]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blame - security/selinux/hooks.c
projects / mirror_ubuntu-bionic-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge tag 'edac_fixes_for_3.13' of git://git.kernel.org/pub/scm/linux/kernel/git...
[mirror_ubuntu-bionic-kernel.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4 26#include <linux/init.h>
0b24dcb7 27#include <linux/kd.h>
1da177e4 28#include <linux/kernel.h>
0d094efe 29#include <linux/tracehook.h>
1da177e4
LT		 30#include <linux/errno.h>
31#include <linux/sched.h>
32#include <linux/security.h>
33#include <linux/xattr.h>
34#include <linux/capability.h>
35#include <linux/unistd.h>
36#include <linux/mm.h>
37#include <linux/mman.h>
38#include <linux/slab.h>
39#include <linux/pagemap.h>
0b24dcb7 40#include <linux/proc_fs.h>
1da177e4 41#include <linux/swap.h>
1da177e4
LT		 42#include <linux/spinlock.h>
43#include <linux/syscalls.h>
2a7dba39 44#include <linux/dcache.h>
1da177e4 45#include <linux/file.h>
9f3acc31 46#include <linux/fdtable.h>
1da177e4
LT		 47#include <linux/namei.h>
48#include <linux/mount.h>
1da177e4
LT		 49#include <linux/netfilter_ipv4.h>
50#include <linux/netfilter_ipv6.h>
51#include <linux/tty.h>
52#include <net/icmp.h>
227b60f5 53#include <net/ip.h> /* for local_port_range[] */
ca10b9e9 54#include <net/sock.h>
1da177e4 55#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
220deb96 56#include <net/net_namespace.h>
d621d35e 57#include <net/netlabel.h>
f5269710 58#include <linux/uaccess.h>
1da177e4 59#include <asm/ioctls.h>
60063497 60#include <linux/atomic.h>
1da177e4
LT		 61#include <linux/bitops.h>
62#include <linux/interrupt.h>
63#include <linux/netdevice.h> /* for network interface checks */
77954983 64#include <net/netlink.h>
1da177e4
LT		 65#include <linux/tcp.h>
66#include <linux/udp.h>
2ee92d46 67#include <linux/dccp.h>
1da177e4
LT		 68#include <linux/quota.h>
69#include <linux/un.h> /* for Unix socket types */
70#include <net/af_unix.h> /* for Unix socket types */
71#include <linux/parser.h>
72#include <linux/nfs_mount.h>
73#include <net/ipv6.h>
74#include <linux/hugetlb.h>
75#include <linux/personality.h>
1da177e4 76#include <linux/audit.h>
6931dfc9 77#include <linux/string.h>
877ce7c1 78#include <linux/selinux.h>
23970741 79#include <linux/mutex.h>
f06febc9 80#include <linux/posix-timers.h>
00234592 81#include <linux/syslog.h>
3486740a 82#include <linux/user_namespace.h>
44fc7ea0 83#include <linux/export.h>
eb9ae686 84#include <linux/security.h>
40401530
AV		 85#include <linux/msg.h>
86#include <linux/shm.h>
1da177e4
LT		 87
88#include "avc.h"
89#include "objsec.h"
90#include "netif.h"
224dfbd8 91#include "netnode.h"
3e112172 92#include "netport.h"
d28d1e08 93#include "xfrm.h"
c60475bf 94#include "netlabel.h"
9d57a7f9 95#include "audit.h"
7b98a585 96#include "avc_ss.h"
1da177e4 97
102aefdd
AA		 98#define SB_TYPE_FMT "%s%s%s"
99#define SB_SUBTYPE(sb) (sb->s_subtype && sb->s_subtype[0])
100#define SB_TYPE_ARGS(sb) sb->s_type->name, SB_SUBTYPE(sb) ? "." : "", SB_SUBTYPE(sb) ? sb->s_subtype : ""
c9180a57 101
20510f2f 102extern struct security_operations *security_ops;
1da177e4 103
d621d35e 104/* SECMARK reference count */
56a4ca99 105static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 106
1da177e4 107#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 108int selinux_enforcing;
1da177e4
LT		 109
110static int __init enforcing_setup(char *str)
111{
f5269710
EP		 112 unsigned long enforcing;
113 if (!strict_strtoul(str, 0, &enforcing))
114 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 115 return 1;
116}
117__setup("enforcing=", enforcing_setup);
118#endif
119
120#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
121int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
122
123static int __init selinux_enabled_setup(char *str)
124{
f5269710
EP		 125 unsigned long enabled;
126 if (!strict_strtoul(str, 0, &enabled))
127 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 128 return 1;
129}
130__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 131#else
132int selinux_enabled = 1;
1da177e4
LT		 133#endif
134
e18b890b 135static struct kmem_cache *sel_inode_cache;
7cae7e26 136
d621d35e
PM		 137/**
138 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
139 *
140 * Description:
141 * This function checks the SECMARK reference counter to see if any SECMARK
142 * targets are currently configured, if the reference counter is greater than
143 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 144 * enabled, false (0) if SECMARK is disabled. If the always_check_network
145 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 146 *
147 */
148static int selinux_secmark_enabled(void)
149{
2be4d74f
CP		 150 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
151}
152
153/**
154 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
155 *
156 * Description:
157 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
158 * (1) if any are enabled or false (0) if neither are enabled. If the
159 * always_check_network policy capability is enabled, peer labeling
160 * is always considered enabled.
161 *
162 */
163static int selinux_peerlbl_enabled(void)
164{
165 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 166}
167
d84f4f99
DH		 168/*
169 * initialise the security for the init task
170 */
171static void cred_init_security(void)
1da177e4 172{
3b11a1de 173 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 174 struct task_security_struct *tsec;
175
89d155ef 176 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 177 if (!tsec)
d84f4f99 178 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 179
d84f4f99 180 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 181 cred->security = tsec;
1da177e4
LT		 182}
183
88e67f3b
DH		 184/*
185 * get the security ID of a set of credentials
186 */
187static inline u32 cred_sid(const struct cred *cred)
188{
189 const struct task_security_struct *tsec;
190
191 tsec = cred->security;
192 return tsec->sid;
193}
194
275bb41e 195/*
3b11a1de 196 * get the objective security ID of a task
275bb41e
DH		 197 */
198static inline u32 task_sid(const struct task_struct *task)
199{
275bb41e
DH		 200 u32 sid;
201
202 rcu_read_lock();
88e67f3b 203 sid = cred_sid(__task_cred(task));
275bb41e
DH		 204 rcu_read_unlock();
205 return sid;
206}
207
208/*
3b11a1de 209 * get the subjective security ID of the current task
275bb41e
DH		 210 */
211static inline u32 current_sid(void)
212{
5fb49870 213 const struct task_security_struct *tsec = current_security();
275bb41e
DH		 214
215 return tsec->sid;
216}
217
88e67f3b
DH		 218/* Allocate and free functions for each kind of security blob. */
219
1da177e4
LT		 220static int inode_alloc_security(struct inode *inode)
221{
1da177e4 222 struct inode_security_struct *isec;
275bb41e 223 u32 sid = current_sid();
1da177e4 224
a02fe132 225 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 226 if (!isec)
227 return -ENOMEM;
228
23970741 229 mutex_init(&isec->lock);
1da177e4 230 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 231 isec->inode = inode;
232 isec->sid = SECINITSID_UNLABELED;
233 isec->sclass = SECCLASS_FILE;
275bb41e 234 isec->task_sid = sid;
1da177e4
LT		 235 inode->i_security = isec;
236
237 return 0;
238}
239
240static void inode_free_security(struct inode *inode)
241{
242 struct inode_security_struct *isec = inode->i_security;
243 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
244
1da177e4
LT		 245 spin_lock(&sbsec->isec_lock);
246 if (!list_empty(&isec->list))
247 list_del_init(&isec->list);
248 spin_unlock(&sbsec->isec_lock);
249
250 inode->i_security = NULL;
7cae7e26 251 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 252}
253
254static int file_alloc_security(struct file *file)
255{
1da177e4 256 struct file_security_struct *fsec;
275bb41e 257 u32 sid = current_sid();
1da177e4 258
26d2a4be 259 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 260 if (!fsec)
261 return -ENOMEM;
262
275bb41e
DH		 263 fsec->sid = sid;
264 fsec->fown_sid = sid;
1da177e4
LT		 265 file->f_security = fsec;
266
267 return 0;
268}
269
270static void file_free_security(struct file *file)
271{
272 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 273 file->f_security = NULL;
274 kfree(fsec);
275}
276
277static int superblock_alloc_security(struct super_block *sb)
278{
279 struct superblock_security_struct *sbsec;
280
89d155ef 281 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 282 if (!sbsec)
283 return -ENOMEM;
284
bc7e982b 285 mutex_init(&sbsec->lock);
1da177e4
LT		 286 INIT_LIST_HEAD(&sbsec->isec_head);
287 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 288 sbsec->sb = sb;
289 sbsec->sid = SECINITSID_UNLABELED;
290 sbsec->def_sid = SECINITSID_FILE;
c312feb2 291 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 292 sb->s_security = sbsec;
293
294 return 0;
295}
296
297static void superblock_free_security(struct super_block *sb)
298{
299 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 300 sb->s_security = NULL;
301 kfree(sbsec);
302}
303
1da177e4
LT		 304/* The file system's label must be initialized prior to use. */
305
eb9ae686 306static const char *labeling_behaviors[7] = {
1da177e4
LT		 307 "uses xattr",
308 "uses transition SIDs",
309 "uses task SIDs",
310 "uses genfs_contexts",
311 "not configured for labeling",
312 "uses mountpoint labeling",
eb9ae686 313 "uses native labeling",
1da177e4
LT		 314};
315
316static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
317
318static inline int inode_doinit(struct inode *inode)
319{
320 return inode_doinit_with_dentry(inode, NULL);
321}
322
323enum {
31e87930 324 Opt_error = -1,
1da177e4
LT		 325 Opt_context = 1,
326 Opt_fscontext = 2,
c9180a57
EP		 327 Opt_defcontext = 3,
328 Opt_rootcontext = 4,
11689d47 329 Opt_labelsupport = 5,
d355987f 330 Opt_nextmntopt = 6,
1da177e4
LT		 331};
332
d355987f
EP		 333#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
334
a447c093 335static const match_table_t tokens = {
832cbd9a
EP		 336 {Opt_context, CONTEXT_STR "%s"},
337 {Opt_fscontext, FSCONTEXT_STR "%s"},
338 {Opt_defcontext, DEFCONTEXT_STR "%s"},
339 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 340 {Opt_labelsupport, LABELSUPP_STR},
31e87930 341 {Opt_error, NULL},
1da177e4
LT		 342};
343
344#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
345
c312feb2
EP		 346static int may_context_mount_sb_relabel(u32 sid,
347 struct superblock_security_struct *sbsec,
275bb41e 348 const struct cred *cred)
c312feb2 349{
275bb41e 350 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 351 int rc;
352
353 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
354 FILESYSTEM__RELABELFROM, NULL);
355 if (rc)
356 return rc;
357
358 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
359 FILESYSTEM__RELABELTO, NULL);
360 return rc;
361}
362
0808925e
EP		 363static int may_context_mount_inode_relabel(u32 sid,
364 struct superblock_security_struct *sbsec,
275bb41e 365 const struct cred *cred)
0808925e 366{
275bb41e 367 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 368 int rc;
369 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
370 FILESYSTEM__RELABELFROM, NULL);
371 if (rc)
372 return rc;
373
374 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
375 FILESYSTEM__ASSOCIATE, NULL);
376 return rc;
377}
378
b43e725d
EP		 379static int selinux_is_sblabel_mnt(struct super_block *sb)
380{
381 struct superblock_security_struct *sbsec = sb->s_security;
382
383 if (sbsec->behavior == SECURITY_FS_USE_XATTR ||
384 sbsec->behavior == SECURITY_FS_USE_TRANS ||
385 sbsec->behavior == SECURITY_FS_USE_TASK)
386 return 1;
387
388 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
389 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
390 return 1;
391
392 /*
393 * Special handling for rootfs. Is genfs but supports
394 * setting SELinux context on in-core inodes.
395 */
396 if (strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0)
397 return 1;
398
399 return 0;
400}
401
c9180a57 402static int sb_finish_set_opts(struct super_block *sb)
1da177e4 403{
1da177e4 404 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 405 struct dentry *root = sb->s_root;
406 struct inode *root_inode = root->d_inode;
407 int rc = 0;
1da177e4 408
c9180a57
EP		 409 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
410 /* Make sure that the xattr handler exists and that no
411 error other than -ENODATA is returned by getxattr on
412 the root directory. -ENODATA is ok, as this may be
413 the first boot of the SELinux kernel before we have
414 assigned xattr values to the filesystem. */
415 if (!root_inode->i_op->getxattr) {
102aefdd
AA		 416 printk(KERN_WARNING "SELinux: (dev %s, type "SB_TYPE_FMT") has no "
417 "xattr support\n", sb->s_id, SB_TYPE_ARGS(sb));
c9180a57
EP		 418 rc = -EOPNOTSUPP;
419 goto out;
420 }
421 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
422 if (rc < 0 && rc != -ENODATA) {
423 if (rc == -EOPNOTSUPP)
424 printk(KERN_WARNING "SELinux: (dev %s, type "
102aefdd
AA		 425 SB_TYPE_FMT") has no security xattr handler\n",
426 sb->s_id, SB_TYPE_ARGS(sb));
c9180a57
EP		 427 else
428 printk(KERN_WARNING "SELinux: (dev %s, type "
102aefdd
AA		 429 SB_TYPE_FMT") getxattr errno %d\n", sb->s_id,
430 SB_TYPE_ARGS(sb), -rc);
c9180a57
EP		 431 goto out;
432 }
433 }
1da177e4 434
c9180a57 435 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
102aefdd
AA		 436 printk(KERN_ERR "SELinux: initialized (dev %s, type "SB_TYPE_FMT"), unknown behavior\n",
437 sb->s_id, SB_TYPE_ARGS(sb));
c9180a57 438 else
102aefdd
AA		 439 printk(KERN_DEBUG "SELinux: initialized (dev %s, type "SB_TYPE_FMT"), %s\n",
440 sb->s_id, SB_TYPE_ARGS(sb),
c9180a57 441 labeling_behaviors[sbsec->behavior-1]);
1da177e4 442
eadcabc6 443 sbsec->flags |= SE_SBINITIALIZED;
b43e725d 444 if (selinux_is_sblabel_mnt(sb))
12f348b9 445 sbsec->flags |= SBLABEL_MNT;
ddd29ec6 446
c9180a57
EP		 447 /* Initialize the root inode. */
448 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 449
c9180a57
EP		 450 /* Initialize any other inodes associated with the superblock, e.g.
451 inodes created prior to initial policy load or inodes created
452 during get_sb by a pseudo filesystem that directly
453 populates itself. */
454 spin_lock(&sbsec->isec_lock);
455next_inode:
456 if (!list_empty(&sbsec->isec_head)) {
457 struct inode_security_struct *isec =
458 list_entry(sbsec->isec_head.next,
459 struct inode_security_struct, list);
460 struct inode *inode = isec->inode;
461 spin_unlock(&sbsec->isec_lock);
462 inode = igrab(inode);
463 if (inode) {
464 if (!IS_PRIVATE(inode))
465 inode_doinit(inode);
466 iput(inode);
467 }
468 spin_lock(&sbsec->isec_lock);
469 list_del_init(&isec->list);
470 goto next_inode;
471 }
472 spin_unlock(&sbsec->isec_lock);
473out:
474 return rc;
475}
1da177e4 476
c9180a57
EP		 477/*
478 * This function should allow an FS to ask what it's mount security
479 * options were so it can use those later for submounts, displaying
480 * mount options, or whatever.
481 */
482static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 483 struct security_mnt_opts *opts)
c9180a57
EP		 484{
485 int rc = 0, i;
486 struct superblock_security_struct *sbsec = sb->s_security;
487 char *context = NULL;
488 u32 len;
489 char tmp;
1da177e4 490
e0007529 491 security_init_mnt_opts(opts);
1da177e4 492
0d90a7ec 493 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 494 return -EINVAL;
1da177e4 495
c9180a57
EP		 496 if (!ss_initialized)
497 return -EINVAL;
1da177e4 498
af8e50cc
EP		 499 /* make sure we always check enough bits to cover the mask */
500 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
501
0d90a7ec 502 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 503 /* count the number of mount options for this sb */
af8e50cc 504 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 505 if (tmp & 0x01)
e0007529 506 opts->num_mnt_opts++;
c9180a57
EP		 507 tmp >>= 1;
508 }
11689d47 509 /* Check if the Label support flag is set */
0b4bdb35 510 if (sbsec->flags & SBLABEL_MNT)
11689d47 511 opts->num_mnt_opts++;
1da177e4 512
e0007529
EP		 513 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
514 if (!opts->mnt_opts) {
c9180a57
EP		 515 rc = -ENOMEM;
516 goto out_free;
517 }
1da177e4 518
e0007529
EP		 519 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
520 if (!opts->mnt_opts_flags) {
c9180a57
EP		 521 rc = -ENOMEM;
522 goto out_free;
523 }
1da177e4 524
c9180a57
EP		 525 i = 0;
526 if (sbsec->flags & FSCONTEXT_MNT) {
527 rc = security_sid_to_context(sbsec->sid, &context, &len);
528 if (rc)
529 goto out_free;
e0007529
EP		 530 opts->mnt_opts[i] = context;
531 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 532 }
533 if (sbsec->flags & CONTEXT_MNT) {
534 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
535 if (rc)
536 goto out_free;
e0007529
EP		 537 opts->mnt_opts[i] = context;
538 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 539 }
540 if (sbsec->flags & DEFCONTEXT_MNT) {
541 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
542 if (rc)
543 goto out_free;
e0007529
EP		 544 opts->mnt_opts[i] = context;
545 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 546 }
547 if (sbsec->flags & ROOTCONTEXT_MNT) {
548 struct inode *root = sbsec->sb->s_root->d_inode;
549 struct inode_security_struct *isec = root->i_security;
0808925e 550
c9180a57
EP		 551 rc = security_sid_to_context(isec->sid, &context, &len);
552 if (rc)
553 goto out_free;
e0007529
EP		 554 opts->mnt_opts[i] = context;
555 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 556 }
12f348b9 557 if (sbsec->flags & SBLABEL_MNT) {
11689d47 558 opts->mnt_opts[i] = NULL;
12f348b9 559 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 560 }
1da177e4 561
e0007529 562 BUG_ON(i != opts->num_mnt_opts);
1da177e4 563
c9180a57
EP		 564 return 0;
565
566out_free:
e0007529 567 security_free_mnt_opts(opts);
c9180a57
EP		 568 return rc;
569}
1da177e4 570
c9180a57
EP		 571static int bad_option(struct superblock_security_struct *sbsec, char flag,
572 u32 old_sid, u32 new_sid)
573{
0d90a7ec
DQ		 574 char mnt_flags = sbsec->flags & SE_MNTMASK;
575
c9180a57 576 /* check if the old mount command had the same options */
0d90a7ec 577 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 578 if (!(sbsec->flags & flag) ||
579 (old_sid != new_sid))
580 return 1;
581
582 /* check if we were passed the same options twice,
583 * aka someone passed context=a,context=b
584 */
0d90a7ec
DQ		 585 if (!(sbsec->flags & SE_SBINITIALIZED))
586 if (mnt_flags & flag)
c9180a57
EP		 587 return 1;
588 return 0;
589}
e0007529 590
c9180a57
EP		 591/*
592 * Allow filesystems with binary mount data to explicitly set mount point
593 * labeling information.
594 */
e0007529 595static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 596 struct security_mnt_opts *opts,
597 unsigned long kern_flags,
598 unsigned long *set_kern_flags)
c9180a57 599{
275bb41e 600 const struct cred *cred = current_cred();
c9180a57 601 int rc = 0, i;
c9180a57 602 struct superblock_security_struct *sbsec = sb->s_security;
089be43e
JM		 603 struct inode *inode = sbsec->sb->s_root->d_inode;
604 struct inode_security_struct *root_isec = inode->i_security;
c9180a57
EP		 605 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
606 u32 defcontext_sid = 0;
e0007529
EP		 607 char **mount_options = opts->mnt_opts;
608 int *flags = opts->mnt_opts_flags;
609 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 610
611 mutex_lock(&sbsec->lock);
612
613 if (!ss_initialized) {
614 if (!num_opts) {
615 /* Defer initialization until selinux_complete_init,
616 after the initial policy is loaded and the security
617 server is ready to handle calls. */
c9180a57
EP		 618 goto out;
619 }
620 rc = -EINVAL;
744ba35e
EP		 621 printk(KERN_WARNING "SELinux: Unable to set superblock options "
622 "before the security server is initialized\n");
1da177e4 623 goto out;
c9180a57 624 }
649f6e77
DQ		 625 if (kern_flags && !set_kern_flags) {
626 /* Specifying internal flags without providing a place to
627 * place the results is not allowed */
628 rc = -EINVAL;
629 goto out;
630 }
1da177e4 631
e0007529
EP		 632 /*
633 * Binary mount data FS will come through this function twice. Once
634 * from an explicit call and once from the generic calls from the vfs.
635 * Since the generic VFS calls will not contain any security mount data
636 * we need to skip the double mount verification.
637 *
638 * This does open a hole in which we will not notice if the first
639 * mount using this sb set explict options and a second mount using
640 * this sb does not set any security options. (The first options
641 * will be used for both mounts)
642 */
0d90a7ec 643 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 644 && (num_opts == 0))
f5269710 645 goto out;
e0007529 646
c9180a57
EP		 647 /*
648 * parse the mount options, check if they are valid sids.
649 * also check if someone is trying to mount the same sb more
650 * than once with different security options.
651 */
652 for (i = 0; i < num_opts; i++) {
653 u32 sid;
11689d47 654
12f348b9 655 if (flags[i] == SBLABEL_MNT)
11689d47 656 continue;
c9180a57
EP		 657 rc = security_context_to_sid(mount_options[i],
658 strlen(mount_options[i]), &sid);
1da177e4
LT		 659 if (rc) {
660 printk(KERN_WARNING "SELinux: security_context_to_sid"
102aefdd
AA		 661 "(%s) failed for (dev %s, type "SB_TYPE_FMT") errno=%d\n",
662 mount_options[i], sb->s_id, SB_TYPE_ARGS(sb), rc);
c9180a57
EP		 663 goto out;
664 }
665 switch (flags[i]) {
666 case FSCONTEXT_MNT:
667 fscontext_sid = sid;
668
669 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
670 fscontext_sid))
671 goto out_double_mount;
672
673 sbsec->flags |= FSCONTEXT_MNT;
674 break;
675 case CONTEXT_MNT:
676 context_sid = sid;
677
678 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
679 context_sid))
680 goto out_double_mount;
681
682 sbsec->flags |= CONTEXT_MNT;
683 break;
684 case ROOTCONTEXT_MNT:
685 rootcontext_sid = sid;
686
687 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
688 rootcontext_sid))
689 goto out_double_mount;
690
691 sbsec->flags |= ROOTCONTEXT_MNT;
692
693 break;
694 case DEFCONTEXT_MNT:
695 defcontext_sid = sid;
696
697 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
698 defcontext_sid))
699 goto out_double_mount;
700
701 sbsec->flags |= DEFCONTEXT_MNT;
702
703 break;
704 default:
705 rc = -EINVAL;
706 goto out;
1da177e4 707 }
c9180a57
EP		 708 }
709
0d90a7ec 710 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 711 /* previously mounted with options, but not on this attempt? */
0d90a7ec 712 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 713 goto out_double_mount;
714 rc = 0;
715 goto out;
716 }
717
089be43e 718 if (strcmp(sb->s_type->name, "proc") == 0)
0d90a7ec 719 sbsec->flags |= SE_SBPROC;
c9180a57 720
eb9ae686
DQ		 721 if (!sbsec->behavior) {
722 /*
723 * Determine the labeling behavior to use for this
724 * filesystem type.
725 */
98f700f3 726 rc = security_fs_use(sb);
eb9ae686
DQ		 727 if (rc) {
728 printk(KERN_WARNING
729 "%s: security_fs_use(%s) returned %d\n",
730 __func__, sb->s_type->name, rc);
731 goto out;
732 }
c9180a57 733 }
c9180a57
EP		 734 /* sets the context of the superblock for the fs being mounted. */
735 if (fscontext_sid) {
275bb41e 736 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 737 if (rc)
c9180a57 738 goto out;
1da177e4 739
c9180a57 740 sbsec->sid = fscontext_sid;
c312feb2
EP		 741 }
742
743 /*
744 * Switch to using mount point labeling behavior.
745 * sets the label used on all file below the mountpoint, and will set
746 * the superblock context if not already set.
747 */
eb9ae686
DQ		 748 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
749 sbsec->behavior = SECURITY_FS_USE_NATIVE;
750 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
751 }
752
c9180a57
EP		 753 if (context_sid) {
754 if (!fscontext_sid) {
275bb41e
DH		 755 rc = may_context_mount_sb_relabel(context_sid, sbsec,
756 cred);
b04ea3ce 757 if (rc)
c9180a57
EP		 758 goto out;
759 sbsec->sid = context_sid;
b04ea3ce 760 } else {
275bb41e
DH		 761 rc = may_context_mount_inode_relabel(context_sid, sbsec,
762 cred);
b04ea3ce 763 if (rc)
c9180a57 764 goto out;
b04ea3ce 765 }
c9180a57
EP		 766 if (!rootcontext_sid)
767 rootcontext_sid = context_sid;
1da177e4 768
c9180a57 769 sbsec->mntpoint_sid = context_sid;
c312feb2 770 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 771 }
772
c9180a57 773 if (rootcontext_sid) {
275bb41e
DH		 774 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
775 cred);
0808925e 776 if (rc)
c9180a57 777 goto out;
0808925e 778
c9180a57
EP		 779 root_isec->sid = rootcontext_sid;
780 root_isec->initialized = 1;
0808925e
EP		 781 }
782
c9180a57 783 if (defcontext_sid) {
eb9ae686
DQ		 784 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
785 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 786 rc = -EINVAL;
787 printk(KERN_WARNING "SELinux: defcontext option is "
788 "invalid for this filesystem type\n");
789 goto out;
1da177e4
LT		 790 }
791
c9180a57
EP		 792 if (defcontext_sid != sbsec->def_sid) {
793 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 794 sbsec, cred);
c9180a57
EP		 795 if (rc)
796 goto out;
797 }
1da177e4 798
c9180a57 799 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 800 }
801
c9180a57 802 rc = sb_finish_set_opts(sb);
1da177e4 803out:
c9180a57 804 mutex_unlock(&sbsec->lock);
1da177e4 805 return rc;
c9180a57
EP		 806out_double_mount:
807 rc = -EINVAL;
808 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
102aefdd
AA		 809 "security settings for (dev %s, type "SB_TYPE_FMT")\n", sb->s_id,
810 SB_TYPE_ARGS(sb));
c9180a57 811 goto out;
1da177e4
LT		 812}
813
094f7b69
JL		 814static int selinux_cmp_sb_context(const struct super_block *oldsb,
815 const struct super_block *newsb)
816{
817 struct superblock_security_struct *old = oldsb->s_security;
818 struct superblock_security_struct *new = newsb->s_security;
819 char oldflags = old->flags & SE_MNTMASK;
820 char newflags = new->flags & SE_MNTMASK;
821
822 if (oldflags != newflags)
823 goto mismatch;
824 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
825 goto mismatch;
826 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
827 goto mismatch;
828 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
829 goto mismatch;
830 if (oldflags & ROOTCONTEXT_MNT) {
831 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
832 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
833 if (oldroot->sid != newroot->sid)
834 goto mismatch;
835 }
836 return 0;
837mismatch:
838 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
839 "different security settings for (dev %s, "
840 "type %s)\n", newsb->s_id, newsb->s_type->name);
841 return -EBUSY;
842}
843
844static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
c9180a57 845 struct super_block *newsb)
1da177e4 846{
c9180a57
EP		 847 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
848 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 849
c9180a57
EP		 850 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
851 int set_context = (oldsbsec->flags & CONTEXT_MNT);
852 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 853
0f5e6420
EP		 854 /*
855 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 856 * mount options. thus we can safely deal with this superblock later
0f5e6420 857 */
e8c26255 858 if (!ss_initialized)
094f7b69 859 return 0;
c9180a57 860
c9180a57 861 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 862 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 863
094f7b69 864 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 865 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 866 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 867
c9180a57
EP		 868 mutex_lock(&newsbsec->lock);
869
870 newsbsec->flags = oldsbsec->flags;
871
872 newsbsec->sid = oldsbsec->sid;
873 newsbsec->def_sid = oldsbsec->def_sid;
874 newsbsec->behavior = oldsbsec->behavior;
875
876 if (set_context) {
877 u32 sid = oldsbsec->mntpoint_sid;
878
879 if (!set_fscontext)
880 newsbsec->sid = sid;
881 if (!set_rootcontext) {
882 struct inode *newinode = newsb->s_root->d_inode;
883 struct inode_security_struct *newisec = newinode->i_security;
884 newisec->sid = sid;
885 }
886 newsbsec->mntpoint_sid = sid;
1da177e4 887 }
c9180a57
EP		 888 if (set_rootcontext) {
889 const struct inode *oldinode = oldsb->s_root->d_inode;
890 const struct inode_security_struct *oldisec = oldinode->i_security;
891 struct inode *newinode = newsb->s_root->d_inode;
892 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 893
c9180a57 894 newisec->sid = oldisec->sid;
1da177e4
LT		 895 }
896
c9180a57
EP		 897 sb_finish_set_opts(newsb);
898 mutex_unlock(&newsbsec->lock);
094f7b69 899 return 0;
c9180a57
EP		 900}
901
2e1479d9
AB		 902static int selinux_parse_opts_str(char *options,
903 struct security_mnt_opts *opts)
c9180a57 904{
e0007529 905 char *p;
c9180a57
EP		 906 char *context = NULL, *defcontext = NULL;
907 char *fscontext = NULL, *rootcontext = NULL;
e0007529 908 int rc, num_mnt_opts = 0;
1da177e4 909
e0007529 910 opts->num_mnt_opts = 0;
1da177e4 911
c9180a57
EP		 912 /* Standard string-based options. */
913 while ((p = strsep(&options, "|")) != NULL) {
914 int token;
915 substring_t args[MAX_OPT_ARGS];
1da177e4 916
c9180a57
EP		 917 if (!*p)
918 continue;
1da177e4 919
c9180a57 920 token = match_token(p, tokens, args);
1da177e4 921
c9180a57
EP		 922 switch (token) {
923 case Opt_context:
924 if (context || defcontext) {
925 rc = -EINVAL;
926 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
927 goto out_err;
928 }
929 context = match_strdup(&args[0]);
930 if (!context) {
931 rc = -ENOMEM;
932 goto out_err;
933 }
934 break;
935
936 case Opt_fscontext:
937 if (fscontext) {
938 rc = -EINVAL;
939 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
940 goto out_err;
941 }
942 fscontext = match_strdup(&args[0]);
943 if (!fscontext) {
944 rc = -ENOMEM;
945 goto out_err;
946 }
947 break;
948
949 case Opt_rootcontext:
950 if (rootcontext) {
951 rc = -EINVAL;
952 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
953 goto out_err;
954 }
955 rootcontext = match_strdup(&args[0]);
956 if (!rootcontext) {
957 rc = -ENOMEM;
958 goto out_err;
959 }
960 break;
961
962 case Opt_defcontext:
963 if (context || defcontext) {
964 rc = -EINVAL;
965 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
966 goto out_err;
967 }
968 defcontext = match_strdup(&args[0]);
969 if (!defcontext) {
970 rc = -ENOMEM;
971 goto out_err;
972 }
973 break;
11689d47
DQ		 974 case Opt_labelsupport:
975 break;
c9180a57
EP		 976 default:
977 rc = -EINVAL;
978 printk(KERN_WARNING "SELinux: unknown mount option\n");
979 goto out_err;
1da177e4 980
1da177e4 981 }
1da177e4 982 }
c9180a57 983
e0007529
EP		 984 rc = -ENOMEM;
985 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
986 if (!opts->mnt_opts)
987 goto out_err;
988
989 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
990 if (!opts->mnt_opts_flags) {
991 kfree(opts->mnt_opts);
992 goto out_err;
993 }
994
c9180a57 995 if (fscontext) {
e0007529
EP		 996 opts->mnt_opts[num_mnt_opts] = fscontext;
997 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 998 }
999 if (context) {
e0007529
EP		 1000 opts->mnt_opts[num_mnt_opts] = context;
1001 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1002 }
1003 if (rootcontext) {
e0007529
EP		 1004 opts->mnt_opts[num_mnt_opts] = rootcontext;
1005 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1006 }
1007 if (defcontext) {
e0007529
EP		 1008 opts->mnt_opts[num_mnt_opts] = defcontext;
1009 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1010 }
1011
e0007529
EP		 1012 opts->num_mnt_opts = num_mnt_opts;
1013 return 0;
1014
c9180a57
EP		 1015out_err:
1016 kfree(context);
1017 kfree(defcontext);
1018 kfree(fscontext);
1019 kfree(rootcontext);
1da177e4
LT		 1020 return rc;
1021}
e0007529
EP		 1022/*
1023 * string mount options parsing and call set the sbsec
1024 */
1025static int superblock_doinit(struct super_block *sb, void *data)
1026{
1027 int rc = 0;
1028 char *options = data;
1029 struct security_mnt_opts opts;
1030
1031 security_init_mnt_opts(&opts);
1032
1033 if (!data)
1034 goto out;
1035
1036 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1037
1038 rc = selinux_parse_opts_str(options, &opts);
1039 if (rc)
1040 goto out_err;
1041
1042out:
649f6e77 1043 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1044
1045out_err:
1046 security_free_mnt_opts(&opts);
1047 return rc;
1048}
1da177e4 1049
3583a711
AB		 1050static void selinux_write_opts(struct seq_file *m,
1051 struct security_mnt_opts *opts)
2069f457
EP		 1052{
1053 int i;
1054 char *prefix;
1055
1056 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1057 char *has_comma;
1058
1059 if (opts->mnt_opts[i])
1060 has_comma = strchr(opts->mnt_opts[i], ',');
1061 else
1062 has_comma = NULL;
2069f457
EP		 1063
1064 switch (opts->mnt_opts_flags[i]) {
1065 case CONTEXT_MNT:
1066 prefix = CONTEXT_STR;
1067 break;
1068 case FSCONTEXT_MNT:
1069 prefix = FSCONTEXT_STR;
1070 break;
1071 case ROOTCONTEXT_MNT:
1072 prefix = ROOTCONTEXT_STR;
1073 break;
1074 case DEFCONTEXT_MNT:
1075 prefix = DEFCONTEXT_STR;
1076 break;
12f348b9 1077 case SBLABEL_MNT:
11689d47
DQ		 1078 seq_putc(m, ',');
1079 seq_puts(m, LABELSUPP_STR);
1080 continue;
2069f457
EP		 1081 default:
1082 BUG();
a35c6c83 1083 return;
2069f457
EP		 1084 };
1085 /* we need a comma before each option */
1086 seq_putc(m, ',');
1087 seq_puts(m, prefix);
1088 if (has_comma)
1089 seq_putc(m, '\"');
1090 seq_puts(m, opts->mnt_opts[i]);
1091 if (has_comma)
1092 seq_putc(m, '\"');
1093 }
1094}
1095
1096static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1097{
1098 struct security_mnt_opts opts;
1099 int rc;
1100
1101 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1102 if (rc) {
1103 /* before policy load we may get EINVAL, don't show anything */
1104 if (rc == -EINVAL)
1105 rc = 0;
2069f457 1106 return rc;
383795c2 1107 }
2069f457
EP		 1108
1109 selinux_write_opts(m, &opts);
1110
1111 security_free_mnt_opts(&opts);
1112
1113 return rc;
1114}
1115
1da177e4
LT		 1116static inline u16 inode_mode_to_security_class(umode_t mode)
1117{
1118 switch (mode & S_IFMT) {
1119 case S_IFSOCK:
1120 return SECCLASS_SOCK_FILE;
1121 case S_IFLNK:
1122 return SECCLASS_LNK_FILE;
1123 case S_IFREG:
1124 return SECCLASS_FILE;
1125 case S_IFBLK:
1126 return SECCLASS_BLK_FILE;
1127 case S_IFDIR:
1128 return SECCLASS_DIR;
1129 case S_IFCHR:
1130 return SECCLASS_CHR_FILE;
1131 case S_IFIFO:
1132 return SECCLASS_FIFO_FILE;
1133
1134 }
1135
1136 return SECCLASS_FILE;
1137}
1138
13402580
JM		 1139static inline int default_protocol_stream(int protocol)
1140{
1141 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1142}
1143
1144static inline int default_protocol_dgram(int protocol)
1145{
1146 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1147}
1148
1da177e4
LT		 1149static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1150{
1151 switch (family) {
1152 case PF_UNIX:
1153 switch (type) {
1154 case SOCK_STREAM:
1155 case SOCK_SEQPACKET:
1156 return SECCLASS_UNIX_STREAM_SOCKET;
1157 case SOCK_DGRAM:
1158 return SECCLASS_UNIX_DGRAM_SOCKET;
1159 }
1160 break;
1161 case PF_INET:
1162 case PF_INET6:
1163 switch (type) {
1164 case SOCK_STREAM:
13402580
JM		 1165 if (default_protocol_stream(protocol))
1166 return SECCLASS_TCP_SOCKET;
1167 else
1168 return SECCLASS_RAWIP_SOCKET;
1da177e4 1169 case SOCK_DGRAM:
13402580
JM		 1170 if (default_protocol_dgram(protocol))
1171 return SECCLASS_UDP_SOCKET;
1172 else
1173 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1174 case SOCK_DCCP:
1175 return SECCLASS_DCCP_SOCKET;
13402580 1176 default:
1da177e4
LT		 1177 return SECCLASS_RAWIP_SOCKET;
1178 }
1179 break;
1180 case PF_NETLINK:
1181 switch (protocol) {
1182 case NETLINK_ROUTE:
1183 return SECCLASS_NETLINK_ROUTE_SOCKET;
1184 case NETLINK_FIREWALL:
1185 return SECCLASS_NETLINK_FIREWALL_SOCKET;
7f1fb60c 1186 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1187 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1188 case NETLINK_NFLOG:
1189 return SECCLASS_NETLINK_NFLOG_SOCKET;
1190 case NETLINK_XFRM:
1191 return SECCLASS_NETLINK_XFRM_SOCKET;
1192 case NETLINK_SELINUX:
1193 return SECCLASS_NETLINK_SELINUX_SOCKET;
1194 case NETLINK_AUDIT:
1195 return SECCLASS_NETLINK_AUDIT_SOCKET;
1196 case NETLINK_IP6_FW:
1197 return SECCLASS_NETLINK_IP6FW_SOCKET;
1198 case NETLINK_DNRTMSG:
1199 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1200 case NETLINK_KOBJECT_UEVENT:
1201 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1202 default:
1203 return SECCLASS_NETLINK_SOCKET;
1204 }
1205 case PF_PACKET:
1206 return SECCLASS_PACKET_SOCKET;
1207 case PF_KEY:
1208 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1209 case PF_APPLETALK:
1210 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1211 }
1212
1213 return SECCLASS_SOCKET;
1214}
1215
1216#ifdef CONFIG_PROC_FS
8e6c9693 1217static int selinux_proc_get_sid(struct dentry *dentry,
1da177e4
LT		 1218 u16 tclass,
1219 u32 *sid)
1220{
8e6c9693
LAG		 1221 int rc;
1222 char *buffer, *path;
1da177e4 1223
828dfe1d 1224 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1225 if (!buffer)
1226 return -ENOMEM;
1227
8e6c9693
LAG		 1228 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1229 if (IS_ERR(path))
1230 rc = PTR_ERR(path);
1231 else {
1232 /* each process gets a /proc/PID/ entry. Strip off the
1233 * PID part to get a valid selinux labeling.
1234 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1235 while (path[1] >= '0' && path[1] <= '9') {
1236 path[1] = '/';
1237 path++;
1238 }
1239 rc = security_genfs_sid("proc", path, tclass, sid);
1da177e4 1240 }
1da177e4
LT		 1241 free_page((unsigned long)buffer);
1242 return rc;
1243}
1244#else
8e6c9693 1245static int selinux_proc_get_sid(struct dentry *dentry,
1da177e4
LT		 1246 u16 tclass,
1247 u32 *sid)
1248{
1249 return -EINVAL;
1250}
1251#endif
1252
1253/* The inode's security attributes must be initialized before first use. */
1254static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1255{
1256 struct superblock_security_struct *sbsec = NULL;
1257 struct inode_security_struct *isec = inode->i_security;
1258 u32 sid;
1259 struct dentry *dentry;
1260#define INITCONTEXTLEN 255
1261 char *context = NULL;
1262 unsigned len = 0;
1263 int rc = 0;
1da177e4
LT		 1264
1265 if (isec->initialized)
1266 goto out;
1267
23970741 1268 mutex_lock(&isec->lock);
1da177e4 1269 if (isec->initialized)
23970741 1270 goto out_unlock;
1da177e4
LT		 1271
1272 sbsec = inode->i_sb->s_security;
0d90a7ec 1273 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1274 /* Defer initialization until selinux_complete_init,
1275 after the initial policy is loaded and the security
1276 server is ready to handle calls. */
1277 spin_lock(&sbsec->isec_lock);
1278 if (list_empty(&isec->list))
1279 list_add(&isec->list, &sbsec->isec_head);
1280 spin_unlock(&sbsec->isec_lock);
23970741 1281 goto out_unlock;
1da177e4
LT		 1282 }
1283
1284 switch (sbsec->behavior) {
eb9ae686
DQ		 1285 case SECURITY_FS_USE_NATIVE:
1286 break;
1da177e4
LT		 1287 case SECURITY_FS_USE_XATTR:
1288 if (!inode->i_op->getxattr) {
1289 isec->sid = sbsec->def_sid;
1290 break;
1291 }
1292
1293 /* Need a dentry, since the xattr API requires one.
1294 Life would be simpler if we could just pass the inode. */
1295 if (opt_dentry) {
1296 /* Called from d_instantiate or d_splice_alias. */
1297 dentry = dget(opt_dentry);
1298 } else {
1299 /* Called from selinux_complete_init, try to find a dentry. */
1300 dentry = d_find_alias(inode);
1301 }
1302 if (!dentry) {
df7f54c0
EP		 1303 /*
1304 * this is can be hit on boot when a file is accessed
1305 * before the policy is loaded. When we load policy we
1306 * may find inodes that have no dentry on the
1307 * sbsec->isec_head list. No reason to complain as these
1308 * will get fixed up the next time we go through
1309 * inode_doinit with a dentry, before these inodes could
1310 * be used again by userspace.
1311 */
23970741 1312 goto out_unlock;
1da177e4
LT		 1313 }
1314
1315 len = INITCONTEXTLEN;
4cb912f1 1316 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1317 if (!context) {
1318 rc = -ENOMEM;
1319 dput(dentry);
23970741 1320 goto out_unlock;
1da177e4 1321 }
4cb912f1 1322 context[len] = '\0';
1da177e4
LT		 1323 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1324 context, len);
1325 if (rc == -ERANGE) {
314dabb8
JM		 1326 kfree(context);
1327
1da177e4
LT		 1328 /* Need a larger buffer. Query for the right size. */
1329 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1330 NULL, 0);
1331 if (rc < 0) {
1332 dput(dentry);
23970741 1333 goto out_unlock;
1da177e4 1334 }
1da177e4 1335 len = rc;
4cb912f1 1336 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1337 if (!context) {
1338 rc = -ENOMEM;
1339 dput(dentry);
23970741 1340 goto out_unlock;
1da177e4 1341 }
4cb912f1 1342 context[len] = '\0';
1da177e4
LT		 1343 rc = inode->i_op->getxattr(dentry,
1344 XATTR_NAME_SELINUX,
1345 context, len);
1346 }
1347 dput(dentry);
1348 if (rc < 0) {
1349 if (rc != -ENODATA) {
744ba35e 1350 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1351 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1352 -rc, inode->i_sb->s_id, inode->i_ino);
1353 kfree(context);
23970741 1354 goto out_unlock;
1da177e4
LT		 1355 }
1356 /* Map ENODATA to the default file SID */
1357 sid = sbsec->def_sid;
1358 rc = 0;
1359 } else {
f5c1d5b2 1360 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1361 sbsec->def_sid,
1362 GFP_NOFS);
1da177e4 1363 if (rc) {
4ba0a8ad
EP		 1364 char *dev = inode->i_sb->s_id;
1365 unsigned long ino = inode->i_ino;
1366
1367 if (rc == -EINVAL) {
1368 if (printk_ratelimit())
1369 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1370 "context=%s. This indicates you may need to relabel the inode or the "
1371 "filesystem in question.\n", ino, dev, context);
1372 } else {
1373 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1374 "returned %d for dev=%s ino=%ld\n",
1375 __func__, context, -rc, dev, ino);
1376 }
1da177e4
LT		 1377 kfree(context);
1378 /* Leave with the unlabeled SID */
1379 rc = 0;
1380 break;
1381 }
1382 }
1383 kfree(context);
1384 isec->sid = sid;
1385 break;
1386 case SECURITY_FS_USE_TASK:
1387 isec->sid = isec->task_sid;
1388 break;
1389 case SECURITY_FS_USE_TRANS:
1390 /* Default to the fs SID. */
1391 isec->sid = sbsec->sid;
1392
1393 /* Try to obtain a transition SID. */
1394 isec->sclass = inode_mode_to_security_class(inode->i_mode);
652bb9b0
EP		 1395 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1396 isec->sclass, NULL, &sid);
1da177e4 1397 if (rc)
23970741 1398 goto out_unlock;
1da177e4
LT		 1399 isec->sid = sid;
1400 break;
c312feb2
EP		 1401 case SECURITY_FS_USE_MNTPOINT:
1402 isec->sid = sbsec->mntpoint_sid;
1403 break;
1da177e4 1404 default:
c312feb2 1405 /* Default to the fs superblock SID. */
1da177e4
LT		 1406 isec->sid = sbsec->sid;
1407
0d90a7ec 1408 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
8e6c9693 1409 if (opt_dentry) {
1da177e4 1410 isec->sclass = inode_mode_to_security_class(inode->i_mode);
8e6c9693 1411 rc = selinux_proc_get_sid(opt_dentry,
1da177e4
LT		 1412 isec->sclass,
1413 &sid);
1414 if (rc)
23970741 1415 goto out_unlock;
1da177e4
LT		 1416 isec->sid = sid;
1417 }
1418 }
1419 break;
1420 }
1421
1422 isec->initialized = 1;
1423
23970741
EP		 1424out_unlock:
1425 mutex_unlock(&isec->lock);
1da177e4
LT		 1426out:
1427 if (isec->sclass == SECCLASS_FILE)
1428 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1429 return rc;
1430}
1431
1432/* Convert a Linux signal to an access vector. */
1433static inline u32 signal_to_av(int sig)
1434{
1435 u32 perm = 0;
1436
1437 switch (sig) {
1438 case SIGCHLD:
1439 /* Commonly granted from child to parent. */
1440 perm = PROCESS__SIGCHLD;
1441 break;
1442 case SIGKILL:
1443 /* Cannot be caught or ignored */
1444 perm = PROCESS__SIGKILL;
1445 break;
1446 case SIGSTOP:
1447 /* Cannot be caught or ignored */
1448 perm = PROCESS__SIGSTOP;
1449 break;
1450 default:
1451 /* All other signals. */
1452 perm = PROCESS__SIGNAL;
1453 break;
1454 }
1455
1456 return perm;
1457}
1458
d84f4f99
DH		 1459/*
1460 * Check permission between a pair of credentials
1461 * fork check, ptrace check, etc.
1462 */
1463static int cred_has_perm(const struct cred *actor,
1464 const struct cred *target,
1465 u32 perms)
1466{
1467 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1468
1469 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1470}
1471
275bb41e 1472/*
88e67f3b 1473 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1474 * fork check, ptrace check, etc.
1475 * tsk1 is the actor and tsk2 is the target
3b11a1de 1476 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1477 */
1478static int task_has_perm(const struct task_struct *tsk1,
1479 const struct task_struct *tsk2,
1da177e4
LT		 1480 u32 perms)
1481{
275bb41e
DH		 1482 const struct task_security_struct *__tsec1, *__tsec2;
1483 u32 sid1, sid2;
1da177e4 1484
275bb41e
DH		 1485 rcu_read_lock();
1486 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1487 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1488 rcu_read_unlock();
1489 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1490}
1491
3b11a1de
DH		 1492/*
1493 * Check permission between current and another task, e.g. signal checks,
1494 * fork check, ptrace check, etc.
1495 * current is the actor and tsk2 is the target
1496 * - this uses current's subjective creds
1497 */
1498static int current_has_perm(const struct task_struct *tsk,
1499 u32 perms)
1500{
1501 u32 sid, tsid;
1502
1503 sid = current_sid();
1504 tsid = task_sid(tsk);
1505 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1506}
1507
b68e418c
SS		 1508#if CAP_LAST_CAP > 63
1509#error Fix SELinux to handle capabilities > 63.
1510#endif
1511
1da177e4 1512/* Check whether a task is allowed to use a capability. */
6a9de491 1513static int cred_has_capability(const struct cred *cred,
06112163 1514 int cap, int audit)
1da177e4 1515{
2bf49690 1516 struct common_audit_data ad;
06112163 1517 struct av_decision avd;
b68e418c 1518 u16 sclass;
3699c53c 1519 u32 sid = cred_sid(cred);
b68e418c 1520 u32 av = CAP_TO_MASK(cap);
06112163 1521 int rc;
1da177e4 1522
50c205f5 1523 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1524 ad.u.cap = cap;
1525
b68e418c
SS		 1526 switch (CAP_TO_INDEX(cap)) {
1527 case 0:
1528 sclass = SECCLASS_CAPABILITY;
1529 break;
1530 case 1:
1531 sclass = SECCLASS_CAPABILITY2;
1532 break;
1533 default:
1534 printk(KERN_ERR
1535 "SELinux: out of range capability %d\n", cap);
1536 BUG();
a35c6c83 1537 return -EINVAL;
b68e418c 1538 }
06112163 1539
275bb41e 1540 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1541 if (audit == SECURITY_CAP_AUDIT) {
ab354062 1542 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
9ade0cf4
EP		 1543 if (rc2)
1544 return rc2;
1545 }
06112163 1546 return rc;
1da177e4
LT		 1547}
1548
1549/* Check whether a task is allowed to use a system operation. */
1550static int task_has_system(struct task_struct *tsk,
1551 u32 perms)
1552{
275bb41e 1553 u32 sid = task_sid(tsk);
1da177e4 1554
275bb41e 1555 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1556 SECCLASS_SYSTEM, perms, NULL);
1557}
1558
1559/* Check whether a task has a particular permission to an inode.
1560 The 'adp' parameter is optional and allows other audit
1561 data to be passed (e.g. the dentry). */
88e67f3b 1562static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1563 struct inode *inode,
1564 u32 perms,
19e49834 1565 struct common_audit_data *adp)
1da177e4 1566{
1da177e4 1567 struct inode_security_struct *isec;
275bb41e 1568 u32 sid;
1da177e4 1569
e0e81739
DH		 1570 validate_creds(cred);
1571
828dfe1d 1572 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1573 return 0;
1574
88e67f3b 1575 sid = cred_sid(cred);
1da177e4
LT		 1576 isec = inode->i_security;
1577
19e49834 1578 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1579}
1580
1581/* Same as inode_has_perm, but pass explicit audit data containing
1582 the dentry to help the auditing code to more easily generate the
1583 pathname if needed. */
88e67f3b 1584static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1585 struct dentry *dentry,
1586 u32 av)
1587{
1588 struct inode *inode = dentry->d_inode;
2bf49690 1589 struct common_audit_data ad;
88e67f3b 1590
50c205f5 1591 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1592 ad.u.dentry = dentry;
19e49834 1593 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1594}
1595
1596/* Same as inode_has_perm, but pass explicit audit data containing
1597 the path to help the auditing code to more easily generate the
1598 pathname if needed. */
1599static inline int path_has_perm(const struct cred *cred,
1600 struct path *path,
1601 u32 av)
1602{
1603 struct inode *inode = path->dentry->d_inode;
1604 struct common_audit_data ad;
1605
50c205f5 1606 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1607 ad.u.path = *path;
19e49834 1608 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1609}
1610
13f8e981
DH		 1611/* Same as path_has_perm, but uses the inode from the file struct. */
1612static inline int file_path_has_perm(const struct cred *cred,
1613 struct file *file,
1614 u32 av)
1615{
1616 struct common_audit_data ad;
1617
1618 ad.type = LSM_AUDIT_DATA_PATH;
1619 ad.u.path = file->f_path;
19e49834 1620 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1621}
1622
1da177e4
LT		 1623/* Check whether a task can use an open file descriptor to
1624 access an inode in a given way. Check access to the
1625 descriptor itself, and then use dentry_has_perm to
1626 check a particular permission to the file.
1627 Access to the descriptor is implicitly granted if it
1628 has the same SID as the process. If av is zero, then
1629 access to the file is not checked, e.g. for cases
1630 where only the descriptor is affected like seek. */
88e67f3b
DH		 1631static int file_has_perm(const struct cred *cred,
1632 struct file *file,
1633 u32 av)
1da177e4 1634{
1da177e4 1635 struct file_security_struct *fsec = file->f_security;
496ad9aa 1636 struct inode *inode = file_inode(file);
2bf49690 1637 struct common_audit_data ad;
88e67f3b 1638 u32 sid = cred_sid(cred);
1da177e4
LT		 1639 int rc;
1640
50c205f5 1641 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 1642 ad.u.path = file->f_path;
1da177e4 1643
275bb41e
DH		 1644 if (sid != fsec->sid) {
1645 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1646 SECCLASS_FD,
1647 FD__USE,
1648 &ad);
1649 if (rc)
88e67f3b 1650 goto out;
1da177e4
LT		 1651 }
1652
1653 /* av is zero if only checking access to the descriptor. */
88e67f3b 1654 rc = 0;
1da177e4 1655 if (av)
19e49834 1656 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1657
88e67f3b
DH		 1658out:
1659 return rc;
1da177e4
LT		 1660}
1661
1662/* Check whether a task can create a file. */
1663static int may_create(struct inode *dir,
1664 struct dentry *dentry,
1665 u16 tclass)
1666{
5fb49870 1667 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1668 struct inode_security_struct *dsec;
1669 struct superblock_security_struct *sbsec;
275bb41e 1670 u32 sid, newsid;
2bf49690 1671 struct common_audit_data ad;
1da177e4
LT		 1672 int rc;
1673
1da177e4
LT		 1674 dsec = dir->i_security;
1675 sbsec = dir->i_sb->s_security;
1676
275bb41e
DH		 1677 sid = tsec->sid;
1678 newsid = tsec->create_sid;
1679
50c205f5 1680 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1681 ad.u.dentry = dentry;
1da177e4 1682
275bb41e 1683 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1684 DIR__ADD_NAME | DIR__SEARCH,
1685 &ad);
1686 if (rc)
1687 return rc;
1688
12f348b9 1689 if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
cb1e922f
EP		 1690 rc = security_transition_sid(sid, dsec->sid, tclass,
1691 &dentry->d_name, &newsid);
1da177e4
LT		 1692 if (rc)
1693 return rc;
1694 }
1695
275bb41e 1696 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1697 if (rc)
1698 return rc;
1699
1700 return avc_has_perm(newsid, sbsec->sid,
1701 SECCLASS_FILESYSTEM,
1702 FILESYSTEM__ASSOCIATE, &ad);
1703}
1704
4eb582cf
ML		 1705/* Check whether a task can create a key. */
1706static int may_create_key(u32 ksid,
1707 struct task_struct *ctx)
1708{
275bb41e 1709 u32 sid = task_sid(ctx);
4eb582cf 1710
275bb41e 1711 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1712}
1713
828dfe1d
EP		 1714#define MAY_LINK 0
1715#define MAY_UNLINK 1
1716#define MAY_RMDIR 2
1da177e4
LT		 1717
1718/* Check whether a task can link, unlink, or rmdir a file/directory. */
1719static int may_link(struct inode *dir,
1720 struct dentry *dentry,
1721 int kind)
1722
1723{
1da177e4 1724 struct inode_security_struct *dsec, *isec;
2bf49690 1725 struct common_audit_data ad;
275bb41e 1726 u32 sid = current_sid();
1da177e4
LT		 1727 u32 av;
1728 int rc;
1729
1da177e4
LT		 1730 dsec = dir->i_security;
1731 isec = dentry->d_inode->i_security;
1732
50c205f5 1733 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1734 ad.u.dentry = dentry;
1da177e4
LT		 1735
1736 av = DIR__SEARCH;
1737 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1738 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1739 if (rc)
1740 return rc;
1741
1742 switch (kind) {
1743 case MAY_LINK:
1744 av = FILE__LINK;
1745 break;
1746 case MAY_UNLINK:
1747 av = FILE__UNLINK;
1748 break;
1749 case MAY_RMDIR:
1750 av = DIR__RMDIR;
1751 break;
1752 default:
744ba35e
EP		 1753 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1754 __func__, kind);
1da177e4
LT		 1755 return 0;
1756 }
1757
275bb41e 1758 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1759 return rc;
1760}
1761
1762static inline int may_rename(struct inode *old_dir,
1763 struct dentry *old_dentry,
1764 struct inode *new_dir,
1765 struct dentry *new_dentry)
1766{
1da177e4 1767 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1768 struct common_audit_data ad;
275bb41e 1769 u32 sid = current_sid();
1da177e4
LT		 1770 u32 av;
1771 int old_is_dir, new_is_dir;
1772 int rc;
1773
1da177e4
LT		 1774 old_dsec = old_dir->i_security;
1775 old_isec = old_dentry->d_inode->i_security;
1776 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1777 new_dsec = new_dir->i_security;
1778
50c205f5 1779 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1780
a269434d 1781 ad.u.dentry = old_dentry;
275bb41e 1782 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1783 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1784 if (rc)
1785 return rc;
275bb41e 1786 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1787 old_isec->sclass, FILE__RENAME, &ad);
1788 if (rc)
1789 return rc;
1790 if (old_is_dir && new_dir != old_dir) {
275bb41e 1791 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1792 old_isec->sclass, DIR__REPARENT, &ad);
1793 if (rc)
1794 return rc;
1795 }
1796
a269434d 1797 ad.u.dentry = new_dentry;
1da177e4
LT		 1798 av = DIR__ADD_NAME | DIR__SEARCH;
1799 if (new_dentry->d_inode)
1800 av |= DIR__REMOVE_NAME;
275bb41e 1801 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1802 if (rc)
1803 return rc;
1804 if (new_dentry->d_inode) {
1805 new_isec = new_dentry->d_inode->i_security;
1806 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
275bb41e 1807 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1808 new_isec->sclass,
1809 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1810 if (rc)
1811 return rc;
1812 }
1813
1814 return 0;
1815}
1816
1817/* Check whether a task can perform a filesystem operation. */
88e67f3b 1818static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1819 struct super_block *sb,
1820 u32 perms,
2bf49690 1821 struct common_audit_data *ad)
1da177e4 1822{
1da177e4 1823 struct superblock_security_struct *sbsec;
88e67f3b 1824 u32 sid = cred_sid(cred);
1da177e4 1825
1da177e4 1826 sbsec = sb->s_security;
275bb41e 1827 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1828}
1829
1830/* Convert a Linux mode and permission mask to an access vector. */
1831static inline u32 file_mask_to_av(int mode, int mask)
1832{
1833 u32 av = 0;
1834
dba19c60 1835 if (!S_ISDIR(mode)) {
1da177e4
LT		 1836 if (mask & MAY_EXEC)
1837 av |= FILE__EXECUTE;
1838 if (mask & MAY_READ)
1839 av |= FILE__READ;
1840
1841 if (mask & MAY_APPEND)
1842 av |= FILE__APPEND;
1843 else if (mask & MAY_WRITE)
1844 av |= FILE__WRITE;
1845
1846 } else {
1847 if (mask & MAY_EXEC)
1848 av |= DIR__SEARCH;
1849 if (mask & MAY_WRITE)
1850 av |= DIR__WRITE;
1851 if (mask & MAY_READ)
1852 av |= DIR__READ;
1853 }
1854
1855 return av;
1856}
1857
8b6a5a37
EP		 1858/* Convert a Linux file to an access vector. */
1859static inline u32 file_to_av(struct file *file)
1860{
1861 u32 av = 0;
1862
1863 if (file->f_mode & FMODE_READ)
1864 av |= FILE__READ;
1865 if (file->f_mode & FMODE_WRITE) {
1866 if (file->f_flags & O_APPEND)
1867 av |= FILE__APPEND;
1868 else
1869 av |= FILE__WRITE;
1870 }
1871 if (!av) {
1872 /*
1873 * Special file opened with flags 3 for ioctl-only use.
1874 */
1875 av = FILE__IOCTL;
1876 }
1877
1878 return av;
1879}
1880
b0c636b9 1881/*
8b6a5a37 1882 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 1883 * open permission.
1884 */
8b6a5a37 1885static inline u32 open_file_to_av(struct file *file)
b0c636b9 1886{
8b6a5a37 1887 u32 av = file_to_av(file);
b0c636b9 1888
49b7b8de
EP		 1889 if (selinux_policycap_openperm)
1890 av |= FILE__OPEN;
1891
b0c636b9
EP		 1892 return av;
1893}
1894
1da177e4
LT		 1895/* Hook functions begin here. */
1896
9e48858f 1897static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 1898 unsigned int mode)
1da177e4 1899{
1da177e4
LT		 1900 int rc;
1901
9e48858f 1902 rc = cap_ptrace_access_check(child, mode);
1da177e4
LT		 1903 if (rc)
1904 return rc;
1905
69f594a3 1906 if (mode & PTRACE_MODE_READ) {
275bb41e
DH		 1907 u32 sid = current_sid();
1908 u32 csid = task_sid(child);
1909 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 1910 }
1911
3b11a1de 1912 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 1913}
1914
1915static int selinux_ptrace_traceme(struct task_struct *parent)
1916{
1917 int rc;
1918
200ac532 1919 rc = cap_ptrace_traceme(parent);
5cd9c58f
DH		 1920 if (rc)
1921 return rc;
1922
1923 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 1924}
1925
1926static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 1927 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4
LT		 1928{
1929 int error;
1930
3b11a1de 1931 error = current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 1932 if (error)
1933 return error;
1934
200ac532 1935 return cap_capget(target, effective, inheritable, permitted);
1da177e4
LT		 1936}
1937
d84f4f99
DH		 1938static int selinux_capset(struct cred *new, const struct cred *old,
1939 const kernel_cap_t *effective,
1940 const kernel_cap_t *inheritable,
1941 const kernel_cap_t *permitted)
1da177e4
LT		 1942{
1943 int error;
1944
200ac532 1945 error = cap_capset(new, old,
d84f4f99 1946 effective, inheritable, permitted);
1da177e4
LT		 1947 if (error)
1948 return error;
1949
d84f4f99 1950 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 1951}
1952
5626d3e8
JM		 1953/*
1954 * (This comment used to live with the selinux_task_setuid hook,
1955 * which was removed).
1956 *
1957 * Since setuid only affects the current process, and since the SELinux
1958 * controls are not based on the Linux identity attributes, SELinux does not
1959 * need to control this operation. However, SELinux does control the use of
1960 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1961 */
1962
6a9de491
EP		 1963static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1964 int cap, int audit)
1da177e4
LT		 1965{
1966 int rc;
1967
6a9de491 1968 rc = cap_capable(cred, ns, cap, audit);
1da177e4
LT		 1969 if (rc)
1970 return rc;
1971
6a9de491 1972 return cred_has_capability(cred, cap, audit);
1da177e4
LT		 1973}
1974
1da177e4
LT		 1975static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1976{
88e67f3b 1977 const struct cred *cred = current_cred();
1da177e4
LT		 1978 int rc = 0;
1979
1980 if (!sb)
1981 return 0;
1982
1983 switch (cmds) {
828dfe1d
EP		 1984 case Q_SYNC:
1985 case Q_QUOTAON:
1986 case Q_QUOTAOFF:
1987 case Q_SETINFO:
1988 case Q_SETQUOTA:
88e67f3b 1989 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 1990 break;
1991 case Q_GETFMT:
1992 case Q_GETINFO:
1993 case Q_GETQUOTA:
88e67f3b 1994 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 1995 break;
1996 default:
1997 rc = 0; /* let the kernel handle invalid cmds */
1998 break;
1da177e4
LT		 1999 }
2000 return rc;
2001}
2002
2003static int selinux_quota_on(struct dentry *dentry)
2004{
88e67f3b
DH		 2005 const struct cred *cred = current_cred();
2006
2875fa00 2007 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2008}
2009
12b3052c 2010static int selinux_syslog(int type)
1da177e4
LT		 2011{
2012 int rc;
2013
1da177e4 2014 switch (type) {
d78ca3cd
KC		 2015 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2016 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
828dfe1d
EP		 2017 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2018 break;
d78ca3cd
KC		 2019 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2020 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2021 /* Set level of messages printed to console */
2022 case SYSLOG_ACTION_CONSOLE_LEVEL:
828dfe1d
EP		 2023 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2024 break;
d78ca3cd
KC		 2025 case SYSLOG_ACTION_CLOSE: /* Close log */
2026 case SYSLOG_ACTION_OPEN: /* Open log */
2027 case SYSLOG_ACTION_READ: /* Read from log */
2028 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2029 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
828dfe1d
EP		 2030 default:
2031 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2032 break;
1da177e4
LT		 2033 }
2034 return rc;
2035}
2036
2037/*
2038 * Check that a process has enough memory to allocate a new virtual
2039 * mapping. 0 means there is enough memory for the allocation to
2040 * succeed and -ENOMEM implies there is not.
2041 *
1da177e4
LT		 2042 * Do not audit the selinux permission check, as this is applied to all
2043 * processes that allocate mappings.
2044 */
34b4e4aa 2045static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2046{
2047 int rc, cap_sys_admin = 0;
1da177e4 2048
6a9de491 2049 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
3699c53c 2050 SECURITY_CAP_NOAUDIT);
1da177e4
LT		 2051 if (rc == 0)
2052 cap_sys_admin = 1;
2053
34b4e4aa 2054 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 2055}
2056
2057/* binprm security operations */
2058
a6f76f23 2059static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2060{
a6f76f23
DH		 2061 const struct task_security_struct *old_tsec;
2062 struct task_security_struct *new_tsec;
1da177e4 2063 struct inode_security_struct *isec;
2bf49690 2064 struct common_audit_data ad;
496ad9aa 2065 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2066 int rc;
2067
200ac532 2068 rc = cap_bprm_set_creds(bprm);
1da177e4
LT		 2069 if (rc)
2070 return rc;
2071
a6f76f23
DH		 2072 /* SELinux context only depends on initial program or script and not
2073 * the script interpreter */
2074 if (bprm->cred_prepared)
1da177e4
LT		 2075 return 0;
2076
a6f76f23
DH		 2077 old_tsec = current_security();
2078 new_tsec = bprm->cred->security;
1da177e4
LT		 2079 isec = inode->i_security;
2080
2081 /* Default to the current task SID. */
a6f76f23
DH		 2082 new_tsec->sid = old_tsec->sid;
2083 new_tsec->osid = old_tsec->sid;
1da177e4 2084
28eba5bf 2085 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2086 new_tsec->create_sid = 0;
2087 new_tsec->keycreate_sid = 0;
2088 new_tsec->sockcreate_sid = 0;
1da177e4 2089
a6f76f23
DH		 2090 if (old_tsec->exec_sid) {
2091 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2092 /* Reset exec SID on execve. */
a6f76f23 2093 new_tsec->exec_sid = 0;
259e5e6c
AL		 2094
2095 /*
2096 * Minimize confusion: if no_new_privs and a transition is
2097 * explicitly requested, then fail the exec.
2098 */
2099 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
2100 return -EPERM;
1da177e4
LT		 2101 } else {
2102 /* Check for a default transition on this program. */
a6f76f23 2103 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2104 SECCLASS_PROCESS, NULL,
2105 &new_tsec->sid);
1da177e4
LT		 2106 if (rc)
2107 return rc;
2108 }
2109
50c205f5 2110 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 2111 ad.u.path = bprm->file->f_path;
1da177e4 2112
259e5e6c
AL		 2113 if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
2114 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
a6f76f23 2115 new_tsec->sid = old_tsec->sid;
1da177e4 2116
a6f76f23
DH		 2117 if (new_tsec->sid == old_tsec->sid) {
2118 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2119 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2120 if (rc)
2121 return rc;
2122 } else {
2123 /* Check permissions for the transition. */
a6f76f23 2124 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2125 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2126 if (rc)
2127 return rc;
2128
a6f76f23 2129 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2130 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2131 if (rc)
2132 return rc;
2133
a6f76f23
DH		 2134 /* Check for shared state */
2135 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2136 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2137 SECCLASS_PROCESS, PROCESS__SHARE,
2138 NULL);
2139 if (rc)
2140 return -EPERM;
2141 }
2142
2143 /* Make sure that anyone attempting to ptrace over a task that
2144 * changes its SID has the appropriate permit */
2145 if (bprm->unsafe &
2146 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2147 struct task_struct *tracer;
2148 struct task_security_struct *sec;
2149 u32 ptsid = 0;
2150
2151 rcu_read_lock();
06d98473 2152 tracer = ptrace_parent(current);
a6f76f23
DH		 2153 if (likely(tracer != NULL)) {
2154 sec = __task_cred(tracer)->security;
2155 ptsid = sec->sid;
2156 }
2157 rcu_read_unlock();
2158
2159 if (ptsid != 0) {
2160 rc = avc_has_perm(ptsid, new_tsec->sid,
2161 SECCLASS_PROCESS,
2162 PROCESS__PTRACE, NULL);
2163 if (rc)
2164 return -EPERM;
2165 }
2166 }
1da177e4 2167
a6f76f23
DH		 2168 /* Clear any possibly unsafe personality bits on exec: */
2169 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2170 }
2171
1da177e4
LT		 2172 return 0;
2173}
2174
828dfe1d 2175static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2176{
5fb49870 2177 const struct task_security_struct *tsec = current_security();
275bb41e 2178 u32 sid, osid;
1da177e4
LT		 2179 int atsecure = 0;
2180
275bb41e
DH		 2181 sid = tsec->sid;
2182 osid = tsec->osid;
2183
2184 if (osid != sid) {
1da177e4
LT		 2185 /* Enable secure mode for SIDs transitions unless
2186 the noatsecure permission is granted between
2187 the two SIDs, i.e. ahp returns 0. */
275bb41e 2188 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2189 SECCLASS_PROCESS,
2190 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2191 }
2192
200ac532 2193 return (atsecure || cap_bprm_secureexec(bprm));
1da177e4
LT		 2194}
2195
c3c073f8
AV		 2196static int match_file(const void *p, struct file *file, unsigned fd)
2197{
2198 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2199}
2200
1da177e4 2201/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2202static inline void flush_unauthorized_files(const struct cred *cred,
2203 struct files_struct *files)
1da177e4 2204{
1da177e4 2205 struct file *file, *devnull = NULL;
b20c8122 2206 struct tty_struct *tty;
24ec839c 2207 int drop_tty = 0;
c3c073f8 2208 unsigned n;
1da177e4 2209
24ec839c 2210 tty = get_current_tty();
1da177e4 2211 if (tty) {
ee2ffa0d 2212 spin_lock(&tty_files_lock);
37dd0bd0 2213 if (!list_empty(&tty->tty_files)) {
d996b62a 2214 struct tty_file_private *file_priv;
37dd0bd0 2215
1da177e4 2216 /* Revalidate access to controlling tty.
13f8e981
DH		 2217 Use file_path_has_perm on the tty path directly
2218 rather than using file_has_perm, as this particular
2219 open file may belong to another process and we are
2220 only interested in the inode-based check here. */
d996b62a
NP		 2221 file_priv = list_first_entry(&tty->tty_files,
2222 struct tty_file_private, list);
2223 file = file_priv->file;
13f8e981 2224 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2225 drop_tty = 1;
1da177e4 2226 }
ee2ffa0d 2227 spin_unlock(&tty_files_lock);
452a00d2 2228 tty_kref_put(tty);
1da177e4 2229 }
98a27ba4
EB		 2230 /* Reset controlling tty. */
2231 if (drop_tty)
2232 no_tty();
1da177e4
LT		 2233
2234 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2235 n = iterate_fd(files, 0, match_file, cred);
2236 if (!n) /* none found? */
2237 return;
1da177e4 2238
c3c073f8 2239 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2240 if (IS_ERR(devnull))
2241 devnull = NULL;
2242 /* replace all the matching ones with this */
2243 do {
2244 replace_fd(n - 1, devnull, 0);
2245 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2246 if (devnull)
c3c073f8 2247 fput(devnull);
1da177e4
LT		 2248}
2249
a6f76f23
DH		 2250/*
2251 * Prepare a process for imminent new credential changes due to exec
2252 */
2253static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2254{
a6f76f23
DH		 2255 struct task_security_struct *new_tsec;
2256 struct rlimit *rlim, *initrlim;
2257 int rc, i;
d84f4f99 2258
a6f76f23
DH		 2259 new_tsec = bprm->cred->security;
2260 if (new_tsec->sid == new_tsec->osid)
2261 return;
1da177e4 2262
a6f76f23
DH		 2263 /* Close files for which the new task SID is not authorized. */
2264 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2265
a6f76f23
DH		 2266 /* Always clear parent death signal on SID transitions. */
2267 current->pdeath_signal = 0;
0356357c 2268
a6f76f23
DH		 2269 /* Check whether the new SID can inherit resource limits from the old
2270 * SID. If not, reset all soft limits to the lower of the current
2271 * task's hard limit and the init task's soft limit.
2272 *
2273 * Note that the setting of hard limits (even to lower them) can be
2274 * controlled by the setrlimit check. The inclusion of the init task's
2275 * soft limit into the computation is to avoid resetting soft limits
2276 * higher than the default soft limit for cases where the default is
2277 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2278 */
2279 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2280 PROCESS__RLIMITINH, NULL);
2281 if (rc) {
eb2d55a3
ON		 2282 /* protect against do_prlimit() */
2283 task_lock(current);
a6f76f23
DH		 2284 for (i = 0; i < RLIM_NLIMITS; i++) {
2285 rlim = current->signal->rlim + i;
2286 initrlim = init_task.signal->rlim + i;
2287 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2288 }
eb2d55a3
ON		 2289 task_unlock(current);
2290 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2291 }
2292}
2293
2294/*
a6f76f23
DH		 2295 * Clean up the process immediately after the installation of new credentials
2296 * due to exec
1da177e4 2297 */
a6f76f23 2298static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2299{
a6f76f23 2300 const struct task_security_struct *tsec = current_security();
1da177e4 2301 struct itimerval itimer;
a6f76f23 2302 u32 osid, sid;
1da177e4
LT		 2303 int rc, i;
2304
a6f76f23
DH		 2305 osid = tsec->osid;
2306 sid = tsec->sid;
2307
2308 if (sid == osid)
1da177e4
LT		 2309 return;
2310
a6f76f23
DH		 2311 /* Check whether the new SID can inherit signal state from the old SID.
2312 * If not, clear itimers to avoid subsequent signal generation and
2313 * flush and unblock signals.
2314 *
2315 * This must occur _after_ the task SID has been updated so that any
2316 * kill done after the flush will be checked against the new SID.
2317 */
2318 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4
LT		 2319 if (rc) {
2320 memset(&itimer, 0, sizeof itimer);
2321 for (i = 0; i < 3; i++)
2322 do_setitimer(i, &itimer, NULL);
1da177e4 2323 spin_lock_irq(&current->sighand->siglock);
3bcac026
DH		 2324 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2325 __flush_signals(current);
2326 flush_signal_handlers(current, 1);
2327 sigemptyset(&current->blocked);
2328 }
1da177e4
LT		 2329 spin_unlock_irq(&current->sighand->siglock);
2330 }
2331
a6f76f23
DH		 2332 /* Wake up the parent if it is waiting so that it can recheck
2333 * wait permission to the new task SID. */
ecd6de3c 2334 read_lock(&tasklist_lock);
0b7570e7 2335 __wake_up_parent(current, current->real_parent);
ecd6de3c 2336 read_unlock(&tasklist_lock);
1da177e4
LT		 2337}
2338
2339/* superblock security operations */
2340
2341static int selinux_sb_alloc_security(struct super_block *sb)
2342{
2343 return superblock_alloc_security(sb);
2344}
2345
2346static void selinux_sb_free_security(struct super_block *sb)
2347{
2348 superblock_free_security(sb);
2349}
2350
2351static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2352{
2353 if (plen > olen)
2354 return 0;
2355
2356 return !memcmp(prefix, option, plen);
2357}
2358
2359static inline int selinux_option(char *option, int len)
2360{
832cbd9a
EP		 2361 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2362 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2363 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2364 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2365 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2366}
2367
2368static inline void take_option(char **to, char *from, int *first, int len)
2369{
2370 if (!*first) {
2371 **to = ',';
2372 *to += 1;
3528a953 2373 } else
1da177e4
LT		 2374 *first = 0;
2375 memcpy(*to, from, len);
2376 *to += len;
2377}
2378
828dfe1d
EP		 2379static inline void take_selinux_option(char **to, char *from, int *first,
2380 int len)
3528a953
CO		 2381{
2382 int current_size = 0;
2383
2384 if (!*first) {
2385 **to = '|';
2386 *to += 1;
828dfe1d 2387 } else
3528a953
CO		 2388 *first = 0;
2389
2390 while (current_size < len) {
2391 if (*from != '"') {
2392 **to = *from;
2393 *to += 1;
2394 }
2395 from += 1;
2396 current_size += 1;
2397 }
2398}
2399
e0007529 2400static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2401{
2402 int fnosec, fsec, rc = 0;
2403 char *in_save, *in_curr, *in_end;
2404 char *sec_curr, *nosec_save, *nosec;
3528a953 2405 int open_quote = 0;
1da177e4
LT		 2406
2407 in_curr = orig;
2408 sec_curr = copy;
2409
1da177e4
LT		 2410 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2411 if (!nosec) {
2412 rc = -ENOMEM;
2413 goto out;
2414 }
2415
2416 nosec_save = nosec;
2417 fnosec = fsec = 1;
2418 in_save = in_end = orig;
2419
2420 do {
3528a953
CO		 2421 if (*in_end == '"')
2422 open_quote = !open_quote;
2423 if ((*in_end == ',' && open_quote == 0) ||
2424 *in_end == '\0') {
1da177e4
LT		 2425 int len = in_end - in_curr;
2426
2427 if (selinux_option(in_curr, len))
3528a953 2428 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2429 else
2430 take_option(&nosec, in_curr, &fnosec, len);
2431
2432 in_curr = in_end + 1;
2433 }
2434 } while (*in_end++);
2435
6931dfc9 2436 strcpy(in_save, nosec_save);
da3caa20 2437 free_page((unsigned long)nosec_save);
1da177e4
LT		 2438out:
2439 return rc;
2440}
2441
026eb167
EP		 2442static int selinux_sb_remount(struct super_block *sb, void *data)
2443{
2444 int rc, i, *flags;
2445 struct security_mnt_opts opts;
2446 char *secdata, **mount_options;
2447 struct superblock_security_struct *sbsec = sb->s_security;
2448
2449 if (!(sbsec->flags & SE_SBINITIALIZED))
2450 return 0;
2451
2452 if (!data)
2453 return 0;
2454
2455 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2456 return 0;
2457
2458 security_init_mnt_opts(&opts);
2459 secdata = alloc_secdata();
2460 if (!secdata)
2461 return -ENOMEM;
2462 rc = selinux_sb_copy_data(data, secdata);
2463 if (rc)
2464 goto out_free_secdata;
2465
2466 rc = selinux_parse_opts_str(secdata, &opts);
2467 if (rc)
2468 goto out_free_secdata;
2469
2470 mount_options = opts.mnt_opts;
2471 flags = opts.mnt_opts_flags;
2472
2473 for (i = 0; i < opts.num_mnt_opts; i++) {
2474 u32 sid;
2475 size_t len;
2476
12f348b9 2477 if (flags[i] == SBLABEL_MNT)
026eb167
EP		 2478 continue;
2479 len = strlen(mount_options[i]);
2480 rc = security_context_to_sid(mount_options[i], len, &sid);
2481 if (rc) {
2482 printk(KERN_WARNING "SELinux: security_context_to_sid"
102aefdd
AA		 2483 "(%s) failed for (dev %s, type "SB_TYPE_FMT") errno=%d\n",
2484 mount_options[i], sb->s_id, SB_TYPE_ARGS(sb), rc);
026eb167
EP		 2485 goto out_free_opts;
2486 }
2487 rc = -EINVAL;
2488 switch (flags[i]) {
2489 case FSCONTEXT_MNT:
2490 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2491 goto out_bad_option;
2492 break;
2493 case CONTEXT_MNT:
2494 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2495 goto out_bad_option;
2496 break;
2497 case ROOTCONTEXT_MNT: {
2498 struct inode_security_struct *root_isec;
2499 root_isec = sb->s_root->d_inode->i_security;
2500
2501 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2502 goto out_bad_option;
2503 break;
2504 }
2505 case DEFCONTEXT_MNT:
2506 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2507 goto out_bad_option;
2508 break;
2509 default:
2510 goto out_free_opts;
2511 }
2512 }
2513
2514 rc = 0;
2515out_free_opts:
2516 security_free_mnt_opts(&opts);
2517out_free_secdata:
2518 free_secdata(secdata);
2519 return rc;
2520out_bad_option:
2521 printk(KERN_WARNING "SELinux: unable to change security options "
102aefdd
AA		 2522 "during remount (dev %s, type "SB_TYPE_FMT")\n", sb->s_id,
2523 SB_TYPE_ARGS(sb));
026eb167
EP		 2524 goto out_free_opts;
2525}
2526
12204e24 2527static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2528{
88e67f3b 2529 const struct cred *cred = current_cred();
2bf49690 2530 struct common_audit_data ad;
1da177e4
LT		 2531 int rc;
2532
2533 rc = superblock_doinit(sb, data);
2534 if (rc)
2535 return rc;
2536
74192246
JM		 2537 /* Allow all mounts performed by the kernel */
2538 if (flags & MS_KERNMOUNT)
2539 return 0;
2540
50c205f5 2541 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2542 ad.u.dentry = sb->s_root;
88e67f3b 2543 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2544}
2545
726c3342 2546static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2547{
88e67f3b 2548 const struct cred *cred = current_cred();
2bf49690 2549 struct common_audit_data ad;
1da177e4 2550
50c205f5 2551 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2552 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2553 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2554}
2555
808d4e3c 2556static int selinux_mount(const char *dev_name,
b5266eb4 2557 struct path *path,
808d4e3c 2558 const char *type,
828dfe1d
EP		 2559 unsigned long flags,
2560 void *data)
1da177e4 2561{
88e67f3b 2562 const struct cred *cred = current_cred();
1da177e4
LT		 2563
2564 if (flags & MS_REMOUNT)
d8c9584e 2565 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2566 FILESYSTEM__REMOUNT, NULL);
1da177e4 2567 else
2875fa00 2568 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2569}
2570
2571static int selinux_umount(struct vfsmount *mnt, int flags)
2572{
88e67f3b 2573 const struct cred *cred = current_cred();
1da177e4 2574
88e67f3b 2575 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2576 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2577}
2578
2579/* inode security operations */
2580
2581static int selinux_inode_alloc_security(struct inode *inode)
2582{
2583 return inode_alloc_security(inode);
2584}
2585
2586static void selinux_inode_free_security(struct inode *inode)
2587{
2588 inode_free_security(inode);
2589}
2590
d47be3df
DQ		 2591static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2592 struct qstr *name, void **ctx,
2593 u32 *ctxlen)
2594{
2595 const struct cred *cred = current_cred();
2596 struct task_security_struct *tsec;
2597 struct inode_security_struct *dsec;
2598 struct superblock_security_struct *sbsec;
2599 struct inode *dir = dentry->d_parent->d_inode;
2600 u32 newsid;
2601 int rc;
2602
2603 tsec = cred->security;
2604 dsec = dir->i_security;
2605 sbsec = dir->i_sb->s_security;
2606
2607 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2608 newsid = tsec->create_sid;
2609 } else {
2610 rc = security_transition_sid(tsec->sid, dsec->sid,
2611 inode_mode_to_security_class(mode),
2612 name,
2613 &newsid);
2614 if (rc) {
2615 printk(KERN_WARNING
2616 "%s: security_transition_sid failed, rc=%d\n",
2617 __func__, -rc);
2618 return rc;
2619 }
2620 }
2621
2622 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2623}
2624
5e41ff9e 2625static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2626 const struct qstr *qstr,
2627 const char **name,
2a7dba39 2628 void **value, size_t *len)
5e41ff9e 2629{
5fb49870 2630 const struct task_security_struct *tsec = current_security();
5e41ff9e
SS		 2631 struct inode_security_struct *dsec;
2632 struct superblock_security_struct *sbsec;
275bb41e 2633 u32 sid, newsid, clen;
5e41ff9e 2634 int rc;
9548906b 2635 char *context;
5e41ff9e 2636
5e41ff9e
SS		 2637 dsec = dir->i_security;
2638 sbsec = dir->i_sb->s_security;
5e41ff9e 2639
275bb41e
DH		 2640 sid = tsec->sid;
2641 newsid = tsec->create_sid;
2642
415103f9
EP		 2643 if ((sbsec->flags & SE_SBINITIALIZED) &&
2644 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2645 newsid = sbsec->mntpoint_sid;
12f348b9 2646 else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
275bb41e 2647 rc = security_transition_sid(sid, dsec->sid,
5e41ff9e 2648 inode_mode_to_security_class(inode->i_mode),
652bb9b0 2649 qstr, &newsid);
5e41ff9e
SS		 2650 if (rc) {
2651 printk(KERN_WARNING "%s: "
2652 "security_transition_sid failed, rc=%d (dev=%s "
2653 "ino=%ld)\n",
dd6f953a 2654 __func__,
5e41ff9e
SS		 2655 -rc, inode->i_sb->s_id, inode->i_ino);
2656 return rc;
2657 }
2658 }
2659
296fddf7 2660 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2661 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2662 struct inode_security_struct *isec = inode->i_security;
2663 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2664 isec->sid = newsid;
2665 isec->initialized = 1;
2666 }
5e41ff9e 2667
12f348b9 2668 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2669 return -EOPNOTSUPP;
2670
9548906b
TH		 2671 if (name)
2672 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2673
570bc1c2 2674 if (value && len) {
12b29f34 2675 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 2676 if (rc)
570bc1c2 2677 return rc;
570bc1c2
SS		 2678 *value = context;
2679 *len = clen;
5e41ff9e 2680 }
5e41ff9e 2681
5e41ff9e
SS		 2682 return 0;
2683}
2684
4acdaf27 2685static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2686{
2687 return may_create(dir, dentry, SECCLASS_FILE);
2688}
2689
1da177e4
LT		 2690static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2691{
1da177e4
LT		 2692 return may_link(dir, old_dentry, MAY_LINK);
2693}
2694
1da177e4
LT		 2695static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2696{
1da177e4
LT		 2697 return may_link(dir, dentry, MAY_UNLINK);
2698}
2699
2700static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2701{
2702 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2703}
2704
18bb1db3 2705static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2706{
2707 return may_create(dir, dentry, SECCLASS_DIR);
2708}
2709
1da177e4
LT		 2710static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2711{
2712 return may_link(dir, dentry, MAY_RMDIR);
2713}
2714
1a67aafb 2715static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2716{
1da177e4
LT		 2717 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2718}
2719
1da177e4 2720static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2721 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2722{
2723 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2724}
2725
1da177e4
LT		 2726static int selinux_inode_readlink(struct dentry *dentry)
2727{
88e67f3b
DH		 2728 const struct cred *cred = current_cred();
2729
2875fa00 2730 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2731}
2732
2733static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2734{
88e67f3b 2735 const struct cred *cred = current_cred();
1da177e4 2736
2875fa00 2737 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2738}
2739
d4cf970d
EP		 2740static noinline int audit_inode_permission(struct inode *inode,
2741 u32 perms, u32 audited, u32 denied,
2742 unsigned flags)
1da177e4 2743{
b782e0a6 2744 struct common_audit_data ad;
d4cf970d
EP		 2745 struct inode_security_struct *isec = inode->i_security;
2746 int rc;
2747
50c205f5 2748 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 2749 ad.u.inode = inode;
2750
2751 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2752 audited, denied, &ad, flags);
2753 if (rc)
2754 return rc;
2755 return 0;
2756}
2757
e74f71eb 2758static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2759{
88e67f3b 2760 const struct cred *cred = current_cred();
b782e0a6
EP		 2761 u32 perms;
2762 bool from_access;
cf1dd1da 2763 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 2764 struct inode_security_struct *isec;
2765 u32 sid;
2766 struct av_decision avd;
2767 int rc, rc2;
2768 u32 audited, denied;
1da177e4 2769
b782e0a6 2770 from_access = mask & MAY_ACCESS;
d09ca739
EP		 2771 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2772
b782e0a6
EP		 2773 /* No permission to check. Existence test. */
2774 if (!mask)
1da177e4 2775 return 0;
1da177e4 2776
2e334057 2777 validate_creds(cred);
b782e0a6 2778
2e334057
EP		 2779 if (unlikely(IS_PRIVATE(inode)))
2780 return 0;
b782e0a6
EP		 2781
2782 perms = file_mask_to_av(inode->i_mode, mask);
2783
2e334057
EP		 2784 sid = cred_sid(cred);
2785 isec = inode->i_security;
2786
2787 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2788 audited = avc_audit_required(perms, &avd, rc,
2789 from_access ? FILE__AUDIT_ACCESS : 0,
2790 &denied);
2791 if (likely(!audited))
2792 return rc;
2793
d4cf970d 2794 rc2 = audit_inode_permission(inode, perms, audited, denied, flags);
2e334057
EP		 2795 if (rc2)
2796 return rc2;
2797 return rc;
1da177e4
LT		 2798}
2799
2800static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2801{
88e67f3b 2802 const struct cred *cred = current_cred();
bc6a6008 2803 unsigned int ia_valid = iattr->ia_valid;
95dbf739 2804 __u32 av = FILE__WRITE;
1da177e4 2805
bc6a6008
AW		 2806 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2807 if (ia_valid & ATTR_FORCE) {
2808 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2809 ATTR_FORCE);
2810 if (!ia_valid)
2811 return 0;
2812 }
1da177e4 2813
bc6a6008
AW		 2814 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2815 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 2816 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 2817
3d2195c3 2818 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
95dbf739
EP		 2819 av |= FILE__OPEN;
2820
2821 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 2822}
2823
2824static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2825{
88e67f3b 2826 const struct cred *cred = current_cred();
2875fa00
EP		 2827 struct path path;
2828
2829 path.dentry = dentry;
2830 path.mnt = mnt;
88e67f3b 2831
2875fa00 2832 return path_has_perm(cred, &path, FILE__GETATTR);
1da177e4
LT		 2833}
2834
8f0cfa52 2835static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 2836{
88e67f3b
DH		 2837 const struct cred *cred = current_cred();
2838
b5376771
SH		 2839 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2840 sizeof XATTR_SECURITY_PREFIX - 1)) {
2841 if (!strcmp(name, XATTR_NAME_CAPS)) {
2842 if (!capable(CAP_SETFCAP))
2843 return -EPERM;
2844 } else if (!capable(CAP_SYS_ADMIN)) {
2845 /* A different attribute in the security namespace.
2846 Restrict to administrator. */
2847 return -EPERM;
2848 }
2849 }
2850
2851 /* Not an attribute we recognize, so just check the
2852 ordinary setattr permission. */
2875fa00 2853 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 2854}
2855
8f0cfa52
DH		 2856static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2857 const void *value, size_t size, int flags)
1da177e4 2858{
1da177e4
LT		 2859 struct inode *inode = dentry->d_inode;
2860 struct inode_security_struct *isec = inode->i_security;
2861 struct superblock_security_struct *sbsec;
2bf49690 2862 struct common_audit_data ad;
275bb41e 2863 u32 newsid, sid = current_sid();
1da177e4
LT		 2864 int rc = 0;
2865
b5376771
SH		 2866 if (strcmp(name, XATTR_NAME_SELINUX))
2867 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2868
2869 sbsec = inode->i_sb->s_security;
12f348b9 2870 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 2871 return -EOPNOTSUPP;
2872
2e149670 2873 if (!inode_owner_or_capable(inode))
1da177e4
LT		 2874 return -EPERM;
2875
50c205f5 2876 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2877 ad.u.dentry = dentry;
1da177e4 2878
275bb41e 2879 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 2880 FILE__RELABELFROM, &ad);
2881 if (rc)
2882 return rc;
2883
2884 rc = security_context_to_sid(value, size, &newsid);
12b29f34 2885 if (rc == -EINVAL) {
d6ea83ec
EP		 2886 if (!capable(CAP_MAC_ADMIN)) {
2887 struct audit_buffer *ab;
2888 size_t audit_size;
2889 const char *str;
2890
2891 /* We strip a nul only if it is at the end, otherwise the
2892 * context contains a nul and we should audit that */
e3fea3f7
AV		 2893 if (value) {
2894 str = value;
2895 if (str[size - 1] == '\0')
2896 audit_size = size - 1;
2897 else
2898 audit_size = size;
2899 } else {
2900 str = "";
2901 audit_size = 0;
2902 }
d6ea83ec
EP		 2903 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2904 audit_log_format(ab, "op=setxattr invalid_context=");
2905 audit_log_n_untrustedstring(ab, value, audit_size);
2906 audit_log_end(ab);
2907
12b29f34 2908 return rc;
d6ea83ec 2909 }
12b29f34
SS		 2910 rc = security_context_to_sid_force(value, size, &newsid);
2911 }
1da177e4
LT		 2912 if (rc)
2913 return rc;
2914
275bb41e 2915 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 2916 FILE__RELABELTO, &ad);
2917 if (rc)
2918 return rc;
2919
275bb41e 2920 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 2921 isec->sclass);
1da177e4
LT		 2922 if (rc)
2923 return rc;
2924
2925 return avc_has_perm(newsid,
2926 sbsec->sid,
2927 SECCLASS_FILESYSTEM,
2928 FILESYSTEM__ASSOCIATE,
2929 &ad);
2930}
2931
8f0cfa52 2932static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 2933 const void *value, size_t size,
8f0cfa52 2934 int flags)
1da177e4
LT		 2935{
2936 struct inode *inode = dentry->d_inode;
2937 struct inode_security_struct *isec = inode->i_security;
2938 u32 newsid;
2939 int rc;
2940
2941 if (strcmp(name, XATTR_NAME_SELINUX)) {
2942 /* Not an attribute we recognize, so nothing to do. */
2943 return;
2944 }
2945
12b29f34 2946 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 2947 if (rc) {
12b29f34
SS		 2948 printk(KERN_ERR "SELinux: unable to map context to SID"
2949 "for (%s, %lu), rc=%d\n",
2950 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 2951 return;
2952 }
2953
aa9c2669 2954 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 2955 isec->sid = newsid;
aa9c2669
DQ		 2956 isec->initialized = 1;
2957
1da177e4
LT		 2958 return;
2959}
2960
8f0cfa52 2961static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 2962{
88e67f3b
DH		 2963 const struct cred *cred = current_cred();
2964
2875fa00 2965 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 2966}
2967
828dfe1d 2968static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 2969{
88e67f3b
DH		 2970 const struct cred *cred = current_cred();
2971
2875fa00 2972 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 2973}
2974
8f0cfa52 2975static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 2976{
b5376771
SH		 2977 if (strcmp(name, XATTR_NAME_SELINUX))
2978 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2979
2980 /* No one is allowed to remove a SELinux security label.
2981 You can change the label, but all data must be labeled. */
2982 return -EACCES;
2983}
2984
d381d8a9 2985/*
abc69bb6 2986 * Copy the inode security context value to the user.
d381d8a9
JM		 2987 *
2988 * Permission check is handled by selinux_inode_getxattr hook.
2989 */
42492594 2990static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 2991{
42492594
DQ		 2992 u32 size;
2993 int error;
2994 char *context = NULL;
1da177e4 2995 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2996
8c8570fb
DK		 2997 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2998 return -EOPNOTSUPP;
d381d8a9 2999
abc69bb6
SS		 3000 /*
3001 * If the caller has CAP_MAC_ADMIN, then get the raw context
3002 * value even if it is not defined by current policy; otherwise,
3003 * use the in-core value under current policy.
3004 * Use the non-auditing forms of the permission checks since
3005 * getxattr may be called by unprivileged processes commonly
3006 * and lack of permission just means that we fall back to the
3007 * in-core context value, not a denial.
3008 */
6a9de491 3009 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3699c53c 3010 SECURITY_CAP_NOAUDIT);
abc69bb6
SS		 3011 if (!error)
3012 error = security_sid_to_context_force(isec->sid, &context,
3013 &size);
3014 else
3015 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3016 if (error)
3017 return error;
3018 error = size;
3019 if (alloc) {
3020 *buffer = context;
3021 goto out_nofree;
3022 }
3023 kfree(context);
3024out_nofree:
3025 return error;
1da177e4
LT		 3026}
3027
3028static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3029 const void *value, size_t size, int flags)
1da177e4
LT		 3030{
3031 struct inode_security_struct *isec = inode->i_security;
3032 u32 newsid;
3033 int rc;
3034
3035 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3036 return -EOPNOTSUPP;
3037
3038 if (!value || !size)
3039 return -EACCES;
3040
828dfe1d 3041 rc = security_context_to_sid((void *)value, size, &newsid);
1da177e4
LT		 3042 if (rc)
3043 return rc;
3044
aa9c2669 3045 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3046 isec->sid = newsid;
ddd29ec6 3047 isec->initialized = 1;
1da177e4
LT		 3048 return 0;
3049}
3050
3051static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3052{
3053 const int len = sizeof(XATTR_NAME_SELINUX);
3054 if (buffer && len <= buffer_size)
3055 memcpy(buffer, XATTR_NAME_SELINUX, len);
3056 return len;
3057}
3058
713a04ae
AD		 3059static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3060{
3061 struct inode_security_struct *isec = inode->i_security;
3062 *secid = isec->sid;
3063}
3064
1da177e4
LT		 3065/* file security operations */
3066
788e7dd4 3067static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3068{
88e67f3b 3069 const struct cred *cred = current_cred();
496ad9aa 3070 struct inode *inode = file_inode(file);
1da177e4 3071
1da177e4
LT		 3072 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3073 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3074 mask |= MAY_APPEND;
3075
389fb800
PM		 3076 return file_has_perm(cred, file,
3077 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3078}
3079
788e7dd4
YN		 3080static int selinux_file_permission(struct file *file, int mask)
3081{
496ad9aa 3082 struct inode *inode = file_inode(file);
20dda18b
SS		 3083 struct file_security_struct *fsec = file->f_security;
3084 struct inode_security_struct *isec = inode->i_security;
3085 u32 sid = current_sid();
3086
389fb800 3087 if (!mask)
788e7dd4
YN		 3088 /* No permission to check. Existence test. */
3089 return 0;
788e7dd4 3090
20dda18b
SS		 3091 if (sid == fsec->sid && fsec->isid == isec->sid &&
3092 fsec->pseqno == avc_policy_seqno())
83d49856 3093 /* No change since file_open check. */
20dda18b
SS		 3094 return 0;
3095
788e7dd4
YN		 3096 return selinux_revalidate_file_permission(file, mask);
3097}
3098
1da177e4
LT		 3099static int selinux_file_alloc_security(struct file *file)
3100{
3101 return file_alloc_security(file);
3102}
3103
3104static void selinux_file_free_security(struct file *file)
3105{
3106 file_free_security(file);
3107}
3108
3109static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3110 unsigned long arg)
3111{
88e67f3b 3112 const struct cred *cred = current_cred();
0b24dcb7 3113 int error = 0;
1da177e4 3114
0b24dcb7
EP		 3115 switch (cmd) {
3116 case FIONREAD:
3117 /* fall through */
3118 case FIBMAP:
3119 /* fall through */
3120 case FIGETBSZ:
3121 /* fall through */
2f99c369 3122 case FS_IOC_GETFLAGS:
0b24dcb7 3123 /* fall through */
2f99c369 3124 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3125 error = file_has_perm(cred, file, FILE__GETATTR);
3126 break;
1da177e4 3127
2f99c369 3128 case FS_IOC_SETFLAGS:
0b24dcb7 3129 /* fall through */
2f99c369 3130 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3131 error = file_has_perm(cred, file, FILE__SETATTR);
3132 break;
3133
3134 /* sys_ioctl() checks */
3135 case FIONBIO:
3136 /* fall through */
3137 case FIOASYNC:
3138 error = file_has_perm(cred, file, 0);
3139 break;
1da177e4 3140
0b24dcb7
EP		 3141 case KDSKBENT:
3142 case KDSKBSENT:
6a9de491
EP		 3143 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3144 SECURITY_CAP_AUDIT);
0b24dcb7
EP		 3145 break;
3146
3147 /* default case assumes that the command will go
3148 * to the file's ioctl() function.
3149 */
3150 default:
3151 error = file_has_perm(cred, file, FILE__IOCTL);
3152 }
3153 return error;
1da177e4
LT		 3154}
3155
fcaaade1
SS		 3156static int default_noexec;
3157
1da177e4
LT		 3158static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3159{
88e67f3b 3160 const struct cred *cred = current_cred();
d84f4f99 3161 int rc = 0;
88e67f3b 3162
fcaaade1
SS		 3163 if (default_noexec &&
3164 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3165 /*
3166 * We are making executable an anonymous mapping or a
3167 * private file mapping that will also be writable.
3168 * This has an additional check.
3169 */
d84f4f99 3170 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 3171 if (rc)
d84f4f99 3172 goto error;
1da177e4 3173 }
1da177e4
LT		 3174
3175 if (file) {
3176 /* read access is always possible with a mapping */
3177 u32 av = FILE__READ;
3178
3179 /* write access only matters if the mapping is shared */
3180 if (shared && (prot & PROT_WRITE))
3181 av |= FILE__WRITE;
3182
3183 if (prot & PROT_EXEC)
3184 av |= FILE__EXECUTE;
3185
88e67f3b 3186 return file_has_perm(cred, file, av);
1da177e4 3187 }
d84f4f99
DH		 3188
3189error:
3190 return rc;
1da177e4
LT		 3191}
3192
e5467859 3193static int selinux_mmap_addr(unsigned long addr)
1da177e4 3194{
ed032189 3195 int rc = 0;
275bb41e 3196 u32 sid = current_sid();
1da177e4 3197
84336d1a
EP		 3198 /*
3199 * notice that we are intentionally putting the SELinux check before
3200 * the secondary cap_file_mmap check. This is such a likely attempt
3201 * at bad behaviour/exploit that we always want to get the AVC, even
3202 * if DAC would have also denied the operation.
3203 */
a2551df7 3204 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
ed032189
EP		 3205 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3206 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3207 if (rc)
3208 return rc;
3209 }
3210
3211 /* do DAC check on address space usage */
e5467859
AV		 3212 return cap_mmap_addr(addr);
3213}
1da177e4 3214
e5467859
AV		 3215static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3216 unsigned long prot, unsigned long flags)
3217{
1da177e4
LT		 3218 if (selinux_checkreqprot)
3219 prot = reqprot;
3220
3221 return file_map_prot_check(file, prot,
3222 (flags & MAP_TYPE) == MAP_SHARED);
3223}
3224
3225static int selinux_file_mprotect(struct vm_area_struct *vma,
3226 unsigned long reqprot,
3227 unsigned long prot)
3228{
88e67f3b 3229 const struct cred *cred = current_cred();
1da177e4
LT		 3230
3231 if (selinux_checkreqprot)
3232 prot = reqprot;
3233
fcaaade1
SS		 3234 if (default_noexec &&
3235 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3236 int rc = 0;
db4c9641
SS		 3237 if (vma->vm_start >= vma->vm_mm->start_brk &&
3238 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3239 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641
SS		 3240 } else if (!vma->vm_file &&
3241 vma->vm_start <= vma->vm_mm->start_stack &&
3242 vma->vm_end >= vma->vm_mm->start_stack) {
3b11a1de 3243 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3244 } else if (vma->vm_file && vma->anon_vma) {
3245 /*
3246 * We are making executable a file mapping that has
3247 * had some COW done. Since pages might have been
3248 * written, check ability to execute the possibly
3249 * modified content. This typically should only
3250 * occur for text relocations.
3251 */
d84f4f99 3252 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3253 }