]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blame - security/selinux/hooks.c
projects / mirror_ubuntu-artful-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
syslog: distinguish between /proc/kmsg and syscalls
[mirror_ubuntu-artful-kernel.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4
PM		 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul.moore@hp.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4
LT		 26#include <linux/init.h>
27#include <linux/kernel.h>
0d094efe 28#include <linux/tracehook.h>
1da177e4
LT		 29#include <linux/errno.h>
30#include <linux/sched.h>
31#include <linux/security.h>
32#include <linux/xattr.h>
33#include <linux/capability.h>
34#include <linux/unistd.h>
35#include <linux/mm.h>
36#include <linux/mman.h>
37#include <linux/slab.h>
38#include <linux/pagemap.h>
39#include <linux/swap.h>
1da177e4
LT		 40#include <linux/spinlock.h>
41#include <linux/syscalls.h>
42#include <linux/file.h>
9f3acc31 43#include <linux/fdtable.h>
1da177e4
LT		 44#include <linux/namei.h>
45#include <linux/mount.h>
1da177e4 46#include <linux/proc_fs.h>
1da177e4
LT		 47#include <linux/netfilter_ipv4.h>
48#include <linux/netfilter_ipv6.h>
49#include <linux/tty.h>
50#include <net/icmp.h>
227b60f5 51#include <net/ip.h> /* for local_port_range[] */
1da177e4 52#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
220deb96 53#include <net/net_namespace.h>
d621d35e 54#include <net/netlabel.h>
f5269710 55#include <linux/uaccess.h>
1da177e4 56#include <asm/ioctls.h>
d621d35e 57#include <asm/atomic.h>
1da177e4
LT		 58#include <linux/bitops.h>
59#include <linux/interrupt.h>
60#include <linux/netdevice.h> /* for network interface checks */
61#include <linux/netlink.h>
62#include <linux/tcp.h>
63#include <linux/udp.h>
2ee92d46 64#include <linux/dccp.h>
1da177e4
LT		 65#include <linux/quota.h>
66#include <linux/un.h> /* for Unix socket types */
67#include <net/af_unix.h> /* for Unix socket types */
68#include <linux/parser.h>
69#include <linux/nfs_mount.h>
70#include <net/ipv6.h>
71#include <linux/hugetlb.h>
72#include <linux/personality.h>
73#include <linux/sysctl.h>
74#include <linux/audit.h>
6931dfc9 75#include <linux/string.h>
877ce7c1 76#include <linux/selinux.h>
23970741 77#include <linux/mutex.h>
f06febc9 78#include <linux/posix-timers.h>
00234592 79#include <linux/syslog.h>
1da177e4
LT		 80
81#include "avc.h"
82#include "objsec.h"
83#include "netif.h"
224dfbd8 84#include "netnode.h"
3e112172 85#include "netport.h"
d28d1e08 86#include "xfrm.h"
c60475bf 87#include "netlabel.h"
9d57a7f9 88#include "audit.h"
1da177e4
LT		 89
90#define XATTR_SELINUX_SUFFIX "selinux"
91#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
92
11689d47 93#define NUM_SEL_MNT_OPTS 5
c9180a57 94
1da177e4 95extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
20510f2f 96extern struct security_operations *security_ops;
1da177e4 97
d621d35e
PM		 98/* SECMARK reference count */
99atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100
1da177e4 101#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 102int selinux_enforcing;
1da177e4
LT		 103
104static int __init enforcing_setup(char *str)
105{
f5269710
EP		 106 unsigned long enforcing;
107 if (!strict_strtoul(str, 0, &enforcing))
108 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 109 return 1;
110}
111__setup("enforcing=", enforcing_setup);
112#endif
113
114#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116
117static int __init selinux_enabled_setup(char *str)
118{
f5269710
EP		 119 unsigned long enabled;
120 if (!strict_strtoul(str, 0, &enabled))
121 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 122 return 1;
123}
124__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 125#else
126int selinux_enabled = 1;
1da177e4
LT		 127#endif
128
1da177e4 129
6f0f0fd4
JM		 130/*
131 * Minimal support for a secondary security module,
132 * just to allow the use of the capability module.
133 */
828dfe1d 134static struct security_operations *secondary_ops;
1da177e4
LT		 135
136/* Lists of inode and superblock security structures initialized
137 before the policy was loaded. */
138static LIST_HEAD(superblock_security_head);
139static DEFINE_SPINLOCK(sb_security_lock);
140
e18b890b 141static struct kmem_cache *sel_inode_cache;
7cae7e26 142
d621d35e
PM		 143/**
144 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
145 *
146 * Description:
147 * This function checks the SECMARK reference counter to see if any SECMARK
148 * targets are currently configured, if the reference counter is greater than
149 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
150 * enabled, false (0) if SECMARK is disabled.
151 *
152 */
153static int selinux_secmark_enabled(void)
154{
155 return (atomic_read(&selinux_secmark_refcount) > 0);
156}
157
d84f4f99
DH		 158/*
159 * initialise the security for the init task
160 */
161static void cred_init_security(void)
1da177e4 162{
3b11a1de 163 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 164 struct task_security_struct *tsec;
165
89d155ef 166 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 167 if (!tsec)
d84f4f99 168 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 169
d84f4f99 170 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 171 cred->security = tsec;
1da177e4
LT		 172}
173
88e67f3b
DH		 174/*
175 * get the security ID of a set of credentials
176 */
177static inline u32 cred_sid(const struct cred *cred)
178{
179 const struct task_security_struct *tsec;
180
181 tsec = cred->security;
182 return tsec->sid;
183}
184
275bb41e 185/*
3b11a1de 186 * get the objective security ID of a task
275bb41e
DH		 187 */
188static inline u32 task_sid(const struct task_struct *task)
189{
275bb41e
DH		 190 u32 sid;
191
192 rcu_read_lock();
88e67f3b 193 sid = cred_sid(__task_cred(task));
275bb41e
DH		 194 rcu_read_unlock();
195 return sid;
196}
197
198/*
3b11a1de 199 * get the subjective security ID of the current task
275bb41e
DH		 200 */
201static inline u32 current_sid(void)
202{
203 const struct task_security_struct *tsec = current_cred()->security;
204
205 return tsec->sid;
206}
207
88e67f3b
DH		 208/* Allocate and free functions for each kind of security blob. */
209
1da177e4
LT		 210static int inode_alloc_security(struct inode *inode)
211{
1da177e4 212 struct inode_security_struct *isec;
275bb41e 213 u32 sid = current_sid();
1da177e4 214
a02fe132 215 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 216 if (!isec)
217 return -ENOMEM;
218
23970741 219 mutex_init(&isec->lock);
1da177e4 220 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 221 isec->inode = inode;
222 isec->sid = SECINITSID_UNLABELED;
223 isec->sclass = SECCLASS_FILE;
275bb41e 224 isec->task_sid = sid;
1da177e4
LT		 225 inode->i_security = isec;
226
227 return 0;
228}
229
230static void inode_free_security(struct inode *inode)
231{
232 struct inode_security_struct *isec = inode->i_security;
233 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
234
1da177e4
LT		 235 spin_lock(&sbsec->isec_lock);
236 if (!list_empty(&isec->list))
237 list_del_init(&isec->list);
238 spin_unlock(&sbsec->isec_lock);
239
240 inode->i_security = NULL;
7cae7e26 241 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 242}
243
244static int file_alloc_security(struct file *file)
245{
1da177e4 246 struct file_security_struct *fsec;
275bb41e 247 u32 sid = current_sid();
1da177e4 248
26d2a4be 249 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 250 if (!fsec)
251 return -ENOMEM;
252
275bb41e
DH		 253 fsec->sid = sid;
254 fsec->fown_sid = sid;
1da177e4
LT		 255 file->f_security = fsec;
256
257 return 0;
258}
259
260static void file_free_security(struct file *file)
261{
262 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 263 file->f_security = NULL;
264 kfree(fsec);
265}
266
267static int superblock_alloc_security(struct super_block *sb)
268{
269 struct superblock_security_struct *sbsec;
270
89d155ef 271 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 272 if (!sbsec)
273 return -ENOMEM;
274
bc7e982b 275 mutex_init(&sbsec->lock);
1da177e4
LT		 276 INIT_LIST_HEAD(&sbsec->list);
277 INIT_LIST_HEAD(&sbsec->isec_head);
278 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 279 sbsec->sb = sb;
280 sbsec->sid = SECINITSID_UNLABELED;
281 sbsec->def_sid = SECINITSID_FILE;
c312feb2 282 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 283 sb->s_security = sbsec;
284
285 return 0;
286}
287
288static void superblock_free_security(struct super_block *sb)
289{
290 struct superblock_security_struct *sbsec = sb->s_security;
291
1da177e4
LT		 292 spin_lock(&sb_security_lock);
293 if (!list_empty(&sbsec->list))
294 list_del_init(&sbsec->list);
295 spin_unlock(&sb_security_lock);
296
297 sb->s_security = NULL;
298 kfree(sbsec);
299}
300
7d877f3b 301static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4
LT		 302{
303 struct sk_security_struct *ssec;
304
89d155ef 305 ssec = kzalloc(sizeof(*ssec), priority);
1da177e4
LT		 306 if (!ssec)
307 return -ENOMEM;
308
1da177e4 309 ssec->peer_sid = SECINITSID_UNLABELED;
892c141e 310 ssec->sid = SECINITSID_UNLABELED;
1da177e4
LT		 311 sk->sk_security = ssec;
312
389fb800 313 selinux_netlbl_sk_security_reset(ssec);
99f59ed0 314
1da177e4
LT		 315 return 0;
316}
317
318static void sk_free_security(struct sock *sk)
319{
320 struct sk_security_struct *ssec = sk->sk_security;
321
1da177e4 322 sk->sk_security = NULL;
6c5b3fc0 323 selinux_netlbl_sk_security_free(ssec);
1da177e4
LT		 324 kfree(ssec);
325}
1da177e4
LT		 326
327/* The security server must be initialized before
328 any labeling or access decisions can be provided. */
329extern int ss_initialized;
330
331/* The file system's label must be initialized prior to use. */
332
333static char *labeling_behaviors[6] = {
334 "uses xattr",
335 "uses transition SIDs",
336 "uses task SIDs",
337 "uses genfs_contexts",
338 "not configured for labeling",
339 "uses mountpoint labeling",
340};
341
342static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
343
344static inline int inode_doinit(struct inode *inode)
345{
346 return inode_doinit_with_dentry(inode, NULL);
347}
348
349enum {
31e87930 350 Opt_error = -1,
1da177e4
LT		 351 Opt_context = 1,
352 Opt_fscontext = 2,
c9180a57
EP		 353 Opt_defcontext = 3,
354 Opt_rootcontext = 4,
11689d47 355 Opt_labelsupport = 5,
1da177e4
LT		 356};
357
a447c093 358static const match_table_t tokens = {
832cbd9a
EP		 359 {Opt_context, CONTEXT_STR "%s"},
360 {Opt_fscontext, FSCONTEXT_STR "%s"},
361 {Opt_defcontext, DEFCONTEXT_STR "%s"},
362 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 363 {Opt_labelsupport, LABELSUPP_STR},
31e87930 364 {Opt_error, NULL},
1da177e4
LT		 365};
366
367#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
368
c312feb2
EP		 369static int may_context_mount_sb_relabel(u32 sid,
370 struct superblock_security_struct *sbsec,
275bb41e 371 const struct cred *cred)
c312feb2 372{
275bb41e 373 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 374 int rc;
375
376 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
377 FILESYSTEM__RELABELFROM, NULL);
378 if (rc)
379 return rc;
380
381 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
382 FILESYSTEM__RELABELTO, NULL);
383 return rc;
384}
385
0808925e
EP		 386static int may_context_mount_inode_relabel(u32 sid,
387 struct superblock_security_struct *sbsec,
275bb41e 388 const struct cred *cred)
0808925e 389{
275bb41e 390 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 391 int rc;
392 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
393 FILESYSTEM__RELABELFROM, NULL);
394 if (rc)
395 return rc;
396
397 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
398 FILESYSTEM__ASSOCIATE, NULL);
399 return rc;
400}
401
c9180a57 402static int sb_finish_set_opts(struct super_block *sb)
1da177e4 403{
1da177e4 404 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 405 struct dentry *root = sb->s_root;
406 struct inode *root_inode = root->d_inode;
407 int rc = 0;
1da177e4 408
c9180a57
EP		 409 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
410 /* Make sure that the xattr handler exists and that no
411 error other than -ENODATA is returned by getxattr on
412 the root directory. -ENODATA is ok, as this may be
413 the first boot of the SELinux kernel before we have
414 assigned xattr values to the filesystem. */
415 if (!root_inode->i_op->getxattr) {
416 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
417 "xattr support\n", sb->s_id, sb->s_type->name);
418 rc = -EOPNOTSUPP;
419 goto out;
420 }
421 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
422 if (rc < 0 && rc != -ENODATA) {
423 if (rc == -EOPNOTSUPP)
424 printk(KERN_WARNING "SELinux: (dev %s, type "
425 "%s) has no security xattr handler\n",
426 sb->s_id, sb->s_type->name);
427 else
428 printk(KERN_WARNING "SELinux: (dev %s, type "
429 "%s) getxattr errno %d\n", sb->s_id,
430 sb->s_type->name, -rc);
431 goto out;
432 }
433 }
1da177e4 434
11689d47 435 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
1da177e4 436
c9180a57
EP		 437 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
438 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
439 sb->s_id, sb->s_type->name);
440 else
441 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
442 sb->s_id, sb->s_type->name,
443 labeling_behaviors[sbsec->behavior-1]);
1da177e4 444
11689d47
DQ		 445 if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
446 sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
447 sbsec->behavior == SECURITY_FS_USE_NONE ||
448 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
449 sbsec->flags &= ~SE_SBLABELSUPP;
450
ddd29ec6
DQ		 451 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
452 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
453 sbsec->flags |= SE_SBLABELSUPP;
454
c9180a57
EP		 455 /* Initialize the root inode. */
456 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 457
c9180a57
EP		 458 /* Initialize any other inodes associated with the superblock, e.g.
459 inodes created prior to initial policy load or inodes created
460 during get_sb by a pseudo filesystem that directly
461 populates itself. */
462 spin_lock(&sbsec->isec_lock);
463next_inode:
464 if (!list_empty(&sbsec->isec_head)) {
465 struct inode_security_struct *isec =
466 list_entry(sbsec->isec_head.next,
467 struct inode_security_struct, list);
468 struct inode *inode = isec->inode;
469 spin_unlock(&sbsec->isec_lock);
470 inode = igrab(inode);
471 if (inode) {
472 if (!IS_PRIVATE(inode))
473 inode_doinit(inode);
474 iput(inode);
475 }
476 spin_lock(&sbsec->isec_lock);
477 list_del_init(&isec->list);
478 goto next_inode;
479 }
480 spin_unlock(&sbsec->isec_lock);
481out:
482 return rc;
483}
1da177e4 484
c9180a57
EP		 485/*
486 * This function should allow an FS to ask what it's mount security
487 * options were so it can use those later for submounts, displaying
488 * mount options, or whatever.
489 */
490static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 491 struct security_mnt_opts *opts)
c9180a57
EP		 492{
493 int rc = 0, i;
494 struct superblock_security_struct *sbsec = sb->s_security;
495 char *context = NULL;
496 u32 len;
497 char tmp;
1da177e4 498
e0007529 499 security_init_mnt_opts(opts);
1da177e4 500
0d90a7ec 501 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 502 return -EINVAL;
1da177e4 503
c9180a57
EP		 504 if (!ss_initialized)
505 return -EINVAL;
1da177e4 506
0d90a7ec 507 tmp = sbsec->flags & SE_MNTMASK;
c9180a57
EP		 508 /* count the number of mount options for this sb */
509 for (i = 0; i < 8; i++) {
510 if (tmp & 0x01)
e0007529 511 opts->num_mnt_opts++;
c9180a57
EP		 512 tmp >>= 1;
513 }
11689d47
DQ		 514 /* Check if the Label support flag is set */
515 if (sbsec->flags & SE_SBLABELSUPP)
516 opts->num_mnt_opts++;
1da177e4 517
e0007529
EP		 518 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
519 if (!opts->mnt_opts) {
c9180a57
EP		 520 rc = -ENOMEM;
521 goto out_free;
522 }
1da177e4 523
e0007529
EP		 524 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
525 if (!opts->mnt_opts_flags) {
c9180a57
EP		 526 rc = -ENOMEM;
527 goto out_free;
528 }
1da177e4 529
c9180a57
EP		 530 i = 0;
531 if (sbsec->flags & FSCONTEXT_MNT) {
532 rc = security_sid_to_context(sbsec->sid, &context, &len);
533 if (rc)
534 goto out_free;
e0007529
EP		 535 opts->mnt_opts[i] = context;
536 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 537 }
538 if (sbsec->flags & CONTEXT_MNT) {
539 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
540 if (rc)
541 goto out_free;
e0007529
EP		 542 opts->mnt_opts[i] = context;
543 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 544 }
545 if (sbsec->flags & DEFCONTEXT_MNT) {
546 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
547 if (rc)
548 goto out_free;
e0007529
EP		 549 opts->mnt_opts[i] = context;
550 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 551 }
552 if (sbsec->flags & ROOTCONTEXT_MNT) {
553 struct inode *root = sbsec->sb->s_root->d_inode;
554 struct inode_security_struct *isec = root->i_security;
0808925e 555
c9180a57
EP		 556 rc = security_sid_to_context(isec->sid, &context, &len);
557 if (rc)
558 goto out_free;
e0007529
EP		 559 opts->mnt_opts[i] = context;
560 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 561 }
11689d47
DQ		 562 if (sbsec->flags & SE_SBLABELSUPP) {
563 opts->mnt_opts[i] = NULL;
564 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
565 }
1da177e4 566
e0007529 567 BUG_ON(i != opts->num_mnt_opts);
1da177e4 568
c9180a57
EP		 569 return 0;
570
571out_free:
e0007529 572 security_free_mnt_opts(opts);
c9180a57
EP		 573 return rc;
574}
1da177e4 575
c9180a57
EP		 576static int bad_option(struct superblock_security_struct *sbsec, char flag,
577 u32 old_sid, u32 new_sid)
578{
0d90a7ec
DQ		 579 char mnt_flags = sbsec->flags & SE_MNTMASK;
580
c9180a57 581 /* check if the old mount command had the same options */
0d90a7ec 582 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 583 if (!(sbsec->flags & flag) ||
584 (old_sid != new_sid))
585 return 1;
586
587 /* check if we were passed the same options twice,
588 * aka someone passed context=a,context=b
589 */
0d90a7ec
DQ		 590 if (!(sbsec->flags & SE_SBINITIALIZED))
591 if (mnt_flags & flag)
c9180a57
EP		 592 return 1;
593 return 0;
594}
e0007529 595
c9180a57
EP		 596/*
597 * Allow filesystems with binary mount data to explicitly set mount point
598 * labeling information.
599 */
e0007529
EP		 600static int selinux_set_mnt_opts(struct super_block *sb,
601 struct security_mnt_opts *opts)
c9180a57 602{
275bb41e 603 const struct cred *cred = current_cred();
c9180a57 604 int rc = 0, i;
c9180a57
EP		 605 struct superblock_security_struct *sbsec = sb->s_security;
606 const char *name = sb->s_type->name;
089be43e
JM		 607 struct inode *inode = sbsec->sb->s_root->d_inode;
608 struct inode_security_struct *root_isec = inode->i_security;
c9180a57
EP		 609 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
610 u32 defcontext_sid = 0;
e0007529
EP		 611 char **mount_options = opts->mnt_opts;
612 int *flags = opts->mnt_opts_flags;
613 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 614
615 mutex_lock(&sbsec->lock);
616
617 if (!ss_initialized) {
618 if (!num_opts) {
619 /* Defer initialization until selinux_complete_init,
620 after the initial policy is loaded and the security
621 server is ready to handle calls. */
622 spin_lock(&sb_security_lock);
623 if (list_empty(&sbsec->list))
624 list_add(&sbsec->list, &superblock_security_head);
625 spin_unlock(&sb_security_lock);
626 goto out;
627 }
628 rc = -EINVAL;
744ba35e
EP		 629 printk(KERN_WARNING "SELinux: Unable to set superblock options "
630 "before the security server is initialized\n");
1da177e4 631 goto out;
c9180a57 632 }
1da177e4 633
e0007529
EP		 634 /*
635 * Binary mount data FS will come through this function twice. Once
636 * from an explicit call and once from the generic calls from the vfs.
637 * Since the generic VFS calls will not contain any security mount data
638 * we need to skip the double mount verification.
639 *
640 * This does open a hole in which we will not notice if the first
641 * mount using this sb set explict options and a second mount using
642 * this sb does not set any security options. (The first options
643 * will be used for both mounts)
644 */
0d90a7ec 645 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 646 && (num_opts == 0))
f5269710 647 goto out;
e0007529 648
c9180a57
EP		 649 /*
650 * parse the mount options, check if they are valid sids.
651 * also check if someone is trying to mount the same sb more
652 * than once with different security options.
653 */
654 for (i = 0; i < num_opts; i++) {
655 u32 sid;
11689d47
DQ		 656
657 if (flags[i] == SE_SBLABELSUPP)
658 continue;
c9180a57
EP		 659 rc = security_context_to_sid(mount_options[i],
660 strlen(mount_options[i]), &sid);
1da177e4
LT		 661 if (rc) {
662 printk(KERN_WARNING "SELinux: security_context_to_sid"
663 "(%s) failed for (dev %s, type %s) errno=%d\n",
c9180a57
EP		 664 mount_options[i], sb->s_id, name, rc);
665 goto out;
666 }
667 switch (flags[i]) {
668 case FSCONTEXT_MNT:
669 fscontext_sid = sid;
670
671 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
672 fscontext_sid))
673 goto out_double_mount;
674
675 sbsec->flags |= FSCONTEXT_MNT;
676 break;
677 case CONTEXT_MNT:
678 context_sid = sid;
679
680 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
681 context_sid))
682 goto out_double_mount;
683
684 sbsec->flags |= CONTEXT_MNT;
685 break;
686 case ROOTCONTEXT_MNT:
687 rootcontext_sid = sid;
688
689 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
690 rootcontext_sid))
691 goto out_double_mount;
692
693 sbsec->flags |= ROOTCONTEXT_MNT;
694
695 break;
696 case DEFCONTEXT_MNT:
697 defcontext_sid = sid;
698
699 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
700 defcontext_sid))
701 goto out_double_mount;
702
703 sbsec->flags |= DEFCONTEXT_MNT;
704
705 break;
706 default:
707 rc = -EINVAL;
708 goto out;
1da177e4 709 }
c9180a57
EP		 710 }
711
0d90a7ec 712 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 713 /* previously mounted with options, but not on this attempt? */
0d90a7ec 714 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 715 goto out_double_mount;
716 rc = 0;
717 goto out;
718 }
719
089be43e 720 if (strcmp(sb->s_type->name, "proc") == 0)
0d90a7ec 721 sbsec->flags |= SE_SBPROC;
c9180a57
EP		 722
723 /* Determine the labeling behavior to use for this filesystem type. */
0d90a7ec 724 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
c9180a57
EP		 725 if (rc) {
726 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
089be43e 727 __func__, sb->s_type->name, rc);
c9180a57
EP		 728 goto out;
729 }
1da177e4 730
c9180a57
EP		 731 /* sets the context of the superblock for the fs being mounted. */
732 if (fscontext_sid) {
275bb41e 733 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 734 if (rc)
c9180a57 735 goto out;
1da177e4 736
c9180a57 737 sbsec->sid = fscontext_sid;
c312feb2
EP		 738 }
739
740 /*
741 * Switch to using mount point labeling behavior.
742 * sets the label used on all file below the mountpoint, and will set
743 * the superblock context if not already set.
744 */
c9180a57
EP		 745 if (context_sid) {
746 if (!fscontext_sid) {
275bb41e
DH		 747 rc = may_context_mount_sb_relabel(context_sid, sbsec,
748 cred);
b04ea3ce 749 if (rc)
c9180a57
EP		 750 goto out;
751 sbsec->sid = context_sid;
b04ea3ce 752 } else {
275bb41e
DH		 753 rc = may_context_mount_inode_relabel(context_sid, sbsec,
754 cred);
b04ea3ce 755 if (rc)
c9180a57 756 goto out;
b04ea3ce 757 }
c9180a57
EP		 758 if (!rootcontext_sid)
759 rootcontext_sid = context_sid;
1da177e4 760
c9180a57 761 sbsec->mntpoint_sid = context_sid;
c312feb2 762 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 763 }
764
c9180a57 765 if (rootcontext_sid) {
275bb41e
DH		 766 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
767 cred);
0808925e 768 if (rc)
c9180a57 769 goto out;
0808925e 770
c9180a57
EP		 771 root_isec->sid = rootcontext_sid;
772 root_isec->initialized = 1;
0808925e
EP		 773 }
774
c9180a57
EP		 775 if (defcontext_sid) {
776 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
777 rc = -EINVAL;
778 printk(KERN_WARNING "SELinux: defcontext option is "
779 "invalid for this filesystem type\n");
780 goto out;
1da177e4
LT		 781 }
782
c9180a57
EP		 783 if (defcontext_sid != sbsec->def_sid) {
784 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 785 sbsec, cred);
c9180a57
EP		 786 if (rc)
787 goto out;
788 }
1da177e4 789
c9180a57 790 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 791 }
792
c9180a57 793 rc = sb_finish_set_opts(sb);
1da177e4 794out:
c9180a57 795 mutex_unlock(&sbsec->lock);
1da177e4 796 return rc;
c9180a57
EP		 797out_double_mount:
798 rc = -EINVAL;
799 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
800 "security settings for (dev %s, type %s)\n", sb->s_id, name);
801 goto out;
1da177e4
LT		 802}
803
c9180a57
EP		 804static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
805 struct super_block *newsb)
1da177e4 806{
c9180a57
EP		 807 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
808 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 809
c9180a57
EP		 810 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
811 int set_context = (oldsbsec->flags & CONTEXT_MNT);
812 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 813
0f5e6420
EP		 814 /*
815 * if the parent was able to be mounted it clearly had no special lsm
816 * mount options. thus we can safely put this sb on the list and deal
817 * with it later
818 */
819 if (!ss_initialized) {
820 spin_lock(&sb_security_lock);
821 if (list_empty(&newsbsec->list))
822 list_add(&newsbsec->list, &superblock_security_head);
823 spin_unlock(&sb_security_lock);
824 return;
825 }
c9180a57 826
c9180a57 827 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 828 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 829
5a552617 830 /* if fs is reusing a sb, just let its options stand... */
0d90a7ec 831 if (newsbsec->flags & SE_SBINITIALIZED)
5a552617
EP		 832 return;
833
c9180a57
EP		 834 mutex_lock(&newsbsec->lock);
835
836 newsbsec->flags = oldsbsec->flags;
837
838 newsbsec->sid = oldsbsec->sid;
839 newsbsec->def_sid = oldsbsec->def_sid;
840 newsbsec->behavior = oldsbsec->behavior;
841
842 if (set_context) {
843 u32 sid = oldsbsec->mntpoint_sid;
844
845 if (!set_fscontext)
846 newsbsec->sid = sid;
847 if (!set_rootcontext) {
848 struct inode *newinode = newsb->s_root->d_inode;
849 struct inode_security_struct *newisec = newinode->i_security;
850 newisec->sid = sid;
851 }
852 newsbsec->mntpoint_sid = sid;
1da177e4 853 }
c9180a57
EP		 854 if (set_rootcontext) {
855 const struct inode *oldinode = oldsb->s_root->d_inode;
856 const struct inode_security_struct *oldisec = oldinode->i_security;
857 struct inode *newinode = newsb->s_root->d_inode;
858 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 859
c9180a57 860 newisec->sid = oldisec->sid;
1da177e4
LT		 861 }
862
c9180a57
EP		 863 sb_finish_set_opts(newsb);
864 mutex_unlock(&newsbsec->lock);
865}
866
2e1479d9
AB		 867static int selinux_parse_opts_str(char *options,
868 struct security_mnt_opts *opts)
c9180a57 869{
e0007529 870 char *p;
c9180a57
EP		 871 char *context = NULL, *defcontext = NULL;
872 char *fscontext = NULL, *rootcontext = NULL;
e0007529 873 int rc, num_mnt_opts = 0;
1da177e4 874
e0007529 875 opts->num_mnt_opts = 0;
1da177e4 876
c9180a57
EP		 877 /* Standard string-based options. */
878 while ((p = strsep(&options, "|")) != NULL) {
879 int token;
880 substring_t args[MAX_OPT_ARGS];
1da177e4 881
c9180a57
EP		 882 if (!*p)
883 continue;
1da177e4 884
c9180a57 885 token = match_token(p, tokens, args);
1da177e4 886
c9180a57
EP		 887 switch (token) {
888 case Opt_context:
889 if (context || defcontext) {
890 rc = -EINVAL;
891 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
892 goto out_err;
893 }
894 context = match_strdup(&args[0]);
895 if (!context) {
896 rc = -ENOMEM;
897 goto out_err;
898 }
899 break;
900
901 case Opt_fscontext:
902 if (fscontext) {
903 rc = -EINVAL;
904 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
905 goto out_err;
906 }
907 fscontext = match_strdup(&args[0]);
908 if (!fscontext) {
909 rc = -ENOMEM;
910 goto out_err;
911 }
912 break;
913
914 case Opt_rootcontext:
915 if (rootcontext) {
916 rc = -EINVAL;
917 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
918 goto out_err;
919 }
920 rootcontext = match_strdup(&args[0]);
921 if (!rootcontext) {
922 rc = -ENOMEM;
923 goto out_err;
924 }
925 break;
926
927 case Opt_defcontext:
928 if (context || defcontext) {
929 rc = -EINVAL;
930 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
931 goto out_err;
932 }
933 defcontext = match_strdup(&args[0]);
934 if (!defcontext) {
935 rc = -ENOMEM;
936 goto out_err;
937 }
938 break;
11689d47
DQ		 939 case Opt_labelsupport:
940 break;
c9180a57
EP		 941 default:
942 rc = -EINVAL;
943 printk(KERN_WARNING "SELinux: unknown mount option\n");
944 goto out_err;
1da177e4 945
1da177e4 946 }
1da177e4 947 }
c9180a57 948
e0007529
EP		 949 rc = -ENOMEM;
950 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
951 if (!opts->mnt_opts)
952 goto out_err;
953
954 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
955 if (!opts->mnt_opts_flags) {
956 kfree(opts->mnt_opts);
957 goto out_err;
958 }
959
c9180a57 960 if (fscontext) {
e0007529
EP		 961 opts->mnt_opts[num_mnt_opts] = fscontext;
962 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 963 }
964 if (context) {
e0007529
EP		 965 opts->mnt_opts[num_mnt_opts] = context;
966 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 967 }
968 if (rootcontext) {
e0007529
EP		 969 opts->mnt_opts[num_mnt_opts] = rootcontext;
970 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 971 }
972 if (defcontext) {
e0007529
EP		 973 opts->mnt_opts[num_mnt_opts] = defcontext;
974 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 975 }
976
e0007529
EP		 977 opts->num_mnt_opts = num_mnt_opts;
978 return 0;
979
c9180a57
EP		 980out_err:
981 kfree(context);
982 kfree(defcontext);
983 kfree(fscontext);
984 kfree(rootcontext);
1da177e4
LT		 985 return rc;
986}
e0007529
EP		 987/*
988 * string mount options parsing and call set the sbsec
989 */
990static int superblock_doinit(struct super_block *sb, void *data)
991{
992 int rc = 0;
993 char *options = data;
994 struct security_mnt_opts opts;
995
996 security_init_mnt_opts(&opts);
997
998 if (!data)
999 goto out;
1000
1001 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1002
1003 rc = selinux_parse_opts_str(options, &opts);
1004 if (rc)
1005 goto out_err;
1006
1007out:
1008 rc = selinux_set_mnt_opts(sb, &opts);
1009
1010out_err:
1011 security_free_mnt_opts(&opts);
1012 return rc;
1013}
1da177e4 1014
3583a711
AB		 1015static void selinux_write_opts(struct seq_file *m,
1016 struct security_mnt_opts *opts)
2069f457
EP		 1017{
1018 int i;
1019 char *prefix;
1020
1021 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1022 char *has_comma;
1023
1024 if (opts->mnt_opts[i])
1025 has_comma = strchr(opts->mnt_opts[i], ',');
1026 else
1027 has_comma = NULL;
2069f457
EP		 1028
1029 switch (opts->mnt_opts_flags[i]) {
1030 case CONTEXT_MNT:
1031 prefix = CONTEXT_STR;
1032 break;
1033 case FSCONTEXT_MNT:
1034 prefix = FSCONTEXT_STR;
1035 break;
1036 case ROOTCONTEXT_MNT:
1037 prefix = ROOTCONTEXT_STR;
1038 break;
1039 case DEFCONTEXT_MNT:
1040 prefix = DEFCONTEXT_STR;
1041 break;
11689d47
DQ		 1042 case SE_SBLABELSUPP:
1043 seq_putc(m, ',');
1044 seq_puts(m, LABELSUPP_STR);
1045 continue;
2069f457
EP		 1046 default:
1047 BUG();
1048 };
1049 /* we need a comma before each option */
1050 seq_putc(m, ',');
1051 seq_puts(m, prefix);
1052 if (has_comma)
1053 seq_putc(m, '\"');
1054 seq_puts(m, opts->mnt_opts[i]);
1055 if (has_comma)
1056 seq_putc(m, '\"');
1057 }
1058}
1059
1060static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1061{
1062 struct security_mnt_opts opts;
1063 int rc;
1064
1065 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1066 if (rc) {
1067 /* before policy load we may get EINVAL, don't show anything */
1068 if (rc == -EINVAL)
1069 rc = 0;
2069f457 1070 return rc;
383795c2 1071 }
2069f457
EP		 1072
1073 selinux_write_opts(m, &opts);
1074
1075 security_free_mnt_opts(&opts);
1076
1077 return rc;
1078}
1079
1da177e4
LT		 1080static inline u16 inode_mode_to_security_class(umode_t mode)
1081{
1082 switch (mode & S_IFMT) {
1083 case S_IFSOCK:
1084 return SECCLASS_SOCK_FILE;
1085 case S_IFLNK:
1086 return SECCLASS_LNK_FILE;
1087 case S_IFREG:
1088 return SECCLASS_FILE;
1089 case S_IFBLK:
1090 return SECCLASS_BLK_FILE;
1091 case S_IFDIR:
1092 return SECCLASS_DIR;
1093 case S_IFCHR:
1094 return SECCLASS_CHR_FILE;
1095 case S_IFIFO:
1096 return SECCLASS_FIFO_FILE;
1097
1098 }
1099
1100 return SECCLASS_FILE;
1101}
1102
13402580
JM		 1103static inline int default_protocol_stream(int protocol)
1104{
1105 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1106}
1107
1108static inline int default_protocol_dgram(int protocol)
1109{
1110 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1111}
1112
1da177e4
LT		 1113static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1114{
1115 switch (family) {
1116 case PF_UNIX:
1117 switch (type) {
1118 case SOCK_STREAM:
1119 case SOCK_SEQPACKET:
1120 return SECCLASS_UNIX_STREAM_SOCKET;
1121 case SOCK_DGRAM:
1122 return SECCLASS_UNIX_DGRAM_SOCKET;
1123 }
1124 break;
1125 case PF_INET:
1126 case PF_INET6:
1127 switch (type) {
1128 case SOCK_STREAM:
13402580
JM		 1129 if (default_protocol_stream(protocol))
1130 return SECCLASS_TCP_SOCKET;
1131 else
1132 return SECCLASS_RAWIP_SOCKET;
1da177e4 1133 case SOCK_DGRAM:
13402580
JM		 1134 if (default_protocol_dgram(protocol))
1135 return SECCLASS_UDP_SOCKET;
1136 else
1137 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1138 case SOCK_DCCP:
1139 return SECCLASS_DCCP_SOCKET;
13402580 1140 default:
1da177e4
LT		 1141 return SECCLASS_RAWIP_SOCKET;
1142 }
1143 break;
1144 case PF_NETLINK:
1145 switch (protocol) {
1146 case NETLINK_ROUTE:
1147 return SECCLASS_NETLINK_ROUTE_SOCKET;
1148 case NETLINK_FIREWALL:
1149 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 1150 case NETLINK_INET_DIAG:
1da177e4
LT		 1151 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1152 case NETLINK_NFLOG:
1153 return SECCLASS_NETLINK_NFLOG_SOCKET;
1154 case NETLINK_XFRM:
1155 return SECCLASS_NETLINK_XFRM_SOCKET;
1156 case NETLINK_SELINUX:
1157 return SECCLASS_NETLINK_SELINUX_SOCKET;
1158 case NETLINK_AUDIT:
1159 return SECCLASS_NETLINK_AUDIT_SOCKET;
1160 case NETLINK_IP6_FW:
1161 return SECCLASS_NETLINK_IP6FW_SOCKET;
1162 case NETLINK_DNRTMSG:
1163 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1164 case NETLINK_KOBJECT_UEVENT:
1165 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1166 default:
1167 return SECCLASS_NETLINK_SOCKET;
1168 }
1169 case PF_PACKET:
1170 return SECCLASS_PACKET_SOCKET;
1171 case PF_KEY:
1172 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1173 case PF_APPLETALK:
1174 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1175 }
1176
1177 return SECCLASS_SOCKET;
1178}
1179
1180#ifdef CONFIG_PROC_FS
1181static int selinux_proc_get_sid(struct proc_dir_entry *de,
1182 u16 tclass,
1183 u32 *sid)
1184{
1185 int buflen, rc;
1186 char *buffer, *path, *end;
1187
828dfe1d 1188 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1189 if (!buffer)
1190 return -ENOMEM;
1191
1192 buflen = PAGE_SIZE;
1193 end = buffer+buflen;
1194 *--end = '\0';
1195 buflen--;
1196 path = end-1;
1197 *path = '/';
1198 while (de && de != de->parent) {
1199 buflen -= de->namelen + 1;
1200 if (buflen < 0)
1201 break;
1202 end -= de->namelen;
1203 memcpy(end, de->name, de->namelen);
1204 *--end = '/';
1205 path = end;
1206 de = de->parent;
1207 }
1208 rc = security_genfs_sid("proc", path, tclass, sid);
1209 free_page((unsigned long)buffer);
1210 return rc;
1211}
1212#else
1213static int selinux_proc_get_sid(struct proc_dir_entry *de,
1214 u16 tclass,
1215 u32 *sid)
1216{
1217 return -EINVAL;
1218}
1219#endif
1220
1221/* The inode's security attributes must be initialized before first use. */
1222static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1223{
1224 struct superblock_security_struct *sbsec = NULL;
1225 struct inode_security_struct *isec = inode->i_security;
1226 u32 sid;
1227 struct dentry *dentry;
1228#define INITCONTEXTLEN 255
1229 char *context = NULL;
1230 unsigned len = 0;
1231 int rc = 0;
1da177e4
LT		 1232
1233 if (isec->initialized)
1234 goto out;
1235
23970741 1236 mutex_lock(&isec->lock);
1da177e4 1237 if (isec->initialized)
23970741 1238 goto out_unlock;
1da177e4
LT		 1239
1240 sbsec = inode->i_sb->s_security;
0d90a7ec 1241 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1242 /* Defer initialization until selinux_complete_init,
1243 after the initial policy is loaded and the security
1244 server is ready to handle calls. */
1245 spin_lock(&sbsec->isec_lock);
1246 if (list_empty(&isec->list))
1247 list_add(&isec->list, &sbsec->isec_head);
1248 spin_unlock(&sbsec->isec_lock);
23970741 1249 goto out_unlock;
1da177e4
LT		 1250 }
1251
1252 switch (sbsec->behavior) {
1253 case SECURITY_FS_USE_XATTR:
1254 if (!inode->i_op->getxattr) {
1255 isec->sid = sbsec->def_sid;
1256 break;
1257 }
1258
1259 /* Need a dentry, since the xattr API requires one.
1260 Life would be simpler if we could just pass the inode. */
1261 if (opt_dentry) {
1262 /* Called from d_instantiate or d_splice_alias. */
1263 dentry = dget(opt_dentry);
1264 } else {
1265 /* Called from selinux_complete_init, try to find a dentry. */
1266 dentry = d_find_alias(inode);
1267 }
1268 if (!dentry) {
df7f54c0
EP		 1269 /*
1270 * this is can be hit on boot when a file is accessed
1271 * before the policy is loaded. When we load policy we
1272 * may find inodes that have no dentry on the
1273 * sbsec->isec_head list. No reason to complain as these
1274 * will get fixed up the next time we go through
1275 * inode_doinit with a dentry, before these inodes could
1276 * be used again by userspace.
1277 */
23970741 1278 goto out_unlock;
1da177e4
LT		 1279 }
1280
1281 len = INITCONTEXTLEN;
4cb912f1 1282 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1283 if (!context) {
1284 rc = -ENOMEM;
1285 dput(dentry);
23970741 1286 goto out_unlock;
1da177e4 1287 }
4cb912f1 1288 context[len] = '\0';
1da177e4
LT		 1289 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1290 context, len);
1291 if (rc == -ERANGE) {
314dabb8
JM		 1292 kfree(context);
1293
1da177e4
LT		 1294 /* Need a larger buffer. Query for the right size. */
1295 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1296 NULL, 0);
1297 if (rc < 0) {
1298 dput(dentry);
23970741 1299 goto out_unlock;
1da177e4 1300 }
1da177e4 1301 len = rc;
4cb912f1 1302 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1303 if (!context) {
1304 rc = -ENOMEM;
1305 dput(dentry);
23970741 1306 goto out_unlock;
1da177e4 1307 }
4cb912f1 1308 context[len] = '\0';
1da177e4
LT		 1309 rc = inode->i_op->getxattr(dentry,
1310 XATTR_NAME_SELINUX,
1311 context, len);
1312 }
1313 dput(dentry);
1314 if (rc < 0) {
1315 if (rc != -ENODATA) {
744ba35e 1316 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1317 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1318 -rc, inode->i_sb->s_id, inode->i_ino);
1319 kfree(context);
23970741 1320 goto out_unlock;
1da177e4
LT		 1321 }
1322 /* Map ENODATA to the default file SID */
1323 sid = sbsec->def_sid;
1324 rc = 0;
1325 } else {
f5c1d5b2 1326 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1327 sbsec->def_sid,
1328 GFP_NOFS);
1da177e4 1329 if (rc) {
4ba0a8ad
EP		 1330 char *dev = inode->i_sb->s_id;
1331 unsigned long ino = inode->i_ino;
1332
1333 if (rc == -EINVAL) {
1334 if (printk_ratelimit())
1335 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1336 "context=%s. This indicates you may need to relabel the inode or the "
1337 "filesystem in question.\n", ino, dev, context);
1338 } else {
1339 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1340 "returned %d for dev=%s ino=%ld\n",
1341 __func__, context, -rc, dev, ino);
1342 }
1da177e4
LT		 1343 kfree(context);
1344 /* Leave with the unlabeled SID */
1345 rc = 0;
1346 break;
1347 }
1348 }
1349 kfree(context);
1350 isec->sid = sid;
1351 break;
1352 case SECURITY_FS_USE_TASK:
1353 isec->sid = isec->task_sid;
1354 break;
1355 case SECURITY_FS_USE_TRANS:
1356 /* Default to the fs SID. */
1357 isec->sid = sbsec->sid;
1358
1359 /* Try to obtain a transition SID. */
1360 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1361 rc = security_transition_sid(isec->task_sid,
1362 sbsec->sid,
1363 isec->sclass,
1364 &sid);
1365 if (rc)
23970741 1366 goto out_unlock;
1da177e4
LT		 1367 isec->sid = sid;
1368 break;
c312feb2
EP		 1369 case SECURITY_FS_USE_MNTPOINT:
1370 isec->sid = sbsec->mntpoint_sid;
1371 break;
1da177e4 1372 default:
c312feb2 1373 /* Default to the fs superblock SID. */
1da177e4
LT		 1374 isec->sid = sbsec->sid;
1375
0d90a7ec 1376 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1da177e4
LT		 1377 struct proc_inode *proci = PROC_I(inode);
1378 if (proci->pde) {
1379 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1380 rc = selinux_proc_get_sid(proci->pde,
1381 isec->sclass,
1382 &sid);
1383 if (rc)
23970741 1384 goto out_unlock;
1da177e4
LT		 1385 isec->sid = sid;
1386 }
1387 }
1388 break;
1389 }
1390
1391 isec->initialized = 1;
1392
23970741
EP		 1393out_unlock:
1394 mutex_unlock(&isec->lock);
1da177e4
LT		 1395out:
1396 if (isec->sclass == SECCLASS_FILE)
1397 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1398 return rc;
1399}
1400
1401/* Convert a Linux signal to an access vector. */
1402static inline u32 signal_to_av(int sig)
1403{
1404 u32 perm = 0;
1405
1406 switch (sig) {
1407 case SIGCHLD:
1408 /* Commonly granted from child to parent. */
1409 perm = PROCESS__SIGCHLD;
1410 break;
1411 case SIGKILL:
1412 /* Cannot be caught or ignored */
1413 perm = PROCESS__SIGKILL;
1414 break;
1415 case SIGSTOP:
1416 /* Cannot be caught or ignored */
1417 perm = PROCESS__SIGSTOP;
1418 break;
1419 default:
1420 /* All other signals. */
1421 perm = PROCESS__SIGNAL;
1422 break;
1423 }
1424
1425 return perm;
1426}
1427
d84f4f99
DH		 1428/*
1429 * Check permission between a pair of credentials
1430 * fork check, ptrace check, etc.
1431 */
1432static int cred_has_perm(const struct cred *actor,
1433 const struct cred *target,
1434 u32 perms)
1435{
1436 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1437
1438 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1439}
1440
275bb41e 1441/*
88e67f3b 1442 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1443 * fork check, ptrace check, etc.
1444 * tsk1 is the actor and tsk2 is the target
3b11a1de 1445 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1446 */
1447static int task_has_perm(const struct task_struct *tsk1,
1448 const struct task_struct *tsk2,
1da177e4
LT		 1449 u32 perms)
1450{
275bb41e
DH		 1451 const struct task_security_struct *__tsec1, *__tsec2;
1452 u32 sid1, sid2;
1da177e4 1453
275bb41e
DH		 1454 rcu_read_lock();
1455 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1456 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1457 rcu_read_unlock();
1458 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1459}
1460
3b11a1de
DH		 1461/*
1462 * Check permission between current and another task, e.g. signal checks,
1463 * fork check, ptrace check, etc.
1464 * current is the actor and tsk2 is the target
1465 * - this uses current's subjective creds
1466 */
1467static int current_has_perm(const struct task_struct *tsk,
1468 u32 perms)
1469{
1470 u32 sid, tsid;
1471
1472 sid = current_sid();
1473 tsid = task_sid(tsk);
1474 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1475}
1476
b68e418c
SS		 1477#if CAP_LAST_CAP > 63
1478#error Fix SELinux to handle capabilities > 63.
1479#endif
1480
1da177e4
LT		 1481/* Check whether a task is allowed to use a capability. */
1482static int task_has_capability(struct task_struct *tsk,
3699c53c 1483 const struct cred *cred,
06112163 1484 int cap, int audit)
1da177e4 1485{
2bf49690 1486 struct common_audit_data ad;
06112163 1487 struct av_decision avd;
b68e418c 1488 u16 sclass;
3699c53c 1489 u32 sid = cred_sid(cred);
b68e418c 1490 u32 av = CAP_TO_MASK(cap);
06112163 1491 int rc;
1da177e4 1492
2bf49690 1493 COMMON_AUDIT_DATA_INIT(&ad, CAP);
1da177e4
LT		 1494 ad.tsk = tsk;
1495 ad.u.cap = cap;
1496
b68e418c
SS		 1497 switch (CAP_TO_INDEX(cap)) {
1498 case 0:
1499 sclass = SECCLASS_CAPABILITY;
1500 break;
1501 case 1:
1502 sclass = SECCLASS_CAPABILITY2;
1503 break;
1504 default:
1505 printk(KERN_ERR
1506 "SELinux: out of range capability %d\n", cap);
1507 BUG();
1508 }
06112163 1509
275bb41e 1510 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
06112163 1511 if (audit == SECURITY_CAP_AUDIT)
275bb41e 1512 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
06112163 1513 return rc;
1da177e4
LT		 1514}
1515
1516/* Check whether a task is allowed to use a system operation. */
1517static int task_has_system(struct task_struct *tsk,
1518 u32 perms)
1519{
275bb41e 1520 u32 sid = task_sid(tsk);
1da177e4 1521
275bb41e 1522 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1523 SECCLASS_SYSTEM, perms, NULL);
1524}
1525
1526/* Check whether a task has a particular permission to an inode.
1527 The 'adp' parameter is optional and allows other audit
1528 data to be passed (e.g. the dentry). */
88e67f3b 1529static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1530 struct inode *inode,
1531 u32 perms,
2bf49690 1532 struct common_audit_data *adp)
1da177e4 1533{
1da177e4 1534 struct inode_security_struct *isec;
2bf49690 1535 struct common_audit_data ad;
275bb41e 1536 u32 sid;
1da177e4 1537
e0e81739
DH		 1538 validate_creds(cred);
1539
828dfe1d 1540 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1541 return 0;
1542
88e67f3b 1543 sid = cred_sid(cred);
1da177e4
LT		 1544 isec = inode->i_security;
1545
1546 if (!adp) {
1547 adp = &ad;
2bf49690 1548 COMMON_AUDIT_DATA_INIT(&ad, FS);
1da177e4
LT		 1549 ad.u.fs.inode = inode;
1550 }
1551
275bb41e 1552 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1553}
1554
1555/* Same as inode_has_perm, but pass explicit audit data containing
1556 the dentry to help the auditing code to more easily generate the
1557 pathname if needed. */
88e67f3b 1558static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1559 struct vfsmount *mnt,
1560 struct dentry *dentry,
1561 u32 av)
1562{
1563 struct inode *inode = dentry->d_inode;
2bf49690 1564 struct common_audit_data ad;
88e67f3b 1565
2bf49690 1566 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf
JB		 1567 ad.u.fs.path.mnt = mnt;
1568 ad.u.fs.path.dentry = dentry;
88e67f3b 1569 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1570}
1571
1572/* Check whether a task can use an open file descriptor to
1573 access an inode in a given way. Check access to the
1574 descriptor itself, and then use dentry_has_perm to
1575 check a particular permission to the file.
1576 Access to the descriptor is implicitly granted if it
1577 has the same SID as the process. If av is zero, then
1578 access to the file is not checked, e.g. for cases
1579 where only the descriptor is affected like seek. */
88e67f3b
DH		 1580static int file_has_perm(const struct cred *cred,
1581 struct file *file,
1582 u32 av)
1da177e4 1583{
1da177e4 1584 struct file_security_struct *fsec = file->f_security;
44707fdf 1585 struct inode *inode = file->f_path.dentry->d_inode;
2bf49690 1586 struct common_audit_data ad;
88e67f3b 1587 u32 sid = cred_sid(cred);
1da177e4
LT		 1588 int rc;
1589
2bf49690 1590 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1591 ad.u.fs.path = file->f_path;
1da177e4 1592
275bb41e
DH		 1593 if (sid != fsec->sid) {
1594 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1595 SECCLASS_FD,
1596 FD__USE,
1597 &ad);
1598 if (rc)
88e67f3b 1599 goto out;
1da177e4
LT		 1600 }
1601
1602 /* av is zero if only checking access to the descriptor. */
88e67f3b 1603 rc = 0;
1da177e4 1604 if (av)
88e67f3b 1605 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1606
88e67f3b
DH		 1607out:
1608 return rc;
1da177e4
LT		 1609}
1610
1611/* Check whether a task can create a file. */
1612static int may_create(struct inode *dir,
1613 struct dentry *dentry,
1614 u16 tclass)
1615{
275bb41e
DH		 1616 const struct cred *cred = current_cred();
1617 const struct task_security_struct *tsec = cred->security;
1da177e4
LT		 1618 struct inode_security_struct *dsec;
1619 struct superblock_security_struct *sbsec;
275bb41e 1620 u32 sid, newsid;
2bf49690 1621 struct common_audit_data ad;
1da177e4
LT		 1622 int rc;
1623
1da177e4
LT		 1624 dsec = dir->i_security;
1625 sbsec = dir->i_sb->s_security;
1626
275bb41e
DH		 1627 sid = tsec->sid;
1628 newsid = tsec->create_sid;
1629
2bf49690 1630 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1631 ad.u.fs.path.dentry = dentry;
1da177e4 1632
275bb41e 1633 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1634 DIR__ADD_NAME | DIR__SEARCH,
1635 &ad);
1636 if (rc)
1637 return rc;
1638
cd89596f 1639 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
275bb41e 1640 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
1da177e4
LT		 1641 if (rc)
1642 return rc;
1643 }
1644
275bb41e 1645 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1646 if (rc)
1647 return rc;
1648
1649 return avc_has_perm(newsid, sbsec->sid,
1650 SECCLASS_FILESYSTEM,
1651 FILESYSTEM__ASSOCIATE, &ad);
1652}
1653
4eb582cf
ML		 1654/* Check whether a task can create a key. */
1655static int may_create_key(u32 ksid,
1656 struct task_struct *ctx)
1657{
275bb41e 1658 u32 sid = task_sid(ctx);
4eb582cf 1659
275bb41e 1660 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1661}
1662
828dfe1d
EP		 1663#define MAY_LINK 0
1664#define MAY_UNLINK 1
1665#define MAY_RMDIR 2
1da177e4
LT		 1666
1667/* Check whether a task can link, unlink, or rmdir a file/directory. */
1668static int may_link(struct inode *dir,
1669 struct dentry *dentry,
1670 int kind)
1671
1672{
1da177e4 1673 struct inode_security_struct *dsec, *isec;
2bf49690 1674 struct common_audit_data ad;
275bb41e 1675 u32 sid = current_sid();
1da177e4
LT		 1676 u32 av;
1677 int rc;
1678
1da177e4
LT		 1679 dsec = dir->i_security;
1680 isec = dentry->d_inode->i_security;
1681
2bf49690 1682 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1683 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1684
1685 av = DIR__SEARCH;
1686 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1687 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1688 if (rc)
1689 return rc;
1690
1691 switch (kind) {
1692 case MAY_LINK:
1693 av = FILE__LINK;
1694 break;
1695 case MAY_UNLINK:
1696 av = FILE__UNLINK;
1697 break;
1698 case MAY_RMDIR:
1699 av = DIR__RMDIR;
1700 break;
1701 default:
744ba35e
EP		 1702 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1703 __func__, kind);
1da177e4
LT		 1704 return 0;
1705 }
1706
275bb41e 1707 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1708 return rc;
1709}
1710
1711static inline int may_rename(struct inode *old_dir,
1712 struct dentry *old_dentry,
1713 struct inode *new_dir,
1714 struct dentry *new_dentry)
1715{
1da177e4 1716 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1717 struct common_audit_data ad;
275bb41e 1718 u32 sid = current_sid();
1da177e4
LT		 1719 u32 av;
1720 int old_is_dir, new_is_dir;
1721 int rc;
1722
1da177e4
LT		 1723 old_dsec = old_dir->i_security;
1724 old_isec = old_dentry->d_inode->i_security;
1725 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1726 new_dsec = new_dir->i_security;
1727
2bf49690 1728 COMMON_AUDIT_DATA_INIT(&ad, FS);
1da177e4 1729
44707fdf 1730 ad.u.fs.path.dentry = old_dentry;
275bb41e 1731 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1732 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1733 if (rc)
1734 return rc;
275bb41e 1735 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1736 old_isec->sclass, FILE__RENAME, &ad);
1737 if (rc)
1738 return rc;
1739 if (old_is_dir && new_dir != old_dir) {
275bb41e 1740 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1741 old_isec->sclass, DIR__REPARENT, &ad);
1742 if (rc)
1743 return rc;
1744 }
1745
44707fdf 1746 ad.u.fs.path.dentry = new_dentry;
1da177e4
LT		 1747 av = DIR__ADD_NAME | DIR__SEARCH;
1748 if (new_dentry->d_inode)
1749 av |= DIR__REMOVE_NAME;
275bb41e 1750 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1751 if (rc)
1752 return rc;
1753 if (new_dentry->d_inode) {
1754 new_isec = new_dentry->d_inode->i_security;
1755 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
275bb41e 1756 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1757 new_isec->sclass,
1758 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1759 if (rc)
1760 return rc;
1761 }
1762
1763 return 0;
1764}
1765
1766/* Check whether a task can perform a filesystem operation. */
88e67f3b 1767static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1768 struct super_block *sb,
1769 u32 perms,
2bf49690 1770 struct common_audit_data *ad)
1da177e4 1771{
1da177e4 1772 struct superblock_security_struct *sbsec;
88e67f3b 1773 u32 sid = cred_sid(cred);
1da177e4 1774
1da177e4 1775 sbsec = sb->s_security;
275bb41e 1776 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1777}
1778
1779/* Convert a Linux mode and permission mask to an access vector. */
1780static inline u32 file_mask_to_av(int mode, int mask)
1781{
1782 u32 av = 0;
1783
1784 if ((mode & S_IFMT) != S_IFDIR) {
1785 if (mask & MAY_EXEC)
1786 av |= FILE__EXECUTE;
1787 if (mask & MAY_READ)
1788 av |= FILE__READ;
1789
1790 if (mask & MAY_APPEND)
1791 av |= FILE__APPEND;
1792 else if (mask & MAY_WRITE)
1793 av |= FILE__WRITE;
1794
1795 } else {
1796 if (mask & MAY_EXEC)
1797 av |= DIR__SEARCH;
1798 if (mask & MAY_WRITE)
1799 av |= DIR__WRITE;
1800 if (mask & MAY_READ)
1801 av |= DIR__READ;
1802 }
1803
1804 return av;
1805}
1806
8b6a5a37
EP		 1807/* Convert a Linux file to an access vector. */
1808static inline u32 file_to_av(struct file *file)
1809{
1810 u32 av = 0;
1811
1812 if (file->f_mode & FMODE_READ)
1813 av |= FILE__READ;
1814 if (file->f_mode & FMODE_WRITE) {
1815 if (file->f_flags & O_APPEND)
1816 av |= FILE__APPEND;
1817 else
1818 av |= FILE__WRITE;
1819 }
1820 if (!av) {
1821 /*
1822 * Special file opened with flags 3 for ioctl-only use.
1823 */
1824 av = FILE__IOCTL;
1825 }
1826
1827 return av;
1828}
1829
b0c636b9 1830/*
8b6a5a37 1831 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 1832 * open permission.
1833 */
8b6a5a37 1834static inline u32 open_file_to_av(struct file *file)
b0c636b9 1835{
8b6a5a37 1836 u32 av = file_to_av(file);
b0c636b9
EP		 1837
1838 if (selinux_policycap_openperm) {
8b6a5a37 1839 mode_t mode = file->f_path.dentry->d_inode->i_mode;
b0c636b9
EP		 1840 /*
1841 * lnk files and socks do not really have an 'open'
1842 */
1843 if (S_ISREG(mode))
1844 av |= FILE__OPEN;
1845 else if (S_ISCHR(mode))
1846 av |= CHR_FILE__OPEN;
1847 else if (S_ISBLK(mode))
1848 av |= BLK_FILE__OPEN;
1849 else if (S_ISFIFO(mode))
1850 av |= FIFO_FILE__OPEN;
1851 else if (S_ISDIR(mode))
1852 av |= DIR__OPEN;
6a25b27d
EP		 1853 else if (S_ISSOCK(mode))
1854 av |= SOCK_FILE__OPEN;
b0c636b9 1855 else
744ba35e 1856 printk(KERN_ERR "SELinux: WARNING: inside %s with "
8b6a5a37 1857 "unknown mode:%o\n", __func__, mode);
b0c636b9
EP		 1858 }
1859 return av;
1860}
1861
1da177e4
LT		 1862/* Hook functions begin here. */
1863
9e48858f 1864static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 1865 unsigned int mode)
1da177e4 1866{
1da177e4
LT		 1867 int rc;
1868
9e48858f 1869 rc = cap_ptrace_access_check(child, mode);
1da177e4
LT		 1870 if (rc)
1871 return rc;
1872
006ebb40 1873 if (mode == PTRACE_MODE_READ) {
275bb41e
DH		 1874 u32 sid = current_sid();
1875 u32 csid = task_sid(child);
1876 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 1877 }
1878
3b11a1de 1879 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 1880}
1881
1882static int selinux_ptrace_traceme(struct task_struct *parent)
1883{
1884 int rc;
1885
200ac532 1886 rc = cap_ptrace_traceme(parent);
5cd9c58f
DH		 1887 if (rc)
1888 return rc;
1889
1890 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 1891}
1892
1893static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 1894 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4
LT		 1895{
1896 int error;
1897
3b11a1de 1898 error = current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 1899 if (error)
1900 return error;
1901
200ac532 1902 return cap_capget(target, effective, inheritable, permitted);
1da177e4
LT		 1903}
1904
d84f4f99
DH		 1905static int selinux_capset(struct cred *new, const struct cred *old,
1906 const kernel_cap_t *effective,
1907 const kernel_cap_t *inheritable,
1908 const kernel_cap_t *permitted)
1da177e4
LT		 1909{
1910 int error;
1911
200ac532 1912 error = cap_capset(new, old,
d84f4f99 1913 effective, inheritable, permitted);
1da177e4
LT		 1914 if (error)
1915 return error;
1916
d84f4f99 1917 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 1918}
1919
5626d3e8
JM		 1920/*
1921 * (This comment used to live with the selinux_task_setuid hook,
1922 * which was removed).
1923 *
1924 * Since setuid only affects the current process, and since the SELinux
1925 * controls are not based on the Linux identity attributes, SELinux does not
1926 * need to control this operation. However, SELinux does control the use of
1927 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1928 */
1929
3699c53c
DH		 1930static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1931 int cap, int audit)
1da177e4
LT		 1932{
1933 int rc;
1934
200ac532 1935 rc = cap_capable(tsk, cred, cap, audit);
1da177e4
LT		 1936 if (rc)
1937 return rc;
1938
3699c53c 1939 return task_has_capability(tsk, cred, cap, audit);
1da177e4
LT		 1940}
1941
3fbfa981
EB		 1942static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1943{
1944 int buflen, rc;
1945 char *buffer, *path, *end;
1946
1947 rc = -ENOMEM;
828dfe1d 1948 buffer = (char *)__get_free_page(GFP_KERNEL);
3fbfa981
EB		 1949 if (!buffer)
1950 goto out;
1951
1952 buflen = PAGE_SIZE;
1953 end = buffer+buflen;
1954 *--end = '\0';
1955 buflen--;
1956 path = end-1;
1957 *path = '/';
1958 while (table) {
1959 const char *name = table->procname;
1960 size_t namelen = strlen(name);
1961 buflen -= namelen + 1;
1962 if (buflen < 0)
1963 goto out_free;
1964 end -= namelen;
1965 memcpy(end, name, namelen);
1966 *--end = '/';
1967 path = end;
1968 table = table->parent;
1969 }
b599fdfd
EB		 1970 buflen -= 4;
1971 if (buflen < 0)
1972 goto out_free;
1973 end -= 4;
1974 memcpy(end, "/sys", 4);
1975 path = end;
3fbfa981
EB		 1976 rc = security_genfs_sid("proc", path, tclass, sid);
1977out_free:
1978 free_page((unsigned long)buffer);
1979out:
1980 return rc;
1981}
1982
1da177e4
LT		 1983static int selinux_sysctl(ctl_table *table, int op)
1984{
1985 int error = 0;
1986 u32 av;
275bb41e 1987 u32 tsid, sid;
1da177e4
LT		 1988 int rc;
1989
275bb41e 1990 sid = current_sid();
1da177e4 1991
3fbfa981
EB		 1992 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1993 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1da177e4
LT		 1994 if (rc) {
1995 /* Default to the well-defined sysctl SID. */
1996 tsid = SECINITSID_SYSCTL;
1997 }
1998
1999 /* The op values are "defined" in sysctl.c, thereby creating
2000 * a bad coupling between this module and sysctl.c */
828dfe1d 2001 if (op == 001) {
275bb41e 2002 error = avc_has_perm(sid, tsid,
1da177e4
LT		 2003 SECCLASS_DIR, DIR__SEARCH, NULL);
2004 } else {
2005 av = 0;
2006 if (op & 004)
2007 av |= FILE__READ;
2008 if (op & 002)
2009 av |= FILE__WRITE;
2010 if (av)
275bb41e 2011 error = avc_has_perm(sid, tsid,
1da177e4 2012 SECCLASS_FILE, av, NULL);
828dfe1d 2013 }
1da177e4
LT		 2014
2015 return error;
2016}
2017
2018static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2019{
88e67f3b 2020 const struct cred *cred = current_cred();
1da177e4
LT		 2021 int rc = 0;
2022
2023 if (!sb)
2024 return 0;
2025
2026 switch (cmds) {
828dfe1d
EP		 2027 case Q_SYNC:
2028 case Q_QUOTAON:
2029 case Q_QUOTAOFF:
2030 case Q_SETINFO:
2031 case Q_SETQUOTA:
88e67f3b 2032 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2033 break;
2034 case Q_GETFMT:
2035 case Q_GETINFO:
2036 case Q_GETQUOTA:
88e67f3b 2037 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2038 break;
2039 default:
2040 rc = 0; /* let the kernel handle invalid cmds */
2041 break;
1da177e4
LT		 2042 }
2043 return rc;
2044}
2045
2046static int selinux_quota_on(struct dentry *dentry)
2047{
88e67f3b
DH		 2048 const struct cred *cred = current_cred();
2049
2050 return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1da177e4
LT		 2051}
2052
00234592 2053static int selinux_syslog(int type, bool from_file)
1da177e4
LT		 2054{
2055 int rc;
2056
00234592 2057 rc = cap_syslog(type, from_file);
1da177e4
LT		 2058 if (rc)
2059 return rc;
2060
2061 switch (type) {
828dfe1d
EP		 2062 case 3: /* Read last kernel messages */
2063 case 10: /* Return size of the log buffer */
2064 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2065 break;
2066 case 6: /* Disable logging to console */
2067 case 7: /* Enable logging to console */
2068 case 8: /* Set level of messages printed to console */
2069 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2070 break;
2071 case 0: /* Close log */
2072 case 1: /* Open log */
2073 case 2: /* Read from log */
2074 case 4: /* Read/clear last kernel messages */
2075 case 5: /* Clear ring buffer */
2076 default:
2077 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2078 break;
1da177e4
LT		 2079 }
2080 return rc;
2081}
2082
2083/*
2084 * Check that a process has enough memory to allocate a new virtual
2085 * mapping. 0 means there is enough memory for the allocation to
2086 * succeed and -ENOMEM implies there is not.
2087 *
1da177e4
LT		 2088 * Do not audit the selinux permission check, as this is applied to all
2089 * processes that allocate mappings.
2090 */
34b4e4aa 2091static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2092{
2093 int rc, cap_sys_admin = 0;
1da177e4 2094
3699c53c
DH		 2095 rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
2096 SECURITY_CAP_NOAUDIT);
1da177e4
LT		 2097 if (rc == 0)
2098 cap_sys_admin = 1;
2099
34b4e4aa 2100 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 2101}
2102
2103/* binprm security operations */
2104
a6f76f23 2105static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2106{
a6f76f23
DH		 2107 const struct task_security_struct *old_tsec;
2108 struct task_security_struct *new_tsec;
1da177e4 2109 struct inode_security_struct *isec;
2bf49690 2110 struct common_audit_data ad;
a6f76f23 2111 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1da177e4
LT		 2112 int rc;
2113
200ac532 2114 rc = cap_bprm_set_creds(bprm);
1da177e4
LT		 2115 if (rc)
2116 return rc;
2117
a6f76f23
DH		 2118 /* SELinux context only depends on initial program or script and not
2119 * the script interpreter */
2120 if (bprm->cred_prepared)
1da177e4
LT		 2121 return 0;
2122
a6f76f23
DH		 2123 old_tsec = current_security();
2124 new_tsec = bprm->cred->security;
1da177e4
LT		 2125 isec = inode->i_security;
2126
2127 /* Default to the current task SID. */
a6f76f23
DH		 2128 new_tsec->sid = old_tsec->sid;
2129 new_tsec->osid = old_tsec->sid;
1da177e4 2130
28eba5bf 2131 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2132 new_tsec->create_sid = 0;
2133 new_tsec->keycreate_sid = 0;
2134 new_tsec->sockcreate_sid = 0;
1da177e4 2135
a6f76f23
DH		 2136 if (old_tsec->exec_sid) {
2137 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2138 /* Reset exec SID on execve. */
a6f76f23 2139 new_tsec->exec_sid = 0;
1da177e4
LT		 2140 } else {
2141 /* Check for a default transition on this program. */
a6f76f23
DH		 2142 rc = security_transition_sid(old_tsec->sid, isec->sid,
2143 SECCLASS_PROCESS, &new_tsec->sid);
1da177e4
LT		 2144 if (rc)
2145 return rc;
2146 }
2147
2bf49690 2148 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2149 ad.u.fs.path = bprm->file->f_path;
1da177e4 2150
3d5ff529 2151 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
a6f76f23 2152 new_tsec->sid = old_tsec->sid;
1da177e4 2153
a6f76f23
DH		 2154 if (new_tsec->sid == old_tsec->sid) {
2155 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2156 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2157 if (rc)
2158 return rc;
2159 } else {
2160 /* Check permissions for the transition. */
a6f76f23 2161 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2162 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2163 if (rc)
2164 return rc;
2165
a6f76f23 2166 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2167 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2168 if (rc)
2169 return rc;
2170
a6f76f23
DH		 2171 /* Check for shared state */
2172 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2173 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2174 SECCLASS_PROCESS, PROCESS__SHARE,
2175 NULL);
2176 if (rc)
2177 return -EPERM;
2178 }
2179
2180 /* Make sure that anyone attempting to ptrace over a task that
2181 * changes its SID has the appropriate permit */
2182 if (bprm->unsafe &
2183 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2184 struct task_struct *tracer;
2185 struct task_security_struct *sec;
2186 u32 ptsid = 0;
2187
2188 rcu_read_lock();
2189 tracer = tracehook_tracer_task(current);
2190 if (likely(tracer != NULL)) {
2191 sec = __task_cred(tracer)->security;
2192 ptsid = sec->sid;
2193 }
2194 rcu_read_unlock();
2195
2196 if (ptsid != 0) {
2197 rc = avc_has_perm(ptsid, new_tsec->sid,
2198 SECCLASS_PROCESS,
2199 PROCESS__PTRACE, NULL);
2200 if (rc)
2201 return -EPERM;
2202 }
2203 }
1da177e4 2204
a6f76f23
DH		 2205 /* Clear any possibly unsafe personality bits on exec: */
2206 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2207 }
2208
1da177e4
LT		 2209 return 0;
2210}
2211
828dfe1d 2212static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2213{
275bb41e
DH		 2214 const struct cred *cred = current_cred();
2215 const struct task_security_struct *tsec = cred->security;
2216 u32 sid, osid;
1da177e4
LT		 2217 int atsecure = 0;
2218
275bb41e
DH		 2219 sid = tsec->sid;
2220 osid = tsec->osid;
2221
2222 if (osid != sid) {
1da177e4
LT		 2223 /* Enable secure mode for SIDs transitions unless
2224 the noatsecure permission is granted between
2225 the two SIDs, i.e. ahp returns 0. */
275bb41e 2226 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2227 SECCLASS_PROCESS,
2228 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2229 }
2230
200ac532 2231 return (atsecure || cap_bprm_secureexec(bprm));
1da177e4
LT		 2232}
2233
1da177e4
LT		 2234extern struct vfsmount *selinuxfs_mount;
2235extern struct dentry *selinux_null;
2236
2237/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2238static inline void flush_unauthorized_files(const struct cred *cred,
2239 struct files_struct *files)
1da177e4 2240{
2bf49690 2241 struct common_audit_data ad;
1da177e4 2242 struct file *file, *devnull = NULL;
b20c8122 2243 struct tty_struct *tty;
badf1662 2244 struct fdtable *fdt;
1da177e4 2245 long j = -1;
24ec839c 2246 int drop_tty = 0;
1da177e4 2247
24ec839c 2248 tty = get_current_tty();
1da177e4
LT		 2249 if (tty) {
2250 file_list_lock();
37dd0bd0
EP		 2251 if (!list_empty(&tty->tty_files)) {
2252 struct inode *inode;
2253
1da177e4
LT		 2254 /* Revalidate access to controlling tty.
2255 Use inode_has_perm on the tty inode directly rather
2256 than using file_has_perm, as this particular open
2257 file may belong to another process and we are only
2258 interested in the inode-based check here. */
37dd0bd0
EP		 2259 file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list);
2260 inode = file->f_path.dentry->d_inode;
88e67f3b 2261 if (inode_has_perm(cred, inode,
1da177e4 2262 FILE__READ | FILE__WRITE, NULL)) {
24ec839c 2263 drop_tty = 1;
1da177e4
LT		 2264 }
2265 }
2266 file_list_unlock();
452a00d2 2267 tty_kref_put(tty);
1da177e4 2268 }
98a27ba4
EB		 2269 /* Reset controlling tty. */
2270 if (drop_tty)
2271 no_tty();
1da177e4
LT		 2272
2273 /* Revalidate access to inherited open files. */
2274
2bf49690 2275 COMMON_AUDIT_DATA_INIT(&ad, FS);
1da177e4
LT		 2276
2277 spin_lock(&files->file_lock);
2278 for (;;) {
2279 unsigned long set, i;
2280 int fd;
2281
2282 j++;
2283 i = j * __NFDBITS;
badf1662 2284 fdt = files_fdtable(files);
bbea9f69 2285 if (i >= fdt->max_fds)
1da177e4 2286 break;
badf1662 2287 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 2288 if (!set)
2289 continue;
2290 spin_unlock(&files->file_lock);
828dfe1d 2291 for ( ; set ; i++, set >>= 1) {
1da177e4
LT		 2292 if (set & 1) {
2293 file = fget(i);
2294 if (!file)
2295 continue;
88e67f3b 2296 if (file_has_perm(cred,
1da177e4
LT		 2297 file,
2298 file_to_av(file))) {
2299 sys_close(i);
2300 fd = get_unused_fd();
2301 if (fd != i) {
2302 if (fd >= 0)
2303 put_unused_fd(fd);
2304 fput(file);
2305 continue;
2306 }
2307 if (devnull) {
095975da 2308 get_file(devnull);
1da177e4 2309 } else {
745ca247
DH		 2310 devnull = dentry_open(
2311 dget(selinux_null),
2312 mntget(selinuxfs_mount),
2313 O_RDWR, cred);
fc5d81e6
AM		 2314 if (IS_ERR(devnull)) {
2315 devnull = NULL;
1da177e4
LT		 2316 put_unused_fd(fd);
2317 fput(file);
2318 continue;
2319 }
2320 }
2321 fd_install(fd, devnull);
2322 }
2323 fput(file);
2324 }
2325 }
2326 spin_lock(&files->file_lock);
2327
2328 }
2329 spin_unlock(&files->file_lock);
2330}
2331
a6f76f23
DH		 2332/*
2333 * Prepare a process for imminent new credential changes due to exec
2334 */
2335static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2336{
a6f76f23
DH		 2337 struct task_security_struct *new_tsec;
2338 struct rlimit *rlim, *initrlim;
2339 int rc, i;
d84f4f99 2340
a6f76f23
DH		 2341 new_tsec = bprm->cred->security;
2342 if (new_tsec->sid == new_tsec->osid)
2343 return;
1da177e4 2344
a6f76f23
DH		 2345 /* Close files for which the new task SID is not authorized. */
2346 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2347
a6f76f23
DH		 2348 /* Always clear parent death signal on SID transitions. */
2349 current->pdeath_signal = 0;
0356357c 2350
a6f76f23
DH		 2351 /* Check whether the new SID can inherit resource limits from the old
2352 * SID. If not, reset all soft limits to the lower of the current
2353 * task's hard limit and the init task's soft limit.
2354 *
2355 * Note that the setting of hard limits (even to lower them) can be
2356 * controlled by the setrlimit check. The inclusion of the init task's
2357 * soft limit into the computation is to avoid resetting soft limits
2358 * higher than the default soft limit for cases where the default is
2359 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2360 */
2361 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2362 PROCESS__RLIMITINH, NULL);
2363 if (rc) {
2364 for (i = 0; i < RLIM_NLIMITS; i++) {
2365 rlim = current->signal->rlim + i;
2366 initrlim = init_task.signal->rlim + i;
2367 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2368 }
17740d89 2369 update_rlimit_cpu(current->signal->rlim[RLIMIT_CPU].rlim_cur);
1da177e4
LT		 2370 }
2371}
2372
2373/*
a6f76f23
DH		 2374 * Clean up the process immediately after the installation of new credentials
2375 * due to exec
1da177e4 2376 */
a6f76f23 2377static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2378{
a6f76f23 2379 const struct task_security_struct *tsec = current_security();
1da177e4 2380 struct itimerval itimer;
a6f76f23 2381 u32 osid, sid;
1da177e4
LT		 2382 int rc, i;
2383
a6f76f23
DH		 2384 osid = tsec->osid;
2385 sid = tsec->sid;
2386
2387 if (sid == osid)
1da177e4
LT		 2388 return;
2389
a6f76f23
DH		 2390 /* Check whether the new SID can inherit signal state from the old SID.
2391 * If not, clear itimers to avoid subsequent signal generation and
2392 * flush and unblock signals.
2393 *
2394 * This must occur _after_ the task SID has been updated so that any
2395 * kill done after the flush will be checked against the new SID.
2396 */
2397 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4
LT		 2398 if (rc) {
2399 memset(&itimer, 0, sizeof itimer);
2400 for (i = 0; i < 3; i++)
2401 do_setitimer(i, &itimer, NULL);
1da177e4 2402 spin_lock_irq(&current->sighand->siglock);
3bcac026
DH		 2403 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2404 __flush_signals(current);
2405 flush_signal_handlers(current, 1);
2406 sigemptyset(&current->blocked);
2407 }
1da177e4
LT		 2408 spin_unlock_irq(&current->sighand->siglock);
2409 }
2410
a6f76f23
DH		 2411 /* Wake up the parent if it is waiting so that it can recheck
2412 * wait permission to the new task SID. */
ecd6de3c 2413 read_lock(&tasklist_lock);
0b7570e7 2414 __wake_up_parent(current, current->real_parent);
ecd6de3c 2415 read_unlock(&tasklist_lock);
1da177e4
LT		 2416}
2417
2418/* superblock security operations */
2419
2420static int selinux_sb_alloc_security(struct super_block *sb)
2421{
2422 return superblock_alloc_security(sb);
2423}
2424
2425static void selinux_sb_free_security(struct super_block *sb)
2426{
2427 superblock_free_security(sb);
2428}
2429
2430static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2431{
2432 if (plen > olen)
2433 return 0;
2434
2435 return !memcmp(prefix, option, plen);
2436}
2437
2438static inline int selinux_option(char *option, int len)
2439{
832cbd9a
EP		 2440 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2441 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2442 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2443 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2444 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2445}
2446
2447static inline void take_option(char **to, char *from, int *first, int len)
2448{
2449 if (!*first) {
2450 **to = ',';
2451 *to += 1;
3528a953 2452 } else
1da177e4
LT		 2453 *first = 0;
2454 memcpy(*to, from, len);
2455 *to += len;
2456}
2457
828dfe1d
EP		 2458static inline void take_selinux_option(char **to, char *from, int *first,
2459 int len)
3528a953
CO		 2460{
2461 int current_size = 0;
2462
2463 if (!*first) {
2464 **to = '|';
2465 *to += 1;
828dfe1d 2466 } else
3528a953
CO		 2467 *first = 0;
2468
2469 while (current_size < len) {
2470 if (*from != '"') {
2471 **to = *from;
2472 *to += 1;
2473 }
2474 from += 1;
2475 current_size += 1;
2476 }
2477}
2478
e0007529 2479static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2480{
2481 int fnosec, fsec, rc = 0;
2482 char *in_save, *in_curr, *in_end;
2483 char *sec_curr, *nosec_save, *nosec;
3528a953 2484 int open_quote = 0;
1da177e4
LT		 2485
2486 in_curr = orig;
2487 sec_curr = copy;
2488
1da177e4
LT		 2489 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2490 if (!nosec) {
2491 rc = -ENOMEM;
2492 goto out;
2493 }
2494
2495 nosec_save = nosec;
2496 fnosec = fsec = 1;
2497 in_save = in_end = orig;
2498
2499 do {
3528a953
CO		 2500 if (*in_end == '"')
2501 open_quote = !open_quote;
2502 if ((*in_end == ',' && open_quote == 0) ||
2503 *in_end == '\0') {
1da177e4
LT		 2504 int len = in_end - in_curr;
2505
2506 if (selinux_option(in_curr, len))
3528a953 2507 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2508 else
2509 take_option(&nosec, in_curr, &fnosec, len);
2510
2511 in_curr = in_end + 1;
2512 }
2513 } while (*in_end++);
2514
6931dfc9 2515 strcpy(in_save, nosec_save);
da3caa20 2516 free_page((unsigned long)nosec_save);
1da177e4
LT		 2517out:
2518 return rc;
2519}
2520
12204e24 2521static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2522{
88e67f3b 2523 const struct cred *cred = current_cred();
2bf49690 2524 struct common_audit_data ad;
1da177e4
LT		 2525 int rc;
2526
2527 rc = superblock_doinit(sb, data);
2528 if (rc)
2529 return rc;
2530
74192246
JM		 2531 /* Allow all mounts performed by the kernel */
2532 if (flags & MS_KERNMOUNT)
2533 return 0;
2534
2bf49690 2535 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2536 ad.u.fs.path.dentry = sb->s_root;
88e67f3b 2537 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2538}
2539
726c3342 2540static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2541{
88e67f3b 2542 const struct cred *cred = current_cred();
2bf49690 2543 struct common_audit_data ad;
1da177e4 2544
2bf49690 2545 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2546 ad.u.fs.path.dentry = dentry->d_sb->s_root;
88e67f3b 2547 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2548}
2549
828dfe1d 2550static int selinux_mount(char *dev_name,
b5266eb4 2551 struct path *path,
828dfe1d
EP		 2552 char *type,
2553 unsigned long flags,
2554 void *data)
1da177e4 2555{
88e67f3b 2556 const struct cred *cred = current_cred();
1da177e4
LT		 2557
2558 if (flags & MS_REMOUNT)
88e67f3b 2559 return superblock_has_perm(cred, path->mnt->mnt_sb,
828dfe1d 2560 FILESYSTEM__REMOUNT, NULL);
1da177e4 2561 else
88e67f3b 2562 return dentry_has_perm(cred, path->mnt, path->dentry,
828dfe1d 2563 FILE__MOUNTON);
1da177e4
LT		 2564}
2565
2566static int selinux_umount(struct vfsmount *mnt, int flags)
2567{
88e67f3b 2568 const struct cred *cred = current_cred();
1da177e4 2569
88e67f3b 2570 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2571 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2572}
2573
2574/* inode security operations */
2575
2576static int selinux_inode_alloc_security(struct inode *inode)
2577{
2578 return inode_alloc_security(inode);
2579}
2580
2581static void selinux_inode_free_security(struct inode *inode)
2582{
2583 inode_free_security(inode);
2584}
2585
5e41ff9e
SS		 2586static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2587 char **name, void **value,
2588 size_t *len)
2589{
275bb41e
DH		 2590 const struct cred *cred = current_cred();
2591 const struct task_security_struct *tsec = cred->security;
5e41ff9e
SS		 2592 struct inode_security_struct *dsec;
2593 struct superblock_security_struct *sbsec;
275bb41e 2594 u32 sid, newsid, clen;
5e41ff9e 2595 int rc;
570bc1c2 2596 char *namep = NULL, *context;
5e41ff9e 2597
5e41ff9e
SS		 2598 dsec = dir->i_security;
2599 sbsec = dir->i_sb->s_security;
5e41ff9e 2600
275bb41e
DH		 2601 sid = tsec->sid;
2602 newsid = tsec->create_sid;
2603
cd89596f 2604 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
275bb41e 2605 rc = security_transition_sid(sid, dsec->sid,
5e41ff9e
SS		 2606 inode_mode_to_security_class(inode->i_mode),
2607 &newsid);
2608 if (rc) {
2609 printk(KERN_WARNING "%s: "
2610 "security_transition_sid failed, rc=%d (dev=%s "
2611 "ino=%ld)\n",
dd6f953a 2612 __func__,
5e41ff9e
SS		 2613 -rc, inode->i_sb->s_id, inode->i_ino);
2614 return rc;
2615 }
2616 }
2617
296fddf7 2618 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2619 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2620 struct inode_security_struct *isec = inode->i_security;
2621 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2622 isec->sid = newsid;
2623 isec->initialized = 1;
2624 }
5e41ff9e 2625
cd89596f 2626 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
25a74f3b
SS		 2627 return -EOPNOTSUPP;
2628
570bc1c2 2629 if (name) {
a02fe132 2630 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
570bc1c2
SS		 2631 if (!namep)
2632 return -ENOMEM;
2633 *name = namep;
2634 }
5e41ff9e 2635
570bc1c2 2636 if (value && len) {
12b29f34 2637 rc = security_sid_to_context_force(newsid, &context, &clen);
570bc1c2
SS		 2638 if (rc) {
2639 kfree(namep);
2640 return rc;
2641 }
2642 *value = context;
2643 *len = clen;
5e41ff9e 2644 }
5e41ff9e 2645
5e41ff9e
SS		 2646 return 0;
2647}
2648
1da177e4
LT		 2649static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2650{
2651 return may_create(dir, dentry, SECCLASS_FILE);
2652}
2653
1da177e4
LT		 2654static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2655{
1da177e4
LT		 2656 return may_link(dir, old_dentry, MAY_LINK);
2657}
2658
1da177e4
LT		 2659static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2660{
1da177e4
LT		 2661 return may_link(dir, dentry, MAY_UNLINK);
2662}
2663
2664static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2665{
2666 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2667}
2668
1da177e4
LT		 2669static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2670{
2671 return may_create(dir, dentry, SECCLASS_DIR);
2672}
2673
1da177e4
LT		 2674static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2675{
2676 return may_link(dir, dentry, MAY_RMDIR);
2677}
2678
2679static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2680{
1da177e4
LT		 2681 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2682}
2683
1da177e4 2684static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2685 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2686{
2687 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2688}
2689
1da177e4
LT		 2690static int selinux_inode_readlink(struct dentry *dentry)
2691{
88e67f3b
DH		 2692 const struct cred *cred = current_cred();
2693
2694 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
1da177e4
LT		 2695}
2696
2697static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2698{
88e67f3b 2699 const struct cred *cred = current_cred();
1da177e4 2700
88e67f3b 2701 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
1da177e4
LT		 2702}
2703
b77b0646 2704static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2705{
88e67f3b 2706 const struct cred *cred = current_cred();
1da177e4
LT		 2707
2708 if (!mask) {
2709 /* No permission to check. Existence test. */
2710 return 0;
2711 }
2712
88e67f3b 2713 return inode_has_perm(cred, inode,
8b6a5a37 2714 file_mask_to_av(inode->i_mode, mask), NULL);
1da177e4
LT		 2715}
2716
2717static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2718{
88e67f3b 2719 const struct cred *cred = current_cred();
bc6a6008 2720 unsigned int ia_valid = iattr->ia_valid;
1da177e4 2721
bc6a6008
AW		 2722 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2723 if (ia_valid & ATTR_FORCE) {
2724 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2725 ATTR_FORCE);
2726 if (!ia_valid)
2727 return 0;
2728 }
1da177e4 2729
bc6a6008
AW		 2730 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2731 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
88e67f3b 2732 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
1da177e4 2733
88e67f3b 2734 return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
1da177e4
LT		 2735}
2736
2737static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2738{
88e67f3b
DH		 2739 const struct cred *cred = current_cred();
2740
2741 return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
1da177e4
LT		 2742}
2743
8f0cfa52 2744static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 2745{
88e67f3b
DH		 2746 const struct cred *cred = current_cred();
2747
b5376771
SH		 2748 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2749 sizeof XATTR_SECURITY_PREFIX - 1)) {
2750 if (!strcmp(name, XATTR_NAME_CAPS)) {
2751 if (!capable(CAP_SETFCAP))
2752 return -EPERM;
2753 } else if (!capable(CAP_SYS_ADMIN)) {
2754 /* A different attribute in the security namespace.
2755 Restrict to administrator. */
2756 return -EPERM;
2757 }
2758 }
2759
2760 /* Not an attribute we recognize, so just check the
2761 ordinary setattr permission. */
88e67f3b 2762 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
b5376771
SH		 2763}
2764
8f0cfa52
DH		 2765static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2766 const void *value, size_t size, int flags)
1da177e4 2767{
1da177e4
LT		 2768 struct inode *inode = dentry->d_inode;
2769 struct inode_security_struct *isec = inode->i_security;
2770 struct superblock_security_struct *sbsec;
2bf49690 2771 struct common_audit_data ad;
275bb41e 2772 u32 newsid, sid = current_sid();
1da177e4
LT		 2773 int rc = 0;
2774
b5376771
SH		 2775 if (strcmp(name, XATTR_NAME_SELINUX))
2776 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2777
2778 sbsec = inode->i_sb->s_security;
cd89596f 2779 if (!(sbsec->flags & SE_SBLABELSUPP))
1da177e4
LT		 2780 return -EOPNOTSUPP;
2781
3bd858ab 2782 if (!is_owner_or_cap(inode))
1da177e4
LT		 2783 return -EPERM;
2784
2bf49690 2785 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2786 ad.u.fs.path.dentry = dentry;
1da177e4 2787
275bb41e 2788 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 2789 FILE__RELABELFROM, &ad);
2790 if (rc)
2791 return rc;
2792
2793 rc = security_context_to_sid(value, size, &newsid);
12b29f34
SS		 2794 if (rc == -EINVAL) {
2795 if (!capable(CAP_MAC_ADMIN))
2796 return rc;
2797 rc = security_context_to_sid_force(value, size, &newsid);
2798 }
1da177e4
LT		 2799 if (rc)
2800 return rc;
2801
275bb41e 2802 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 2803 FILE__RELABELTO, &ad);
2804 if (rc)
2805 return rc;
2806
275bb41e 2807 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 2808 isec->sclass);
1da177e4
LT		 2809 if (rc)
2810 return rc;
2811
2812 return avc_has_perm(newsid,
2813 sbsec->sid,
2814 SECCLASS_FILESYSTEM,
2815 FILESYSTEM__ASSOCIATE,
2816 &ad);
2817}
2818
8f0cfa52 2819static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 2820 const void *value, size_t size,
8f0cfa52 2821 int flags)
1da177e4
LT		 2822{
2823 struct inode *inode = dentry->d_inode;
2824 struct inode_security_struct *isec = inode->i_security;
2825 u32 newsid;
2826 int rc;
2827
2828 if (strcmp(name, XATTR_NAME_SELINUX)) {
2829 /* Not an attribute we recognize, so nothing to do. */
2830 return;
2831 }
2832
12b29f34 2833 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 2834 if (rc) {
12b29f34
SS		 2835 printk(KERN_ERR "SELinux: unable to map context to SID"
2836 "for (%s, %lu), rc=%d\n",
2837 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 2838 return;
2839 }
2840
2841 isec->sid = newsid;
2842 return;
2843}
2844
8f0cfa52 2845static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 2846{
88e67f3b
DH		 2847 const struct cred *cred = current_cred();
2848
2849 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
1da177e4
LT		 2850}
2851
828dfe1d 2852static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 2853{
88e67f3b
DH		 2854 const struct cred *cred = current_cred();
2855
2856 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
1da177e4
LT		 2857}
2858
8f0cfa52 2859static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 2860{
b5376771
SH		 2861 if (strcmp(name, XATTR_NAME_SELINUX))
2862 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2863
2864 /* No one is allowed to remove a SELinux security label.
2865 You can change the label, but all data must be labeled. */
2866 return -EACCES;
2867}
2868
d381d8a9 2869/*
abc69bb6 2870 * Copy the inode security context value to the user.
d381d8a9
JM		 2871 *
2872 * Permission check is handled by selinux_inode_getxattr hook.
2873 */
42492594 2874static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 2875{
42492594
DQ		 2876 u32 size;
2877 int error;
2878 char *context = NULL;
1da177e4 2879 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2880
8c8570fb
DK		 2881 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2882 return -EOPNOTSUPP;
d381d8a9 2883
abc69bb6
SS		 2884 /*
2885 * If the caller has CAP_MAC_ADMIN, then get the raw context
2886 * value even if it is not defined by current policy; otherwise,
2887 * use the in-core value under current policy.
2888 * Use the non-auditing forms of the permission checks since
2889 * getxattr may be called by unprivileged processes commonly
2890 * and lack of permission just means that we fall back to the
2891 * in-core context value, not a denial.
2892 */
3699c53c
DH		 2893 error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
2894 SECURITY_CAP_NOAUDIT);
abc69bb6
SS		 2895 if (!error)
2896 error = security_sid_to_context_force(isec->sid, &context,
2897 &size);
2898 else
2899 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 2900 if (error)
2901 return error;
2902 error = size;
2903 if (alloc) {
2904 *buffer = context;
2905 goto out_nofree;
2906 }
2907 kfree(context);
2908out_nofree:
2909 return error;
1da177e4
LT		 2910}
2911
2912static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 2913 const void *value, size_t size, int flags)
1da177e4
LT		 2914{
2915 struct inode_security_struct *isec = inode->i_security;
2916 u32 newsid;
2917 int rc;
2918
2919 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2920 return -EOPNOTSUPP;
2921
2922 if (!value || !size)
2923 return -EACCES;
2924
828dfe1d 2925 rc = security_context_to_sid((void *)value, size, &newsid);
1da177e4
LT		 2926 if (rc)
2927 return rc;
2928
2929 isec->sid = newsid;
ddd29ec6 2930 isec->initialized = 1;
1da177e4
LT		 2931 return 0;
2932}
2933
2934static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2935{
2936 const int len = sizeof(XATTR_NAME_SELINUX);
2937 if (buffer && len <= buffer_size)
2938 memcpy(buffer, XATTR_NAME_SELINUX, len);
2939 return len;
2940}
2941
713a04ae
AD		 2942static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2943{
2944 struct inode_security_struct *isec = inode->i_security;
2945 *secid = isec->sid;
2946}
2947
1da177e4
LT		 2948/* file security operations */
2949
788e7dd4 2950static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 2951{
88e67f3b 2952 const struct cred *cred = current_cred();
3d5ff529 2953 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4 2954
1da177e4
LT		 2955 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2956 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2957 mask |= MAY_APPEND;
2958
389fb800
PM		 2959 return file_has_perm(cred, file,
2960 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 2961}
2962
788e7dd4
YN		 2963static int selinux_file_permission(struct file *file, int mask)
2964{
20dda18b
SS		 2965 struct inode *inode = file->f_path.dentry->d_inode;
2966 struct file_security_struct *fsec = file->f_security;
2967 struct inode_security_struct *isec = inode->i_security;
2968 u32 sid = current_sid();
2969
389fb800 2970 if (!mask)
788e7dd4
YN		 2971 /* No permission to check. Existence test. */
2972 return 0;
788e7dd4 2973
20dda18b
SS		 2974 if (sid == fsec->sid && fsec->isid == isec->sid &&
2975 fsec->pseqno == avc_policy_seqno())
2976 /* No change since dentry_open check. */
2977 return 0;
2978
788e7dd4
YN		 2979 return selinux_revalidate_file_permission(file, mask);
2980}
2981
1da177e4
LT		 2982static int selinux_file_alloc_security(struct file *file)
2983{
2984 return file_alloc_security(file);
2985}
2986
2987static void selinux_file_free_security(struct file *file)
2988{
2989 file_free_security(file);
2990}
2991
2992static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2993 unsigned long arg)
2994{
88e67f3b 2995 const struct cred *cred = current_cred();
242631c4 2996 u32 av = 0;
1da177e4 2997
242631c4
SS		 2998 if (_IOC_DIR(cmd) & _IOC_WRITE)
2999 av |= FILE__WRITE;
3000 if (_IOC_DIR(cmd) & _IOC_READ)
3001 av |= FILE__READ;
3002 if (!av)
3003 av = FILE__IOCTL;
1da177e4 3004
88e67f3b 3005 return file_has_perm(cred, file, av);
1da177e4
LT		 3006}
3007
3008static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3009{
88e67f3b 3010 const struct cred *cred = current_cred();
d84f4f99 3011 int rc = 0;
88e67f3b 3012
1da177e4
LT		 3013#ifndef CONFIG_PPC32
3014 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3015 /*
3016 * We are making executable an anonymous mapping or a
3017 * private file mapping that will also be writable.
3018 * This has an additional check.
3019 */
d84f4f99 3020 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 3021 if (rc)
d84f4f99 3022 goto error;
1da177e4
LT		 3023 }
3024#endif
3025
3026 if (file) {
3027 /* read access is always possible with a mapping */
3028 u32 av = FILE__READ;
3029
3030 /* write access only matters if the mapping is shared */
3031 if (shared && (prot & PROT_WRITE))
3032 av |= FILE__WRITE;
3033
3034 if (prot & PROT_EXEC)
3035 av |= FILE__EXECUTE;
3036
88e67f3b 3037 return file_has_perm(cred, file, av);
1da177e4 3038 }
d84f4f99
DH		 3039
3040error:
3041 return rc;
1da177e4
LT		 3042}
3043
3044static int selinux_file_mmap(struct file *file, unsigned long reqprot,
ed032189
EP		 3045 unsigned long prot, unsigned long flags,
3046 unsigned long addr, unsigned long addr_only)
1da177e4 3047{
ed032189 3048 int rc = 0;
275bb41e 3049 u32 sid = current_sid();
1da177e4 3050
84336d1a
EP		 3051 /*
3052 * notice that we are intentionally putting the SELinux check before
3053 * the secondary cap_file_mmap check. This is such a likely attempt
3054 * at bad behaviour/exploit that we always want to get the AVC, even
3055 * if DAC would have also denied the operation.
3056 */
a2551df7 3057 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
ed032189
EP		 3058 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3059 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3060 if (rc)
3061 return rc;
3062 }
3063
3064 /* do DAC check on address space usage */
3065 rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
ed032189 3066 if (rc || addr_only)
1da177e4
LT		 3067 return rc;
3068
3069 if (selinux_checkreqprot)
3070 prot = reqprot;
3071
3072 return file_map_prot_check(file, prot,
3073 (flags & MAP_TYPE) == MAP_SHARED);
3074}
3075
3076static int selinux_file_mprotect(struct vm_area_struct *vma,
3077 unsigned long reqprot,
3078 unsigned long prot)
3079{
88e67f3b 3080 const struct cred *cred = current_cred();
1da177e4
LT		 3081
3082 if (selinux_checkreqprot)
3083 prot = reqprot;
3084
3085#ifndef CONFIG_PPC32
db4c9641 3086 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3087 int rc = 0;
db4c9641
SS		 3088 if (vma->vm_start >= vma->vm_mm->start_brk &&
3089 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3090 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641
SS		 3091 } else if (!vma->vm_file &&
3092 vma->vm_start <= vma->vm_mm->start_stack &&
3093 vma->vm_end >= vma->vm_mm->start_stack) {
3b11a1de 3094 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3095 } else if (vma->vm_file && vma->anon_vma) {
3096 /*
3097 * We are making executable a file mapping that has
3098 * had some COW done. Since pages might have been
3099 * written, check ability to execute the possibly
3100 * modified content. This typically should only
3101 * occur for text relocations.
3102 */
d84f4f99 3103 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3104 }