]> git.proxmox.com Git - mirror_ubuntu-hirsute-kernel.git/blame - security/selinux/hooks.c
selinux/ss/services.c should #include <linux/selinux.h>
[mirror_ubuntu-hirsute-kernel.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT
1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
effad8df
PM
15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com>
788e7dd4
YN
17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT
19 *
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
23 */
24
1da177e4
LT
25#include <linux/init.h>
26#include <linux/kernel.h>
27#include <linux/ptrace.h>
28#include <linux/errno.h>
29#include <linux/sched.h>
30#include <linux/security.h>
31#include <linux/xattr.h>
32#include <linux/capability.h>
33#include <linux/unistd.h>
34#include <linux/mm.h>
35#include <linux/mman.h>
36#include <linux/slab.h>
37#include <linux/pagemap.h>
38#include <linux/swap.h>
1da177e4
LT
39#include <linux/spinlock.h>
40#include <linux/syscalls.h>
41#include <linux/file.h>
42#include <linux/namei.h>
43#include <linux/mount.h>
44#include <linux/ext2_fs.h>
45#include <linux/proc_fs.h>
46#include <linux/kd.h>
47#include <linux/netfilter_ipv4.h>
48#include <linux/netfilter_ipv6.h>
49#include <linux/tty.h>
50#include <net/icmp.h>
227b60f5 51#include <net/ip.h> /* for local_port_range[] */
1da177e4 52#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
220deb96 53#include <net/net_namespace.h>
d621d35e 54#include <net/netlabel.h>
1da177e4 55#include <asm/uaccess.h>
1da177e4 56#include <asm/ioctls.h>
d621d35e 57#include <asm/atomic.h>
1da177e4
LT
58#include <linux/bitops.h>
59#include <linux/interrupt.h>
60#include <linux/netdevice.h> /* for network interface checks */
61#include <linux/netlink.h>
62#include <linux/tcp.h>
63#include <linux/udp.h>
2ee92d46 64#include <linux/dccp.h>
1da177e4
LT
65#include <linux/quota.h>
66#include <linux/un.h> /* for Unix socket types */
67#include <net/af_unix.h> /* for Unix socket types */
68#include <linux/parser.h>
69#include <linux/nfs_mount.h>
70#include <net/ipv6.h>
71#include <linux/hugetlb.h>
72#include <linux/personality.h>
73#include <linux/sysctl.h>
74#include <linux/audit.h>
6931dfc9 75#include <linux/string.h>
877ce7c1 76#include <linux/selinux.h>
23970741 77#include <linux/mutex.h>
1da177e4
LT
78
79#include "avc.h"
80#include "objsec.h"
81#include "netif.h"
224dfbd8 82#include "netnode.h"
d28d1e08 83#include "xfrm.h"
c60475bf 84#include "netlabel.h"
1da177e4
LT
85
86#define XATTR_SELINUX_SUFFIX "selinux"
87#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
88
c9180a57
EP
89#define NUM_SEL_MNT_OPTS 4
90
1da177e4
LT
91extern unsigned int policydb_loaded_version;
92extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
4e5ab4cb 93extern int selinux_compat_net;
20510f2f 94extern struct security_operations *security_ops;
1da177e4 95
d621d35e
PM
96/* SECMARK reference count */
97atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
98
1da177e4
LT
99#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100int selinux_enforcing = 0;
101
102static int __init enforcing_setup(char *str)
103{
104 selinux_enforcing = simple_strtol(str,NULL,0);
105 return 1;
106}
107__setup("enforcing=", enforcing_setup);
108#endif
109
110#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
112
113static int __init selinux_enabled_setup(char *str)
114{
115 selinux_enabled = simple_strtol(str, NULL, 0);
116 return 1;
117}
118__setup("selinux=", selinux_enabled_setup);
30d55280
SS
119#else
120int selinux_enabled = 1;
1da177e4
LT
121#endif
122
123/* Original (dummy) security module. */
124static struct security_operations *original_ops = NULL;
125
126/* Minimal support for a secondary security module,
127 just to allow the use of the dummy or capability modules.
128 The owlsm module can alternatively be used as a secondary
129 module as long as CONFIG_OWLSM_FD is not enabled. */
130static struct security_operations *secondary_ops = NULL;
131
132/* Lists of inode and superblock security structures initialized
133 before the policy was loaded. */
134static LIST_HEAD(superblock_security_head);
135static DEFINE_SPINLOCK(sb_security_lock);
136
e18b890b 137static struct kmem_cache *sel_inode_cache;
7cae7e26 138
d621d35e
PM
139/**
140 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
141 *
142 * Description:
143 * This function checks the SECMARK reference counter to see if any SECMARK
144 * targets are currently configured, if the reference counter is greater than
145 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
146 * enabled, false (0) if SECMARK is disabled.
147 *
148 */
149static int selinux_secmark_enabled(void)
150{
151 return (atomic_read(&selinux_secmark_refcount) > 0);
152}
153
1da177e4
LT
154/* Allocate and free functions for each kind of security blob. */
155
156static int task_alloc_security(struct task_struct *task)
157{
158 struct task_security_struct *tsec;
159
89d155ef 160 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4
LT
161 if (!tsec)
162 return -ENOMEM;
163
0356357c 164 tsec->osid = tsec->sid = SECINITSID_UNLABELED;
1da177e4
LT
165 task->security = tsec;
166
167 return 0;
168}
169
170static void task_free_security(struct task_struct *task)
171{
172 struct task_security_struct *tsec = task->security;
1da177e4
LT
173 task->security = NULL;
174 kfree(tsec);
175}
176
177static int inode_alloc_security(struct inode *inode)
178{
179 struct task_security_struct *tsec = current->security;
180 struct inode_security_struct *isec;
181
a02fe132 182 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT
183 if (!isec)
184 return -ENOMEM;
185
23970741 186 mutex_init(&isec->lock);
1da177e4 187 INIT_LIST_HEAD(&isec->list);
1da177e4
LT
188 isec->inode = inode;
189 isec->sid = SECINITSID_UNLABELED;
190 isec->sclass = SECCLASS_FILE;
9ac49d22 191 isec->task_sid = tsec->sid;
1da177e4
LT
192 inode->i_security = isec;
193
194 return 0;
195}
196
197static void inode_free_security(struct inode *inode)
198{
199 struct inode_security_struct *isec = inode->i_security;
200 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
201
1da177e4
LT
202 spin_lock(&sbsec->isec_lock);
203 if (!list_empty(&isec->list))
204 list_del_init(&isec->list);
205 spin_unlock(&sbsec->isec_lock);
206
207 inode->i_security = NULL;
7cae7e26 208 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT
209}
210
211static int file_alloc_security(struct file *file)
212{
213 struct task_security_struct *tsec = current->security;
214 struct file_security_struct *fsec;
215
26d2a4be 216 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT
217 if (!fsec)
218 return -ENOMEM;
219
9ac49d22
SS
220 fsec->sid = tsec->sid;
221 fsec->fown_sid = tsec->sid;
1da177e4
LT
222 file->f_security = fsec;
223
224 return 0;
225}
226
227static void file_free_security(struct file *file)
228{
229 struct file_security_struct *fsec = file->f_security;
1da177e4
LT
230 file->f_security = NULL;
231 kfree(fsec);
232}
233
234static int superblock_alloc_security(struct super_block *sb)
235{
236 struct superblock_security_struct *sbsec;
237
89d155ef 238 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT
239 if (!sbsec)
240 return -ENOMEM;
241
bc7e982b 242 mutex_init(&sbsec->lock);
1da177e4
LT
243 INIT_LIST_HEAD(&sbsec->list);
244 INIT_LIST_HEAD(&sbsec->isec_head);
245 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT
246 sbsec->sb = sb;
247 sbsec->sid = SECINITSID_UNLABELED;
248 sbsec->def_sid = SECINITSID_FILE;
c312feb2 249 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT
250 sb->s_security = sbsec;
251
252 return 0;
253}
254
255static void superblock_free_security(struct super_block *sb)
256{
257 struct superblock_security_struct *sbsec = sb->s_security;
258
1da177e4
LT
259 spin_lock(&sb_security_lock);
260 if (!list_empty(&sbsec->list))
261 list_del_init(&sbsec->list);
262 spin_unlock(&sb_security_lock);
263
264 sb->s_security = NULL;
265 kfree(sbsec);
266}
267
7d877f3b 268static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4
LT
269{
270 struct sk_security_struct *ssec;
271
89d155ef 272 ssec = kzalloc(sizeof(*ssec), priority);
1da177e4
LT
273 if (!ssec)
274 return -ENOMEM;
275
1da177e4 276 ssec->peer_sid = SECINITSID_UNLABELED;
892c141e 277 ssec->sid = SECINITSID_UNLABELED;
1da177e4
LT
278 sk->sk_security = ssec;
279
f74af6e8 280 selinux_netlbl_sk_security_reset(ssec, family);
99f59ed0 281
1da177e4
LT
282 return 0;
283}
284
285static void sk_free_security(struct sock *sk)
286{
287 struct sk_security_struct *ssec = sk->sk_security;
288
1da177e4
LT
289 sk->sk_security = NULL;
290 kfree(ssec);
291}
1da177e4
LT
292
293/* The security server must be initialized before
294 any labeling or access decisions can be provided. */
295extern int ss_initialized;
296
297/* The file system's label must be initialized prior to use. */
298
299static char *labeling_behaviors[6] = {
300 "uses xattr",
301 "uses transition SIDs",
302 "uses task SIDs",
303 "uses genfs_contexts",
304 "not configured for labeling",
305 "uses mountpoint labeling",
306};
307
308static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
309
310static inline int inode_doinit(struct inode *inode)
311{
312 return inode_doinit_with_dentry(inode, NULL);
313}
314
315enum {
31e87930 316 Opt_error = -1,
1da177e4
LT
317 Opt_context = 1,
318 Opt_fscontext = 2,
c9180a57
EP
319 Opt_defcontext = 3,
320 Opt_rootcontext = 4,
1da177e4
LT
321};
322
323static match_table_t tokens = {
324 {Opt_context, "context=%s"},
325 {Opt_fscontext, "fscontext=%s"},
326 {Opt_defcontext, "defcontext=%s"},
0808925e 327 {Opt_rootcontext, "rootcontext=%s"},
31e87930 328 {Opt_error, NULL},
1da177e4
LT
329};
330
331#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
332
c312feb2
EP
333static int may_context_mount_sb_relabel(u32 sid,
334 struct superblock_security_struct *sbsec,
335 struct task_security_struct *tsec)
336{
337 int rc;
338
339 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
340 FILESYSTEM__RELABELFROM, NULL);
341 if (rc)
342 return rc;
343
344 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
345 FILESYSTEM__RELABELTO, NULL);
346 return rc;
347}
348
0808925e
EP
349static int may_context_mount_inode_relabel(u32 sid,
350 struct superblock_security_struct *sbsec,
351 struct task_security_struct *tsec)
352{
353 int rc;
354 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
355 FILESYSTEM__RELABELFROM, NULL);
356 if (rc)
357 return rc;
358
359 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
360 FILESYSTEM__ASSOCIATE, NULL);
361 return rc;
362}
363
c9180a57 364static int sb_finish_set_opts(struct super_block *sb)
1da177e4 365{
1da177e4 366 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP
367 struct dentry *root = sb->s_root;
368 struct inode *root_inode = root->d_inode;
369 int rc = 0;
1da177e4 370
c9180a57
EP
371 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
372 /* Make sure that the xattr handler exists and that no
373 error other than -ENODATA is returned by getxattr on
374 the root directory. -ENODATA is ok, as this may be
375 the first boot of the SELinux kernel before we have
376 assigned xattr values to the filesystem. */
377 if (!root_inode->i_op->getxattr) {
378 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
379 "xattr support\n", sb->s_id, sb->s_type->name);
380 rc = -EOPNOTSUPP;
381 goto out;
382 }
383 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
384 if (rc < 0 && rc != -ENODATA) {
385 if (rc == -EOPNOTSUPP)
386 printk(KERN_WARNING "SELinux: (dev %s, type "
387 "%s) has no security xattr handler\n",
388 sb->s_id, sb->s_type->name);
389 else
390 printk(KERN_WARNING "SELinux: (dev %s, type "
391 "%s) getxattr errno %d\n", sb->s_id,
392 sb->s_type->name, -rc);
393 goto out;
394 }
395 }
1da177e4 396
c9180a57 397 sbsec->initialized = 1;
1da177e4 398
c9180a57
EP
399 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
400 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
401 sb->s_id, sb->s_type->name);
402 else
403 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
404 sb->s_id, sb->s_type->name,
405 labeling_behaviors[sbsec->behavior-1]);
1da177e4 406
c9180a57
EP
407 /* Initialize the root inode. */
408 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 409
c9180a57
EP
410 /* Initialize any other inodes associated with the superblock, e.g.
411 inodes created prior to initial policy load or inodes created
412 during get_sb by a pseudo filesystem that directly
413 populates itself. */
414 spin_lock(&sbsec->isec_lock);
415next_inode:
416 if (!list_empty(&sbsec->isec_head)) {
417 struct inode_security_struct *isec =
418 list_entry(sbsec->isec_head.next,
419 struct inode_security_struct, list);
420 struct inode *inode = isec->inode;
421 spin_unlock(&sbsec->isec_lock);
422 inode = igrab(inode);
423 if (inode) {
424 if (!IS_PRIVATE(inode))
425 inode_doinit(inode);
426 iput(inode);
427 }
428 spin_lock(&sbsec->isec_lock);
429 list_del_init(&isec->list);
430 goto next_inode;
431 }
432 spin_unlock(&sbsec->isec_lock);
433out:
434 return rc;
435}
1da177e4 436
c9180a57
EP
437/*
438 * This function should allow an FS to ask what it's mount security
439 * options were so it can use those later for submounts, displaying
440 * mount options, or whatever.
441 */
442static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 443 struct security_mnt_opts *opts)
c9180a57
EP
444{
445 int rc = 0, i;
446 struct superblock_security_struct *sbsec = sb->s_security;
447 char *context = NULL;
448 u32 len;
449 char tmp;
1da177e4 450
e0007529 451 security_init_mnt_opts(opts);
1da177e4 452
c9180a57
EP
453 if (!sbsec->initialized)
454 return -EINVAL;
1da177e4 455
c9180a57
EP
456 if (!ss_initialized)
457 return -EINVAL;
1da177e4 458
c9180a57
EP
459 /*
460 * if we ever use sbsec flags for anything other than tracking mount
461 * settings this is going to need a mask
462 */
463 tmp = sbsec->flags;
464 /* count the number of mount options for this sb */
465 for (i = 0; i < 8; i++) {
466 if (tmp & 0x01)
e0007529 467 opts->num_mnt_opts++;
c9180a57
EP
468 tmp >>= 1;
469 }
1da177e4 470
e0007529
EP
471 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
472 if (!opts->mnt_opts) {
c9180a57
EP
473 rc = -ENOMEM;
474 goto out_free;
475 }
1da177e4 476
e0007529
EP
477 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
478 if (!opts->mnt_opts_flags) {
c9180a57
EP
479 rc = -ENOMEM;
480 goto out_free;
481 }
1da177e4 482
c9180a57
EP
483 i = 0;
484 if (sbsec->flags & FSCONTEXT_MNT) {
485 rc = security_sid_to_context(sbsec->sid, &context, &len);
486 if (rc)
487 goto out_free;
e0007529
EP
488 opts->mnt_opts[i] = context;
489 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP
490 }
491 if (sbsec->flags & CONTEXT_MNT) {
492 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
493 if (rc)
494 goto out_free;
e0007529
EP
495 opts->mnt_opts[i] = context;
496 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP
497 }
498 if (sbsec->flags & DEFCONTEXT_MNT) {
499 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
500 if (rc)
501 goto out_free;
e0007529
EP
502 opts->mnt_opts[i] = context;
503 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP
504 }
505 if (sbsec->flags & ROOTCONTEXT_MNT) {
506 struct inode *root = sbsec->sb->s_root->d_inode;
507 struct inode_security_struct *isec = root->i_security;
0808925e 508
c9180a57
EP
509 rc = security_sid_to_context(isec->sid, &context, &len);
510 if (rc)
511 goto out_free;
e0007529
EP
512 opts->mnt_opts[i] = context;
513 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 514 }
1da177e4 515
e0007529 516 BUG_ON(i != opts->num_mnt_opts);
1da177e4 517
c9180a57
EP
518 return 0;
519
520out_free:
e0007529 521 security_free_mnt_opts(opts);
c9180a57
EP
522 return rc;
523}
1da177e4 524
c9180a57
EP
525static int bad_option(struct superblock_security_struct *sbsec, char flag,
526 u32 old_sid, u32 new_sid)
527{
528 /* check if the old mount command had the same options */
529 if (sbsec->initialized)
530 if (!(sbsec->flags & flag) ||
531 (old_sid != new_sid))
532 return 1;
533
534 /* check if we were passed the same options twice,
535 * aka someone passed context=a,context=b
536 */
537 if (!sbsec->initialized)
538 if (sbsec->flags & flag)
539 return 1;
540 return 0;
541}
e0007529 542
c9180a57
EP
543/*
544 * Allow filesystems with binary mount data to explicitly set mount point
545 * labeling information.
546 */
e0007529
EP
547static int selinux_set_mnt_opts(struct super_block *sb,
548 struct security_mnt_opts *opts)
c9180a57
EP
549{
550 int rc = 0, i;
551 struct task_security_struct *tsec = current->security;
552 struct superblock_security_struct *sbsec = sb->s_security;
553 const char *name = sb->s_type->name;
554 struct inode *inode = sbsec->sb->s_root->d_inode;
555 struct inode_security_struct *root_isec = inode->i_security;
556 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
557 u32 defcontext_sid = 0;
e0007529
EP
558 char **mount_options = opts->mnt_opts;
559 int *flags = opts->mnt_opts_flags;
560 int num_opts = opts->num_mnt_opts;
c9180a57
EP
561
562 mutex_lock(&sbsec->lock);
563
564 if (!ss_initialized) {
565 if (!num_opts) {
566 /* Defer initialization until selinux_complete_init,
567 after the initial policy is loaded and the security
568 server is ready to handle calls. */
569 spin_lock(&sb_security_lock);
570 if (list_empty(&sbsec->list))
571 list_add(&sbsec->list, &superblock_security_head);
572 spin_unlock(&sb_security_lock);
573 goto out;
574 }
575 rc = -EINVAL;
576 printk(KERN_WARNING "Unable to set superblock options before "
577 "the security server is initialized\n");
1da177e4 578 goto out;
c9180a57 579 }
1da177e4 580
e0007529
EP
581 /*
582 * Binary mount data FS will come through this function twice. Once
583 * from an explicit call and once from the generic calls from the vfs.
584 * Since the generic VFS calls will not contain any security mount data
585 * we need to skip the double mount verification.
586 *
587 * This does open a hole in which we will not notice if the first
588 * mount using this sb set explict options and a second mount using
589 * this sb does not set any security options. (The first options
590 * will be used for both mounts)
591 */
592 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
593 && (num_opts == 0))
594 goto out;
595
c9180a57
EP
596 /*
597 * parse the mount options, check if they are valid sids.
598 * also check if someone is trying to mount the same sb more
599 * than once with different security options.
600 */
601 for (i = 0; i < num_opts; i++) {
602 u32 sid;
603 rc = security_context_to_sid(mount_options[i],
604 strlen(mount_options[i]), &sid);
1da177e4
LT
605 if (rc) {
606 printk(KERN_WARNING "SELinux: security_context_to_sid"
607 "(%s) failed for (dev %s, type %s) errno=%d\n",
c9180a57
EP
608 mount_options[i], sb->s_id, name, rc);
609 goto out;
610 }
611 switch (flags[i]) {
612 case FSCONTEXT_MNT:
613 fscontext_sid = sid;
614
615 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
616 fscontext_sid))
617 goto out_double_mount;
618
619 sbsec->flags |= FSCONTEXT_MNT;
620 break;
621 case CONTEXT_MNT:
622 context_sid = sid;
623
624 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
625 context_sid))
626 goto out_double_mount;
627
628 sbsec->flags |= CONTEXT_MNT;
629 break;
630 case ROOTCONTEXT_MNT:
631 rootcontext_sid = sid;
632
633 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
634 rootcontext_sid))
635 goto out_double_mount;
636
637 sbsec->flags |= ROOTCONTEXT_MNT;
638
639 break;
640 case DEFCONTEXT_MNT:
641 defcontext_sid = sid;
642
643 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
644 defcontext_sid))
645 goto out_double_mount;
646
647 sbsec->flags |= DEFCONTEXT_MNT;
648
649 break;
650 default:
651 rc = -EINVAL;
652 goto out;
1da177e4 653 }
c9180a57
EP
654 }
655
656 if (sbsec->initialized) {
657 /* previously mounted with options, but not on this attempt? */
658 if (sbsec->flags && !num_opts)
659 goto out_double_mount;
660 rc = 0;
661 goto out;
662 }
663
664 if (strcmp(sb->s_type->name, "proc") == 0)
665 sbsec->proc = 1;
666
667 /* Determine the labeling behavior to use for this filesystem type. */
668 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
669 if (rc) {
670 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
dd6f953a 671 __func__, sb->s_type->name, rc);
c9180a57
EP
672 goto out;
673 }
1da177e4 674
c9180a57
EP
675 /* sets the context of the superblock for the fs being mounted. */
676 if (fscontext_sid) {
677
678 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
1da177e4 679 if (rc)
c9180a57 680 goto out;
1da177e4 681
c9180a57 682 sbsec->sid = fscontext_sid;
c312feb2
EP
683 }
684
685 /*
686 * Switch to using mount point labeling behavior.
687 * sets the label used on all file below the mountpoint, and will set
688 * the superblock context if not already set.
689 */
c9180a57
EP
690 if (context_sid) {
691 if (!fscontext_sid) {
692 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
b04ea3ce 693 if (rc)
c9180a57
EP
694 goto out;
695 sbsec->sid = context_sid;
b04ea3ce 696 } else {
c9180a57 697 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
b04ea3ce 698 if (rc)
c9180a57 699 goto out;
b04ea3ce 700 }
c9180a57
EP
701 if (!rootcontext_sid)
702 rootcontext_sid = context_sid;
1da177e4 703
c9180a57 704 sbsec->mntpoint_sid = context_sid;
c312feb2 705 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT
706 }
707
c9180a57
EP
708 if (rootcontext_sid) {
709 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
0808925e 710 if (rc)
c9180a57 711 goto out;
0808925e 712
c9180a57
EP
713 root_isec->sid = rootcontext_sid;
714 root_isec->initialized = 1;
0808925e
EP
715 }
716
c9180a57
EP
717 if (defcontext_sid) {
718 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
719 rc = -EINVAL;
720 printk(KERN_WARNING "SELinux: defcontext option is "
721 "invalid for this filesystem type\n");
722 goto out;
1da177e4
LT
723 }
724
c9180a57
EP
725 if (defcontext_sid != sbsec->def_sid) {
726 rc = may_context_mount_inode_relabel(defcontext_sid,
727 sbsec, tsec);
728 if (rc)
729 goto out;
730 }
1da177e4 731
c9180a57 732 sbsec->def_sid = defcontext_sid;
1da177e4
LT
733 }
734
c9180a57 735 rc = sb_finish_set_opts(sb);
1da177e4 736out:
c9180a57 737 mutex_unlock(&sbsec->lock);
1da177e4 738 return rc;
c9180a57
EP
739out_double_mount:
740 rc = -EINVAL;
741 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
742 "security settings for (dev %s, type %s)\n", sb->s_id, name);
743 goto out;
1da177e4
LT
744}
745
c9180a57
EP
746static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
747 struct super_block *newsb)
1da177e4 748{
c9180a57
EP
749 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
750 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 751
c9180a57
EP
752 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
753 int set_context = (oldsbsec->flags & CONTEXT_MNT);
754 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 755
c9180a57
EP
756 /* we can't error, we can't save the info, this shouldn't get called
757 * this early in the boot process. */
758 BUG_ON(!ss_initialized);
759
c9180a57
EP
760 /* how can we clone if the old one wasn't set up?? */
761 BUG_ON(!oldsbsec->initialized);
762
5a552617
EP
763 /* if fs is reusing a sb, just let its options stand... */
764 if (newsbsec->initialized)
765 return;
766
c9180a57
EP
767 mutex_lock(&newsbsec->lock);
768
769 newsbsec->flags = oldsbsec->flags;
770
771 newsbsec->sid = oldsbsec->sid;
772 newsbsec->def_sid = oldsbsec->def_sid;
773 newsbsec->behavior = oldsbsec->behavior;
774
775 if (set_context) {
776 u32 sid = oldsbsec->mntpoint_sid;
777
778 if (!set_fscontext)
779 newsbsec->sid = sid;
780 if (!set_rootcontext) {
781 struct inode *newinode = newsb->s_root->d_inode;
782 struct inode_security_struct *newisec = newinode->i_security;
783 newisec->sid = sid;
784 }
785 newsbsec->mntpoint_sid = sid;
1da177e4 786 }
c9180a57
EP
787 if (set_rootcontext) {
788 const struct inode *oldinode = oldsb->s_root->d_inode;
789 const struct inode_security_struct *oldisec = oldinode->i_security;
790 struct inode *newinode = newsb->s_root->d_inode;
791 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 792
c9180a57 793 newisec->sid = oldisec->sid;
1da177e4
LT
794 }
795
c9180a57
EP
796 sb_finish_set_opts(newsb);
797 mutex_unlock(&newsbsec->lock);
798}
799
2e1479d9
AB
800static int selinux_parse_opts_str(char *options,
801 struct security_mnt_opts *opts)
c9180a57 802{
e0007529 803 char *p;
c9180a57
EP
804 char *context = NULL, *defcontext = NULL;
805 char *fscontext = NULL, *rootcontext = NULL;
e0007529 806 int rc, num_mnt_opts = 0;
1da177e4 807
e0007529 808 opts->num_mnt_opts = 0;
1da177e4 809
c9180a57
EP
810 /* Standard string-based options. */
811 while ((p = strsep(&options, "|")) != NULL) {
812 int token;
813 substring_t args[MAX_OPT_ARGS];
1da177e4 814
c9180a57
EP
815 if (!*p)
816 continue;
1da177e4 817
c9180a57 818 token = match_token(p, tokens, args);
1da177e4 819
c9180a57
EP
820 switch (token) {
821 case Opt_context:
822 if (context || defcontext) {
823 rc = -EINVAL;
824 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
825 goto out_err;
826 }
827 context = match_strdup(&args[0]);
828 if (!context) {
829 rc = -ENOMEM;
830 goto out_err;
831 }
832 break;
833
834 case Opt_fscontext:
835 if (fscontext) {
836 rc = -EINVAL;
837 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
838 goto out_err;
839 }
840 fscontext = match_strdup(&args[0]);
841 if (!fscontext) {
842 rc = -ENOMEM;
843 goto out_err;
844 }
845 break;
846
847 case Opt_rootcontext:
848 if (rootcontext) {
849 rc = -EINVAL;
850 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
851 goto out_err;
852 }
853 rootcontext = match_strdup(&args[0]);
854 if (!rootcontext) {
855 rc = -ENOMEM;
856 goto out_err;
857 }
858 break;
859
860 case Opt_defcontext:
861 if (context || defcontext) {
862 rc = -EINVAL;
863 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
864 goto out_err;
865 }
866 defcontext = match_strdup(&args[0]);
867 if (!defcontext) {
868 rc = -ENOMEM;
869 goto out_err;
870 }
871 break;
872
873 default:
874 rc = -EINVAL;
875 printk(KERN_WARNING "SELinux: unknown mount option\n");
876 goto out_err;
1da177e4 877
1da177e4 878 }
1da177e4 879 }
c9180a57 880
e0007529
EP
881 rc = -ENOMEM;
882 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
883 if (!opts->mnt_opts)
884 goto out_err;
885
886 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
887 if (!opts->mnt_opts_flags) {
888 kfree(opts->mnt_opts);
889 goto out_err;
890 }
891
c9180a57 892 if (fscontext) {
e0007529
EP
893 opts->mnt_opts[num_mnt_opts] = fscontext;
894 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP
895 }
896 if (context) {
e0007529
EP
897 opts->mnt_opts[num_mnt_opts] = context;
898 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP
899 }
900 if (rootcontext) {
e0007529
EP
901 opts->mnt_opts[num_mnt_opts] = rootcontext;
902 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP
903 }
904 if (defcontext) {
e0007529
EP
905 opts->mnt_opts[num_mnt_opts] = defcontext;
906 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP
907 }
908
e0007529
EP
909 opts->num_mnt_opts = num_mnt_opts;
910 return 0;
911
c9180a57
EP
912out_err:
913 kfree(context);
914 kfree(defcontext);
915 kfree(fscontext);
916 kfree(rootcontext);
1da177e4
LT
917 return rc;
918}
e0007529
EP
919/*
920 * string mount options parsing and call set the sbsec
921 */
922static int superblock_doinit(struct super_block *sb, void *data)
923{
924 int rc = 0;
925 char *options = data;
926 struct security_mnt_opts opts;
927
928 security_init_mnt_opts(&opts);
929
930 if (!data)
931 goto out;
932
933 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
934
935 rc = selinux_parse_opts_str(options, &opts);
936 if (rc)
937 goto out_err;
938
939out:
940 rc = selinux_set_mnt_opts(sb, &opts);
941
942out_err:
943 security_free_mnt_opts(&opts);
944 return rc;
945}
1da177e4
LT
946
947static inline u16 inode_mode_to_security_class(umode_t mode)
948{
949 switch (mode & S_IFMT) {
950 case S_IFSOCK:
951 return SECCLASS_SOCK_FILE;
952 case S_IFLNK:
953 return SECCLASS_LNK_FILE;
954 case S_IFREG:
955 return SECCLASS_FILE;
956 case S_IFBLK:
957 return SECCLASS_BLK_FILE;
958 case S_IFDIR:
959 return SECCLASS_DIR;
960 case S_IFCHR:
961 return SECCLASS_CHR_FILE;
962 case S_IFIFO:
963 return SECCLASS_FIFO_FILE;
964
965 }
966
967 return SECCLASS_FILE;
968}
969
13402580
JM
970static inline int default_protocol_stream(int protocol)
971{
972 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
973}
974
975static inline int default_protocol_dgram(int protocol)
976{
977 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
978}
979
1da177e4
LT
980static inline u16 socket_type_to_security_class(int family, int type, int protocol)
981{
982 switch (family) {
983 case PF_UNIX:
984 switch (type) {
985 case SOCK_STREAM:
986 case SOCK_SEQPACKET:
987 return SECCLASS_UNIX_STREAM_SOCKET;
988 case SOCK_DGRAM:
989 return SECCLASS_UNIX_DGRAM_SOCKET;
990 }
991 break;
992 case PF_INET:
993 case PF_INET6:
994 switch (type) {
995 case SOCK_STREAM:
13402580
JM
996 if (default_protocol_stream(protocol))
997 return SECCLASS_TCP_SOCKET;
998 else
999 return SECCLASS_RAWIP_SOCKET;
1da177e4 1000 case SOCK_DGRAM:
13402580
JM
1001 if (default_protocol_dgram(protocol))
1002 return SECCLASS_UDP_SOCKET;
1003 else
1004 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM
1005 case SOCK_DCCP:
1006 return SECCLASS_DCCP_SOCKET;
13402580 1007 default:
1da177e4
LT
1008 return SECCLASS_RAWIP_SOCKET;
1009 }
1010 break;
1011 case PF_NETLINK:
1012 switch (protocol) {
1013 case NETLINK_ROUTE:
1014 return SECCLASS_NETLINK_ROUTE_SOCKET;
1015 case NETLINK_FIREWALL:
1016 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 1017 case NETLINK_INET_DIAG:
1da177e4
LT
1018 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1019 case NETLINK_NFLOG:
1020 return SECCLASS_NETLINK_NFLOG_SOCKET;
1021 case NETLINK_XFRM:
1022 return SECCLASS_NETLINK_XFRM_SOCKET;
1023 case NETLINK_SELINUX:
1024 return SECCLASS_NETLINK_SELINUX_SOCKET;
1025 case NETLINK_AUDIT:
1026 return SECCLASS_NETLINK_AUDIT_SOCKET;
1027 case NETLINK_IP6_FW:
1028 return SECCLASS_NETLINK_IP6FW_SOCKET;
1029 case NETLINK_DNRTMSG:
1030 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM
1031 case NETLINK_KOBJECT_UEVENT:
1032 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT
1033 default:
1034 return SECCLASS_NETLINK_SOCKET;
1035 }
1036 case PF_PACKET:
1037 return SECCLASS_PACKET_SOCKET;
1038 case PF_KEY:
1039 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP
1040 case PF_APPLETALK:
1041 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT
1042 }
1043
1044 return SECCLASS_SOCKET;
1045}
1046
1047#ifdef CONFIG_PROC_FS
1048static int selinux_proc_get_sid(struct proc_dir_entry *de,
1049 u16 tclass,
1050 u32 *sid)
1051{
1052 int buflen, rc;
1053 char *buffer, *path, *end;
1054
1055 buffer = (char*)__get_free_page(GFP_KERNEL);
1056 if (!buffer)
1057 return -ENOMEM;
1058
1059 buflen = PAGE_SIZE;
1060 end = buffer+buflen;
1061 *--end = '\0';
1062 buflen--;
1063 path = end-1;
1064 *path = '/';
1065 while (de && de != de->parent) {
1066 buflen -= de->namelen + 1;
1067 if (buflen < 0)
1068 break;
1069 end -= de->namelen;
1070 memcpy(end, de->name, de->namelen);
1071 *--end = '/';
1072 path = end;
1073 de = de->parent;
1074 }
1075 rc = security_genfs_sid("proc", path, tclass, sid);
1076 free_page((unsigned long)buffer);
1077 return rc;
1078}
1079#else
1080static int selinux_proc_get_sid(struct proc_dir_entry *de,
1081 u16 tclass,
1082 u32 *sid)
1083{
1084 return -EINVAL;
1085}
1086#endif
1087
1088/* The inode's security attributes must be initialized before first use. */
1089static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1090{
1091 struct superblock_security_struct *sbsec = NULL;
1092 struct inode_security_struct *isec = inode->i_security;
1093 u32 sid;
1094 struct dentry *dentry;
1095#define INITCONTEXTLEN 255
1096 char *context = NULL;
1097 unsigned len = 0;
1098 int rc = 0;
1da177e4
LT
1099
1100 if (isec->initialized)
1101 goto out;
1102
23970741 1103 mutex_lock(&isec->lock);
1da177e4 1104 if (isec->initialized)
23970741 1105 goto out_unlock;
1da177e4
LT
1106
1107 sbsec = inode->i_sb->s_security;
1108 if (!sbsec->initialized) {
1109 /* Defer initialization until selinux_complete_init,
1110 after the initial policy is loaded and the security
1111 server is ready to handle calls. */
1112 spin_lock(&sbsec->isec_lock);
1113 if (list_empty(&isec->list))
1114 list_add(&isec->list, &sbsec->isec_head);
1115 spin_unlock(&sbsec->isec_lock);
23970741 1116 goto out_unlock;
1da177e4
LT
1117 }
1118
1119 switch (sbsec->behavior) {
1120 case SECURITY_FS_USE_XATTR:
1121 if (!inode->i_op->getxattr) {
1122 isec->sid = sbsec->def_sid;
1123 break;
1124 }
1125
1126 /* Need a dentry, since the xattr API requires one.
1127 Life would be simpler if we could just pass the inode. */
1128 if (opt_dentry) {
1129 /* Called from d_instantiate or d_splice_alias. */
1130 dentry = dget(opt_dentry);
1131 } else {
1132 /* Called from selinux_complete_init, try to find a dentry. */
1133 dentry = d_find_alias(inode);
1134 }
1135 if (!dentry) {
1136 printk(KERN_WARNING "%s: no dentry for dev=%s "
dd6f953a 1137 "ino=%ld\n", __func__, inode->i_sb->s_id,
1da177e4 1138 inode->i_ino);
23970741 1139 goto out_unlock;
1da177e4
LT
1140 }
1141
1142 len = INITCONTEXTLEN;
869ab514 1143 context = kmalloc(len, GFP_NOFS);
1da177e4
LT
1144 if (!context) {
1145 rc = -ENOMEM;
1146 dput(dentry);
23970741 1147 goto out_unlock;
1da177e4
LT
1148 }
1149 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1150 context, len);
1151 if (rc == -ERANGE) {
1152 /* Need a larger buffer. Query for the right size. */
1153 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1154 NULL, 0);
1155 if (rc < 0) {
1156 dput(dentry);
23970741 1157 goto out_unlock;
1da177e4
LT
1158 }
1159 kfree(context);
1160 len = rc;
869ab514 1161 context = kmalloc(len, GFP_NOFS);
1da177e4
LT
1162 if (!context) {
1163 rc = -ENOMEM;
1164 dput(dentry);
23970741 1165 goto out_unlock;
1da177e4
LT
1166 }
1167 rc = inode->i_op->getxattr(dentry,
1168 XATTR_NAME_SELINUX,
1169 context, len);
1170 }
1171 dput(dentry);
1172 if (rc < 0) {
1173 if (rc != -ENODATA) {
1174 printk(KERN_WARNING "%s: getxattr returned "
dd6f953a 1175 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT
1176 -rc, inode->i_sb->s_id, inode->i_ino);
1177 kfree(context);
23970741 1178 goto out_unlock;
1da177e4
LT
1179 }
1180 /* Map ENODATA to the default file SID */
1181 sid = sbsec->def_sid;
1182 rc = 0;
1183 } else {
f5c1d5b2 1184 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS
1185 sbsec->def_sid,
1186 GFP_NOFS);
1da177e4
LT
1187 if (rc) {
1188 printk(KERN_WARNING "%s: context_to_sid(%s) "
1189 "returned %d for dev=%s ino=%ld\n",
dd6f953a 1190 __func__, context, -rc,
1da177e4
LT
1191 inode->i_sb->s_id, inode->i_ino);
1192 kfree(context);
1193 /* Leave with the unlabeled SID */
1194 rc = 0;
1195 break;
1196 }
1197 }
1198 kfree(context);
1199 isec->sid = sid;
1200 break;
1201 case SECURITY_FS_USE_TASK:
1202 isec->sid = isec->task_sid;
1203 break;
1204 case SECURITY_FS_USE_TRANS:
1205 /* Default to the fs SID. */
1206 isec->sid = sbsec->sid;
1207
1208 /* Try to obtain a transition SID. */
1209 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1210 rc = security_transition_sid(isec->task_sid,
1211 sbsec->sid,
1212 isec->sclass,
1213 &sid);
1214 if (rc)
23970741 1215 goto out_unlock;
1da177e4
LT
1216 isec->sid = sid;
1217 break;
c312feb2
EP
1218 case SECURITY_FS_USE_MNTPOINT:
1219 isec->sid = sbsec->mntpoint_sid;
1220 break;
1da177e4 1221 default:
c312feb2 1222 /* Default to the fs superblock SID. */
1da177e4
LT
1223 isec->sid = sbsec->sid;
1224
1225 if (sbsec->proc) {
1226 struct proc_inode *proci = PROC_I(inode);
1227 if (proci->pde) {
1228 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1229 rc = selinux_proc_get_sid(proci->pde,
1230 isec->sclass,
1231 &sid);
1232 if (rc)
23970741 1233 goto out_unlock;
1da177e4
LT
1234 isec->sid = sid;
1235 }
1236 }
1237 break;
1238 }
1239
1240 isec->initialized = 1;
1241
23970741
EP
1242out_unlock:
1243 mutex_unlock(&isec->lock);
1da177e4
LT
1244out:
1245 if (isec->sclass == SECCLASS_FILE)
1246 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT
1247 return rc;
1248}
1249
1250/* Convert a Linux signal to an access vector. */
1251static inline u32 signal_to_av(int sig)
1252{
1253 u32 perm = 0;
1254
1255 switch (sig) {
1256 case SIGCHLD:
1257 /* Commonly granted from child to parent. */
1258 perm = PROCESS__SIGCHLD;
1259 break;
1260 case SIGKILL:
1261 /* Cannot be caught or ignored */
1262 perm = PROCESS__SIGKILL;
1263 break;
1264 case SIGSTOP:
1265 /* Cannot be caught or ignored */
1266 perm = PROCESS__SIGSTOP;
1267 break;
1268 default:
1269 /* All other signals. */
1270 perm = PROCESS__SIGNAL;
1271 break;
1272 }
1273
1274 return perm;
1275}
1276
1277/* Check permission betweeen a pair of tasks, e.g. signal checks,
1278 fork check, ptrace check, etc. */
1279static int task_has_perm(struct task_struct *tsk1,
1280 struct task_struct *tsk2,
1281 u32 perms)
1282{
1283 struct task_security_struct *tsec1, *tsec2;
1284
1285 tsec1 = tsk1->security;
1286 tsec2 = tsk2->security;
1287 return avc_has_perm(tsec1->sid, tsec2->sid,
1288 SECCLASS_PROCESS, perms, NULL);
1289}
1290
b68e418c
SS
1291#if CAP_LAST_CAP > 63
1292#error Fix SELinux to handle capabilities > 63.
1293#endif
1294
1da177e4
LT
1295/* Check whether a task is allowed to use a capability. */
1296static int task_has_capability(struct task_struct *tsk,
1297 int cap)
1298{
1299 struct task_security_struct *tsec;
1300 struct avc_audit_data ad;
b68e418c
SS
1301 u16 sclass;
1302 u32 av = CAP_TO_MASK(cap);
1da177e4
LT
1303
1304 tsec = tsk->security;
1305
1306 AVC_AUDIT_DATA_INIT(&ad,CAP);
1307 ad.tsk = tsk;
1308 ad.u.cap = cap;
1309
b68e418c
SS
1310 switch (CAP_TO_INDEX(cap)) {
1311 case 0:
1312 sclass = SECCLASS_CAPABILITY;
1313 break;
1314 case 1:
1315 sclass = SECCLASS_CAPABILITY2;
1316 break;
1317 default:
1318 printk(KERN_ERR
1319 "SELinux: out of range capability %d\n", cap);
1320 BUG();
1321 }
1322 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1da177e4
LT
1323}
1324
1325/* Check whether a task is allowed to use a system operation. */
1326static int task_has_system(struct task_struct *tsk,
1327 u32 perms)
1328{
1329 struct task_security_struct *tsec;
1330
1331 tsec = tsk->security;
1332
1333 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1334 SECCLASS_SYSTEM, perms, NULL);
1335}
1336
1337/* Check whether a task has a particular permission to an inode.
1338 The 'adp' parameter is optional and allows other audit
1339 data to be passed (e.g. the dentry). */
1340static int inode_has_perm(struct task_struct *tsk,
1341 struct inode *inode,
1342 u32 perms,
1343 struct avc_audit_data *adp)
1344{
1345 struct task_security_struct *tsec;
1346 struct inode_security_struct *isec;
1347 struct avc_audit_data ad;
1348
bbaca6c2
SS
1349 if (unlikely (IS_PRIVATE (inode)))
1350 return 0;
1351
1da177e4
LT
1352 tsec = tsk->security;
1353 isec = inode->i_security;
1354
1355 if (!adp) {
1356 adp = &ad;
1357 AVC_AUDIT_DATA_INIT(&ad, FS);
1358 ad.u.fs.inode = inode;
1359 }
1360
1361 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1362}
1363
1364/* Same as inode_has_perm, but pass explicit audit data containing
1365 the dentry to help the auditing code to more easily generate the
1366 pathname if needed. */
1367static inline int dentry_has_perm(struct task_struct *tsk,
1368 struct vfsmount *mnt,
1369 struct dentry *dentry,
1370 u32 av)
1371{
1372 struct inode *inode = dentry->d_inode;
1373 struct avc_audit_data ad;
1374 AVC_AUDIT_DATA_INIT(&ad,FS);
44707fdf
JB
1375 ad.u.fs.path.mnt = mnt;
1376 ad.u.fs.path.dentry = dentry;
1da177e4
LT
1377 return inode_has_perm(tsk, inode, av, &ad);
1378}
1379
1380/* Check whether a task can use an open file descriptor to
1381 access an inode in a given way. Check access to the
1382 descriptor itself, and then use dentry_has_perm to
1383 check a particular permission to the file.
1384 Access to the descriptor is implicitly granted if it
1385 has the same SID as the process. If av is zero, then
1386 access to the file is not checked, e.g. for cases
1387 where only the descriptor is affected like seek. */
858119e1 1388static int file_has_perm(struct task_struct *tsk,
1da177e4
LT
1389 struct file *file,
1390 u32 av)
1391{
1392 struct task_security_struct *tsec = tsk->security;
1393 struct file_security_struct *fsec = file->f_security;
44707fdf 1394 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT
1395 struct avc_audit_data ad;
1396 int rc;
1397
1398 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1399 ad.u.fs.path = file->f_path;
1da177e4
LT
1400
1401 if (tsec->sid != fsec->sid) {
1402 rc = avc_has_perm(tsec->sid, fsec->sid,
1403 SECCLASS_FD,
1404 FD__USE,
1405 &ad);
1406 if (rc)
1407 return rc;
1408 }
1409
1410 /* av is zero if only checking access to the descriptor. */
1411 if (av)
1412 return inode_has_perm(tsk, inode, av, &ad);
1413
1414 return 0;
1415}
1416
1417/* Check whether a task can create a file. */
1418static int may_create(struct inode *dir,
1419 struct dentry *dentry,
1420 u16 tclass)
1421{
1422 struct task_security_struct *tsec;
1423 struct inode_security_struct *dsec;
1424 struct superblock_security_struct *sbsec;
1425 u32 newsid;
1426 struct avc_audit_data ad;
1427 int rc;
1428
1429 tsec = current->security;
1430 dsec = dir->i_security;
1431 sbsec = dir->i_sb->s_security;
1432
1433 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1434 ad.u.fs.path.dentry = dentry;
1da177e4
LT
1435
1436 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1437 DIR__ADD_NAME | DIR__SEARCH,
1438 &ad);
1439 if (rc)
1440 return rc;
1441
1442 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1443 newsid = tsec->create_sid;
1444 } else {
1445 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1446 &newsid);
1447 if (rc)
1448 return rc;
1449 }
1450
1451 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1452 if (rc)
1453 return rc;
1454
1455 return avc_has_perm(newsid, sbsec->sid,
1456 SECCLASS_FILESYSTEM,
1457 FILESYSTEM__ASSOCIATE, &ad);
1458}
1459
4eb582cf
ML
1460/* Check whether a task can create a key. */
1461static int may_create_key(u32 ksid,
1462 struct task_struct *ctx)
1463{
1464 struct task_security_struct *tsec;
1465
1466 tsec = ctx->security;
1467
1468 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1469}
1470
1da177e4
LT
1471#define MAY_LINK 0
1472#define MAY_UNLINK 1
1473#define MAY_RMDIR 2
1474
1475/* Check whether a task can link, unlink, or rmdir a file/directory. */
1476static int may_link(struct inode *dir,
1477 struct dentry *dentry,
1478 int kind)
1479
1480{
1481 struct task_security_struct *tsec;
1482 struct inode_security_struct *dsec, *isec;
1483 struct avc_audit_data ad;
1484 u32 av;
1485 int rc;
1486
1487 tsec = current->security;
1488 dsec = dir->i_security;
1489 isec = dentry->d_inode->i_security;
1490
1491 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1492 ad.u.fs.path.dentry = dentry;
1da177e4
LT
1493
1494 av = DIR__SEARCH;
1495 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1496 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1497 if (rc)
1498 return rc;
1499
1500 switch (kind) {
1501 case MAY_LINK:
1502 av = FILE__LINK;
1503 break;
1504 case MAY_UNLINK:
1505 av = FILE__UNLINK;
1506 break;
1507 case MAY_RMDIR:
1508 av = DIR__RMDIR;
1509 break;
1510 default:
1511 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1512 return 0;
1513 }
1514
1515 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1516 return rc;
1517}
1518
1519static inline int may_rename(struct inode *old_dir,
1520 struct dentry *old_dentry,
1521 struct inode *new_dir,
1522 struct dentry *new_dentry)
1523{
1524 struct task_security_struct *tsec;
1525 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1526 struct avc_audit_data ad;
1527 u32 av;
1528 int old_is_dir, new_is_dir;
1529 int rc;
1530
1531 tsec = current->security;
1532 old_dsec = old_dir->i_security;
1533 old_isec = old_dentry->d_inode->i_security;
1534 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1535 new_dsec = new_dir->i_security;
1536
1537 AVC_AUDIT_DATA_INIT(&ad, FS);
1538
44707fdf 1539 ad.u.fs.path.dentry = old_dentry;
1da177e4
LT
1540 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1541 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1542 if (rc)
1543 return rc;
1544 rc = avc_has_perm(tsec->sid, old_isec->sid,
1545 old_isec->sclass, FILE__RENAME, &ad);
1546 if (rc)
1547 return rc;
1548 if (old_is_dir && new_dir != old_dir) {
1549 rc = avc_has_perm(tsec->sid, old_isec->sid,
1550 old_isec->sclass, DIR__REPARENT, &ad);
1551 if (rc)
1552 return rc;
1553 }
1554
44707fdf 1555 ad.u.fs.path.dentry = new_dentry;
1da177e4
LT
1556 av = DIR__ADD_NAME | DIR__SEARCH;
1557 if (new_dentry->d_inode)
1558 av |= DIR__REMOVE_NAME;
1559 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1560 if (rc)
1561 return rc;
1562 if (new_dentry->d_inode) {
1563 new_isec = new_dentry->d_inode->i_security;
1564 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1565 rc = avc_has_perm(tsec->sid, new_isec->sid,
1566 new_isec->sclass,
1567 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1568 if (rc)
1569 return rc;
1570 }
1571
1572 return 0;
1573}
1574
1575/* Check whether a task can perform a filesystem operation. */
1576static int superblock_has_perm(struct task_struct *tsk,
1577 struct super_block *sb,
1578 u32 perms,
1579 struct avc_audit_data *ad)
1580{
1581 struct task_security_struct *tsec;
1582 struct superblock_security_struct *sbsec;
1583
1584 tsec = tsk->security;
1585 sbsec = sb->s_security;
1586 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1587 perms, ad);
1588}
1589
1590/* Convert a Linux mode and permission mask to an access vector. */
1591static inline u32 file_mask_to_av(int mode, int mask)
1592{
1593 u32 av = 0;
1594
1595 if ((mode & S_IFMT) != S_IFDIR) {
1596 if (mask & MAY_EXEC)
1597 av |= FILE__EXECUTE;
1598 if (mask & MAY_READ)
1599 av |= FILE__READ;
1600
1601 if (mask & MAY_APPEND)
1602 av |= FILE__APPEND;
1603 else if (mask & MAY_WRITE)
1604 av |= FILE__WRITE;
1605
1606 } else {
1607 if (mask & MAY_EXEC)
1608 av |= DIR__SEARCH;
1609 if (mask & MAY_WRITE)
1610 av |= DIR__WRITE;
1611 if (mask & MAY_READ)
1612 av |= DIR__READ;
1613 }
1614
1615 return av;
1616}
1617
b0c636b9
EP
1618/*
1619 * Convert a file mask to an access vector and include the correct open
1620 * open permission.
1621 */
1622static inline u32 open_file_mask_to_av(int mode, int mask)
1623{
1624 u32 av = file_mask_to_av(mode, mask);
1625
1626 if (selinux_policycap_openperm) {
1627 /*
1628 * lnk files and socks do not really have an 'open'
1629 */
1630 if (S_ISREG(mode))
1631 av |= FILE__OPEN;
1632 else if (S_ISCHR(mode))
1633 av |= CHR_FILE__OPEN;
1634 else if (S_ISBLK(mode))
1635 av |= BLK_FILE__OPEN;
1636 else if (S_ISFIFO(mode))
1637 av |= FIFO_FILE__OPEN;
1638 else if (S_ISDIR(mode))
1639 av |= DIR__OPEN;
1640 else
1641 printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av "
1642 "with unknown mode:%x\n", mode);
1643 }
1644 return av;
1645}
1646
1da177e4
LT
1647/* Convert a Linux file to an access vector. */
1648static inline u32 file_to_av(struct file *file)
1649{
1650 u32 av = 0;
1651
1652 if (file->f_mode & FMODE_READ)
1653 av |= FILE__READ;
1654 if (file->f_mode & FMODE_WRITE) {
1655 if (file->f_flags & O_APPEND)
1656 av |= FILE__APPEND;
1657 else
1658 av |= FILE__WRITE;
1659 }
0794c66d
SS
1660 if (!av) {
1661 /*
1662 * Special file opened with flags 3 for ioctl-only use.
1663 */
1664 av = FILE__IOCTL;
1665 }
1da177e4
LT
1666
1667 return av;
1668}
1669
1da177e4
LT
1670/* Hook functions begin here. */
1671
1672static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1673{
1da177e4
LT
1674 int rc;
1675
1676 rc = secondary_ops->ptrace(parent,child);
1677 if (rc)
1678 return rc;
1679
0356357c 1680 return task_has_perm(parent, child, PROCESS__PTRACE);
1da177e4
LT
1681}
1682
1683static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1684 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1685{
1686 int error;
1687
1688 error = task_has_perm(current, target, PROCESS__GETCAP);
1689 if (error)
1690 return error;
1691
1692 return secondary_ops->capget(target, effective, inheritable, permitted);
1693}
1694
1695static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1696 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1697{
1698 int error;
1699
1700 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1701 if (error)
1702 return error;
1703
1704 return task_has_perm(current, target, PROCESS__SETCAP);
1705}
1706
1707static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1708 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1709{
1710 secondary_ops->capset_set(target, effective, inheritable, permitted);
1711}
1712
1713static int selinux_capable(struct task_struct *tsk, int cap)
1714{
1715 int rc;
1716
1717 rc = secondary_ops->capable(tsk, cap);
1718 if (rc)
1719 return rc;
1720
1721 return task_has_capability(tsk,cap);
1722}
1723
3fbfa981
EB
1724static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1725{
1726 int buflen, rc;
1727 char *buffer, *path, *end;
1728
1729 rc = -ENOMEM;
1730 buffer = (char*)__get_free_page(GFP_KERNEL);
1731 if (!buffer)
1732 goto out;
1733
1734 buflen = PAGE_SIZE;
1735 end = buffer+buflen;
1736 *--end = '\0';
1737 buflen--;
1738 path = end-1;
1739 *path = '/';
1740 while (table) {
1741 const char *name = table->procname;
1742 size_t namelen = strlen(name);
1743 buflen -= namelen + 1;
1744 if (buflen < 0)
1745 goto out_free;
1746 end -= namelen;
1747 memcpy(end, name, namelen);
1748 *--end = '/';
1749 path = end;
1750 table = table->parent;
1751 }
b599fdfd
EB
1752 buflen -= 4;
1753 if (buflen < 0)
1754 goto out_free;
1755 end -= 4;
1756 memcpy(end, "/sys", 4);
1757 path = end;
3fbfa981
EB
1758 rc = security_genfs_sid("proc", path, tclass, sid);
1759out_free:
1760 free_page((unsigned long)buffer);
1761out:
1762 return rc;
1763}
1764
1da177e4
LT
1765static int selinux_sysctl(ctl_table *table, int op)
1766{
1767 int error = 0;
1768 u32 av;
1769 struct task_security_struct *tsec;
1770 u32 tsid;
1771 int rc;
1772
1773 rc = secondary_ops->sysctl(table, op);
1774 if (rc)
1775 return rc;
1776
1777 tsec = current->security;
1778
3fbfa981
EB
1779 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1780 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1da177e4
LT
1781 if (rc) {
1782 /* Default to the well-defined sysctl SID. */
1783 tsid = SECINITSID_SYSCTL;
1784 }
1785
1786 /* The op values are "defined" in sysctl.c, thereby creating
1787 * a bad coupling between this module and sysctl.c */
1788 if(op == 001) {
1789 error = avc_has_perm(tsec->sid, tsid,
1790 SECCLASS_DIR, DIR__SEARCH, NULL);
1791 } else {
1792 av = 0;
1793 if (op & 004)
1794 av |= FILE__READ;
1795 if (op & 002)
1796 av |= FILE__WRITE;
1797 if (av)
1798 error = avc_has_perm(tsec->sid, tsid,
1799 SECCLASS_FILE, av, NULL);
1800 }
1801
1802 return error;
1803}
1804
1805static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1806{
1807 int rc = 0;
1808
1809 if (!sb)
1810 return 0;
1811
1812 switch (cmds) {
1813 case Q_SYNC:
1814 case Q_QUOTAON:
1815 case Q_QUOTAOFF:
1816 case Q_SETINFO:
1817 case Q_SETQUOTA:
1818 rc = superblock_has_perm(current,
1819 sb,
1820 FILESYSTEM__QUOTAMOD, NULL);
1821 break;
1822 case Q_GETFMT:
1823 case Q_GETINFO:
1824 case Q_GETQUOTA:
1825 rc = superblock_has_perm(current,
1826 sb,
1827 FILESYSTEM__QUOTAGET, NULL);
1828 break;
1829 default:
1830 rc = 0; /* let the kernel handle invalid cmds */
1831 break;
1832 }
1833 return rc;
1834}
1835
1836static int selinux_quota_on(struct dentry *dentry)
1837{
1838 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1839}
1840
1841static int selinux_syslog(int type)
1842{
1843 int rc;
1844
1845 rc = secondary_ops->syslog(type);
1846 if (rc)
1847 return rc;
1848
1849 switch (type) {
1850 case 3: /* Read last kernel messages */
1851 case 10: /* Return size of the log buffer */
1852 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1853 break;
1854 case 6: /* Disable logging to console */
1855 case 7: /* Enable logging to console */
1856 case 8: /* Set level of messages printed to console */
1857 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1858 break;
1859 case 0: /* Close log */
1860 case 1: /* Open log */
1861 case 2: /* Read from log */
1862 case 4: /* Read/clear last kernel messages */
1863 case 5: /* Clear ring buffer */
1864 default:
1865 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1866 break;
1867 }
1868 return rc;
1869}
1870
1871/*
1872 * Check that a process has enough memory to allocate a new virtual
1873 * mapping. 0 means there is enough memory for the allocation to
1874 * succeed and -ENOMEM implies there is not.
1875 *
1876 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1877 * if the capability is granted, but __vm_enough_memory requires 1 if
1878 * the capability is granted.
1879 *
1880 * Do not audit the selinux permission check, as this is applied to all
1881 * processes that allocate mappings.
1882 */
34b4e4aa 1883static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT
1884{
1885 int rc, cap_sys_admin = 0;
1886 struct task_security_struct *tsec = current->security;
1887
1888 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1889 if (rc == 0)
1890 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2c3c05db
SS
1891 SECCLASS_CAPABILITY,
1892 CAP_TO_MASK(CAP_SYS_ADMIN),
1893 0,
1894 NULL);
1da177e4
LT
1895
1896 if (rc == 0)
1897 cap_sys_admin = 1;
1898
34b4e4aa 1899 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT
1900}
1901
0356357c
RM
1902/**
1903 * task_tracer_task - return the task that is tracing the given task
1904 * @task: task to consider
1905 *
1906 * Returns NULL if noone is tracing @task, or the &struct task_struct
1907 * pointer to its tracer.
1908 *
1909 * Must be called under rcu_read_lock().
1910 */
1911static struct task_struct *task_tracer_task(struct task_struct *task)
1912{
1913 if (task->ptrace & PT_PTRACED)
1914 return rcu_dereference(task->parent);
1915 return NULL;
1916}
1917
1da177e4
LT
1918/* binprm security operations */
1919
1920static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1921{
1922 struct bprm_security_struct *bsec;
1923
89d155ef 1924 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1da177e4
LT
1925 if (!bsec)
1926 return -ENOMEM;
1927
1da177e4
LT
1928 bsec->sid = SECINITSID_UNLABELED;
1929 bsec->set = 0;
1930
1931 bprm->security = bsec;
1932 return 0;
1933}
1934
1935static int selinux_bprm_set_security(struct linux_binprm *bprm)
1936{
1937 struct task_security_struct *tsec;
3d5ff529 1938 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1da177e4
LT
1939 struct inode_security_struct *isec;
1940 struct bprm_security_struct *bsec;
1941 u32 newsid;
1942 struct avc_audit_data ad;
1943 int rc;
1944
1945 rc = secondary_ops->bprm_set_security(bprm);
1946 if (rc)
1947 return rc;
1948
1949 bsec = bprm->security;
1950
1951 if (bsec->set)
1952 return 0;
1953
1954 tsec = current->security;
1955 isec = inode->i_security;
1956
1957 /* Default to the current task SID. */
1958 bsec->sid = tsec->sid;
1959
28eba5bf 1960 /* Reset fs, key, and sock SIDs on execve. */
1da177e4 1961 tsec->create_sid = 0;
28eba5bf 1962 tsec->keycreate_sid = 0;
42c3e03e 1963 tsec->sockcreate_sid = 0;
1da177e4
LT
1964
1965 if (tsec->exec_sid) {
1966 newsid = tsec->exec_sid;
1967 /* Reset exec SID on execve. */
1968 tsec->exec_sid = 0;
1969 } else {
1970 /* Check for a default transition on this program. */
1971 rc = security_transition_sid(tsec->sid, isec->sid,
1972 SECCLASS_PROCESS, &newsid);
1973 if (rc)
1974 return rc;
1975 }
1976
1977 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1978 ad.u.fs.path = bprm->file->f_path;
1da177e4 1979
3d5ff529 1980 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1da177e4
LT
1981 newsid = tsec->sid;
1982
1983 if (tsec->sid == newsid) {
1984 rc = avc_has_perm(tsec->sid, isec->sid,
1985 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1986 if (rc)
1987 return rc;
1988 } else {
1989 /* Check permissions for the transition. */
1990 rc = avc_has_perm(tsec->sid, newsid,
1991 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1992 if (rc)
1993 return rc;
1994
1995 rc = avc_has_perm(newsid, isec->sid,
1996 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1997 if (rc)
1998 return rc;
1999
2000 /* Clear any possibly unsafe personality bits on exec: */
2001 current->personality &= ~PER_CLEAR_ON_SETID;
2002
2003 /* Set the security field to the new SID. */
2004 bsec->sid = newsid;
2005 }
2006
2007 bsec->set = 1;
2008 return 0;
2009}
2010
2011static int selinux_bprm_check_security (struct linux_binprm *bprm)
2012{
2013 return secondary_ops->bprm_check_security(bprm);
2014}
2015
2016
2017static int selinux_bprm_secureexec (struct linux_binprm *bprm)
2018{
2019 struct task_security_struct *tsec = current->security;
2020 int atsecure = 0;
2021
2022 if (tsec->osid != tsec->sid) {
2023 /* Enable secure mode for SIDs transitions unless
2024 the noatsecure permission is granted between
2025 the two SIDs, i.e. ahp returns 0. */
2026 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2027 SECCLASS_PROCESS,
2028 PROCESS__NOATSECURE, NULL);
2029 }
2030
2031 return (atsecure || secondary_ops->bprm_secureexec(bprm));
2032}
2033
2034static void selinux_bprm_free_security(struct linux_binprm *bprm)
2035{
9a5f04bf 2036 kfree(bprm->security);
1da177e4 2037 bprm->security = NULL;
1da177e4
LT
2038}
2039
2040extern struct vfsmount *selinuxfs_mount;
2041extern struct dentry *selinux_null;
2042
2043/* Derived from fs/exec.c:flush_old_files. */
2044static inline void flush_unauthorized_files(struct files_struct * files)
2045{
2046 struct avc_audit_data ad;
2047 struct file *file, *devnull = NULL;
b20c8122 2048 struct tty_struct *tty;
badf1662 2049 struct fdtable *fdt;
1da177e4 2050 long j = -1;
24ec839c 2051 int drop_tty = 0;
1da177e4 2052
b20c8122 2053 mutex_lock(&tty_mutex);
24ec839c 2054 tty = get_current_tty();
1da177e4
LT
2055 if (tty) {
2056 file_list_lock();
2f512016 2057 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1da177e4
LT
2058 if (file) {
2059 /* Revalidate access to controlling tty.
2060 Use inode_has_perm on the tty inode directly rather
2061 than using file_has_perm, as this particular open
2062 file may belong to another process and we are only
2063 interested in the inode-based check here. */
3d5ff529 2064 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT
2065 if (inode_has_perm(current, inode,
2066 FILE__READ | FILE__WRITE, NULL)) {
24ec839c 2067 drop_tty = 1;
1da177e4
LT
2068 }
2069 }
2070 file_list_unlock();
2071 }
b20c8122 2072 mutex_unlock(&tty_mutex);
98a27ba4
EB
2073 /* Reset controlling tty. */
2074 if (drop_tty)
2075 no_tty();
1da177e4
LT
2076
2077 /* Revalidate access to inherited open files. */
2078
2079 AVC_AUDIT_DATA_INIT(&ad,FS);
2080
2081 spin_lock(&files->file_lock);
2082 for (;;) {
2083 unsigned long set, i;
2084 int fd;
2085
2086 j++;
2087 i = j * __NFDBITS;
badf1662 2088 fdt = files_fdtable(files);
bbea9f69 2089 if (i >= fdt->max_fds)
1da177e4 2090 break;
badf1662 2091 set = fdt->open_fds->fds_bits[j];
1da177e4
LT
2092 if (!set)
2093 continue;
2094 spin_unlock(&files->file_lock);
2095 for ( ; set ; i++,set >>= 1) {
2096 if (set & 1) {
2097 file = fget(i);
2098 if (!file)
2099 continue;
2100 if (file_has_perm(current,
2101 file,
2102 file_to_av(file))) {
2103 sys_close(i);
2104 fd = get_unused_fd();
2105 if (fd != i) {
2106 if (fd >= 0)
2107 put_unused_fd(fd);
2108 fput(file);
2109 continue;
2110 }
2111 if (devnull) {
095975da 2112 get_file(devnull);
1da177e4
LT
2113 } else {
2114 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
fc5d81e6
AM
2115 if (IS_ERR(devnull)) {
2116 devnull = NULL;
1da177e4
LT
2117 put_unused_fd(fd);
2118 fput(file);
2119 continue;
2120 }
2121 }
2122 fd_install(fd, devnull);
2123 }
2124 fput(file);
2125 }
2126 }
2127 spin_lock(&files->file_lock);
2128
2129 }
2130 spin_unlock(&files->file_lock);
2131}
2132
2133static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2134{
2135 struct task_security_struct *tsec;
2136 struct bprm_security_struct *bsec;
2137 u32 sid;
2138 int rc;
2139
2140 secondary_ops->bprm_apply_creds(bprm, unsafe);
2141
2142 tsec = current->security;
2143
2144 bsec = bprm->security;
2145 sid = bsec->sid;
2146
2147 tsec->osid = tsec->sid;
2148 bsec->unsafe = 0;
2149 if (tsec->sid != sid) {
2150 /* Check for shared state. If not ok, leave SID
2151 unchanged and kill. */
2152 if (unsafe & LSM_UNSAFE_SHARE) {
2153 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2154 PROCESS__SHARE, NULL);
2155 if (rc) {
2156 bsec->unsafe = 1;
2157 return;
2158 }
2159 }
2160
2161 /* Check for ptracing, and update the task SID if ok.
2162 Otherwise, leave SID unchanged and kill. */
2163 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
0356357c
RM
2164 struct task_struct *tracer;
2165 struct task_security_struct *sec;
2166 u32 ptsid = 0;
2167
2168 rcu_read_lock();
2169 tracer = task_tracer_task(current);
2170 if (likely(tracer != NULL)) {
2171 sec = tracer->security;
2172 ptsid = sec->sid;
2173 }
2174 rcu_read_unlock();
2175
2176 if (ptsid != 0) {
2177 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2178 PROCESS__PTRACE, NULL);
2179 if (rc) {
2180 bsec->unsafe = 1;
2181 return;
2182 }
1da177e4
LT
2183 }
2184 }
2185 tsec->sid = sid;
2186 }
2187}
2188
2189/*
2190 * called after apply_creds without the task lock held
2191 */
2192static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2193{
2194 struct task_security_struct *tsec;
2195 struct rlimit *rlim, *initrlim;
2196 struct itimerval itimer;
2197 struct bprm_security_struct *bsec;
2198 int rc, i;
2199
2200 tsec = current->security;
2201 bsec = bprm->security;
2202
2203 if (bsec->unsafe) {
2204 force_sig_specific(SIGKILL, current);
2205 return;
2206 }
2207 if (tsec->osid == tsec->sid)
2208 return;
2209
2210 /* Close files for which the new task SID is not authorized. */
2211 flush_unauthorized_files(current->files);
2212
2213 /* Check whether the new SID can inherit signal state
2214 from the old SID. If not, clear itimers to avoid
2215 subsequent signal generation and flush and unblock
2216 signals. This must occur _after_ the task SID has
2217 been updated so that any kill done after the flush
2218 will be checked against the new SID. */
2219 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2220 PROCESS__SIGINH, NULL);
2221 if (rc) {
2222 memset(&itimer, 0, sizeof itimer);
2223 for (i = 0; i < 3; i++)
2224 do_setitimer(i, &itimer, NULL);
2225 flush_signals(current);
2226 spin_lock_irq(&current->sighand->siglock);
2227 flush_signal_handlers(current, 1);
2228 sigemptyset(&current->blocked);
2229 recalc_sigpending();
2230 spin_unlock_irq(&current->sighand->siglock);
2231 }
2232
4ac212ad
SS
2233 /* Always clear parent death signal on SID transitions. */
2234 current->pdeath_signal = 0;
2235
1da177e4
LT
2236 /* Check whether the new SID can inherit resource limits
2237 from the old SID. If not, reset all soft limits to
2238 the lower of the current task's hard limit and the init
2239 task's soft limit. Note that the setting of hard limits
2240 (even to lower them) can be controlled by the setrlimit
2241 check. The inclusion of the init task's soft limit into
2242 the computation is to avoid resetting soft limits higher
2243 than the default soft limit for cases where the default
2244 is lower than the hard limit, e.g. RLIMIT_CORE or
2245 RLIMIT_STACK.*/
2246 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2247 PROCESS__RLIMITINH, NULL);
2248 if (rc) {
2249 for (i = 0; i < RLIM_NLIMITS; i++) {
2250 rlim = current->signal->rlim + i;
2251 initrlim = init_task.signal->rlim+i;
2252 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2253 }
2254 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2255 /*
2256 * This will cause RLIMIT_CPU calculations
2257 * to be refigured.
2258 */
2259 current->it_prof_expires = jiffies_to_cputime(1);
2260 }
2261 }
2262
2263 /* Wake up the parent if it is waiting so that it can
2264 recheck wait permission to the new task SID. */
2265 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2266}
2267
2268/* superblock security operations */
2269
2270static int selinux_sb_alloc_security(struct super_block *sb)
2271{
2272 return superblock_alloc_security(sb);
2273}
2274
2275static void selinux_sb_free_security(struct super_block *sb)
2276{
2277 superblock_free_security(sb);
2278}
2279
2280static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2281{
2282 if (plen > olen)
2283 return 0;
2284
2285 return !memcmp(prefix, option, plen);
2286}
2287
2288static inline int selinux_option(char *option, int len)
2289{
2290 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2291 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
0808925e
EP
2292 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2293 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
1da177e4
LT
2294}
2295
2296static inline void take_option(char **to, char *from, int *first, int len)
2297{
2298 if (!*first) {
2299 **to = ',';
2300 *to += 1;
3528a953 2301 } else
1da177e4
LT
2302 *first = 0;
2303 memcpy(*to, from, len);
2304 *to += len;
2305}
2306
3528a953
CO
2307static inline void take_selinux_option(char **to, char *from, int *first,
2308 int len)
2309{
2310 int current_size = 0;
2311
2312 if (!*first) {
2313 **to = '|';
2314 *to += 1;
2315 }
2316 else
2317 *first = 0;
2318
2319 while (current_size < len) {
2320 if (*from != '"') {
2321 **to = *from;
2322 *to += 1;
2323 }
2324 from += 1;
2325 current_size += 1;
2326 }
2327}
2328
e0007529 2329static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT
2330{
2331 int fnosec, fsec, rc = 0;
2332 char *in_save, *in_curr, *in_end;
2333 char *sec_curr, *nosec_save, *nosec;
3528a953 2334 int open_quote = 0;
1da177e4
LT
2335
2336 in_curr = orig;
2337 sec_curr = copy;
2338
1da177e4
LT
2339 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2340 if (!nosec) {
2341 rc = -ENOMEM;
2342 goto out;
2343 }
2344
2345 nosec_save = nosec;
2346 fnosec = fsec = 1;
2347 in_save = in_end = orig;
2348
2349 do {
3528a953
CO
2350 if (*in_end == '"')
2351 open_quote = !open_quote;
2352 if ((*in_end == ',' && open_quote == 0) ||
2353 *in_end == '\0') {
1da177e4
LT
2354 int len = in_end - in_curr;
2355
2356 if (selinux_option(in_curr, len))
3528a953 2357 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT
2358 else
2359 take_option(&nosec, in_curr, &fnosec, len);
2360
2361 in_curr = in_end + 1;
2362 }
2363 } while (*in_end++);
2364
6931dfc9 2365 strcpy(in_save, nosec_save);
da3caa20 2366 free_page((unsigned long)nosec_save);
1da177e4
LT
2367out:
2368 return rc;
2369}
2370
2371static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2372{
2373 struct avc_audit_data ad;
2374 int rc;
2375
2376 rc = superblock_doinit(sb, data);
2377 if (rc)
2378 return rc;
2379
2380 AVC_AUDIT_DATA_INIT(&ad,FS);
44707fdf 2381 ad.u.fs.path.dentry = sb->s_root;
1da177e4
LT
2382 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2383}
2384
726c3342 2385static int selinux_sb_statfs(struct dentry *dentry)
1da177e4
LT
2386{
2387 struct avc_audit_data ad;
2388
2389 AVC_AUDIT_DATA_INIT(&ad,FS);
44707fdf 2390 ad.u.fs.path.dentry = dentry->d_sb->s_root;
726c3342 2391 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT
2392}
2393
2394static int selinux_mount(char * dev_name,
2395 struct nameidata *nd,
2396 char * type,
2397 unsigned long flags,
2398 void * data)
2399{
2400 int rc;
2401
2402 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2403 if (rc)
2404 return rc;
2405
2406 if (flags & MS_REMOUNT)
4ac91378 2407 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
1da177e4
LT
2408 FILESYSTEM__REMOUNT, NULL);
2409 else
4ac91378 2410 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
1da177e4
LT
2411 FILE__MOUNTON);
2412}
2413
2414static int selinux_umount(struct vfsmount *mnt, int flags)
2415{
2416 int rc;
2417
2418 rc = secondary_ops->sb_umount(mnt, flags);
2419 if (rc)
2420 return rc;
2421
2422 return superblock_has_perm(current,mnt->mnt_sb,
2423 FILESYSTEM__UNMOUNT,NULL);
2424}
2425
2426/* inode security operations */
2427
2428static int selinux_inode_alloc_security(struct inode *inode)
2429{
2430 return inode_alloc_security(inode);
2431}
2432
2433static void selinux_inode_free_security(struct inode *inode)
2434{
2435 inode_free_security(inode);
2436}
2437
5e41ff9e
SS
2438static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2439 char **name, void **value,
2440 size_t *len)
2441{
2442 struct task_security_struct *tsec;
2443 struct inode_security_struct *dsec;
2444 struct superblock_security_struct *sbsec;
570bc1c2 2445 u32 newsid, clen;
5e41ff9e 2446 int rc;
570bc1c2 2447 char *namep = NULL, *context;
5e41ff9e
SS
2448
2449 tsec = current->security;
2450 dsec = dir->i_security;
2451 sbsec = dir->i_sb->s_security;
5e41ff9e
SS
2452
2453 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2454 newsid = tsec->create_sid;
2455 } else {
2456 rc = security_transition_sid(tsec->sid, dsec->sid,
2457 inode_mode_to_security_class(inode->i_mode),
2458 &newsid);
2459 if (rc) {
2460 printk(KERN_WARNING "%s: "
2461 "security_transition_sid failed, rc=%d (dev=%s "
2462 "ino=%ld)\n",
dd6f953a 2463 __func__,
5e41ff9e
SS
2464 -rc, inode->i_sb->s_id, inode->i_ino);
2465 return rc;
2466 }
2467 }
2468
296fddf7
EP
2469 /* Possibly defer initialization to selinux_complete_init. */
2470 if (sbsec->initialized) {
2471 struct inode_security_struct *isec = inode->i_security;
2472 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2473 isec->sid = newsid;
2474 isec->initialized = 1;
2475 }
5e41ff9e 2476
8aad3875 2477 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
25a74f3b
SS
2478 return -EOPNOTSUPP;
2479
570bc1c2 2480 if (name) {
a02fe132 2481 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
570bc1c2
SS
2482 if (!namep)
2483 return -ENOMEM;
2484 *name = namep;
2485 }
5e41ff9e 2486
570bc1c2
SS
2487 if (value && len) {
2488 rc = security_sid_to_context(newsid, &context, &clen);
2489 if (rc) {
2490 kfree(namep);
2491 return rc;
2492 }
2493 *value = context;
2494 *len = clen;
5e41ff9e 2495 }
5e41ff9e 2496
5e41ff9e
SS
2497 return 0;
2498}
2499
1da177e4
LT
2500static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2501{
2502 return may_create(dir, dentry, SECCLASS_FILE);
2503}
2504
1da177e4
LT
2505static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2506{
2507 int rc;
2508
2509 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2510 if (rc)
2511 return rc;
2512 return may_link(dir, old_dentry, MAY_LINK);
2513}
2514
1da177e4
LT
2515static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2516{
2517 int rc;
2518
2519 rc = secondary_ops->inode_unlink(dir, dentry);
2520 if (rc)
2521 return rc;
2522 return may_link(dir, dentry, MAY_UNLINK);
2523}
2524
2525static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2526{
2527 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2528}
2529
1da177e4
LT
2530static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2531{
2532 return may_create(dir, dentry, SECCLASS_DIR);
2533}
2534
1da177e4
LT
2535static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2536{
2537 return may_link(dir, dentry, MAY_RMDIR);
2538}
2539
2540static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2541{
2542 int rc;
2543
2544 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2545 if (rc)
2546 return rc;
2547
2548 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2549}
2550
1da177e4
LT
2551static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2552 struct inode *new_inode, struct dentry *new_dentry)
2553{
2554 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2555}
2556
1da177e4
LT
2557static int selinux_inode_readlink(struct dentry *dentry)
2558{
2559 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2560}
2561
2562static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2563{
2564 int rc;
2565
2566 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2567 if (rc)
2568 return rc;
2569 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2570}
2571
2572static int selinux_inode_permission(struct inode *inode, int mask,
2573 struct nameidata *nd)
2574{
2575 int rc;
2576
2577 rc = secondary_ops->inode_permission(inode, mask, nd);
2578 if (rc)
2579 return rc;
2580
2581 if (!mask) {
2582 /* No permission to check. Existence test. */
2583 return 0;
2584 }
2585
2586 return inode_has_perm(current, inode,
b0c636b9 2587 open_file_mask_to_av(inode->i_mode, mask), NULL);
1da177e4
LT
2588}
2589
2590static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2591{
2592 int rc;
2593
2594 rc = secondary_ops->inode_setattr(dentry, iattr);
2595 if (rc)
2596 return rc;
2597
2598 if (iattr->ia_valid & ATTR_FORCE)
2599 return 0;
2600
2601 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2602 ATTR_ATIME_SET | ATTR_MTIME_SET))
2603 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2604
2605 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2606}
2607
2608static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2609{
2610 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2611}
2612
b5376771
SH
2613static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2614{
2615 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2616 sizeof XATTR_SECURITY_PREFIX - 1)) {
2617 if (!strcmp(name, XATTR_NAME_CAPS)) {
2618 if (!capable(CAP_SETFCAP))
2619 return -EPERM;
2620 } else if (!capable(CAP_SYS_ADMIN)) {
2621 /* A different attribute in the security namespace.
2622 Restrict to administrator. */
2623 return -EPERM;
2624 }
2625 }
2626
2627 /* Not an attribute we recognize, so just check the
2628 ordinary setattr permission. */
2629 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2630}
2631
1da177e4
LT
2632static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2633{
2634 struct task_security_struct *tsec = current->security;
2635 struct inode *inode = dentry->d_inode;
2636 struct inode_security_struct *isec = inode->i_security;
2637 struct superblock_security_struct *sbsec;
2638 struct avc_audit_data ad;
2639 u32 newsid;
2640 int rc = 0;
2641
b5376771
SH
2642 if (strcmp(name, XATTR_NAME_SELINUX))
2643 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT
2644
2645 sbsec = inode->i_sb->s_security;
2646 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2647 return -EOPNOTSUPP;
2648
3bd858ab 2649 if (!is_owner_or_cap(inode))
1da177e4
LT
2650 return -EPERM;
2651
2652 AVC_AUDIT_DATA_INIT(&ad,FS);
44707fdf 2653 ad.u.fs.path.dentry = dentry;
1da177e4
LT
2654
2655 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2656 FILE__RELABELFROM, &ad);
2657 if (rc)
2658 return rc;
2659
2660 rc = security_context_to_sid(value, size, &newsid);
2661 if (rc)
2662 return rc;
2663
2664 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2665 FILE__RELABELTO, &ad);
2666 if (rc)
2667 return rc;
2668
2669 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2670 isec->sclass);
2671 if (rc)
2672 return rc;
2673
2674 return avc_has_perm(newsid,
2675 sbsec->sid,
2676 SECCLASS_FILESYSTEM,
2677 FILESYSTEM__ASSOCIATE,
2678 &ad);
2679}
2680
2681static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2682 void *value, size_t size, int flags)
2683{
2684 struct inode *inode = dentry->d_inode;
2685 struct inode_security_struct *isec = inode->i_security;
2686 u32 newsid;
2687 int rc;
2688
2689 if (strcmp(name, XATTR_NAME_SELINUX)) {
2690 /* Not an attribute we recognize, so nothing to do. */
2691 return;
2692 }
2693
2694 rc = security_context_to_sid(value, size, &newsid);
2695 if (rc) {
2696 printk(KERN_WARNING "%s: unable to obtain SID for context "
f0115e6c 2697 "%s, rc=%d\n", __func__, (char *)value, -rc);
1da177e4
LT
2698 return;
2699 }
2700
2701 isec->sid = newsid;
2702 return;
2703}
2704
2705static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2706{
1da177e4
LT
2707 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2708}
2709
2710static int selinux_inode_listxattr (struct dentry *dentry)
2711{
2712 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2713}
2714
2715static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2716{
b5376771
SH
2717 if (strcmp(name, XATTR_NAME_SELINUX))
2718 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT
2719
2720 /* No one is allowed to remove a SELinux security label.
2721 You can change the label, but all data must be labeled. */
2722 return -EACCES;
2723}
2724
d381d8a9
JM
2725/*
2726 * Copy the in-core inode security context value to the user. If the
2727 * getxattr() prior to this succeeded, check to see if we need to
2728 * canonicalize the value to be finally returned to the user.
2729 *
2730 * Permission check is handled by selinux_inode_getxattr hook.
2731 */
42492594 2732static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 2733{
42492594
DQ
2734 u32 size;
2735 int error;
2736 char *context = NULL;
1da177e4 2737 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2738
8c8570fb
DK
2739 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2740 return -EOPNOTSUPP;
d381d8a9 2741
42492594
DQ
2742 error = security_sid_to_context(isec->sid, &context, &size);
2743 if (error)
2744 return error;
2745 error = size;
2746 if (alloc) {
2747 *buffer = context;
2748 goto out_nofree;
2749 }
2750 kfree(context);
2751out_nofree:
2752 return error;
1da177e4
LT
2753}
2754
2755static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2756 const void *value, size_t size, int flags)
2757{
2758 struct inode_security_struct *isec = inode->i_security;
2759 u32 newsid;
2760 int rc;
2761
2762 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2763 return -EOPNOTSUPP;
2764
2765 if (!value || !size)
2766 return -EACCES;
2767
2768 rc = security_context_to_sid((void*)value, size, &newsid);
2769 if (rc)
2770 return rc;
2771
2772 isec->sid = newsid;
2773 return 0;
2774}
2775
2776static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2777{
2778 const int len = sizeof(XATTR_NAME_SELINUX);
2779 if (buffer && len <= buffer_size)
2780 memcpy(buffer, XATTR_NAME_SELINUX, len);
2781 return len;
2782}
2783
b5376771
SH
2784static int selinux_inode_need_killpriv(struct dentry *dentry)
2785{
2786 return secondary_ops->inode_need_killpriv(dentry);
2787}
2788
2789static int selinux_inode_killpriv(struct dentry *dentry)
2790{
2791 return secondary_ops->inode_killpriv(dentry);
2792}
2793
1da177e4
LT
2794/* file security operations */
2795
788e7dd4 2796static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 2797{
7420ed23 2798 int rc;
3d5ff529 2799 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT
2800
2801 if (!mask) {
2802 /* No permission to check. Existence test. */
2803 return 0;
2804 }
2805
2806 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2807 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2808 mask |= MAY_APPEND;
2809
7420ed23
VY
2810 rc = file_has_perm(current, file,
2811 file_mask_to_av(inode->i_mode, mask));
2812 if (rc)
2813 return rc;
2814
2815 return selinux_netlbl_inode_permission(inode, mask);
1da177e4
LT
2816}
2817
788e7dd4
YN
2818static int selinux_file_permission(struct file *file, int mask)
2819{
2820 struct inode *inode = file->f_path.dentry->d_inode;
2821 struct task_security_struct *tsec = current->security;
2822 struct file_security_struct *fsec = file->f_security;
2823 struct inode_security_struct *isec = inode->i_security;
2824
2825 if (!mask) {
2826 /* No permission to check. Existence test. */
2827 return 0;
2828 }
2829
2830 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2831 && fsec->pseqno == avc_policy_seqno())
2832 return selinux_netlbl_inode_permission(inode, mask);
2833
2834 return selinux_revalidate_file_permission(file, mask);
2835}
2836
1da177e4
LT
2837static int selinux_file_alloc_security(struct file *file)
2838{
2839 return file_alloc_security(file);
2840}
2841
2842static void selinux_file_free_security(struct file *file)
2843{
2844 file_free_security(file);
2845}
2846
2847static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2848 unsigned long arg)
2849{
2850 int error = 0;
2851
2852 switch (cmd) {
2853 case FIONREAD:
2854 /* fall through */
2855 case FIBMAP:
2856 /* fall through */
2857 case FIGETBSZ:
2858 /* fall through */
2859 case EXT2_IOC_GETFLAGS:
2860 /* fall through */
2861 case EXT2_IOC_GETVERSION:
2862 error = file_has_perm(current, file, FILE__GETATTR);
2863 break;
2864
2865 case EXT2_IOC_SETFLAGS:
2866 /* fall through */
2867 case EXT2_IOC_SETVERSION:
2868 error = file_has_perm(current, file, FILE__SETATTR);
2869 break;
2870
2871 /* sys_ioctl() checks */
2872 case FIONBIO:
2873 /* fall through */
2874 case FIOASYNC:
2875 error = file_has_perm(current, file, 0);
2876 break;
2877
2878 case KDSKBENT:
2879 case KDSKBSENT:
2880 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2881 break;
2882
2883 /* default case assumes that the command will go
2884 * to the file's ioctl() function.
2885 */
2886 default:
2887 error = file_has_perm(current, file, FILE__IOCTL);
2888
2889 }
2890 return error;
2891}
2892
2893static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2894{
2895#ifndef CONFIG_PPC32
2896 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2897 /*
2898 * We are making executable an anonymous mapping or a
2899 * private file mapping that will also be writable.
2900 * This has an additional check.
2901 */
2902 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2903 if (rc)
2904 return rc;
2905 }
2906#endif
2907
2908 if (file) {
2909 /* read access is always possible with a mapping */
2910 u32 av = FILE__READ;
2911
2912 /* write access only matters if the mapping is shared */
2913 if (shared && (prot & PROT_WRITE))
2914 av |= FILE__WRITE;
2915
2916 if (prot & PROT_EXEC)
2917 av |= FILE__EXECUTE;
2918
2919 return file_has_perm(current, file, av);
2920 }
2921 return 0;
2922}
2923
2924static int selinux_file_mmap(struct file *file, unsigned long reqprot,
ed032189
EP
2925 unsigned long prot, unsigned long flags,
2926 unsigned long addr, unsigned long addr_only)
1da177e4 2927{
ed032189
EP
2928 int rc = 0;
2929 u32 sid = ((struct task_security_struct*)(current->security))->sid;
1da177e4 2930
ed032189
EP
2931 if (addr < mmap_min_addr)
2932 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2933 MEMPROTECT__MMAP_ZERO, NULL);
2934 if (rc || addr_only)
1da177e4
LT
2935 return rc;
2936
2937 if (selinux_checkreqprot)
2938 prot = reqprot;
2939
2940 return file_map_prot_check(file, prot,
2941 (flags & MAP_TYPE) == MAP_SHARED);
2942}
2943
2944static int selinux_file_mprotect(struct vm_area_struct *vma,
2945 unsigned long reqprot,
2946 unsigned long prot)
2947{
2948 int rc;
2949
2950 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2951 if (rc)
2952 return rc;
2953
2954 if (selinux_checkreqprot)
2955 prot = reqprot;
2956
2957#ifndef CONFIG_PPC32
db4c9641
SS
2958 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2959 rc = 0;
2960 if (vma->vm_start >= vma->vm_mm->start_brk &&
2961 vma->vm_end <= vma->vm_mm->brk) {
2962 rc = task_has_perm(current, current,
2963 PROCESS__EXECHEAP);
2964 } else if (!vma->vm_file &&
2965 vma->vm_start <= vma->vm_mm->start_stack &&
2966 vma->vm_end >= vma->vm_mm->start_stack) {
2967 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2968 } else if (vma->vm_file && vma->anon_vma) {
2969 /*
2970 * We are making executable a file mapping that has
2971 * had some COW done. Since pages might have been
2972 * written, check ability to execute the possibly
2973 * modified content. This typically should only
2974 * occur for text relocations.
2975 */
2976 rc = file_has_perm(current, vma->vm_file,
2977 FILE__EXECMOD);
2978 }