ff9e 2084 int rc;
570bc1c2 2085 char *namep = NULL, *context;
5e41ff9e
SS		 2086
2087 tsec = current->security;
2088 dsec = dir->i_security;
2089 sbsec = dir->i_sb->s_security;
5e41ff9e
SS		 2090
2091 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2092 newsid = tsec->create_sid;
2093 } else {
2094 rc = security_transition_sid(tsec->sid, dsec->sid,
2095 inode_mode_to_security_class(inode->i_mode),
2096 &newsid);
2097 if (rc) {
2098 printk(KERN_WARNING "%s: "
2099 "security_transition_sid failed, rc=%d (dev=%s "
2100 "ino=%ld)\n",
2101 __FUNCTION__,
2102 -rc, inode->i_sb->s_id, inode->i_ino);
2103 return rc;
2104 }
2105 }
2106
296fddf7
EP		 2107 /* Possibly defer initialization to selinux_complete_init. */
2108 if (sbsec->initialized) {
2109 struct inode_security_struct *isec = inode->i_security;
2110 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2111 isec->sid = newsid;
2112 isec->initialized = 1;
2113 }
5e41ff9e 2114
8aad3875 2115 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
25a74f3b
SS		 2116 return -EOPNOTSUPP;
2117
570bc1c2
SS		 2118 if (name) {
2119 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2120 if (!namep)
2121 return -ENOMEM;
2122 *name = namep;
2123 }
5e41ff9e 2124
570bc1c2
SS		 2125 if (value && len) {
2126 rc = security_sid_to_context(newsid, &context, &clen);
2127 if (rc) {
2128 kfree(namep);
2129 return rc;
2130 }
2131 *value = context;
2132 *len = clen;
5e41ff9e 2133 }
5e41ff9e 2134
5e41ff9e
SS		 2135 return 0;
2136}
2137
1da177e4
LT		 2138static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2139{
2140 return may_create(dir, dentry, SECCLASS_FILE);
2141}
2142
1da177e4
LT		 2143static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2144{
2145 int rc;
2146
2147 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2148 if (rc)
2149 return rc;
2150 return may_link(dir, old_dentry, MAY_LINK);
2151}
2152
1da177e4
LT		 2153static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2154{
2155 int rc;
2156
2157 rc = secondary_ops->inode_unlink(dir, dentry);
2158 if (rc)
2159 return rc;
2160 return may_link(dir, dentry, MAY_UNLINK);
2161}
2162
2163static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2164{
2165 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2166}
2167
1da177e4
LT		 2168static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2169{
2170 return may_create(dir, dentry, SECCLASS_DIR);
2171}
2172
1da177e4
LT		 2173static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2174{
2175 return may_link(dir, dentry, MAY_RMDIR);
2176}
2177
2178static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2179{
2180 int rc;
2181
2182 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2183 if (rc)
2184 return rc;
2185
2186 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2187}
2188
1da177e4
LT		 2189static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2190 struct inode *new_inode, struct dentry *new_dentry)
2191{
2192 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2193}
2194
1da177e4
LT		 2195static int selinux_inode_readlink(struct dentry *dentry)
2196{
2197 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2198}
2199
2200static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2201{
2202 int rc;
2203
2204 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2205 if (rc)
2206 return rc;
2207 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2208}
2209
2210static int selinux_inode_permission(struct inode *inode, int mask,
2211 struct nameidata *nd)
2212{
2213 int rc;
2214
2215 rc = secondary_ops->inode_permission(inode, mask, nd);
2216 if (rc)
2217 return rc;
2218
2219 if (!mask) {
2220 /* No permission to check. Existence test. */
2221 return 0;
2222 }
2223
2224 return inode_has_perm(current, inode,
2225 file_mask_to_av(inode->i_mode, mask), NULL);
2226}
2227
2228static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2229{
2230 int rc;
2231
2232 rc = secondary_ops->inode_setattr(dentry, iattr);
2233 if (rc)
2234 return rc;
2235
2236 if (iattr->ia_valid & ATTR_FORCE)
2237 return 0;
2238
2239 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2240 ATTR_ATIME_SET | ATTR_MTIME_SET))
2241 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2242
2243 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2244}
2245
2246static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2247{
2248 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2249}
2250
2251static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2252{
2253 struct task_security_struct *tsec = current->security;
2254 struct inode *inode = dentry->d_inode;
2255 struct inode_security_struct *isec = inode->i_security;
2256 struct superblock_security_struct *sbsec;
2257 struct avc_audit_data ad;
2258 u32 newsid;
2259 int rc = 0;
2260
2261 if (strcmp(name, XATTR_NAME_SELINUX)) {
2262 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2263 sizeof XATTR_SECURITY_PREFIX - 1) &&
2264 !capable(CAP_SYS_ADMIN)) {
2265 /* A different attribute in the security namespace.
2266 Restrict to administrator. */
2267 return -EPERM;
2268 }
2269
2270 /* Not an attribute we recognize, so just check the
2271 ordinary setattr permission. */
2272 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2273 }
2274
2275 sbsec = inode->i_sb->s_security;
2276 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2277 return -EOPNOTSUPP;
2278
2279 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2280 return -EPERM;
2281
2282 AVC_AUDIT_DATA_INIT(&ad,FS);
2283 ad.u.fs.dentry = dentry;
2284
2285 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2286 FILE__RELABELFROM, &ad);
2287 if (rc)
2288 return rc;
2289
2290 rc = security_context_to_sid(value, size, &newsid);
2291 if (rc)
2292 return rc;
2293
2294 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2295 FILE__RELABELTO, &ad);
2296 if (rc)
2297 return rc;
2298
2299 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2300 isec->sclass);
2301 if (rc)
2302 return rc;
2303
2304 return avc_has_perm(newsid,
2305 sbsec->sid,
2306 SECCLASS_FILESYSTEM,
2307 FILESYSTEM__ASSOCIATE,
2308 &ad);
2309}
2310
2311static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2312 void *value, size_t size, int flags)
2313{
2314 struct inode *inode = dentry->d_inode;
2315 struct inode_security_struct *isec = inode->i_security;
2316 u32 newsid;
2317 int rc;
2318
2319 if (strcmp(name, XATTR_NAME_SELINUX)) {
2320 /* Not an attribute we recognize, so nothing to do. */
2321 return;
2322 }
2323
2324 rc = security_context_to_sid(value, size, &newsid);
2325 if (rc) {
2326 printk(KERN_WARNING "%s: unable to obtain SID for context "
2327 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2328 return;
2329 }
2330
2331 isec->sid = newsid;
2332 return;
2333}
2334
2335static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2336{
1da177e4
LT		 2337 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2338}
2339
2340static int selinux_inode_listxattr (struct dentry *dentry)
2341{
2342 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2343}
2344
2345static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2346{
2347 if (strcmp(name, XATTR_NAME_SELINUX)) {
2348 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2349 sizeof XATTR_SECURITY_PREFIX - 1) &&
2350 !capable(CAP_SYS_ADMIN)) {
2351 /* A different attribute in the security namespace.
2352 Restrict to administrator. */
2353 return -EPERM;
2354 }
2355
2356 /* Not an attribute we recognize, so just check the
2357 ordinary setattr permission. Might want a separate
2358 permission for removexattr. */
2359 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2360 }
2361
2362 /* No one is allowed to remove a SELinux security label.
2363 You can change the label, but all data must be labeled. */
2364 return -EACCES;
2365}
2366
8c8570fb
DK		 2367static const char *selinux_inode_xattr_getsuffix(void)
2368{
2369 return XATTR_SELINUX_SUFFIX;
2370}
2371
d381d8a9
JM		 2372/*
2373 * Copy the in-core inode security context value to the user. If the
2374 * getxattr() prior to this succeeded, check to see if we need to
2375 * canonicalize the value to be finally returned to the user.
2376 *
2377 * Permission check is handled by selinux_inode_getxattr hook.
2378 */
7306a0b9 2379static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
1da177e4
LT		 2380{
2381 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2382
8c8570fb
DK		 2383 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2384 return -EOPNOTSUPP;
d381d8a9 2385
8c8570fb 2386 return selinux_getsecurity(isec->sid, buffer, size);
1da177e4
LT		 2387}
2388
2389static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2390 const void *value, size_t size, int flags)
2391{
2392 struct inode_security_struct *isec = inode->i_security;
2393 u32 newsid;
2394 int rc;
2395
2396 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2397 return -EOPNOTSUPP;
2398
2399 if (!value || !size)
2400 return -EACCES;
2401
2402 rc = security_context_to_sid((void*)value, size, &newsid);
2403 if (rc)
2404 return rc;
2405
2406 isec->sid = newsid;
2407 return 0;
2408}
2409
2410static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2411{
2412 const int len = sizeof(XATTR_NAME_SELINUX);
2413 if (buffer && len <= buffer_size)
2414 memcpy(buffer, XATTR_NAME_SELINUX, len);
2415 return len;
2416}
2417
2418/* file security operations */
2419
2420static int selinux_file_permission(struct file *file, int mask)
2421{
7420ed23 2422 int rc;
3d5ff529 2423 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2424
2425 if (!mask) {
2426 /* No permission to check. Existence test. */
2427 return 0;
2428 }
2429
2430 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2431 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2432 mask |= MAY_APPEND;
2433
7420ed23
VY		 2434 rc = file_has_perm(current, file,
2435 file_mask_to_av(inode->i_mode, mask));
2436 if (rc)
2437 return rc;
2438
2439 return selinux_netlbl_inode_permission(inode, mask);
1da177e4
LT		 2440}
2441
2442static int selinux_file_alloc_security(struct file *file)
2443{
2444 return file_alloc_security(file);
2445}
2446
2447static void selinux_file_free_security(struct file *file)
2448{
2449 file_free_security(file);
2450}
2451
2452static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2453 unsigned long arg)
2454{
2455 int error = 0;
2456
2457 switch (cmd) {
2458 case FIONREAD:
2459 /* fall through */
2460 case FIBMAP:
2461 /* fall through */
2462 case FIGETBSZ:
2463 /* fall through */
2464 case EXT2_IOC_GETFLAGS:
2465 /* fall through */
2466 case EXT2_IOC_GETVERSION:
2467 error = file_has_perm(current, file, FILE__GETATTR);
2468 break;
2469
2470 case EXT2_IOC_SETFLAGS:
2471 /* fall through */
2472 case EXT2_IOC_SETVERSION:
2473 error = file_has_perm(current, file, FILE__SETATTR);
2474 break;
2475
2476 /* sys_ioctl() checks */
2477 case FIONBIO:
2478 /* fall through */
2479 case FIOASYNC:
2480 error = file_has_perm(current, file, 0);
2481 break;
2482
2483 case KDSKBENT:
2484 case KDSKBSENT:
2485 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2486 break;
2487
2488 /* default case assumes that the command will go
2489 * to the file's ioctl() function.
2490 */
2491 default:
2492 error = file_has_perm(current, file, FILE__IOCTL);
2493
2494 }
2495 return error;
2496}
2497
2498static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2499{
2500#ifndef CONFIG_PPC32
2501 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2502 /*
2503 * We are making executable an anonymous mapping or a
2504 * private file mapping that will also be writable.
2505 * This has an additional check.
2506 */
2507 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2508 if (rc)
2509 return rc;
2510 }
2511#endif
2512
2513 if (file) {
2514 /* read access is always possible with a mapping */
2515 u32 av = FILE__READ;
2516
2517 /* write access only matters if the mapping is shared */
2518 if (shared && (prot & PROT_WRITE))
2519 av |= FILE__WRITE;
2520
2521 if (prot & PROT_EXEC)
2522 av |= FILE__EXECUTE;
2523
2524 return file_has_perm(current, file, av);
2525 }
2526 return 0;
2527}
2528
2529static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2530 unsigned long prot, unsigned long flags)
2531{
2532 int rc;
2533
2534 rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2535 if (rc)
2536 return rc;
2537
2538 if (selinux_checkreqprot)
2539 prot = reqprot;
2540
2541 return file_map_prot_check(file, prot,
2542 (flags & MAP_TYPE) == MAP_SHARED);
2543}
2544
2545static int selinux_file_mprotect(struct vm_area_struct *vma,
2546 unsigned long reqprot,
2547 unsigned long prot)
2548{
2549 int rc;
2550
2551 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2552 if (rc)
2553 return rc;
2554
2555 if (selinux_checkreqprot)
2556 prot = reqprot;
2557
2558#ifndef CONFIG_PPC32
db4c9641
SS		 2559 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2560 rc = 0;
2561 if (vma->vm_start >= vma->vm_mm->start_brk &&
2562 vma->vm_end <= vma->vm_mm->brk) {
2563 rc = task_has_perm(current, current,
2564 PROCESS__EXECHEAP);
2565 } else if (!vma->vm_file &&
2566 vma->vm_start <= vma->vm_mm->start_stack &&
2567 vma->vm_end >= vma->vm_mm->start_stack) {
2568 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2569 } else if (vma->vm_file && vma->anon_vma) {
2570 /*
2571 * We are making executable a file mapping that has
2572 * had some COW done. Since pages might have been
2573 * written, check ability to execute the possibly
2574 * modified content. This typically should only
2575 * occur for text relocations.
2576 */
2577 rc = file_has_perm(current, vma->vm_file,
2578 FILE__EXECMOD);
2579 }