]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blame - security/selinux/hooks.c
projects / mirror_ubuntu-bionic-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
selinux: Implementation for inode_copy_up_xattr() hook
[mirror_ubuntu-bionic-kernel.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4 26#include <linux/init.h>
0b24dcb7 27#include <linux/kd.h>
1da177e4 28#include <linux/kernel.h>
0d094efe 29#include <linux/tracehook.h>
1da177e4
LT		 30#include <linux/errno.h>
31#include <linux/sched.h>
3c4ed7bd 32#include <linux/lsm_hooks.h>
1da177e4
LT		 33#include <linux/xattr.h>
34#include <linux/capability.h>
35#include <linux/unistd.h>
36#include <linux/mm.h>
37#include <linux/mman.h>
38#include <linux/slab.h>
39#include <linux/pagemap.h>
0b24dcb7 40#include <linux/proc_fs.h>
1da177e4 41#include <linux/swap.h>
1da177e4
LT		 42#include <linux/spinlock.h>
43#include <linux/syscalls.h>
2a7dba39 44#include <linux/dcache.h>
1da177e4 45#include <linux/file.h>
9f3acc31 46#include <linux/fdtable.h>
1da177e4
LT		 47#include <linux/namei.h>
48#include <linux/mount.h>
1da177e4
LT		 49#include <linux/netfilter_ipv4.h>
50#include <linux/netfilter_ipv6.h>
51#include <linux/tty.h>
52#include <net/icmp.h>
227b60f5 53#include <net/ip.h> /* for local_port_range[] */
1da177e4 54#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 55#include <net/inet_connection_sock.h>
220deb96 56#include <net/net_namespace.h>
d621d35e 57#include <net/netlabel.h>
f5269710 58#include <linux/uaccess.h>
1da177e4 59#include <asm/ioctls.h>
60063497 60#include <linux/atomic.h>
1da177e4
LT		 61#include <linux/bitops.h>
62#include <linux/interrupt.h>
63#include <linux/netdevice.h> /* for network interface checks */
77954983 64#include <net/netlink.h>
1da177e4
LT		 65#include <linux/tcp.h>
66#include <linux/udp.h>
2ee92d46 67#include <linux/dccp.h>
1da177e4
LT		 68#include <linux/quota.h>
69#include <linux/un.h> /* for Unix socket types */
70#include <net/af_unix.h> /* for Unix socket types */
71#include <linux/parser.h>
72#include <linux/nfs_mount.h>
73#include <net/ipv6.h>
74#include <linux/hugetlb.h>
75#include <linux/personality.h>
1da177e4 76#include <linux/audit.h>
6931dfc9 77#include <linux/string.h>
877ce7c1 78#include <linux/selinux.h>
23970741 79#include <linux/mutex.h>
f06febc9 80#include <linux/posix-timers.h>
00234592 81#include <linux/syslog.h>
3486740a 82#include <linux/user_namespace.h>
44fc7ea0 83#include <linux/export.h>
40401530
AV		 84#include <linux/msg.h>
85#include <linux/shm.h>
1da177e4
LT		 86
87#include "avc.h"
88#include "objsec.h"
89#include "netif.h"
224dfbd8 90#include "netnode.h"
3e112172 91#include "netport.h"
d28d1e08 92#include "xfrm.h"
c60475bf 93#include "netlabel.h"
9d57a7f9 94#include "audit.h"
7b98a585 95#include "avc_ss.h"
1da177e4 96
d621d35e 97/* SECMARK reference count */
56a4ca99 98static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 99
1da177e4 100#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 101int selinux_enforcing;
1da177e4
LT		 102
103static int __init enforcing_setup(char *str)
104{
f5269710 105 unsigned long enforcing;
29707b20 106 if (!kstrtoul(str, 0, &enforcing))
f5269710 107 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 108 return 1;
109}
110__setup("enforcing=", enforcing_setup);
111#endif
112
113#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116static int __init selinux_enabled_setup(char *str)
117{
f5269710 118 unsigned long enabled;
29707b20 119 if (!kstrtoul(str, 0, &enabled))
f5269710 120 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 121 return 1;
122}
123__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 124#else
125int selinux_enabled = 1;
1da177e4
LT		 126#endif
127
e18b890b 128static struct kmem_cache *sel_inode_cache;
63205654 129static struct kmem_cache *file_security_cache;
7cae7e26 130
d621d35e
PM		 131/**
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133 *
134 * Description:
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 138 * enabled, false (0) if SECMARK is disabled. If the always_check_network
139 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 140 *
141 */
142static int selinux_secmark_enabled(void)
143{
2be4d74f
CP		 144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145}
146
147/**
148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149 *
150 * Description:
151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
152 * (1) if any are enabled or false (0) if neither are enabled. If the
153 * always_check_network policy capability is enabled, peer labeling
154 * is always considered enabled.
155 *
156 */
157static int selinux_peerlbl_enabled(void)
158{
159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 160}
161
615e51fd
PM		 162static int selinux_netcache_avc_callback(u32 event)
163{
164 if (event == AVC_CALLBACK_RESET) {
165 sel_netif_flush();
166 sel_netnode_flush();
167 sel_netport_flush();
168 synchronize_net();
169 }
170 return 0;
171}
172
d84f4f99
DH		 173/*
174 * initialise the security for the init task
175 */
176static void cred_init_security(void)
1da177e4 177{
3b11a1de 178 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 179 struct task_security_struct *tsec;
180
89d155ef 181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 182 if (!tsec)
d84f4f99 183 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 184
d84f4f99 185 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 186 cred->security = tsec;
1da177e4
LT		 187}
188
88e67f3b
DH		 189/*
190 * get the security ID of a set of credentials
191 */
192static inline u32 cred_sid(const struct cred *cred)
193{
194 const struct task_security_struct *tsec;
195
196 tsec = cred->security;
197 return tsec->sid;
198}
199
275bb41e 200/*
3b11a1de 201 * get the objective security ID of a task
275bb41e
DH		 202 */
203static inline u32 task_sid(const struct task_struct *task)
204{
275bb41e
DH		 205 u32 sid;
206
207 rcu_read_lock();
88e67f3b 208 sid = cred_sid(__task_cred(task));
275bb41e
DH		 209 rcu_read_unlock();
210 return sid;
211}
212
213/*
3b11a1de 214 * get the subjective security ID of the current task
275bb41e
DH		 215 */
216static inline u32 current_sid(void)
217{
5fb49870 218 const struct task_security_struct *tsec = current_security();
275bb41e
DH		 219
220 return tsec->sid;
221}
222
88e67f3b
DH		 223/* Allocate and free functions for each kind of security blob. */
224
1da177e4
LT		 225static int inode_alloc_security(struct inode *inode)
226{
1da177e4 227 struct inode_security_struct *isec;
275bb41e 228 u32 sid = current_sid();
1da177e4 229
a02fe132 230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 231 if (!isec)
232 return -ENOMEM;
233
23970741 234 mutex_init(&isec->lock);
1da177e4 235 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 236 isec->inode = inode;
237 isec->sid = SECINITSID_UNLABELED;
238 isec->sclass = SECCLASS_FILE;
275bb41e 239 isec->task_sid = sid;
1da177e4
LT		 240 inode->i_security = isec;
241
242 return 0;
243}
244
5d226df4
AG		 245static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
246
247/*
248 * Try reloading inode security labels that have been marked as invalid. The
249 * @may_sleep parameter indicates when sleeping and thus reloading labels is
250 * allowed; when set to false, returns ERR_PTR(-ECHILD) when the label is
251 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
252 * when no dentry is available, set it to NULL instead.
253 */
254static int __inode_security_revalidate(struct inode *inode,
255 struct dentry *opt_dentry,
256 bool may_sleep)
257{
258 struct inode_security_struct *isec = inode->i_security;
259
260 might_sleep_if(may_sleep);
261
1ac42476 262 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 263 if (!may_sleep)
264 return -ECHILD;
265
266 /*
267 * Try reloading the inode security label. This will fail if
268 * @opt_dentry is NULL and no dentry for this inode can be
269 * found; in that case, continue using the old label.
270 */
271 inode_doinit_with_dentry(inode, opt_dentry);
272 }
273 return 0;
274}
275
5d226df4
AG		 276static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
277{
278 return inode->i_security;
279}
280
281static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
282{
283 int error;
284
285 error = __inode_security_revalidate(inode, NULL, !rcu);
286 if (error)
287 return ERR_PTR(error);
288 return inode->i_security;
289}
290
83da53c5
AG		 291/*
292 * Get the security label of an inode.
293 */
294static struct inode_security_struct *inode_security(struct inode *inode)
295{
5d226df4 296 __inode_security_revalidate(inode, NULL, true);
83da53c5
AG		 297 return inode->i_security;
298}
299
2c97165b
PM		 300static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
301{
302 struct inode *inode = d_backing_inode(dentry);
303
304 return inode->i_security;
305}
306
83da53c5
AG		 307/*
308 * Get the security label of a dentry's backing inode.
309 */
310static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
311{
312 struct inode *inode = d_backing_inode(dentry);
313
5d226df4 314 __inode_security_revalidate(inode, dentry, true);
83da53c5
AG		 315 return inode->i_security;
316}
317
3dc91d43
SR		 318static void inode_free_rcu(struct rcu_head *head)
319{
320 struct inode_security_struct *isec;
321
322 isec = container_of(head, struct inode_security_struct, rcu);
323 kmem_cache_free(sel_inode_cache, isec);
324}
325
1da177e4
LT		 326static void inode_free_security(struct inode *inode)
327{
328 struct inode_security_struct *isec = inode->i_security;
329 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
330
9629d04a
WL		 331 /*
332 * As not all inode security structures are in a list, we check for
333 * empty list outside of the lock to make sure that we won't waste
334 * time taking a lock doing nothing.
335 *
336 * The list_del_init() function can be safely called more than once.
337 * It should not be possible for this function to be called with
338 * concurrent list_add(), but for better safety against future changes
339 * in the code, we use list_empty_careful() here.
340 */
341 if (!list_empty_careful(&isec->list)) {
342 spin_lock(&sbsec->isec_lock);
1da177e4 343 list_del_init(&isec->list);
9629d04a
WL		 344 spin_unlock(&sbsec->isec_lock);
345 }
1da177e4 346
3dc91d43
SR		 347 /*
348 * The inode may still be referenced in a path walk and
349 * a call to selinux_inode_permission() can be made
350 * after inode_free_security() is called. Ideally, the VFS
351 * wouldn't do this, but fixing that is a much harder
352 * job. For now, simply free the i_security via RCU, and
353 * leave the current inode->i_security pointer intact.
354 * The inode will be freed after the RCU grace period too.
355 */
356 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 357}
358
359static int file_alloc_security(struct file *file)
360{
1da177e4 361 struct file_security_struct *fsec;
275bb41e 362 u32 sid = current_sid();
1da177e4 363
63205654 364 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
1da177e4
LT		 365 if (!fsec)
366 return -ENOMEM;
367
275bb41e
DH		 368 fsec->sid = sid;
369 fsec->fown_sid = sid;
1da177e4
LT		 370 file->f_security = fsec;
371
372 return 0;
373}
374
375static void file_free_security(struct file *file)
376{
377 struct file_security_struct *fsec = file->f_security;
1da177e4 378 file->f_security = NULL;
63205654 379 kmem_cache_free(file_security_cache, fsec);
1da177e4
LT		 380}
381
382static int superblock_alloc_security(struct super_block *sb)
383{
384 struct superblock_security_struct *sbsec;
385
89d155ef 386 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 387 if (!sbsec)
388 return -ENOMEM;
389
bc7e982b 390 mutex_init(&sbsec->lock);
1da177e4
LT		 391 INIT_LIST_HEAD(&sbsec->isec_head);
392 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 393 sbsec->sb = sb;
394 sbsec->sid = SECINITSID_UNLABELED;
395 sbsec->def_sid = SECINITSID_FILE;
c312feb2 396 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 397 sb->s_security = sbsec;
398
399 return 0;
400}
401
402static void superblock_free_security(struct super_block *sb)
403{
404 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 405 sb->s_security = NULL;
406 kfree(sbsec);
407}
408
1da177e4
LT		 409/* The file system's label must be initialized prior to use. */
410
eb9ae686 411static const char *labeling_behaviors[7] = {
1da177e4
LT		 412 "uses xattr",
413 "uses transition SIDs",
414 "uses task SIDs",
415 "uses genfs_contexts",
416 "not configured for labeling",
417 "uses mountpoint labeling",
eb9ae686 418 "uses native labeling",
1da177e4
LT		 419};
420
1da177e4
LT		 421static inline int inode_doinit(struct inode *inode)
422{
423 return inode_doinit_with_dentry(inode, NULL);
424}
425
426enum {
31e87930 427 Opt_error = -1,
1da177e4
LT		 428 Opt_context = 1,
429 Opt_fscontext = 2,
c9180a57
EP		 430 Opt_defcontext = 3,
431 Opt_rootcontext = 4,
11689d47 432 Opt_labelsupport = 5,
d355987f 433 Opt_nextmntopt = 6,
1da177e4
LT		 434};
435
d355987f
EP		 436#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
437
a447c093 438static const match_table_t tokens = {
832cbd9a
EP		 439 {Opt_context, CONTEXT_STR "%s"},
440 {Opt_fscontext, FSCONTEXT_STR "%s"},
441 {Opt_defcontext, DEFCONTEXT_STR "%s"},
442 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 443 {Opt_labelsupport, LABELSUPP_STR},
31e87930 444 {Opt_error, NULL},
1da177e4
LT		 445};
446
447#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
448
c312feb2
EP		 449static int may_context_mount_sb_relabel(u32 sid,
450 struct superblock_security_struct *sbsec,
275bb41e 451 const struct cred *cred)
c312feb2 452{
275bb41e 453 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 454 int rc;
455
456 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
457 FILESYSTEM__RELABELFROM, NULL);
458 if (rc)
459 return rc;
460
461 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
462 FILESYSTEM__RELABELTO, NULL);
463 return rc;
464}
465
0808925e
EP		 466static int may_context_mount_inode_relabel(u32 sid,
467 struct superblock_security_struct *sbsec,
275bb41e 468 const struct cred *cred)
0808925e 469{
275bb41e 470 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 471 int rc;
472 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
473 FILESYSTEM__RELABELFROM, NULL);
474 if (rc)
475 return rc;
476
477 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
478 FILESYSTEM__ASSOCIATE, NULL);
479 return rc;
480}
481
b43e725d
EP		 482static int selinux_is_sblabel_mnt(struct super_block *sb)
483{
484 struct superblock_security_struct *sbsec = sb->s_security;
485
d5f3a5f6
MS		 486 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
487 sbsec->behavior == SECURITY_FS_USE_TRANS ||
488 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 489 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 490 /* Special handling. Genfs but also in-core setxattr handler */
491 !strcmp(sb->s_type->name, "sysfs") ||
492 !strcmp(sb->s_type->name, "pstore") ||
493 !strcmp(sb->s_type->name, "debugfs") ||
494 !strcmp(sb->s_type->name, "rootfs");
b43e725d
EP		 495}
496
c9180a57 497static int sb_finish_set_opts(struct super_block *sb)
1da177e4 498{
1da177e4 499 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 500 struct dentry *root = sb->s_root;
c6f493d6 501 struct inode *root_inode = d_backing_inode(root);
c9180a57 502 int rc = 0;
1da177e4 503
c9180a57
EP		 504 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
505 /* Make sure that the xattr handler exists and that no
506 error other than -ENODATA is returned by getxattr on
507 the root directory. -ENODATA is ok, as this may be
508 the first boot of the SELinux kernel before we have
509 assigned xattr values to the filesystem. */
510 if (!root_inode->i_op->getxattr) {
29b1deb2
LT		 511 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
512 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 513 rc = -EOPNOTSUPP;
514 goto out;
515 }
ce23e640
AV		 516 rc = root_inode->i_op->getxattr(root, root_inode,
517 XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 518 if (rc < 0 && rc != -ENODATA) {
519 if (rc == -EOPNOTSUPP)
520 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 521 "%s) has no security xattr handler\n",
522 sb->s_id, sb->s_type->name);
c9180a57
EP		 523 else
524 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 525 "%s) getxattr errno %d\n", sb->s_id,
526 sb->s_type->name, -rc);
c9180a57
EP		 527 goto out;
528 }
529 }
1da177e4 530
c9180a57 531 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
29b1deb2
LT		 532 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
533 sb->s_id, sb->s_type->name);
1da177e4 534
eadcabc6 535 sbsec->flags |= SE_SBINITIALIZED;
b43e725d 536 if (selinux_is_sblabel_mnt(sb))
12f348b9 537 sbsec->flags |= SBLABEL_MNT;
ddd29ec6 538
c9180a57
EP		 539 /* Initialize the root inode. */
540 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 541
c9180a57
EP		 542 /* Initialize any other inodes associated with the superblock, e.g.
543 inodes created prior to initial policy load or inodes created
544 during get_sb by a pseudo filesystem that directly
545 populates itself. */
546 spin_lock(&sbsec->isec_lock);
547next_inode:
548 if (!list_empty(&sbsec->isec_head)) {
549 struct inode_security_struct *isec =
550 list_entry(sbsec->isec_head.next,
551 struct inode_security_struct, list);
552 struct inode *inode = isec->inode;
923190d3 553 list_del_init(&isec->list);
c9180a57
EP		 554 spin_unlock(&sbsec->isec_lock);
555 inode = igrab(inode);
556 if (inode) {
557 if (!IS_PRIVATE(inode))
558 inode_doinit(inode);
559 iput(inode);
560 }
561 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 562 goto next_inode;
563 }
564 spin_unlock(&sbsec->isec_lock);
565out:
566 return rc;
567}
1da177e4 568
c9180a57
EP		 569/*
570 * This function should allow an FS to ask what it's mount security
571 * options were so it can use those later for submounts, displaying
572 * mount options, or whatever.
573 */
574static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 575 struct security_mnt_opts *opts)
c9180a57
EP		 576{
577 int rc = 0, i;
578 struct superblock_security_struct *sbsec = sb->s_security;
579 char *context = NULL;
580 u32 len;
581 char tmp;
1da177e4 582
e0007529 583 security_init_mnt_opts(opts);
1da177e4 584
0d90a7ec 585 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 586 return -EINVAL;
1da177e4 587
c9180a57
EP		 588 if (!ss_initialized)
589 return -EINVAL;
1da177e4 590
af8e50cc
EP		 591 /* make sure we always check enough bits to cover the mask */
592 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
593
0d90a7ec 594 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 595 /* count the number of mount options for this sb */
af8e50cc 596 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 597 if (tmp & 0x01)
e0007529 598 opts->num_mnt_opts++;
c9180a57
EP		 599 tmp >>= 1;
600 }
11689d47 601 /* Check if the Label support flag is set */
0b4bdb35 602 if (sbsec->flags & SBLABEL_MNT)
11689d47 603 opts->num_mnt_opts++;
1da177e4 604
e0007529
EP		 605 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
606 if (!opts->mnt_opts) {
c9180a57
EP		 607 rc = -ENOMEM;
608 goto out_free;
609 }
1da177e4 610
e0007529
EP		 611 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
612 if (!opts->mnt_opts_flags) {
c9180a57
EP		 613 rc = -ENOMEM;
614 goto out_free;
615 }
1da177e4 616
c9180a57
EP		 617 i = 0;
618 if (sbsec->flags & FSCONTEXT_MNT) {
619 rc = security_sid_to_context(sbsec->sid, &context, &len);
620 if (rc)
621 goto out_free;
e0007529
EP		 622 opts->mnt_opts[i] = context;
623 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 624 }
625 if (sbsec->flags & CONTEXT_MNT) {
626 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
627 if (rc)
628 goto out_free;
e0007529
EP		 629 opts->mnt_opts[i] = context;
630 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 631 }
632 if (sbsec->flags & DEFCONTEXT_MNT) {
633 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
634 if (rc)
635 goto out_free;
e0007529
EP		 636 opts->mnt_opts[i] = context;
637 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 638 }
639 if (sbsec->flags & ROOTCONTEXT_MNT) {
83da53c5
AG		 640 struct dentry *root = sbsec->sb->s_root;
641 struct inode_security_struct *isec = backing_inode_security(root);
0808925e 642
c9180a57
EP		 643 rc = security_sid_to_context(isec->sid, &context, &len);
644 if (rc)
645 goto out_free;
e0007529
EP		 646 opts->mnt_opts[i] = context;
647 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 648 }
12f348b9 649 if (sbsec->flags & SBLABEL_MNT) {
11689d47 650 opts->mnt_opts[i] = NULL;
12f348b9 651 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 652 }
1da177e4 653
e0007529 654 BUG_ON(i != opts->num_mnt_opts);
1da177e4 655
c9180a57
EP		 656 return 0;
657
658out_free:
e0007529 659 security_free_mnt_opts(opts);
c9180a57
EP		 660 return rc;
661}
1da177e4 662
c9180a57
EP		 663static int bad_option(struct superblock_security_struct *sbsec, char flag,
664 u32 old_sid, u32 new_sid)
665{
0d90a7ec
DQ		 666 char mnt_flags = sbsec->flags & SE_MNTMASK;
667
c9180a57 668 /* check if the old mount command had the same options */
0d90a7ec 669 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 670 if (!(sbsec->flags & flag) ||
671 (old_sid != new_sid))
672 return 1;
673
674 /* check if we were passed the same options twice,
675 * aka someone passed context=a,context=b
676 */
0d90a7ec
DQ		 677 if (!(sbsec->flags & SE_SBINITIALIZED))
678 if (mnt_flags & flag)
c9180a57
EP		 679 return 1;
680 return 0;
681}
e0007529 682
c9180a57
EP		 683/*
684 * Allow filesystems with binary mount data to explicitly set mount point
685 * labeling information.
686 */
e0007529 687static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 688 struct security_mnt_opts *opts,
689 unsigned long kern_flags,
690 unsigned long *set_kern_flags)
c9180a57 691{
275bb41e 692 const struct cred *cred = current_cred();
c9180a57 693 int rc = 0, i;
c9180a57 694 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 695 const char *name = sb->s_type->name;
83da53c5 696 struct dentry *root = sbsec->sb->s_root;
2c97165b 697 struct inode_security_struct *root_isec;
c9180a57
EP		 698 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
699 u32 defcontext_sid = 0;
e0007529
EP		 700 char **mount_options = opts->mnt_opts;
701 int *flags = opts->mnt_opts_flags;
702 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 703
704 mutex_lock(&sbsec->lock);
705
706 if (!ss_initialized) {
707 if (!num_opts) {
708 /* Defer initialization until selinux_complete_init,
709 after the initial policy is loaded and the security
710 server is ready to handle calls. */
c9180a57
EP		 711 goto out;
712 }
713 rc = -EINVAL;
744ba35e
EP		 714 printk(KERN_WARNING "SELinux: Unable to set superblock options "
715 "before the security server is initialized\n");
1da177e4 716 goto out;
c9180a57 717 }
649f6e77
DQ		 718 if (kern_flags && !set_kern_flags) {
719 /* Specifying internal flags without providing a place to
720 * place the results is not allowed */
721 rc = -EINVAL;
722 goto out;
723 }
1da177e4 724
e0007529
EP		 725 /*
726 * Binary mount data FS will come through this function twice. Once
727 * from an explicit call and once from the generic calls from the vfs.
728 * Since the generic VFS calls will not contain any security mount data
729 * we need to skip the double mount verification.
730 *
731 * This does open a hole in which we will not notice if the first
732 * mount using this sb set explict options and a second mount using
733 * this sb does not set any security options. (The first options
734 * will be used for both mounts)
735 */
0d90a7ec 736 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 737 && (num_opts == 0))
f5269710 738 goto out;
e0007529 739
2c97165b
PM		 740 root_isec = backing_inode_security_novalidate(root);
741
c9180a57
EP		 742 /*
743 * parse the mount options, check if they are valid sids.
744 * also check if someone is trying to mount the same sb more
745 * than once with different security options.
746 */
747 for (i = 0; i < num_opts; i++) {
748 u32 sid;
11689d47 749
12f348b9 750 if (flags[i] == SBLABEL_MNT)
11689d47 751 continue;
44be2f65 752 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
1da177e4 753 if (rc) {
44be2f65 754 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 755 "(%s) failed for (dev %s, type %s) errno=%d\n",
756 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 757 goto out;
758 }
759 switch (flags[i]) {
760 case FSCONTEXT_MNT:
761 fscontext_sid = sid;
762
763 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
764 fscontext_sid))
765 goto out_double_mount;
766
767 sbsec->flags |= FSCONTEXT_MNT;
768 break;
769 case CONTEXT_MNT:
770 context_sid = sid;
771
772 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
773 context_sid))
774 goto out_double_mount;
775
776 sbsec->flags |= CONTEXT_MNT;
777 break;
778 case ROOTCONTEXT_MNT:
779 rootcontext_sid = sid;
780
781 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
782 rootcontext_sid))
783 goto out_double_mount;
784
785 sbsec->flags |= ROOTCONTEXT_MNT;
786
787 break;
788 case DEFCONTEXT_MNT:
789 defcontext_sid = sid;
790
791 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
792 defcontext_sid))
793 goto out_double_mount;
794
795 sbsec->flags |= DEFCONTEXT_MNT;
796
797 break;
798 default:
799 rc = -EINVAL;
800 goto out;
1da177e4 801 }
c9180a57
EP		 802 }
803
0d90a7ec 804 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 805 /* previously mounted with options, but not on this attempt? */
0d90a7ec 806 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 807 goto out_double_mount;
808 rc = 0;
809 goto out;
810 }
811
089be43e 812 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 813 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
814
8e014720
SS		 815 if (!strcmp(sb->s_type->name, "debugfs") ||
816 !strcmp(sb->s_type->name, "sysfs") ||
817 !strcmp(sb->s_type->name, "pstore"))
134509d5 818 sbsec->flags |= SE_SBGENFS;
c9180a57 819
eb9ae686
DQ		 820 if (!sbsec->behavior) {
821 /*
822 * Determine the labeling behavior to use for this
823 * filesystem type.
824 */
98f700f3 825 rc = security_fs_use(sb);
eb9ae686
DQ		 826 if (rc) {
827 printk(KERN_WARNING
828 "%s: security_fs_use(%s) returned %d\n",
829 __func__, sb->s_type->name, rc);
830 goto out;
831 }
c9180a57 832 }
aad82892
SF		 833
834 /*
835 * If this is a user namespace mount, no contexts are allowed
836 * on the command line and security labels must be ignored.
837 */
838 if (sb->s_user_ns != &init_user_ns) {
839 if (context_sid || fscontext_sid || rootcontext_sid ||
840 defcontext_sid) {
841 rc = -EACCES;
842 goto out;
843 }
844 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
845 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
846 rc = security_transition_sid(current_sid(), current_sid(),
847 SECCLASS_FILE, NULL,
848 &sbsec->mntpoint_sid);
849 if (rc)
850 goto out;
851 }
852 goto out_set_opts;
853 }
854
c9180a57
EP		 855 /* sets the context of the superblock for the fs being mounted. */
856 if (fscontext_sid) {
275bb41e 857 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 858 if (rc)
c9180a57 859 goto out;
1da177e4 860
c9180a57 861 sbsec->sid = fscontext_sid;
c312feb2
EP		 862 }
863
864 /*
865 * Switch to using mount point labeling behavior.
866 * sets the label used on all file below the mountpoint, and will set
867 * the superblock context if not already set.
868 */
eb9ae686
DQ		 869 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
870 sbsec->behavior = SECURITY_FS_USE_NATIVE;
871 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
872 }
873
c9180a57
EP		 874 if (context_sid) {
875 if (!fscontext_sid) {
275bb41e
DH		 876 rc = may_context_mount_sb_relabel(context_sid, sbsec,
877 cred);
b04ea3ce 878 if (rc)
c9180a57
EP		 879 goto out;
880 sbsec->sid = context_sid;
b04ea3ce 881 } else {
275bb41e
DH		 882 rc = may_context_mount_inode_relabel(context_sid, sbsec,
883 cred);
b04ea3ce 884 if (rc)
c9180a57 885 goto out;
b04ea3ce 886 }
c9180a57
EP		 887 if (!rootcontext_sid)
888 rootcontext_sid = context_sid;
1da177e4 889
c9180a57 890 sbsec->mntpoint_sid = context_sid;
c312feb2 891 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 892 }
893
c9180a57 894 if (rootcontext_sid) {
275bb41e
DH		 895 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
896 cred);
0808925e 897 if (rc)
c9180a57 898 goto out;
0808925e 899
c9180a57 900 root_isec->sid = rootcontext_sid;
6f3be9f5 901 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 902 }
903
c9180a57 904 if (defcontext_sid) {
eb9ae686
DQ		 905 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
906 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 907 rc = -EINVAL;
908 printk(KERN_WARNING "SELinux: defcontext option is "
909 "invalid for this filesystem type\n");
910 goto out;
1da177e4
LT		 911 }
912
c9180a57
EP		 913 if (defcontext_sid != sbsec->def_sid) {
914 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 915 sbsec, cred);
c9180a57
EP		 916 if (rc)
917 goto out;
918 }
1da177e4 919
c9180a57 920 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 921 }
922
aad82892 923out_set_opts:
c9180a57 924 rc = sb_finish_set_opts(sb);
1da177e4 925out:
c9180a57 926 mutex_unlock(&sbsec->lock);
1da177e4 927 return rc;
c9180a57
EP		 928out_double_mount:
929 rc = -EINVAL;
930 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 931 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 932 goto out;
1da177e4
LT		 933}
934
094f7b69
JL		 935static int selinux_cmp_sb_context(const struct super_block *oldsb,
936 const struct super_block *newsb)
937{
938 struct superblock_security_struct *old = oldsb->s_security;
939 struct superblock_security_struct *new = newsb->s_security;
940 char oldflags = old->flags & SE_MNTMASK;
941 char newflags = new->flags & SE_MNTMASK;
942
943 if (oldflags != newflags)
944 goto mismatch;
945 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
946 goto mismatch;
947 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
948 goto mismatch;
949 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
950 goto mismatch;
951 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 952 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
953 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 954 if (oldroot->sid != newroot->sid)
955 goto mismatch;
956 }
957 return 0;
958mismatch:
959 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
960 "different security settings for (dev %s, "
961 "type %s)\n", newsb->s_id, newsb->s_type->name);
962 return -EBUSY;
963}
964
965static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
c9180a57 966 struct super_block *newsb)
1da177e4 967{
c9180a57
EP		 968 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
969 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 970
c9180a57
EP		 971 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
972 int set_context = (oldsbsec->flags & CONTEXT_MNT);
973 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 974
0f5e6420
EP		 975 /*
976 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 977 * mount options. thus we can safely deal with this superblock later
0f5e6420 978 */
e8c26255 979 if (!ss_initialized)
094f7b69 980 return 0;
c9180a57 981
c9180a57 982 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 983 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 984
094f7b69 985 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 986 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 987 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 988
c9180a57
EP		 989 mutex_lock(&newsbsec->lock);
990
991 newsbsec->flags = oldsbsec->flags;
992
993 newsbsec->sid = oldsbsec->sid;
994 newsbsec->def_sid = oldsbsec->def_sid;
995 newsbsec->behavior = oldsbsec->behavior;
996
997 if (set_context) {
998 u32 sid = oldsbsec->mntpoint_sid;
999
1000 if (!set_fscontext)
1001 newsbsec->sid = sid;
1002 if (!set_rootcontext) {
83da53c5 1003 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 1004 newisec->sid = sid;
1005 }
1006 newsbsec->mntpoint_sid = sid;
1da177e4 1007 }
c9180a57 1008 if (set_rootcontext) {
83da53c5
AG		 1009 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1010 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 1011
c9180a57 1012 newisec->sid = oldisec->sid;
1da177e4
LT		 1013 }
1014
c9180a57
EP		 1015 sb_finish_set_opts(newsb);
1016 mutex_unlock(&newsbsec->lock);
094f7b69 1017 return 0;
c9180a57
EP		 1018}
1019
2e1479d9
AB		 1020static int selinux_parse_opts_str(char *options,
1021 struct security_mnt_opts *opts)
c9180a57 1022{
e0007529 1023 char *p;
c9180a57
EP		 1024 char *context = NULL, *defcontext = NULL;
1025 char *fscontext = NULL, *rootcontext = NULL;
e0007529 1026 int rc, num_mnt_opts = 0;
1da177e4 1027
e0007529 1028 opts->num_mnt_opts = 0;
1da177e4 1029
c9180a57
EP		 1030 /* Standard string-based options. */
1031 while ((p = strsep(&options, "|")) != NULL) {
1032 int token;
1033 substring_t args[MAX_OPT_ARGS];
1da177e4 1034
c9180a57
EP		 1035 if (!*p)
1036 continue;
1da177e4 1037
c9180a57 1038 token = match_token(p, tokens, args);
1da177e4 1039
c9180a57
EP		 1040 switch (token) {
1041 case Opt_context:
1042 if (context || defcontext) {
1043 rc = -EINVAL;
1044 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1045 goto out_err;
1046 }
1047 context = match_strdup(&args[0]);
1048 if (!context) {
1049 rc = -ENOMEM;
1050 goto out_err;
1051 }
1052 break;
1053
1054 case Opt_fscontext:
1055 if (fscontext) {
1056 rc = -EINVAL;
1057 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1058 goto out_err;
1059 }
1060 fscontext = match_strdup(&args[0]);
1061 if (!fscontext) {
1062 rc = -ENOMEM;
1063 goto out_err;
1064 }
1065 break;
1066
1067 case Opt_rootcontext:
1068 if (rootcontext) {
1069 rc = -EINVAL;
1070 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1071 goto out_err;
1072 }
1073 rootcontext = match_strdup(&args[0]);
1074 if (!rootcontext) {
1075 rc = -ENOMEM;
1076 goto out_err;
1077 }
1078 break;
1079
1080 case Opt_defcontext:
1081 if (context || defcontext) {
1082 rc = -EINVAL;
1083 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1084 goto out_err;
1085 }
1086 defcontext = match_strdup(&args[0]);
1087 if (!defcontext) {
1088 rc = -ENOMEM;
1089 goto out_err;
1090 }
1091 break;
11689d47
DQ		 1092 case Opt_labelsupport:
1093 break;
c9180a57
EP		 1094 default:
1095 rc = -EINVAL;
1096 printk(KERN_WARNING "SELinux: unknown mount option\n");
1097 goto out_err;
1da177e4 1098
1da177e4 1099 }
1da177e4 1100 }
c9180a57 1101
e0007529
EP		 1102 rc = -ENOMEM;
1103 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1104 if (!opts->mnt_opts)
1105 goto out_err;
1106
1107 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1108 if (!opts->mnt_opts_flags) {
1109 kfree(opts->mnt_opts);
1110 goto out_err;
1111 }
1112
c9180a57 1113 if (fscontext) {
e0007529
EP		 1114 opts->mnt_opts[num_mnt_opts] = fscontext;
1115 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1116 }
1117 if (context) {
e0007529
EP		 1118 opts->mnt_opts[num_mnt_opts] = context;
1119 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1120 }
1121 if (rootcontext) {
e0007529
EP		 1122 opts->mnt_opts[num_mnt_opts] = rootcontext;
1123 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1124 }
1125 if (defcontext) {
e0007529
EP		 1126 opts->mnt_opts[num_mnt_opts] = defcontext;
1127 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1128 }
1129
e0007529
EP		 1130 opts->num_mnt_opts = num_mnt_opts;
1131 return 0;
1132
c9180a57
EP		 1133out_err:
1134 kfree(context);
1135 kfree(defcontext);
1136 kfree(fscontext);
1137 kfree(rootcontext);
1da177e4
LT		 1138 return rc;
1139}
e0007529
EP		 1140/*
1141 * string mount options parsing and call set the sbsec
1142 */
1143static int superblock_doinit(struct super_block *sb, void *data)
1144{
1145 int rc = 0;
1146 char *options = data;
1147 struct security_mnt_opts opts;
1148
1149 security_init_mnt_opts(&opts);
1150
1151 if (!data)
1152 goto out;
1153
1154 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1155
1156 rc = selinux_parse_opts_str(options, &opts);
1157 if (rc)
1158 goto out_err;
1159
1160out:
649f6e77 1161 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1162
1163out_err:
1164 security_free_mnt_opts(&opts);
1165 return rc;
1166}
1da177e4 1167
3583a711
AB		 1168static void selinux_write_opts(struct seq_file *m,
1169 struct security_mnt_opts *opts)
2069f457
EP		 1170{
1171 int i;
1172 char *prefix;
1173
1174 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1175 char *has_comma;
1176
1177 if (opts->mnt_opts[i])
1178 has_comma = strchr(opts->mnt_opts[i], ',');
1179 else
1180 has_comma = NULL;
2069f457
EP		 1181
1182 switch (opts->mnt_opts_flags[i]) {
1183 case CONTEXT_MNT:
1184 prefix = CONTEXT_STR;
1185 break;
1186 case FSCONTEXT_MNT:
1187 prefix = FSCONTEXT_STR;
1188 break;
1189 case ROOTCONTEXT_MNT:
1190 prefix = ROOTCONTEXT_STR;
1191 break;
1192 case DEFCONTEXT_MNT:
1193 prefix = DEFCONTEXT_STR;
1194 break;
12f348b9 1195 case SBLABEL_MNT:
11689d47
DQ		 1196 seq_putc(m, ',');
1197 seq_puts(m, LABELSUPP_STR);
1198 continue;
2069f457
EP		 1199 default:
1200 BUG();
a35c6c83 1201 return;
2069f457
EP		 1202 };
1203 /* we need a comma before each option */
1204 seq_putc(m, ',');
1205 seq_puts(m, prefix);
1206 if (has_comma)
1207 seq_putc(m, '\"');
a068acf2 1208 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
2069f457
EP		 1209 if (has_comma)
1210 seq_putc(m, '\"');
1211 }
1212}
1213
1214static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1215{
1216 struct security_mnt_opts opts;
1217 int rc;
1218
1219 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1220 if (rc) {
1221 /* before policy load we may get EINVAL, don't show anything */
1222 if (rc == -EINVAL)
1223 rc = 0;
2069f457 1224 return rc;
383795c2 1225 }
2069f457
EP		 1226
1227 selinux_write_opts(m, &opts);
1228
1229 security_free_mnt_opts(&opts);
1230
1231 return rc;
1232}
1233
1da177e4
LT		 1234static inline u16 inode_mode_to_security_class(umode_t mode)
1235{
1236 switch (mode & S_IFMT) {
1237 case S_IFSOCK:
1238 return SECCLASS_SOCK_FILE;
1239 case S_IFLNK:
1240 return SECCLASS_LNK_FILE;
1241 case S_IFREG:
1242 return SECCLASS_FILE;
1243 case S_IFBLK:
1244 return SECCLASS_BLK_FILE;
1245 case S_IFDIR:
1246 return SECCLASS_DIR;
1247 case S_IFCHR:
1248 return SECCLASS_CHR_FILE;
1249 case S_IFIFO:
1250 return SECCLASS_FIFO_FILE;
1251
1252 }
1253
1254 return SECCLASS_FILE;
1255}
1256
13402580
JM		 1257static inline int default_protocol_stream(int protocol)
1258{
1259 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1260}
1261
1262static inline int default_protocol_dgram(int protocol)
1263{
1264 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1265}
1266
1da177e4
LT		 1267static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1268{
1269 switch (family) {
1270 case PF_UNIX:
1271 switch (type) {
1272 case SOCK_STREAM:
1273 case SOCK_SEQPACKET:
1274 return SECCLASS_UNIX_STREAM_SOCKET;
1275 case SOCK_DGRAM:
1276 return SECCLASS_UNIX_DGRAM_SOCKET;
1277 }
1278 break;
1279 case PF_INET:
1280 case PF_INET6:
1281 switch (type) {
1282 case SOCK_STREAM:
13402580
JM		 1283 if (default_protocol_stream(protocol))
1284 return SECCLASS_TCP_SOCKET;
1285 else
1286 return SECCLASS_RAWIP_SOCKET;
1da177e4 1287 case SOCK_DGRAM:
13402580
JM		 1288 if (default_protocol_dgram(protocol))
1289 return SECCLASS_UDP_SOCKET;
1290 else
1291 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1292 case SOCK_DCCP:
1293 return SECCLASS_DCCP_SOCKET;
13402580 1294 default:
1da177e4
LT		 1295 return SECCLASS_RAWIP_SOCKET;
1296 }
1297 break;
1298 case PF_NETLINK:
1299 switch (protocol) {
1300 case NETLINK_ROUTE:
1301 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1302 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1303 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1304 case NETLINK_NFLOG:
1305 return SECCLASS_NETLINK_NFLOG_SOCKET;
1306 case NETLINK_XFRM:
1307 return SECCLASS_NETLINK_XFRM_SOCKET;
1308 case NETLINK_SELINUX:
1309 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1310 case NETLINK_ISCSI:
1311 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1312 case NETLINK_AUDIT:
1313 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1314 case NETLINK_FIB_LOOKUP:
1315 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1316 case NETLINK_CONNECTOR:
1317 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1318 case NETLINK_NETFILTER:
1319 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1320 case NETLINK_DNRTMSG:
1321 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1322 case NETLINK_KOBJECT_UEVENT:
1323 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1324 case NETLINK_GENERIC:
1325 return SECCLASS_NETLINK_GENERIC_SOCKET;
1326 case NETLINK_SCSITRANSPORT:
1327 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1328 case NETLINK_RDMA:
1329 return SECCLASS_NETLINK_RDMA_SOCKET;
1330 case NETLINK_CRYPTO:
1331 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1332 default:
1333 return SECCLASS_NETLINK_SOCKET;
1334 }
1335 case PF_PACKET:
1336 return SECCLASS_PACKET_SOCKET;
1337 case PF_KEY:
1338 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1339 case PF_APPLETALK:
1340 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1341 }
1342
1343 return SECCLASS_SOCKET;
1344}
1345
134509d5
SS		 1346static int selinux_genfs_get_sid(struct dentry *dentry,
1347 u16 tclass,
1348 u16 flags,
1349 u32 *sid)
1da177e4 1350{
8e6c9693 1351 int rc;
fc64005c 1352 struct super_block *sb = dentry->d_sb;
8e6c9693 1353 char *buffer, *path;
1da177e4 1354
828dfe1d 1355 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1356 if (!buffer)
1357 return -ENOMEM;
1358
8e6c9693
LAG		 1359 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1360 if (IS_ERR(path))
1361 rc = PTR_ERR(path);
1362 else {
134509d5
SS		 1363 if (flags & SE_SBPROC) {
1364 /* each process gets a /proc/PID/ entry. Strip off the
1365 * PID part to get a valid selinux labeling.
1366 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1367 while (path[1] >= '0' && path[1] <= '9') {
1368 path[1] = '/';
1369 path++;
1370 }
8e6c9693 1371 }
134509d5 1372 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1da177e4 1373 }
1da177e4
LT		 1374 free_page((unsigned long)buffer);
1375 return rc;
1376}
1da177e4
LT		 1377
1378/* The inode's security attributes must be initialized before first use. */
1379static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1380{
1381 struct superblock_security_struct *sbsec = NULL;
1382 struct inode_security_struct *isec = inode->i_security;
1383 u32 sid;
1384 struct dentry *dentry;
1385#define INITCONTEXTLEN 255
1386 char *context = NULL;
1387 unsigned len = 0;
1388 int rc = 0;
1da177e4 1389
6f3be9f5 1390 if (isec->initialized == LABEL_INITIALIZED)
1da177e4
LT		 1391 goto out;
1392
23970741 1393 mutex_lock(&isec->lock);
6f3be9f5 1394 if (isec->initialized == LABEL_INITIALIZED)
23970741 1395 goto out_unlock;
1da177e4
LT		 1396
1397 sbsec = inode->i_sb->s_security;
0d90a7ec 1398 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1399 /* Defer initialization until selinux_complete_init,
1400 after the initial policy is loaded and the security
1401 server is ready to handle calls. */
1402 spin_lock(&sbsec->isec_lock);
1403 if (list_empty(&isec->list))
1404 list_add(&isec->list, &sbsec->isec_head);
1405 spin_unlock(&sbsec->isec_lock);
23970741 1406 goto out_unlock;
1da177e4
LT		 1407 }
1408
1409 switch (sbsec->behavior) {
eb9ae686
DQ		 1410 case SECURITY_FS_USE_NATIVE:
1411 break;
1da177e4
LT		 1412 case SECURITY_FS_USE_XATTR:
1413 if (!inode->i_op->getxattr) {
1414 isec->sid = sbsec->def_sid;
1415 break;
1416 }
1417
1418 /* Need a dentry, since the xattr API requires one.
1419 Life would be simpler if we could just pass the inode. */
1420 if (opt_dentry) {
1421 /* Called from d_instantiate or d_splice_alias. */
1422 dentry = dget(opt_dentry);
1423 } else {
1424 /* Called from selinux_complete_init, try to find a dentry. */
1425 dentry = d_find_alias(inode);
1426 }
1427 if (!dentry) {
df7f54c0
EP		 1428 /*
1429 * this is can be hit on boot when a file is accessed
1430 * before the policy is loaded. When we load policy we
1431 * may find inodes that have no dentry on the
1432 * sbsec->isec_head list. No reason to complain as these
1433 * will get fixed up the next time we go through
1434 * inode_doinit with a dentry, before these inodes could
1435 * be used again by userspace.
1436 */
23970741 1437 goto out_unlock;
1da177e4
LT		 1438 }
1439
1440 len = INITCONTEXTLEN;
4cb912f1 1441 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1442 if (!context) {
1443 rc = -ENOMEM;
1444 dput(dentry);
23970741 1445 goto out_unlock;
1da177e4 1446 }
4cb912f1 1447 context[len] = '\0';
ce23e640 1448 rc = inode->i_op->getxattr(dentry, inode, XATTR_NAME_SELINUX,
1da177e4
LT		 1449 context, len);
1450 if (rc == -ERANGE) {
314dabb8
JM		 1451 kfree(context);
1452
1da177e4 1453 /* Need a larger buffer. Query for the right size. */
ce23e640 1454 rc = inode->i_op->getxattr(dentry, inode, XATTR_NAME_SELINUX,
1da177e4
LT		 1455 NULL, 0);
1456 if (rc < 0) {
1457 dput(dentry);
23970741 1458 goto out_unlock;
1da177e4 1459 }
1da177e4 1460 len = rc;
4cb912f1 1461 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1462 if (!context) {
1463 rc = -ENOMEM;
1464 dput(dentry);
23970741 1465 goto out_unlock;
1da177e4 1466 }
4cb912f1 1467 context[len] = '\0';
ce23e640 1468 rc = inode->i_op->getxattr(dentry, inode,
1da177e4
LT		 1469 XATTR_NAME_SELINUX,
1470 context, len);
1471 }
1472 dput(dentry);
1473 if (rc < 0) {
1474 if (rc != -ENODATA) {
744ba35e 1475 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1476 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1477 -rc, inode->i_sb->s_id, inode->i_ino);
1478 kfree(context);
23970741 1479 goto out_unlock;
1da177e4
LT		 1480 }
1481 /* Map ENODATA to the default file SID */
1482 sid = sbsec->def_sid;
1483 rc = 0;
1484 } else {
f5c1d5b2 1485 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1486 sbsec->def_sid,
1487 GFP_NOFS);
1da177e4 1488 if (rc) {
4ba0a8ad
EP		 1489 char *dev = inode->i_sb->s_id;
1490 unsigned long ino = inode->i_ino;
1491
1492 if (rc == -EINVAL) {
1493 if (printk_ratelimit())
1494 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1495 "context=%s. This indicates you may need to relabel the inode or the "
1496 "filesystem in question.\n", ino, dev, context);
1497 } else {
1498 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1499 "returned %d for dev=%s ino=%ld\n",
1500 __func__, context, -rc, dev, ino);
1501 }
1da177e4
LT		 1502 kfree(context);
1503 /* Leave with the unlabeled SID */
1504 rc = 0;
1505 break;
1506 }
1507 }
1508 kfree(context);
1509 isec->sid = sid;
1510 break;
1511 case SECURITY_FS_USE_TASK:
1512 isec->sid = isec->task_sid;
1513 break;
1514 case SECURITY_FS_USE_TRANS:
1515 /* Default to the fs SID. */
1516 isec->sid = sbsec->sid;
1517
1518 /* Try to obtain a transition SID. */
1519 isec->sclass = inode_mode_to_security_class(inode->i_mode);
652bb9b0
EP		 1520 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1521 isec->sclass, NULL, &sid);
1da177e4 1522 if (rc)
23970741 1523 goto out_unlock;
1da177e4
LT		 1524 isec->sid = sid;
1525 break;
c312feb2
EP		 1526 case SECURITY_FS_USE_MNTPOINT:
1527 isec->sid = sbsec->mntpoint_sid;
1528 break;
1da177e4 1529 default:
c312feb2 1530 /* Default to the fs superblock SID. */
1da177e4
LT		 1531 isec->sid = sbsec->sid;
1532
134509d5 1533 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1534 /* We must have a dentry to determine the label on
1535 * procfs inodes */
1536 if (opt_dentry)
1537 /* Called from d_instantiate or
1538 * d_splice_alias. */
1539 dentry = dget(opt_dentry);
1540 else
1541 /* Called from selinux_complete_init, try to
1542 * find a dentry. */
1543 dentry = d_find_alias(inode);
1544 /*
1545 * This can be hit on boot when a file is accessed
1546 * before the policy is loaded. When we load policy we
1547 * may find inodes that have no dentry on the
1548 * sbsec->isec_head list. No reason to complain as
1549 * these will get fixed up the next time we go through
1550 * inode_doinit() with a dentry, before these inodes
1551 * could be used again by userspace.
1552 */
1553 if (!dentry)
1554 goto out_unlock;
1555 isec->sclass = inode_mode_to_security_class(inode->i_mode);
134509d5
SS		 1556 rc = selinux_genfs_get_sid(dentry, isec->sclass,
1557 sbsec->flags, &sid);
f64410ec
PM		 1558 dput(dentry);
1559 if (rc)
1560 goto out_unlock;
1561 isec->sid = sid;
1da177e4
LT		 1562 }
1563 break;
1564 }
1565
6f3be9f5 1566 isec->initialized = LABEL_INITIALIZED;
1da177e4 1567
23970741
EP		 1568out_unlock:
1569 mutex_unlock(&isec->lock);
1da177e4
LT		 1570out:
1571 if (isec->sclass == SECCLASS_FILE)
1572 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1573 return rc;
1574}
1575
1576/* Convert a Linux signal to an access vector. */
1577static inline u32 signal_to_av(int sig)
1578{
1579 u32 perm = 0;
1580
1581 switch (sig) {
1582 case SIGCHLD:
1583 /* Commonly granted from child to parent. */
1584 perm = PROCESS__SIGCHLD;
1585 break;
1586 case SIGKILL:
1587 /* Cannot be caught or ignored */
1588 perm = PROCESS__SIGKILL;
1589 break;
1590 case SIGSTOP:
1591 /* Cannot be caught or ignored */
1592 perm = PROCESS__SIGSTOP;
1593 break;
1594 default:
1595 /* All other signals. */
1596 perm = PROCESS__SIGNAL;
1597 break;
1598 }
1599
1600 return perm;
1601}
1602
d84f4f99
DH		 1603/*
1604 * Check permission between a pair of credentials
1605 * fork check, ptrace check, etc.
1606 */
1607static int cred_has_perm(const struct cred *actor,
1608 const struct cred *target,
1609 u32 perms)
1610{
1611 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1612
1613 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1614}
1615
275bb41e 1616/*
88e67f3b 1617 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1618 * fork check, ptrace check, etc.
1619 * tsk1 is the actor and tsk2 is the target
3b11a1de 1620 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1621 */
1622static int task_has_perm(const struct task_struct *tsk1,
1623 const struct task_struct *tsk2,
1da177e4
LT		 1624 u32 perms)
1625{
275bb41e
DH		 1626 const struct task_security_struct *__tsec1, *__tsec2;
1627 u32 sid1, sid2;
1da177e4 1628
275bb41e
DH		 1629 rcu_read_lock();
1630 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1631 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1632 rcu_read_unlock();
1633 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1634}
1635
3b11a1de
DH		 1636/*
1637 * Check permission between current and another task, e.g. signal checks,
1638 * fork check, ptrace check, etc.
1639 * current is the actor and tsk2 is the target
1640 * - this uses current's subjective creds
1641 */
1642static int current_has_perm(const struct task_struct *tsk,
1643 u32 perms)
1644{
1645 u32 sid, tsid;
1646
1647 sid = current_sid();
1648 tsid = task_sid(tsk);
1649 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1650}
1651
b68e418c
SS		 1652#if CAP_LAST_CAP > 63
1653#error Fix SELinux to handle capabilities > 63.
1654#endif
1655
1da177e4 1656/* Check whether a task is allowed to use a capability. */
6a9de491 1657static int cred_has_capability(const struct cred *cred,
8e4ff6f2 1658 int cap, int audit, bool initns)
1da177e4 1659{
2bf49690 1660 struct common_audit_data ad;
06112163 1661 struct av_decision avd;
b68e418c 1662 u16 sclass;
3699c53c 1663 u32 sid = cred_sid(cred);
b68e418c 1664 u32 av = CAP_TO_MASK(cap);
06112163 1665 int rc;
1da177e4 1666
50c205f5 1667 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1668 ad.u.cap = cap;
1669
b68e418c
SS		 1670 switch (CAP_TO_INDEX(cap)) {
1671 case 0:
8e4ff6f2 1672 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1673 break;
1674 case 1:
8e4ff6f2 1675 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1676 break;
1677 default:
1678 printk(KERN_ERR
1679 "SELinux: out of range capability %d\n", cap);
1680 BUG();
a35c6c83 1681 return -EINVAL;
b68e418c 1682 }
06112163 1683
275bb41e 1684 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1685 if (audit == SECURITY_CAP_AUDIT) {
7b20ea25 1686 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1687 if (rc2)
1688 return rc2;
1689 }
06112163 1690 return rc;
1da177e4
LT		 1691}
1692
1693/* Check whether a task is allowed to use a system operation. */
1694static int task_has_system(struct task_struct *tsk,
1695 u32 perms)
1696{
275bb41e 1697 u32 sid = task_sid(tsk);
1da177e4 1698
275bb41e 1699 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1700 SECCLASS_SYSTEM, perms, NULL);
1701}
1702
1703/* Check whether a task has a particular permission to an inode.
1704 The 'adp' parameter is optional and allows other audit
1705 data to be passed (e.g. the dentry). */
88e67f3b 1706static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1707 struct inode *inode,
1708 u32 perms,
19e49834 1709 struct common_audit_data *adp)
1da177e4 1710{
1da177e4 1711 struct inode_security_struct *isec;
275bb41e 1712 u32 sid;
1da177e4 1713
e0e81739
DH		 1714 validate_creds(cred);
1715
828dfe1d 1716 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1717 return 0;
1718
88e67f3b 1719 sid = cred_sid(cred);
1da177e4
LT		 1720 isec = inode->i_security;
1721
19e49834 1722 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1723}
1724
1725/* Same as inode_has_perm, but pass explicit audit data containing
1726 the dentry to help the auditing code to more easily generate the
1727 pathname if needed. */
88e67f3b 1728static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1729 struct dentry *dentry,
1730 u32 av)
1731{
c6f493d6 1732 struct inode *inode = d_backing_inode(dentry);
2bf49690 1733 struct common_audit_data ad;
88e67f3b 1734
50c205f5 1735 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1736 ad.u.dentry = dentry;
5d226df4 1737 __inode_security_revalidate(inode, dentry, true);
19e49834 1738 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1739}
1740
1741/* Same as inode_has_perm, but pass explicit audit data containing
1742 the path to help the auditing code to more easily generate the
1743 pathname if needed. */
1744static inline int path_has_perm(const struct cred *cred,
3f7036a0 1745 const struct path *path,
2875fa00
EP		 1746 u32 av)
1747{
c6f493d6 1748 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1749 struct common_audit_data ad;
1750
50c205f5 1751 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1752 ad.u.path = *path;
5d226df4 1753 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1754 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1755}
1756
13f8e981
DH		 1757/* Same as path_has_perm, but uses the inode from the file struct. */
1758static inline int file_path_has_perm(const struct cred *cred,
1759 struct file *file,
1760 u32 av)
1761{
1762 struct common_audit_data ad;
1763
1764 ad.type = LSM_AUDIT_DATA_PATH;
1765 ad.u.path = file->f_path;
19e49834 1766 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1767}
1768
1da177e4
LT		 1769/* Check whether a task can use an open file descriptor to
1770 access an inode in a given way. Check access to the
1771 descriptor itself, and then use dentry_has_perm to
1772 check a particular permission to the file.
1773 Access to the descriptor is implicitly granted if it
1774 has the same SID as the process. If av is zero, then
1775 access to the file is not checked, e.g. for cases
1776 where only the descriptor is affected like seek. */
88e67f3b
DH		 1777static int file_has_perm(const struct cred *cred,
1778 struct file *file,
1779 u32 av)
1da177e4 1780{
1da177e4 1781 struct file_security_struct *fsec = file->f_security;
496ad9aa 1782 struct inode *inode = file_inode(file);
2bf49690 1783 struct common_audit_data ad;
88e67f3b 1784 u32 sid = cred_sid(cred);
1da177e4
LT		 1785 int rc;
1786
50c205f5 1787 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 1788 ad.u.path = file->f_path;
1da177e4 1789
275bb41e
DH		 1790 if (sid != fsec->sid) {
1791 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1792 SECCLASS_FD,
1793 FD__USE,
1794 &ad);
1795 if (rc)
88e67f3b 1796 goto out;
1da177e4
LT		 1797 }
1798
1799 /* av is zero if only checking access to the descriptor. */
88e67f3b 1800 rc = 0;
1da177e4 1801 if (av)
19e49834 1802 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1803
88e67f3b
DH		 1804out:
1805 return rc;
1da177e4
LT		 1806}
1807
c3c188b2
DH		 1808/*
1809 * Determine the label for an inode that might be unioned.
1810 */
83da53c5 1811static int selinux_determine_inode_label(struct inode *dir,
c3c188b2
DH		 1812 const struct qstr *name,
1813 u16 tclass,
1814 u32 *_new_isid)
1815{
1816 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1817 const struct task_security_struct *tsec = current_security();
1818
1819 if ((sbsec->flags & SE_SBINITIALIZED) &&
1820 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1821 *_new_isid = sbsec->mntpoint_sid;
1822 } else if ((sbsec->flags & SBLABEL_MNT) &&
1823 tsec->create_sid) {
1824 *_new_isid = tsec->create_sid;
1825 } else {
20cdef8d 1826 const struct inode_security_struct *dsec = inode_security(dir);
c3c188b2
DH		 1827 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1828 name, _new_isid);
1829 }
1830
1831 return 0;
1832}
1833
1da177e4
LT		 1834/* Check whether a task can create a file. */
1835static int may_create(struct inode *dir,
1836 struct dentry *dentry,
1837 u16 tclass)
1838{
5fb49870 1839 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1840 struct inode_security_struct *dsec;
1841 struct superblock_security_struct *sbsec;
275bb41e 1842 u32 sid, newsid;
2bf49690 1843 struct common_audit_data ad;
1da177e4
LT		 1844 int rc;
1845
83da53c5 1846 dsec = inode_security(dir);
1da177e4
LT		 1847 sbsec = dir->i_sb->s_security;
1848
275bb41e 1849 sid = tsec->sid;
275bb41e 1850
50c205f5 1851 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1852 ad.u.dentry = dentry;
1da177e4 1853
275bb41e 1854 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1855 DIR__ADD_NAME | DIR__SEARCH,
1856 &ad);
1857 if (rc)
1858 return rc;
1859
c3c188b2
DH		 1860 rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass,
1861 &newsid);
1862 if (rc)
1863 return rc;
1da177e4 1864
275bb41e 1865 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1866 if (rc)
1867 return rc;
1868
1869 return avc_has_perm(newsid, sbsec->sid,
1870 SECCLASS_FILESYSTEM,
1871 FILESYSTEM__ASSOCIATE, &ad);
1872}
1873
4eb582cf
ML		 1874/* Check whether a task can create a key. */
1875static int may_create_key(u32 ksid,
1876 struct task_struct *ctx)
1877{
275bb41e 1878 u32 sid = task_sid(ctx);
4eb582cf 1879
275bb41e 1880 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1881}
1882
828dfe1d
EP		 1883#define MAY_LINK 0
1884#define MAY_UNLINK 1
1885#define MAY_RMDIR 2
1da177e4
LT		 1886
1887/* Check whether a task can link, unlink, or rmdir a file/directory. */
1888static int may_link(struct inode *dir,
1889 struct dentry *dentry,
1890 int kind)
1891
1892{
1da177e4 1893 struct inode_security_struct *dsec, *isec;
2bf49690 1894 struct common_audit_data ad;
275bb41e 1895 u32 sid = current_sid();
1da177e4
LT		 1896 u32 av;
1897 int rc;
1898
83da53c5
AG		 1899 dsec = inode_security(dir);
1900 isec = backing_inode_security(dentry);
1da177e4 1901
50c205f5 1902 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1903 ad.u.dentry = dentry;
1da177e4
LT		 1904
1905 av = DIR__SEARCH;
1906 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1907 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1908 if (rc)
1909 return rc;
1910
1911 switch (kind) {
1912 case MAY_LINK:
1913 av = FILE__LINK;
1914 break;
1915 case MAY_UNLINK:
1916 av = FILE__UNLINK;
1917 break;
1918 case MAY_RMDIR:
1919 av = DIR__RMDIR;
1920 break;
1921 default:
744ba35e
EP		 1922 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1923 __func__, kind);
1da177e4
LT		 1924 return 0;
1925 }
1926
275bb41e 1927 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1928 return rc;
1929}
1930
1931static inline int may_rename(struct inode *old_dir,
1932 struct dentry *old_dentry,
1933 struct inode *new_dir,
1934 struct dentry *new_dentry)
1935{
1da177e4 1936 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1937 struct common_audit_data ad;
275bb41e 1938 u32 sid = current_sid();
1da177e4
LT		 1939 u32 av;
1940 int old_is_dir, new_is_dir;
1941 int rc;
1942
83da53c5
AG		 1943 old_dsec = inode_security(old_dir);
1944 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1945 old_is_dir = d_is_dir(old_dentry);
83da53c5 1946 new_dsec = inode_security(new_dir);
1da177e4 1947
50c205f5 1948 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1949
a269434d 1950 ad.u.dentry = old_dentry;
275bb41e 1951 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1952 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1953 if (rc)
1954 return rc;
275bb41e 1955 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1956 old_isec->sclass, FILE__RENAME, &ad);
1957 if (rc)
1958 return rc;
1959 if (old_is_dir && new_dir != old_dir) {
275bb41e 1960 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1961 old_isec->sclass, DIR__REPARENT, &ad);
1962 if (rc)
1963 return rc;
1964 }
1965
a269434d 1966 ad.u.dentry = new_dentry;
1da177e4 1967 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1968 if (d_is_positive(new_dentry))
1da177e4 1969 av |= DIR__REMOVE_NAME;
275bb41e 1970 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1971 if (rc)
1972 return rc;
2c616d4d 1973 if (d_is_positive(new_dentry)) {
83da53c5 1974 new_isec = backing_inode_security(new_dentry);
e36cb0b8 1975 new_is_dir = d_is_dir(new_dentry);
275bb41e 1976 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1977 new_isec->sclass,
1978 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1979 if (rc)
1980 return rc;
1981 }
1982
1983 return 0;
1984}
1985
1986/* Check whether a task can perform a filesystem operation. */
88e67f3b 1987static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1988 struct super_block *sb,
1989 u32 perms,
2bf49690 1990 struct common_audit_data *ad)
1da177e4 1991{
1da177e4 1992 struct superblock_security_struct *sbsec;
88e67f3b 1993 u32 sid = cred_sid(cred);
1da177e4 1994
1da177e4 1995 sbsec = sb->s_security;
275bb41e 1996 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1997}
1998
1999/* Convert a Linux mode and permission mask to an access vector. */
2000static inline u32 file_mask_to_av(int mode, int mask)
2001{
2002 u32 av = 0;
2003
dba19c60 2004 if (!S_ISDIR(mode)) {
1da177e4
LT		 2005 if (mask & MAY_EXEC)
2006 av |= FILE__EXECUTE;
2007 if (mask & MAY_READ)
2008 av |= FILE__READ;
2009
2010 if (mask & MAY_APPEND)
2011 av |= FILE__APPEND;
2012 else if (mask & MAY_WRITE)
2013 av |= FILE__WRITE;
2014
2015 } else {
2016 if (mask & MAY_EXEC)
2017 av |= DIR__SEARCH;
2018 if (mask & MAY_WRITE)
2019 av |= DIR__WRITE;
2020 if (mask & MAY_READ)
2021 av |= DIR__READ;
2022 }
2023
2024 return av;
2025}
2026
8b6a5a37
EP		 2027/* Convert a Linux file to an access vector. */
2028static inline u32 file_to_av(struct file *file)
2029{
2030 u32 av = 0;
2031
2032 if (file->f_mode & FMODE_READ)
2033 av |= FILE__READ;
2034 if (file->f_mode & FMODE_WRITE) {
2035 if (file->f_flags & O_APPEND)
2036 av |= FILE__APPEND;
2037 else
2038 av |= FILE__WRITE;
2039 }
2040 if (!av) {
2041 /*
2042 * Special file opened with flags 3 for ioctl-only use.
2043 */
2044 av = FILE__IOCTL;
2045 }
2046
2047 return av;
2048}
2049
b0c636b9 2050/*
8b6a5a37 2051 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2052 * open permission.
2053 */
8b6a5a37 2054static inline u32 open_file_to_av(struct file *file)
b0c636b9 2055{
8b6a5a37 2056 u32 av = file_to_av(file);
b0c636b9 2057
49b7b8de
EP		 2058 if (selinux_policycap_openperm)
2059 av |= FILE__OPEN;
2060
b0c636b9
EP		 2061 return av;
2062}
2063
1da177e4
LT		 2064/* Hook functions begin here. */
2065
79af7307
SS		 2066static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2067{
2068 u32 mysid = current_sid();
2069 u32 mgrsid = task_sid(mgr);
2070
2071 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2072 BINDER__SET_CONTEXT_MGR, NULL);
2073}
2074
2075static int selinux_binder_transaction(struct task_struct *from,
2076 struct task_struct *to)
2077{
2078 u32 mysid = current_sid();
2079 u32 fromsid = task_sid(from);
2080 u32 tosid = task_sid(to);
2081 int rc;
2082
2083 if (mysid != fromsid) {
2084 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2085 BINDER__IMPERSONATE, NULL);
2086 if (rc)
2087 return rc;
2088 }
2089
2090 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2091 NULL);
2092}
2093
2094static int selinux_binder_transfer_binder(struct task_struct *from,
2095 struct task_struct *to)
2096{
2097 u32 fromsid = task_sid(from);
2098 u32 tosid = task_sid(to);
2099
2100 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2101 NULL);
2102}
2103
2104static int selinux_binder_transfer_file(struct task_struct *from,
2105 struct task_struct *to,
2106 struct file *file)
2107{
2108 u32 sid = task_sid(to);
2109 struct file_security_struct *fsec = file->f_security;
83da53c5 2110 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2111 struct inode_security_struct *isec;
79af7307
SS		 2112 struct common_audit_data ad;
2113 int rc;
2114
2115 ad.type = LSM_AUDIT_DATA_PATH;
2116 ad.u.path = file->f_path;
2117
2118 if (sid != fsec->sid) {
2119 rc = avc_has_perm(sid, fsec->sid,
2120 SECCLASS_FD,
2121 FD__USE,
2122 &ad);
2123 if (rc)
2124 return rc;
2125 }
2126
83da53c5 2127 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2128 return 0;
2129
20cdef8d 2130 isec = backing_inode_security(dentry);
79af7307
SS		 2131 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2132 &ad);
2133}
2134
9e48858f 2135static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2136 unsigned int mode)
1da177e4 2137{
69f594a3 2138 if (mode & PTRACE_MODE_READ) {
275bb41e
DH		 2139 u32 sid = current_sid();
2140 u32 csid = task_sid(child);
2141 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 2142 }
2143
3b11a1de 2144 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 2145}
2146
2147static int selinux_ptrace_traceme(struct task_struct *parent)
2148{
5cd9c58f 2149 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 2150}
2151
2152static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2153 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2154{
b1d9e6b0 2155 return current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 2156}
2157
d84f4f99
DH		 2158static int selinux_capset(struct cred *new, const struct cred *old,
2159 const kernel_cap_t *effective,
2160 const kernel_cap_t *inheritable,
2161 const kernel_cap_t *permitted)
1da177e4 2162{
d84f4f99 2163 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 2164}
2165
5626d3e8
JM		 2166/*
2167 * (This comment used to live with the selinux_task_setuid hook,
2168 * which was removed).
2169 *
2170 * Since setuid only affects the current process, and since the SELinux
2171 * controls are not based on the Linux identity attributes, SELinux does not
2172 * need to control this operation. However, SELinux does control the use of
2173 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2174 */
2175
6a9de491
EP		 2176static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2177 int cap, int audit)
1da177e4 2178{
8e4ff6f2 2179 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
1da177e4
LT		 2180}
2181
1da177e4
LT		 2182static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2183{
88e67f3b 2184 const struct cred *cred = current_cred();
1da177e4
LT		 2185 int rc = 0;
2186
2187 if (!sb)
2188 return 0;
2189
2190 switch (cmds) {
828dfe1d
EP		 2191 case Q_SYNC:
2192 case Q_QUOTAON:
2193 case Q_QUOTAOFF:
2194 case Q_SETINFO:
2195 case Q_SETQUOTA:
88e67f3b 2196 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2197 break;
2198 case Q_GETFMT:
2199 case Q_GETINFO:
2200 case Q_GETQUOTA:
88e67f3b 2201 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2202 break;
2203 default:
2204 rc = 0; /* let the kernel handle invalid cmds */
2205 break;
1da177e4
LT		 2206 }
2207 return rc;
2208}
2209
2210static int selinux_quota_on(struct dentry *dentry)
2211{
88e67f3b
DH		 2212 const struct cred *cred = current_cred();
2213
2875fa00 2214 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2215}
2216
12b3052c 2217static int selinux_syslog(int type)
1da177e4
LT		 2218{
2219 int rc;
2220
1da177e4 2221 switch (type) {
d78ca3cd
KC		 2222 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2223 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
828dfe1d
EP		 2224 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2225 break;
d78ca3cd
KC		 2226 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2227 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2228 /* Set level of messages printed to console */
2229 case SYSLOG_ACTION_CONSOLE_LEVEL:
828dfe1d
EP		 2230 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2231 break;
d78ca3cd
KC		 2232 case SYSLOG_ACTION_CLOSE: /* Close log */
2233 case SYSLOG_ACTION_OPEN: /* Open log */
2234 case SYSLOG_ACTION_READ: /* Read from log */
2235 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2236 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
828dfe1d
EP		 2237 default:
2238 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2239 break;
1da177e4
LT		 2240 }
2241 return rc;
2242}
2243
2244/*
2245 * Check that a process has enough memory to allocate a new virtual
2246 * mapping. 0 means there is enough memory for the allocation to
2247 * succeed and -ENOMEM implies there is not.
2248 *
1da177e4
LT		 2249 * Do not audit the selinux permission check, as this is applied to all
2250 * processes that allocate mappings.
2251 */
34b4e4aa 2252static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2253{
2254 int rc, cap_sys_admin = 0;
1da177e4 2255
b1d9e6b0 2256 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
8e4ff6f2 2257 SECURITY_CAP_NOAUDIT, true);
1da177e4
LT		 2258 if (rc == 0)
2259 cap_sys_admin = 1;
2260
b1d9e6b0 2261 return cap_sys_admin;
1da177e4
LT		 2262}
2263
2264/* binprm security operations */
2265
0c6181cb
PM		 2266static u32 ptrace_parent_sid(struct task_struct *task)
2267{
2268 u32 sid = 0;
2269 struct task_struct *tracer;
2270
2271 rcu_read_lock();
2272 tracer = ptrace_parent(task);
2273 if (tracer)
2274 sid = task_sid(tracer);
2275 rcu_read_unlock();
2276
2277 return sid;
2278}
2279
7b0d0b40
SS		 2280static int check_nnp_nosuid(const struct linux_binprm *bprm,
2281 const struct task_security_struct *old_tsec,
2282 const struct task_security_struct *new_tsec)
2283{
2284 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2285 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40
SS		 2286 int rc;
2287
2288 if (!nnp && !nosuid)
2289 return 0; /* neither NNP nor nosuid */
2290
2291 if (new_tsec->sid == old_tsec->sid)
2292 return 0; /* No change in credentials */
2293
2294 /*
2295 * The only transitions we permit under NNP or nosuid
2296 * are transitions to bounded SIDs, i.e. SIDs that are
2297 * guaranteed to only be allowed a subset of the permissions
2298 * of the current SID.
2299 */
2300 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2301 if (rc) {
2302 /*
2303 * On failure, preserve the errno values for NNP vs nosuid.
2304 * NNP: Operation not permitted for caller.
2305 * nosuid: Permission denied to file.
2306 */
2307 if (nnp)
2308 return -EPERM;
2309 else
2310 return -EACCES;
2311 }
2312 return 0;
2313}
2314
a6f76f23 2315static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2316{
a6f76f23
DH		 2317 const struct task_security_struct *old_tsec;
2318 struct task_security_struct *new_tsec;
1da177e4 2319 struct inode_security_struct *isec;
2bf49690 2320 struct common_audit_data ad;
496ad9aa 2321 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2322 int rc;
2323
a6f76f23
DH		 2324 /* SELinux context only depends on initial program or script and not
2325 * the script interpreter */
2326 if (bprm->cred_prepared)
1da177e4
LT		 2327 return 0;
2328
a6f76f23
DH		 2329 old_tsec = current_security();
2330 new_tsec = bprm->cred->security;
83da53c5 2331 isec = inode_security(inode);
1da177e4
LT		 2332
2333 /* Default to the current task SID. */
a6f76f23
DH		 2334 new_tsec->sid = old_tsec->sid;
2335 new_tsec->osid = old_tsec->sid;
1da177e4 2336
28eba5bf 2337 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2338 new_tsec->create_sid = 0;
2339 new_tsec->keycreate_sid = 0;
2340 new_tsec->sockcreate_sid = 0;
1da177e4 2341
a6f76f23
DH		 2342 if (old_tsec->exec_sid) {
2343 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2344 /* Reset exec SID on execve. */
a6f76f23 2345 new_tsec->exec_sid = 0;
259e5e6c 2346
7b0d0b40
SS		 2347 /* Fail on NNP or nosuid if not an allowed transition. */
2348 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2349 if (rc)
2350 return rc;
1da177e4
LT		 2351 } else {
2352 /* Check for a default transition on this program. */
a6f76f23 2353 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2354 SECCLASS_PROCESS, NULL,
2355 &new_tsec->sid);
1da177e4
LT		 2356 if (rc)
2357 return rc;
7b0d0b40
SS		 2358
2359 /*
2360 * Fallback to old SID on NNP or nosuid if not an allowed
2361 * transition.
2362 */
2363 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2364 if (rc)
2365 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2366 }
2367
50c205f5 2368 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 2369 ad.u.path = bprm->file->f_path;
1da177e4 2370
a6f76f23
DH		 2371 if (new_tsec->sid == old_tsec->sid) {
2372 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2373 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2374 if (rc)
2375 return rc;
2376 } else {
2377 /* Check permissions for the transition. */
a6f76f23 2378 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2379 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2380 if (rc)
2381 return rc;
2382
a6f76f23 2383 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2384 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2385 if (rc)
2386 return rc;
2387
a6f76f23
DH		 2388 /* Check for shared state */
2389 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2390 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2391 SECCLASS_PROCESS, PROCESS__SHARE,
2392 NULL);
2393 if (rc)
2394 return -EPERM;
2395 }
2396
2397 /* Make sure that anyone attempting to ptrace over a task that
2398 * changes its SID has the appropriate permit */
2399 if (bprm->unsafe &
2400 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
0c6181cb 2401 u32 ptsid = ptrace_parent_sid(current);
a6f76f23
DH		 2402 if (ptsid != 0) {
2403 rc = avc_has_perm(ptsid, new_tsec->sid,
2404 SECCLASS_PROCESS,
2405 PROCESS__PTRACE, NULL);
2406 if (rc)
2407 return -EPERM;
2408 }
2409 }
1da177e4 2410
a6f76f23
DH		 2411 /* Clear any possibly unsafe personality bits on exec: */
2412 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2413 }
2414
1da177e4
LT		 2415 return 0;
2416}
2417
828dfe1d 2418static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2419{
5fb49870 2420 const struct task_security_struct *tsec = current_security();
275bb41e 2421 u32 sid, osid;
1da177e4
LT		 2422 int atsecure = 0;
2423
275bb41e
DH		 2424 sid = tsec->sid;
2425 osid = tsec->osid;
2426
2427 if (osid != sid) {
1da177e4
LT		 2428 /* Enable secure mode for SIDs transitions unless
2429 the noatsecure permission is granted between
2430 the two SIDs, i.e. ahp returns 0. */
275bb41e 2431 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2432 SECCLASS_PROCESS,
2433 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2434 }
2435
b1d9e6b0 2436 return !!atsecure;
1da177e4
LT		 2437}
2438
c3c073f8
AV		 2439static int match_file(const void *p, struct file *file, unsigned fd)
2440{
2441 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2442}
2443
1da177e4 2444/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2445static inline void flush_unauthorized_files(const struct cred *cred,
2446 struct files_struct *files)
1da177e4 2447{
1da177e4 2448 struct file *file, *devnull = NULL;
b20c8122 2449 struct tty_struct *tty;
24ec839c 2450 int drop_tty = 0;
c3c073f8 2451 unsigned n;
1da177e4 2452
24ec839c 2453 tty = get_current_tty();
1da177e4 2454 if (tty) {
4a510969 2455 spin_lock(&tty->files_lock);
37dd0bd0 2456 if (!list_empty(&tty->tty_files)) {
d996b62a 2457 struct tty_file_private *file_priv;
37dd0bd0 2458
1da177e4 2459 /* Revalidate access to controlling tty.
13f8e981
DH		 2460 Use file_path_has_perm on the tty path directly
2461 rather than using file_has_perm, as this particular
2462 open file may belong to another process and we are
2463 only interested in the inode-based check here. */
d996b62a
NP		 2464 file_priv = list_first_entry(&tty->tty_files,
2465 struct tty_file_private, list);
2466 file = file_priv->file;
13f8e981 2467 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2468 drop_tty = 1;
1da177e4 2469 }
4a510969 2470 spin_unlock(&tty->files_lock);
452a00d2 2471 tty_kref_put(tty);
1da177e4 2472 }
98a27ba4
EB		 2473 /* Reset controlling tty. */
2474 if (drop_tty)
2475 no_tty();
1da177e4
LT		 2476
2477 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2478 n = iterate_fd(files, 0, match_file, cred);
2479 if (!n) /* none found? */
2480 return;
1da177e4 2481
c3c073f8 2482 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2483 if (IS_ERR(devnull))
2484 devnull = NULL;
2485 /* replace all the matching ones with this */
2486 do {
2487 replace_fd(n - 1, devnull, 0);
2488 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2489 if (devnull)
c3c073f8 2490 fput(devnull);
1da177e4
LT		 2491}
2492
a6f76f23
DH		 2493/*
2494 * Prepare a process for imminent new credential changes due to exec
2495 */
2496static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2497{
a6f76f23
DH		 2498 struct task_security_struct *new_tsec;
2499 struct rlimit *rlim, *initrlim;
2500 int rc, i;
d84f4f99 2501
a6f76f23
DH		 2502 new_tsec = bprm->cred->security;
2503 if (new_tsec->sid == new_tsec->osid)
2504 return;
1da177e4 2505
a6f76f23
DH		 2506 /* Close files for which the new task SID is not authorized. */
2507 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2508
a6f76f23
DH		 2509 /* Always clear parent death signal on SID transitions. */
2510 current->pdeath_signal = 0;
0356357c 2511
a6f76f23
DH		 2512 /* Check whether the new SID can inherit resource limits from the old
2513 * SID. If not, reset all soft limits to the lower of the current
2514 * task's hard limit and the init task's soft limit.
2515 *
2516 * Note that the setting of hard limits (even to lower them) can be
2517 * controlled by the setrlimit check. The inclusion of the init task's
2518 * soft limit into the computation is to avoid resetting soft limits
2519 * higher than the default soft limit for cases where the default is
2520 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2521 */
2522 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2523 PROCESS__RLIMITINH, NULL);
2524 if (rc) {
eb2d55a3
ON		 2525 /* protect against do_prlimit() */
2526 task_lock(current);
a6f76f23
DH		 2527 for (i = 0; i < RLIM_NLIMITS; i++) {
2528 rlim = current->signal->rlim + i;
2529 initrlim = init_task.signal->rlim + i;
2530 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2531 }
eb2d55a3
ON		 2532 task_unlock(current);
2533 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2534 }
2535}
2536
2537/*
a6f76f23
DH		 2538 * Clean up the process immediately after the installation of new credentials
2539 * due to exec
1da177e4 2540 */
a6f76f23 2541static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2542{
a6f76f23 2543 const struct task_security_struct *tsec = current_security();
1da177e4 2544 struct itimerval itimer;
a6f76f23 2545 u32 osid, sid;
1da177e4
LT		 2546 int rc, i;
2547
a6f76f23
DH		 2548 osid = tsec->osid;
2549 sid = tsec->sid;
2550
2551 if (sid == osid)
1da177e4
LT		 2552 return;
2553
a6f76f23
DH		 2554 /* Check whether the new SID can inherit signal state from the old SID.
2555 * If not, clear itimers to avoid subsequent signal generation and
2556 * flush and unblock signals.
2557 *
2558 * This must occur _after_ the task SID has been updated so that any
2559 * kill done after the flush will be checked against the new SID.
2560 */
2561 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4
LT		 2562 if (rc) {
2563 memset(&itimer, 0, sizeof itimer);
2564 for (i = 0; i < 3; i++)
2565 do_setitimer(i, &itimer, NULL);
1da177e4 2566 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2567 if (!fatal_signal_pending(current)) {
2568 flush_sigqueue(&current->pending);
2569 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2570 flush_signal_handlers(current, 1);
2571 sigemptyset(&current->blocked);
9e7c8f8c 2572 recalc_sigpending();
3bcac026 2573 }
1da177e4
LT		 2574 spin_unlock_irq(&current->sighand->siglock);
2575 }
2576
a6f76f23
DH		 2577 /* Wake up the parent if it is waiting so that it can recheck
2578 * wait permission to the new task SID. */
ecd6de3c 2579 read_lock(&tasklist_lock);
0b7570e7 2580 __wake_up_parent(current, current->real_parent);
ecd6de3c 2581 read_unlock(&tasklist_lock);
1da177e4
LT		 2582}
2583
2584/* superblock security operations */
2585
2586static int selinux_sb_alloc_security(struct super_block *sb)
2587{
2588 return superblock_alloc_security(sb);
2589}
2590
2591static void selinux_sb_free_security(struct super_block *sb)
2592{
2593 superblock_free_security(sb);
2594}
2595
2596static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2597{
2598 if (plen > olen)
2599 return 0;
2600
2601 return !memcmp(prefix, option, plen);
2602}
2603
2604static inline int selinux_option(char *option, int len)
2605{
832cbd9a
EP		 2606 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2607 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2608 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2609 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2610 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2611}
2612
2613static inline void take_option(char **to, char *from, int *first, int len)
2614{
2615 if (!*first) {
2616 **to = ',';
2617 *to += 1;
3528a953 2618 } else
1da177e4
LT		 2619 *first = 0;
2620 memcpy(*to, from, len);
2621 *to += len;
2622}
2623
828dfe1d
EP		 2624static inline void take_selinux_option(char **to, char *from, int *first,
2625 int len)
3528a953
CO		 2626{
2627 int current_size = 0;
2628
2629 if (!*first) {
2630 **to = '|';
2631 *to += 1;
828dfe1d 2632 } else
3528a953
CO		 2633 *first = 0;
2634
2635 while (current_size < len) {
2636 if (*from != '"') {
2637 **to = *from;
2638 *to += 1;
2639 }
2640 from += 1;
2641 current_size += 1;
2642 }
2643}
2644
e0007529 2645static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2646{
2647 int fnosec, fsec, rc = 0;
2648 char *in_save, *in_curr, *in_end;
2649 char *sec_curr, *nosec_save, *nosec;
3528a953 2650 int open_quote = 0;
1da177e4
LT		 2651
2652 in_curr = orig;
2653 sec_curr = copy;
2654
1da177e4
LT		 2655 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2656 if (!nosec) {
2657 rc = -ENOMEM;
2658 goto out;
2659 }
2660
2661 nosec_save = nosec;
2662 fnosec = fsec = 1;
2663 in_save = in_end = orig;
2664
2665 do {
3528a953
CO		 2666 if (*in_end == '"')
2667 open_quote = !open_quote;
2668 if ((*in_end == ',' && open_quote == 0) ||
2669 *in_end == '\0') {
1da177e4
LT		 2670 int len = in_end - in_curr;
2671
2672 if (selinux_option(in_curr, len))
3528a953 2673 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2674 else
2675 take_option(&nosec, in_curr, &fnosec, len);
2676
2677 in_curr = in_end + 1;
2678 }
2679 } while (*in_end++);
2680
6931dfc9 2681 strcpy(in_save, nosec_save);
da3caa20 2682 free_page((unsigned long)nosec_save);
1da177e4
LT		 2683out:
2684 return rc;
2685}
2686
026eb167
EP		 2687static int selinux_sb_remount(struct super_block *sb, void *data)
2688{
2689 int rc, i, *flags;
2690 struct security_mnt_opts opts;
2691 char *secdata, **mount_options;
2692 struct superblock_security_struct *sbsec = sb->s_security;
2693
2694 if (!(sbsec->flags & SE_SBINITIALIZED))
2695 return 0;
2696
2697 if (!data)
2698 return 0;
2699
2700 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2701 return 0;
2702
2703 security_init_mnt_opts(&opts);
2704 secdata = alloc_secdata();
2705 if (!secdata)
2706 return -ENOMEM;
2707 rc = selinux_sb_copy_data(data, secdata);
2708 if (rc)
2709 goto out_free_secdata;
2710
2711 rc = selinux_parse_opts_str(secdata, &opts);
2712 if (rc)
2713 goto out_free_secdata;
2714
2715 mount_options = opts.mnt_opts;
2716 flags = opts.mnt_opts_flags;
2717
2718 for (i = 0; i < opts.num_mnt_opts; i++) {
2719 u32 sid;
026eb167 2720
12f348b9 2721 if (flags[i] == SBLABEL_MNT)
026eb167 2722 continue;
44be2f65 2723 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
026eb167 2724 if (rc) {
44be2f65 2725 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 2726 "(%s) failed for (dev %s, type %s) errno=%d\n",
2727 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2728 goto out_free_opts;
2729 }
2730 rc = -EINVAL;
2731 switch (flags[i]) {
2732 case FSCONTEXT_MNT:
2733 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2734 goto out_bad_option;
2735 break;
2736 case CONTEXT_MNT:
2737 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2738 goto out_bad_option;
2739 break;
2740 case ROOTCONTEXT_MNT: {
2741 struct inode_security_struct *root_isec;
83da53c5 2742 root_isec = backing_inode_security(sb->s_root);
026eb167
EP		 2743
2744 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2745 goto out_bad_option;
2746 break;
2747 }
2748 case DEFCONTEXT_MNT:
2749 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2750 goto out_bad_option;
2751 break;
2752 default:
2753 goto out_free_opts;
2754 }
2755 }
2756
2757 rc = 0;
2758out_free_opts:
2759 security_free_mnt_opts(&opts);
2760out_free_secdata:
2761 free_secdata(secdata);
2762 return rc;
2763out_bad_option:
2764 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2765 "during remount (dev %s, type=%s)\n", sb->s_id,
2766 sb->s_type->name);
026eb167
EP		 2767 goto out_free_opts;
2768}
2769
12204e24 2770static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2771{
88e67f3b 2772 const struct cred *cred = current_cred();
2bf49690 2773 struct common_audit_data ad;
1da177e4
LT		 2774 int rc;
2775
2776 rc = superblock_doinit(sb, data);
2777 if (rc)
2778 return rc;
2779
74192246
JM		 2780 /* Allow all mounts performed by the kernel */
2781 if (flags & MS_KERNMOUNT)
2782 return 0;
2783
50c205f5 2784 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2785 ad.u.dentry = sb->s_root;
88e67f3b 2786 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2787}
2788
726c3342 2789static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2790{
88e67f3b 2791 const struct cred *cred = current_cred();
2bf49690 2792 struct common_audit_data ad;
1da177e4 2793
50c205f5 2794 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2795 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2796 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2797}
2798
808d4e3c 2799static int selinux_mount(const char *dev_name,
8a04c43b 2800 const struct path *path,
808d4e3c 2801 const char *type,
828dfe1d
EP		 2802 unsigned long flags,
2803 void *data)
1da177e4 2804{
88e67f3b 2805 const struct cred *cred = current_cred();
1da177e4
LT		 2806
2807 if (flags & MS_REMOUNT)
d8c9584e 2808 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2809 FILESYSTEM__REMOUNT, NULL);
1da177e4 2810 else
2875fa00 2811 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2812}
2813
2814static int selinux_umount(struct vfsmount *mnt, int flags)
2815{
88e67f3b 2816 const struct cred *cred = current_cred();
1da177e4 2817
88e67f3b 2818 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2819 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2820}
2821
2822/* inode security operations */
2823
2824static int selinux_inode_alloc_security(struct inode *inode)
2825{
2826 return inode_alloc_security(inode);
2827}
2828
2829static void selinux_inode_free_security(struct inode *inode)
2830{
2831 inode_free_security(inode);
2832}
2833
d47be3df 2834static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2835 const struct qstr *name, void **ctx,
d47be3df
DQ		 2836 u32 *ctxlen)
2837{
d47be3df
DQ		 2838 u32 newsid;
2839 int rc;
2840
c3c188b2
DH		 2841 rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name,
2842 inode_mode_to_security_class(mode),
2843 &newsid);
2844 if (rc)
2845 return rc;
d47be3df
DQ		 2846
2847 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2848}
2849
5e41ff9e 2850static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2851 const struct qstr *qstr,
2852 const char **name,
2a7dba39 2853 void **value, size_t *len)
5e41ff9e 2854{
5fb49870 2855 const struct task_security_struct *tsec = current_security();
5e41ff9e 2856 struct superblock_security_struct *sbsec;
275bb41e 2857 u32 sid, newsid, clen;
5e41ff9e 2858 int rc;
9548906b 2859 char *context;
5e41ff9e 2860
5e41ff9e 2861 sbsec = dir->i_sb->s_security;
5e41ff9e 2862
275bb41e
DH		 2863 sid = tsec->sid;
2864 newsid = tsec->create_sid;
2865
c3c188b2
DH		 2866 rc = selinux_determine_inode_label(
2867 dir, qstr,
2868 inode_mode_to_security_class(inode->i_mode),
2869 &newsid);
2870 if (rc)
2871 return rc;
5e41ff9e 2872
296fddf7 2873 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2874 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2875 struct inode_security_struct *isec = inode->i_security;
2876 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2877 isec->sid = newsid;
6f3be9f5 2878 isec->initialized = LABEL_INITIALIZED;
296fddf7 2879 }
5e41ff9e 2880
12f348b9 2881 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2882 return -EOPNOTSUPP;
2883
9548906b
TH		 2884 if (name)
2885 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2886
570bc1c2 2887 if (value && len) {
12b29f34 2888 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 2889 if (rc)
570bc1c2 2890 return rc;
570bc1c2
SS		 2891 *value = context;
2892 *len = clen;
5e41ff9e 2893 }
5e41ff9e 2894
5e41ff9e
SS		 2895 return 0;
2896}
2897
4acdaf27 2898static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2899{
2900 return may_create(dir, dentry, SECCLASS_FILE);
2901}
2902
1da177e4
LT		 2903static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2904{
1da177e4
LT		 2905 return may_link(dir, old_dentry, MAY_LINK);
2906}
2907
1da177e4
LT		 2908static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2909{
1da177e4
LT		 2910 return may_link(dir, dentry, MAY_UNLINK);
2911}
2912
2913static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2914{
2915 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2916}
2917
18bb1db3 2918static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2919{
2920 return may_create(dir, dentry, SECCLASS_DIR);
2921}
2922
1da177e4
LT		 2923static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2924{
2925 return may_link(dir, dentry, MAY_RMDIR);
2926}
2927
1a67aafb 2928static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2929{
1da177e4
LT		 2930 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2931}
2932
1da177e4 2933static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2934 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2935{
2936 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2937}
2938
1da177e4
LT		 2939static int selinux_inode_readlink(struct dentry *dentry)
2940{
88e67f3b
DH		 2941 const struct cred *cred = current_cred();
2942
2875fa00 2943 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2944}
2945
bda0be7a
N		 2946static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2947 bool rcu)
1da177e4 2948{
88e67f3b 2949 const struct cred *cred = current_cred();
bda0be7a
N		 2950 struct common_audit_data ad;
2951 struct inode_security_struct *isec;
2952 u32 sid;
1da177e4 2953
bda0be7a
N		 2954 validate_creds(cred);
2955
2956 ad.type = LSM_AUDIT_DATA_DENTRY;
2957 ad.u.dentry = dentry;
2958 sid = cred_sid(cred);
5d226df4
AG		 2959 isec = inode_security_rcu(inode, rcu);
2960 if (IS_ERR(isec))
2961 return PTR_ERR(isec);
bda0be7a
N		 2962
2963 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2964 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 2965}
2966
d4cf970d
EP		 2967static noinline int audit_inode_permission(struct inode *inode,
2968 u32 perms, u32 audited, u32 denied,
626b9740 2969 int result,
d4cf970d 2970 unsigned flags)
1da177e4 2971{
b782e0a6 2972 struct common_audit_data ad;
d4cf970d
EP		 2973 struct inode_security_struct *isec = inode->i_security;
2974 int rc;
2975
50c205f5 2976 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 2977 ad.u.inode = inode;
2978
2979 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
626b9740 2980 audited, denied, result, &ad, flags);
d4cf970d
EP		 2981 if (rc)
2982 return rc;
2983 return 0;
2984}
2985
e74f71eb 2986static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2987{
88e67f3b 2988 const struct cred *cred = current_cred();
b782e0a6
EP		 2989 u32 perms;
2990 bool from_access;
cf1dd1da 2991 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 2992 struct inode_security_struct *isec;
2993 u32 sid;
2994 struct av_decision avd;
2995 int rc, rc2;
2996 u32 audited, denied;
1da177e4 2997
b782e0a6 2998 from_access = mask & MAY_ACCESS;
d09ca739
EP		 2999 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3000
b782e0a6
EP		 3001 /* No permission to check. Existence test. */
3002 if (!mask)
1da177e4 3003 return 0;
1da177e4 3004
2e334057 3005 validate_creds(cred);
b782e0a6 3006
2e334057
EP		 3007 if (unlikely(IS_PRIVATE(inode)))
3008 return 0;
b782e0a6
EP		 3009
3010 perms = file_mask_to_av(inode->i_mode, mask);
3011
2e334057 3012 sid = cred_sid(cred);
5d226df4
AG		 3013 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3014 if (IS_ERR(isec))
3015 return PTR_ERR(isec);
2e334057
EP		 3016
3017 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3018 audited = avc_audit_required(perms, &avd, rc,
3019 from_access ? FILE__AUDIT_ACCESS : 0,
3020 &denied);
3021 if (likely(!audited))
3022 return rc;
3023
626b9740 3024 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 3025 if (rc2)
3026 return rc2;
3027 return rc;
1da177e4
LT		 3028}
3029
3030static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3031{
88e67f3b 3032 const struct cred *cred = current_cred();
bc6a6008 3033 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3034 __u32 av = FILE__WRITE;
1da177e4 3035
bc6a6008
AW		 3036 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3037 if (ia_valid & ATTR_FORCE) {
3038 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3039 ATTR_FORCE);
3040 if (!ia_valid)
3041 return 0;
3042 }
1da177e4 3043
bc6a6008
AW		 3044 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3045 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3046 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3047
44d37ad3
JVS		 3048 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
3049 && !(ia_valid & ATTR_FILE))
95dbf739
EP		 3050 av |= FILE__OPEN;
3051
3052 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3053}
3054
3f7036a0 3055static int selinux_inode_getattr(const struct path *path)
1da177e4 3056{
3f7036a0 3057 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3058}
3059
8f0cfa52 3060static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 3061{
88e67f3b
DH		 3062 const struct cred *cred = current_cred();
3063
b5376771
SH		 3064 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3065 sizeof XATTR_SECURITY_PREFIX - 1)) {
3066 if (!strcmp(name, XATTR_NAME_CAPS)) {
3067 if (!capable(CAP_SETFCAP))
3068 return -EPERM;
3069 } else if (!capable(CAP_SYS_ADMIN)) {
3070 /* A different attribute in the security namespace.
3071 Restrict to administrator. */
3072 return -EPERM;
3073 }
3074 }
3075
3076 /* Not an attribute we recognize, so just check the
3077 ordinary setattr permission. */
2875fa00 3078 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 3079}
3080
8f0cfa52
DH		 3081static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3082 const void *value, size_t size, int flags)
1da177e4 3083{
c6f493d6 3084 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3085 struct inode_security_struct *isec;
1da177e4 3086 struct superblock_security_struct *sbsec;
2bf49690 3087 struct common_audit_data ad;
275bb41e 3088 u32 newsid, sid = current_sid();
1da177e4
LT		 3089 int rc = 0;
3090
b5376771
SH		 3091 if (strcmp(name, XATTR_NAME_SELINUX))
3092 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3093
3094 sbsec = inode->i_sb->s_security;
12f348b9 3095 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3096 return -EOPNOTSUPP;
3097
2e149670 3098 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3099 return -EPERM;
3100
50c205f5 3101 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3102 ad.u.dentry = dentry;
1da177e4 3103
20cdef8d 3104 isec = backing_inode_security(dentry);
275bb41e 3105 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 3106 FILE__RELABELFROM, &ad);
3107 if (rc)
3108 return rc;
3109
52a4c640 3110 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
12b29f34 3111 if (rc == -EINVAL) {
d6ea83ec
EP		 3112 if (!capable(CAP_MAC_ADMIN)) {
3113 struct audit_buffer *ab;
3114 size_t audit_size;
3115 const char *str;
3116
3117 /* We strip a nul only if it is at the end, otherwise the
3118 * context contains a nul and we should audit that */
e3fea3f7
AV		 3119 if (value) {
3120 str = value;
3121 if (str[size - 1] == '\0')
3122 audit_size = size - 1;
3123 else
3124 audit_size = size;
3125 } else {
3126 str = "";
3127 audit_size = 0;
3128 }
d6ea83ec
EP		 3129 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3130 audit_log_format(ab, "op=setxattr invalid_context=");
3131 audit_log_n_untrustedstring(ab, value, audit_size);
3132 audit_log_end(ab);
3133
12b29f34 3134 return rc;
d6ea83ec 3135 }
12b29f34
SS		 3136 rc = security_context_to_sid_force(value, size, &newsid);
3137 }
1da177e4
LT		 3138 if (rc)
3139 return rc;
3140
275bb41e 3141 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3142 FILE__RELABELTO, &ad);
3143 if (rc)
3144 return rc;
3145
275bb41e 3146 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 3147 isec->sclass);
1da177e4
LT		 3148 if (rc)
3149 return rc;
3150
3151 return avc_has_perm(newsid,
3152 sbsec->sid,
3153 SECCLASS_FILESYSTEM,
3154 FILESYSTEM__ASSOCIATE,
3155 &ad);
3156}
3157
8f0cfa52 3158static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3159 const void *value, size_t size,
8f0cfa52 3160 int flags)
1da177e4 3161{
c6f493d6 3162 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3163 struct inode_security_struct *isec;
1da177e4
LT		 3164 u32 newsid;
3165 int rc;
3166
3167 if (strcmp(name, XATTR_NAME_SELINUX)) {
3168 /* Not an attribute we recognize, so nothing to do. */
3169 return;
3170 }
3171
12b29f34 3172 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 3173 if (rc) {
12b29f34
SS		 3174 printk(KERN_ERR "SELinux: unable to map context to SID"
3175 "for (%s, %lu), rc=%d\n",
3176 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3177 return;
3178 }
3179
20cdef8d 3180 isec = backing_inode_security(dentry);
aa9c2669 3181 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3182 isec->sid = newsid;
6f3be9f5 3183 isec->initialized = LABEL_INITIALIZED;
aa9c2669 3184
1da177e4
LT		 3185 return;
3186}
3187
8f0cfa52 3188static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3189{
88e67f3b
DH		 3190 const struct cred *cred = current_cred();
3191
2875fa00 3192 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3193}
3194
828dfe1d 3195static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3196{
88e67f3b
DH		 3197 const struct cred *cred = current_cred();
3198
2875fa00 3199 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3200}
3201
8f0cfa52 3202static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3203{
b5376771
SH		 3204 if (strcmp(name, XATTR_NAME_SELINUX))
3205 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3206
3207 /* No one is allowed to remove a SELinux security label.
3208 You can change the label, but all data must be labeled. */
3209 return -EACCES;
3210}
3211
d381d8a9 3212/*
abc69bb6 3213 * Copy the inode security context value to the user.
d381d8a9
JM		 3214 *
3215 * Permission check is handled by selinux_inode_getxattr hook.
3216 */
ea861dfd 3217static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3218{
42492594
DQ		 3219 u32 size;
3220 int error;
3221 char *context = NULL;
20cdef8d 3222 struct inode_security_struct *isec;
d381d8a9 3223
8c8570fb
DK		 3224 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3225 return -EOPNOTSUPP;
d381d8a9 3226
abc69bb6
SS		 3227 /*
3228 * If the caller has CAP_MAC_ADMIN, then get the raw context
3229 * value even if it is not defined by current policy; otherwise,
3230 * use the in-core value under current policy.
3231 * Use the non-auditing forms of the permission checks since
3232 * getxattr may be called by unprivileged processes commonly
3233 * and lack of permission just means that we fall back to the
3234 * in-core context value, not a denial.
3235 */
b1d9e6b0
CS		 3236 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3237 SECURITY_CAP_NOAUDIT);
3238 if (!error)
3239 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
8e4ff6f2 3240 SECURITY_CAP_NOAUDIT, true);
20cdef8d 3241 isec = inode_security(inode);
abc69bb6
SS		 3242 if (!error)
3243 error = security_sid_to_context_force(isec->sid, &context,
3244 &size);
3245 else
3246 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3247 if (error)
3248 return error;
3249 error = size;
3250 if (alloc) {
3251 *buffer = context;
3252 goto out_nofree;
3253 }
3254 kfree(context);
3255out_nofree:
3256 return error;
1da177e4
LT		 3257}
3258
3259static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3260 const void *value, size_t size, int flags)
1da177e4 3261{
2c97165b 3262 struct inode_security_struct *isec = inode_security_novalidate(inode);
1da177e4
LT		 3263 u32 newsid;
3264 int rc;
3265
3266 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3267 return -EOPNOTSUPP;
3268
3269 if (!value || !size)
3270 return -EACCES;
3271
20ba96ae 3272 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
1da177e4
LT		 3273 if (rc)
3274 return rc;
3275
aa9c2669 3276 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3277 isec->sid = newsid;
6f3be9f5 3278 isec->initialized = LABEL_INITIALIZED;
1da177e4
LT		 3279 return 0;
3280}
3281
3282static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3283{
3284 const int len = sizeof(XATTR_NAME_SELINUX);
3285 if (buffer && len <= buffer_size)
3286 memcpy(buffer, XATTR_NAME_SELINUX, len);
3287 return len;
3288}
3289
d6335d77 3290static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3291{
e817c2f3 3292 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3293 *secid = isec->sid;
3294}
3295
56909eb3
VG		 3296static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3297{
3298 u32 sid;
3299 struct task_security_struct *tsec;
3300 struct cred *new_creds = *new;
3301
3302 if (new_creds == NULL) {
3303 new_creds = prepare_creds();
3304 if (!new_creds)
3305 return -ENOMEM;
3306 }
3307
3308 tsec = new_creds->security;
3309 /* Get label from overlay inode and set it in create_sid */
3310 selinux_inode_getsecid(d_inode(src), &sid);
3311 tsec->create_sid = sid;
3312 *new = new_creds;
3313 return 0;
3314}
3315
19472b69
VG		 3316static int selinux_inode_copy_up_xattr(const char *name)
3317{
3318 /* The copy_up hook above sets the initial context on an inode, but we
3319 * don't then want to overwrite it by blindly copying all the lower
3320 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3321 */
3322 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3323 return 1; /* Discard */
3324 /*
3325 * Any other attribute apart from SELINUX is not claimed, supported
3326 * by selinux.
3327 */
3328 return -EOPNOTSUPP;
3329}
3330
1da177e4
LT		 3331/* file security operations */
3332
788e7dd4 3333static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3334{
88e67f3b 3335 const struct cred *cred = current_cred();
496ad9aa 3336 struct inode *inode = file_inode(file);
1da177e4 3337
1da177e4
LT		 3338 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3339 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3340 mask |= MAY_APPEND;
3341
389fb800
PM		 3342 return file_has_perm(cred, file,
3343 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3344}
3345
788e7dd4
YN		 3346static int selinux_file_permission(struct file *file, int mask)
3347{
496ad9aa 3348 struct inode *inode = file_inode(file);
20dda18b 3349 struct file_security_struct *fsec = file->f_security;
b197367e 3350 struct inode_security_struct *isec;
20dda18b
SS		 3351 u32 sid = current_sid();
3352
389fb800 3353 if (!mask)
788e7dd4
YN		 3354 /* No permission to check. Existence test. */
3355 return 0;
788e7dd4 3356
b197367e 3357 isec = inode_security(inode);
20dda18b
SS		 3358 if (sid == fsec->sid && fsec->isid == isec->sid &&
3359 fsec->pseqno == avc_policy_seqno())
83d49856 3360 /* No change since file_open check. */
20dda18b
SS		 3361 return 0;
3362
788e7dd4
YN		 3363 return selinux_revalidate_file_permission(file, mask);
3364}
3365
1da177e4
LT		 3366static int selinux_file_alloc_security(struct file *file)
3367{
3368 return file_alloc_security(file);
3369}
3370
3371static void selinux_file_free_security(struct file *file)
3372{
3373 file_free_security(file);
3374}
3375
fa1aa143
JVS		 3376/*
3377 * Check whether a task has the ioctl permission and cmd
3378 * operation to an inode.
3379 */
1d2a168a 3380static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3381 u32 requested, u16 cmd)
3382{
3383 struct common_audit_data ad;
3384 struct file_security_struct *fsec = file->f_security;
3385 struct inode *inode = file_inode(file);
20cdef8d 3386 struct inode_security_struct *isec;
fa1aa143
JVS		 3387 struct lsm_ioctlop_audit ioctl;
3388 u32 ssid = cred_sid(cred);
3389 int rc;
3390 u8 driver = cmd >> 8;
3391 u8 xperm = cmd & 0xff;
3392
3393 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3394 ad.u.op = &ioctl;
3395 ad.u.op->cmd = cmd;
3396 ad.u.op->path = file->f_path;
3397
3398 if (ssid != fsec->sid) {
3399 rc = avc_has_perm(ssid, fsec->sid,
3400 SECCLASS_FD,
3401 FD__USE,
3402 &ad);
3403 if (rc)
3404 goto out;
3405 }
3406
3407 if (unlikely(IS_PRIVATE(inode)))
3408 return 0;
3409
20cdef8d 3410 isec = inode_security(inode);
fa1aa143
JVS		 3411 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3412 requested, driver, xperm, &ad);
3413out:
3414 return rc;
3415}
3416
1da177e4
LT		 3417static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3418 unsigned long arg)
3419{
88e67f3b 3420 const struct cred *cred = current_cred();
0b24dcb7 3421 int error = 0;
1da177e4 3422
0b24dcb7
EP		 3423 switch (cmd) {
3424 case FIONREAD:
3425 /* fall through */
3426 case FIBMAP:
3427 /* fall through */
3428 case FIGETBSZ:
3429 /* fall through */
2f99c369 3430 case FS_IOC_GETFLAGS:
0b24dcb7 3431 /* fall through */
2f99c369 3432 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3433 error = file_has_perm(cred, file, FILE__GETATTR);
3434 break;
1da177e4 3435
2f99c369 3436 case FS_IOC_SETFLAGS:
0b24dcb7 3437 /* fall through */
2f99c369 3438 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3439 error = file_has_perm(cred, file, FILE__SETATTR);
3440 break;
3441
3442 /* sys_ioctl() checks */
3443 case FIONBIO:
3444 /* fall through */
3445 case FIOASYNC:
3446 error = file_has_perm(cred, file, 0);
3447 break;
1da177e4 3448
0b24dcb7
EP		 3449 case KDSKBENT:
3450 case KDSKBSENT:
6a9de491 3451 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
8e4ff6f2 3452 SECURITY_CAP_AUDIT, true);
0b24dcb7
EP		 3453 break;
3454
3455 /* default case assumes that the command will go
3456 * to the file's ioctl() function.
3457 */
3458 default:
fa1aa143 3459 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3460 }
3461 return error;
1da177e4
LT		 3462}
3463
fcaaade1
SS		 3464static int default_noexec;
3465
1da177e4
LT		 3466static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3467{
88e67f3b 3468 const struct cred *cred = current_cred();
d84f4f99 3469 int rc = 0;
88e67f3b 3470
fcaaade1 3471 if (default_noexec &&
892e8cac
SS		 3472 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3473 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3474 /*
3475 * We are making executable an anonymous mapping or a
3476 * private file mapping that will also be writable.
3477 * This has an additional check.
3478 */
d84f4f99 3479 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 3480 if (rc)
d84f4f99 3481 goto error;
1da177e4 3482 }
1da177e4
LT		 3483
3484 if (file) {
3485 /* read access is always possible with a mapping */
3486 u32 av = FILE__READ;
3487
3488 /* write access only matters if the mapping is shared */
3489 if (shared && (prot & PROT_WRITE))
3490 av |= FILE__WRITE;
3491
3492 if (prot & PROT_EXEC)
3493 av |= FILE__EXECUTE;
3494
88e67f3b 3495 return file_has_perm(cred, file, av);
1da177e4 3496 }
d84f4f99
DH		 3497
3498error:
3499 return rc;
1da177e4
LT		 3500}
3501
e5467859 3502static int selinux_mmap_addr(unsigned long addr)
1da177e4 3503{
b1d9e6b0 3504 int rc = 0;
1da177e4 3505
a2551df7 3506 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3507 u32 sid = current_sid();
ed032189
EP		 3508 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3509 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3510 }
3511
98883bfd 3512 return rc;
e5467859 3513}
1da177e4 3514
e5467859
AV		 3515static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3516 unsigned long prot, unsigned long flags)
3517{
1da177e4
LT		 3518 if (selinux_checkreqprot)
3519 prot = reqprot;
3520
3521 return file_map_prot_check(file, prot,
3522 (flags & MAP_TYPE) == MAP_SHARED);
3523}
3524
3525static int selinux_file_mprotect(struct vm_area_struct *vma,
3526 unsigned long reqprot,
3527 unsigned long prot)
3528{
88e67f3b 3529 const struct cred *cred = current_cred();
1da177e4
LT		 3530
3531 if (selinux_checkreqprot)
3532 prot = reqprot;
3533
fcaaade1
SS		 3534 if (default_noexec &&
3535 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3536 int rc = 0;
db4c9641
SS		 3537 if (vma->vm_start >= vma->vm_mm->start_brk &&
3538 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3539 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641 3540 } else if (!vma->vm_file &&
c2316dbf
SS		 3541 ((vma->vm_start <= vma->vm_mm->start_stack &&
3542 vma->vm_end >= vma->vm_mm->start_stack) ||
3543 vma_is_stack_for_task(vma, current))) {
3b11a1de 3544 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3545 } else if (vma->vm_file && vma->anon_vma) {
3546 /*
3547 * We are making executable a file mapping that has
3548 * had some COW done. Since pages might have been
3549 * written, check ability to execute the possibly
3550 * modified content. This typically should only
3551 * occur for text relocations.
3552 */
d84f4f99 3553 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3554 }