]> bbs.cooldavid.org Git - net-next-2.6.git/blame - security/selinux/hooks.c
git://bbs.cooldavid.org / net-next-2.6.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge branch 'upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/ralf/upstrea...
[net-next-2.6.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
effad8df
PM		 15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com>
788e7dd4
YN		 17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 19 *
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
23 */
24
1da177e4
LT		 25#include <linux/init.h>
26#include <linux/kernel.h>
27#include <linux/ptrace.h>
28#include <linux/errno.h>
29#include <linux/sched.h>
30#include <linux/security.h>
31#include <linux/xattr.h>
32#include <linux/capability.h>
33#include <linux/unistd.h>
34#include <linux/mm.h>
35#include <linux/mman.h>
36#include <linux/slab.h>
37#include <linux/pagemap.h>
38#include <linux/swap.h>
1da177e4
LT		 39#include <linux/spinlock.h>
40#include <linux/syscalls.h>
41#include <linux/file.h>
42#include <linux/namei.h>
43#include <linux/mount.h>
44#include <linux/ext2_fs.h>
45#include <linux/proc_fs.h>
46#include <linux/kd.h>
47#include <linux/netfilter_ipv4.h>
48#include <linux/netfilter_ipv6.h>
49#include <linux/tty.h>
50#include <net/icmp.h>
227b60f5 51#include <net/ip.h> /* for local_port_range[] */
1da177e4 52#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
220deb96 53#include <net/net_namespace.h>
d621d35e 54#include <net/netlabel.h>
1da177e4 55#include <asm/uaccess.h>
1da177e4 56#include <asm/ioctls.h>
d621d35e 57#include <asm/atomic.h>
1da177e4
LT		 58#include <linux/bitops.h>
59#include <linux/interrupt.h>
60#include <linux/netdevice.h> /* for network interface checks */
61#include <linux/netlink.h>
62#include <linux/tcp.h>
63#include <linux/udp.h>
2ee92d46 64#include <linux/dccp.h>
1da177e4
LT		 65#include <linux/quota.h>
66#include <linux/un.h> /* for Unix socket types */
67#include <net/af_unix.h> /* for Unix socket types */
68#include <linux/parser.h>
69#include <linux/nfs_mount.h>
70#include <net/ipv6.h>
71#include <linux/hugetlb.h>
72#include <linux/personality.h>
73#include <linux/sysctl.h>
74#include <linux/audit.h>
6931dfc9 75#include <linux/string.h>
877ce7c1 76#include <linux/selinux.h>
23970741 77#include <linux/mutex.h>
1da177e4
LT		 78
79#include "avc.h"
80#include "objsec.h"
81#include "netif.h"
224dfbd8 82#include "netnode.h"
d28d1e08 83#include "xfrm.h"
c60475bf 84#include "netlabel.h"
1da177e4
LT		 85
86#define XATTR_SELINUX_SUFFIX "selinux"
87#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
88
c9180a57
EP		 89#define NUM_SEL_MNT_OPTS 4
90
1da177e4
LT		 91extern unsigned int policydb_loaded_version;
92extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
4e5ab4cb 93extern int selinux_compat_net;
20510f2f 94extern struct security_operations *security_ops;
1da177e4 95
d621d35e
PM		 96/* SECMARK reference count */
97atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
98
1da177e4
LT		 99#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100int selinux_enforcing = 0;
101
102static int __init enforcing_setup(char *str)
103{
104 selinux_enforcing = simple_strtol(str,NULL,0);
105 return 1;
106}
107__setup("enforcing=", enforcing_setup);
108#endif
109
110#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
112
113static int __init selinux_enabled_setup(char *str)
114{
115 selinux_enabled = simple_strtol(str, NULL, 0);
116 return 1;
117}
118__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 119#else
120int selinux_enabled = 1;
1da177e4
LT		 121#endif
122
123/* Original (dummy) security module. */
124static struct security_operations *original_ops = NULL;
125
126/* Minimal support for a secondary security module,
127 just to allow the use of the dummy or capability modules.
128 The owlsm module can alternatively be used as a secondary
129 module as long as CONFIG_OWLSM_FD is not enabled. */
130static struct security_operations *secondary_ops = NULL;
131
132/* Lists of inode and superblock security structures initialized
133 before the policy was loaded. */
134static LIST_HEAD(superblock_security_head);
135static DEFINE_SPINLOCK(sb_security_lock);
136
e18b890b 137static struct kmem_cache *sel_inode_cache;
7cae7e26 138
d621d35e
PM		 139/**
140 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
141 *
142 * Description:
143 * This function checks the SECMARK reference counter to see if any SECMARK
144 * targets are currently configured, if the reference counter is greater than
145 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
146 * enabled, false (0) if SECMARK is disabled.
147 *
148 */
149static int selinux_secmark_enabled(void)
150{
151 return (atomic_read(&selinux_secmark_refcount) > 0);
152}
153
1da177e4
LT		 154/* Allocate and free functions for each kind of security blob. */
155
156static int task_alloc_security(struct task_struct *task)
157{
158 struct task_security_struct *tsec;
159
89d155ef 160 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4
LT		 161 if (!tsec)
162 return -ENOMEM;
163
1da177e4
LT		 164 tsec->task = task;
165 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
166 task->security = tsec;
167
168 return 0;
169}
170
171static void task_free_security(struct task_struct *task)
172{
173 struct task_security_struct *tsec = task->security;
1da177e4
LT		 174 task->security = NULL;
175 kfree(tsec);
176}
177
178static int inode_alloc_security(struct inode *inode)
179{
180 struct task_security_struct *tsec = current->security;
181 struct inode_security_struct *isec;
182
a02fe132 183 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 184 if (!isec)
185 return -ENOMEM;
186
23970741 187 mutex_init(&isec->lock);
1da177e4 188 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 189 isec->inode = inode;
190 isec->sid = SECINITSID_UNLABELED;
191 isec->sclass = SECCLASS_FILE;
9ac49d22 192 isec->task_sid = tsec->sid;
1da177e4
LT		 193 inode->i_security = isec;
194
195 return 0;
196}
197
198static void inode_free_security(struct inode *inode)
199{
200 struct inode_security_struct *isec = inode->i_security;
201 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
202
1da177e4
LT		 203 spin_lock(&sbsec->isec_lock);
204 if (!list_empty(&isec->list))
205 list_del_init(&isec->list);
206 spin_unlock(&sbsec->isec_lock);
207
208 inode->i_security = NULL;
7cae7e26 209 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 210}
211
212static int file_alloc_security(struct file *file)
213{
214 struct task_security_struct *tsec = current->security;
215 struct file_security_struct *fsec;
216
26d2a4be 217 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 218 if (!fsec)
219 return -ENOMEM;
220
1da177e4 221 fsec->file = file;
9ac49d22
SS		 222 fsec->sid = tsec->sid;
223 fsec->fown_sid = tsec->sid;
1da177e4
LT		 224 file->f_security = fsec;
225
226 return 0;
227}
228
229static void file_free_security(struct file *file)
230{
231 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 232 file->f_security = NULL;
233 kfree(fsec);
234}
235
236static int superblock_alloc_security(struct super_block *sb)
237{
238 struct superblock_security_struct *sbsec;
239
89d155ef 240 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 241 if (!sbsec)
242 return -ENOMEM;
243
bc7e982b 244 mutex_init(&sbsec->lock);
1da177e4
LT		 245 INIT_LIST_HEAD(&sbsec->list);
246 INIT_LIST_HEAD(&sbsec->isec_head);
247 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 248 sbsec->sb = sb;
249 sbsec->sid = SECINITSID_UNLABELED;
250 sbsec->def_sid = SECINITSID_FILE;
c312feb2 251 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 252 sb->s_security = sbsec;
253
254 return 0;
255}
256
257static void superblock_free_security(struct super_block *sb)
258{
259 struct superblock_security_struct *sbsec = sb->s_security;
260
1da177e4
LT		 261 spin_lock(&sb_security_lock);
262 if (!list_empty(&sbsec->list))
263 list_del_init(&sbsec->list);
264 spin_unlock(&sb_security_lock);
265
266 sb->s_security = NULL;
267 kfree(sbsec);
268}
269
7d877f3b 270static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4
LT		 271{
272 struct sk_security_struct *ssec;
273
89d155ef 274 ssec = kzalloc(sizeof(*ssec), priority);
1da177e4
LT		 275 if (!ssec)
276 return -ENOMEM;
277
1da177e4
LT		 278 ssec->sk = sk;
279 ssec->peer_sid = SECINITSID_UNLABELED;
892c141e 280 ssec->sid = SECINITSID_UNLABELED;
1da177e4
LT		 281 sk->sk_security = ssec;
282
99f59ed0
PM		 283 selinux_netlbl_sk_security_init(ssec, family);
284
1da177e4
LT		 285 return 0;
286}
287
288static void sk_free_security(struct sock *sk)
289{
290 struct sk_security_struct *ssec = sk->sk_security;
291
1da177e4
LT		 292 sk->sk_security = NULL;
293 kfree(ssec);
294}
1da177e4
LT		 295
296/* The security server must be initialized before
297 any labeling or access decisions can be provided. */
298extern int ss_initialized;
299
300/* The file system's label must be initialized prior to use. */
301
302static char *labeling_behaviors[6] = {
303 "uses xattr",
304 "uses transition SIDs",
305 "uses task SIDs",
306 "uses genfs_contexts",
307 "not configured for labeling",
308 "uses mountpoint labeling",
309};
310
311static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
312
313static inline int inode_doinit(struct inode *inode)
314{
315 return inode_doinit_with_dentry(inode, NULL);
316}
317
318enum {
31e87930 319 Opt_error = -1,
1da177e4
LT		 320 Opt_context = 1,
321 Opt_fscontext = 2,
c9180a57
EP		 322 Opt_defcontext = 3,
323 Opt_rootcontext = 4,
1da177e4
LT		 324};
325
326static match_table_t tokens = {
327 {Opt_context, "context=%s"},
328 {Opt_fscontext, "fscontext=%s"},
329 {Opt_defcontext, "defcontext=%s"},
0808925e 330 {Opt_rootcontext, "rootcontext=%s"},
31e87930 331 {Opt_error, NULL},
1da177e4
LT		 332};
333
334#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
335
c312feb2
EP		 336static int may_context_mount_sb_relabel(u32 sid,
337 struct superblock_security_struct *sbsec,
338 struct task_security_struct *tsec)
339{
340 int rc;
341
342 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
343 FILESYSTEM__RELABELFROM, NULL);
344 if (rc)
345 return rc;
346
347 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
348 FILESYSTEM__RELABELTO, NULL);
349 return rc;
350}
351
0808925e
EP		 352static int may_context_mount_inode_relabel(u32 sid,
353 struct superblock_security_struct *sbsec,
354 struct task_security_struct *tsec)
355{
356 int rc;
357 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358 FILESYSTEM__RELABELFROM, NULL);
359 if (rc)
360 return rc;
361
362 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
363 FILESYSTEM__ASSOCIATE, NULL);
364 return rc;
365}
366
c9180a57 367static int sb_finish_set_opts(struct super_block *sb)
1da177e4 368{
1da177e4 369 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 370 struct dentry *root = sb->s_root;
371 struct inode *root_inode = root->d_inode;
372 int rc = 0;
1da177e4 373
c9180a57
EP		 374 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
375 /* Make sure that the xattr handler exists and that no
376 error other than -ENODATA is returned by getxattr on
377 the root directory. -ENODATA is ok, as this may be
378 the first boot of the SELinux kernel before we have
379 assigned xattr values to the filesystem. */
380 if (!root_inode->i_op->getxattr) {
381 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
382 "xattr support\n", sb->s_id, sb->s_type->name);
383 rc = -EOPNOTSUPP;
384 goto out;
385 }
386 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
387 if (rc < 0 && rc != -ENODATA) {
388 if (rc == -EOPNOTSUPP)
389 printk(KERN_WARNING "SELinux: (dev %s, type "
390 "%s) has no security xattr handler\n",
391 sb->s_id, sb->s_type->name);
392 else
393 printk(KERN_WARNING "SELinux: (dev %s, type "
394 "%s) getxattr errno %d\n", sb->s_id,
395 sb->s_type->name, -rc);
396 goto out;
397 }
398 }
1da177e4 399
c9180a57 400 sbsec->initialized = 1;
1da177e4 401
c9180a57
EP		 402 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
404 sb->s_id, sb->s_type->name);
405 else
406 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
407 sb->s_id, sb->s_type->name,
408 labeling_behaviors[sbsec->behavior-1]);
1da177e4 409
c9180a57
EP		 410 /* Initialize the root inode. */
411 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 412
c9180a57
EP		 413 /* Initialize any other inodes associated with the superblock, e.g.
414 inodes created prior to initial policy load or inodes created
415 during get_sb by a pseudo filesystem that directly
416 populates itself. */
417 spin_lock(&sbsec->isec_lock);
418next_inode:
419 if (!list_empty(&sbsec->isec_head)) {
420 struct inode_security_struct *isec =
421 list_entry(sbsec->isec_head.next,
422 struct inode_security_struct, list);
423 struct inode *inode = isec->inode;
424 spin_unlock(&sbsec->isec_lock);
425 inode = igrab(inode);
426 if (inode) {
427 if (!IS_PRIVATE(inode))
428 inode_doinit(inode);
429 iput(inode);
430 }
431 spin_lock(&sbsec->isec_lock);
432 list_del_init(&isec->list);
433 goto next_inode;
434 }
435 spin_unlock(&sbsec->isec_lock);
436out:
437 return rc;
438}
1da177e4 439
c9180a57
EP		 440/*
441 * This function should allow an FS to ask what it's mount security
442 * options were so it can use those later for submounts, displaying
443 * mount options, or whatever.
444 */
445static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 446 struct security_mnt_opts *opts)
c9180a57
EP		 447{
448 int rc = 0, i;
449 struct superblock_security_struct *sbsec = sb->s_security;
450 char *context = NULL;
451 u32 len;
452 char tmp;
1da177e4 453
e0007529 454 security_init_mnt_opts(opts);
1da177e4 455
c9180a57
EP		 456 if (!sbsec->initialized)
457 return -EINVAL;
1da177e4 458
c9180a57
EP		 459 if (!ss_initialized)
460 return -EINVAL;
1da177e4 461
c9180a57
EP		 462 /*
463 * if we ever use sbsec flags for anything other than tracking mount
464 * settings this is going to need a mask
465 */
466 tmp = sbsec->flags;
467 /* count the number of mount options for this sb */
468 for (i = 0; i < 8; i++) {
469 if (tmp & 0x01)
e0007529 470 opts->num_mnt_opts++;
c9180a57
EP		 471 tmp >>= 1;
472 }
1da177e4 473
e0007529
EP		 474 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
475 if (!opts->mnt_opts) {
c9180a57
EP		 476 rc = -ENOMEM;
477 goto out_free;
478 }
1da177e4 479
e0007529
EP		 480 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
481 if (!opts->mnt_opts_flags) {
c9180a57
EP		 482 rc = -ENOMEM;
483 goto out_free;
484 }
1da177e4 485
c9180a57
EP		 486 i = 0;
487 if (sbsec->flags & FSCONTEXT_MNT) {
488 rc = security_sid_to_context(sbsec->sid, &context, &len);
489 if (rc)
490 goto out_free;
e0007529
EP		 491 opts->mnt_opts[i] = context;
492 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 493 }
494 if (sbsec->flags & CONTEXT_MNT) {
495 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
496 if (rc)
497 goto out_free;
e0007529
EP		 498 opts->mnt_opts[i] = context;
499 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 500 }
501 if (sbsec->flags & DEFCONTEXT_MNT) {
502 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
503 if (rc)
504 goto out_free;
e0007529
EP		 505 opts->mnt_opts[i] = context;
506 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 507 }
508 if (sbsec->flags & ROOTCONTEXT_MNT) {
509 struct inode *root = sbsec->sb->s_root->d_inode;
510 struct inode_security_struct *isec = root->i_security;
0808925e 511
c9180a57
EP		 512 rc = security_sid_to_context(isec->sid, &context, &len);
513 if (rc)
514 goto out_free;
e0007529
EP		 515 opts->mnt_opts[i] = context;
516 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 517 }
1da177e4 518
e0007529 519 BUG_ON(i != opts->num_mnt_opts);
1da177e4 520
c9180a57
EP		 521 return 0;
522
523out_free:
e0007529 524 security_free_mnt_opts(opts);
c9180a57
EP		 525 return rc;
526}
1da177e4 527
c9180a57
EP		 528static int bad_option(struct superblock_security_struct *sbsec, char flag,
529 u32 old_sid, u32 new_sid)
530{
531 /* check if the old mount command had the same options */
532 if (sbsec->initialized)
533 if (!(sbsec->flags & flag) ||
534 (old_sid != new_sid))
535 return 1;
536
537 /* check if we were passed the same options twice,
538 * aka someone passed context=a,context=b
539 */
540 if (!sbsec->initialized)
541 if (sbsec->flags & flag)
542 return 1;
543 return 0;
544}
e0007529 545
c9180a57
EP		 546/*
547 * Allow filesystems with binary mount data to explicitly set mount point
548 * labeling information.
549 */
e0007529
EP		 550static int selinux_set_mnt_opts(struct super_block *sb,
551 struct security_mnt_opts *opts)
c9180a57
EP		 552{
553 int rc = 0, i;
554 struct task_security_struct *tsec = current->security;
555 struct superblock_security_struct *sbsec = sb->s_security;
556 const char *name = sb->s_type->name;
557 struct inode *inode = sbsec->sb->s_root->d_inode;
558 struct inode_security_struct *root_isec = inode->i_security;
559 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
560 u32 defcontext_sid = 0;
e0007529
EP		 561 char **mount_options = opts->mnt_opts;
562 int *flags = opts->mnt_opts_flags;
563 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 564
565 mutex_lock(&sbsec->lock);
566
567 if (!ss_initialized) {
568 if (!num_opts) {
569 /* Defer initialization until selinux_complete_init,
570 after the initial policy is loaded and the security
571 server is ready to handle calls. */
572 spin_lock(&sb_security_lock);
573 if (list_empty(&sbsec->list))
574 list_add(&sbsec->list, &superblock_security_head);
575 spin_unlock(&sb_security_lock);
576 goto out;
577 }
578 rc = -EINVAL;
579 printk(KERN_WARNING "Unable to set superblock options before "
580 "the security server is initialized\n");
1da177e4 581 goto out;
c9180a57 582 }
1da177e4 583
e0007529
EP		 584 /*
585 * Binary mount data FS will come through this function twice. Once
586 * from an explicit call and once from the generic calls from the vfs.
587 * Since the generic VFS calls will not contain any security mount data
588 * we need to skip the double mount verification.
589 *
590 * This does open a hole in which we will not notice if the first
591 * mount using this sb set explict options and a second mount using
592 * this sb does not set any security options. (The first options
593 * will be used for both mounts)
594 */
595 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
596 && (num_opts == 0))
597 goto out;
598
c9180a57
EP		 599 /*
600 * parse the mount options, check if they are valid sids.
601 * also check if someone is trying to mount the same sb more
602 * than once with different security options.
603 */
604 for (i = 0; i < num_opts; i++) {
605 u32 sid;
606 rc = security_context_to_sid(mount_options[i],
607 strlen(mount_options[i]), &sid);
1da177e4
LT		 608 if (rc) {
609 printk(KERN_WARNING "SELinux: security_context_to_sid"
610 "(%s) failed for (dev %s, type %s) errno=%d\n",
c9180a57
EP		 611 mount_options[i], sb->s_id, name, rc);
612 goto out;
613 }
614 switch (flags[i]) {
615 case FSCONTEXT_MNT:
616 fscontext_sid = sid;
617
618 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
619 fscontext_sid))
620 goto out_double_mount;
621
622 sbsec->flags |= FSCONTEXT_MNT;
623 break;
624 case CONTEXT_MNT:
625 context_sid = sid;
626
627 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
628 context_sid))
629 goto out_double_mount;
630
631 sbsec->flags |= CONTEXT_MNT;
632 break;
633 case ROOTCONTEXT_MNT:
634 rootcontext_sid = sid;
635
636 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
637 rootcontext_sid))
638 goto out_double_mount;
639
640 sbsec->flags |= ROOTCONTEXT_MNT;
641
642 break;
643 case DEFCONTEXT_MNT:
644 defcontext_sid = sid;
645
646 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
647 defcontext_sid))
648 goto out_double_mount;
649
650 sbsec->flags |= DEFCONTEXT_MNT;
651
652 break;
653 default:
654 rc = -EINVAL;
655 goto out;
1da177e4 656 }
c9180a57
EP		 657 }
658
659 if (sbsec->initialized) {
660 /* previously mounted with options, but not on this attempt? */
661 if (sbsec->flags && !num_opts)
662 goto out_double_mount;
663 rc = 0;
664 goto out;
665 }
666
667 if (strcmp(sb->s_type->name, "proc") == 0)
668 sbsec->proc = 1;
669
670 /* Determine the labeling behavior to use for this filesystem type. */
671 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
672 if (rc) {
673 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
674 __FUNCTION__, sb->s_type->name, rc);
675 goto out;
676 }
1da177e4 677
c9180a57
EP		 678 /* sets the context of the superblock for the fs being mounted. */
679 if (fscontext_sid) {
680
681 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
1da177e4 682 if (rc)
c9180a57 683 goto out;
1da177e4 684
c9180a57 685 sbsec->sid = fscontext_sid;
c312feb2
EP		 686 }
687
688 /*
689 * Switch to using mount point labeling behavior.
690 * sets the label used on all file below the mountpoint, and will set
691 * the superblock context if not already set.
692 */
c9180a57
EP		 693 if (context_sid) {
694 if (!fscontext_sid) {
695 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
b04ea3ce 696 if (rc)
c9180a57
EP		 697 goto out;
698 sbsec->sid = context_sid;
b04ea3ce 699 } else {
c9180a57 700 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
b04ea3ce 701 if (rc)
c9180a57 702 goto out;
b04ea3ce 703 }
c9180a57
EP		 704 if (!rootcontext_sid)
705 rootcontext_sid = context_sid;
1da177e4 706
c9180a57 707 sbsec->mntpoint_sid = context_sid;
c312feb2 708 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 709 }
710
c9180a57
EP		 711 if (rootcontext_sid) {
712 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
0808925e 713 if (rc)
c9180a57 714 goto out;
0808925e 715
c9180a57
EP		 716 root_isec->sid = rootcontext_sid;
717 root_isec->initialized = 1;
0808925e
EP		 718 }
719
c9180a57
EP		 720 if (defcontext_sid) {
721 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
722 rc = -EINVAL;
723 printk(KERN_WARNING "SELinux: defcontext option is "
724 "invalid for this filesystem type\n");
725 goto out;
1da177e4
LT		 726 }
727
c9180a57
EP		 728 if (defcontext_sid != sbsec->def_sid) {
729 rc = may_context_mount_inode_relabel(defcontext_sid,
730 sbsec, tsec);
731 if (rc)
732 goto out;
733 }
1da177e4 734
c9180a57 735 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 736 }
737
c9180a57 738 rc = sb_finish_set_opts(sb);
1da177e4 739out:
c9180a57 740 mutex_unlock(&sbsec->lock);
1da177e4 741 return rc;
c9180a57
EP		 742out_double_mount:
743 rc = -EINVAL;
744 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
745 "security settings for (dev %s, type %s)\n", sb->s_id, name);
746 goto out;
1da177e4
LT		 747}
748
c9180a57
EP		 749static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
750 struct super_block *newsb)
1da177e4 751{
c9180a57
EP		 752 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
753 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 754
c9180a57
EP		 755 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
756 int set_context = (oldsbsec->flags & CONTEXT_MNT);
757 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 758
c9180a57
EP		 759 /* we can't error, we can't save the info, this shouldn't get called
760 * this early in the boot process. */
761 BUG_ON(!ss_initialized);
762
763 /* this might go away sometime down the line if there is a new user
764 * of clone, but for now, nfs better not get here... */
765 BUG_ON(newsbsec->initialized);
766
767 /* how can we clone if the old one wasn't set up?? */
768 BUG_ON(!oldsbsec->initialized);
769
770 mutex_lock(&newsbsec->lock);
771
772 newsbsec->flags = oldsbsec->flags;
773
774 newsbsec->sid = oldsbsec->sid;
775 newsbsec->def_sid = oldsbsec->def_sid;
776 newsbsec->behavior = oldsbsec->behavior;
777
778 if (set_context) {
779 u32 sid = oldsbsec->mntpoint_sid;
780
781 if (!set_fscontext)
782 newsbsec->sid = sid;
783 if (!set_rootcontext) {
784 struct inode *newinode = newsb->s_root->d_inode;
785 struct inode_security_struct *newisec = newinode->i_security;
786 newisec->sid = sid;
787 }
788 newsbsec->mntpoint_sid = sid;
1da177e4 789 }
c9180a57
EP		 790 if (set_rootcontext) {
791 const struct inode *oldinode = oldsb->s_root->d_inode;
792 const struct inode_security_struct *oldisec = oldinode->i_security;
793 struct inode *newinode = newsb->s_root->d_inode;
794 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 795
c9180a57 796 newisec->sid = oldisec->sid;
1da177e4
LT		 797 }
798
c9180a57
EP		 799 sb_finish_set_opts(newsb);
800 mutex_unlock(&newsbsec->lock);
801}
802
2e1479d9
AB		 803static int selinux_parse_opts_str(char *options,
804 struct security_mnt_opts *opts)
c9180a57 805{
e0007529 806 char *p;
c9180a57
EP		 807 char *context = NULL, *defcontext = NULL;
808 char *fscontext = NULL, *rootcontext = NULL;
e0007529 809 int rc, num_mnt_opts = 0;
1da177e4 810
e0007529 811 opts->num_mnt_opts = 0;
1da177e4 812
c9180a57
EP		 813 /* Standard string-based options. */
814 while ((p = strsep(&options, "|")) != NULL) {
815 int token;
816 substring_t args[MAX_OPT_ARGS];
1da177e4 817
c9180a57
EP		 818 if (!*p)
819 continue;
1da177e4 820
c9180a57 821 token = match_token(p, tokens, args);
1da177e4 822
c9180a57
EP		 823 switch (token) {
824 case Opt_context:
825 if (context || defcontext) {
826 rc = -EINVAL;
827 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
828 goto out_err;
829 }
830 context = match_strdup(&args[0]);
831 if (!context) {
832 rc = -ENOMEM;
833 goto out_err;
834 }
835 break;
836
837 case Opt_fscontext:
838 if (fscontext) {
839 rc = -EINVAL;
840 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
841 goto out_err;
842 }
843 fscontext = match_strdup(&args[0]);
844 if (!fscontext) {
845 rc = -ENOMEM;
846 goto out_err;
847 }
848 break;
849
850 case Opt_rootcontext:
851 if (rootcontext) {
852 rc = -EINVAL;
853 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
854 goto out_err;
855 }
856 rootcontext = match_strdup(&args[0]);
857 if (!rootcontext) {
858 rc = -ENOMEM;
859 goto out_err;
860 }
861 break;
862
863 case Opt_defcontext:
864 if (context || defcontext) {
865 rc = -EINVAL;
866 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
867 goto out_err;
868 }
869 defcontext = match_strdup(&args[0]);
870 if (!defcontext) {
871 rc = -ENOMEM;
872 goto out_err;
873 }
874 break;
875
876 default:
877 rc = -EINVAL;
878 printk(KERN_WARNING "SELinux: unknown mount option\n");
879 goto out_err;
1da177e4 880
1da177e4 881 }
1da177e4 882 }
c9180a57 883
e0007529
EP		 884 rc = -ENOMEM;
885 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
886 if (!opts->mnt_opts)
887 goto out_err;
888
889 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
890 if (!opts->mnt_opts_flags) {
891 kfree(opts->mnt_opts);
892 goto out_err;
893 }
894
c9180a57 895 if (fscontext) {
e0007529
EP		 896 opts->mnt_opts[num_mnt_opts] = fscontext;
897 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 898 }
899 if (context) {
e0007529
EP		 900 opts->mnt_opts[num_mnt_opts] = context;
901 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 902 }
903 if (rootcontext) {
e0007529
EP		 904 opts->mnt_opts[num_mnt_opts] = rootcontext;
905 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 906 }
907 if (defcontext) {
e0007529
EP		 908 opts->mnt_opts[num_mnt_opts] = defcontext;
909 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 910 }
911
e0007529
EP		 912 opts->num_mnt_opts = num_mnt_opts;
913 return 0;
914
c9180a57
EP		 915out_err:
916 kfree(context);
917 kfree(defcontext);
918 kfree(fscontext);
919 kfree(rootcontext);
1da177e4
LT		 920 return rc;
921}
e0007529
EP		 922/*
923 * string mount options parsing and call set the sbsec
924 */
925static int superblock_doinit(struct super_block *sb, void *data)
926{
927 int rc = 0;
928 char *options = data;
929 struct security_mnt_opts opts;
930
931 security_init_mnt_opts(&opts);
932
933 if (!data)
934 goto out;
935
936 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
937
938 rc = selinux_parse_opts_str(options, &opts);
939 if (rc)
940 goto out_err;
941
942out:
943 rc = selinux_set_mnt_opts(sb, &opts);
944
945out_err:
946 security_free_mnt_opts(&opts);
947 return rc;
948}
1da177e4
LT		 949
950static inline u16 inode_mode_to_security_class(umode_t mode)
951{
952 switch (mode & S_IFMT) {
953 case S_IFSOCK:
954 return SECCLASS_SOCK_FILE;
955 case S_IFLNK:
956 return SECCLASS_LNK_FILE;
957 case S_IFREG:
958 return SECCLASS_FILE;
959 case S_IFBLK:
960 return SECCLASS_BLK_FILE;
961 case S_IFDIR:
962 return SECCLASS_DIR;
963 case S_IFCHR:
964 return SECCLASS_CHR_FILE;
965 case S_IFIFO:
966 return SECCLASS_FIFO_FILE;
967
968 }
969
970 return SECCLASS_FILE;
971}
972
13402580
JM		 973static inline int default_protocol_stream(int protocol)
974{
975 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
976}
977
978static inline int default_protocol_dgram(int protocol)
979{
980 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
981}
982
1da177e4
LT		 983static inline u16 socket_type_to_security_class(int family, int type, int protocol)
984{
985 switch (family) {
986 case PF_UNIX:
987 switch (type) {
988 case SOCK_STREAM:
989 case SOCK_SEQPACKET:
990 return SECCLASS_UNIX_STREAM_SOCKET;
991 case SOCK_DGRAM:
992 return SECCLASS_UNIX_DGRAM_SOCKET;
993 }
994 break;
995 case PF_INET:
996 case PF_INET6:
997 switch (type) {
998 case SOCK_STREAM:
13402580
JM		 999 if (default_protocol_stream(protocol))
1000 return SECCLASS_TCP_SOCKET;
1001 else
1002 return SECCLASS_RAWIP_SOCKET;
1da177e4 1003 case SOCK_DGRAM:
13402580
JM		 1004 if (default_protocol_dgram(protocol))
1005 return SECCLASS_UDP_SOCKET;
1006 else
1007 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1008 case SOCK_DCCP:
1009 return SECCLASS_DCCP_SOCKET;
13402580 1010 default:
1da177e4
LT		 1011 return SECCLASS_RAWIP_SOCKET;
1012 }
1013 break;
1014 case PF_NETLINK:
1015 switch (protocol) {
1016 case NETLINK_ROUTE:
1017 return SECCLASS_NETLINK_ROUTE_SOCKET;
1018 case NETLINK_FIREWALL:
1019 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 1020 case NETLINK_INET_DIAG:
1da177e4
LT		 1021 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1022 case NETLINK_NFLOG:
1023 return SECCLASS_NETLINK_NFLOG_SOCKET;
1024 case NETLINK_XFRM:
1025 return SECCLASS_NETLINK_XFRM_SOCKET;
1026 case NETLINK_SELINUX:
1027 return SECCLASS_NETLINK_SELINUX_SOCKET;
1028 case NETLINK_AUDIT:
1029 return SECCLASS_NETLINK_AUDIT_SOCKET;
1030 case NETLINK_IP6_FW:
1031 return SECCLASS_NETLINK_IP6FW_SOCKET;
1032 case NETLINK_DNRTMSG:
1033 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1034 case NETLINK_KOBJECT_UEVENT:
1035 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1036 default:
1037 return SECCLASS_NETLINK_SOCKET;
1038 }
1039 case PF_PACKET:
1040 return SECCLASS_PACKET_SOCKET;
1041 case PF_KEY:
1042 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1043 case PF_APPLETALK:
1044 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1045 }
1046
1047 return SECCLASS_SOCKET;
1048}
1049
1050#ifdef CONFIG_PROC_FS
1051static int selinux_proc_get_sid(struct proc_dir_entry *de,
1052 u16 tclass,
1053 u32 *sid)
1054{
1055 int buflen, rc;
1056 char *buffer, *path, *end;
1057
1058 buffer = (char*)__get_free_page(GFP_KERNEL);
1059 if (!buffer)
1060 return -ENOMEM;
1061
1062 buflen = PAGE_SIZE;
1063 end = buffer+buflen;
1064 *--end = '\0';
1065 buflen--;
1066 path = end-1;
1067 *path = '/';
1068 while (de && de != de->parent) {
1069 buflen -= de->namelen + 1;
1070 if (buflen < 0)
1071 break;
1072 end -= de->namelen;
1073 memcpy(end, de->name, de->namelen);
1074 *--end = '/';
1075 path = end;
1076 de = de->parent;
1077 }
1078 rc = security_genfs_sid("proc", path, tclass, sid);
1079 free_page((unsigned long)buffer);
1080 return rc;
1081}
1082#else
1083static int selinux_proc_get_sid(struct proc_dir_entry *de,
1084 u16 tclass,
1085 u32 *sid)
1086{
1087 return -EINVAL;
1088}
1089#endif
1090
1091/* The inode's security attributes must be initialized before first use. */
1092static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1093{
1094 struct superblock_security_struct *sbsec = NULL;
1095 struct inode_security_struct *isec = inode->i_security;
1096 u32 sid;
1097 struct dentry *dentry;
1098#define INITCONTEXTLEN 255
1099 char *context = NULL;
1100 unsigned len = 0;
1101 int rc = 0;
1da177e4
LT		 1102
1103 if (isec->initialized)
1104 goto out;
1105
23970741 1106 mutex_lock(&isec->lock);
1da177e4 1107 if (isec->initialized)
23970741 1108 goto out_unlock;
1da177e4
LT		 1109
1110 sbsec = inode->i_sb->s_security;
1111 if (!sbsec->initialized) {
1112 /* Defer initialization until selinux_complete_init,
1113 after the initial policy is loaded and the security
1114 server is ready to handle calls. */
1115 spin_lock(&sbsec->isec_lock);
1116 if (list_empty(&isec->list))
1117 list_add(&isec->list, &sbsec->isec_head);
1118 spin_unlock(&sbsec->isec_lock);
23970741 1119 goto out_unlock;
1da177e4
LT		 1120 }
1121
1122 switch (sbsec->behavior) {
1123 case SECURITY_FS_USE_XATTR:
1124 if (!inode->i_op->getxattr) {
1125 isec->sid = sbsec->def_sid;
1126 break;
1127 }
1128
1129 /* Need a dentry, since the xattr API requires one.
1130 Life would be simpler if we could just pass the inode. */
1131 if (opt_dentry) {
1132 /* Called from d_instantiate or d_splice_alias. */
1133 dentry = dget(opt_dentry);
1134 } else {
1135 /* Called from selinux_complete_init, try to find a dentry. */
1136 dentry = d_find_alias(inode);
1137 }
1138 if (!dentry) {
1139 printk(KERN_WARNING "%s: no dentry for dev=%s "
1140 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1141 inode->i_ino);
23970741 1142 goto out_unlock;
1da177e4
LT		 1143 }
1144
1145 len = INITCONTEXTLEN;
1146 context = kmalloc(len, GFP_KERNEL);
1147 if (!context) {
1148 rc = -ENOMEM;
1149 dput(dentry);
23970741 1150 goto out_unlock;
1da177e4
LT		 1151 }
1152 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1153 context, len);
1154 if (rc == -ERANGE) {
1155 /* Need a larger buffer. Query for the right size. */
1156 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1157 NULL, 0);
1158 if (rc < 0) {
1159 dput(dentry);
23970741 1160 goto out_unlock;
1da177e4
LT		 1161 }
1162 kfree(context);
1163 len = rc;
1164 context = kmalloc(len, GFP_KERNEL);
1165 if (!context) {
1166 rc = -ENOMEM;
1167 dput(dentry);
23970741 1168 goto out_unlock;
1da177e4
LT		 1169 }
1170 rc = inode->i_op->getxattr(dentry,
1171 XATTR_NAME_SELINUX,
1172 context, len);
1173 }
1174 dput(dentry);
1175 if (rc < 0) {
1176 if (rc != -ENODATA) {
1177 printk(KERN_WARNING "%s: getxattr returned "
1178 "%d for dev=%s ino=%ld\n", __FUNCTION__,
1179 -rc, inode->i_sb->s_id, inode->i_ino);
1180 kfree(context);
23970741 1181 goto out_unlock;
1da177e4
LT		 1182 }
1183 /* Map ENODATA to the default file SID */
1184 sid = sbsec->def_sid;
1185 rc = 0;
1186 } else {
f5c1d5b2
JM		 1187 rc = security_context_to_sid_default(context, rc, &sid,
1188 sbsec->def_sid);
1da177e4
LT		 1189 if (rc) {
1190 printk(KERN_WARNING "%s: context_to_sid(%s) "
1191 "returned %d for dev=%s ino=%ld\n",
1192 __FUNCTION__, context, -rc,
1193 inode->i_sb->s_id, inode->i_ino);
1194 kfree(context);
1195 /* Leave with the unlabeled SID */
1196 rc = 0;
1197 break;
1198 }
1199 }
1200 kfree(context);
1201 isec->sid = sid;
1202 break;
1203 case SECURITY_FS_USE_TASK:
1204 isec->sid = isec->task_sid;
1205 break;
1206 case SECURITY_FS_USE_TRANS:
1207 /* Default to the fs SID. */
1208 isec->sid = sbsec->sid;
1209
1210 /* Try to obtain a transition SID. */
1211 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1212 rc = security_transition_sid(isec->task_sid,
1213 sbsec->sid,
1214 isec->sclass,
1215 &sid);
1216 if (rc)
23970741 1217 goto out_unlock;
1da177e4
LT		 1218 isec->sid = sid;
1219 break;
c312feb2
EP		 1220 case SECURITY_FS_USE_MNTPOINT:
1221 isec->sid = sbsec->mntpoint_sid;
1222 break;
1da177e4 1223 default:
c312feb2 1224 /* Default to the fs superblock SID. */
1da177e4
LT		 1225 isec->sid = sbsec->sid;
1226
1227 if (sbsec->proc) {
1228 struct proc_inode *proci = PROC_I(inode);
1229 if (proci->pde) {
1230 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1231 rc = selinux_proc_get_sid(proci->pde,
1232 isec->sclass,
1233 &sid);
1234 if (rc)
23970741 1235 goto out_unlock;
1da177e4
LT		 1236 isec->sid = sid;
1237 }
1238 }
1239 break;
1240 }
1241
1242 isec->initialized = 1;
1243
23970741
EP		 1244out_unlock:
1245 mutex_unlock(&isec->lock);
1da177e4
LT		 1246out:
1247 if (isec->sclass == SECCLASS_FILE)
1248 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1249 return rc;
1250}
1251
1252/* Convert a Linux signal to an access vector. */
1253static inline u32 signal_to_av(int sig)
1254{
1255 u32 perm = 0;
1256
1257 switch (sig) {
1258 case SIGCHLD:
1259 /* Commonly granted from child to parent. */
1260 perm = PROCESS__SIGCHLD;
1261 break;
1262 case SIGKILL:
1263 /* Cannot be caught or ignored */
1264 perm = PROCESS__SIGKILL;
1265 break;
1266 case SIGSTOP:
1267 /* Cannot be caught or ignored */
1268 perm = PROCESS__SIGSTOP;
1269 break;
1270 default:
1271 /* All other signals. */
1272 perm = PROCESS__SIGNAL;
1273 break;
1274 }
1275
1276 return perm;
1277}
1278
1279/* Check permission betweeen a pair of tasks, e.g. signal checks,
1280 fork check, ptrace check, etc. */
1281static int task_has_perm(struct task_struct *tsk1,
1282 struct task_struct *tsk2,
1283 u32 perms)
1284{
1285 struct task_security_struct *tsec1, *tsec2;
1286
1287 tsec1 = tsk1->security;
1288 tsec2 = tsk2->security;
1289 return avc_has_perm(tsec1->sid, tsec2->sid,
1290 SECCLASS_PROCESS, perms, NULL);
1291}
1292
b68e418c
SS		 1293#if CAP_LAST_CAP > 63
1294#error Fix SELinux to handle capabilities > 63.
1295#endif
1296
1da177e4
LT		 1297/* Check whether a task is allowed to use a capability. */
1298static int task_has_capability(struct task_struct *tsk,
1299 int cap)
1300{
1301 struct task_security_struct *tsec;
1302 struct avc_audit_data ad;
b68e418c
SS		 1303 u16 sclass;
1304 u32 av = CAP_TO_MASK(cap);
1da177e4
LT		 1305
1306 tsec = tsk->security;
1307
1308 AVC_AUDIT_DATA_INIT(&ad,CAP);
1309 ad.tsk = tsk;
1310 ad.u.cap = cap;
1311
b68e418c
SS		 1312 switch (CAP_TO_INDEX(cap)) {
1313 case 0:
1314 sclass = SECCLASS_CAPABILITY;
1315 break;
1316 case 1:
1317 sclass = SECCLASS_CAPABILITY2;
1318 break;
1319 default:
1320 printk(KERN_ERR
1321 "SELinux: out of range capability %d\n", cap);
1322 BUG();
1323 }
1324 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1da177e4
LT		 1325}
1326
1327/* Check whether a task is allowed to use a system operation. */
1328static int task_has_system(struct task_struct *tsk,
1329 u32 perms)
1330{
1331 struct task_security_struct *tsec;
1332
1333 tsec = tsk->security;
1334
1335 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1336 SECCLASS_SYSTEM, perms, NULL);
1337}
1338
1339/* Check whether a task has a particular permission to an inode.
1340 The 'adp' parameter is optional and allows other audit
1341 data to be passed (e.g. the dentry). */
1342static int inode_has_perm(struct task_struct *tsk,
1343 struct inode *inode,
1344 u32 perms,
1345 struct avc_audit_data *adp)
1346{
1347 struct task_security_struct *tsec;
1348 struct inode_security_struct *isec;
1349 struct avc_audit_data ad;
1350
bbaca6c2
SS		 1351 if (unlikely (IS_PRIVATE (inode)))
1352 return 0;
1353
1da177e4
LT		 1354 tsec = tsk->security;
1355 isec = inode->i_security;
1356
1357 if (!adp) {
1358 adp = &ad;
1359 AVC_AUDIT_DATA_INIT(&ad, FS);
1360 ad.u.fs.inode = inode;
1361 }
1362
1363 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1364}
1365
1366/* Same as inode_has_perm, but pass explicit audit data containing
1367 the dentry to help the auditing code to more easily generate the
1368 pathname if needed. */
1369static inline int dentry_has_perm(struct task_struct *tsk,
1370 struct vfsmount *mnt,
1371 struct dentry *dentry,
1372 u32 av)
1373{
1374 struct inode *inode = dentry->d_inode;
1375 struct avc_audit_data ad;
1376 AVC_AUDIT_DATA_INIT(&ad,FS);
44707fdf
JB		 1377 ad.u.fs.path.mnt = mnt;
1378 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1379 return inode_has_perm(tsk, inode, av, &ad);
1380}
1381
1382/* Check whether a task can use an open file descriptor to
1383 access an inode in a given way. Check access to the
1384 descriptor itself, and then use dentry_has_perm to
1385 check a particular permission to the file.
1386 Access to the descriptor is implicitly granted if it
1387 has the same SID as the process. If av is zero, then
1388 access to the file is not checked, e.g. for cases
1389 where only the descriptor is affected like seek. */
858119e1 1390static int file_has_perm(struct task_struct *tsk,
1da177e4
LT		 1391 struct file *file,
1392 u32 av)
1393{
1394 struct task_security_struct *tsec = tsk->security;
1395 struct file_security_struct *fsec = file->f_security;
44707fdf 1396 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 1397 struct avc_audit_data ad;
1398 int rc;
1399
1400 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1401 ad.u.fs.path = file->f_path;
1da177e4
LT		 1402
1403 if (tsec->sid != fsec->sid) {
1404 rc = avc_has_perm(tsec->sid, fsec->sid,
1405 SECCLASS_FD,
1406 FD__USE,
1407 &ad);
1408 if (rc)
1409 return rc;
1410 }
1411
1412 /* av is zero if only checking access to the descriptor. */
1413 if (av)
1414 return inode_has_perm(tsk, inode, av, &ad);
1415
1416 return 0;
1417}
1418
1419/* Check whether a task can create a file. */
1420static int may_create(struct inode *dir,
1421 struct dentry *dentry,
1422 u16 tclass)
1423{
1424 struct task_security_struct *tsec;
1425 struct inode_security_struct *dsec;
1426 struct superblock_security_struct *sbsec;
1427 u32 newsid;
1428 struct avc_audit_data ad;
1429 int rc;
1430
1431 tsec = current->security;
1432 dsec = dir->i_security;
1433 sbsec = dir->i_sb->s_security;
1434
1435 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1436 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1437
1438 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1439 DIR__ADD_NAME | DIR__SEARCH,
1440 &ad);
1441 if (rc)
1442 return rc;
1443
1444 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1445 newsid = tsec->create_sid;
1446 } else {
1447 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1448 &newsid);
1449 if (rc)
1450 return rc;
1451 }
1452
1453 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1454 if (rc)
1455 return rc;
1456
1457 return avc_has_perm(newsid, sbsec->sid,
1458 SECCLASS_FILESYSTEM,
1459 FILESYSTEM__ASSOCIATE, &ad);
1460}
1461
4eb582cf
ML		 1462/* Check whether a task can create a key. */
1463static int may_create_key(u32 ksid,
1464 struct task_struct *ctx)
1465{
1466 struct task_security_struct *tsec;
1467
1468 tsec = ctx->security;
1469
1470 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1471}
1472
1da177e4
LT		 1473#define MAY_LINK 0
1474#define MAY_UNLINK 1
1475#define MAY_RMDIR 2
1476
1477/* Check whether a task can link, unlink, or rmdir a file/directory. */
1478static int may_link(struct inode *dir,
1479 struct dentry *dentry,
1480 int kind)
1481
1482{
1483 struct task_security_struct *tsec;
1484 struct inode_security_struct *dsec, *isec;
1485 struct avc_audit_data ad;
1486 u32 av;
1487 int rc;
1488
1489 tsec = current->security;
1490 dsec = dir->i_security;
1491 isec = dentry->d_inode->i_security;
1492
1493 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1494 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1495
1496 av = DIR__SEARCH;
1497 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1498 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1499 if (rc)
1500 return rc;
1501
1502 switch (kind) {
1503 case MAY_LINK:
1504 av = FILE__LINK;
1505 break;
1506 case MAY_UNLINK:
1507 av = FILE__UNLINK;
1508 break;
1509 case MAY_RMDIR:
1510 av = DIR__RMDIR;
1511 break;
1512 default:
1513 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1514 return 0;
1515 }
1516
1517 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1518 return rc;
1519}
1520
1521static inline int may_rename(struct inode *old_dir,
1522 struct dentry *old_dentry,
1523 struct inode *new_dir,
1524 struct dentry *new_dentry)
1525{
1526 struct task_security_struct *tsec;
1527 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1528 struct avc_audit_data ad;
1529 u32 av;
1530 int old_is_dir, new_is_dir;
1531 int rc;
1532
1533 tsec = current->security;
1534 old_dsec = old_dir->i_security;
1535 old_isec = old_dentry->d_inode->i_security;
1536 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1537 new_dsec = new_dir->i_security;
1538
1539 AVC_AUDIT_DATA_INIT(&ad, FS);
1540
44707fdf 1541 ad.u.fs.path.dentry = old_dentry;
1da177e4
LT		 1542 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1543 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1544 if (rc)
1545 return rc;
1546 rc = avc_has_perm(tsec->sid, old_isec->sid,
1547 old_isec->sclass, FILE__RENAME, &ad);
1548 if (rc)
1549 return rc;
1550 if (old_is_dir && new_dir != old_dir) {
1551 rc = avc_has_perm(tsec->sid, old_isec->sid,
1552 old_isec->sclass, DIR__REPARENT, &ad);
1553 if (rc)
1554 return rc;
1555 }
1556
44707fdf 1557 ad.u.fs.path.dentry = new_dentry;
1da177e4
LT		 1558 av = DIR__ADD_NAME | DIR__SEARCH;
1559 if (new_dentry->d_inode)
1560 av |= DIR__REMOVE_NAME;
1561 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1562 if (rc)
1563 return rc;
1564 if (new_dentry->d_inode) {
1565 new_isec = new_dentry->d_inode->i_security;
1566 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1567 rc = avc_has_perm(tsec->sid, new_isec->sid,
1568 new_isec->sclass,
1569 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1570 if (rc)
1571 return rc;
1572 }
1573
1574 return 0;
1575}
1576
1577/* Check whether a task can perform a filesystem operation. */
1578static int superblock_has_perm(struct task_struct *tsk,
1579 struct super_block *sb,
1580 u32 perms,
1581 struct avc_audit_data *ad)
1582{
1583 struct task_security_struct *tsec;
1584 struct superblock_security_struct *sbsec;
1585
1586 tsec = tsk->security;
1587 sbsec = sb->s_security;
1588 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1589 perms, ad);
1590}
1591
1592/* Convert a Linux mode and permission mask to an access vector. */
1593static inline u32 file_mask_to_av(int mode, int mask)
1594{
1595 u32 av = 0;
1596
1597 if ((mode & S_IFMT) != S_IFDIR) {
1598 if (mask & MAY_EXEC)
1599 av |= FILE__EXECUTE;
1600 if (mask & MAY_READ)
1601 av |= FILE__READ;
1602
1603 if (mask & MAY_APPEND)
1604 av |= FILE__APPEND;
1605 else if (mask & MAY_WRITE)
1606 av |= FILE__WRITE;
1607
1608 } else {
1609 if (mask & MAY_EXEC)
1610 av |= DIR__SEARCH;
1611 if (mask & MAY_WRITE)
1612 av |= DIR__WRITE;
1613 if (mask & MAY_READ)
1614 av |= DIR__READ;
1615 }
1616
1617 return av;
1618}
1619
1620/* Convert a Linux file to an access vector. */
1621static inline u32 file_to_av(struct file *file)
1622{
1623 u32 av = 0;
1624
1625 if (file->f_mode & FMODE_READ)
1626 av |= FILE__READ;
1627 if (file->f_mode & FMODE_WRITE) {
1628 if (file->f_flags & O_APPEND)
1629 av |= FILE__APPEND;
1630 else
1631 av |= FILE__WRITE;
1632 }
0794c66d
SS		 1633 if (!av) {
1634 /*
1635 * Special file opened with flags 3 for ioctl-only use.
1636 */
1637 av = FILE__IOCTL;
1638 }
1da177e4
LT		 1639
1640 return av;
1641}
1642
1da177e4
LT		 1643/* Hook functions begin here. */
1644
1645static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1646{
1647 struct task_security_struct *psec = parent->security;
1648 struct task_security_struct *csec = child->security;
1649 int rc;
1650
1651 rc = secondary_ops->ptrace(parent,child);
1652 if (rc)
1653 return rc;
1654
1655 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1656 /* Save the SID of the tracing process for later use in apply_creds. */
341c2d80 1657 if (!(child->ptrace & PT_PTRACED) && !rc)
1da177e4
LT		 1658 csec->ptrace_sid = psec->sid;
1659 return rc;
1660}
1661
1662static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1663 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1664{
1665 int error;
1666
1667 error = task_has_perm(current, target, PROCESS__GETCAP);
1668 if (error)
1669 return error;
1670
1671 return secondary_ops->capget(target, effective, inheritable, permitted);
1672}
1673
1674static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1675 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1676{
1677 int error;
1678
1679 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1680 if (error)
1681 return error;
1682
1683 return task_has_perm(current, target, PROCESS__SETCAP);
1684}
1685
1686static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1687 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1688{
1689 secondary_ops->capset_set(target, effective, inheritable, permitted);
1690}
1691
1692static int selinux_capable(struct task_struct *tsk, int cap)
1693{
1694 int rc;
1695
1696 rc = secondary_ops->capable(tsk, cap);
1697 if (rc)
1698 return rc;
1699
1700 return task_has_capability(tsk,cap);
1701}
1702
3fbfa981
EB		 1703static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1704{
1705 int buflen, rc;
1706 char *buffer, *path, *end;
1707
1708 rc = -ENOMEM;
1709 buffer = (char*)__get_free_page(GFP_KERNEL);
1710 if (!buffer)
1711 goto out;
1712
1713 buflen = PAGE_SIZE;
1714 end = buffer+buflen;
1715 *--end = '\0';
1716 buflen--;
1717 path = end-1;
1718 *path = '/';
1719 while (table) {
1720 const char *name = table->procname;
1721 size_t namelen = strlen(name);
1722 buflen -= namelen + 1;
1723 if (buflen < 0)
1724 goto out_free;
1725 end -= namelen;
1726 memcpy(end, name, namelen);
1727 *--end = '/';
1728 path = end;
1729 table = table->parent;
1730 }
b599fdfd
EB		 1731 buflen -= 4;
1732 if (buflen < 0)
1733 goto out_free;
1734 end -= 4;
1735 memcpy(end, "/sys", 4);
1736 path = end;
3fbfa981
EB		 1737 rc = security_genfs_sid("proc", path, tclass, sid);
1738out_free:
1739 free_page((unsigned long)buffer);
1740out:
1741 return rc;
1742}
1743
1da177e4
LT		 1744static int selinux_sysctl(ctl_table *table, int op)
1745{
1746 int error = 0;
1747 u32 av;
1748 struct task_security_struct *tsec;
1749 u32 tsid;
1750 int rc;
1751
1752 rc = secondary_ops->sysctl(table, op);
1753 if (rc)
1754 return rc;
1755
1756 tsec = current->security;
1757
3fbfa981
EB		 1758 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1759 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1da177e4
LT		 1760 if (rc) {
1761 /* Default to the well-defined sysctl SID. */
1762 tsid = SECINITSID_SYSCTL;
1763 }
1764
1765 /* The op values are "defined" in sysctl.c, thereby creating
1766 * a bad coupling between this module and sysctl.c */
1767 if(op == 001) {
1768 error = avc_has_perm(tsec->sid, tsid,
1769 SECCLASS_DIR, DIR__SEARCH, NULL);
1770 } else {
1771 av = 0;
1772 if (op & 004)
1773 av |= FILE__READ;
1774 if (op & 002)
1775 av |= FILE__WRITE;
1776 if (av)
1777 error = avc_has_perm(tsec->sid, tsid,
1778 SECCLASS_FILE, av, NULL);
1779 }
1780
1781 return error;
1782}
1783
1784static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1785{
1786 int rc = 0;
1787
1788 if (!sb)
1789 return 0;
1790
1791 switch (cmds) {
1792 case Q_SYNC:
1793 case Q_QUOTAON:
1794 case Q_QUOTAOFF:
1795 case Q_SETINFO:
1796 case Q_SETQUOTA:
1797 rc = superblock_has_perm(current,
1798 sb,
1799 FILESYSTEM__QUOTAMOD, NULL);
1800 break;
1801 case Q_GETFMT:
1802 case Q_GETINFO:
1803 case Q_GETQUOTA:
1804 rc = superblock_has_perm(current,
1805 sb,
1806 FILESYSTEM__QUOTAGET, NULL);
1807 break;
1808 default:
1809 rc = 0; /* let the kernel handle invalid cmds */
1810 break;
1811 }
1812 return rc;
1813}
1814
1815static int selinux_quota_on(struct dentry *dentry)
1816{
1817 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1818}
1819
1820static int selinux_syslog(int type)
1821{
1822 int rc;
1823
1824 rc = secondary_ops->syslog(type);
1825 if (rc)
1826 return rc;
1827
1828 switch (type) {
1829 case 3: /* Read last kernel messages */
1830 case 10: /* Return size of the log buffer */
1831 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1832 break;
1833 case 6: /* Disable logging to console */
1834 case 7: /* Enable logging to console */
1835 case 8: /* Set level of messages printed to console */
1836 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1837 break;
1838 case 0: /* Close log */
1839 case 1: /* Open log */
1840 case 2: /* Read from log */
1841 case 4: /* Read/clear last kernel messages */
1842 case 5: /* Clear ring buffer */
1843 default:
1844 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1845 break;
1846 }
1847 return rc;
1848}
1849
1850/*
1851 * Check that a process has enough memory to allocate a new virtual
1852 * mapping. 0 means there is enough memory for the allocation to
1853 * succeed and -ENOMEM implies there is not.
1854 *
1855 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1856 * if the capability is granted, but __vm_enough_memory requires 1 if
1857 * the capability is granted.
1858 *
1859 * Do not audit the selinux permission check, as this is applied to all
1860 * processes that allocate mappings.
1861 */
34b4e4aa 1862static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 1863{
1864 int rc, cap_sys_admin = 0;
1865 struct task_security_struct *tsec = current->security;
1866
1867 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1868 if (rc == 0)
1869 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2c3c05db
SS		 1870 SECCLASS_CAPABILITY,
1871 CAP_TO_MASK(CAP_SYS_ADMIN),
1872 0,
1873 NULL);
1da177e4
LT		 1874
1875 if (rc == 0)
1876 cap_sys_admin = 1;
1877
34b4e4aa 1878 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 1879}
1880
1881/* binprm security operations */
1882
1883static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1884{
1885 struct bprm_security_struct *bsec;
1886
89d155ef 1887 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1da177e4
LT		 1888 if (!bsec)
1889 return -ENOMEM;
1890
1da177e4
LT		 1891 bsec->bprm = bprm;
1892 bsec->sid = SECINITSID_UNLABELED;
1893 bsec->set = 0;
1894
1895 bprm->security = bsec;
1896 return 0;
1897}
1898
1899static int selinux_bprm_set_security(struct linux_binprm *bprm)
1900{
1901 struct task_security_struct *tsec;
3d5ff529 1902 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1da177e4
LT		 1903 struct inode_security_struct *isec;
1904 struct bprm_security_struct *bsec;
1905 u32 newsid;
1906 struct avc_audit_data ad;
1907 int rc;
1908
1909 rc = secondary_ops->bprm_set_security(bprm);
1910 if (rc)
1911 return rc;
1912
1913 bsec = bprm->security;
1914
1915 if (bsec->set)
1916 return 0;
1917
1918 tsec = current->security;
1919 isec = inode->i_security;
1920
1921 /* Default to the current task SID. */
1922 bsec->sid = tsec->sid;
1923
28eba5bf 1924 /* Reset fs, key, and sock SIDs on execve. */
1da177e4 1925 tsec->create_sid = 0;
28eba5bf 1926 tsec->keycreate_sid = 0;
42c3e03e 1927 tsec->sockcreate_sid = 0;
1da177e4
LT		 1928
1929 if (tsec->exec_sid) {
1930 newsid = tsec->exec_sid;
1931 /* Reset exec SID on execve. */
1932 tsec->exec_sid = 0;
1933 } else {
1934 /* Check for a default transition on this program. */
1935 rc = security_transition_sid(tsec->sid, isec->sid,
1936 SECCLASS_PROCESS, &newsid);
1937 if (rc)
1938 return rc;
1939 }
1940
1941 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1942 ad.u.fs.path = bprm->file->f_path;
1da177e4 1943
3d5ff529 1944 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1da177e4
LT		 1945 newsid = tsec->sid;
1946
1947 if (tsec->sid == newsid) {
1948 rc = avc_has_perm(tsec->sid, isec->sid,
1949 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1950 if (rc)
1951 return rc;
1952 } else {
1953 /* Check permissions for the transition. */
1954 rc = avc_has_perm(tsec->sid, newsid,
1955 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1956 if (rc)
1957 return rc;
1958
1959 rc = avc_has_perm(newsid, isec->sid,
1960 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1961 if (rc)
1962 return rc;
1963
1964 /* Clear any possibly unsafe personality bits on exec: */
1965 current->personality &= ~PER_CLEAR_ON_SETID;
1966
1967 /* Set the security field to the new SID. */
1968 bsec->sid = newsid;
1969 }
1970
1971 bsec->set = 1;
1972 return 0;
1973}
1974
1975static int selinux_bprm_check_security (struct linux_binprm *bprm)
1976{
1977 return secondary_ops->bprm_check_security(bprm);
1978}
1979
1980
1981static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1982{
1983 struct task_security_struct *tsec = current->security;
1984 int atsecure = 0;
1985
1986 if (tsec->osid != tsec->sid) {
1987 /* Enable secure mode for SIDs transitions unless
1988 the noatsecure permission is granted between
1989 the two SIDs, i.e. ahp returns 0. */
1990 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1991 SECCLASS_PROCESS,
1992 PROCESS__NOATSECURE, NULL);
1993 }
1994
1995 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1996}
1997
1998static void selinux_bprm_free_security(struct linux_binprm *bprm)
1999{
9a5f04bf 2000 kfree(bprm->security);
1da177e4 2001 bprm->security = NULL;
1da177e4
LT		 2002}
2003
2004extern struct vfsmount *selinuxfs_mount;
2005extern struct dentry *selinux_null;
2006
2007/* Derived from fs/exec.c:flush_old_files. */
2008static inline void flush_unauthorized_files(struct files_struct * files)
2009{
2010 struct avc_audit_data ad;
2011 struct file *file, *devnull = NULL;
b20c8122 2012 struct tty_struct *tty;
badf1662 2013 struct fdtable *fdt;
1da177e4 2014 long j = -1;
24ec839c 2015 int drop_tty = 0;
1da177e4 2016
b20c8122 2017 mutex_lock(&tty_mutex);
24ec839c 2018 tty = get_current_tty();
1da177e4
LT		 2019 if (tty) {
2020 file_list_lock();
2f512016 2021 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1da177e4
LT		 2022 if (file) {
2023 /* Revalidate access to controlling tty.
2024 Use inode_has_perm on the tty inode directly rather
2025 than using file_has_perm, as this particular open
2026 file may belong to another process and we are only
2027 interested in the inode-based check here. */
3d5ff529 2028 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2029 if (inode_has_perm(current, inode,
2030 FILE__READ | FILE__WRITE, NULL)) {
24ec839c 2031 drop_tty = 1;
1da177e4
LT		 2032 }
2033 }
2034 file_list_unlock();
2035 }
b20c8122 2036 mutex_unlock(&tty_mutex);
98a27ba4
EB		 2037 /* Reset controlling tty. */
2038 if (drop_tty)
2039 no_tty();
1da177e4
LT		 2040
2041 /* Revalidate access to inherited open files. */
2042
2043 AVC_AUDIT_DATA_INIT(&ad,FS);
2044
2045 spin_lock(&files->file_lock);
2046 for (;;) {
2047 unsigned long set, i;
2048 int fd;
2049
2050 j++;
2051 i = j * __NFDBITS;
badf1662 2052 fdt = files_fdtable(files);
bbea9f69 2053 if (i >= fdt->max_fds)
1da177e4 2054 break;
badf1662 2055 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 2056 if (!set)
2057 continue;
2058 spin_unlock(&files->file_lock);
2059 for ( ; set ; i++,set >>= 1) {
2060 if (set & 1) {
2061 file = fget(i);
2062 if (!file)
2063 continue;
2064 if (file_has_perm(current,
2065 file,
2066 file_to_av(file))) {
2067 sys_close(i);
2068 fd = get_unused_fd();
2069 if (fd != i) {
2070 if (fd >= 0)
2071 put_unused_fd(fd);
2072 fput(file);
2073 continue;
2074 }
2075 if (devnull) {
095975da 2076 get_file(devnull);
1da177e4
LT		 2077 } else {
2078 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
fc5d81e6
AM		 2079 if (IS_ERR(devnull)) {
2080 devnull = NULL;
1da177e4
LT		 2081 put_unused_fd(fd);
2082 fput(file);
2083 continue;
2084 }
2085 }
2086 fd_install(fd, devnull);
2087 }
2088 fput(file);
2089 }
2090 }
2091 spin_lock(&files->file_lock);
2092
2093 }
2094 spin_unlock(&files->file_lock);
2095}
2096
2097static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2098{
2099 struct task_security_struct *tsec;
2100 struct bprm_security_struct *bsec;
2101 u32 sid;
2102 int rc;
2103
2104 secondary_ops->bprm_apply_creds(bprm, unsafe);
2105
2106 tsec = current->security;
2107
2108 bsec = bprm->security;
2109 sid = bsec->sid;
2110
2111 tsec->osid = tsec->sid;
2112 bsec->unsafe = 0;
2113 if (tsec->sid != sid) {
2114 /* Check for shared state. If not ok, leave SID
2115 unchanged and kill. */
2116 if (unsafe & LSM_UNSAFE_SHARE) {
2117 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2118 PROCESS__SHARE, NULL);
2119 if (rc) {
2120 bsec->unsafe = 1;
2121 return;
2122 }
2123 }
2124
2125 /* Check for ptracing, and update the task SID if ok.
2126 Otherwise, leave SID unchanged and kill. */
2127 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2128 rc = avc_has_perm(tsec->ptrace_sid, sid,
2129 SECCLASS_PROCESS, PROCESS__PTRACE,
2130 NULL);
2131 if (rc) {
2132 bsec->unsafe = 1;
2133 return;
2134 }
2135 }
2136 tsec->sid = sid;
2137 }
2138}
2139
2140/*
2141 * called after apply_creds without the task lock held
2142 */
2143static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2144{
2145 struct task_security_struct *tsec;
2146 struct rlimit *rlim, *initrlim;
2147 struct itimerval itimer;
2148 struct bprm_security_struct *bsec;
2149 int rc, i;
2150
2151 tsec = current->security;
2152 bsec = bprm->security;
2153
2154 if (bsec->unsafe) {
2155 force_sig_specific(SIGKILL, current);
2156 return;
2157 }
2158 if (tsec->osid == tsec->sid)
2159 return;
2160
2161 /* Close files for which the new task SID is not authorized. */
2162 flush_unauthorized_files(current->files);
2163
2164 /* Check whether the new SID can inherit signal state
2165 from the old SID. If not, clear itimers to avoid
2166 subsequent signal generation and flush and unblock
2167 signals. This must occur _after_ the task SID has
2168 been updated so that any kill done after the flush
2169 will be checked against the new SID. */
2170 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2171 PROCESS__SIGINH, NULL);
2172 if (rc) {
2173 memset(&itimer, 0, sizeof itimer);
2174 for (i = 0; i < 3; i++)
2175 do_setitimer(i, &itimer, NULL);
2176 flush_signals(current);
2177 spin_lock_irq(&current->sighand->siglock);
2178 flush_signal_handlers(current, 1);
2179 sigemptyset(&current->blocked);
2180 recalc_sigpending();
2181 spin_unlock_irq(&current->sighand->siglock);
2182 }
2183
4ac212ad
SS		 2184 /* Always clear parent death signal on SID transitions. */
2185 current->pdeath_signal = 0;
2186
1da177e4
LT		 2187 /* Check whether the new SID can inherit resource limits
2188 from the old SID. If not, reset all soft limits to
2189 the lower of the current task's hard limit and the init
2190 task's soft limit. Note that the setting of hard limits
2191 (even to lower them) can be controlled by the setrlimit
2192 check. The inclusion of the init task's soft limit into
2193 the computation is to avoid resetting soft limits higher
2194 than the default soft limit for cases where the default
2195 is lower than the hard limit, e.g. RLIMIT_CORE or
2196 RLIMIT_STACK.*/
2197 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2198 PROCESS__RLIMITINH, NULL);
2199 if (rc) {
2200 for (i = 0; i < RLIM_NLIMITS; i++) {
2201 rlim = current->signal->rlim + i;
2202 initrlim = init_task.signal->rlim+i;
2203 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2204 }
2205 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2206 /*
2207 * This will cause RLIMIT_CPU calculations
2208 * to be refigured.
2209 */
2210 current->it_prof_expires = jiffies_to_cputime(1);
2211 }
2212 }
2213
2214 /* Wake up the parent if it is waiting so that it can
2215 recheck wait permission to the new task SID. */
2216 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2217}
2218
2219/* superblock security operations */
2220
2221static int selinux_sb_alloc_security(struct super_block *sb)
2222{
2223 return superblock_alloc_security(sb);
2224}
2225
2226static void selinux_sb_free_security(struct super_block *sb)
2227{
2228 superblock_free_security(sb);
2229}
2230
2231static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2232{
2233 if (plen > olen)
2234 return 0;
2235
2236 return !memcmp(prefix, option, plen);
2237}
2238
2239static inline int selinux_option(char *option, int len)
2240{
2241 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2242 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
0808925e
EP		 2243 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2244 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
1da177e4
LT		 2245}
2246
2247static inline void take_option(char **to, char *from, int *first, int len)
2248{
2249 if (!*first) {
2250 **to = ',';
2251 *to += 1;
3528a953 2252 } else
1da177e4
LT		 2253 *first = 0;
2254 memcpy(*to, from, len);
2255 *to += len;
2256}
2257
3528a953
CO		 2258static inline void take_selinux_option(char **to, char *from, int *first,
2259 int len)
2260{
2261 int current_size = 0;
2262
2263 if (!*first) {
2264 **to = '|';
2265 *to += 1;
2266 }
2267 else
2268 *first = 0;
2269
2270 while (current_size < len) {
2271 if (*from != '"') {
2272 **to = *from;
2273 *to += 1;
2274 }
2275 from += 1;
2276 current_size += 1;
2277 }
2278}
2279
e0007529 2280static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2281{
2282 int fnosec, fsec, rc = 0;
2283 char *in_save, *in_curr, *in_end;
2284 char *sec_curr, *nosec_save, *nosec;
3528a953 2285 int open_quote = 0;
1da177e4
LT		 2286
2287 in_curr = orig;
2288 sec_curr = copy;
2289
1da177e4
LT		 2290 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2291 if (!nosec) {
2292 rc = -ENOMEM;
2293 goto out;
2294 }
2295
2296 nosec_save = nosec;
2297 fnosec = fsec = 1;
2298 in_save = in_end = orig;
2299
2300 do {
3528a953
CO		 2301 if (*in_end == '"')
2302 open_quote = !open_quote;
2303 if ((*in_end == ',' && open_quote == 0) ||
2304 *in_end == '\0') {
1da177e4
LT		 2305 int len = in_end - in_curr;
2306
2307 if (selinux_option(in_curr, len))
3528a953 2308 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2309 else
2310 take_option(&nosec, in_curr, &fnosec, len);
2311
2312 in_curr = in_end + 1;
2313 }
2314 } while (*in_end++);
2315
6931dfc9 2316 strcpy(in_save, nosec_save);
da3caa20 2317 free_page((unsigned long)nosec_save);
1da177e4
LT		 2318out:
2319 return rc;
2320}
2321
2322static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2323{
2324 struct avc_audit_data ad;
2325 int rc;
2326
2327 rc = superblock_doinit(sb, data);
2328 if (rc)
2329 return rc;
2330
2331 AVC_AUDIT_DATA_INIT(&ad,FS);
44707fdf 2332 ad.u.fs.path.dentry = sb->s_root;
1da177e4
LT		 2333 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2334}
2335
726c3342 2336static int selinux_sb_statfs(struct dentry *dentry)
1da177e4
LT		 2337{
2338 struct avc_audit_data ad;
2339
2340 AVC_AUDIT_DATA_INIT(&ad,FS);
44707fdf 2341 ad.u.fs.path.dentry = dentry->d_sb->s_root;
726c3342 2342 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2343}
2344
2345static int selinux_mount(char * dev_name,
2346 struct nameidata *nd,
2347 char * type,
2348 unsigned long flags,
2349 void * data)
2350{
2351 int rc;
2352
2353 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2354 if (rc)
2355 return rc;
2356
2357 if (flags & MS_REMOUNT)
4ac91378 2358 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
1da177e4
LT		 2359 FILESYSTEM__REMOUNT, NULL);
2360 else
4ac91378 2361 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
1da177e4
LT		 2362 FILE__MOUNTON);
2363}
2364
2365static int selinux_umount(struct vfsmount *mnt, int flags)
2366{
2367 int rc;
2368
2369 rc = secondary_ops->sb_umount(mnt, flags);
2370 if (rc)
2371 return rc;
2372
2373 return superblock_has_perm(current,mnt->mnt_sb,
2374 FILESYSTEM__UNMOUNT,NULL);
2375}
2376
2377/* inode security operations */
2378
2379static int selinux_inode_alloc_security(struct inode *inode)
2380{
2381 return inode_alloc_security(inode);
2382}
2383
2384static void selinux_inode_free_security(struct inode *inode)
2385{
2386 inode_free_security(inode);
2387}
2388
5e41ff9e
SS		 2389static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2390 char **name, void **value,
2391 size_t *len)
2392{
2393 struct task_security_struct *tsec;
2394 struct inode_security_struct *dsec;
2395 struct superblock_security_struct *sbsec;
570bc1c2 2396 u32 newsid, clen;
5e41ff9e 2397 int rc;
570bc1c2 2398 char *namep = NULL, *context;
5e41ff9e
SS		 2399
2400 tsec = current->security;
2401 dsec = dir->i_security;
2402 sbsec = dir->i_sb->s_security;
5e41ff9e
SS		 2403
2404 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2405 newsid = tsec->create_sid;
2406 } else {
2407 rc = security_transition_sid(tsec->sid, dsec->sid,
2408 inode_mode_to_security_class(inode->i_mode),
2409 &newsid);
2410 if (rc) {
2411 printk(KERN_WARNING "%s: "
2412 "security_transition_sid failed, rc=%d (dev=%s "
2413 "ino=%ld)\n",
2414 __FUNCTION__,
2415 -rc, inode->i_sb->s_id, inode->i_ino);
2416 return rc;
2417 }
2418 }
2419
296fddf7
EP		 2420 /* Possibly defer initialization to selinux_complete_init. */
2421 if (sbsec->initialized) {
2422 struct inode_security_struct *isec = inode->i_security;
2423 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2424 isec->sid = newsid;
2425 isec->initialized = 1;
2426 }
5e41ff9e 2427
8aad3875 2428 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
25a74f3b
SS		 2429 return -EOPNOTSUPP;
2430
570bc1c2 2431 if (name) {
a02fe132 2432 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
570bc1c2
SS		 2433 if (!namep)
2434 return -ENOMEM;
2435 *name = namep;
2436 }
5e41ff9e 2437
570bc1c2
SS		 2438 if (value && len) {
2439 rc = security_sid_to_context(newsid, &context, &clen);
2440 if (rc) {
2441 kfree(namep);
2442 return rc;
2443 }
2444 *value = context;
2445 *len = clen;
5e41ff9e 2446 }
5e41ff9e 2447
5e41ff9e
SS		 2448 return 0;
2449}
2450
1da177e4
LT		 2451static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2452{
2453 return may_create(dir, dentry, SECCLASS_FILE);
2454}
2455
1da177e4
LT		 2456static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2457{
2458 int rc;
2459
2460 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2461 if (rc)
2462 return rc;
2463 return may_link(dir, old_dentry, MAY_LINK);
2464}
2465
1da177e4
LT		 2466static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2467{
2468 int rc;
2469
2470 rc = secondary_ops->inode_unlink(dir, dentry);
2471 if (rc)
2472 return rc;
2473 return may_link(dir, dentry, MAY_UNLINK);
2474}
2475
2476static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2477{
2478 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2479}
2480
1da177e4
LT		 2481static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2482{
2483 return may_create(dir, dentry, SECCLASS_DIR);
2484}
2485
1da177e4
LT		 2486static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2487{
2488 return may_link(dir, dentry, MAY_RMDIR);
2489}
2490
2491static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2492{
2493 int rc;
2494
2495 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2496 if (rc)
2497 return rc;
2498
2499 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2500}
2501
1da177e4
LT		 2502static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2503 struct inode *new_inode, struct dentry *new_dentry)
2504{
2505 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2506}
2507
1da177e4
LT		 2508static int selinux_inode_readlink(struct dentry *dentry)
2509{
2510 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2511}
2512
2513static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2514{
2515 int rc;
2516
2517 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2518 if (rc)
2519 return rc;
2520 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2521}
2522
2523static int selinux_inode_permission(struct inode *inode, int mask,
2524 struct nameidata *nd)
2525{
2526 int rc;
2527
2528 rc = secondary_ops->inode_permission(inode, mask, nd);
2529 if (rc)
2530 return rc;
2531
2532 if (!mask) {
2533 /* No permission to check. Existence test. */
2534 return 0;
2535 }
2536
2537 return inode_has_perm(current, inode,
2538 file_mask_to_av(inode->i_mode, mask), NULL);
2539}
2540
2541static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2542{
2543 int rc;
2544
2545 rc = secondary_ops->inode_setattr(dentry, iattr);
2546 if (rc)
2547 return rc;
2548
2549 if (iattr->ia_valid & ATTR_FORCE)
2550 return 0;
2551
2552 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2553 ATTR_ATIME_SET | ATTR_MTIME_SET))
2554 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2555
2556 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2557}
2558
2559static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2560{
2561 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2562}
2563
b5376771
SH		 2564static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2565{
2566 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2567 sizeof XATTR_SECURITY_PREFIX - 1)) {
2568 if (!strcmp(name, XATTR_NAME_CAPS)) {
2569 if (!capable(CAP_SETFCAP))
2570 return -EPERM;
2571 } else if (!capable(CAP_SYS_ADMIN)) {
2572 /* A different attribute in the security namespace.
2573 Restrict to administrator. */
2574 return -EPERM;
2575 }
2576 }
2577
2578 /* Not an attribute we recognize, so just check the
2579 ordinary setattr permission. */
2580 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2581}
2582
1da177e4
LT		 2583static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2584{
2585 struct task_security_struct *tsec = current->security;
2586 struct inode *inode = dentry->d_inode;
2587 struct inode_security_struct *isec = inode->i_security;
2588 struct superblock_security_struct *sbsec;
2589 struct avc_audit_data ad;
2590 u32 newsid;
2591 int rc = 0;
2592
b5376771
SH		 2593 if (strcmp(name, XATTR_NAME_SELINUX))
2594 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2595
2596 sbsec = inode->i_sb->s_security;
2597 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2598 return -EOPNOTSUPP;
2599
3bd858ab 2600 if (!is_owner_or_cap(inode))
1da177e4
LT		 2601 return -EPERM;
2602
2603 AVC_AUDIT_DATA_INIT(&ad,FS);
44707fdf 2604 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 2605
2606 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2607 FILE__RELABELFROM, &ad);
2608 if (rc)
2609 return rc;
2610
2611 rc = security_context_to_sid(value, size, &newsid);
2612 if (rc)
2613 return rc;
2614
2615 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2616 FILE__RELABELTO, &ad);
2617 if (rc)
2618 return rc;
2619
2620 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2621 isec->sclass);
2622 if (rc)
2623 return rc;
2624
2625 return avc_has_perm(newsid,
2626 sbsec->sid,
2627 SECCLASS_FILESYSTEM,
2628 FILESYSTEM__ASSOCIATE,
2629 &ad);
2630}
2631
2632static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2633 void *value, size_t size, int flags)
2634{
2635 struct inode *inode = dentry->d_inode;
2636 struct inode_security_struct *isec = inode->i_security;
2637 u32 newsid;
2638 int rc;
2639
2640 if (strcmp(name, XATTR_NAME_SELINUX)) {
2641 /* Not an attribute we recognize, so nothing to do. */
2642 return;
2643 }
2644
2645 rc = security_context_to_sid(value, size, &newsid);
2646 if (rc) {
2647 printk(KERN_WARNING "%s: unable to obtain SID for context "
2648 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2649 return;
2650 }
2651
2652 isec->sid = newsid;
2653 return;
2654}
2655
2656static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2657{
1da177e4
LT		 2658 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2659}
2660
2661static int selinux_inode_listxattr (struct dentry *dentry)
2662{
2663 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2664}
2665
2666static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2667{
b5376771
SH		 2668 if (strcmp(name, XATTR_NAME_SELINUX))
2669 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2670
2671 /* No one is allowed to remove a SELinux security label.
2672 You can change the label, but all data must be labeled. */
2673 return -EACCES;
2674}
2675
d381d8a9
JM		 2676/*
2677 * Copy the in-core inode security context value to the user. If the
2678 * getxattr() prior to this succeeded, check to see if we need to
2679 * canonicalize the value to be finally returned to the user.
2680 *
2681 * Permission check is handled by selinux_inode_getxattr hook.
2682 */
42492594 2683static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 2684{
42492594
DQ		 2685 u32 size;
2686 int error;
2687 char *context = NULL;
1da177e4 2688 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2689
8c8570fb
DK		 2690 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2691 return -EOPNOTSUPP;
d381d8a9 2692
42492594
DQ		 2693 error = security_sid_to_context(isec->sid, &context, &size);
2694 if (error)
2695 return error;
2696 error = size;
2697 if (alloc) {
2698 *buffer = context;
2699 goto out_nofree;
2700 }
2701 kfree(context);
2702out_nofree:
2703 return error;
1da177e4
LT		 2704}
2705
2706static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2707 const void *value, size_t size, int flags)
2708{
2709 struct inode_security_struct *isec = inode->i_security;
2710 u32 newsid;
2711 int rc;
2712
2713 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2714 return -EOPNOTSUPP;
2715
2716 if (!value || !size)
2717 return -EACCES;
2718
2719 rc = security_context_to_sid((void*)value, size, &newsid);
2720 if (rc)
2721 return rc;
2722
2723 isec->sid = newsid;
2724 return 0;
2725}
2726
2727static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2728{
2729 const int len = sizeof(XATTR_NAME_SELINUX);
2730 if (buffer && len <= buffer_size)
2731 memcpy(buffer, XATTR_NAME_SELINUX, len);
2732 return len;
2733}
2734
b5376771
SH		 2735static int selinux_inode_need_killpriv(struct dentry *dentry)
2736{
2737 return secondary_ops->inode_need_killpriv(dentry);
2738}
2739
2740static int selinux_inode_killpriv(struct dentry *dentry)
2741{
2742 return secondary_ops->inode_killpriv(dentry);
2743}
2744
1da177e4
LT		 2745/* file security operations */
2746
788e7dd4 2747static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 2748{
7420ed23 2749 int rc;
3d5ff529 2750 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2751
2752 if (!mask) {
2753 /* No permission to check. Existence test. */
2754 return 0;
2755 }
2756
2757 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2758 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2759 mask |= MAY_APPEND;
2760
7420ed23
VY		 2761 rc = file_has_perm(current, file,
2762 file_mask_to_av(inode->i_mode, mask));
2763 if (rc)
2764 return rc;
2765
2766 return selinux_netlbl_inode_permission(inode, mask);
1da177e4
LT		 2767}
2768
788e7dd4
YN		 2769static int selinux_file_permission(struct file *file, int mask)
2770{
2771 struct inode *inode = file->f_path.dentry->d_inode;
2772 struct task_security_struct *tsec = current->security;
2773 struct file_security_struct *fsec = file->f_security;
2774 struct inode_security_struct *isec = inode->i_security;
2775
2776 if (!mask) {
2777 /* No permission to check. Existence test. */
2778 return 0;
2779 }
2780
2781 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2782 && fsec->pseqno == avc_policy_seqno())
2783 return selinux_netlbl_inode_permission(inode, mask);
2784
2785 return selinux_revalidate_file_permission(file, mask);
2786}
2787
1da177e4
LT		 2788static int selinux_file_alloc_security(struct file *file)
2789{
2790 return file_alloc_security(file);
2791}
2792
2793static void selinux_file_free_security(struct file *file)
2794{
2795 file_free_security(file);
2796}
2797
2798static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2799 unsigned long arg)
2800{
2801 int error = 0;
2802
2803 switch (cmd) {
2804 case FIONREAD:
2805 /* fall through */
2806 case FIBMAP:
2807 /* fall through */
2808 case FIGETBSZ:
2809 /* fall through */
2810 case EXT2_IOC_GETFLAGS:
2811 /* fall through */
2812 case EXT2_IOC_GETVERSION:
2813 error = file_has_perm(current, file, FILE__GETATTR);
2814 break;
2815
2816 case EXT2_IOC_SETFLAGS:
2817 /* fall through */
2818 case EXT2_IOC_SETVERSION:
2819 error = file_has_perm(current, file, FILE__SETATTR);
2820 break;
2821
2822 /* sys_ioctl() checks */
2823 case FIONBIO:
2824 /* fall through */
2825 case FIOASYNC:
2826 error = file_has_perm(current, file, 0);
2827 break;
2828
2829 case KDSKBENT:
2830 case KDSKBSENT:
2831 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2832 break;
2833
2834 /* default case assumes that the command will go
2835 * to the file's ioctl() function.
2836 */
2837 default:
2838 error = file_has_perm(current, file, FILE__IOCTL);
2839
2840 }
2841 return error;
2842}
2843
2844static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2845{
2846#ifndef CONFIG_PPC32
2847 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2848 /*
2849 * We are making executable an anonymous mapping or a
2850 * private file mapping that will also be writable.
2851 * This has an additional check.
2852 */
2853 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2854 if (rc)
2855 return rc;
2856 }
2857#endif
2858
2859 if (file) {
2860 /* read access is always possible with a mapping */
2861 u32 av = FILE__READ;
2862
2863 /* write access only matters if the mapping is shared */
2864 if (shared && (prot & PROT_WRITE))
2865 av |= FILE__WRITE;
2866
2867 if (prot & PROT_EXEC)
2868 av |= FILE__EXECUTE;
2869
2870 return file_has_perm(current, file, av);
2871 }
2872 return 0;
2873}
2874
2875static int selinux_file_mmap(struct file *file, unsigned long reqprot,
ed032189
EP		 2876 unsigned long prot, unsigned long flags,
2877 unsigned long addr, unsigned long addr_only)
1da177e4 2878{
ed032189
EP		 2879 int rc = 0;
2880 u32 sid = ((struct task_security_struct*)(current->security))->sid;
1da177e4 2881
ed032189
EP		 2882 if (addr < mmap_min_addr)
2883 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2884 MEMPROTECT__MMAP_ZERO, NULL);
2885 if (rc || addr_only)
1da177e4
LT		 2886 return rc;
2887
2888 if (selinux_checkreqprot)
2889 prot = reqprot;
2890
2891 return file_map_prot_check(file, prot,
2892 (flags & MAP_TYPE) == MAP_SHARED);
2893}
2894
2895static int selinux_file_mprotect(struct vm_area_struct *vma,
2896 unsigned long reqprot,
2897 unsigned long prot)
2898{
2899 int rc;
2900
2901 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2902 if (rc)
2903 return rc;
2904
2905 if (selinux_checkreqprot)
2906 prot = reqprot;
2907
2908#ifndef CONFIG_PPC32
db4c9641
SS		 2909 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2910 rc = 0;
2911 if (vma->vm_start >= vma->vm_mm->start_brk &&
2912 vma->vm_end <= vma->vm_mm->brk) {
2913 rc = task_has_perm(current, current,
2914 PROCESS__EXECHEAP);
2915 } else if (!vma->vm_file &&
2916 vma->vm_start <= vma->vm_mm->start_stack &&
2917 vma->vm_end >= vma->vm_mm->start_stack) {
2918 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2919 } else if (vma->vm_file && vma->anon_vma) {
2920 /*
2921 * We are making executable a file mapping that has
2922 * had some COW done. Since pages might have been
2923 * written, check ability to execute the possibly
2924 * modified content. This typically should only
2925 * occur for text relocations.
2926 */
2927 rc = file_has_perm(current, vma->vm_file,
2928 FILE__EXECMOD);
2929 }