]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blame - security/selinux/hooks.c
projects / mirror_ubuntu-artful-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
SELinux: Use d_is_positive() rather than testing dentry->d_inode
[mirror_ubuntu-artful-kernel.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4 26#include <linux/init.h>
0b24dcb7 27#include <linux/kd.h>
1da177e4 28#include <linux/kernel.h>
0d094efe 29#include <linux/tracehook.h>
1da177e4
LT		 30#include <linux/errno.h>
31#include <linux/sched.h>
32#include <linux/security.h>
33#include <linux/xattr.h>
34#include <linux/capability.h>
35#include <linux/unistd.h>
36#include <linux/mm.h>
37#include <linux/mman.h>
38#include <linux/slab.h>
39#include <linux/pagemap.h>
0b24dcb7 40#include <linux/proc_fs.h>
1da177e4 41#include <linux/swap.h>
1da177e4
LT		 42#include <linux/spinlock.h>
43#include <linux/syscalls.h>
2a7dba39 44#include <linux/dcache.h>
1da177e4 45#include <linux/file.h>
9f3acc31 46#include <linux/fdtable.h>
1da177e4
LT		 47#include <linux/namei.h>
48#include <linux/mount.h>
1da177e4
LT		 49#include <linux/netfilter_ipv4.h>
50#include <linux/netfilter_ipv6.h>
51#include <linux/tty.h>
52#include <net/icmp.h>
227b60f5 53#include <net/ip.h> /* for local_port_range[] */
ca10b9e9 54#include <net/sock.h>
1da177e4 55#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 56#include <net/inet_connection_sock.h>
220deb96 57#include <net/net_namespace.h>
d621d35e 58#include <net/netlabel.h>
f5269710 59#include <linux/uaccess.h>
1da177e4 60#include <asm/ioctls.h>
60063497 61#include <linux/atomic.h>
1da177e4
LT		 62#include <linux/bitops.h>
63#include <linux/interrupt.h>
64#include <linux/netdevice.h> /* for network interface checks */
77954983 65#include <net/netlink.h>
1da177e4
LT		 66#include <linux/tcp.h>
67#include <linux/udp.h>
2ee92d46 68#include <linux/dccp.h>
1da177e4
LT		 69#include <linux/quota.h>
70#include <linux/un.h> /* for Unix socket types */
71#include <net/af_unix.h> /* for Unix socket types */
72#include <linux/parser.h>
73#include <linux/nfs_mount.h>
74#include <net/ipv6.h>
75#include <linux/hugetlb.h>
76#include <linux/personality.h>
1da177e4 77#include <linux/audit.h>
6931dfc9 78#include <linux/string.h>
877ce7c1 79#include <linux/selinux.h>
23970741 80#include <linux/mutex.h>
f06febc9 81#include <linux/posix-timers.h>
00234592 82#include <linux/syslog.h>
3486740a 83#include <linux/user_namespace.h>
44fc7ea0 84#include <linux/export.h>
40401530
AV		 85#include <linux/msg.h>
86#include <linux/shm.h>
1da177e4
LT		 87
88#include "avc.h"
89#include "objsec.h"
90#include "netif.h"
224dfbd8 91#include "netnode.h"
3e112172 92#include "netport.h"
d28d1e08 93#include "xfrm.h"
c60475bf 94#include "netlabel.h"
9d57a7f9 95#include "audit.h"
7b98a585 96#include "avc_ss.h"
1da177e4 97
d621d35e 98/* SECMARK reference count */
56a4ca99 99static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 100
1da177e4 101#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 102int selinux_enforcing;
1da177e4
LT		 103
104static int __init enforcing_setup(char *str)
105{
f5269710 106 unsigned long enforcing;
29707b20 107 if (!kstrtoul(str, 0, &enforcing))
f5269710 108 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 109 return 1;
110}
111__setup("enforcing=", enforcing_setup);
112#endif
113
114#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116
117static int __init selinux_enabled_setup(char *str)
118{
f5269710 119 unsigned long enabled;
29707b20 120 if (!kstrtoul(str, 0, &enabled))
f5269710 121 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 122 return 1;
123}
124__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 125#else
126int selinux_enabled = 1;
1da177e4
LT		 127#endif
128
e18b890b 129static struct kmem_cache *sel_inode_cache;
7cae7e26 130
d621d35e
PM		 131/**
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133 *
134 * Description:
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 138 * enabled, false (0) if SECMARK is disabled. If the always_check_network
139 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 140 *
141 */
142static int selinux_secmark_enabled(void)
143{
2be4d74f
CP		 144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145}
146
147/**
148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149 *
150 * Description:
151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
152 * (1) if any are enabled or false (0) if neither are enabled. If the
153 * always_check_network policy capability is enabled, peer labeling
154 * is always considered enabled.
155 *
156 */
157static int selinux_peerlbl_enabled(void)
158{
159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 160}
161
615e51fd
PM		 162static int selinux_netcache_avc_callback(u32 event)
163{
164 if (event == AVC_CALLBACK_RESET) {
165 sel_netif_flush();
166 sel_netnode_flush();
167 sel_netport_flush();
168 synchronize_net();
169 }
170 return 0;
171}
172
d84f4f99
DH		 173/*
174 * initialise the security for the init task
175 */
176static void cred_init_security(void)
1da177e4 177{
3b11a1de 178 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 179 struct task_security_struct *tsec;
180
89d155ef 181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 182 if (!tsec)
d84f4f99 183 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 184
d84f4f99 185 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 186 cred->security = tsec;
1da177e4
LT		 187}
188
88e67f3b
DH		 189/*
190 * get the security ID of a set of credentials
191 */
192static inline u32 cred_sid(const struct cred *cred)
193{
194 const struct task_security_struct *tsec;
195
196 tsec = cred->security;
197 return tsec->sid;
198}
199
275bb41e 200/*
3b11a1de 201 * get the objective security ID of a task
275bb41e
DH		 202 */
203static inline u32 task_sid(const struct task_struct *task)
204{
275bb41e
DH		 205 u32 sid;
206
207 rcu_read_lock();
88e67f3b 208 sid = cred_sid(__task_cred(task));
275bb41e
DH		 209 rcu_read_unlock();
210 return sid;
211}
212
213/*
3b11a1de 214 * get the subjective security ID of the current task
275bb41e
DH		 215 */
216static inline u32 current_sid(void)
217{
5fb49870 218 const struct task_security_struct *tsec = current_security();
275bb41e
DH		 219
220 return tsec->sid;
221}
222
88e67f3b
DH		 223/* Allocate and free functions for each kind of security blob. */
224
1da177e4
LT		 225static int inode_alloc_security(struct inode *inode)
226{
1da177e4 227 struct inode_security_struct *isec;
275bb41e 228 u32 sid = current_sid();
1da177e4 229
a02fe132 230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 231 if (!isec)
232 return -ENOMEM;
233
23970741 234 mutex_init(&isec->lock);
1da177e4 235 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 236 isec->inode = inode;
237 isec->sid = SECINITSID_UNLABELED;
238 isec->sclass = SECCLASS_FILE;
275bb41e 239 isec->task_sid = sid;
1da177e4
LT		 240 inode->i_security = isec;
241
242 return 0;
243}
244
3dc91d43
SR		 245static void inode_free_rcu(struct rcu_head *head)
246{
247 struct inode_security_struct *isec;
248
249 isec = container_of(head, struct inode_security_struct, rcu);
250 kmem_cache_free(sel_inode_cache, isec);
251}
252
1da177e4
LT		 253static void inode_free_security(struct inode *inode)
254{
255 struct inode_security_struct *isec = inode->i_security;
256 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
257
1da177e4
LT		 258 spin_lock(&sbsec->isec_lock);
259 if (!list_empty(&isec->list))
260 list_del_init(&isec->list);
261 spin_unlock(&sbsec->isec_lock);
262
3dc91d43
SR		 263 /*
264 * The inode may still be referenced in a path walk and
265 * a call to selinux_inode_permission() can be made
266 * after inode_free_security() is called. Ideally, the VFS
267 * wouldn't do this, but fixing that is a much harder
268 * job. For now, simply free the i_security via RCU, and
269 * leave the current inode->i_security pointer intact.
270 * The inode will be freed after the RCU grace period too.
271 */
272 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 273}
274
275static int file_alloc_security(struct file *file)
276{
1da177e4 277 struct file_security_struct *fsec;
275bb41e 278 u32 sid = current_sid();
1da177e4 279
26d2a4be 280 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 281 if (!fsec)
282 return -ENOMEM;
283
275bb41e
DH		 284 fsec->sid = sid;
285 fsec->fown_sid = sid;
1da177e4
LT		 286 file->f_security = fsec;
287
288 return 0;
289}
290
291static void file_free_security(struct file *file)
292{
293 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 294 file->f_security = NULL;
295 kfree(fsec);
296}
297
298static int superblock_alloc_security(struct super_block *sb)
299{
300 struct superblock_security_struct *sbsec;
301
89d155ef 302 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 303 if (!sbsec)
304 return -ENOMEM;
305
bc7e982b 306 mutex_init(&sbsec->lock);
1da177e4
LT		 307 INIT_LIST_HEAD(&sbsec->isec_head);
308 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 309 sbsec->sb = sb;
310 sbsec->sid = SECINITSID_UNLABELED;
311 sbsec->def_sid = SECINITSID_FILE;
c312feb2 312 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 313 sb->s_security = sbsec;
314
315 return 0;
316}
317
318static void superblock_free_security(struct super_block *sb)
319{
320 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 321 sb->s_security = NULL;
322 kfree(sbsec);
323}
324
1da177e4
LT		 325/* The file system's label must be initialized prior to use. */
326
eb9ae686 327static const char *labeling_behaviors[7] = {
1da177e4
LT		 328 "uses xattr",
329 "uses transition SIDs",
330 "uses task SIDs",
331 "uses genfs_contexts",
332 "not configured for labeling",
333 "uses mountpoint labeling",
eb9ae686 334 "uses native labeling",
1da177e4
LT		 335};
336
337static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
338
339static inline int inode_doinit(struct inode *inode)
340{
341 return inode_doinit_with_dentry(inode, NULL);
342}
343
344enum {
31e87930 345 Opt_error = -1,
1da177e4
LT		 346 Opt_context = 1,
347 Opt_fscontext = 2,
c9180a57
EP		 348 Opt_defcontext = 3,
349 Opt_rootcontext = 4,
11689d47 350 Opt_labelsupport = 5,
d355987f 351 Opt_nextmntopt = 6,
1da177e4
LT		 352};
353
d355987f
EP		 354#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
355
a447c093 356static const match_table_t tokens = {
832cbd9a
EP		 357 {Opt_context, CONTEXT_STR "%s"},
358 {Opt_fscontext, FSCONTEXT_STR "%s"},
359 {Opt_defcontext, DEFCONTEXT_STR "%s"},
360 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 361 {Opt_labelsupport, LABELSUPP_STR},
31e87930 362 {Opt_error, NULL},
1da177e4
LT		 363};
364
365#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
366
c312feb2
EP		 367static int may_context_mount_sb_relabel(u32 sid,
368 struct superblock_security_struct *sbsec,
275bb41e 369 const struct cred *cred)
c312feb2 370{
275bb41e 371 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 372 int rc;
373
374 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
375 FILESYSTEM__RELABELFROM, NULL);
376 if (rc)
377 return rc;
378
379 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
380 FILESYSTEM__RELABELTO, NULL);
381 return rc;
382}
383
0808925e
EP		 384static int may_context_mount_inode_relabel(u32 sid,
385 struct superblock_security_struct *sbsec,
275bb41e 386 const struct cred *cred)
0808925e 387{
275bb41e 388 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 389 int rc;
390 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
391 FILESYSTEM__RELABELFROM, NULL);
392 if (rc)
393 return rc;
394
395 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
396 FILESYSTEM__ASSOCIATE, NULL);
397 return rc;
398}
399
b43e725d
EP		 400static int selinux_is_sblabel_mnt(struct super_block *sb)
401{
402 struct superblock_security_struct *sbsec = sb->s_security;
403
d5f3a5f6
MS		 404 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
405 sbsec->behavior == SECURITY_FS_USE_TRANS ||
406 sbsec->behavior == SECURITY_FS_USE_TASK ||
407 /* Special handling. Genfs but also in-core setxattr handler */
408 !strcmp(sb->s_type->name, "sysfs") ||
409 !strcmp(sb->s_type->name, "pstore") ||
410 !strcmp(sb->s_type->name, "debugfs") ||
411 !strcmp(sb->s_type->name, "rootfs");
b43e725d
EP		 412}
413
c9180a57 414static int sb_finish_set_opts(struct super_block *sb)
1da177e4 415{
1da177e4 416 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 417 struct dentry *root = sb->s_root;
418 struct inode *root_inode = root->d_inode;
419 int rc = 0;
1da177e4 420
c9180a57
EP		 421 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
422 /* Make sure that the xattr handler exists and that no
423 error other than -ENODATA is returned by getxattr on
424 the root directory. -ENODATA is ok, as this may be
425 the first boot of the SELinux kernel before we have
426 assigned xattr values to the filesystem. */
427 if (!root_inode->i_op->getxattr) {
29b1deb2
LT		 428 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
429 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 430 rc = -EOPNOTSUPP;
431 goto out;
432 }
433 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
434 if (rc < 0 && rc != -ENODATA) {
435 if (rc == -EOPNOTSUPP)
436 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 437 "%s) has no security xattr handler\n",
438 sb->s_id, sb->s_type->name);
c9180a57
EP		 439 else
440 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 441 "%s) getxattr errno %d\n", sb->s_id,
442 sb->s_type->name, -rc);
c9180a57
EP		 443 goto out;
444 }
445 }
1da177e4 446
c9180a57 447 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
29b1deb2
LT		 448 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
449 sb->s_id, sb->s_type->name);
1da177e4 450
eadcabc6 451 sbsec->flags |= SE_SBINITIALIZED;
b43e725d 452 if (selinux_is_sblabel_mnt(sb))
12f348b9 453 sbsec->flags |= SBLABEL_MNT;
ddd29ec6 454
c9180a57
EP		 455 /* Initialize the root inode. */
456 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 457
c9180a57
EP		 458 /* Initialize any other inodes associated with the superblock, e.g.
459 inodes created prior to initial policy load or inodes created
460 during get_sb by a pseudo filesystem that directly
461 populates itself. */
462 spin_lock(&sbsec->isec_lock);
463next_inode:
464 if (!list_empty(&sbsec->isec_head)) {
465 struct inode_security_struct *isec =
466 list_entry(sbsec->isec_head.next,
467 struct inode_security_struct, list);
468 struct inode *inode = isec->inode;
923190d3 469 list_del_init(&isec->list);
c9180a57
EP		 470 spin_unlock(&sbsec->isec_lock);
471 inode = igrab(inode);
472 if (inode) {
473 if (!IS_PRIVATE(inode))
474 inode_doinit(inode);
475 iput(inode);
476 }
477 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 478 goto next_inode;
479 }
480 spin_unlock(&sbsec->isec_lock);
481out:
482 return rc;
483}
1da177e4 484
c9180a57
EP		 485/*
486 * This function should allow an FS to ask what it's mount security
487 * options were so it can use those later for submounts, displaying
488 * mount options, or whatever.
489 */
490static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 491 struct security_mnt_opts *opts)
c9180a57
EP		 492{
493 int rc = 0, i;
494 struct superblock_security_struct *sbsec = sb->s_security;
495 char *context = NULL;
496 u32 len;
497 char tmp;
1da177e4 498
e0007529 499 security_init_mnt_opts(opts);
1da177e4 500
0d90a7ec 501 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 502 return -EINVAL;
1da177e4 503
c9180a57
EP		 504 if (!ss_initialized)
505 return -EINVAL;
1da177e4 506
af8e50cc
EP		 507 /* make sure we always check enough bits to cover the mask */
508 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
509
0d90a7ec 510 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 511 /* count the number of mount options for this sb */
af8e50cc 512 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 513 if (tmp & 0x01)
e0007529 514 opts->num_mnt_opts++;
c9180a57
EP		 515 tmp >>= 1;
516 }
11689d47 517 /* Check if the Label support flag is set */
0b4bdb35 518 if (sbsec->flags & SBLABEL_MNT)
11689d47 519 opts->num_mnt_opts++;
1da177e4 520
e0007529
EP		 521 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
522 if (!opts->mnt_opts) {
c9180a57
EP		 523 rc = -ENOMEM;
524 goto out_free;
525 }
1da177e4 526
e0007529
EP		 527 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
528 if (!opts->mnt_opts_flags) {
c9180a57
EP		 529 rc = -ENOMEM;
530 goto out_free;
531 }
1da177e4 532
c9180a57
EP		 533 i = 0;
534 if (sbsec->flags & FSCONTEXT_MNT) {
535 rc = security_sid_to_context(sbsec->sid, &context, &len);
536 if (rc)
537 goto out_free;
e0007529
EP		 538 opts->mnt_opts[i] = context;
539 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 540 }
541 if (sbsec->flags & CONTEXT_MNT) {
542 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
543 if (rc)
544 goto out_free;
e0007529
EP		 545 opts->mnt_opts[i] = context;
546 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 547 }
548 if (sbsec->flags & DEFCONTEXT_MNT) {
549 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
550 if (rc)
551 goto out_free;
e0007529
EP		 552 opts->mnt_opts[i] = context;
553 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 554 }
555 if (sbsec->flags & ROOTCONTEXT_MNT) {
556 struct inode *root = sbsec->sb->s_root->d_inode;
557 struct inode_security_struct *isec = root->i_security;
0808925e 558
c9180a57
EP		 559 rc = security_sid_to_context(isec->sid, &context, &len);
560 if (rc)
561 goto out_free;
e0007529
EP		 562 opts->mnt_opts[i] = context;
563 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 564 }
12f348b9 565 if (sbsec->flags & SBLABEL_MNT) {
11689d47 566 opts->mnt_opts[i] = NULL;
12f348b9 567 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 568 }
1da177e4 569
e0007529 570 BUG_ON(i != opts->num_mnt_opts);
1da177e4 571
c9180a57
EP		 572 return 0;
573
574out_free:
e0007529 575 security_free_mnt_opts(opts);
c9180a57
EP		 576 return rc;
577}
1da177e4 578
c9180a57
EP		 579static int bad_option(struct superblock_security_struct *sbsec, char flag,
580 u32 old_sid, u32 new_sid)
581{
0d90a7ec
DQ		 582 char mnt_flags = sbsec->flags & SE_MNTMASK;
583
c9180a57 584 /* check if the old mount command had the same options */
0d90a7ec 585 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 586 if (!(sbsec->flags & flag) ||
587 (old_sid != new_sid))
588 return 1;
589
590 /* check if we were passed the same options twice,
591 * aka someone passed context=a,context=b
592 */
0d90a7ec
DQ		 593 if (!(sbsec->flags & SE_SBINITIALIZED))
594 if (mnt_flags & flag)
c9180a57
EP		 595 return 1;
596 return 0;
597}
e0007529 598
c9180a57
EP		 599/*
600 * Allow filesystems with binary mount data to explicitly set mount point
601 * labeling information.
602 */
e0007529 603static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 604 struct security_mnt_opts *opts,
605 unsigned long kern_flags,
606 unsigned long *set_kern_flags)
c9180a57 607{
275bb41e 608 const struct cred *cred = current_cred();
c9180a57 609 int rc = 0, i;
c9180a57 610 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 611 const char *name = sb->s_type->name;
089be43e
JM		 612 struct inode *inode = sbsec->sb->s_root->d_inode;
613 struct inode_security_struct *root_isec = inode->i_security;
c9180a57
EP		 614 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
615 u32 defcontext_sid = 0;
e0007529
EP		 616 char **mount_options = opts->mnt_opts;
617 int *flags = opts->mnt_opts_flags;
618 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 619
620 mutex_lock(&sbsec->lock);
621
622 if (!ss_initialized) {
623 if (!num_opts) {
624 /* Defer initialization until selinux_complete_init,
625 after the initial policy is loaded and the security
626 server is ready to handle calls. */
c9180a57
EP		 627 goto out;
628 }
629 rc = -EINVAL;
744ba35e
EP		 630 printk(KERN_WARNING "SELinux: Unable to set superblock options "
631 "before the security server is initialized\n");
1da177e4 632 goto out;
c9180a57 633 }
649f6e77
DQ		 634 if (kern_flags && !set_kern_flags) {
635 /* Specifying internal flags without providing a place to
636 * place the results is not allowed */
637 rc = -EINVAL;
638 goto out;
639 }
1da177e4 640
e0007529
EP		 641 /*
642 * Binary mount data FS will come through this function twice. Once
643 * from an explicit call and once from the generic calls from the vfs.
644 * Since the generic VFS calls will not contain any security mount data
645 * we need to skip the double mount verification.
646 *
647 * This does open a hole in which we will not notice if the first
648 * mount using this sb set explict options and a second mount using
649 * this sb does not set any security options. (The first options
650 * will be used for both mounts)
651 */
0d90a7ec 652 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 653 && (num_opts == 0))
f5269710 654 goto out;
e0007529 655
c9180a57
EP		 656 /*
657 * parse the mount options, check if they are valid sids.
658 * also check if someone is trying to mount the same sb more
659 * than once with different security options.
660 */
661 for (i = 0; i < num_opts; i++) {
662 u32 sid;
11689d47 663
12f348b9 664 if (flags[i] == SBLABEL_MNT)
11689d47 665 continue;
c9180a57 666 rc = security_context_to_sid(mount_options[i],
52a4c640 667 strlen(mount_options[i]), &sid, GFP_KERNEL);
1da177e4
LT		 668 if (rc) {
669 printk(KERN_WARNING "SELinux: security_context_to_sid"
29b1deb2
LT		 670 "(%s) failed for (dev %s, type %s) errno=%d\n",
671 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 672 goto out;
673 }
674 switch (flags[i]) {
675 case FSCONTEXT_MNT:
676 fscontext_sid = sid;
677
678 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
679 fscontext_sid))
680 goto out_double_mount;
681
682 sbsec->flags |= FSCONTEXT_MNT;
683 break;
684 case CONTEXT_MNT:
685 context_sid = sid;
686
687 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
688 context_sid))
689 goto out_double_mount;
690
691 sbsec->flags |= CONTEXT_MNT;
692 break;
693 case ROOTCONTEXT_MNT:
694 rootcontext_sid = sid;
695
696 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
697 rootcontext_sid))
698 goto out_double_mount;
699
700 sbsec->flags |= ROOTCONTEXT_MNT;
701
702 break;
703 case DEFCONTEXT_MNT:
704 defcontext_sid = sid;
705
706 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
707 defcontext_sid))
708 goto out_double_mount;
709
710 sbsec->flags |= DEFCONTEXT_MNT;
711
712 break;
713 default:
714 rc = -EINVAL;
715 goto out;
1da177e4 716 }
c9180a57
EP		 717 }
718
0d90a7ec 719 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 720 /* previously mounted with options, but not on this attempt? */
0d90a7ec 721 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 722 goto out_double_mount;
723 rc = 0;
724 goto out;
725 }
726
089be43e 727 if (strcmp(sb->s_type->name, "proc") == 0)
0d90a7ec 728 sbsec->flags |= SE_SBPROC;
c9180a57 729
eb9ae686
DQ		 730 if (!sbsec->behavior) {
731 /*
732 * Determine the labeling behavior to use for this
733 * filesystem type.
734 */
98f700f3 735 rc = security_fs_use(sb);
eb9ae686
DQ		 736 if (rc) {
737 printk(KERN_WARNING
738 "%s: security_fs_use(%s) returned %d\n",
739 __func__, sb->s_type->name, rc);
740 goto out;
741 }
c9180a57 742 }
c9180a57
EP		 743 /* sets the context of the superblock for the fs being mounted. */
744 if (fscontext_sid) {
275bb41e 745 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 746 if (rc)
c9180a57 747 goto out;
1da177e4 748
c9180a57 749 sbsec->sid = fscontext_sid;
c312feb2
EP		 750 }
751
752 /*
753 * Switch to using mount point labeling behavior.
754 * sets the label used on all file below the mountpoint, and will set
755 * the superblock context if not already set.
756 */
eb9ae686
DQ		 757 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
758 sbsec->behavior = SECURITY_FS_USE_NATIVE;
759 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
760 }
761
c9180a57
EP		 762 if (context_sid) {
763 if (!fscontext_sid) {
275bb41e
DH		 764 rc = may_context_mount_sb_relabel(context_sid, sbsec,
765 cred);
b04ea3ce 766 if (rc)
c9180a57
EP		 767 goto out;
768 sbsec->sid = context_sid;
b04ea3ce 769 } else {
275bb41e
DH		 770 rc = may_context_mount_inode_relabel(context_sid, sbsec,
771 cred);
b04ea3ce 772 if (rc)
c9180a57 773 goto out;
b04ea3ce 774 }
c9180a57
EP		 775 if (!rootcontext_sid)
776 rootcontext_sid = context_sid;
1da177e4 777
c9180a57 778 sbsec->mntpoint_sid = context_sid;
c312feb2 779 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 780 }
781
c9180a57 782 if (rootcontext_sid) {
275bb41e
DH		 783 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
784 cred);
0808925e 785 if (rc)
c9180a57 786 goto out;
0808925e 787
c9180a57
EP		 788 root_isec->sid = rootcontext_sid;
789 root_isec->initialized = 1;
0808925e
EP		 790 }
791
c9180a57 792 if (defcontext_sid) {
eb9ae686
DQ		 793 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
794 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 795 rc = -EINVAL;
796 printk(KERN_WARNING "SELinux: defcontext option is "
797 "invalid for this filesystem type\n");
798 goto out;
1da177e4
LT		 799 }
800
c9180a57
EP		 801 if (defcontext_sid != sbsec->def_sid) {
802 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 803 sbsec, cred);
c9180a57
EP		 804 if (rc)
805 goto out;
806 }
1da177e4 807
c9180a57 808 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 809 }
810
c9180a57 811 rc = sb_finish_set_opts(sb);
1da177e4 812out:
c9180a57 813 mutex_unlock(&sbsec->lock);
1da177e4 814 return rc;
c9180a57
EP		 815out_double_mount:
816 rc = -EINVAL;
817 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 818 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 819 goto out;
1da177e4
LT		 820}
821
094f7b69
JL		 822static int selinux_cmp_sb_context(const struct super_block *oldsb,
823 const struct super_block *newsb)
824{
825 struct superblock_security_struct *old = oldsb->s_security;
826 struct superblock_security_struct *new = newsb->s_security;
827 char oldflags = old->flags & SE_MNTMASK;
828 char newflags = new->flags & SE_MNTMASK;
829
830 if (oldflags != newflags)
831 goto mismatch;
832 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
833 goto mismatch;
834 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
835 goto mismatch;
836 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
837 goto mismatch;
838 if (oldflags & ROOTCONTEXT_MNT) {
839 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
840 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
841 if (oldroot->sid != newroot->sid)
842 goto mismatch;
843 }
844 return 0;
845mismatch:
846 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
847 "different security settings for (dev %s, "
848 "type %s)\n", newsb->s_id, newsb->s_type->name);
849 return -EBUSY;
850}
851
852static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
c9180a57 853 struct super_block *newsb)
1da177e4 854{
c9180a57
EP		 855 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
856 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 857
c9180a57
EP		 858 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
859 int set_context = (oldsbsec->flags & CONTEXT_MNT);
860 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 861
0f5e6420
EP		 862 /*
863 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 864 * mount options. thus we can safely deal with this superblock later
0f5e6420 865 */
e8c26255 866 if (!ss_initialized)
094f7b69 867 return 0;
c9180a57 868
c9180a57 869 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 870 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 871
094f7b69 872 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 873 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 874 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 875
c9180a57
EP		 876 mutex_lock(&newsbsec->lock);
877
878 newsbsec->flags = oldsbsec->flags;
879
880 newsbsec->sid = oldsbsec->sid;
881 newsbsec->def_sid = oldsbsec->def_sid;
882 newsbsec->behavior = oldsbsec->behavior;
883
884 if (set_context) {
885 u32 sid = oldsbsec->mntpoint_sid;
886
887 if (!set_fscontext)
888 newsbsec->sid = sid;
889 if (!set_rootcontext) {
890 struct inode *newinode = newsb->s_root->d_inode;
891 struct inode_security_struct *newisec = newinode->i_security;
892 newisec->sid = sid;
893 }
894 newsbsec->mntpoint_sid = sid;
1da177e4 895 }
c9180a57
EP		 896 if (set_rootcontext) {
897 const struct inode *oldinode = oldsb->s_root->d_inode;
898 const struct inode_security_struct *oldisec = oldinode->i_security;
899 struct inode *newinode = newsb->s_root->d_inode;
900 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 901
c9180a57 902 newisec->sid = oldisec->sid;
1da177e4
LT		 903 }
904
c9180a57
EP		 905 sb_finish_set_opts(newsb);
906 mutex_unlock(&newsbsec->lock);
094f7b69 907 return 0;
c9180a57
EP		 908}
909
2e1479d9
AB		 910static int selinux_parse_opts_str(char *options,
911 struct security_mnt_opts *opts)
c9180a57 912{
e0007529 913 char *p;
c9180a57
EP		 914 char *context = NULL, *defcontext = NULL;
915 char *fscontext = NULL, *rootcontext = NULL;
e0007529 916 int rc, num_mnt_opts = 0;
1da177e4 917
e0007529 918 opts->num_mnt_opts = 0;
1da177e4 919
c9180a57
EP		 920 /* Standard string-based options. */
921 while ((p = strsep(&options, "|")) != NULL) {
922 int token;
923 substring_t args[MAX_OPT_ARGS];
1da177e4 924
c9180a57
EP		 925 if (!*p)
926 continue;
1da177e4 927
c9180a57 928 token = match_token(p, tokens, args);
1da177e4 929
c9180a57
EP		 930 switch (token) {
931 case Opt_context:
932 if (context || defcontext) {
933 rc = -EINVAL;
934 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
935 goto out_err;
936 }
937 context = match_strdup(&args[0]);
938 if (!context) {
939 rc = -ENOMEM;
940 goto out_err;
941 }
942 break;
943
944 case Opt_fscontext:
945 if (fscontext) {
946 rc = -EINVAL;
947 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
948 goto out_err;
949 }
950 fscontext = match_strdup(&args[0]);
951 if (!fscontext) {
952 rc = -ENOMEM;
953 goto out_err;
954 }
955 break;
956
957 case Opt_rootcontext:
958 if (rootcontext) {
959 rc = -EINVAL;
960 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
961 goto out_err;
962 }
963 rootcontext = match_strdup(&args[0]);
964 if (!rootcontext) {
965 rc = -ENOMEM;
966 goto out_err;
967 }
968 break;
969
970 case Opt_defcontext:
971 if (context || defcontext) {
972 rc = -EINVAL;
973 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
974 goto out_err;
975 }
976 defcontext = match_strdup(&args[0]);
977 if (!defcontext) {
978 rc = -ENOMEM;
979 goto out_err;
980 }
981 break;
11689d47
DQ		 982 case Opt_labelsupport:
983 break;
c9180a57
EP		 984 default:
985 rc = -EINVAL;
986 printk(KERN_WARNING "SELinux: unknown mount option\n");
987 goto out_err;
1da177e4 988
1da177e4 989 }
1da177e4 990 }
c9180a57 991
e0007529
EP		 992 rc = -ENOMEM;
993 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
994 if (!opts->mnt_opts)
995 goto out_err;
996
997 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
998 if (!opts->mnt_opts_flags) {
999 kfree(opts->mnt_opts);
1000 goto out_err;
1001 }
1002
c9180a57 1003 if (fscontext) {
e0007529
EP		 1004 opts->mnt_opts[num_mnt_opts] = fscontext;
1005 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1006 }
1007 if (context) {
e0007529
EP		 1008 opts->mnt_opts[num_mnt_opts] = context;
1009 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1010 }
1011 if (rootcontext) {
e0007529
EP		 1012 opts->mnt_opts[num_mnt_opts] = rootcontext;
1013 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1014 }
1015 if (defcontext) {
e0007529
EP		 1016 opts->mnt_opts[num_mnt_opts] = defcontext;
1017 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1018 }
1019
e0007529
EP		 1020 opts->num_mnt_opts = num_mnt_opts;
1021 return 0;
1022
c9180a57
EP		 1023out_err:
1024 kfree(context);
1025 kfree(defcontext);
1026 kfree(fscontext);
1027 kfree(rootcontext);
1da177e4
LT		 1028 return rc;
1029}
e0007529
EP		 1030/*
1031 * string mount options parsing and call set the sbsec
1032 */
1033static int superblock_doinit(struct super_block *sb, void *data)
1034{
1035 int rc = 0;
1036 char *options = data;
1037 struct security_mnt_opts opts;
1038
1039 security_init_mnt_opts(&opts);
1040
1041 if (!data)
1042 goto out;
1043
1044 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1045
1046 rc = selinux_parse_opts_str(options, &opts);
1047 if (rc)
1048 goto out_err;
1049
1050out:
649f6e77 1051 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1052
1053out_err:
1054 security_free_mnt_opts(&opts);
1055 return rc;
1056}
1da177e4 1057
3583a711
AB		 1058static void selinux_write_opts(struct seq_file *m,
1059 struct security_mnt_opts *opts)
2069f457
EP		 1060{
1061 int i;
1062 char *prefix;
1063
1064 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1065 char *has_comma;
1066
1067 if (opts->mnt_opts[i])
1068 has_comma = strchr(opts->mnt_opts[i], ',');
1069 else
1070 has_comma = NULL;
2069f457
EP		 1071
1072 switch (opts->mnt_opts_flags[i]) {
1073 case CONTEXT_MNT:
1074 prefix = CONTEXT_STR;
1075 break;
1076 case FSCONTEXT_MNT:
1077 prefix = FSCONTEXT_STR;
1078 break;
1079 case ROOTCONTEXT_MNT:
1080 prefix = ROOTCONTEXT_STR;
1081 break;
1082 case DEFCONTEXT_MNT:
1083 prefix = DEFCONTEXT_STR;
1084 break;
12f348b9 1085 case SBLABEL_MNT:
11689d47
DQ		 1086 seq_putc(m, ',');
1087 seq_puts(m, LABELSUPP_STR);
1088 continue;
2069f457
EP		 1089 default:
1090 BUG();
a35c6c83 1091 return;
2069f457
EP		 1092 };
1093 /* we need a comma before each option */
1094 seq_putc(m, ',');
1095 seq_puts(m, prefix);
1096 if (has_comma)
1097 seq_putc(m, '\"');
1098 seq_puts(m, opts->mnt_opts[i]);
1099 if (has_comma)
1100 seq_putc(m, '\"');
1101 }
1102}
1103
1104static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1105{
1106 struct security_mnt_opts opts;
1107 int rc;
1108
1109 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1110 if (rc) {
1111 /* before policy load we may get EINVAL, don't show anything */
1112 if (rc == -EINVAL)
1113 rc = 0;
2069f457 1114 return rc;
383795c2 1115 }
2069f457
EP		 1116
1117 selinux_write_opts(m, &opts);
1118
1119 security_free_mnt_opts(&opts);
1120
1121 return rc;
1122}
1123
1da177e4
LT		 1124static inline u16 inode_mode_to_security_class(umode_t mode)
1125{
1126 switch (mode & S_IFMT) {
1127 case S_IFSOCK:
1128 return SECCLASS_SOCK_FILE;
1129 case S_IFLNK:
1130 return SECCLASS_LNK_FILE;
1131 case S_IFREG:
1132 return SECCLASS_FILE;
1133 case S_IFBLK:
1134 return SECCLASS_BLK_FILE;
1135 case S_IFDIR:
1136 return SECCLASS_DIR;
1137 case S_IFCHR:
1138 return SECCLASS_CHR_FILE;
1139 case S_IFIFO:
1140 return SECCLASS_FIFO_FILE;
1141
1142 }
1143
1144 return SECCLASS_FILE;
1145}
1146
13402580
JM		 1147static inline int default_protocol_stream(int protocol)
1148{
1149 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1150}
1151
1152static inline int default_protocol_dgram(int protocol)
1153{
1154 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1155}
1156
1da177e4
LT		 1157static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1158{
1159 switch (family) {
1160 case PF_UNIX:
1161 switch (type) {
1162 case SOCK_STREAM:
1163 case SOCK_SEQPACKET:
1164 return SECCLASS_UNIX_STREAM_SOCKET;
1165 case SOCK_DGRAM:
1166 return SECCLASS_UNIX_DGRAM_SOCKET;
1167 }
1168 break;
1169 case PF_INET:
1170 case PF_INET6:
1171 switch (type) {
1172 case SOCK_STREAM:
13402580
JM		 1173 if (default_protocol_stream(protocol))
1174 return SECCLASS_TCP_SOCKET;
1175 else
1176 return SECCLASS_RAWIP_SOCKET;
1da177e4 1177 case SOCK_DGRAM:
13402580
JM		 1178 if (default_protocol_dgram(protocol))
1179 return SECCLASS_UDP_SOCKET;
1180 else
1181 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1182 case SOCK_DCCP:
1183 return SECCLASS_DCCP_SOCKET;
13402580 1184 default:
1da177e4
LT		 1185 return SECCLASS_RAWIP_SOCKET;
1186 }
1187 break;
1188 case PF_NETLINK:
1189 switch (protocol) {
1190 case NETLINK_ROUTE:
1191 return SECCLASS_NETLINK_ROUTE_SOCKET;
1192 case NETLINK_FIREWALL:
1193 return SECCLASS_NETLINK_FIREWALL_SOCKET;
7f1fb60c 1194 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1195 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1196 case NETLINK_NFLOG:
1197 return SECCLASS_NETLINK_NFLOG_SOCKET;
1198 case NETLINK_XFRM:
1199 return SECCLASS_NETLINK_XFRM_SOCKET;
1200 case NETLINK_SELINUX:
1201 return SECCLASS_NETLINK_SELINUX_SOCKET;
1202 case NETLINK_AUDIT:
1203 return SECCLASS_NETLINK_AUDIT_SOCKET;
1204 case NETLINK_IP6_FW:
1205 return SECCLASS_NETLINK_IP6FW_SOCKET;
1206 case NETLINK_DNRTMSG:
1207 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1208 case NETLINK_KOBJECT_UEVENT:
1209 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1210 default:
1211 return SECCLASS_NETLINK_SOCKET;
1212 }
1213 case PF_PACKET:
1214 return SECCLASS_PACKET_SOCKET;
1215 case PF_KEY:
1216 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1217 case PF_APPLETALK:
1218 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1219 }
1220
1221 return SECCLASS_SOCKET;
1222}
1223
1224#ifdef CONFIG_PROC_FS
8e6c9693 1225static int selinux_proc_get_sid(struct dentry *dentry,
1da177e4
LT		 1226 u16 tclass,
1227 u32 *sid)
1228{
8e6c9693
LAG		 1229 int rc;
1230 char *buffer, *path;
1da177e4 1231
828dfe1d 1232 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1233 if (!buffer)
1234 return -ENOMEM;
1235
8e6c9693
LAG		 1236 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1237 if (IS_ERR(path))
1238 rc = PTR_ERR(path);
1239 else {
1240 /* each process gets a /proc/PID/ entry. Strip off the
1241 * PID part to get a valid selinux labeling.
1242 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1243 while (path[1] >= '0' && path[1] <= '9') {
1244 path[1] = '/';
1245 path++;
1246 }
1247 rc = security_genfs_sid("proc", path, tclass, sid);
1da177e4 1248 }
1da177e4
LT		 1249 free_page((unsigned long)buffer);
1250 return rc;
1251}
1252#else
8e6c9693 1253static int selinux_proc_get_sid(struct dentry *dentry,
1da177e4
LT		 1254 u16 tclass,
1255 u32 *sid)
1256{
1257 return -EINVAL;
1258}
1259#endif
1260
1261/* The inode's security attributes must be initialized before first use. */
1262static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1263{
1264 struct superblock_security_struct *sbsec = NULL;
1265 struct inode_security_struct *isec = inode->i_security;
1266 u32 sid;
1267 struct dentry *dentry;
1268#define INITCONTEXTLEN 255
1269 char *context = NULL;
1270 unsigned len = 0;
1271 int rc = 0;
1da177e4
LT		 1272
1273 if (isec->initialized)
1274 goto out;
1275
23970741 1276 mutex_lock(&isec->lock);
1da177e4 1277 if (isec->initialized)
23970741 1278 goto out_unlock;
1da177e4
LT		 1279
1280 sbsec = inode->i_sb->s_security;
0d90a7ec 1281 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1282 /* Defer initialization until selinux_complete_init,
1283 after the initial policy is loaded and the security
1284 server is ready to handle calls. */
1285 spin_lock(&sbsec->isec_lock);
1286 if (list_empty(&isec->list))
1287 list_add(&isec->list, &sbsec->isec_head);
1288 spin_unlock(&sbsec->isec_lock);
23970741 1289 goto out_unlock;
1da177e4
LT		 1290 }
1291
1292 switch (sbsec->behavior) {
eb9ae686
DQ		 1293 case SECURITY_FS_USE_NATIVE:
1294 break;
1da177e4
LT		 1295 case SECURITY_FS_USE_XATTR:
1296 if (!inode->i_op->getxattr) {
1297 isec->sid = sbsec->def_sid;
1298 break;
1299 }
1300
1301 /* Need a dentry, since the xattr API requires one.
1302 Life would be simpler if we could just pass the inode. */
1303 if (opt_dentry) {
1304 /* Called from d_instantiate or d_splice_alias. */
1305 dentry = dget(opt_dentry);
1306 } else {
1307 /* Called from selinux_complete_init, try to find a dentry. */
1308 dentry = d_find_alias(inode);
1309 }
1310 if (!dentry) {
df7f54c0
EP		 1311 /*
1312 * this is can be hit on boot when a file is accessed
1313 * before the policy is loaded. When we load policy we
1314 * may find inodes that have no dentry on the
1315 * sbsec->isec_head list. No reason to complain as these
1316 * will get fixed up the next time we go through
1317 * inode_doinit with a dentry, before these inodes could
1318 * be used again by userspace.
1319 */
23970741 1320 goto out_unlock;
1da177e4
LT		 1321 }
1322
1323 len = INITCONTEXTLEN;
4cb912f1 1324 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1325 if (!context) {
1326 rc = -ENOMEM;
1327 dput(dentry);
23970741 1328 goto out_unlock;
1da177e4 1329 }
4cb912f1 1330 context[len] = '\0';
1da177e4
LT		 1331 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1332 context, len);
1333 if (rc == -ERANGE) {
314dabb8
JM		 1334 kfree(context);
1335
1da177e4
LT		 1336 /* Need a larger buffer. Query for the right size. */
1337 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1338 NULL, 0);
1339 if (rc < 0) {
1340 dput(dentry);
23970741 1341 goto out_unlock;
1da177e4 1342 }
1da177e4 1343 len = rc;
4cb912f1 1344 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1345 if (!context) {
1346 rc = -ENOMEM;
1347 dput(dentry);
23970741 1348 goto out_unlock;
1da177e4 1349 }
4cb912f1 1350 context[len] = '\0';
1da177e4
LT		 1351 rc = inode->i_op->getxattr(dentry,
1352 XATTR_NAME_SELINUX,
1353 context, len);
1354 }
1355 dput(dentry);
1356 if (rc < 0) {
1357 if (rc != -ENODATA) {
744ba35e 1358 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1359 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1360 -rc, inode->i_sb->s_id, inode->i_ino);
1361 kfree(context);
23970741 1362 goto out_unlock;
1da177e4
LT		 1363 }
1364 /* Map ENODATA to the default file SID */
1365 sid = sbsec->def_sid;
1366 rc = 0;
1367 } else {
f5c1d5b2 1368 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1369 sbsec->def_sid,
1370 GFP_NOFS);
1da177e4 1371 if (rc) {
4ba0a8ad
EP		 1372 char *dev = inode->i_sb->s_id;
1373 unsigned long ino = inode->i_ino;
1374
1375 if (rc == -EINVAL) {
1376 if (printk_ratelimit())
1377 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1378 "context=%s. This indicates you may need to relabel the inode or the "
1379 "filesystem in question.\n", ino, dev, context);
1380 } else {
1381 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1382 "returned %d for dev=%s ino=%ld\n",
1383 __func__, context, -rc, dev, ino);
1384 }
1da177e4
LT		 1385 kfree(context);
1386 /* Leave with the unlabeled SID */
1387 rc = 0;
1388 break;
1389 }
1390 }
1391 kfree(context);
1392 isec->sid = sid;
1393 break;
1394 case SECURITY_FS_USE_TASK:
1395 isec->sid = isec->task_sid;
1396 break;
1397 case SECURITY_FS_USE_TRANS:
1398 /* Default to the fs SID. */
1399 isec->sid = sbsec->sid;
1400
1401 /* Try to obtain a transition SID. */
1402 isec->sclass = inode_mode_to_security_class(inode->i_mode);
652bb9b0
EP		 1403 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1404 isec->sclass, NULL, &sid);
1da177e4 1405 if (rc)
23970741 1406 goto out_unlock;
1da177e4
LT		 1407 isec->sid = sid;
1408 break;
c312feb2
EP		 1409 case SECURITY_FS_USE_MNTPOINT:
1410 isec->sid = sbsec->mntpoint_sid;
1411 break;
1da177e4 1412 default:
c312feb2 1413 /* Default to the fs superblock SID. */
1da177e4
LT		 1414 isec->sid = sbsec->sid;
1415
0d90a7ec 1416 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1417 /* We must have a dentry to determine the label on
1418 * procfs inodes */
1419 if (opt_dentry)
1420 /* Called from d_instantiate or
1421 * d_splice_alias. */
1422 dentry = dget(opt_dentry);
1423 else
1424 /* Called from selinux_complete_init, try to
1425 * find a dentry. */
1426 dentry = d_find_alias(inode);
1427 /*
1428 * This can be hit on boot when a file is accessed
1429 * before the policy is loaded. When we load policy we
1430 * may find inodes that have no dentry on the
1431 * sbsec->isec_head list. No reason to complain as
1432 * these will get fixed up the next time we go through
1433 * inode_doinit() with a dentry, before these inodes
1434 * could be used again by userspace.
1435 */
1436 if (!dentry)
1437 goto out_unlock;
1438 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1439 rc = selinux_proc_get_sid(dentry, isec->sclass, &sid);
1440 dput(dentry);
1441 if (rc)
1442 goto out_unlock;
1443 isec->sid = sid;
1da177e4
LT		 1444 }
1445 break;
1446 }
1447
1448 isec->initialized = 1;
1449
23970741
EP		 1450out_unlock:
1451 mutex_unlock(&isec->lock);
1da177e4
LT		 1452out:
1453 if (isec->sclass == SECCLASS_FILE)
1454 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1455 return rc;
1456}
1457
1458/* Convert a Linux signal to an access vector. */
1459static inline u32 signal_to_av(int sig)
1460{
1461 u32 perm = 0;
1462
1463 switch (sig) {
1464 case SIGCHLD:
1465 /* Commonly granted from child to parent. */
1466 perm = PROCESS__SIGCHLD;
1467 break;
1468 case SIGKILL:
1469 /* Cannot be caught or ignored */
1470 perm = PROCESS__SIGKILL;
1471 break;
1472 case SIGSTOP:
1473 /* Cannot be caught or ignored */
1474 perm = PROCESS__SIGSTOP;
1475 break;
1476 default:
1477 /* All other signals. */
1478 perm = PROCESS__SIGNAL;
1479 break;
1480 }
1481
1482 return perm;
1483}
1484
d84f4f99
DH		 1485/*
1486 * Check permission between a pair of credentials
1487 * fork check, ptrace check, etc.
1488 */
1489static int cred_has_perm(const struct cred *actor,
1490 const struct cred *target,
1491 u32 perms)
1492{
1493 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1494
1495 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1496}
1497
275bb41e 1498/*
88e67f3b 1499 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1500 * fork check, ptrace check, etc.
1501 * tsk1 is the actor and tsk2 is the target
3b11a1de 1502 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1503 */
1504static int task_has_perm(const struct task_struct *tsk1,
1505 const struct task_struct *tsk2,
1da177e4
LT		 1506 u32 perms)
1507{
275bb41e
DH		 1508 const struct task_security_struct *__tsec1, *__tsec2;
1509 u32 sid1, sid2;
1da177e4 1510
275bb41e
DH		 1511 rcu_read_lock();
1512 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1513 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1514 rcu_read_unlock();
1515 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1516}
1517
3b11a1de
DH		 1518/*
1519 * Check permission between current and another task, e.g. signal checks,
1520 * fork check, ptrace check, etc.
1521 * current is the actor and tsk2 is the target
1522 * - this uses current's subjective creds
1523 */
1524static int current_has_perm(const struct task_struct *tsk,
1525 u32 perms)
1526{
1527 u32 sid, tsid;
1528
1529 sid = current_sid();
1530 tsid = task_sid(tsk);
1531 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1532}
1533
b68e418c
SS		 1534#if CAP_LAST_CAP > 63
1535#error Fix SELinux to handle capabilities > 63.
1536#endif
1537
1da177e4 1538/* Check whether a task is allowed to use a capability. */
6a9de491 1539static int cred_has_capability(const struct cred *cred,
06112163 1540 int cap, int audit)
1da177e4 1541{
2bf49690 1542 struct common_audit_data ad;
06112163 1543 struct av_decision avd;
b68e418c 1544 u16 sclass;
3699c53c 1545 u32 sid = cred_sid(cred);
b68e418c 1546 u32 av = CAP_TO_MASK(cap);
06112163 1547 int rc;
1da177e4 1548
50c205f5 1549 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1550 ad.u.cap = cap;
1551
b68e418c
SS		 1552 switch (CAP_TO_INDEX(cap)) {
1553 case 0:
1554 sclass = SECCLASS_CAPABILITY;
1555 break;
1556 case 1:
1557 sclass = SECCLASS_CAPABILITY2;
1558 break;
1559 default:
1560 printk(KERN_ERR
1561 "SELinux: out of range capability %d\n", cap);
1562 BUG();
a35c6c83 1563 return -EINVAL;
b68e418c 1564 }
06112163 1565
275bb41e 1566 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1567 if (audit == SECURITY_CAP_AUDIT) {
ab354062 1568 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
9ade0cf4
EP		 1569 if (rc2)
1570 return rc2;
1571 }
06112163 1572 return rc;
1da177e4
LT		 1573}
1574
1575/* Check whether a task is allowed to use a system operation. */
1576static int task_has_system(struct task_struct *tsk,
1577 u32 perms)
1578{
275bb41e 1579 u32 sid = task_sid(tsk);
1da177e4 1580
275bb41e 1581 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1582 SECCLASS_SYSTEM, perms, NULL);
1583}
1584
1585/* Check whether a task has a particular permission to an inode.
1586 The 'adp' parameter is optional and allows other audit
1587 data to be passed (e.g. the dentry). */
88e67f3b 1588static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1589 struct inode *inode,
1590 u32 perms,
19e49834 1591 struct common_audit_data *adp)
1da177e4 1592{
1da177e4 1593 struct inode_security_struct *isec;
275bb41e 1594 u32 sid;
1da177e4 1595
e0e81739
DH		 1596 validate_creds(cred);
1597
828dfe1d 1598 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1599 return 0;
1600
88e67f3b 1601 sid = cred_sid(cred);
1da177e4
LT		 1602 isec = inode->i_security;
1603
19e49834 1604 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1605}
1606
1607/* Same as inode_has_perm, but pass explicit audit data containing
1608 the dentry to help the auditing code to more easily generate the
1609 pathname if needed. */
88e67f3b 1610static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1611 struct dentry *dentry,
1612 u32 av)
1613{
1614 struct inode *inode = dentry->d_inode;
2bf49690 1615 struct common_audit_data ad;
88e67f3b 1616
50c205f5 1617 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1618 ad.u.dentry = dentry;
19e49834 1619 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1620}
1621
1622/* Same as inode_has_perm, but pass explicit audit data containing
1623 the path to help the auditing code to more easily generate the
1624 pathname if needed. */
1625static inline int path_has_perm(const struct cred *cred,
1626 struct path *path,
1627 u32 av)
1628{
1629 struct inode *inode = path->dentry->d_inode;
1630 struct common_audit_data ad;
1631
50c205f5 1632 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1633 ad.u.path = *path;
19e49834 1634 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1635}
1636
13f8e981
DH		 1637/* Same as path_has_perm, but uses the inode from the file struct. */
1638static inline int file_path_has_perm(const struct cred *cred,
1639 struct file *file,
1640 u32 av)
1641{
1642 struct common_audit_data ad;
1643
1644 ad.type = LSM_AUDIT_DATA_PATH;
1645 ad.u.path = file->f_path;
19e49834 1646 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1647}
1648
1da177e4
LT		 1649/* Check whether a task can use an open file descriptor to
1650 access an inode in a given way. Check access to the
1651 descriptor itself, and then use dentry_has_perm to
1652 check a particular permission to the file.
1653 Access to the descriptor is implicitly granted if it
1654 has the same SID as the process. If av is zero, then
1655 access to the file is not checked, e.g. for cases
1656 where only the descriptor is affected like seek. */
88e67f3b
DH		 1657static int file_has_perm(const struct cred *cred,
1658 struct file *file,
1659 u32 av)
1da177e4 1660{
1da177e4 1661 struct file_security_struct *fsec = file->f_security;
496ad9aa 1662 struct inode *inode = file_inode(file);
2bf49690 1663 struct common_audit_data ad;
88e67f3b 1664 u32 sid = cred_sid(cred);
1da177e4
LT		 1665 int rc;
1666
50c205f5 1667 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 1668 ad.u.path = file->f_path;
1da177e4 1669
275bb41e
DH		 1670 if (sid != fsec->sid) {
1671 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1672 SECCLASS_FD,
1673 FD__USE,
1674 &ad);
1675 if (rc)
88e67f3b 1676 goto out;
1da177e4
LT		 1677 }
1678
1679 /* av is zero if only checking access to the descriptor. */
88e67f3b 1680 rc = 0;
1da177e4 1681 if (av)
19e49834 1682 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1683
88e67f3b
DH		 1684out:
1685 return rc;
1da177e4
LT		 1686}
1687
1688/* Check whether a task can create a file. */
1689static int may_create(struct inode *dir,
1690 struct dentry *dentry,
1691 u16 tclass)
1692{
5fb49870 1693 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1694 struct inode_security_struct *dsec;
1695 struct superblock_security_struct *sbsec;
275bb41e 1696 u32 sid, newsid;
2bf49690 1697 struct common_audit_data ad;
1da177e4
LT		 1698 int rc;
1699
1da177e4
LT		 1700 dsec = dir->i_security;
1701 sbsec = dir->i_sb->s_security;
1702
275bb41e
DH		 1703 sid = tsec->sid;
1704 newsid = tsec->create_sid;
1705
50c205f5 1706 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1707 ad.u.dentry = dentry;
1da177e4 1708
275bb41e 1709 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1710 DIR__ADD_NAME | DIR__SEARCH,
1711 &ad);
1712 if (rc)
1713 return rc;
1714
12f348b9 1715 if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
cb1e922f
EP		 1716 rc = security_transition_sid(sid, dsec->sid, tclass,
1717 &dentry->d_name, &newsid);
1da177e4
LT		 1718 if (rc)
1719 return rc;
1720 }
1721
275bb41e 1722 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1723 if (rc)
1724 return rc;
1725
1726 return avc_has_perm(newsid, sbsec->sid,
1727 SECCLASS_FILESYSTEM,
1728 FILESYSTEM__ASSOCIATE, &ad);
1729}
1730
4eb582cf
ML		 1731/* Check whether a task can create a key. */
1732static int may_create_key(u32 ksid,
1733 struct task_struct *ctx)
1734{
275bb41e 1735 u32 sid = task_sid(ctx);
4eb582cf 1736
275bb41e 1737 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1738}
1739
828dfe1d
EP		 1740#define MAY_LINK 0
1741#define MAY_UNLINK 1
1742#define MAY_RMDIR 2
1da177e4
LT		 1743
1744/* Check whether a task can link, unlink, or rmdir a file/directory. */
1745static int may_link(struct inode *dir,
1746 struct dentry *dentry,
1747 int kind)
1748
1749{
1da177e4 1750 struct inode_security_struct *dsec, *isec;
2bf49690 1751 struct common_audit_data ad;
275bb41e 1752 u32 sid = current_sid();
1da177e4
LT		 1753 u32 av;
1754 int rc;
1755
1da177e4
LT		 1756 dsec = dir->i_security;
1757 isec = dentry->d_inode->i_security;
1758
50c205f5 1759 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1760 ad.u.dentry = dentry;
1da177e4
LT		 1761
1762 av = DIR__SEARCH;
1763 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1764 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1765 if (rc)
1766 return rc;
1767
1768 switch (kind) {
1769 case MAY_LINK:
1770 av = FILE__LINK;
1771 break;
1772 case MAY_UNLINK:
1773 av = FILE__UNLINK;
1774 break;
1775 case MAY_RMDIR:
1776 av = DIR__RMDIR;
1777 break;
1778 default:
744ba35e
EP		 1779 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1780 __func__, kind);
1da177e4
LT		 1781 return 0;
1782 }
1783
275bb41e 1784 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1785 return rc;
1786}
1787
1788static inline int may_rename(struct inode *old_dir,
1789 struct dentry *old_dentry,
1790 struct inode *new_dir,
1791 struct dentry *new_dentry)
1792{
1da177e4 1793 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1794 struct common_audit_data ad;
275bb41e 1795 u32 sid = current_sid();
1da177e4
LT		 1796 u32 av;
1797 int old_is_dir, new_is_dir;
1798 int rc;
1799
1da177e4
LT		 1800 old_dsec = old_dir->i_security;
1801 old_isec = old_dentry->d_inode->i_security;
1802 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1803 new_dsec = new_dir->i_security;
1804
50c205f5 1805 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1806
a269434d 1807 ad.u.dentry = old_dentry;
275bb41e 1808 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1809 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1810 if (rc)
1811 return rc;
275bb41e 1812 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1813 old_isec->sclass, FILE__RENAME, &ad);
1814 if (rc)
1815 return rc;
1816 if (old_is_dir && new_dir != old_dir) {
275bb41e 1817 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1818 old_isec->sclass, DIR__REPARENT, &ad);
1819 if (rc)
1820 return rc;
1821 }
1822
a269434d 1823 ad.u.dentry = new_dentry;
1da177e4 1824 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1825 if (d_is_positive(new_dentry))
1da177e4 1826 av |= DIR__REMOVE_NAME;
275bb41e 1827 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1828 if (rc)
1829 return rc;
2c616d4d 1830 if (d_is_positive(new_dentry)) {
1da177e4
LT		 1831 new_isec = new_dentry->d_inode->i_security;
1832 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
275bb41e 1833 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1834 new_isec->sclass,
1835 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1836 if (rc)
1837 return rc;
1838 }
1839
1840 return 0;
1841}
1842
1843/* Check whether a task can perform a filesystem operation. */
88e67f3b 1844static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1845 struct super_block *sb,
1846 u32 perms,
2bf49690 1847 struct common_audit_data *ad)
1da177e4 1848{
1da177e4 1849 struct superblock_security_struct *sbsec;
88e67f3b 1850 u32 sid = cred_sid(cred);
1da177e4 1851
1da177e4 1852 sbsec = sb->s_security;
275bb41e 1853 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1854}
1855
1856/* Convert a Linux mode and permission mask to an access vector. */
1857static inline u32 file_mask_to_av(int mode, int mask)
1858{
1859 u32 av = 0;
1860
dba19c60 1861 if (!S_ISDIR(mode)) {
1da177e4
LT		 1862 if (mask & MAY_EXEC)
1863 av |= FILE__EXECUTE;
1864 if (mask & MAY_READ)
1865 av |= FILE__READ;
1866
1867 if (mask & MAY_APPEND)
1868 av |= FILE__APPEND;
1869 else if (mask & MAY_WRITE)
1870 av |= FILE__WRITE;
1871
1872 } else {
1873 if (mask & MAY_EXEC)
1874 av |= DIR__SEARCH;
1875 if (mask & MAY_WRITE)
1876 av |= DIR__WRITE;
1877 if (mask & MAY_READ)
1878 av |= DIR__READ;
1879 }
1880
1881 return av;
1882}
1883
8b6a5a37
EP		 1884/* Convert a Linux file to an access vector. */
1885static inline u32 file_to_av(struct file *file)
1886{
1887 u32 av = 0;
1888
1889 if (file->f_mode & FMODE_READ)
1890 av |= FILE__READ;
1891 if (file->f_mode & FMODE_WRITE) {
1892 if (file->f_flags & O_APPEND)
1893 av |= FILE__APPEND;
1894 else
1895 av |= FILE__WRITE;
1896 }
1897 if (!av) {
1898 /*
1899 * Special file opened with flags 3 for ioctl-only use.
1900 */
1901 av = FILE__IOCTL;
1902 }
1903
1904 return av;
1905}
1906
b0c636b9 1907/*
8b6a5a37 1908 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 1909 * open permission.
1910 */
8b6a5a37 1911static inline u32 open_file_to_av(struct file *file)
b0c636b9 1912{
8b6a5a37 1913 u32 av = file_to_av(file);
b0c636b9 1914
49b7b8de
EP		 1915 if (selinux_policycap_openperm)
1916 av |= FILE__OPEN;
1917
b0c636b9
EP		 1918 return av;
1919}
1920
1da177e4
LT		 1921/* Hook functions begin here. */
1922
79af7307
SS		 1923static int selinux_binder_set_context_mgr(struct task_struct *mgr)
1924{
1925 u32 mysid = current_sid();
1926 u32 mgrsid = task_sid(mgr);
1927
1928 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
1929 BINDER__SET_CONTEXT_MGR, NULL);
1930}
1931
1932static int selinux_binder_transaction(struct task_struct *from,
1933 struct task_struct *to)
1934{
1935 u32 mysid = current_sid();
1936 u32 fromsid = task_sid(from);
1937 u32 tosid = task_sid(to);
1938 int rc;
1939
1940 if (mysid != fromsid) {
1941 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
1942 BINDER__IMPERSONATE, NULL);
1943 if (rc)
1944 return rc;
1945 }
1946
1947 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
1948 NULL);
1949}
1950
1951static int selinux_binder_transfer_binder(struct task_struct *from,
1952 struct task_struct *to)
1953{
1954 u32 fromsid = task_sid(from);
1955 u32 tosid = task_sid(to);
1956
1957 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
1958 NULL);
1959}
1960
1961static int selinux_binder_transfer_file(struct task_struct *from,
1962 struct task_struct *to,
1963 struct file *file)
1964{
1965 u32 sid = task_sid(to);
1966 struct file_security_struct *fsec = file->f_security;
1967 struct inode *inode = file->f_path.dentry->d_inode;
1968 struct inode_security_struct *isec = inode->i_security;
1969 struct common_audit_data ad;
1970 int rc;
1971
1972 ad.type = LSM_AUDIT_DATA_PATH;
1973 ad.u.path = file->f_path;
1974
1975 if (sid != fsec->sid) {
1976 rc = avc_has_perm(sid, fsec->sid,
1977 SECCLASS_FD,
1978 FD__USE,
1979 &ad);
1980 if (rc)
1981 return rc;
1982 }
1983
1984 if (unlikely(IS_PRIVATE(inode)))
1985 return 0;
1986
1987 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
1988 &ad);
1989}
1990
9e48858f 1991static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 1992 unsigned int mode)
1da177e4 1993{
1da177e4
LT		 1994 int rc;
1995
9e48858f 1996 rc = cap_ptrace_access_check(child, mode);
1da177e4
LT		 1997 if (rc)
1998 return rc;
1999
69f594a3 2000 if (mode & PTRACE_MODE_READ) {
275bb41e
DH		 2001 u32 sid = current_sid();
2002 u32 csid = task_sid(child);
2003 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 2004 }
2005
3b11a1de 2006 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 2007}
2008
2009static int selinux_ptrace_traceme(struct task_struct *parent)
2010{
2011 int rc;
2012
200ac532 2013 rc = cap_ptrace_traceme(parent);
5cd9c58f
DH		 2014 if (rc)
2015 return rc;
2016
2017 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 2018}
2019
2020static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2021 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4
LT		 2022{
2023 int error;
2024
3b11a1de 2025 error = current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 2026 if (error)
2027 return error;
2028
200ac532 2029 return cap_capget(target, effective, inheritable, permitted);
1da177e4
LT		 2030}
2031
d84f4f99
DH		 2032static int selinux_capset(struct cred *new, const struct cred *old,
2033 const kernel_cap_t *effective,
2034 const kernel_cap_t *inheritable,
2035 const kernel_cap_t *permitted)
1da177e4
LT		 2036{
2037 int error;
2038
200ac532 2039 error = cap_capset(new, old,
d84f4f99 2040 effective, inheritable, permitted);
1da177e4
LT		 2041 if (error)
2042 return error;
2043
d84f4f99 2044 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 2045}
2046
5626d3e8
JM		 2047/*
2048 * (This comment used to live with the selinux_task_setuid hook,
2049 * which was removed).
2050 *
2051 * Since setuid only affects the current process, and since the SELinux
2052 * controls are not based on the Linux identity attributes, SELinux does not
2053 * need to control this operation. However, SELinux does control the use of
2054 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2055 */
2056
6a9de491
EP		 2057static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2058 int cap, int audit)
1da177e4
LT		 2059{
2060 int rc;
2061
6a9de491 2062 rc = cap_capable(cred, ns, cap, audit);
1da177e4
LT		 2063 if (rc)
2064 return rc;
2065
6a9de491 2066 return cred_has_capability(cred, cap, audit);
1da177e4
LT		 2067}
2068
1da177e4
LT		 2069static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2070{
88e67f3b 2071 const struct cred *cred = current_cred();
1da177e4
LT		 2072 int rc = 0;
2073
2074 if (!sb)
2075 return 0;
2076
2077 switch (cmds) {
828dfe1d
EP		 2078 case Q_SYNC:
2079 case Q_QUOTAON:
2080 case Q_QUOTAOFF:
2081 case Q_SETINFO:
2082 case Q_SETQUOTA:
88e67f3b 2083 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2084 break;
2085 case Q_GETFMT:
2086 case Q_GETINFO:
2087 case Q_GETQUOTA:
88e67f3b 2088 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2089 break;
2090 default:
2091 rc = 0; /* let the kernel handle invalid cmds */
2092 break;
1da177e4
LT		 2093 }
2094 return rc;
2095}
2096
2097static int selinux_quota_on(struct dentry *dentry)
2098{
88e67f3b
DH		 2099 const struct cred *cred = current_cred();
2100
2875fa00 2101 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2102}
2103
12b3052c 2104static int selinux_syslog(int type)
1da177e4
LT		 2105{
2106 int rc;
2107
1da177e4 2108 switch (type) {
d78ca3cd
KC		 2109 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2110 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
828dfe1d
EP		 2111 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2112 break;
d78ca3cd
KC		 2113 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2114 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2115 /* Set level of messages printed to console */
2116 case SYSLOG_ACTION_CONSOLE_LEVEL:
828dfe1d
EP		 2117 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2118 break;
d78ca3cd
KC		 2119 case SYSLOG_ACTION_CLOSE: /* Close log */
2120 case SYSLOG_ACTION_OPEN: /* Open log */
2121 case SYSLOG_ACTION_READ: /* Read from log */
2122 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2123 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
828dfe1d
EP		 2124 default:
2125 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2126 break;
1da177e4
LT		 2127 }
2128 return rc;
2129}
2130
2131/*
2132 * Check that a process has enough memory to allocate a new virtual
2133 * mapping. 0 means there is enough memory for the allocation to
2134 * succeed and -ENOMEM implies there is not.
2135 *
1da177e4
LT		 2136 * Do not audit the selinux permission check, as this is applied to all
2137 * processes that allocate mappings.
2138 */
34b4e4aa 2139static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2140{
2141 int rc, cap_sys_admin = 0;
1da177e4 2142
6a9de491 2143 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
3699c53c 2144 SECURITY_CAP_NOAUDIT);
1da177e4
LT		 2145 if (rc == 0)
2146 cap_sys_admin = 1;
2147
34b4e4aa 2148 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 2149}
2150
2151/* binprm security operations */
2152
7b0d0b40
SS		 2153static int check_nnp_nosuid(const struct linux_binprm *bprm,
2154 const struct task_security_struct *old_tsec,
2155 const struct task_security_struct *new_tsec)
2156{
2157 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2158 int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2159 int rc;
2160
2161 if (!nnp && !nosuid)
2162 return 0; /* neither NNP nor nosuid */
2163
2164 if (new_tsec->sid == old_tsec->sid)
2165 return 0; /* No change in credentials */
2166
2167 /*
2168 * The only transitions we permit under NNP or nosuid
2169 * are transitions to bounded SIDs, i.e. SIDs that are
2170 * guaranteed to only be allowed a subset of the permissions
2171 * of the current SID.
2172 */
2173 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2174 if (rc) {
2175 /*
2176 * On failure, preserve the errno values for NNP vs nosuid.
2177 * NNP: Operation not permitted for caller.
2178 * nosuid: Permission denied to file.
2179 */
2180 if (nnp)
2181 return -EPERM;
2182 else
2183 return -EACCES;
2184 }
2185 return 0;
2186}
2187
a6f76f23 2188static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2189{
a6f76f23
DH		 2190 const struct task_security_struct *old_tsec;
2191 struct task_security_struct *new_tsec;
1da177e4 2192 struct inode_security_struct *isec;
2bf49690 2193 struct common_audit_data ad;
496ad9aa 2194 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2195 int rc;
2196
200ac532 2197 rc = cap_bprm_set_creds(bprm);
1da177e4
LT		 2198 if (rc)
2199 return rc;
2200
a6f76f23
DH		 2201 /* SELinux context only depends on initial program or script and not
2202 * the script interpreter */
2203 if (bprm->cred_prepared)
1da177e4
LT		 2204 return 0;
2205
a6f76f23
DH		 2206 old_tsec = current_security();
2207 new_tsec = bprm->cred->security;
1da177e4
LT		 2208 isec = inode->i_security;
2209
2210 /* Default to the current task SID. */
a6f76f23
DH		 2211 new_tsec->sid = old_tsec->sid;
2212 new_tsec->osid = old_tsec->sid;
1da177e4 2213
28eba5bf 2214 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2215 new_tsec->create_sid = 0;
2216 new_tsec->keycreate_sid = 0;
2217 new_tsec->sockcreate_sid = 0;
1da177e4 2218
a6f76f23
DH		 2219 if (old_tsec->exec_sid) {
2220 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2221 /* Reset exec SID on execve. */
a6f76f23 2222 new_tsec->exec_sid = 0;
259e5e6c 2223
7b0d0b40
SS		 2224 /* Fail on NNP or nosuid if not an allowed transition. */
2225 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2226 if (rc)
2227 return rc;
1da177e4
LT		 2228 } else {
2229 /* Check for a default transition on this program. */
a6f76f23 2230 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2231 SECCLASS_PROCESS, NULL,
2232 &new_tsec->sid);
1da177e4
LT		 2233 if (rc)
2234 return rc;
7b0d0b40
SS		 2235
2236 /*
2237 * Fallback to old SID on NNP or nosuid if not an allowed
2238 * transition.
2239 */
2240 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2241 if (rc)
2242 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2243 }
2244
50c205f5 2245 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 2246 ad.u.path = bprm->file->f_path;
1da177e4 2247
a6f76f23
DH		 2248 if (new_tsec->sid == old_tsec->sid) {
2249 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2250 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2251 if (rc)
2252 return rc;
2253 } else {
2254 /* Check permissions for the transition. */
a6f76f23 2255 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2256 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2257 if (rc)
2258 return rc;
2259
a6f76f23 2260 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2261 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2262 if (rc)
2263 return rc;
2264
a6f76f23
DH		 2265 /* Check for shared state */
2266 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2267 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2268 SECCLASS_PROCESS, PROCESS__SHARE,
2269 NULL);
2270 if (rc)
2271 return -EPERM;
2272 }
2273
2274 /* Make sure that anyone attempting to ptrace over a task that
2275 * changes its SID has the appropriate permit */
2276 if (bprm->unsafe &
2277 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2278 struct task_struct *tracer;
2279 struct task_security_struct *sec;
2280 u32 ptsid = 0;
2281
2282 rcu_read_lock();
06d98473 2283 tracer = ptrace_parent(current);
a6f76f23
DH		 2284 if (likely(tracer != NULL)) {
2285 sec = __task_cred(tracer)->security;
2286 ptsid = sec->sid;
2287 }
2288 rcu_read_unlock();
2289
2290 if (ptsid != 0) {
2291 rc = avc_has_perm(ptsid, new_tsec->sid,
2292 SECCLASS_PROCESS,
2293 PROCESS__PTRACE, NULL);
2294 if (rc)
2295 return -EPERM;
2296 }
2297 }
1da177e4 2298
a6f76f23
DH		 2299 /* Clear any possibly unsafe personality bits on exec: */
2300 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2301 }
2302
1da177e4
LT		 2303 return 0;
2304}
2305
828dfe1d 2306static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2307{
5fb49870 2308 const struct task_security_struct *tsec = current_security();
275bb41e 2309 u32 sid, osid;
1da177e4
LT		 2310 int atsecure = 0;
2311
275bb41e
DH		 2312 sid = tsec->sid;
2313 osid = tsec->osid;
2314
2315 if (osid != sid) {
1da177e4
LT		 2316 /* Enable secure mode for SIDs transitions unless
2317 the noatsecure permission is granted between
2318 the two SIDs, i.e. ahp returns 0. */
275bb41e 2319 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2320 SECCLASS_PROCESS,
2321 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2322 }
2323
200ac532 2324 return (atsecure || cap_bprm_secureexec(bprm));
1da177e4
LT		 2325}
2326
c3c073f8
AV		 2327static int match_file(const void *p, struct file *file, unsigned fd)
2328{
2329 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2330}
2331
1da177e4 2332/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2333static inline void flush_unauthorized_files(const struct cred *cred,
2334 struct files_struct *files)
1da177e4 2335{
1da177e4 2336 struct file *file, *devnull = NULL;
b20c8122 2337 struct tty_struct *tty;
24ec839c 2338 int drop_tty = 0;
c3c073f8 2339 unsigned n;
1da177e4 2340
24ec839c 2341 tty = get_current_tty();
1da177e4 2342 if (tty) {
ee2ffa0d 2343 spin_lock(&tty_files_lock);
37dd0bd0 2344 if (!list_empty(&tty->tty_files)) {
d996b62a 2345 struct tty_file_private *file_priv;
37dd0bd0 2346
1da177e4 2347 /* Revalidate access to controlling tty.
13f8e981
DH		 2348 Use file_path_has_perm on the tty path directly
2349 rather than using file_has_perm, as this particular
2350 open file may belong to another process and we are
2351 only interested in the inode-based check here. */
d996b62a
NP		 2352 file_priv = list_first_entry(&tty->tty_files,
2353 struct tty_file_private, list);
2354 file = file_priv->file;
13f8e981 2355 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2356 drop_tty = 1;
1da177e4 2357 }
ee2ffa0d 2358 spin_unlock(&tty_files_lock);
452a00d2 2359 tty_kref_put(tty);
1da177e4 2360 }
98a27ba4
EB		 2361 /* Reset controlling tty. */
2362 if (drop_tty)
2363 no_tty();
1da177e4
LT		 2364
2365 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2366 n = iterate_fd(files, 0, match_file, cred);
2367 if (!n) /* none found? */
2368 return;
1da177e4 2369
c3c073f8 2370 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2371 if (IS_ERR(devnull))
2372 devnull = NULL;
2373 /* replace all the matching ones with this */
2374 do {
2375 replace_fd(n - 1, devnull, 0);
2376 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2377 if (devnull)
c3c073f8 2378 fput(devnull);
1da177e4
LT		 2379}
2380
a6f76f23
DH		 2381/*
2382 * Prepare a process for imminent new credential changes due to exec
2383 */
2384static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2385{
a6f76f23
DH		 2386 struct task_security_struct *new_tsec;
2387 struct rlimit *rlim, *initrlim;
2388 int rc, i;
d84f4f99 2389
a6f76f23
DH		 2390 new_tsec = bprm->cred->security;
2391 if (new_tsec->sid == new_tsec->osid)
2392 return;
1da177e4 2393
a6f76f23
DH		 2394 /* Close files for which the new task SID is not authorized. */
2395 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2396
a6f76f23
DH		 2397 /* Always clear parent death signal on SID transitions. */
2398 current->pdeath_signal = 0;
0356357c 2399
a6f76f23
DH		 2400 /* Check whether the new SID can inherit resource limits from the old
2401 * SID. If not, reset all soft limits to the lower of the current
2402 * task's hard limit and the init task's soft limit.
2403 *
2404 * Note that the setting of hard limits (even to lower them) can be
2405 * controlled by the setrlimit check. The inclusion of the init task's
2406 * soft limit into the computation is to avoid resetting soft limits
2407 * higher than the default soft limit for cases where the default is
2408 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2409 */
2410 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2411 PROCESS__RLIMITINH, NULL);
2412 if (rc) {
eb2d55a3
ON		 2413 /* protect against do_prlimit() */
2414 task_lock(current);
a6f76f23
DH		 2415 for (i = 0; i < RLIM_NLIMITS; i++) {
2416 rlim = current->signal->rlim + i;
2417 initrlim = init_task.signal->rlim + i;
2418 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2419 }
eb2d55a3
ON		 2420 task_unlock(current);
2421 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2422 }
2423}
2424
2425/*
a6f76f23
DH		 2426 * Clean up the process immediately after the installation of new credentials
2427 * due to exec
1da177e4 2428 */
a6f76f23 2429static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2430{
a6f76f23 2431 const struct task_security_struct *tsec = current_security();
1da177e4 2432 struct itimerval itimer;
a6f76f23 2433 u32 osid, sid;
1da177e4
LT		 2434 int rc, i;
2435
a6f76f23
DH		 2436 osid = tsec->osid;
2437 sid = tsec->sid;
2438
2439 if (sid == osid)
1da177e4
LT		 2440 return;
2441
a6f76f23
DH		 2442 /* Check whether the new SID can inherit signal state from the old SID.
2443 * If not, clear itimers to avoid subsequent signal generation and
2444 * flush and unblock signals.
2445 *
2446 * This must occur _after_ the task SID has been updated so that any
2447 * kill done after the flush will be checked against the new SID.
2448 */
2449 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4
LT		 2450 if (rc) {
2451 memset(&itimer, 0, sizeof itimer);
2452 for (i = 0; i < 3; i++)
2453 do_setitimer(i, &itimer, NULL);
1da177e4 2454 spin_lock_irq(&current->sighand->siglock);
3bcac026
DH		 2455 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2456 __flush_signals(current);
2457 flush_signal_handlers(current, 1);
2458 sigemptyset(&current->blocked);
2459 }
1da177e4
LT		 2460 spin_unlock_irq(&current->sighand->siglock);
2461 }
2462
a6f76f23
DH		 2463 /* Wake up the parent if it is waiting so that it can recheck
2464 * wait permission to the new task SID. */
ecd6de3c 2465 read_lock(&tasklist_lock);
0b7570e7 2466 __wake_up_parent(current, current->real_parent);
ecd6de3c 2467 read_unlock(&tasklist_lock);
1da177e4
LT		 2468}
2469
2470/* superblock security operations */
2471
2472static int selinux_sb_alloc_security(struct super_block *sb)
2473{
2474 return superblock_alloc_security(sb);
2475}
2476
2477static void selinux_sb_free_security(struct super_block *sb)
2478{
2479 superblock_free_security(sb);
2480}
2481
2482static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2483{
2484 if (plen > olen)
2485 return 0;
2486
2487 return !memcmp(prefix, option, plen);
2488}
2489
2490static inline int selinux_option(char *option, int len)
2491{
832cbd9a
EP		 2492 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2493 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2494 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2495 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2496 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2497}
2498
2499static inline void take_option(char **to, char *from, int *first, int len)
2500{
2501 if (!*first) {
2502 **to = ',';
2503 *to += 1;
3528a953 2504 } else
1da177e4
LT		 2505 *first = 0;
2506 memcpy(*to, from, len);
2507 *to += len;
2508}
2509
828dfe1d
EP		 2510static inline void take_selinux_option(char **to, char *from, int *first,
2511 int len)
3528a953
CO		 2512{
2513 int current_size = 0;
2514
2515 if (!*first) {
2516 **to = '|';
2517 *to += 1;
828dfe1d 2518 } else
3528a953
CO		 2519 *first = 0;
2520
2521 while (current_size < len) {
2522 if (*from != '"') {
2523 **to = *from;
2524 *to += 1;
2525 }
2526 from += 1;
2527 current_size += 1;
2528 }
2529}
2530
e0007529 2531static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2532{
2533 int fnosec, fsec, rc = 0;
2534 char *in_save, *in_curr, *in_end;
2535 char *sec_curr, *nosec_save, *nosec;
3528a953 2536 int open_quote = 0;
1da177e4
LT		 2537
2538 in_curr = orig;
2539 sec_curr = copy;
2540
1da177e4
LT		 2541 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2542 if (!nosec) {
2543 rc = -ENOMEM;
2544 goto out;
2545 }
2546
2547 nosec_save = nosec;
2548 fnosec = fsec = 1;
2549 in_save = in_end = orig;
2550
2551 do {
3528a953
CO		 2552 if (*in_end == '"')
2553 open_quote = !open_quote;
2554 if ((*in_end == ',' && open_quote == 0) ||
2555 *in_end == '\0') {
1da177e4
LT		 2556 int len = in_end - in_curr;
2557
2558 if (selinux_option(in_curr, len))
3528a953 2559 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2560 else
2561 take_option(&nosec, in_curr, &fnosec, len);
2562
2563 in_curr = in_end + 1;
2564 }
2565 } while (*in_end++);
2566
6931dfc9 2567 strcpy(in_save, nosec_save);
da3caa20 2568 free_page((unsigned long)nosec_save);
1da177e4
LT		 2569out:
2570 return rc;
2571}
2572
026eb167
EP		 2573static int selinux_sb_remount(struct super_block *sb, void *data)
2574{
2575 int rc, i, *flags;
2576 struct security_mnt_opts opts;
2577 char *secdata, **mount_options;
2578 struct superblock_security_struct *sbsec = sb->s_security;
2579
2580 if (!(sbsec->flags & SE_SBINITIALIZED))
2581 return 0;
2582
2583 if (!data)
2584 return 0;
2585
2586 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2587 return 0;
2588
2589 security_init_mnt_opts(&opts);
2590 secdata = alloc_secdata();
2591 if (!secdata)
2592 return -ENOMEM;
2593 rc = selinux_sb_copy_data(data, secdata);
2594 if (rc)
2595 goto out_free_secdata;
2596
2597 rc = selinux_parse_opts_str(secdata, &opts);
2598 if (rc)
2599 goto out_free_secdata;
2600
2601 mount_options = opts.mnt_opts;
2602 flags = opts.mnt_opts_flags;
2603
2604 for (i = 0; i < opts.num_mnt_opts; i++) {
2605 u32 sid;
2606 size_t len;
2607
12f348b9 2608 if (flags[i] == SBLABEL_MNT)
026eb167
EP		 2609 continue;
2610 len = strlen(mount_options[i]);
52a4c640
NA		 2611 rc = security_context_to_sid(mount_options[i], len, &sid,
2612 GFP_KERNEL);
026eb167
EP		 2613 if (rc) {
2614 printk(KERN_WARNING "SELinux: security_context_to_sid"
29b1deb2
LT		 2615 "(%s) failed for (dev %s, type %s) errno=%d\n",
2616 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2617 goto out_free_opts;
2618 }
2619 rc = -EINVAL;
2620 switch (flags[i]) {
2621 case FSCONTEXT_MNT:
2622 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2623 goto out_bad_option;
2624 break;
2625 case CONTEXT_MNT:
2626 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2627 goto out_bad_option;
2628 break;
2629 case ROOTCONTEXT_MNT: {
2630 struct inode_security_struct *root_isec;
2631 root_isec = sb->s_root->d_inode->i_security;
2632
2633 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2634 goto out_bad_option;
2635 break;
2636 }
2637 case DEFCONTEXT_MNT:
2638 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2639 goto out_bad_option;
2640 break;
2641 default:
2642 goto out_free_opts;
2643 }
2644 }
2645
2646 rc = 0;
2647out_free_opts:
2648 security_free_mnt_opts(&opts);
2649out_free_secdata:
2650 free_secdata(secdata);
2651 return rc;
2652out_bad_option:
2653 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2654 "during remount (dev %s, type=%s)\n", sb->s_id,
2655 sb->s_type->name);
026eb167
EP		 2656 goto out_free_opts;
2657}
2658
12204e24 2659static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2660{
88e67f3b 2661 const struct cred *cred = current_cred();
2bf49690 2662 struct common_audit_data ad;
1da177e4
LT		 2663 int rc;
2664
2665 rc = superblock_doinit(sb, data);
2666 if (rc)
2667 return rc;
2668
74192246
JM		 2669 /* Allow all mounts performed by the kernel */
2670 if (flags & MS_KERNMOUNT)
2671 return 0;
2672
50c205f5 2673 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2674 ad.u.dentry = sb->s_root;
88e67f3b 2675 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2676}
2677
726c3342 2678static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2679{
88e67f3b 2680 const struct cred *cred = current_cred();
2bf49690 2681 struct common_audit_data ad;
1da177e4 2682
50c205f5 2683 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2684 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2685 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2686}
2687
808d4e3c 2688static int selinux_mount(const char *dev_name,
b5266eb4 2689 struct path *path,
808d4e3c 2690 const char *type,
828dfe1d
EP		 2691 unsigned long flags,
2692 void *data)
1da177e4 2693{
88e67f3b 2694 const struct cred *cred = current_cred();
1da177e4
LT		 2695
2696 if (flags & MS_REMOUNT)
d8c9584e 2697 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2698 FILESYSTEM__REMOUNT, NULL);
1da177e4 2699 else
2875fa00 2700 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2701}
2702
2703static int selinux_umount(struct vfsmount *mnt, int flags)
2704{
88e67f3b 2705 const struct cred *cred = current_cred();
1da177e4 2706
88e67f3b 2707 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2708 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2709}
2710
2711/* inode security operations */
2712
2713static int selinux_inode_alloc_security(struct inode *inode)
2714{
2715 return inode_alloc_security(inode);
2716}
2717
2718static void selinux_inode_free_security(struct inode *inode)
2719{
2720 inode_free_security(inode);
2721}
2722
d47be3df
DQ		 2723static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2724 struct qstr *name, void **ctx,
2725 u32 *ctxlen)
2726{
2727 const struct cred *cred = current_cred();
2728 struct task_security_struct *tsec;
2729 struct inode_security_struct *dsec;
2730 struct superblock_security_struct *sbsec;
2731 struct inode *dir = dentry->d_parent->d_inode;
2732 u32 newsid;
2733 int rc;
2734
2735 tsec = cred->security;
2736 dsec = dir->i_security;
2737 sbsec = dir->i_sb->s_security;
2738
2739 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2740 newsid = tsec->create_sid;
2741 } else {
2742 rc = security_transition_sid(tsec->sid, dsec->sid,
2743 inode_mode_to_security_class(mode),
2744 name,
2745 &newsid);
2746 if (rc) {
2747 printk(KERN_WARNING
2748 "%s: security_transition_sid failed, rc=%d\n",
2749 __func__, -rc);
2750 return rc;
2751 }
2752 }
2753
2754 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2755}
2756
5e41ff9e 2757static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2758 const struct qstr *qstr,
2759 const char **name,
2a7dba39 2760 void **value, size_t *len)
5e41ff9e 2761{
5fb49870 2762 const struct task_security_struct *tsec = current_security();
5e41ff9e
SS		 2763 struct inode_security_struct *dsec;
2764 struct superblock_security_struct *sbsec;
275bb41e 2765 u32 sid, newsid, clen;
5e41ff9e 2766 int rc;
9548906b 2767 char *context;
5e41ff9e 2768
5e41ff9e
SS		 2769 dsec = dir->i_security;
2770 sbsec = dir->i_sb->s_security;
5e41ff9e 2771
275bb41e
DH		 2772 sid = tsec->sid;
2773 newsid = tsec->create_sid;
2774
415103f9
EP		 2775 if ((sbsec->flags & SE_SBINITIALIZED) &&
2776 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2777 newsid = sbsec->mntpoint_sid;
12f348b9 2778 else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
275bb41e 2779 rc = security_transition_sid(sid, dsec->sid,
5e41ff9e 2780 inode_mode_to_security_class(inode->i_mode),
652bb9b0 2781 qstr, &newsid);
5e41ff9e
SS		 2782 if (rc) {
2783 printk(KERN_WARNING "%s: "
2784 "security_transition_sid failed, rc=%d (dev=%s "
2785 "ino=%ld)\n",
dd6f953a 2786 __func__,
5e41ff9e
SS		 2787 -rc, inode->i_sb->s_id, inode->i_ino);
2788 return rc;
2789 }
2790 }
2791
296fddf7 2792 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2793 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2794 struct inode_security_struct *isec = inode->i_security;
2795 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2796 isec->sid = newsid;
2797 isec->initialized = 1;
2798 }
5e41ff9e 2799
12f348b9 2800 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2801 return -EOPNOTSUPP;
2802
9548906b
TH		 2803 if (name)
2804 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2805
570bc1c2 2806 if (value && len) {
12b29f34 2807 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 2808 if (rc)
570bc1c2 2809 return rc;
570bc1c2
SS		 2810 *value = context;
2811 *len = clen;
5e41ff9e 2812 }
5e41ff9e 2813
5e41ff9e
SS		 2814 return 0;
2815}
2816
4acdaf27 2817static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2818{
2819 return may_create(dir, dentry, SECCLASS_FILE);
2820}
2821
1da177e4
LT		 2822static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2823{
1da177e4
LT		 2824 return may_link(dir, old_dentry, MAY_LINK);
2825}
2826
1da177e4
LT		 2827static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2828{
1da177e4
LT		 2829 return may_link(dir, dentry, MAY_UNLINK);
2830}
2831
2832static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2833{
2834 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2835}
2836
18bb1db3 2837static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2838{
2839 return may_create(dir, dentry, SECCLASS_DIR);
2840}
2841
1da177e4
LT		 2842static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2843{
2844 return may_link(dir, dentry, MAY_RMDIR);
2845}
2846
1a67aafb 2847static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2848{
1da177e4
LT		 2849 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2850}
2851
1da177e4 2852static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2853 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2854{
2855 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2856}
2857
1da177e4
LT		 2858static int selinux_inode_readlink(struct dentry *dentry)
2859{
88e67f3b
DH		 2860 const struct cred *cred = current_cred();
2861
2875fa00 2862 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2863}
2864
2865static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2866{
88e67f3b 2867 const struct cred *cred = current_cred();
1da177e4 2868
2875fa00 2869 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2870}
2871
d4cf970d
EP		 2872static noinline int audit_inode_permission(struct inode *inode,
2873 u32 perms, u32 audited, u32 denied,
626b9740 2874 int result,
d4cf970d 2875 unsigned flags)
1da177e4 2876{
b782e0a6 2877 struct common_audit_data ad;
d4cf970d
EP		 2878 struct inode_security_struct *isec = inode->i_security;
2879 int rc;
2880
50c205f5 2881 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 2882 ad.u.inode = inode;
2883
2884 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
626b9740 2885 audited, denied, result, &ad, flags);
d4cf970d
EP		 2886 if (rc)
2887 return rc;
2888 return 0;
2889}
2890
e74f71eb 2891static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2892{
88e67f3b 2893 const struct cred *cred = current_cred();
b782e0a6
EP		 2894 u32 perms;
2895 bool from_access;
cf1dd1da 2896 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 2897 struct inode_security_struct *isec;
2898 u32 sid;
2899 struct av_decision avd;
2900 int rc, rc2;
2901 u32 audited, denied;
1da177e4 2902
b782e0a6 2903 from_access = mask & MAY_ACCESS;
d09ca739
EP		 2904 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2905
b782e0a6
EP		 2906 /* No permission to check. Existence test. */
2907 if (!mask)
1da177e4 2908 return 0;
1da177e4 2909
2e334057 2910 validate_creds(cred);
b782e0a6 2911
2e334057
EP		 2912 if (unlikely(IS_PRIVATE(inode)))
2913 return 0;
b782e0a6
EP		 2914
2915 perms = file_mask_to_av(inode->i_mode, mask);
2916
2e334057
EP		 2917 sid = cred_sid(cred);
2918 isec = inode->i_security;
2919
2920 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2921 audited = avc_audit_required(perms, &avd, rc,
2922 from_access ? FILE__AUDIT_ACCESS : 0,
2923 &denied);
2924 if (likely(!audited))
2925 return rc;
2926
626b9740 2927 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 2928 if (rc2)
2929 return rc2;
2930 return rc;
1da177e4
LT		 2931}
2932
2933static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2934{
88e67f3b 2935 const struct cred *cred = current_cred();
bc6a6008 2936 unsigned int ia_valid = iattr->ia_valid;
95dbf739 2937 __u32 av = FILE__WRITE;
1da177e4 2938
bc6a6008
AW		 2939 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2940 if (ia_valid & ATTR_FORCE) {
2941 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2942 ATTR_FORCE);
2943 if (!ia_valid)
2944 return 0;
2945 }
1da177e4 2946
bc6a6008
AW		 2947 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2948 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 2949 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 2950
3d2195c3 2951 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
95dbf739
EP		 2952 av |= FILE__OPEN;
2953
2954 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 2955}
2956
2957static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2958{
88e67f3b 2959 const struct cred *cred = current_cred();
2875fa00
EP		 2960 struct path path;
2961
2962 path.dentry = dentry;
2963 path.mnt = mnt;
88e67f3b 2964
2875fa00 2965 return path_has_perm(cred, &path, FILE__GETATTR);
1da177e4
LT		 2966}
2967
8f0cfa52 2968static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 2969{
88e67f3b
DH		 2970 const struct cred *cred = current_cred();
2971
b5376771
SH		 2972 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2973 sizeof XATTR_SECURITY_PREFIX - 1)) {
2974 if (!strcmp(name, XATTR_NAME_CAPS)) {
2975 if (!capable(CAP_SETFCAP))
2976 return -EPERM;
2977 } else if (!capable(CAP_SYS_ADMIN)) {
2978 /* A different attribute in the security namespace.
2979 Restrict to administrator. */
2980 return -EPERM;
2981 }
2982 }
2983
2984 /* Not an attribute we recognize, so just check the
2985 ordinary setattr permission. */
2875fa00 2986 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 2987}
2988
8f0cfa52
DH		 2989static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2990 const void *value, size_t size, int flags)
1da177e4 2991{
1da177e4
LT		 2992 struct inode *inode = dentry->d_inode;
2993 struct inode_security_struct *isec = inode->i_security;
2994 struct superblock_security_struct *sbsec;
2bf49690 2995 struct common_audit_data ad;
275bb41e 2996 u32 newsid, sid = current_sid();
1da177e4
LT		 2997 int rc = 0;
2998
b5376771
SH		 2999 if (strcmp(name, XATTR_NAME_SELINUX))
3000 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3001
3002 sbsec = inode->i_sb->s_security;
12f348b9 3003 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3004 return -EOPNOTSUPP;
3005
2e149670 3006 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3007 return -EPERM;
3008
50c205f5 3009 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3010 ad.u.dentry = dentry;
1da177e4 3011
275bb41e 3012 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 3013 FILE__RELABELFROM, &ad);
3014 if (rc)
3015 return rc;
3016
52a4c640 3017 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
12b29f34 3018 if (rc == -EINVAL) {
d6ea83ec
EP		 3019 if (!capable(CAP_MAC_ADMIN)) {
3020 struct audit_buffer *ab;
3021 size_t audit_size;
3022 const char *str;
3023
3024 /* We strip a nul only if it is at the end, otherwise the
3025 * context contains a nul and we should audit that */
e3fea3f7
AV		 3026 if (value) {
3027 str = value;
3028 if (str[size - 1] == '\0')
3029 audit_size = size - 1;
3030 else
3031 audit_size = size;
3032 } else {
3033 str = "";
3034 audit_size = 0;
3035 }
d6ea83ec
EP		 3036 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3037 audit_log_format(ab, "op=setxattr invalid_context=");
3038 audit_log_n_untrustedstring(ab, value, audit_size);
3039 audit_log_end(ab);
3040
12b29f34 3041 return rc;
d6ea83ec 3042 }
12b29f34
SS		 3043 rc = security_context_to_sid_force(value, size, &newsid);
3044 }
1da177e4
LT		 3045 if (rc)
3046 return rc;
3047
275bb41e 3048 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3049 FILE__RELABELTO, &ad);
3050 if (rc)
3051 return rc;
3052
275bb41e 3053 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 3054 isec->sclass);
1da177e4
LT		 3055 if (rc)
3056 return rc;
3057
3058 return avc_has_perm(newsid,
3059 sbsec->sid,
3060 SECCLASS_FILESYSTEM,
3061 FILESYSTEM__ASSOCIATE,
3062 &ad);
3063}
3064
8f0cfa52 3065static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3066 const void *value, size_t size,
8f0cfa52 3067 int flags)
1da177e4
LT		 3068{
3069 struct inode *inode = dentry->d_inode;
3070 struct inode_security_struct *isec = inode->i_security;
3071 u32 newsid;
3072 int rc;
3073
3074 if (strcmp(name, XATTR_NAME_SELINUX)) {
3075 /* Not an attribute we recognize, so nothing to do. */
3076 return;
3077 }
3078
12b29f34 3079 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 3080 if (rc) {
12b29f34
SS		 3081 printk(KERN_ERR "SELinux: unable to map context to SID"
3082 "for (%s, %lu), rc=%d\n",
3083 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3084 return;
3085 }
3086
aa9c2669 3087 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3088 isec->sid = newsid;
aa9c2669
DQ		 3089 isec->initialized = 1;
3090
1da177e4
LT		 3091 return;
3092}
3093
8f0cfa52 3094static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3095{
88e67f3b
DH		 3096 const struct cred *cred = current_cred();
3097
2875fa00 3098 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3099}
3100
828dfe1d 3101static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3102{
88e67f3b
DH		 3103 const struct cred *cred = current_cred();
3104
2875fa00 3105 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3106}
3107
8f0cfa52 3108static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3109{
b5376771
SH		 3110 if (strcmp(name, XATTR_NAME_SELINUX))
3111 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3112
3113 /* No one is allowed to remove a SELinux security label.
3114 You can change the label, but all data must be labeled. */
3115 return -EACCES;
3116}
3117
d381d8a9 3118/*
abc69bb6 3119 * Copy the inode security context value to the user.
d381d8a9
JM		 3120 *
3121 * Permission check is handled by selinux_inode_getxattr hook.
3122 */
42492594 3123static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3124{
42492594
DQ		 3125 u32 size;
3126 int error;
3127 char *context = NULL;
1da177e4 3128 struct inode_security_struct *isec = inode->i_security;
d381d8a9 3129
8c8570fb
DK		 3130 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3131 return -EOPNOTSUPP;
d381d8a9 3132
abc69bb6
SS		 3133 /*
3134 * If the caller has CAP_MAC_ADMIN, then get the raw context
3135 * value even if it is not defined by current policy; otherwise,
3136 * use the in-core value under current policy.
3137 * Use the non-auditing forms of the permission checks since
3138 * getxattr may be called by unprivileged processes commonly
3139 * and lack of permission just means that we fall back to the
3140 * in-core context value, not a denial.
3141 */
6a9de491 3142 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3699c53c 3143 SECURITY_CAP_NOAUDIT);
abc69bb6
SS		 3144 if (!error)
3145 error = security_sid_to_context_force(isec->sid, &context,
3146 &size);
3147 else
3148 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3149 if (error)
3150 return error;
3151 error = size;
3152 if (alloc) {
3153 *buffer = context;
3154 goto out_nofree;
3155 }
3156 kfree(context);
3157out_nofree:
3158 return error;
1da177e4
LT		 3159}
3160
3161static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3162 const void *value, size_t size, int flags)
1da177e4
LT		 3163{
3164 struct inode_security_struct *isec = inode->i_security;
3165 u32 newsid;
3166 int rc;
3167
3168 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3169 return -EOPNOTSUPP;
3170
3171 if (!value || !size)
3172 return -EACCES;
3173
52a4c640 3174 rc = security_context_to_sid((void *)value, size, &newsid, GFP_KERNEL);
1da177e4
LT		 3175 if (rc)
3176 return rc;
3177
aa9c2669 3178 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3179 isec->sid = newsid;
ddd29ec6 3180 isec->initialized = 1;
1da177e4
LT		 3181 return 0;
3182}
3183
3184static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3185{
3186 const int len = sizeof(XATTR_NAME_SELINUX);
3187 if (buffer && len <= buffer_size)
3188 memcpy(buffer, XATTR_NAME_SELINUX, len);
3189 return len;
3190}
3191
713a04ae
AD		 3192static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3193{
3194 struct inode_security_struct *isec = inode->i_security;
3195 *secid = isec->sid;
3196}
3197
1da177e4
LT		 3198/* file security operations */
3199
788e7dd4 3200static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3201{
88e67f3b 3202 const struct cred *cred = current_cred();
496ad9aa 3203 struct inode *inode = file_inode(file);
1da177e4 3204
1da177e4
LT		 3205 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3206 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3207 mask |= MAY_APPEND;
3208
389fb800
PM		 3209 return file_has_perm(cred, file,
3210 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3211}
3212
788e7dd4
YN		 3213static int selinux_file_permission(struct file *file, int mask)
3214{
496ad9aa 3215 struct inode *inode = file_inode(file);
20dda18b
SS		 3216 struct file_security_struct *fsec = file->f_security;
3217 struct inode_security_struct *isec = inode->i_security;
3218 u32 sid = current_sid();
3219
389fb800 3220 if (!mask)
788e7dd4
YN		 3221 /* No permission to check. Existence test. */
3222 return 0;
788e7dd4 3223
20dda18b
SS		 3224 if (sid == fsec->sid && fsec->isid == isec->sid &&
3225 fsec->pseqno == avc_policy_seqno())
83d49856 3226 /* No change since file_open check. */
20dda18b
SS		 3227 return 0;
3228
788e7dd4
YN		 3229 return selinux_revalidate_file_permission(file, mask);
3230}
3231
1da177e4
LT		 3232static int selinux_file_alloc_security(struct file *file)
3233{
3234 return file_alloc_security(file);
3235}
3236
3237static void selinux_file_free_security(struct file *file)
3238{
3239 file_free_security(file);
3240}
3241
3242static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3243 unsigned long arg)
3244{
88e67f3b 3245 const struct cred *cred = current_cred();
0b24dcb7 3246 int error = 0;
1da177e4 3247
0b24dcb7
EP		 3248 switch (cmd) {
3249 case FIONREAD:
3250 /* fall through */
3251 case FIBMAP:
3252 /* fall through */
3253 case FIGETBSZ:
3254 /* fall through */
2f99c369 3255 case FS_IOC_GETFLAGS:
0b24dcb7 3256 /* fall through */
2f99c369 3257 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3258 error = file_has_perm(cred, file, FILE__GETATTR);
3259 break;
1da177e4 3260
2f99c369 3261 case FS_IOC_SETFLAGS:
0b24dcb7 3262 /* fall through */
2f99c369 3263 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3264 error = file_has_perm(cred, file, FILE__SETATTR);
3265 break;
3266
3267 /* sys_ioctl() checks */
3268 case FIONBIO:
3269 /* fall through */
3270 case FIOASYNC:
3271 error = file_has_perm(cred, file, 0);
3272 break;
1da177e4 3273
0b24dcb7
EP		 3274 case KDSKBENT:
3275 case KDSKBSENT:
6a9de491
EP		 3276 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3277 SECURITY_CAP_AUDIT);
0b24dcb7
EP		 3278 break;
3279
3280 /* default case assumes that the command will go
3281 * to the file's ioctl() function.
3282 */
3283 default:
3284 error = file_has_perm(cred, file, FILE__IOCTL);
3285 }
3286 return error;
1da177e4
LT		 3287}
3288
fcaaade1
SS		 3289static int default_noexec;
3290
1da177e4
LT		 3291static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3292{
88e67f3b 3293 const struct cred *cred = current_cred();
d84f4f99 3294 int rc = 0;
88e67f3b 3295
fcaaade1
SS		 3296 if (default_noexec &&
3297 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3298 /*
3299 * We are making executable an anonymous mapping or a
3300 * private file mapping that will also be writable.
3301 * This has an additional check.
3302 */
d84f4f99 3303 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 3304 if (rc)
d84f4f99 3305 goto error;
1da177e4 3306 }
1da177e4
LT		 3307
3308 if (file) {
3309 /* read access is always possible with a mapping */
3310 u32 av = FILE__READ;
3311
3312 /* write access only matters if the mapping is shared */
3313 if (shared && (prot & PROT_WRITE))
3314 av |= FILE__WRITE;
3315
3316 if (prot & PROT_EXEC)
3317 av |= FILE__EXECUTE;
3318
88e67f3b 3319 return file_has_perm(cred, file, av);
1da177e4 3320 }
d84f4f99
DH		 3321
3322error:
3323 return rc;
1da177e4
LT		 3324}
3325
e5467859 3326static int selinux_mmap_addr(unsigned long addr)
1da177e4 3327{
98883bfd
PM		 3328 int rc;
3329
3330 /* do DAC check on address space usage */
3331 rc = cap_mmap_addr(addr);
3332 if (rc)
3333 return rc;
1da177e4 3334
a2551df7 3335 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3336 u32 sid = current_sid();
ed032189
EP		 3337 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3338 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3339 }
3340
98883bfd 3341 return rc;
e5467859 3342}
1da177e4 3343
e5467859
AV		 3344static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3345 unsigned long prot, unsigned long flags)
3346{
1da177e4
LT		 3347 if (selinux_checkreqprot)
3348 prot = reqprot;
3349
3350 return file_map_prot_check(file, prot,
3351 (flags & MAP_TYPE) == MAP_SHARED);
3352}
3353
3354static int selinux_file_mprotect(struct vm_area_struct *vma,
3355 unsigned long reqprot,
3356 unsigned long prot)
3357{
88e67f3b 3358 const struct cred *cred = current_cred();
1da177e4
LT		 3359
3360 if (selinux_checkreqprot)
3361 prot = reqprot;
3362
fcaaade1
SS		 3363 if (default_noexec &&
3364 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3365 int rc = 0;
db4c9641
SS		 3366 if (vma->vm_start >= vma->vm_mm->start_brk &&
3367 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3368 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641
SS		 3369 } else if (!vma->vm_file &&
3370 vma->vm_start <= vma->vm_mm->start_stack &&
3371 vma->vm_end >= vma->vm_mm->start_stack) {
3b11a1de 3372 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3373 } else if (vma->vm_file && vma->anon_vma) {
3374 /*
3375 * We are making executable a file mapping that has
3376 * had some COW done. Since pages might have been
3377 * written, check ability to execute the possibly
3378 * modified content. This typically should only
3379 * occur for text relocations.
3380 */
d84f4f99 3381 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3382 }