]> git.proxmox.com Git - mirror_ubuntu-hirsute-kernel.git/blame - security/selinux/hooks.c
projects / mirror_ubuntu-hirsute-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Linux 2.6.25-rc4
[mirror_ubuntu-hirsute-kernel.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
effad8df
PM		 15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com>
788e7dd4
YN		 17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 19 *
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
23 */
24
1da177e4
LT		 25#include <linux/init.h>
26#include <linux/kernel.h>
27#include <linux/ptrace.h>
28#include <linux/errno.h>
29#include <linux/sched.h>
30#include <linux/security.h>
31#include <linux/xattr.h>
32#include <linux/capability.h>
33#include <linux/unistd.h>
34#include <linux/mm.h>
35#include <linux/mman.h>
36#include <linux/slab.h>
37#include <linux/pagemap.h>
38#include <linux/swap.h>
1da177e4
LT		 39#include <linux/spinlock.h>
40#include <linux/syscalls.h>
41#include <linux/file.h>
42#include <linux/namei.h>
43#include <linux/mount.h>
44#include <linux/ext2_fs.h>
45#include <linux/proc_fs.h>
46#include <linux/kd.h>
47#include <linux/netfilter_ipv4.h>
48#include <linux/netfilter_ipv6.h>
49#include <linux/tty.h>
50#include <net/icmp.h>
227b60f5 51#include <net/ip.h> /* for local_port_range[] */
1da177e4 52#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
220deb96 53#include <net/net_namespace.h>
d621d35e 54#include <net/netlabel.h>
1da177e4 55#include <asm/uaccess.h>
1da177e4 56#include <asm/ioctls.h>
d621d35e 57#include <asm/atomic.h>
1da177e4
LT		 58#include <linux/bitops.h>
59#include <linux/interrupt.h>
60#include <linux/netdevice.h> /* for network interface checks */
61#include <linux/netlink.h>
62#include <linux/tcp.h>
63#include <linux/udp.h>
2ee92d46 64#include <linux/dccp.h>
1da177e4
LT		 65#include <linux/quota.h>
66#include <linux/un.h> /* for Unix socket types */
67#include <net/af_unix.h> /* for Unix socket types */
68#include <linux/parser.h>
69#include <linux/nfs_mount.h>
70#include <net/ipv6.h>
71#include <linux/hugetlb.h>
72#include <linux/personality.h>
73#include <linux/sysctl.h>
74#include <linux/audit.h>
6931dfc9 75#include <linux/string.h>
877ce7c1 76#include <linux/selinux.h>
23970741 77#include <linux/mutex.h>
1da177e4
LT		 78
79#include "avc.h"
80#include "objsec.h"
81#include "netif.h"
224dfbd8 82#include "netnode.h"
d28d1e08 83#include "xfrm.h"
c60475bf 84#include "netlabel.h"
1da177e4
LT		 85
86#define XATTR_SELINUX_SUFFIX "selinux"
87#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
88
c9180a57
EP		 89#define NUM_SEL_MNT_OPTS 4
90
1da177e4
LT		 91extern unsigned int policydb_loaded_version;
92extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
4e5ab4cb 93extern int selinux_compat_net;
20510f2f 94extern struct security_operations *security_ops;
1da177e4 95
d621d35e
PM		 96/* SECMARK reference count */
97atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
98
1da177e4
LT		 99#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100int selinux_enforcing = 0;
101
102static int __init enforcing_setup(char *str)
103{
104 selinux_enforcing = simple_strtol(str,NULL,0);
105 return 1;
106}
107__setup("enforcing=", enforcing_setup);
108#endif
109
110#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
112
113static int __init selinux_enabled_setup(char *str)
114{
115 selinux_enabled = simple_strtol(str, NULL, 0);
116 return 1;
117}
118__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 119#else
120int selinux_enabled = 1;
1da177e4
LT		 121#endif
122
123/* Original (dummy) security module. */
124static struct security_operations *original_ops = NULL;
125
126/* Minimal support for a secondary security module,
127 just to allow the use of the dummy or capability modules.
128 The owlsm module can alternatively be used as a secondary
129 module as long as CONFIG_OWLSM_FD is not enabled. */
130static struct security_operations *secondary_ops = NULL;
131
132/* Lists of inode and superblock security structures initialized
133 before the policy was loaded. */
134static LIST_HEAD(superblock_security_head);
135static DEFINE_SPINLOCK(sb_security_lock);
136
e18b890b 137static struct kmem_cache *sel_inode_cache;
7cae7e26 138
d621d35e
PM		 139/**
140 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
141 *
142 * Description:
143 * This function checks the SECMARK reference counter to see if any SECMARK
144 * targets are currently configured, if the reference counter is greater than
145 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
146 * enabled, false (0) if SECMARK is disabled.
147 *
148 */
149static int selinux_secmark_enabled(void)
150{
151 return (atomic_read(&selinux_secmark_refcount) > 0);
152}
153
1da177e4
LT		 154/* Allocate and free functions for each kind of security blob. */
155
156static int task_alloc_security(struct task_struct *task)
157{
158 struct task_security_struct *tsec;
159
89d155ef 160 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4
LT		 161 if (!tsec)
162 return -ENOMEM;
163
1da177e4
LT		 164 tsec->task = task;
165 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
166 task->security = tsec;
167
168 return 0;
169}
170
171static void task_free_security(struct task_struct *task)
172{
173 struct task_security_struct *tsec = task->security;
1da177e4
LT		 174 task->security = NULL;
175 kfree(tsec);
176}
177
178static int inode_alloc_security(struct inode *inode)
179{
180 struct task_security_struct *tsec = current->security;
181 struct inode_security_struct *isec;
182
c3762229 183 isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
1da177e4
LT		 184 if (!isec)
185 return -ENOMEM;
186
23970741 187 mutex_init(&isec->lock);
1da177e4 188 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 189 isec->inode = inode;
190 isec->sid = SECINITSID_UNLABELED;
191 isec->sclass = SECCLASS_FILE;
9ac49d22 192 isec->task_sid = tsec->sid;
1da177e4
LT		 193 inode->i_security = isec;
194
195 return 0;
196}
197
198static void inode_free_security(struct inode *inode)
199{
200 struct inode_security_struct *isec = inode->i_security;
201 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
202
1da177e4
LT		 203 spin_lock(&sbsec->isec_lock);
204 if (!list_empty(&isec->list))
205 list_del_init(&isec->list);
206 spin_unlock(&sbsec->isec_lock);
207
208 inode->i_security = NULL;
7cae7e26 209 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 210}
211
212static int file_alloc_security(struct file *file)
213{
214 struct task_security_struct *tsec = current->security;
215 struct file_security_struct *fsec;
216
26d2a4be 217 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 218 if (!fsec)
219 return -ENOMEM;
220
1da177e4 221 fsec->file = file;
9ac49d22
SS		 222 fsec->sid = tsec->sid;
223 fsec->fown_sid = tsec->sid;
1da177e4
LT		 224 file->f_security = fsec;
225
226 return 0;
227}
228
229static void file_free_security(struct file *file)
230{
231 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 232 file->f_security = NULL;
233 kfree(fsec);
234}
235
236static int superblock_alloc_security(struct super_block *sb)
237{
238 struct superblock_security_struct *sbsec;
239
89d155ef 240 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 241 if (!sbsec)
242 return -ENOMEM;
243
bc7e982b 244 mutex_init(&sbsec->lock);
1da177e4
LT		 245 INIT_LIST_HEAD(&sbsec->list);
246 INIT_LIST_HEAD(&sbsec->isec_head);
247 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 248 sbsec->sb = sb;
249 sbsec->sid = SECINITSID_UNLABELED;
250 sbsec->def_sid = SECINITSID_FILE;
c312feb2 251 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 252 sb->s_security = sbsec;
253
254 return 0;
255}
256
257static void superblock_free_security(struct super_block *sb)
258{
259 struct superblock_security_struct *sbsec = sb->s_security;
260
1da177e4
LT		 261 spin_lock(&sb_security_lock);
262 if (!list_empty(&sbsec->list))
263 list_del_init(&sbsec->list);
264 spin_unlock(&sb_security_lock);
265
266 sb->s_security = NULL;
267 kfree(sbsec);
268}
269
7d877f3b 270static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4
LT		 271{
272 struct sk_security_struct *ssec;
273
89d155ef 274 ssec = kzalloc(sizeof(*ssec), priority);
1da177e4
LT		 275 if (!ssec)
276 return -ENOMEM;
277
1da177e4
LT		 278 ssec->sk = sk;
279 ssec->peer_sid = SECINITSID_UNLABELED;
892c141e 280 ssec->sid = SECINITSID_UNLABELED;
1da177e4
LT		 281 sk->sk_security = ssec;
282
99f59ed0
PM		 283 selinux_netlbl_sk_security_init(ssec, family);
284
1da177e4
LT		 285 return 0;
286}
287
288static void sk_free_security(struct sock *sk)
289{
290 struct sk_security_struct *ssec = sk->sk_security;
291
1da177e4
LT		 292 sk->sk_security = NULL;
293 kfree(ssec);
294}
1da177e4
LT		 295
296/* The security server must be initialized before
297 any labeling or access decisions can be provided. */
298extern int ss_initialized;
299
300/* The file system's label must be initialized prior to use. */
301
302static char *labeling_behaviors[6] = {
303 "uses xattr",
304 "uses transition SIDs",
305 "uses task SIDs",
306 "uses genfs_contexts",
307 "not configured for labeling",
308 "uses mountpoint labeling",
309};
310
311static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
312
313static inline int inode_doinit(struct inode *inode)
314{
315 return inode_doinit_with_dentry(inode, NULL);
316}
317
318enum {
31e87930 319 Opt_error = -1,
1da177e4
LT		 320 Opt_context = 1,
321 Opt_fscontext = 2,
c9180a57
EP		 322 Opt_defcontext = 3,
323 Opt_rootcontext = 4,
1da177e4
LT		 324};
325
326static match_table_t tokens = {
327 {Opt_context, "context=%s"},
328 {Opt_fscontext, "fscontext=%s"},
329 {Opt_defcontext, "defcontext=%s"},
0808925e 330 {Opt_rootcontext, "rootcontext=%s"},
31e87930 331 {Opt_error, NULL},
1da177e4
LT		 332};
333
334#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
335
c312feb2
EP		 336static int may_context_mount_sb_relabel(u32 sid,
337 struct superblock_security_struct *sbsec,
338 struct task_security_struct *tsec)
339{
340 int rc;
341
342 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
343 FILESYSTEM__RELABELFROM, NULL);
344 if (rc)
345 return rc;
346
347 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
348 FILESYSTEM__RELABELTO, NULL);
349 return rc;
350}
351
0808925e
EP		 352static int may_context_mount_inode_relabel(u32 sid,
353 struct superblock_security_struct *sbsec,
354 struct task_security_struct *tsec)
355{
356 int rc;
357 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358 FILESYSTEM__RELABELFROM, NULL);
359 if (rc)
360 return rc;
361
362 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
363 FILESYSTEM__ASSOCIATE, NULL);
364 return rc;
365}
366
c9180a57 367static int sb_finish_set_opts(struct super_block *sb)
1da177e4 368{
1da177e4 369 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 370 struct dentry *root = sb->s_root;
371 struct inode *root_inode = root->d_inode;
372 int rc = 0;
1da177e4 373
c9180a57
EP		 374 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
375 /* Make sure that the xattr handler exists and that no
376 error other than -ENODATA is returned by getxattr on
377 the root directory. -ENODATA is ok, as this may be
378 the first boot of the SELinux kernel before we have
379 assigned xattr values to the filesystem. */
380 if (!root_inode->i_op->getxattr) {
381 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
382 "xattr support\n", sb->s_id, sb->s_type->name);
383 rc = -EOPNOTSUPP;
384 goto out;
385 }
386 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
387 if (rc < 0 && rc != -ENODATA) {
388 if (rc == -EOPNOTSUPP)
389 printk(KERN_WARNING "SELinux: (dev %s, type "
390 "%s) has no security xattr handler\n",
391 sb->s_id, sb->s_type->name);
392 else
393 printk(KERN_WARNING "SELinux: (dev %s, type "
394 "%s) getxattr errno %d\n", sb->s_id,
395 sb->s_type->name, -rc);
396 goto out;
397 }
398 }
1da177e4 399
c9180a57 400 sbsec->initialized = 1;
1da177e4 401
c9180a57
EP		 402 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
404 sb->s_id, sb->s_type->name);
405 else
406 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
407 sb->s_id, sb->s_type->name,
408 labeling_behaviors[sbsec->behavior-1]);
1da177e4 409
c9180a57
EP		 410 /* Initialize the root inode. */
411 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 412
c9180a57
EP		 413 /* Initialize any other inodes associated with the superblock, e.g.
414 inodes created prior to initial policy load or inodes created
415 during get_sb by a pseudo filesystem that directly
416 populates itself. */
417 spin_lock(&sbsec->isec_lock);
418next_inode:
419 if (!list_empty(&sbsec->isec_head)) {
420 struct inode_security_struct *isec =
421 list_entry(sbsec->isec_head.next,
422 struct inode_security_struct, list);
423 struct inode *inode = isec->inode;
424 spin_unlock(&sbsec->isec_lock);
425 inode = igrab(inode);
426 if (inode) {
427 if (!IS_PRIVATE(inode))
428 inode_doinit(inode);
429 iput(inode);
430 }
431 spin_lock(&sbsec->isec_lock);
432 list_del_init(&isec->list);
433 goto next_inode;
434 }
435 spin_unlock(&sbsec->isec_lock);
436out:
437 return rc;
438}
1da177e4 439
c9180a57
EP		 440/*
441 * This function should allow an FS to ask what it's mount security
442 * options were so it can use those later for submounts, displaying
443 * mount options, or whatever.
444 */
445static int selinux_get_mnt_opts(const struct super_block *sb,
446 char ***mount_options, int **mnt_opts_flags,
447 int *num_opts)
448{
449 int rc = 0, i;
450 struct superblock_security_struct *sbsec = sb->s_security;
451 char *context = NULL;
452 u32 len;
453 char tmp;
1da177e4 454
c9180a57
EP		 455 *num_opts = 0;
456 *mount_options = NULL;
457 *mnt_opts_flags = NULL;
1da177e4 458
c9180a57
EP		 459 if (!sbsec->initialized)
460 return -EINVAL;
1da177e4 461
c9180a57
EP		 462 if (!ss_initialized)
463 return -EINVAL;
1da177e4 464
c9180a57
EP		 465 /*
466 * if we ever use sbsec flags for anything other than tracking mount
467 * settings this is going to need a mask
468 */
469 tmp = sbsec->flags;
470 /* count the number of mount options for this sb */
471 for (i = 0; i < 8; i++) {
472 if (tmp & 0x01)
473 (*num_opts)++;
474 tmp >>= 1;
475 }
1da177e4 476
c9180a57
EP		 477 *mount_options = kcalloc(*num_opts, sizeof(char *), GFP_ATOMIC);
478 if (!*mount_options) {
479 rc = -ENOMEM;
480 goto out_free;
481 }
1da177e4 482
c9180a57
EP		 483 *mnt_opts_flags = kcalloc(*num_opts, sizeof(int), GFP_ATOMIC);
484 if (!*mnt_opts_flags) {
485 rc = -ENOMEM;
486 goto out_free;
487 }
1da177e4 488
c9180a57
EP		 489 i = 0;
490 if (sbsec->flags & FSCONTEXT_MNT) {
491 rc = security_sid_to_context(sbsec->sid, &context, &len);
492 if (rc)
493 goto out_free;
494 (*mount_options)[i] = context;
495 (*mnt_opts_flags)[i++] = FSCONTEXT_MNT;
496 }
497 if (sbsec->flags & CONTEXT_MNT) {
498 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
499 if (rc)
500 goto out_free;
501 (*mount_options)[i] = context;
502 (*mnt_opts_flags)[i++] = CONTEXT_MNT;
503 }
504 if (sbsec->flags & DEFCONTEXT_MNT) {
505 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
506 if (rc)
507 goto out_free;
508 (*mount_options)[i] = context;
509 (*mnt_opts_flags)[i++] = DEFCONTEXT_MNT;
510 }
511 if (sbsec->flags & ROOTCONTEXT_MNT) {
512 struct inode *root = sbsec->sb->s_root->d_inode;
513 struct inode_security_struct *isec = root->i_security;
0808925e 514
c9180a57
EP		 515 rc = security_sid_to_context(isec->sid, &context, &len);
516 if (rc)
517 goto out_free;
518 (*mount_options)[i] = context;
519 (*mnt_opts_flags)[i++] = ROOTCONTEXT_MNT;
520 }
1da177e4 521
c9180a57 522 BUG_ON(i != *num_opts);
1da177e4 523
c9180a57
EP		 524 return 0;
525
526out_free:
527 /* don't leak context string if security_sid_to_context had an error */
528 if (*mount_options && i)
529 for (; i > 0; i--)
530 kfree((*mount_options)[i-1]);
531 kfree(*mount_options);
532 *mount_options = NULL;
533 kfree(*mnt_opts_flags);
534 *mnt_opts_flags = NULL;
535 *num_opts = 0;
536 return rc;
537}
1da177e4 538
c9180a57
EP		 539static int bad_option(struct superblock_security_struct *sbsec, char flag,
540 u32 old_sid, u32 new_sid)
541{
542 /* check if the old mount command had the same options */
543 if (sbsec->initialized)
544 if (!(sbsec->flags & flag) ||
545 (old_sid != new_sid))
546 return 1;
547
548 /* check if we were passed the same options twice,
549 * aka someone passed context=a,context=b
550 */
551 if (!sbsec->initialized)
552 if (sbsec->flags & flag)
553 return 1;
554 return 0;
555}
556/*
557 * Allow filesystems with binary mount data to explicitly set mount point
558 * labeling information.
559 */
374ea019
AB		 560static int selinux_set_mnt_opts(struct super_block *sb, char **mount_options,
561 int *flags, int num_opts)
c9180a57
EP		 562{
563 int rc = 0, i;
564 struct task_security_struct *tsec = current->security;
565 struct superblock_security_struct *sbsec = sb->s_security;
566 const char *name = sb->s_type->name;
567 struct inode *inode = sbsec->sb->s_root->d_inode;
568 struct inode_security_struct *root_isec = inode->i_security;
569 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
570 u32 defcontext_sid = 0;
571
572 mutex_lock(&sbsec->lock);
573
574 if (!ss_initialized) {
575 if (!num_opts) {
576 /* Defer initialization until selinux_complete_init,
577 after the initial policy is loaded and the security
578 server is ready to handle calls. */
579 spin_lock(&sb_security_lock);
580 if (list_empty(&sbsec->list))
581 list_add(&sbsec->list, &superblock_security_head);
582 spin_unlock(&sb_security_lock);
583 goto out;
584 }
585 rc = -EINVAL;
586 printk(KERN_WARNING "Unable to set superblock options before "
587 "the security server is initialized\n");
1da177e4 588 goto out;
c9180a57 589 }
1da177e4 590
c9180a57
EP		 591 /*
592 * parse the mount options, check if they are valid sids.
593 * also check if someone is trying to mount the same sb more
594 * than once with different security options.
595 */
596 for (i = 0; i < num_opts; i++) {
597 u32 sid;
598 rc = security_context_to_sid(mount_options[i],
599 strlen(mount_options[i]), &sid);
1da177e4
LT		 600 if (rc) {
601 printk(KERN_WARNING "SELinux: security_context_to_sid"
602 "(%s) failed for (dev %s, type %s) errno=%d\n",
c9180a57
EP		 603 mount_options[i], sb->s_id, name, rc);
604 goto out;
605 }
606 switch (flags[i]) {
607 case FSCONTEXT_MNT:
608 fscontext_sid = sid;
609
610 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
611 fscontext_sid))
612 goto out_double_mount;
613
614 sbsec->flags |= FSCONTEXT_MNT;
615 break;
616 case CONTEXT_MNT:
617 context_sid = sid;
618
619 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
620 context_sid))
621 goto out_double_mount;
622
623 sbsec->flags |= CONTEXT_MNT;
624 break;
625 case ROOTCONTEXT_MNT:
626 rootcontext_sid = sid;
627
628 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
629 rootcontext_sid))
630 goto out_double_mount;
631
632 sbsec->flags |= ROOTCONTEXT_MNT;
633
634 break;
635 case DEFCONTEXT_MNT:
636 defcontext_sid = sid;
637
638 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
639 defcontext_sid))
640 goto out_double_mount;
641
642 sbsec->flags |= DEFCONTEXT_MNT;
643
644 break;
645 default:
646 rc = -EINVAL;
647 goto out;
1da177e4 648 }
c9180a57
EP		 649 }
650
651 if (sbsec->initialized) {
652 /* previously mounted with options, but not on this attempt? */
653 if (sbsec->flags && !num_opts)
654 goto out_double_mount;
655 rc = 0;
656 goto out;
657 }
658
659 if (strcmp(sb->s_type->name, "proc") == 0)
660 sbsec->proc = 1;
661
662 /* Determine the labeling behavior to use for this filesystem type. */
663 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
664 if (rc) {
665 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
666 __FUNCTION__, sb->s_type->name, rc);
667 goto out;
668 }
1da177e4 669
c9180a57
EP		 670 /* sets the context of the superblock for the fs being mounted. */
671 if (fscontext_sid) {
672
673 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
1da177e4 674 if (rc)
c9180a57 675 goto out;
1da177e4 676
c9180a57 677 sbsec->sid = fscontext_sid;
c312feb2
EP		 678 }
679
680 /*
681 * Switch to using mount point labeling behavior.
682 * sets the label used on all file below the mountpoint, and will set
683 * the superblock context if not already set.
684 */
c9180a57
EP		 685 if (context_sid) {
686 if (!fscontext_sid) {
687 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
b04ea3ce 688 if (rc)
c9180a57
EP		 689 goto out;
690 sbsec->sid = context_sid;
b04ea3ce 691 } else {
c9180a57 692 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
b04ea3ce 693 if (rc)
c9180a57 694 goto out;
b04ea3ce 695 }
c9180a57
EP		 696 if (!rootcontext_sid)
697 rootcontext_sid = context_sid;
1da177e4 698
c9180a57 699 sbsec->mntpoint_sid = context_sid;
c312feb2 700 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 701 }
702
c9180a57
EP		 703 if (rootcontext_sid) {
704 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
0808925e 705 if (rc)
c9180a57 706 goto out;
0808925e 707
c9180a57
EP		 708 root_isec->sid = rootcontext_sid;
709 root_isec->initialized = 1;
0808925e
EP		 710 }
711
c9180a57
EP		 712 if (defcontext_sid) {
713 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
714 rc = -EINVAL;
715 printk(KERN_WARNING "SELinux: defcontext option is "
716 "invalid for this filesystem type\n");
717 goto out;
1da177e4
LT		 718 }
719
c9180a57
EP		 720 if (defcontext_sid != sbsec->def_sid) {
721 rc = may_context_mount_inode_relabel(defcontext_sid,
722 sbsec, tsec);
723 if (rc)
724 goto out;
725 }
1da177e4 726
c9180a57 727 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 728 }
729
c9180a57 730 rc = sb_finish_set_opts(sb);
1da177e4 731out:
c9180a57 732 mutex_unlock(&sbsec->lock);
1da177e4 733 return rc;
c9180a57
EP		 734out_double_mount:
735 rc = -EINVAL;
736 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
737 "security settings for (dev %s, type %s)\n", sb->s_id, name);
738 goto out;
1da177e4
LT		 739}
740
c9180a57
EP		 741static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
742 struct super_block *newsb)
1da177e4 743{
c9180a57
EP		 744 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
745 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 746
c9180a57
EP		 747 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
748 int set_context = (oldsbsec->flags & CONTEXT_MNT);
749 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 750
c9180a57
EP		 751 /* we can't error, we can't save the info, this shouldn't get called
752 * this early in the boot process. */
753 BUG_ON(!ss_initialized);
754
755 /* this might go away sometime down the line if there is a new user
756 * of clone, but for now, nfs better not get here... */
757 BUG_ON(newsbsec->initialized);
758
759 /* how can we clone if the old one wasn't set up?? */
760 BUG_ON(!oldsbsec->initialized);
761
762 mutex_lock(&newsbsec->lock);
763
764 newsbsec->flags = oldsbsec->flags;
765
766 newsbsec->sid = oldsbsec->sid;
767 newsbsec->def_sid = oldsbsec->def_sid;
768 newsbsec->behavior = oldsbsec->behavior;
769
770 if (set_context) {
771 u32 sid = oldsbsec->mntpoint_sid;
772
773 if (!set_fscontext)
774 newsbsec->sid = sid;
775 if (!set_rootcontext) {
776 struct inode *newinode = newsb->s_root->d_inode;
777 struct inode_security_struct *newisec = newinode->i_security;
778 newisec->sid = sid;
779 }
780 newsbsec->mntpoint_sid = sid;
1da177e4 781 }
c9180a57
EP		 782 if (set_rootcontext) {
783 const struct inode *oldinode = oldsb->s_root->d_inode;
784 const struct inode_security_struct *oldisec = oldinode->i_security;
785 struct inode *newinode = newsb->s_root->d_inode;
786 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 787
c9180a57 788 newisec->sid = oldisec->sid;
1da177e4
LT		 789 }
790
c9180a57
EP		 791 sb_finish_set_opts(newsb);
792 mutex_unlock(&newsbsec->lock);
793}
794
795/*
796 * string mount options parsing and call set the sbsec
797 */
798static int superblock_doinit(struct super_block *sb, void *data)
799{
800 char *context = NULL, *defcontext = NULL;
801 char *fscontext = NULL, *rootcontext = NULL;
802 int rc = 0;
803 char *p, *options = data;
804 /* selinux only know about a fixed number of mount options */
805 char *mnt_opts[NUM_SEL_MNT_OPTS];
806 int mnt_opts_flags[NUM_SEL_MNT_OPTS], num_mnt_opts = 0;
807
808 if (!data)
1da177e4
LT		 809 goto out;
810
c9180a57
EP		 811 /* with the nfs patch this will become a goto out; */
812 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
813 const char *name = sb->s_type->name;
814 /* NFS we understand. */
815 if (!strcmp(name, "nfs")) {
816 struct nfs_mount_data *d = data;
817
818 if (d->version != NFS_MOUNT_VERSION)
819 goto out;
820
821 if (d->context[0]) {
822 context = kstrdup(d->context, GFP_KERNEL);
823 if (!context) {
824 rc = -ENOMEM;
825 goto out;
826 }
827 }
828 goto build_flags;
829 } else
1da177e4 830 goto out;
1da177e4
LT		 831 }
832
c9180a57
EP		 833 /* Standard string-based options. */
834 while ((p = strsep(&options, "|")) != NULL) {
835 int token;
836 substring_t args[MAX_OPT_ARGS];
1da177e4 837
c9180a57
EP		 838 if (!*p)
839 continue;
1da177e4 840
c9180a57 841 token = match_token(p, tokens, args);
1da177e4 842
c9180a57
EP		 843 switch (token) {
844 case Opt_context:
845 if (context || defcontext) {
846 rc = -EINVAL;
847 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
848 goto out_err;
849 }
850 context = match_strdup(&args[0]);
851 if (!context) {
852 rc = -ENOMEM;
853 goto out_err;
854 }
855 break;
856
857 case Opt_fscontext:
858 if (fscontext) {
859 rc = -EINVAL;
860 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
861 goto out_err;
862 }
863 fscontext = match_strdup(&args[0]);
864 if (!fscontext) {
865 rc = -ENOMEM;
866 goto out_err;
867 }
868 break;
869
870 case Opt_rootcontext:
871 if (rootcontext) {
872 rc = -EINVAL;
873 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
874 goto out_err;
875 }
876 rootcontext = match_strdup(&args[0]);
877 if (!rootcontext) {
878 rc = -ENOMEM;
879 goto out_err;
880 }
881 break;
882
883 case Opt_defcontext:
884 if (context || defcontext) {
885 rc = -EINVAL;
886 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
887 goto out_err;
888 }
889 defcontext = match_strdup(&args[0]);
890 if (!defcontext) {
891 rc = -ENOMEM;
892 goto out_err;
893 }
894 break;
895
896 default:
897 rc = -EINVAL;
898 printk(KERN_WARNING "SELinux: unknown mount option\n");
899 goto out_err;
1da177e4 900
1da177e4 901 }
1da177e4 902 }
c9180a57
EP		 903
904build_flags:
905 if (fscontext) {
906 mnt_opts[num_mnt_opts] = fscontext;
907 mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
908 }
909 if (context) {
910 mnt_opts[num_mnt_opts] = context;
911 mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
912 }
913 if (rootcontext) {
914 mnt_opts[num_mnt_opts] = rootcontext;
915 mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
916 }
917 if (defcontext) {
918 mnt_opts[num_mnt_opts] = defcontext;
919 mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
920 }
921
1da177e4 922out:
c9180a57
EP		 923 rc = selinux_set_mnt_opts(sb, mnt_opts, mnt_opts_flags, num_mnt_opts);
924out_err:
925 kfree(context);
926 kfree(defcontext);
927 kfree(fscontext);
928 kfree(rootcontext);
1da177e4
LT		 929 return rc;
930}
931
932static inline u16 inode_mode_to_security_class(umode_t mode)
933{
934 switch (mode & S_IFMT) {
935 case S_IFSOCK:
936 return SECCLASS_SOCK_FILE;
937 case S_IFLNK:
938 return SECCLASS_LNK_FILE;
939 case S_IFREG:
940 return SECCLASS_FILE;
941 case S_IFBLK:
942 return SECCLASS_BLK_FILE;
943 case S_IFDIR:
944 return SECCLASS_DIR;
945 case S_IFCHR:
946 return SECCLASS_CHR_FILE;
947 case S_IFIFO:
948 return SECCLASS_FIFO_FILE;
949
950 }
951
952 return SECCLASS_FILE;
953}
954
13402580
JM		 955static inline int default_protocol_stream(int protocol)
956{
957 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
958}
959
960static inline int default_protocol_dgram(int protocol)
961{
962 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
963}
964
1da177e4
LT		 965static inline u16 socket_type_to_security_class(int family, int type, int protocol)
966{
967 switch (family) {
968 case PF_UNIX:
969 switch (type) {
970 case SOCK_STREAM:
971 case SOCK_SEQPACKET:
972 return SECCLASS_UNIX_STREAM_SOCKET;
973 case SOCK_DGRAM:
974 return SECCLASS_UNIX_DGRAM_SOCKET;
975 }
976 break;
977 case PF_INET:
978 case PF_INET6:
979 switch (type) {
980 case SOCK_STREAM:
13402580
JM		 981 if (default_protocol_stream(protocol))
982 return SECCLASS_TCP_SOCKET;
983 else
984 return SECCLASS_RAWIP_SOCKET;
1da177e4 985 case SOCK_DGRAM:
13402580
JM		 986 if (default_protocol_dgram(protocol))
987 return SECCLASS_UDP_SOCKET;
988 else
989 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 990 case SOCK_DCCP:
991 return SECCLASS_DCCP_SOCKET;
13402580 992 default:
1da177e4
LT		 993 return SECCLASS_RAWIP_SOCKET;
994 }
995 break;
996 case PF_NETLINK:
997 switch (protocol) {
998 case NETLINK_ROUTE:
999 return SECCLASS_NETLINK_ROUTE_SOCKET;
1000 case NETLINK_FIREWALL:
1001 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 1002 case NETLINK_INET_DIAG:
1da177e4
LT		 1003 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1004 case NETLINK_NFLOG:
1005 return SECCLASS_NETLINK_NFLOG_SOCKET;
1006 case NETLINK_XFRM:
1007 return SECCLASS_NETLINK_XFRM_SOCKET;
1008 case NETLINK_SELINUX:
1009 return SECCLASS_NETLINK_SELINUX_SOCKET;
1010 case NETLINK_AUDIT:
1011 return SECCLASS_NETLINK_AUDIT_SOCKET;
1012 case NETLINK_IP6_FW:
1013 return SECCLASS_NETLINK_IP6FW_SOCKET;
1014 case NETLINK_DNRTMSG:
1015 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1016 case NETLINK_KOBJECT_UEVENT:
1017 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1018 default:
1019 return SECCLASS_NETLINK_SOCKET;
1020 }
1021 case PF_PACKET:
1022 return SECCLASS_PACKET_SOCKET;
1023 case PF_KEY:
1024 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1025 case PF_APPLETALK:
1026 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1027 }
1028
1029 return SECCLASS_SOCKET;
1030}
1031
1032#ifdef CONFIG_PROC_FS
1033static int selinux_proc_get_sid(struct proc_dir_entry *de,
1034 u16 tclass,
1035 u32 *sid)
1036{
1037 int buflen, rc;
1038 char *buffer, *path, *end;
1039
1040 buffer = (char*)__get_free_page(GFP_KERNEL);
1041 if (!buffer)
1042 return -ENOMEM;
1043
1044 buflen = PAGE_SIZE;
1045 end = buffer+buflen;
1046 *--end = '\0';
1047 buflen--;
1048 path = end-1;
1049 *path = '/';
1050 while (de && de != de->parent) {
1051 buflen -= de->namelen + 1;
1052 if (buflen < 0)
1053 break;
1054 end -= de->namelen;
1055 memcpy(end, de->name, de->namelen);
1056 *--end = '/';
1057 path = end;
1058 de = de->parent;
1059 }
1060 rc = security_genfs_sid("proc", path, tclass, sid);
1061 free_page((unsigned long)buffer);
1062 return rc;
1063}
1064#else
1065static int selinux_proc_get_sid(struct proc_dir_entry *de,
1066 u16 tclass,
1067 u32 *sid)
1068{
1069 return -EINVAL;
1070}
1071#endif
1072
1073/* The inode's security attributes must be initialized before first use. */
1074static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1075{
1076 struct superblock_security_struct *sbsec = NULL;
1077 struct inode_security_struct *isec = inode->i_security;
1078 u32 sid;
1079 struct dentry *dentry;
1080#define INITCONTEXTLEN 255
1081 char *context = NULL;
1082 unsigned len = 0;
1083 int rc = 0;
1da177e4
LT		 1084
1085 if (isec->initialized)
1086 goto out;
1087
23970741 1088 mutex_lock(&isec->lock);
1da177e4 1089 if (isec->initialized)
23970741 1090 goto out_unlock;
1da177e4
LT		 1091
1092 sbsec = inode->i_sb->s_security;
1093 if (!sbsec->initialized) {
1094 /* Defer initialization until selinux_complete_init,
1095 after the initial policy is loaded and the security
1096 server is ready to handle calls. */
1097 spin_lock(&sbsec->isec_lock);
1098 if (list_empty(&isec->list))
1099 list_add(&isec->list, &sbsec->isec_head);
1100 spin_unlock(&sbsec->isec_lock);
23970741 1101 goto out_unlock;
1da177e4
LT		 1102 }
1103
1104 switch (sbsec->behavior) {
1105 case SECURITY_FS_USE_XATTR:
1106 if (!inode->i_op->getxattr) {
1107 isec->sid = sbsec->def_sid;
1108 break;
1109 }
1110
1111 /* Need a dentry, since the xattr API requires one.
1112 Life would be simpler if we could just pass the inode. */
1113 if (opt_dentry) {
1114 /* Called from d_instantiate or d_splice_alias. */
1115 dentry = dget(opt_dentry);
1116 } else {
1117 /* Called from selinux_complete_init, try to find a dentry. */
1118 dentry = d_find_alias(inode);
1119 }
1120 if (!dentry) {
1121 printk(KERN_WARNING "%s: no dentry for dev=%s "
1122 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1123 inode->i_ino);
23970741 1124 goto out_unlock;
1da177e4
LT		 1125 }
1126
1127 len = INITCONTEXTLEN;
1128 context = kmalloc(len, GFP_KERNEL);
1129 if (!context) {
1130 rc = -ENOMEM;
1131 dput(dentry);
23970741 1132 goto out_unlock;
1da177e4
LT		 1133 }
1134 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1135 context, len);
1136 if (rc == -ERANGE) {
1137 /* Need a larger buffer. Query for the right size. */
1138 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1139 NULL, 0);
1140 if (rc < 0) {
1141 dput(dentry);
23970741 1142 goto out_unlock;
1da177e4
LT		 1143 }
1144 kfree(context);
1145 len = rc;
1146 context = kmalloc(len, GFP_KERNEL);
1147 if (!context) {
1148 rc = -ENOMEM;
1149 dput(dentry);
23970741 1150 goto out_unlock;
1da177e4
LT		 1151 }
1152 rc = inode->i_op->getxattr(dentry,
1153 XATTR_NAME_SELINUX,
1154 context, len);
1155 }
1156 dput(dentry);
1157 if (rc < 0) {
1158 if (rc != -ENODATA) {
1159 printk(KERN_WARNING "%s: getxattr returned "
1160 "%d for dev=%s ino=%ld\n", __FUNCTION__,
1161 -rc, inode->i_sb->s_id, inode->i_ino);
1162 kfree(context);
23970741 1163 goto out_unlock;
1da177e4
LT		 1164 }
1165 /* Map ENODATA to the default file SID */
1166 sid = sbsec->def_sid;
1167 rc = 0;
1168 } else {
f5c1d5b2
JM		 1169 rc = security_context_to_sid_default(context, rc, &sid,
1170 sbsec->def_sid);
1da177e4
LT		 1171 if (rc) {
1172 printk(KERN_WARNING "%s: context_to_sid(%s) "
1173 "returned %d for dev=%s ino=%ld\n",
1174 __FUNCTION__, context, -rc,
1175 inode->i_sb->s_id, inode->i_ino);
1176 kfree(context);
1177 /* Leave with the unlabeled SID */
1178 rc = 0;
1179 break;
1180 }
1181 }
1182 kfree(context);
1183 isec->sid = sid;
1184 break;
1185 case SECURITY_FS_USE_TASK:
1186 isec->sid = isec->task_sid;
1187 break;
1188 case SECURITY_FS_USE_TRANS:
1189 /* Default to the fs SID. */
1190 isec->sid = sbsec->sid;
1191
1192 /* Try to obtain a transition SID. */
1193 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1194 rc = security_transition_sid(isec->task_sid,
1195 sbsec->sid,
1196 isec->sclass,
1197 &sid);
1198 if (rc)
23970741 1199 goto out_unlock;
1da177e4
LT		 1200 isec->sid = sid;
1201 break;
c312feb2
EP		 1202 case SECURITY_FS_USE_MNTPOINT:
1203 isec->sid = sbsec->mntpoint_sid;
1204 break;
1da177e4 1205 default:
c312feb2 1206 /* Default to the fs superblock SID. */
1da177e4
LT		 1207 isec->sid = sbsec->sid;
1208
1209 if (sbsec->proc) {
1210 struct proc_inode *proci = PROC_I(inode);
1211 if (proci->pde) {
1212 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1213 rc = selinux_proc_get_sid(proci->pde,
1214 isec->sclass,
1215 &sid);
1216 if (rc)
23970741 1217 goto out_unlock;
1da177e4
LT		 1218 isec->sid = sid;
1219 }
1220 }
1221 break;
1222 }
1223
1224 isec->initialized = 1;
1225
23970741
EP		 1226out_unlock:
1227 mutex_unlock(&isec->lock);
1da177e4
LT		 1228out:
1229 if (isec->sclass == SECCLASS_FILE)
1230 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1231 return rc;
1232}
1233
1234/* Convert a Linux signal to an access vector. */
1235static inline u32 signal_to_av(int sig)
1236{
1237 u32 perm = 0;
1238
1239 switch (sig) {
1240 case SIGCHLD:
1241 /* Commonly granted from child to parent. */
1242 perm = PROCESS__SIGCHLD;
1243 break;
1244 case SIGKILL:
1245 /* Cannot be caught or ignored */
1246 perm = PROCESS__SIGKILL;
1247 break;
1248 case SIGSTOP:
1249 /* Cannot be caught or ignored */
1250 perm = PROCESS__SIGSTOP;
1251 break;
1252 default:
1253 /* All other signals. */
1254 perm = PROCESS__SIGNAL;
1255 break;
1256 }
1257
1258 return perm;
1259}
1260
1261/* Check permission betweeen a pair of tasks, e.g. signal checks,
1262 fork check, ptrace check, etc. */
1263static int task_has_perm(struct task_struct *tsk1,
1264 struct task_struct *tsk2,
1265 u32 perms)
1266{
1267 struct task_security_struct *tsec1, *tsec2;
1268
1269 tsec1 = tsk1->security;
1270 tsec2 = tsk2->security;
1271 return avc_has_perm(tsec1->sid, tsec2->sid,
1272 SECCLASS_PROCESS, perms, NULL);
1273}
1274
b68e418c
SS		 1275#if CAP_LAST_CAP > 63
1276#error Fix SELinux to handle capabilities > 63.
1277#endif
1278
1da177e4
LT		 1279/* Check whether a task is allowed to use a capability. */
1280static int task_has_capability(struct task_struct *tsk,
1281 int cap)
1282{
1283 struct task_security_struct *tsec;
1284 struct avc_audit_data ad;
b68e418c
SS		 1285 u16 sclass;
1286 u32 av = CAP_TO_MASK(cap);
1da177e4
LT		 1287
1288 tsec = tsk->security;
1289
1290 AVC_AUDIT_DATA_INIT(&ad,CAP);
1291 ad.tsk = tsk;
1292 ad.u.cap = cap;
1293
b68e418c
SS		 1294 switch (CAP_TO_INDEX(cap)) {
1295 case 0:
1296 sclass = SECCLASS_CAPABILITY;
1297 break;
1298 case 1:
1299 sclass = SECCLASS_CAPABILITY2;
1300 break;
1301 default:
1302 printk(KERN_ERR
1303 "SELinux: out of range capability %d\n", cap);
1304 BUG();
1305 }
1306 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1da177e4
LT		 1307}
1308
1309/* Check whether a task is allowed to use a system operation. */
1310static int task_has_system(struct task_struct *tsk,
1311 u32 perms)
1312{
1313 struct task_security_struct *tsec;
1314
1315 tsec = tsk->security;
1316
1317 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1318 SECCLASS_SYSTEM, perms, NULL);
1319}
1320
1321/* Check whether a task has a particular permission to an inode.
1322 The 'adp' parameter is optional and allows other audit
1323 data to be passed (e.g. the dentry). */
1324static int inode_has_perm(struct task_struct *tsk,
1325 struct inode *inode,
1326 u32 perms,
1327 struct avc_audit_data *adp)
1328{
1329 struct task_security_struct *tsec;
1330 struct inode_security_struct *isec;
1331 struct avc_audit_data ad;
1332
bbaca6c2
SS		 1333 if (unlikely (IS_PRIVATE (inode)))
1334 return 0;
1335
1da177e4
LT		 1336 tsec = tsk->security;
1337 isec = inode->i_security;
1338
1339 if (!adp) {
1340 adp = &ad;
1341 AVC_AUDIT_DATA_INIT(&ad, FS);
1342 ad.u.fs.inode = inode;
1343 }
1344
1345 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1346}
1347
1348/* Same as inode_has_perm, but pass explicit audit data containing
1349 the dentry to help the auditing code to more easily generate the
1350 pathname if needed. */
1351static inline int dentry_has_perm(struct task_struct *tsk,
1352 struct vfsmount *mnt,
1353 struct dentry *dentry,
1354 u32 av)
1355{
1356 struct inode *inode = dentry->d_inode;
1357 struct avc_audit_data ad;
1358 AVC_AUDIT_DATA_INIT(&ad,FS);
44707fdf
JB		 1359 ad.u.fs.path.mnt = mnt;
1360 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1361 return inode_has_perm(tsk, inode, av, &ad);
1362}
1363
1364/* Check whether a task can use an open file descriptor to
1365 access an inode in a given way. Check access to the
1366 descriptor itself, and then use dentry_has_perm to
1367 check a particular permission to the file.
1368 Access to the descriptor is implicitly granted if it
1369 has the same SID as the process. If av is zero, then
1370 access to the file is not checked, e.g. for cases
1371 where only the descriptor is affected like seek. */
858119e1 1372static int file_has_perm(struct task_struct *tsk,
1da177e4
LT		 1373 struct file *file,
1374 u32 av)
1375{
1376 struct task_security_struct *tsec = tsk->security;
1377 struct file_security_struct *fsec = file->f_security;
44707fdf 1378 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 1379 struct avc_audit_data ad;
1380 int rc;
1381
1382 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1383 ad.u.fs.path = file->f_path;
1da177e4
LT		 1384
1385 if (tsec->sid != fsec->sid) {
1386 rc = avc_has_perm(tsec->sid, fsec->sid,
1387 SECCLASS_FD,
1388 FD__USE,
1389 &ad);
1390 if (rc)
1391 return rc;
1392 }
1393
1394 /* av is zero if only checking access to the descriptor. */
1395 if (av)
1396 return inode_has_perm(tsk, inode, av, &ad);
1397
1398 return 0;
1399}
1400
1401/* Check whether a task can create a file. */
1402static int may_create(struct inode *dir,
1403 struct dentry *dentry,
1404 u16 tclass)
1405{
1406 struct task_security_struct *tsec;
1407 struct inode_security_struct *dsec;
1408 struct superblock_security_struct *sbsec;
1409 u32 newsid;
1410 struct avc_audit_data ad;
1411 int rc;
1412
1413 tsec = current->security;
1414 dsec = dir->i_security;
1415 sbsec = dir->i_sb->s_security;
1416
1417 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1418 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1419
1420 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1421 DIR__ADD_NAME | DIR__SEARCH,
1422 &ad);
1423 if (rc)
1424 return rc;
1425
1426 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1427 newsid = tsec->create_sid;
1428 } else {
1429 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1430 &newsid);
1431 if (rc)
1432 return rc;
1433 }
1434
1435 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1436 if (rc)
1437 return rc;
1438
1439 return avc_has_perm(newsid, sbsec->sid,
1440 SECCLASS_FILESYSTEM,
1441 FILESYSTEM__ASSOCIATE, &ad);
1442}
1443
4eb582cf
ML		 1444/* Check whether a task can create a key. */
1445static int may_create_key(u32 ksid,
1446 struct task_struct *ctx)
1447{
1448 struct task_security_struct *tsec;
1449
1450 tsec = ctx->security;
1451
1452 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1453}
1454
1da177e4
LT		 1455#define MAY_LINK 0
1456#define MAY_UNLINK 1
1457#define MAY_RMDIR 2
1458
1459/* Check whether a task can link, unlink, or rmdir a file/directory. */
1460static int may_link(struct inode *dir,
1461 struct dentry *dentry,
1462 int kind)
1463
1464{
1465 struct task_security_struct *tsec;
1466 struct inode_security_struct *dsec, *isec;
1467 struct avc_audit_data ad;
1468 u32 av;
1469 int rc;
1470
1471 tsec = current->security;
1472 dsec = dir->i_security;
1473 isec = dentry->d_inode->i_security;
1474
1475 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1476 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1477
1478 av = DIR__SEARCH;
1479 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1480 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1481 if (rc)
1482 return rc;
1483
1484 switch (kind) {
1485 case MAY_LINK:
1486 av = FILE__LINK;
1487 break;
1488 case MAY_UNLINK:
1489 av = FILE__UNLINK;
1490 break;
1491 case MAY_RMDIR:
1492 av = DIR__RMDIR;
1493 break;
1494 default:
1495 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1496 return 0;
1497 }
1498
1499 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1500 return rc;
1501}
1502
1503static inline int may_rename(struct inode *old_dir,
1504 struct dentry *old_dentry,
1505 struct inode *new_dir,
1506 struct dentry *new_dentry)
1507{
1508 struct task_security_struct *tsec;
1509 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1510 struct avc_audit_data ad;
1511 u32 av;
1512 int old_is_dir, new_is_dir;
1513 int rc;
1514
1515 tsec = current->security;
1516 old_dsec = old_dir->i_security;
1517 old_isec = old_dentry->d_inode->i_security;
1518 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1519 new_dsec = new_dir->i_security;
1520
1521 AVC_AUDIT_DATA_INIT(&ad, FS);
1522
44707fdf 1523 ad.u.fs.path.dentry = old_dentry;
1da177e4
LT		 1524 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1525 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1526 if (rc)
1527 return rc;
1528 rc = avc_has_perm(tsec->sid, old_isec->sid,
1529 old_isec->sclass, FILE__RENAME, &ad);
1530 if (rc)
1531 return rc;
1532 if (old_is_dir && new_dir != old_dir) {
1533 rc = avc_has_perm(tsec->sid, old_isec->sid,
1534 old_isec->sclass, DIR__REPARENT, &ad);
1535 if (rc)
1536 return rc;
1537 }
1538
44707fdf 1539 ad.u.fs.path.dentry = new_dentry;
1da177e4
LT		 1540 av = DIR__ADD_NAME | DIR__SEARCH;
1541 if (new_dentry->d_inode)
1542 av |= DIR__REMOVE_NAME;
1543 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1544 if (rc)
1545 return rc;
1546 if (new_dentry->d_inode) {
1547 new_isec = new_dentry->d_inode->i_security;
1548 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1549 rc = avc_has_perm(tsec->sid, new_isec->sid,
1550 new_isec->sclass,
1551 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1552 if (rc)
1553 return rc;
1554 }
1555
1556 return 0;
1557}
1558
1559/* Check whether a task can perform a filesystem operation. */
1560static int superblock_has_perm(struct task_struct *tsk,
1561 struct super_block *sb,
1562 u32 perms,
1563 struct avc_audit_data *ad)
1564{
1565 struct task_security_struct *tsec;
1566 struct superblock_security_struct *sbsec;
1567
1568 tsec = tsk->security;
1569 sbsec = sb->s_security;
1570 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1571 perms, ad);
1572}
1573
1574/* Convert a Linux mode and permission mask to an access vector. */
1575static inline u32 file_mask_to_av(int mode, int mask)
1576{
1577 u32 av = 0;
1578
1579 if ((mode & S_IFMT) != S_IFDIR) {
1580 if (mask & MAY_EXEC)
1581 av |= FILE__EXECUTE;
1582 if (mask & MAY_READ)
1583 av |= FILE__READ;
1584
1585 if (mask & MAY_APPEND)
1586 av |= FILE__APPEND;
1587 else if (mask & MAY_WRITE)
1588 av |= FILE__WRITE;
1589
1590 } else {
1591 if (mask & MAY_EXEC)
1592 av |= DIR__SEARCH;
1593 if (mask & MAY_WRITE)
1594 av |= DIR__WRITE;
1595 if (mask & MAY_READ)
1596 av |= DIR__READ;
1597 }
1598
1599 return av;
1600}
1601
1602/* Convert a Linux file to an access vector. */
1603static inline u32 file_to_av(struct file *file)
1604{
1605 u32 av = 0;
1606
1607 if (file->f_mode & FMODE_READ)
1608 av |= FILE__READ;
1609 if (file->f_mode & FMODE_WRITE) {
1610 if (file->f_flags & O_APPEND)
1611 av |= FILE__APPEND;
1612 else
1613 av |= FILE__WRITE;
1614 }
1615
1616 return av;
1617}
1618
1da177e4
LT		 1619/* Hook functions begin here. */
1620
1621static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1622{
1623 struct task_security_struct *psec = parent->security;
1624 struct task_security_struct *csec = child->security;
1625 int rc;
1626
1627 rc = secondary_ops->ptrace(parent,child);
1628 if (rc)
1629 return rc;
1630
1631 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1632 /* Save the SID of the tracing process for later use in apply_creds. */
341c2d80 1633 if (!(child->ptrace & PT_PTRACED) && !rc)
1da177e4
LT		 1634 csec->ptrace_sid = psec->sid;
1635 return rc;
1636}
1637
1638static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1639 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1640{
1641 int error;
1642
1643 error = task_has_perm(current, target, PROCESS__GETCAP);
1644 if (error)
1645 return error;
1646
1647 return secondary_ops->capget(target, effective, inheritable, permitted);
1648}
1649
1650static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1651 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1652{
1653 int error;
1654
1655 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1656 if (error)
1657 return error;
1658
1659 return task_has_perm(current, target, PROCESS__SETCAP);
1660}
1661
1662static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1663 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1664{
1665 secondary_ops->capset_set(target, effective, inheritable, permitted);
1666}
1667
1668static int selinux_capable(struct task_struct *tsk, int cap)
1669{
1670 int rc;
1671
1672 rc = secondary_ops->capable(tsk, cap);
1673 if (rc)
1674 return rc;
1675
1676 return task_has_capability(tsk,cap);
1677}
1678
3fbfa981
EB		 1679static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1680{
1681 int buflen, rc;
1682 char *buffer, *path, *end;
1683
1684 rc = -ENOMEM;
1685 buffer = (char*)__get_free_page(GFP_KERNEL);
1686 if (!buffer)
1687 goto out;
1688
1689 buflen = PAGE_SIZE;
1690 end = buffer+buflen;
1691 *--end = '\0';
1692 buflen--;
1693 path = end-1;
1694 *path = '/';
1695 while (table) {
1696 const char *name = table->procname;
1697 size_t namelen = strlen(name);
1698 buflen -= namelen + 1;
1699 if (buflen < 0)
1700 goto out_free;
1701 end -= namelen;
1702 memcpy(end, name, namelen);
1703 *--end = '/';
1704 path = end;
1705 table = table->parent;
1706 }
b599fdfd
EB		 1707 buflen -= 4;
1708 if (buflen < 0)
1709 goto out_free;
1710 end -= 4;
1711 memcpy(end, "/sys", 4);
1712 path = end;
3fbfa981
EB		 1713 rc = security_genfs_sid("proc", path, tclass, sid);
1714out_free:
1715 free_page((unsigned long)buffer);
1716out:
1717 return rc;
1718}
1719
1da177e4
LT		 1720static int selinux_sysctl(ctl_table *table, int op)
1721{
1722 int error = 0;
1723 u32 av;
1724 struct task_security_struct *tsec;
1725 u32 tsid;
1726 int rc;
1727
1728 rc = secondary_ops->sysctl(table, op);
1729 if (rc)
1730 return rc;
1731
1732 tsec = current->security;
1733
3fbfa981
EB		 1734 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1735 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1da177e4
LT		 1736 if (rc) {
1737 /* Default to the well-defined sysctl SID. */
1738 tsid = SECINITSID_SYSCTL;
1739 }
1740
1741 /* The op values are "defined" in sysctl.c, thereby creating
1742 * a bad coupling between this module and sysctl.c */
1743 if(op == 001) {
1744 error = avc_has_perm(tsec->sid, tsid,
1745 SECCLASS_DIR, DIR__SEARCH, NULL);
1746 } else {
1747 av = 0;
1748 if (op & 004)
1749 av |= FILE__READ;
1750 if (op & 002)
1751 av |= FILE__WRITE;
1752 if (av)
1753 error = avc_has_perm(tsec->sid, tsid,
1754 SECCLASS_FILE, av, NULL);
1755 }
1756
1757 return error;
1758}
1759
1760static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1761{
1762 int rc = 0;
1763
1764 if (!sb)
1765 return 0;
1766
1767 switch (cmds) {
1768 case Q_SYNC:
1769 case Q_QUOTAON:
1770 case Q_QUOTAOFF:
1771 case Q_SETINFO:
1772 case Q_SETQUOTA:
1773 rc = superblock_has_perm(current,
1774 sb,
1775 FILESYSTEM__QUOTAMOD, NULL);
1776 break;
1777 case Q_GETFMT:
1778 case Q_GETINFO:
1779 case Q_GETQUOTA:
1780 rc = superblock_has_perm(current,
1781 sb,
1782 FILESYSTEM__QUOTAGET, NULL);
1783 break;
1784 default:
1785 rc = 0; /* let the kernel handle invalid cmds */
1786 break;
1787 }
1788 return rc;
1789}
1790
1791static int selinux_quota_on(struct dentry *dentry)
1792{
1793 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1794}
1795
1796static int selinux_syslog(int type)
1797{
1798 int rc;
1799
1800 rc = secondary_ops->syslog(type);
1801 if (rc)
1802 return rc;
1803
1804 switch (type) {
1805 case 3: /* Read last kernel messages */
1806 case 10: /* Return size of the log buffer */
1807 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1808 break;
1809 case 6: /* Disable logging to console */
1810 case 7: /* Enable logging to console */
1811 case 8: /* Set level of messages printed to console */
1812 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1813 break;
1814 case 0: /* Close log */
1815 case 1: /* Open log */
1816 case 2: /* Read from log */
1817 case 4: /* Read/clear last kernel messages */
1818 case 5: /* Clear ring buffer */
1819 default:
1820 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1821 break;
1822 }
1823 return rc;
1824}
1825
1826/*
1827 * Check that a process has enough memory to allocate a new virtual
1828 * mapping. 0 means there is enough memory for the allocation to
1829 * succeed and -ENOMEM implies there is not.
1830 *
1831 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1832 * if the capability is granted, but __vm_enough_memory requires 1 if
1833 * the capability is granted.
1834 *
1835 * Do not audit the selinux permission check, as this is applied to all
1836 * processes that allocate mappings.
1837 */
34b4e4aa 1838static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 1839{
1840 int rc, cap_sys_admin = 0;
1841 struct task_security_struct *tsec = current->security;
1842
1843 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1844 if (rc == 0)
1845 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2c3c05db
SS		 1846 SECCLASS_CAPABILITY,
1847 CAP_TO_MASK(CAP_SYS_ADMIN),
1848 0,
1849 NULL);
1da177e4
LT		 1850
1851 if (rc == 0)
1852 cap_sys_admin = 1;
1853
34b4e4aa 1854 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 1855}
1856
1857/* binprm security operations */
1858
1859static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1860{
1861 struct bprm_security_struct *bsec;
1862
89d155ef 1863 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1da177e4
LT		 1864 if (!bsec)
1865 return -ENOMEM;
1866
1da177e4
LT		 1867 bsec->bprm = bprm;
1868 bsec->sid = SECINITSID_UNLABELED;
1869 bsec->set = 0;
1870
1871 bprm->security = bsec;
1872 return 0;
1873}
1874
1875static int selinux_bprm_set_security(struct linux_binprm *bprm)
1876{
1877 struct task_security_struct *tsec;
3d5ff529 1878 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1da177e4
LT		 1879 struct inode_security_struct *isec;
1880 struct bprm_security_struct *bsec;
1881 u32 newsid;
1882 struct avc_audit_data ad;
1883 int rc;
1884
1885 rc = secondary_ops->bprm_set_security(bprm);
1886 if (rc)
1887 return rc;
1888
1889 bsec = bprm->security;
1890
1891 if (bsec->set)
1892 return 0;
1893
1894 tsec = current->security;
1895 isec = inode->i_security;
1896
1897 /* Default to the current task SID. */
1898 bsec->sid = tsec->sid;
1899
28eba5bf 1900 /* Reset fs, key, and sock SIDs on execve. */
1da177e4 1901 tsec->create_sid = 0;
28eba5bf 1902 tsec->keycreate_sid = 0;
42c3e03e 1903 tsec->sockcreate_sid = 0;
1da177e4
LT		 1904
1905 if (tsec->exec_sid) {
1906 newsid = tsec->exec_sid;
1907 /* Reset exec SID on execve. */
1908 tsec->exec_sid = 0;
1909 } else {
1910 /* Check for a default transition on this program. */
1911 rc = security_transition_sid(tsec->sid, isec->sid,
1912 SECCLASS_PROCESS, &newsid);
1913 if (rc)
1914 return rc;
1915 }
1916
1917 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1918 ad.u.fs.path = bprm->file->f_path;
1da177e4 1919
3d5ff529 1920 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1da177e4
LT		 1921 newsid = tsec->sid;
1922
1923 if (tsec->sid == newsid) {
1924 rc = avc_has_perm(tsec->sid, isec->sid,
1925 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1926 if (rc)
1927 return rc;
1928 } else {
1929 /* Check permissions for the transition. */
1930 rc = avc_has_perm(tsec->sid, newsid,
1931 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1932 if (rc)
1933 return rc;
1934
1935 rc = avc_has_perm(newsid, isec->sid,
1936 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1937 if (rc)
1938 return rc;
1939
1940 /* Clear any possibly unsafe personality bits on exec: */
1941 current->personality &= ~PER_CLEAR_ON_SETID;
1942
1943 /* Set the security field to the new SID. */
1944 bsec->sid = newsid;
1945 }
1946
1947 bsec->set = 1;
1948 return 0;
1949}
1950
1951static int selinux_bprm_check_security (struct linux_binprm *bprm)
1952{
1953 return secondary_ops->bprm_check_security(bprm);
1954}
1955
1956
1957static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1958{
1959 struct task_security_struct *tsec = current->security;
1960 int atsecure = 0;
1961
1962 if (tsec->osid != tsec->sid) {
1963 /* Enable secure mode for SIDs transitions unless
1964 the noatsecure permission is granted between
1965 the two SIDs, i.e. ahp returns 0. */
1966 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1967 SECCLASS_PROCESS,
1968 PROCESS__NOATSECURE, NULL);
1969 }
1970
1971 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1972}
1973
1974static void selinux_bprm_free_security(struct linux_binprm *bprm)
1975{
9a5f04bf 1976 kfree(bprm->security);
1da177e4 1977 bprm->security = NULL;
1da177e4
LT		 1978}
1979
1980extern struct vfsmount *selinuxfs_mount;
1981extern struct dentry *selinux_null;
1982
1983/* Derived from fs/exec.c:flush_old_files. */
1984static inline void flush_unauthorized_files(struct files_struct * files)
1985{
1986 struct avc_audit_data ad;
1987 struct file *file, *devnull = NULL;
b20c8122 1988 struct tty_struct *tty;
badf1662 1989 struct fdtable *fdt;
1da177e4 1990 long j = -1;
24ec839c 1991 int drop_tty = 0;
1da177e4 1992
b20c8122 1993 mutex_lock(&tty_mutex);
24ec839c 1994 tty = get_current_tty();
1da177e4
LT		 1995 if (tty) {
1996 file_list_lock();
2f512016 1997 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1da177e4
LT		 1998 if (file) {
1999 /* Revalidate access to controlling tty.
2000 Use inode_has_perm on the tty inode directly rather
2001 than using file_has_perm, as this particular open
2002 file may belong to another process and we are only
2003 interested in the inode-based check here. */
3d5ff529 2004 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2005 if (inode_has_perm(current, inode,
2006 FILE__READ | FILE__WRITE, NULL)) {
24ec839c 2007 drop_tty = 1;
1da177e4
LT		 2008 }
2009 }
2010 file_list_unlock();
2011 }
b20c8122 2012 mutex_unlock(&tty_mutex);
98a27ba4
EB		 2013 /* Reset controlling tty. */
2014 if (drop_tty)
2015 no_tty();
1da177e4
LT		 2016
2017 /* Revalidate access to inherited open files. */
2018
2019 AVC_AUDIT_DATA_INIT(&ad,FS);
2020
2021 spin_lock(&files->file_lock);
2022 for (;;) {
2023 unsigned long set, i;
2024 int fd;
2025
2026 j++;
2027 i = j * __NFDBITS;
badf1662 2028 fdt = files_fdtable(files);
bbea9f69 2029 if (i >= fdt->max_fds)
1da177e4 2030 break;
badf1662 2031 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 2032 if (!set)
2033 continue;
2034 spin_unlock(&files->file_lock);
2035 for ( ; set ; i++,set >>= 1) {
2036 if (set & 1) {
2037 file = fget(i);
2038 if (!file)
2039 continue;
2040 if (file_has_perm(current,
2041 file,
2042 file_to_av(file))) {
2043 sys_close(i);
2044 fd = get_unused_fd();
2045 if (fd != i) {
2046 if (fd >= 0)
2047 put_unused_fd(fd);
2048 fput(file);
2049 continue;
2050 }
2051 if (devnull) {
095975da 2052 get_file(devnull);
1da177e4
LT		 2053 } else {
2054 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
fc5d81e6
AM		 2055 if (IS_ERR(devnull)) {
2056 devnull = NULL;
1da177e4
LT		 2057 put_unused_fd(fd);
2058 fput(file);
2059 continue;
2060 }
2061 }
2062 fd_install(fd, devnull);
2063 }
2064 fput(file);
2065 }
2066 }
2067 spin_lock(&files->file_lock);
2068
2069 }
2070 spin_unlock(&files->file_lock);
2071}
2072
2073static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2074{
2075 struct task_security_struct *tsec;
2076 struct bprm_security_struct *bsec;
2077 u32 sid;
2078 int rc;
2079
2080 secondary_ops->bprm_apply_creds(bprm, unsafe);
2081
2082 tsec = current->security;
2083
2084 bsec = bprm->security;
2085 sid = bsec->sid;
2086
2087 tsec->osid = tsec->sid;
2088 bsec->unsafe = 0;
2089 if (tsec->sid != sid) {
2090 /* Check for shared state. If not ok, leave SID
2091 unchanged and kill. */
2092 if (unsafe & LSM_UNSAFE_SHARE) {
2093 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2094 PROCESS__SHARE, NULL);
2095 if (rc) {
2096 bsec->unsafe = 1;
2097 return;
2098 }
2099 }
2100
2101 /* Check for ptracing, and update the task SID if ok.
2102 Otherwise, leave SID unchanged and kill. */
2103 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2104 rc = avc_has_perm(tsec->ptrace_sid, sid,
2105 SECCLASS_PROCESS, PROCESS__PTRACE,
2106 NULL);
2107 if (rc) {
2108 bsec->unsafe = 1;
2109 return;
2110 }
2111 }
2112 tsec->sid = sid;
2113 }
2114}
2115
2116/*
2117 * called after apply_creds without the task lock held
2118 */
2119static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2120{
2121 struct task_security_struct *tsec;
2122 struct rlimit *rlim, *initrlim;
2123 struct itimerval itimer;
2124 struct bprm_security_struct *bsec;
2125 int rc, i;
2126
2127 tsec = current->security;
2128 bsec = bprm->security;
2129
2130 if (bsec->unsafe) {
2131 force_sig_specific(SIGKILL, current);
2132 return;
2133 }
2134 if (tsec->osid == tsec->sid)
2135 return;
2136
2137 /* Close files for which the new task SID is not authorized. */
2138 flush_unauthorized_files(current->files);
2139
2140 /* Check whether the new SID can inherit signal state
2141 from the old SID. If not, clear itimers to avoid
2142 subsequent signal generation and flush and unblock
2143 signals. This must occur _after_ the task SID has
2144 been updated so that any kill done after the flush
2145 will be checked against the new SID. */
2146 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2147 PROCESS__SIGINH, NULL);
2148 if (rc) {
2149 memset(&itimer, 0, sizeof itimer);
2150 for (i = 0; i < 3; i++)
2151 do_setitimer(i, &itimer, NULL);
2152 flush_signals(current);
2153 spin_lock_irq(&current->sighand->siglock);
2154 flush_signal_handlers(current, 1);
2155 sigemptyset(&current->blocked);
2156 recalc_sigpending();
2157 spin_unlock_irq(&current->sighand->siglock);
2158 }
2159
4ac212ad
SS		 2160 /* Always clear parent death signal on SID transitions. */
2161 current->pdeath_signal = 0;
2162
1da177e4
LT		 2163 /* Check whether the new SID can inherit resource limits
2164 from the old SID. If not, reset all soft limits to
2165 the lower of the current task's hard limit and the init
2166 task's soft limit. Note that the setting of hard limits
2167 (even to lower them) can be controlled by the setrlimit
2168 check. The inclusion of the init task's soft limit into
2169 the computation is to avoid resetting soft limits higher
2170 than the default soft limit for cases where the default
2171 is lower than the hard limit, e.g. RLIMIT_CORE or
2172 RLIMIT_STACK.*/
2173 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2174 PROCESS__RLIMITINH, NULL);
2175 if (rc) {
2176 for (i = 0; i < RLIM_NLIMITS; i++) {
2177 rlim = current->signal->rlim + i;
2178 initrlim = init_task.signal->rlim+i;
2179 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2180 }
2181 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2182 /*
2183 * This will cause RLIMIT_CPU calculations
2184 * to be refigured.
2185 */
2186 current->it_prof_expires = jiffies_to_cputime(1);
2187 }
2188 }
2189
2190 /* Wake up the parent if it is waiting so that it can
2191 recheck wait permission to the new task SID. */
2192 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2193}
2194
2195/* superblock security operations */
2196
2197static int selinux_sb_alloc_security(struct super_block *sb)
2198{
2199 return superblock_alloc_security(sb);
2200}
2201
2202static void selinux_sb_free_security(struct super_block *sb)
2203{
2204 superblock_free_security(sb);
2205}
2206
2207static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2208{
2209 if (plen > olen)
2210 return 0;
2211
2212 return !memcmp(prefix, option, plen);
2213}
2214
2215static inline int selinux_option(char *option, int len)
2216{
2217 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2218 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
0808925e
EP		 2219 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2220 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
1da177e4
LT		 2221}
2222
2223static inline void take_option(char **to, char *from, int *first, int len)
2224{
2225 if (!*first) {
2226 **to = ',';
2227 *to += 1;
3528a953 2228 } else
1da177e4
LT		 2229 *first = 0;
2230 memcpy(*to, from, len);
2231 *to += len;
2232}
2233
3528a953
CO		 2234static inline void take_selinux_option(char **to, char *from, int *first,
2235 int len)
2236{
2237 int current_size = 0;
2238
2239 if (!*first) {
2240 **to = '|';
2241 *to += 1;
2242 }
2243 else
2244 *first = 0;
2245
2246 while (current_size < len) {
2247 if (*from != '"') {
2248 **to = *from;
2249 *to += 1;
2250 }
2251 from += 1;
2252 current_size += 1;
2253 }
2254}
2255
1da177e4
LT		 2256static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
2257{
2258 int fnosec, fsec, rc = 0;
2259 char *in_save, *in_curr, *in_end;
2260 char *sec_curr, *nosec_save, *nosec;
3528a953 2261 int open_quote = 0;
1da177e4
LT		 2262
2263 in_curr = orig;
2264 sec_curr = copy;
2265
2266 /* Binary mount data: just copy */
2267 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
2268 copy_page(sec_curr, in_curr);
2269 goto out;
2270 }
2271
2272 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2273 if (!nosec) {
2274 rc = -ENOMEM;
2275 goto out;
2276 }
2277
2278 nosec_save = nosec;
2279 fnosec = fsec = 1;
2280 in_save = in_end = orig;
2281
2282 do {
3528a953
CO		 2283 if (*in_end == '"')
2284 open_quote = !open_quote;
2285 if ((*in_end == ',' && open_quote == 0) ||
2286 *in_end == '\0') {
1da177e4
LT		 2287 int len = in_end - in_curr;
2288
2289 if (selinux_option(in_curr, len))
3528a953 2290 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2291 else
2292 take_option(&nosec, in_curr, &fnosec, len);
2293
2294 in_curr = in_end + 1;
2295 }
2296 } while (*in_end++);
2297
6931dfc9 2298 strcpy(in_save, nosec_save);
da3caa20 2299 free_page((unsigned long)nosec_save);
1da177e4
LT		 2300out:
2301 return rc;
2302}
2303
2304static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2305{
2306 struct avc_audit_data ad;
2307 int rc;
2308
2309 rc = superblock_doinit(sb, data);
2310 if (rc)
2311 return rc;
2312
2313 AVC_AUDIT_DATA_INIT(&ad,FS);
44707fdf 2314 ad.u.fs.path.dentry = sb->s_root;
1da177e4
LT		 2315 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2316}
2317
726c3342 2318static int selinux_sb_statfs(struct dentry *dentry)
1da177e4
LT		 2319{
2320 struct avc_audit_data ad;
2321
2322 AVC_AUDIT_DATA_INIT(&ad,FS);
44707fdf 2323 ad.u.fs.path.dentry = dentry->d_sb->s_root;
726c3342 2324 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2325}
2326
2327static int selinux_mount(char * dev_name,
2328 struct nameidata *nd,
2329 char * type,
2330 unsigned long flags,
2331 void * data)
2332{
2333 int rc;
2334
2335 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2336 if (rc)
2337 return rc;
2338
2339 if (flags & MS_REMOUNT)
4ac91378 2340 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
1da177e4
LT		 2341 FILESYSTEM__REMOUNT, NULL);
2342 else
4ac91378 2343 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
1da177e4
LT		 2344 FILE__MOUNTON);
2345}
2346
2347static int selinux_umount(struct vfsmount *mnt, int flags)
2348{
2349 int rc;
2350
2351 rc = secondary_ops->sb_umount(mnt, flags);
2352 if (rc)
2353 return rc;
2354
2355 return superblock_has_perm(current,mnt->mnt_sb,
2356 FILESYSTEM__UNMOUNT,NULL);
2357}
2358
2359/* inode security operations */
2360
2361static int selinux_inode_alloc_security(struct inode *inode)
2362{
2363 return inode_alloc_security(inode);
2364}
2365
2366static void selinux_inode_free_security(struct inode *inode)
2367{
2368 inode_free_security(inode);
2369}
2370
5e41ff9e
SS		 2371static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2372 char **name, void **value,
2373 size_t *len)
2374{
2375 struct task_security_struct *tsec;
2376 struct inode_security_struct *dsec;
2377 struct superblock_security_struct *sbsec;
570bc1c2 2378 u32 newsid, clen;
5e41ff9e 2379 int rc;
570bc1c2 2380 char *namep = NULL, *context;
5e41ff9e
SS		 2381
2382 tsec = current->security;
2383 dsec = dir->i_security;
2384 sbsec = dir->i_sb->s_security;
5e41ff9e
SS		 2385
2386 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2387 newsid = tsec->create_sid;
2388 } else {
2389 rc = security_transition_sid(tsec->sid, dsec->sid,
2390 inode_mode_to_security_class(inode->i_mode),
2391 &newsid);
2392 if (rc) {
2393 printk(KERN_WARNING "%s: "
2394 "security_transition_sid failed, rc=%d (dev=%s "
2395 "ino=%ld)\n",
2396 __FUNCTION__,
2397 -rc, inode->i_sb->s_id, inode->i_ino);
2398 return rc;
2399 }
2400 }
2401
296fddf7
EP		 2402 /* Possibly defer initialization to selinux_complete_init. */
2403 if (sbsec->initialized) {
2404 struct inode_security_struct *isec = inode->i_security;
2405 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2406 isec->sid = newsid;
2407 isec->initialized = 1;
2408 }
5e41ff9e 2409
8aad3875 2410 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
25a74f3b
SS		 2411 return -EOPNOTSUPP;
2412
570bc1c2
SS		 2413 if (name) {
2414 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2415 if (!namep)
2416 return -ENOMEM;
2417 *name = namep;
2418 }
5e41ff9e 2419
570bc1c2
SS		 2420 if (value && len) {
2421 rc = security_sid_to_context(newsid, &context, &clen);
2422 if (rc) {
2423 kfree(namep);
2424 return rc;
2425 }
2426 *value = context;
2427 *len = clen;
5e41ff9e 2428 }
5e41ff9e 2429
5e41ff9e
SS		 2430 return 0;
2431}
2432
1da177e4
LT		 2433static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2434{
2435 return may_create(dir, dentry, SECCLASS_FILE);
2436}
2437
1da177e4
LT		 2438static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2439{
2440 int rc;
2441
2442 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2443 if (rc)
2444 return rc;
2445 return may_link(dir, old_dentry, MAY_LINK);
2446}
2447
1da177e4
LT		 2448static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2449{
2450 int rc;
2451
2452 rc = secondary_ops->inode_unlink(dir, dentry);
2453 if (rc)
2454 return rc;
2455 return may_link(dir, dentry, MAY_UNLINK);
2456}
2457
2458static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2459{
2460 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2461}
2462
1da177e4
LT		 2463static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2464{
2465 return may_create(dir, dentry, SECCLASS_DIR);
2466}
2467
1da177e4
LT		 2468static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2469{
2470 return may_link(dir, dentry, MAY_RMDIR);
2471}
2472
2473static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2474{
2475 int rc;
2476
2477 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2478 if (rc)
2479 return rc;
2480
2481 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2482}
2483
1da177e4
LT		 2484static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2485 struct inode *new_inode, struct dentry *new_dentry)
2486{
2487 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2488}
2489
1da177e4
LT		 2490static int selinux_inode_readlink(struct dentry *dentry)
2491{
2492 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2493}
2494
2495static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2496{
2497 int rc;
2498
2499 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2500 if (rc)
2501 return rc;
2502 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2503}
2504
2505static int selinux_inode_permission(struct inode *inode, int mask,
2506 struct nameidata *nd)
2507{
2508 int rc;
2509
2510 rc = secondary_ops->inode_permission(inode, mask, nd);
2511 if (rc)
2512 return rc;
2513
2514 if (!mask) {
2515 /* No permission to check. Existence test. */
2516 return 0;
2517 }
2518
2519 return inode_has_perm(current, inode,
2520 file_mask_to_av(inode->i_mode, mask), NULL);
2521}
2522
2523static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2524{
2525 int rc;
2526
2527 rc = secondary_ops->inode_setattr(dentry, iattr);
2528 if (rc)
2529 return rc;
2530
2531 if (iattr->ia_valid & ATTR_FORCE)
2532 return 0;
2533
2534 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2535 ATTR_ATIME_SET | ATTR_MTIME_SET))
2536 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2537
2538 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2539}
2540
2541static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2542{
2543 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2544}
2545
b5376771
SH		 2546static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2547{
2548 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2549 sizeof XATTR_SECURITY_PREFIX - 1)) {
2550 if (!strcmp(name, XATTR_NAME_CAPS)) {
2551 if (!capable(CAP_SETFCAP))
2552 return -EPERM;
2553 } else if (!capable(CAP_SYS_ADMIN)) {
2554 /* A different attribute in the security namespace.
2555 Restrict to administrator. */
2556 return -EPERM;
2557 }
2558 }
2559
2560 /* Not an attribute we recognize, so just check the
2561 ordinary setattr permission. */
2562 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2563}
2564
1da177e4
LT		 2565static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2566{
2567 struct task_security_struct *tsec = current->security;
2568 struct inode *inode = dentry->d_inode;
2569 struct inode_security_struct *isec = inode->i_security;
2570 struct superblock_security_struct *sbsec;
2571 struct avc_audit_data ad;
2572 u32 newsid;
2573 int rc = 0;
2574
b5376771
SH		 2575 if (strcmp(name, XATTR_NAME_SELINUX))
2576 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2577
2578 sbsec = inode->i_sb->s_security;
2579 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2580 return -EOPNOTSUPP;
2581
3bd858ab 2582 if (!is_owner_or_cap(inode))
1da177e4
LT		 2583 return -EPERM;
2584
2585 AVC_AUDIT_DATA_INIT(&ad,FS);
44707fdf 2586 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 2587
2588 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2589 FILE__RELABELFROM, &ad);
2590 if (rc)
2591 return rc;
2592
2593 rc = security_context_to_sid(value, size, &newsid);
2594 if (rc)
2595 return rc;
2596
2597 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2598 FILE__RELABELTO, &ad);
2599 if (rc)
2600 return rc;
2601
2602 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2603 isec->sclass);
2604 if (rc)
2605 return rc;
2606
2607 return avc_has_perm(newsid,
2608 sbsec->sid,
2609 SECCLASS_FILESYSTEM,
2610 FILESYSTEM__ASSOCIATE,
2611 &ad);
2612}
2613
2614static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2615 void *value, size_t size, int flags)
2616{
2617 struct inode *inode = dentry->d_inode;
2618 struct inode_security_struct *isec = inode->i_security;
2619 u32 newsid;
2620 int rc;
2621
2622 if (strcmp(name, XATTR_NAME_SELINUX)) {
2623 /* Not an attribute we recognize, so nothing to do. */
2624 return;
2625 }
2626
2627 rc = security_context_to_sid(value, size, &newsid);
2628 if (rc) {
2629 printk(KERN_WARNING "%s: unable to obtain SID for context "
2630 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2631 return;
2632 }
2633
2634 isec->sid = newsid;
2635 return;
2636}
2637
2638static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2639{
1da177e4
LT		 2640 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2641}
2642
2643static int selinux_inode_listxattr (struct dentry *dentry)
2644{
2645 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2646}
2647
2648static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2649{
b5376771
SH		 2650 if (strcmp(name, XATTR_NAME_SELINUX))
2651 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2652
2653 /* No one is allowed to remove a SELinux security label.
2654 You can change the label, but all data must be labeled. */
2655 return -EACCES;
2656}
2657
d381d8a9
JM		 2658/*
2659 * Copy the in-core inode security context value to the user. If the
2660 * getxattr() prior to this succeeded, check to see if we need to
2661 * canonicalize the value to be finally returned to the user.
2662 *
2663 * Permission check is handled by selinux_inode_getxattr hook.
2664 */
42492594 2665static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 2666{
42492594
DQ		 2667 u32 size;
2668 int error;
2669 char *context = NULL;
1da177e4 2670 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2671
8c8570fb
DK		 2672 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2673 return -EOPNOTSUPP;
d381d8a9 2674
42492594
DQ		 2675 error = security_sid_to_context(isec->sid, &context, &size);
2676 if (error)
2677 return error;
2678 error = size;
2679 if (alloc) {
2680 *buffer = context;
2681 goto out_nofree;
2682 }
2683 kfree(context);
2684out_nofree:
2685 return error;
1da177e4
LT		 2686}
2687
2688static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2689 const void *value, size_t size, int flags)
2690{
2691 struct inode_security_struct *isec = inode->i_security;
2692 u32 newsid;
2693 int rc;
2694
2695 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2696 return -EOPNOTSUPP;
2697
2698 if (!value || !size)
2699 return -EACCES;
2700
2701 rc = security_context_to_sid((void*)value, size, &newsid);
2702 if (rc)
2703 return rc;
2704
2705 isec->sid = newsid;
2706 return 0;
2707}
2708
2709static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2710{
2711 const int len = sizeof(XATTR_NAME_SELINUX);
2712 if (buffer && len <= buffer_size)
2713 memcpy(buffer, XATTR_NAME_SELINUX, len);
2714 return len;
2715}
2716
b5376771
SH		 2717static int selinux_inode_need_killpriv(struct dentry *dentry)
2718{
2719 return secondary_ops->inode_need_killpriv(dentry);
2720}
2721
2722static int selinux_inode_killpriv(struct dentry *dentry)
2723{
2724 return secondary_ops->inode_killpriv(dentry);
2725}
2726
1da177e4
LT		 2727/* file security operations */
2728
788e7dd4 2729static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 2730{
7420ed23 2731 int rc;
3d5ff529 2732 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2733
2734 if (!mask) {
2735 /* No permission to check. Existence test. */
2736 return 0;
2737 }
2738
2739 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2740 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2741 mask |= MAY_APPEND;
2742
7420ed23
VY		 2743 rc = file_has_perm(current, file,
2744 file_mask_to_av(inode->i_mode, mask));
2745 if (rc)
2746 return rc;
2747
2748 return selinux_netlbl_inode_permission(inode, mask);
1da177e4
LT		 2749}
2750
788e7dd4
YN		 2751static int selinux_file_permission(struct file *file, int mask)
2752{
2753 struct inode *inode = file->f_path.dentry->d_inode;
2754 struct task_security_struct *tsec = current->security;
2755 struct file_security_struct *fsec = file->f_security;
2756 struct inode_security_struct *isec = inode->i_security;
2757
2758 if (!mask) {
2759 /* No permission to check. Existence test. */
2760 return 0;
2761 }
2762
2763 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2764 && fsec->pseqno == avc_policy_seqno())
2765 return selinux_netlbl_inode_permission(inode, mask);
2766
2767 return selinux_revalidate_file_permission(file, mask);
2768}
2769
1da177e4
LT		 2770static int selinux_file_alloc_security(struct file *file)
2771{
2772 return file_alloc_security(file);
2773}
2774
2775static void selinux_file_free_security(struct file *file)
2776{
2777 file_free_security(file);
2778}
2779
2780static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2781 unsigned long arg)
2782{
2783 int error = 0;
2784
2785 switch (cmd) {
2786 case FIONREAD:
2787 /* fall through */
2788 case FIBMAP:
2789 /* fall through */
2790 case FIGETBSZ:
2791 /* fall through */
2792 case EXT2_IOC_GETFLAGS:
2793 /* fall through */
2794 case EXT2_IOC_GETVERSION:
2795 error = file_has_perm(current, file, FILE__GETATTR);
2796 break;
2797
2798 case EXT2_IOC_SETFLAGS:
2799 /* fall through */
2800 case EXT2_IOC_SETVERSION:
2801 error = file_has_perm(current, file, FILE__SETATTR);
2802 break;
2803
2804 /* sys_ioctl() checks */
2805 case FIONBIO:
2806 /* fall through */
2807 case FIOASYNC:
2808 error = file_has_perm(current, file, 0);
2809 break;
2810
2811 case KDSKBENT:
2812 case KDSKBSENT:
2813 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2814 break;
2815
2816 /* default case assumes that the command will go
2817 * to the file's ioctl() function.
2818 */
2819 default:
2820 error = file_has_perm(current, file, FILE__IOCTL);
2821
2822 }
2823 return error;
2824}
2825
2826static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2827{
2828#ifndef CONFIG_PPC32
2829 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2830 /*
2831 * We are making executable an anonymous mapping or a
2832 * private file mapping that will also be writable.
2833 * This has an additional check.
2834 */
2835 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2836 if (rc)
2837 return rc;
2838 }
2839#endif
2840
2841 if (file) {
2842 /* read access is always possible with a mapping */
2843 u32 av = FILE__READ;
2844
2845 /* write access only matters if the mapping is shared */
2846 if (shared && (prot & PROT_WRITE))
2847 av |= FILE__WRITE;
2848
2849 if (prot & PROT_EXEC)
2850 av |= FILE__EXECUTE;
2851
2852 return file_has_perm(current, file, av);
2853 }
2854 return 0;
2855}
2856
2857static int selinux_file_mmap(struct file *file, unsigned long reqprot,
ed032189
EP		 2858 unsigned long prot, unsigned long flags,
2859 unsigned long addr, unsigned long addr_only)
1da177e4 2860{
ed032189
EP		 2861 int rc = 0;
2862 u32 sid = ((struct task_security_struct*)(current->security))->sid;
1da177e4 2863
ed032189
EP		 2864 if (addr < mmap_min_addr)
2865 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2866 MEMPROTECT__MMAP_ZERO, NULL);
2867 if (rc || addr_only)
1da177e4
LT		 2868 return rc;
2869
2870 if (selinux_checkreqprot)
2871 prot = reqprot;
2872
2873 return file_map_prot_check(file, prot,
2874 (flags & MAP_TYPE) == MAP_SHARED);
2875}
2876
2877static int selinux_file_mprotect(struct vm_area_struct *vma,
2878 unsigned long reqprot,
2879 unsigned long prot)
2880{
2881 int rc;
2882
2883 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2884 if (rc)
2885 return rc;
2886
2887 if (selinux_checkreqprot)
2888 prot = reqprot;
2889
2890#ifndef CONFIG_PPC32
db4c9641
SS		 2891 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2892 rc = 0;
2893 if (vma->vm_start >= vma->vm_mm->start_brk &&
2894 vma->vm_end <= vma->vm_mm->brk) {
2895 rc = task_has_perm(current, current,
2896 PROCESS__EXECHEAP);
2897 } else if (!vma->vm_file &&
2898 vma->vm_start <= vma->vm_mm->start_stack &&
2899 vma->vm_end >= vma->vm_mm->start_stack) {
2900 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2901 } else if (vma->vm_file && vma->anon_vma) {
2902 /*
2903 * We are making executable a file mapping that has
2904 * had some COW done. Since pages might have been
2905 * written, check ability to execute the possibly
2906 * modified content. This typically should only
2907 * occur for text relocations.
2908 */
2909 rc = file_has_perm(current, vma->vm_file,
2910 FILE__EXECMOD);
2911 }