]> git.proxmox.com Git - mirror_ubuntu-hirsute-kernel.git/blame - security/selinux/hooks.c
projects / mirror_ubuntu-hirsute-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
SELinux: tune avtab to reduce memory usage
[mirror_ubuntu-hirsute-kernel.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
7420ed23
VY		 15 * Copyright (C) 2006 Hewlett-Packard Development Company, L.P.
16 * Paul Moore, <paul.moore@hp.com>
1da177e4
LT		 17 *
18 * This program is free software; you can redistribute it and/or modify
19 * it under the terms of the GNU General Public License version 2,
20 * as published by the Free Software Foundation.
21 */
22
1da177e4
LT		 23#include <linux/module.h>
24#include <linux/init.h>
25#include <linux/kernel.h>
26#include <linux/ptrace.h>
27#include <linux/errno.h>
28#include <linux/sched.h>
29#include <linux/security.h>
30#include <linux/xattr.h>
31#include <linux/capability.h>
32#include <linux/unistd.h>
33#include <linux/mm.h>
34#include <linux/mman.h>
35#include <linux/slab.h>
36#include <linux/pagemap.h>
37#include <linux/swap.h>
1da177e4
LT		 38#include <linux/spinlock.h>
39#include <linux/syscalls.h>
40#include <linux/file.h>
41#include <linux/namei.h>
42#include <linux/mount.h>
43#include <linux/ext2_fs.h>
44#include <linux/proc_fs.h>
45#include <linux/kd.h>
46#include <linux/netfilter_ipv4.h>
47#include <linux/netfilter_ipv6.h>
48#include <linux/tty.h>
49#include <net/icmp.h>
227b60f5 50#include <net/ip.h> /* for local_port_range[] */
1da177e4
LT		 51#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
52#include <asm/uaccess.h>
1da177e4
LT		 53#include <asm/ioctls.h>
54#include <linux/bitops.h>
55#include <linux/interrupt.h>
56#include <linux/netdevice.h> /* for network interface checks */
57#include <linux/netlink.h>
58#include <linux/tcp.h>
59#include <linux/udp.h>
2ee92d46 60#include <linux/dccp.h>
1da177e4
LT		 61#include <linux/quota.h>
62#include <linux/un.h> /* for Unix socket types */
63#include <net/af_unix.h> /* for Unix socket types */
64#include <linux/parser.h>
65#include <linux/nfs_mount.h>
66#include <net/ipv6.h>
67#include <linux/hugetlb.h>
68#include <linux/personality.h>
69#include <linux/sysctl.h>
70#include <linux/audit.h>
6931dfc9 71#include <linux/string.h>
877ce7c1 72#include <linux/selinux.h>
23970741 73#include <linux/mutex.h>
1da177e4
LT		 74
75#include "avc.h"
76#include "objsec.h"
77#include "netif.h"
d28d1e08 78#include "xfrm.h"
c60475bf 79#include "netlabel.h"
1da177e4
LT		 80
81#define XATTR_SELINUX_SUFFIX "selinux"
82#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
83
84extern unsigned int policydb_loaded_version;
85extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
4e5ab4cb 86extern int selinux_compat_net;
1da177e4
LT		 87
88#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
89int selinux_enforcing = 0;
90
91static int __init enforcing_setup(char *str)
92{
93 selinux_enforcing = simple_strtol(str,NULL,0);
94 return 1;
95}
96__setup("enforcing=", enforcing_setup);
97#endif
98
99#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
100int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
101
102static int __init selinux_enabled_setup(char *str)
103{
104 selinux_enabled = simple_strtol(str, NULL, 0);
105 return 1;
106}
107__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 108#else
109int selinux_enabled = 1;
1da177e4
LT		 110#endif
111
112/* Original (dummy) security module. */
113static struct security_operations *original_ops = NULL;
114
115/* Minimal support for a secondary security module,
116 just to allow the use of the dummy or capability modules.
117 The owlsm module can alternatively be used as a secondary
118 module as long as CONFIG_OWLSM_FD is not enabled. */
119static struct security_operations *secondary_ops = NULL;
120
121/* Lists of inode and superblock security structures initialized
122 before the policy was loaded. */
123static LIST_HEAD(superblock_security_head);
124static DEFINE_SPINLOCK(sb_security_lock);
125
e18b890b 126static struct kmem_cache *sel_inode_cache;
7cae7e26 127
8c8570fb
DK		 128/* Return security context for a given sid or just the context
129 length if the buffer is null or length is 0 */
130static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
131{
132 char *context;
133 unsigned len;
134 int rc;
135
136 rc = security_sid_to_context(sid, &context, &len);
137 if (rc)
138 return rc;
139
140 if (!buffer || !size)
141 goto getsecurity_exit;
142
143 if (size < len) {
144 len = -ERANGE;
145 goto getsecurity_exit;
146 }
147 memcpy(buffer, context, len);
148
149getsecurity_exit:
150 kfree(context);
151 return len;
152}
153
1da177e4
LT		 154/* Allocate and free functions for each kind of security blob. */
155
156static int task_alloc_security(struct task_struct *task)
157{
158 struct task_security_struct *tsec;
159
89d155ef 160 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4
LT		 161 if (!tsec)
162 return -ENOMEM;
163
1da177e4
LT		 164 tsec->task = task;
165 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
166 task->security = tsec;
167
168 return 0;
169}
170
171static void task_free_security(struct task_struct *task)
172{
173 struct task_security_struct *tsec = task->security;
1da177e4
LT		 174 task->security = NULL;
175 kfree(tsec);
176}
177
178static int inode_alloc_security(struct inode *inode)
179{
180 struct task_security_struct *tsec = current->security;
181 struct inode_security_struct *isec;
182
c3762229 183 isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
1da177e4
LT		 184 if (!isec)
185 return -ENOMEM;
186
23970741 187 mutex_init(&isec->lock);
1da177e4 188 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 189 isec->inode = inode;
190 isec->sid = SECINITSID_UNLABELED;
191 isec->sclass = SECCLASS_FILE;
9ac49d22 192 isec->task_sid = tsec->sid;
1da177e4
LT		 193 inode->i_security = isec;
194
195 return 0;
196}
197
198static void inode_free_security(struct inode *inode)
199{
200 struct inode_security_struct *isec = inode->i_security;
201 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
202
1da177e4
LT		 203 spin_lock(&sbsec->isec_lock);
204 if (!list_empty(&isec->list))
205 list_del_init(&isec->list);
206 spin_unlock(&sbsec->isec_lock);
207
208 inode->i_security = NULL;
7cae7e26 209 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 210}
211
212static int file_alloc_security(struct file *file)
213{
214 struct task_security_struct *tsec = current->security;
215 struct file_security_struct *fsec;
216
26d2a4be 217 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 218 if (!fsec)
219 return -ENOMEM;
220
1da177e4 221 fsec->file = file;
9ac49d22
SS		 222 fsec->sid = tsec->sid;
223 fsec->fown_sid = tsec->sid;
1da177e4
LT		 224 file->f_security = fsec;
225
226 return 0;
227}
228
229static void file_free_security(struct file *file)
230{
231 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 232 file->f_security = NULL;
233 kfree(fsec);
234}
235
236static int superblock_alloc_security(struct super_block *sb)
237{
238 struct superblock_security_struct *sbsec;
239
89d155ef 240 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 241 if (!sbsec)
242 return -ENOMEM;
243
bc7e982b 244 mutex_init(&sbsec->lock);
1da177e4
LT		 245 INIT_LIST_HEAD(&sbsec->list);
246 INIT_LIST_HEAD(&sbsec->isec_head);
247 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 248 sbsec->sb = sb;
249 sbsec->sid = SECINITSID_UNLABELED;
250 sbsec->def_sid = SECINITSID_FILE;
c312feb2 251 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 252 sb->s_security = sbsec;
253
254 return 0;
255}
256
257static void superblock_free_security(struct super_block *sb)
258{
259 struct superblock_security_struct *sbsec = sb->s_security;
260
1da177e4
LT		 261 spin_lock(&sb_security_lock);
262 if (!list_empty(&sbsec->list))
263 list_del_init(&sbsec->list);
264 spin_unlock(&sb_security_lock);
265
266 sb->s_security = NULL;
267 kfree(sbsec);
268}
269
7d877f3b 270static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4
LT		 271{
272 struct sk_security_struct *ssec;
273
89d155ef 274 ssec = kzalloc(sizeof(*ssec), priority);
1da177e4
LT		 275 if (!ssec)
276 return -ENOMEM;
277
1da177e4
LT		 278 ssec->sk = sk;
279 ssec->peer_sid = SECINITSID_UNLABELED;
892c141e 280 ssec->sid = SECINITSID_UNLABELED;
1da177e4
LT		 281 sk->sk_security = ssec;
282
99f59ed0
PM		 283 selinux_netlbl_sk_security_init(ssec, family);
284
1da177e4
LT		 285 return 0;
286}
287
288static void sk_free_security(struct sock *sk)
289{
290 struct sk_security_struct *ssec = sk->sk_security;
291
1da177e4
LT		 292 sk->sk_security = NULL;
293 kfree(ssec);
294}
1da177e4
LT		 295
296/* The security server must be initialized before
297 any labeling or access decisions can be provided. */
298extern int ss_initialized;
299
300/* The file system's label must be initialized prior to use. */
301
302static char *labeling_behaviors[6] = {
303 "uses xattr",
304 "uses transition SIDs",
305 "uses task SIDs",
306 "uses genfs_contexts",
307 "not configured for labeling",
308 "uses mountpoint labeling",
309};
310
311static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
312
313static inline int inode_doinit(struct inode *inode)
314{
315 return inode_doinit_with_dentry(inode, NULL);
316}
317
318enum {
31e87930 319 Opt_error = -1,
1da177e4
LT		 320 Opt_context = 1,
321 Opt_fscontext = 2,
322 Opt_defcontext = 4,
0808925e 323 Opt_rootcontext = 8,
1da177e4
LT		 324};
325
326static match_table_t tokens = {
327 {Opt_context, "context=%s"},
328 {Opt_fscontext, "fscontext=%s"},
329 {Opt_defcontext, "defcontext=%s"},
0808925e 330 {Opt_rootcontext, "rootcontext=%s"},
31e87930 331 {Opt_error, NULL},
1da177e4
LT		 332};
333
334#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
335
c312feb2
EP		 336static int may_context_mount_sb_relabel(u32 sid,
337 struct superblock_security_struct *sbsec,
338 struct task_security_struct *tsec)
339{
340 int rc;
341
342 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
343 FILESYSTEM__RELABELFROM, NULL);
344 if (rc)
345 return rc;
346
347 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
348 FILESYSTEM__RELABELTO, NULL);
349 return rc;
350}
351
0808925e
EP		 352static int may_context_mount_inode_relabel(u32 sid,
353 struct superblock_security_struct *sbsec,
354 struct task_security_struct *tsec)
355{
356 int rc;
357 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358 FILESYSTEM__RELABELFROM, NULL);
359 if (rc)
360 return rc;
361
362 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
363 FILESYSTEM__ASSOCIATE, NULL);
364 return rc;
365}
366
1da177e4
LT		 367static int try_context_mount(struct super_block *sb, void *data)
368{
369 char *context = NULL, *defcontext = NULL;
0808925e 370 char *fscontext = NULL, *rootcontext = NULL;
1da177e4
LT		 371 const char *name;
372 u32 sid;
373 int alloc = 0, rc = 0, seen = 0;
374 struct task_security_struct *tsec = current->security;
375 struct superblock_security_struct *sbsec = sb->s_security;
376
377 if (!data)
378 goto out;
379
380 name = sb->s_type->name;
381
382 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
383
384 /* NFS we understand. */
385 if (!strcmp(name, "nfs")) {
386 struct nfs_mount_data *d = data;
387
388 if (d->version < NFS_MOUNT_VERSION)
389 goto out;
390
391 if (d->context[0]) {
392 context = d->context;
393 seen |= Opt_context;
394 }
395 } else
396 goto out;
397
398 } else {
399 /* Standard string-based options. */
400 char *p, *options = data;
401
3528a953 402 while ((p = strsep(&options, "|")) != NULL) {
1da177e4
LT		 403 int token;
404 substring_t args[MAX_OPT_ARGS];
405
406 if (!*p)
407 continue;
408
409 token = match_token(p, tokens, args);
410
411 switch (token) {
412 case Opt_context:
c312feb2 413 if (seen & (Opt_context|Opt_defcontext)) {
1da177e4
LT		 414 rc = -EINVAL;
415 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
416 goto out_free;
417 }
418 context = match_strdup(&args[0]);
419 if (!context) {
420 rc = -ENOMEM;
421 goto out_free;
422 }
423 if (!alloc)
424 alloc = 1;
425 seen |= Opt_context;
426 break;
427
428 case Opt_fscontext:
c312feb2 429 if (seen & Opt_fscontext) {
1da177e4
LT		 430 rc = -EINVAL;
431 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
432 goto out_free;
433 }
c312feb2
EP		 434 fscontext = match_strdup(&args[0]);
435 if (!fscontext) {
1da177e4
LT		 436 rc = -ENOMEM;
437 goto out_free;
438 }
439 if (!alloc)
440 alloc = 1;
441 seen |= Opt_fscontext;
442 break;
443
0808925e
EP		 444 case Opt_rootcontext:
445 if (seen & Opt_rootcontext) {
446 rc = -EINVAL;
447 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
448 goto out_free;
449 }
450 rootcontext = match_strdup(&args[0]);
451 if (!rootcontext) {
452 rc = -ENOMEM;
453 goto out_free;
454 }
455 if (!alloc)
456 alloc = 1;
457 seen |= Opt_rootcontext;
458 break;
459
1da177e4
LT		 460 case Opt_defcontext:
461 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
462 rc = -EINVAL;
463 printk(KERN_WARNING "SELinux: "
464 "defcontext option is invalid "
465 "for this filesystem type\n");
466 goto out_free;
467 }
468 if (seen & (Opt_context|Opt_defcontext)) {
469 rc = -EINVAL;
470 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
471 goto out_free;
472 }
473 defcontext = match_strdup(&args[0]);
474 if (!defcontext) {
475 rc = -ENOMEM;
476 goto out_free;
477 }
478 if (!alloc)
479 alloc = 1;
480 seen |= Opt_defcontext;
481 break;
482
483 default:
484 rc = -EINVAL;
485 printk(KERN_WARNING "SELinux: unknown mount "
486 "option\n");
487 goto out_free;
488
489 }
490 }
491 }
492
493 if (!seen)
494 goto out;
495
c312feb2
EP		 496 /* sets the context of the superblock for the fs being mounted. */
497 if (fscontext) {
498 rc = security_context_to_sid(fscontext, strlen(fscontext), &sid);
1da177e4
LT		 499 if (rc) {
500 printk(KERN_WARNING "SELinux: security_context_to_sid"
501 "(%s) failed for (dev %s, type %s) errno=%d\n",
c312feb2 502 fscontext, sb->s_id, name, rc);
1da177e4
LT		 503 goto out_free;
504 }
505
c312feb2 506 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
1da177e4
LT		 507 if (rc)
508 goto out_free;
509
c312feb2
EP		 510 sbsec->sid = sid;
511 }
512
513 /*
514 * Switch to using mount point labeling behavior.
515 * sets the label used on all file below the mountpoint, and will set
516 * the superblock context if not already set.
517 */
518 if (context) {
519 rc = security_context_to_sid(context, strlen(context), &sid);
520 if (rc) {
521 printk(KERN_WARNING "SELinux: security_context_to_sid"
522 "(%s) failed for (dev %s, type %s) errno=%d\n",
523 context, sb->s_id, name, rc);
524 goto out_free;
525 }
526
b04ea3ce
EP		 527 if (!fscontext) {
528 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
529 if (rc)
530 goto out_free;
c312feb2 531 sbsec->sid = sid;
b04ea3ce
EP		 532 } else {
533 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
534 if (rc)
535 goto out_free;
536 }
c312feb2 537 sbsec->mntpoint_sid = sid;
1da177e4 538
c312feb2 539 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 540 }
541
0808925e
EP		 542 if (rootcontext) {
543 struct inode *inode = sb->s_root->d_inode;
544 struct inode_security_struct *isec = inode->i_security;
545 rc = security_context_to_sid(rootcontext, strlen(rootcontext), &sid);
546 if (rc) {
547 printk(KERN_WARNING "SELinux: security_context_to_sid"
548 "(%s) failed for (dev %s, type %s) errno=%d\n",
549 rootcontext, sb->s_id, name, rc);
550 goto out_free;
551 }
552
553 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
554 if (rc)
555 goto out_free;
556
557 isec->sid = sid;
558 isec->initialized = 1;
559 }
560
1da177e4
LT		 561 if (defcontext) {
562 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
563 if (rc) {
564 printk(KERN_WARNING "SELinux: security_context_to_sid"
565 "(%s) failed for (dev %s, type %s) errno=%d\n",
566 defcontext, sb->s_id, name, rc);
567 goto out_free;
568 }
569
570 if (sid == sbsec->def_sid)
571 goto out_free;
572
0808925e 573 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
1da177e4
LT		 574 if (rc)
575 goto out_free;
576
577 sbsec->def_sid = sid;
578 }
579
580out_free:
581 if (alloc) {
582 kfree(context);
583 kfree(defcontext);
c312feb2 584 kfree(fscontext);
0808925e 585 kfree(rootcontext);
1da177e4
LT		 586 }
587out:
588 return rc;
589}
590
591static int superblock_doinit(struct super_block *sb, void *data)
592{
593 struct superblock_security_struct *sbsec = sb->s_security;
594 struct dentry *root = sb->s_root;
595 struct inode *inode = root->d_inode;
596 int rc = 0;
597
bc7e982b 598 mutex_lock(&sbsec->lock);
1da177e4
LT		 599 if (sbsec->initialized)
600 goto out;
601
602 if (!ss_initialized) {
603 /* Defer initialization until selinux_complete_init,
604 after the initial policy is loaded and the security
605 server is ready to handle calls. */
606 spin_lock(&sb_security_lock);
607 if (list_empty(&sbsec->list))
608 list_add(&sbsec->list, &superblock_security_head);
609 spin_unlock(&sb_security_lock);
610 goto out;
611 }
612
613 /* Determine the labeling behavior to use for this filesystem type. */
614 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
615 if (rc) {
616 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
617 __FUNCTION__, sb->s_type->name, rc);
618 goto out;
619 }
620
621 rc = try_context_mount(sb, data);
622 if (rc)
623 goto out;
624
625 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
626 /* Make sure that the xattr handler exists and that no
627 error other than -ENODATA is returned by getxattr on
628 the root directory. -ENODATA is ok, as this may be
629 the first boot of the SELinux kernel before we have
630 assigned xattr values to the filesystem. */
631 if (!inode->i_op->getxattr) {
632 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
633 "xattr support\n", sb->s_id, sb->s_type->name);
634 rc = -EOPNOTSUPP;
635 goto out;
636 }
637 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
638 if (rc < 0 && rc != -ENODATA) {
639 if (rc == -EOPNOTSUPP)
640 printk(KERN_WARNING "SELinux: (dev %s, type "
641 "%s) has no security xattr handler\n",
642 sb->s_id, sb->s_type->name);
643 else
644 printk(KERN_WARNING "SELinux: (dev %s, type "
645 "%s) getxattr errno %d\n", sb->s_id,
646 sb->s_type->name, -rc);
647 goto out;
648 }
649 }
650
651 if (strcmp(sb->s_type->name, "proc") == 0)
652 sbsec->proc = 1;
653
654 sbsec->initialized = 1;
655
656 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
fadcdb45 657 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
1da177e4
LT		 658 sb->s_id, sb->s_type->name);
659 }
660 else {
fadcdb45 661 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
1da177e4
LT		 662 sb->s_id, sb->s_type->name,
663 labeling_behaviors[sbsec->behavior-1]);
664 }
665
666 /* Initialize the root inode. */
667 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
668
669 /* Initialize any other inodes associated with the superblock, e.g.
670 inodes created prior to initial policy load or inodes created
671 during get_sb by a pseudo filesystem that directly
672 populates itself. */
673 spin_lock(&sbsec->isec_lock);
674next_inode:
675 if (!list_empty(&sbsec->isec_head)) {
676 struct inode_security_struct *isec =
677 list_entry(sbsec->isec_head.next,
678 struct inode_security_struct, list);
679 struct inode *inode = isec->inode;
680 spin_unlock(&sbsec->isec_lock);
681 inode = igrab(inode);
682 if (inode) {
683 if (!IS_PRIVATE (inode))
684 inode_doinit(inode);
685 iput(inode);
686 }
687 spin_lock(&sbsec->isec_lock);
688 list_del_init(&isec->list);
689 goto next_inode;
690 }
691 spin_unlock(&sbsec->isec_lock);
692out:
bc7e982b 693 mutex_unlock(&sbsec->lock);
1da177e4
LT		 694 return rc;
695}
696
697static inline u16 inode_mode_to_security_class(umode_t mode)
698{
699 switch (mode & S_IFMT) {
700 case S_IFSOCK:
701 return SECCLASS_SOCK_FILE;
702 case S_IFLNK:
703 return SECCLASS_LNK_FILE;
704 case S_IFREG:
705 return SECCLASS_FILE;
706 case S_IFBLK:
707 return SECCLASS_BLK_FILE;
708 case S_IFDIR:
709 return SECCLASS_DIR;
710 case S_IFCHR:
711 return SECCLASS_CHR_FILE;
712 case S_IFIFO:
713 return SECCLASS_FIFO_FILE;
714
715 }
716
717 return SECCLASS_FILE;
718}
719
13402580
JM		 720static inline int default_protocol_stream(int protocol)
721{
722 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
723}
724
725static inline int default_protocol_dgram(int protocol)
726{
727 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
728}
729
1da177e4
LT		 730static inline u16 socket_type_to_security_class(int family, int type, int protocol)
731{
732 switch (family) {
733 case PF_UNIX:
734 switch (type) {
735 case SOCK_STREAM:
736 case SOCK_SEQPACKET:
737 return SECCLASS_UNIX_STREAM_SOCKET;
738 case SOCK_DGRAM:
739 return SECCLASS_UNIX_DGRAM_SOCKET;
740 }
741 break;
742 case PF_INET:
743 case PF_INET6:
744 switch (type) {
745 case SOCK_STREAM:
13402580
JM		 746 if (default_protocol_stream(protocol))
747 return SECCLASS_TCP_SOCKET;
748 else
749 return SECCLASS_RAWIP_SOCKET;
1da177e4 750 case SOCK_DGRAM:
13402580
JM		 751 if (default_protocol_dgram(protocol))
752 return SECCLASS_UDP_SOCKET;
753 else
754 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 755 case SOCK_DCCP:
756 return SECCLASS_DCCP_SOCKET;
13402580 757 default:
1da177e4
LT		 758 return SECCLASS_RAWIP_SOCKET;
759 }
760 break;
761 case PF_NETLINK:
762 switch (protocol) {
763 case NETLINK_ROUTE:
764 return SECCLASS_NETLINK_ROUTE_SOCKET;
765 case NETLINK_FIREWALL:
766 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 767 case NETLINK_INET_DIAG:
1da177e4
LT		 768 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
769 case NETLINK_NFLOG:
770 return SECCLASS_NETLINK_NFLOG_SOCKET;
771 case NETLINK_XFRM:
772 return SECCLASS_NETLINK_XFRM_SOCKET;
773 case NETLINK_SELINUX:
774 return SECCLASS_NETLINK_SELINUX_SOCKET;
775 case NETLINK_AUDIT:
776 return SECCLASS_NETLINK_AUDIT_SOCKET;
777 case NETLINK_IP6_FW:
778 return SECCLASS_NETLINK_IP6FW_SOCKET;
779 case NETLINK_DNRTMSG:
780 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 781 case NETLINK_KOBJECT_UEVENT:
782 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 783 default:
784 return SECCLASS_NETLINK_SOCKET;
785 }
786 case PF_PACKET:
787 return SECCLASS_PACKET_SOCKET;
788 case PF_KEY:
789 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 790 case PF_APPLETALK:
791 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 792 }
793
794 return SECCLASS_SOCKET;
795}
796
797#ifdef CONFIG_PROC_FS
798static int selinux_proc_get_sid(struct proc_dir_entry *de,
799 u16 tclass,
800 u32 *sid)
801{
802 int buflen, rc;
803 char *buffer, *path, *end;
804
805 buffer = (char*)__get_free_page(GFP_KERNEL);
806 if (!buffer)
807 return -ENOMEM;
808
809 buflen = PAGE_SIZE;
810 end = buffer+buflen;
811 *--end = '\0';
812 buflen--;
813 path = end-1;
814 *path = '/';
815 while (de && de != de->parent) {
816 buflen -= de->namelen + 1;
817 if (buflen < 0)
818 break;
819 end -= de->namelen;
820 memcpy(end, de->name, de->namelen);
821 *--end = '/';
822 path = end;
823 de = de->parent;
824 }
825 rc = security_genfs_sid("proc", path, tclass, sid);
826 free_page((unsigned long)buffer);
827 return rc;
828}
829#else
830static int selinux_proc_get_sid(struct proc_dir_entry *de,
831 u16 tclass,
832 u32 *sid)
833{
834 return -EINVAL;
835}
836#endif
837
838/* The inode's security attributes must be initialized before first use. */
839static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
840{
841 struct superblock_security_struct *sbsec = NULL;
842 struct inode_security_struct *isec = inode->i_security;
843 u32 sid;
844 struct dentry *dentry;
845#define INITCONTEXTLEN 255
846 char *context = NULL;
847 unsigned len = 0;
848 int rc = 0;
1da177e4
LT		 849
850 if (isec->initialized)
851 goto out;
852
23970741 853 mutex_lock(&isec->lock);
1da177e4 854 if (isec->initialized)
23970741 855 goto out_unlock;
1da177e4
LT		 856
857 sbsec = inode->i_sb->s_security;
858 if (!sbsec->initialized) {
859 /* Defer initialization until selinux_complete_init,
860 after the initial policy is loaded and the security
861 server is ready to handle calls. */
862 spin_lock(&sbsec->isec_lock);
863 if (list_empty(&isec->list))
864 list_add(&isec->list, &sbsec->isec_head);
865 spin_unlock(&sbsec->isec_lock);
23970741 866 goto out_unlock;
1da177e4
LT		 867 }
868
869 switch (sbsec->behavior) {
870 case SECURITY_FS_USE_XATTR:
871 if (!inode->i_op->getxattr) {
872 isec->sid = sbsec->def_sid;
873 break;
874 }
875
876 /* Need a dentry, since the xattr API requires one.
877 Life would be simpler if we could just pass the inode. */
878 if (opt_dentry) {
879 /* Called from d_instantiate or d_splice_alias. */
880 dentry = dget(opt_dentry);
881 } else {
882 /* Called from selinux_complete_init, try to find a dentry. */
883 dentry = d_find_alias(inode);
884 }
885 if (!dentry) {
886 printk(KERN_WARNING "%s: no dentry for dev=%s "
887 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
888 inode->i_ino);
23970741 889 goto out_unlock;
1da177e4
LT		 890 }
891
892 len = INITCONTEXTLEN;
893 context = kmalloc(len, GFP_KERNEL);
894 if (!context) {
895 rc = -ENOMEM;
896 dput(dentry);
23970741 897 goto out_unlock;
1da177e4
LT		 898 }
899 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
900 context, len);
901 if (rc == -ERANGE) {
902 /* Need a larger buffer. Query for the right size. */
903 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
904 NULL, 0);
905 if (rc < 0) {
906 dput(dentry);
23970741 907 goto out_unlock;
1da177e4
LT		 908 }
909 kfree(context);
910 len = rc;
911 context = kmalloc(len, GFP_KERNEL);
912 if (!context) {
913 rc = -ENOMEM;
914 dput(dentry);
23970741 915 goto out_unlock;
1da177e4
LT		 916 }
917 rc = inode->i_op->getxattr(dentry,
918 XATTR_NAME_SELINUX,
919 context, len);
920 }
921 dput(dentry);
922 if (rc < 0) {
923 if (rc != -ENODATA) {
924 printk(KERN_WARNING "%s: getxattr returned "
925 "%d for dev=%s ino=%ld\n", __FUNCTION__,
926 -rc, inode->i_sb->s_id, inode->i_ino);
927 kfree(context);
23970741 928 goto out_unlock;
1da177e4
LT		 929 }
930 /* Map ENODATA to the default file SID */
931 sid = sbsec->def_sid;
932 rc = 0;
933 } else {
f5c1d5b2
JM		 934 rc = security_context_to_sid_default(context, rc, &sid,
935 sbsec->def_sid);
1da177e4
LT		 936 if (rc) {
937 printk(KERN_WARNING "%s: context_to_sid(%s) "
938 "returned %d for dev=%s ino=%ld\n",
939 __FUNCTION__, context, -rc,
940 inode->i_sb->s_id, inode->i_ino);
941 kfree(context);
942 /* Leave with the unlabeled SID */
943 rc = 0;
944 break;
945 }
946 }
947 kfree(context);
948 isec->sid = sid;
949 break;
950 case SECURITY_FS_USE_TASK:
951 isec->sid = isec->task_sid;
952 break;
953 case SECURITY_FS_USE_TRANS:
954 /* Default to the fs SID. */
955 isec->sid = sbsec->sid;
956
957 /* Try to obtain a transition SID. */
958 isec->sclass = inode_mode_to_security_class(inode->i_mode);
959 rc = security_transition_sid(isec->task_sid,
960 sbsec->sid,
961 isec->sclass,
962 &sid);
963 if (rc)
23970741 964 goto out_unlock;
1da177e4
LT		 965 isec->sid = sid;
966 break;
c312feb2
EP		 967 case SECURITY_FS_USE_MNTPOINT:
968 isec->sid = sbsec->mntpoint_sid;
969 break;
1da177e4 970 default:
c312feb2 971 /* Default to the fs superblock SID. */
1da177e4
LT		 972 isec->sid = sbsec->sid;
973
974 if (sbsec->proc) {
975 struct proc_inode *proci = PROC_I(inode);
976 if (proci->pde) {
977 isec->sclass = inode_mode_to_security_class(inode->i_mode);
978 rc = selinux_proc_get_sid(proci->pde,
979 isec->sclass,
980 &sid);
981 if (rc)
23970741 982 goto out_unlock;
1da177e4
LT		 983 isec->sid = sid;
984 }
985 }
986 break;
987 }
988
989 isec->initialized = 1;
990
23970741
EP		 991out_unlock:
992 mutex_unlock(&isec->lock);
1da177e4
LT		 993out:
994 if (isec->sclass == SECCLASS_FILE)
995 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 996 return rc;
997}
998
999/* Convert a Linux signal to an access vector. */
1000static inline u32 signal_to_av(int sig)
1001{
1002 u32 perm = 0;
1003
1004 switch (sig) {
1005 case SIGCHLD:
1006 /* Commonly granted from child to parent. */
1007 perm = PROCESS__SIGCHLD;
1008 break;
1009 case SIGKILL:
1010 /* Cannot be caught or ignored */
1011 perm = PROCESS__SIGKILL;
1012 break;
1013 case SIGSTOP:
1014 /* Cannot be caught or ignored */
1015 perm = PROCESS__SIGSTOP;
1016 break;
1017 default:
1018 /* All other signals. */
1019 perm = PROCESS__SIGNAL;
1020 break;
1021 }
1022
1023 return perm;
1024}
1025
1026/* Check permission betweeen a pair of tasks, e.g. signal checks,
1027 fork check, ptrace check, etc. */
1028static int task_has_perm(struct task_struct *tsk1,
1029 struct task_struct *tsk2,
1030 u32 perms)
1031{
1032 struct task_security_struct *tsec1, *tsec2;
1033
1034 tsec1 = tsk1->security;
1035 tsec2 = tsk2->security;
1036 return avc_has_perm(tsec1->sid, tsec2->sid,
1037 SECCLASS_PROCESS, perms, NULL);
1038}
1039
1040/* Check whether a task is allowed to use a capability. */
1041static int task_has_capability(struct task_struct *tsk,
1042 int cap)
1043{
1044 struct task_security_struct *tsec;
1045 struct avc_audit_data ad;
1046
1047 tsec = tsk->security;
1048
1049 AVC_AUDIT_DATA_INIT(&ad,CAP);
1050 ad.tsk = tsk;
1051 ad.u.cap = cap;
1052
1053 return avc_has_perm(tsec->sid, tsec->sid,
1054 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1055}
1056
1057/* Check whether a task is allowed to use a system operation. */
1058static int task_has_system(struct task_struct *tsk,
1059 u32 perms)
1060{
1061 struct task_security_struct *tsec;
1062
1063 tsec = tsk->security;
1064
1065 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1066 SECCLASS_SYSTEM, perms, NULL);
1067}
1068
1069/* Check whether a task has a particular permission to an inode.
1070 The 'adp' parameter is optional and allows other audit
1071 data to be passed (e.g. the dentry). */
1072static int inode_has_perm(struct task_struct *tsk,
1073 struct inode *inode,
1074 u32 perms,
1075 struct avc_audit_data *adp)
1076{
1077 struct task_security_struct *tsec;
1078 struct inode_security_struct *isec;
1079 struct avc_audit_data ad;
1080
bbaca6c2
SS		 1081 if (unlikely (IS_PRIVATE (inode)))
1082 return 0;
1083
1da177e4
LT		 1084 tsec = tsk->security;
1085 isec = inode->i_security;
1086
1087 if (!adp) {
1088 adp = &ad;
1089 AVC_AUDIT_DATA_INIT(&ad, FS);
1090 ad.u.fs.inode = inode;
1091 }
1092
1093 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1094}
1095
1096/* Same as inode_has_perm, but pass explicit audit data containing
1097 the dentry to help the auditing code to more easily generate the
1098 pathname if needed. */
1099static inline int dentry_has_perm(struct task_struct *tsk,
1100 struct vfsmount *mnt,
1101 struct dentry *dentry,
1102 u32 av)
1103{
1104 struct inode *inode = dentry->d_inode;
1105 struct avc_audit_data ad;
1106 AVC_AUDIT_DATA_INIT(&ad,FS);
1107 ad.u.fs.mnt = mnt;
1108 ad.u.fs.dentry = dentry;
1109 return inode_has_perm(tsk, inode, av, &ad);
1110}
1111
1112/* Check whether a task can use an open file descriptor to
1113 access an inode in a given way. Check access to the
1114 descriptor itself, and then use dentry_has_perm to
1115 check a particular permission to the file.
1116 Access to the descriptor is implicitly granted if it
1117 has the same SID as the process. If av is zero, then
1118 access to the file is not checked, e.g. for cases
1119 where only the descriptor is affected like seek. */
858119e1 1120static int file_has_perm(struct task_struct *tsk,
1da177e4
LT		 1121 struct file *file,
1122 u32 av)
1123{
1124 struct task_security_struct *tsec = tsk->security;
1125 struct file_security_struct *fsec = file->f_security;
3d5ff529
JS		 1126 struct vfsmount *mnt = file->f_path.mnt;
1127 struct dentry *dentry = file->f_path.dentry;
1da177e4
LT		 1128 struct inode *inode = dentry->d_inode;
1129 struct avc_audit_data ad;
1130 int rc;
1131
1132 AVC_AUDIT_DATA_INIT(&ad, FS);
1133 ad.u.fs.mnt = mnt;
1134 ad.u.fs.dentry = dentry;
1135
1136 if (tsec->sid != fsec->sid) {
1137 rc = avc_has_perm(tsec->sid, fsec->sid,
1138 SECCLASS_FD,
1139 FD__USE,
1140 &ad);
1141 if (rc)
1142 return rc;
1143 }
1144
1145 /* av is zero if only checking access to the descriptor. */
1146 if (av)
1147 return inode_has_perm(tsk, inode, av, &ad);
1148
1149 return 0;
1150}
1151
1152/* Check whether a task can create a file. */
1153static int may_create(struct inode *dir,
1154 struct dentry *dentry,
1155 u16 tclass)
1156{
1157 struct task_security_struct *tsec;
1158 struct inode_security_struct *dsec;
1159 struct superblock_security_struct *sbsec;
1160 u32 newsid;
1161 struct avc_audit_data ad;
1162 int rc;
1163
1164 tsec = current->security;
1165 dsec = dir->i_security;
1166 sbsec = dir->i_sb->s_security;
1167
1168 AVC_AUDIT_DATA_INIT(&ad, FS);
1169 ad.u.fs.dentry = dentry;
1170
1171 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1172 DIR__ADD_NAME | DIR__SEARCH,
1173 &ad);
1174 if (rc)
1175 return rc;
1176
1177 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1178 newsid = tsec->create_sid;
1179 } else {
1180 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1181 &newsid);
1182 if (rc)
1183 return rc;
1184 }
1185
1186 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1187 if (rc)
1188 return rc;
1189
1190 return avc_has_perm(newsid, sbsec->sid,
1191 SECCLASS_FILESYSTEM,
1192 FILESYSTEM__ASSOCIATE, &ad);
1193}
1194
4eb582cf
ML		 1195/* Check whether a task can create a key. */
1196static int may_create_key(u32 ksid,
1197 struct task_struct *ctx)
1198{
1199 struct task_security_struct *tsec;
1200
1201 tsec = ctx->security;
1202
1203 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1204}
1205
1da177e4
LT		 1206#define MAY_LINK 0
1207#define MAY_UNLINK 1
1208#define MAY_RMDIR 2
1209
1210/* Check whether a task can link, unlink, or rmdir a file/directory. */
1211static int may_link(struct inode *dir,
1212 struct dentry *dentry,
1213 int kind)
1214
1215{
1216 struct task_security_struct *tsec;
1217 struct inode_security_struct *dsec, *isec;
1218 struct avc_audit_data ad;
1219 u32 av;
1220 int rc;
1221
1222 tsec = current->security;
1223 dsec = dir->i_security;
1224 isec = dentry->d_inode->i_security;
1225
1226 AVC_AUDIT_DATA_INIT(&ad, FS);
1227 ad.u.fs.dentry = dentry;
1228
1229 av = DIR__SEARCH;
1230 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1231 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1232 if (rc)
1233 return rc;
1234
1235 switch (kind) {
1236 case MAY_LINK:
1237 av = FILE__LINK;
1238 break;
1239 case MAY_UNLINK:
1240 av = FILE__UNLINK;
1241 break;
1242 case MAY_RMDIR:
1243 av = DIR__RMDIR;
1244 break;
1245 default:
1246 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1247 return 0;
1248 }
1249
1250 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1251 return rc;
1252}
1253
1254static inline int may_rename(struct inode *old_dir,
1255 struct dentry *old_dentry,
1256 struct inode *new_dir,
1257 struct dentry *new_dentry)
1258{
1259 struct task_security_struct *tsec;
1260 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1261 struct avc_audit_data ad;
1262 u32 av;
1263 int old_is_dir, new_is_dir;
1264 int rc;
1265
1266 tsec = current->security;
1267 old_dsec = old_dir->i_security;
1268 old_isec = old_dentry->d_inode->i_security;
1269 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1270 new_dsec = new_dir->i_security;
1271
1272 AVC_AUDIT_DATA_INIT(&ad, FS);
1273
1274 ad.u.fs.dentry = old_dentry;
1275 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1276 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1277 if (rc)
1278 return rc;
1279 rc = avc_has_perm(tsec->sid, old_isec->sid,
1280 old_isec->sclass, FILE__RENAME, &ad);
1281 if (rc)
1282 return rc;
1283 if (old_is_dir && new_dir != old_dir) {
1284 rc = avc_has_perm(tsec->sid, old_isec->sid,
1285 old_isec->sclass, DIR__REPARENT, &ad);
1286 if (rc)
1287 return rc;
1288 }
1289
1290 ad.u.fs.dentry = new_dentry;
1291 av = DIR__ADD_NAME | DIR__SEARCH;
1292 if (new_dentry->d_inode)
1293 av |= DIR__REMOVE_NAME;
1294 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1295 if (rc)
1296 return rc;
1297 if (new_dentry->d_inode) {
1298 new_isec = new_dentry->d_inode->i_security;
1299 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1300 rc = avc_has_perm(tsec->sid, new_isec->sid,
1301 new_isec->sclass,
1302 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1303 if (rc)
1304 return rc;
1305 }
1306
1307 return 0;
1308}
1309
1310/* Check whether a task can perform a filesystem operation. */
1311static int superblock_has_perm(struct task_struct *tsk,
1312 struct super_block *sb,
1313 u32 perms,
1314 struct avc_audit_data *ad)
1315{
1316 struct task_security_struct *tsec;
1317 struct superblock_security_struct *sbsec;
1318
1319 tsec = tsk->security;
1320 sbsec = sb->s_security;
1321 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1322 perms, ad);
1323}
1324
1325/* Convert a Linux mode and permission mask to an access vector. */
1326static inline u32 file_mask_to_av(int mode, int mask)
1327{
1328 u32 av = 0;
1329
1330 if ((mode & S_IFMT) != S_IFDIR) {
1331 if (mask & MAY_EXEC)
1332 av |= FILE__EXECUTE;
1333 if (mask & MAY_READ)
1334 av |= FILE__READ;
1335
1336 if (mask & MAY_APPEND)
1337 av |= FILE__APPEND;
1338 else if (mask & MAY_WRITE)
1339 av |= FILE__WRITE;
1340
1341 } else {
1342 if (mask & MAY_EXEC)
1343 av |= DIR__SEARCH;
1344 if (mask & MAY_WRITE)
1345 av |= DIR__WRITE;
1346 if (mask & MAY_READ)
1347 av |= DIR__READ;
1348 }
1349
1350 return av;
1351}
1352
1353/* Convert a Linux file to an access vector. */
1354static inline u32 file_to_av(struct file *file)
1355{
1356 u32 av = 0;
1357
1358 if (file->f_mode & FMODE_READ)
1359 av |= FILE__READ;
1360 if (file->f_mode & FMODE_WRITE) {
1361 if (file->f_flags & O_APPEND)
1362 av |= FILE__APPEND;
1363 else
1364 av |= FILE__WRITE;
1365 }
1366
1367 return av;
1368}
1369
1da177e4
LT		 1370/* Hook functions begin here. */
1371
1372static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1373{
1374 struct task_security_struct *psec = parent->security;
1375 struct task_security_struct *csec = child->security;
1376 int rc;
1377
1378 rc = secondary_ops->ptrace(parent,child);
1379 if (rc)
1380 return rc;
1381
1382 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1383 /* Save the SID of the tracing process for later use in apply_creds. */
341c2d80 1384 if (!(child->ptrace & PT_PTRACED) && !rc)
1da177e4
LT		 1385 csec->ptrace_sid = psec->sid;
1386 return rc;
1387}
1388
1389static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1390 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1391{
1392 int error;
1393
1394 error = task_has_perm(current, target, PROCESS__GETCAP);
1395 if (error)
1396 return error;
1397
1398 return secondary_ops->capget(target, effective, inheritable, permitted);
1399}
1400
1401static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1402 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1403{
1404 int error;
1405
1406 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1407 if (error)
1408 return error;
1409
1410 return task_has_perm(current, target, PROCESS__SETCAP);
1411}
1412
1413static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1414 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1415{
1416 secondary_ops->capset_set(target, effective, inheritable, permitted);
1417}
1418
1419static int selinux_capable(struct task_struct *tsk, int cap)
1420{
1421 int rc;
1422
1423 rc = secondary_ops->capable(tsk, cap);
1424 if (rc)
1425 return rc;
1426
1427 return task_has_capability(tsk,cap);
1428}
1429
3fbfa981
EB		 1430static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1431{
1432 int buflen, rc;
1433 char *buffer, *path, *end;
1434
1435 rc = -ENOMEM;
1436 buffer = (char*)__get_free_page(GFP_KERNEL);
1437 if (!buffer)
1438 goto out;
1439
1440 buflen = PAGE_SIZE;
1441 end = buffer+buflen;
1442 *--end = '\0';
1443 buflen--;
1444 path = end-1;
1445 *path = '/';
1446 while (table) {
1447 const char *name = table->procname;
1448 size_t namelen = strlen(name);
1449 buflen -= namelen + 1;
1450 if (buflen < 0)
1451 goto out_free;
1452 end -= namelen;
1453 memcpy(end, name, namelen);
1454 *--end = '/';
1455 path = end;
1456 table = table->parent;
1457 }
b599fdfd
EB		 1458 buflen -= 4;
1459 if (buflen < 0)
1460 goto out_free;
1461 end -= 4;
1462 memcpy(end, "/sys", 4);
1463 path = end;
3fbfa981
EB		 1464 rc = security_genfs_sid("proc", path, tclass, sid);
1465out_free:
1466 free_page((unsigned long)buffer);
1467out:
1468 return rc;
1469}
1470
1da177e4
LT		 1471static int selinux_sysctl(ctl_table *table, int op)
1472{
1473 int error = 0;
1474 u32 av;
1475 struct task_security_struct *tsec;
1476 u32 tsid;
1477 int rc;
1478
1479 rc = secondary_ops->sysctl(table, op);
1480 if (rc)
1481 return rc;
1482
1483 tsec = current->security;
1484
3fbfa981
EB		 1485 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1486 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1da177e4
LT		 1487 if (rc) {
1488 /* Default to the well-defined sysctl SID. */
1489 tsid = SECINITSID_SYSCTL;
1490 }
1491
1492 /* The op values are "defined" in sysctl.c, thereby creating
1493 * a bad coupling between this module and sysctl.c */
1494 if(op == 001) {
1495 error = avc_has_perm(tsec->sid, tsid,
1496 SECCLASS_DIR, DIR__SEARCH, NULL);
1497 } else {
1498 av = 0;
1499 if (op & 004)
1500 av |= FILE__READ;
1501 if (op & 002)
1502 av |= FILE__WRITE;
1503 if (av)
1504 error = avc_has_perm(tsec->sid, tsid,
1505 SECCLASS_FILE, av, NULL);
1506 }
1507
1508 return error;
1509}
1510
1511static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1512{
1513 int rc = 0;
1514
1515 if (!sb)
1516 return 0;
1517
1518 switch (cmds) {
1519 case Q_SYNC:
1520 case Q_QUOTAON:
1521 case Q_QUOTAOFF:
1522 case Q_SETINFO:
1523 case Q_SETQUOTA:
1524 rc = superblock_has_perm(current,
1525 sb,
1526 FILESYSTEM__QUOTAMOD, NULL);
1527 break;
1528 case Q_GETFMT:
1529 case Q_GETINFO:
1530 case Q_GETQUOTA:
1531 rc = superblock_has_perm(current,
1532 sb,
1533 FILESYSTEM__QUOTAGET, NULL);
1534 break;
1535 default:
1536 rc = 0; /* let the kernel handle invalid cmds */
1537 break;
1538 }
1539 return rc;
1540}
1541
1542static int selinux_quota_on(struct dentry *dentry)
1543{
1544 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1545}
1546
1547static int selinux_syslog(int type)
1548{
1549 int rc;
1550
1551 rc = secondary_ops->syslog(type);
1552 if (rc)
1553 return rc;
1554
1555 switch (type) {
1556 case 3: /* Read last kernel messages */
1557 case 10: /* Return size of the log buffer */
1558 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1559 break;
1560 case 6: /* Disable logging to console */
1561 case 7: /* Enable logging to console */
1562 case 8: /* Set level of messages printed to console */
1563 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1564 break;
1565 case 0: /* Close log */
1566 case 1: /* Open log */
1567 case 2: /* Read from log */
1568 case 4: /* Read/clear last kernel messages */
1569 case 5: /* Clear ring buffer */
1570 default:
1571 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1572 break;
1573 }
1574 return rc;
1575}
1576
1577/*
1578 * Check that a process has enough memory to allocate a new virtual
1579 * mapping. 0 means there is enough memory for the allocation to
1580 * succeed and -ENOMEM implies there is not.
1581 *
1582 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1583 * if the capability is granted, but __vm_enough_memory requires 1 if
1584 * the capability is granted.
1585 *
1586 * Do not audit the selinux permission check, as this is applied to all
1587 * processes that allocate mappings.
1588 */
34b4e4aa 1589static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 1590{
1591 int rc, cap_sys_admin = 0;
1592 struct task_security_struct *tsec = current->security;
1593
1594 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1595 if (rc == 0)
1596 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2c3c05db
SS		 1597 SECCLASS_CAPABILITY,
1598 CAP_TO_MASK(CAP_SYS_ADMIN),
1599 0,
1600 NULL);
1da177e4
LT		 1601
1602 if (rc == 0)
1603 cap_sys_admin = 1;
1604
34b4e4aa 1605 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 1606}
1607
1608/* binprm security operations */
1609
1610static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1611{
1612 struct bprm_security_struct *bsec;
1613
89d155ef 1614 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1da177e4
LT		 1615 if (!bsec)
1616 return -ENOMEM;
1617
1da177e4
LT		 1618 bsec->bprm = bprm;
1619 bsec->sid = SECINITSID_UNLABELED;
1620 bsec->set = 0;
1621
1622 bprm->security = bsec;
1623 return 0;
1624}
1625
1626static int selinux_bprm_set_security(struct linux_binprm *bprm)
1627{
1628 struct task_security_struct *tsec;
3d5ff529 1629 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1da177e4
LT		 1630 struct inode_security_struct *isec;
1631 struct bprm_security_struct *bsec;
1632 u32 newsid;
1633 struct avc_audit_data ad;
1634 int rc;
1635
1636 rc = secondary_ops->bprm_set_security(bprm);
1637 if (rc)
1638 return rc;
1639
1640 bsec = bprm->security;
1641
1642 if (bsec->set)
1643 return 0;
1644
1645 tsec = current->security;
1646 isec = inode->i_security;
1647
1648 /* Default to the current task SID. */
1649 bsec->sid = tsec->sid;
1650
28eba5bf 1651 /* Reset fs, key, and sock SIDs on execve. */
1da177e4 1652 tsec->create_sid = 0;
28eba5bf 1653 tsec->keycreate_sid = 0;
42c3e03e 1654 tsec->sockcreate_sid = 0;
1da177e4
LT		 1655
1656 if (tsec->exec_sid) {
1657 newsid = tsec->exec_sid;
1658 /* Reset exec SID on execve. */
1659 tsec->exec_sid = 0;
1660 } else {
1661 /* Check for a default transition on this program. */
1662 rc = security_transition_sid(tsec->sid, isec->sid,
1663 SECCLASS_PROCESS, &newsid);
1664 if (rc)
1665 return rc;
1666 }
1667
1668 AVC_AUDIT_DATA_INIT(&ad, FS);
3d5ff529
JS		 1669 ad.u.fs.mnt = bprm->file->f_path.mnt;
1670 ad.u.fs.dentry = bprm->file->f_path.dentry;
1da177e4 1671
3d5ff529 1672 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1da177e4
LT		 1673 newsid = tsec->sid;
1674
1675 if (tsec->sid == newsid) {
1676 rc = avc_has_perm(tsec->sid, isec->sid,
1677 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1678 if (rc)
1679 return rc;
1680 } else {
1681 /* Check permissions for the transition. */
1682 rc = avc_has_perm(tsec->sid, newsid,
1683 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1684 if (rc)
1685 return rc;
1686
1687 rc = avc_has_perm(newsid, isec->sid,
1688 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1689 if (rc)
1690 return rc;
1691
1692 /* Clear any possibly unsafe personality bits on exec: */
1693 current->personality &= ~PER_CLEAR_ON_SETID;
1694
1695 /* Set the security field to the new SID. */
1696 bsec->sid = newsid;
1697 }
1698
1699 bsec->set = 1;
1700 return 0;
1701}
1702
1703static int selinux_bprm_check_security (struct linux_binprm *bprm)
1704{
1705 return secondary_ops->bprm_check_security(bprm);
1706}
1707
1708
1709static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1710{
1711 struct task_security_struct *tsec = current->security;
1712 int atsecure = 0;
1713
1714 if (tsec->osid != tsec->sid) {
1715 /* Enable secure mode for SIDs transitions unless
1716 the noatsecure permission is granted between
1717 the two SIDs, i.e. ahp returns 0. */
1718 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1719 SECCLASS_PROCESS,
1720 PROCESS__NOATSECURE, NULL);
1721 }
1722
1723 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1724}
1725
1726static void selinux_bprm_free_security(struct linux_binprm *bprm)
1727{
9a5f04bf 1728 kfree(bprm->security);
1da177e4 1729 bprm->security = NULL;
1da177e4
LT		 1730}
1731
1732extern struct vfsmount *selinuxfs_mount;
1733extern struct dentry *selinux_null;
1734
1735/* Derived from fs/exec.c:flush_old_files. */
1736static inline void flush_unauthorized_files(struct files_struct * files)
1737{
1738 struct avc_audit_data ad;
1739 struct file *file, *devnull = NULL;
b20c8122 1740 struct tty_struct *tty;
badf1662 1741 struct fdtable *fdt;
1da177e4 1742 long j = -1;
24ec839c 1743 int drop_tty = 0;
1da177e4 1744
b20c8122 1745 mutex_lock(&tty_mutex);
24ec839c 1746 tty = get_current_tty();
1da177e4
LT		 1747 if (tty) {
1748 file_list_lock();
2f512016 1749 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1da177e4
LT		 1750 if (file) {
1751 /* Revalidate access to controlling tty.
1752 Use inode_has_perm on the tty inode directly rather
1753 than using file_has_perm, as this particular open
1754 file may belong to another process and we are only
1755 interested in the inode-based check here. */
3d5ff529 1756 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 1757 if (inode_has_perm(current, inode,
1758 FILE__READ | FILE__WRITE, NULL)) {
24ec839c 1759 drop_tty = 1;
1da177e4
LT		 1760 }
1761 }
1762 file_list_unlock();
1763 }
b20c8122 1764 mutex_unlock(&tty_mutex);
98a27ba4
EB		 1765 /* Reset controlling tty. */
1766 if (drop_tty)
1767 no_tty();
1da177e4
LT		 1768
1769 /* Revalidate access to inherited open files. */
1770
1771 AVC_AUDIT_DATA_INIT(&ad,FS);
1772
1773 spin_lock(&files->file_lock);
1774 for (;;) {
1775 unsigned long set, i;
1776 int fd;
1777
1778 j++;
1779 i = j * __NFDBITS;
badf1662 1780 fdt = files_fdtable(files);
bbea9f69 1781 if (i >= fdt->max_fds)
1da177e4 1782 break;
badf1662 1783 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 1784 if (!set)
1785 continue;
1786 spin_unlock(&files->file_lock);
1787 for ( ; set ; i++,set >>= 1) {
1788 if (set & 1) {
1789 file = fget(i);
1790 if (!file)
1791 continue;
1792 if (file_has_perm(current,
1793 file,
1794 file_to_av(file))) {
1795 sys_close(i);
1796 fd = get_unused_fd();
1797 if (fd != i) {
1798 if (fd >= 0)
1799 put_unused_fd(fd);
1800 fput(file);
1801 continue;
1802 }
1803 if (devnull) {
095975da 1804 get_file(devnull);
1da177e4
LT		 1805 } else {
1806 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
fc5d81e6
AM		 1807 if (IS_ERR(devnull)) {
1808 devnull = NULL;
1da177e4
LT		 1809 put_unused_fd(fd);
1810 fput(file);
1811 continue;
1812 }
1813 }
1814 fd_install(fd, devnull);
1815 }
1816 fput(file);
1817 }
1818 }
1819 spin_lock(&files->file_lock);
1820
1821 }
1822 spin_unlock(&files->file_lock);
1823}
1824
1825static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1826{
1827 struct task_security_struct *tsec;
1828 struct bprm_security_struct *bsec;
1829 u32 sid;
1830 int rc;
1831
1832 secondary_ops->bprm_apply_creds(bprm, unsafe);
1833
1834 tsec = current->security;
1835
1836 bsec = bprm->security;
1837 sid = bsec->sid;
1838
1839 tsec->osid = tsec->sid;
1840 bsec->unsafe = 0;
1841 if (tsec->sid != sid) {
1842 /* Check for shared state. If not ok, leave SID
1843 unchanged and kill. */
1844 if (unsafe & LSM_UNSAFE_SHARE) {
1845 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1846 PROCESS__SHARE, NULL);
1847 if (rc) {
1848 bsec->unsafe = 1;
1849 return;
1850 }
1851 }
1852
1853 /* Check for ptracing, and update the task SID if ok.
1854 Otherwise, leave SID unchanged and kill. */
1855 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1856 rc = avc_has_perm(tsec->ptrace_sid, sid,
1857 SECCLASS_PROCESS, PROCESS__PTRACE,
1858 NULL);
1859 if (rc) {
1860 bsec->unsafe = 1;
1861 return;
1862 }
1863 }
1864 tsec->sid = sid;
1865 }
1866}
1867
1868/*
1869 * called after apply_creds without the task lock held
1870 */
1871static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1872{
1873 struct task_security_struct *tsec;
1874 struct rlimit *rlim, *initrlim;
1875 struct itimerval itimer;
1876 struct bprm_security_struct *bsec;
1877 int rc, i;
1878
1879 tsec = current->security;
1880 bsec = bprm->security;
1881
1882 if (bsec->unsafe) {
1883 force_sig_specific(SIGKILL, current);
1884 return;
1885 }
1886 if (tsec->osid == tsec->sid)
1887 return;
1888
1889 /* Close files for which the new task SID is not authorized. */
1890 flush_unauthorized_files(current->files);
1891
1892 /* Check whether the new SID can inherit signal state
1893 from the old SID. If not, clear itimers to avoid
1894 subsequent signal generation and flush and unblock
1895 signals. This must occur _after_ the task SID has
1896 been updated so that any kill done after the flush
1897 will be checked against the new SID. */
1898 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1899 PROCESS__SIGINH, NULL);
1900 if (rc) {
1901 memset(&itimer, 0, sizeof itimer);
1902 for (i = 0; i < 3; i++)
1903 do_setitimer(i, &itimer, NULL);
1904 flush_signals(current);
1905 spin_lock_irq(&current->sighand->siglock);
1906 flush_signal_handlers(current, 1);
1907 sigemptyset(&current->blocked);
1908 recalc_sigpending();
1909 spin_unlock_irq(&current->sighand->siglock);
1910 }
1911
4ac212ad
SS		 1912 /* Always clear parent death signal on SID transitions. */
1913 current->pdeath_signal = 0;
1914
1da177e4
LT		 1915 /* Check whether the new SID can inherit resource limits
1916 from the old SID. If not, reset all soft limits to
1917 the lower of the current task's hard limit and the init
1918 task's soft limit. Note that the setting of hard limits
1919 (even to lower them) can be controlled by the setrlimit
1920 check. The inclusion of the init task's soft limit into
1921 the computation is to avoid resetting soft limits higher
1922 than the default soft limit for cases where the default
1923 is lower than the hard limit, e.g. RLIMIT_CORE or
1924 RLIMIT_STACK.*/
1925 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1926 PROCESS__RLIMITINH, NULL);
1927 if (rc) {
1928 for (i = 0; i < RLIM_NLIMITS; i++) {
1929 rlim = current->signal->rlim + i;
1930 initrlim = init_task.signal->rlim+i;
1931 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1932 }
1933 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1934 /*
1935 * This will cause RLIMIT_CPU calculations
1936 * to be refigured.
1937 */
1938 current->it_prof_expires = jiffies_to_cputime(1);
1939 }
1940 }
1941
1942 /* Wake up the parent if it is waiting so that it can
1943 recheck wait permission to the new task SID. */
1944 wake_up_interruptible(&current->parent->signal->wait_chldexit);
1945}
1946
1947/* superblock security operations */
1948
1949static int selinux_sb_alloc_security(struct super_block *sb)
1950{
1951 return superblock_alloc_security(sb);
1952}
1953
1954static void selinux_sb_free_security(struct super_block *sb)
1955{
1956 superblock_free_security(sb);
1957}
1958
1959static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1960{
1961 if (plen > olen)
1962 return 0;
1963
1964 return !memcmp(prefix, option, plen);
1965}
1966
1967static inline int selinux_option(char *option, int len)
1968{
1969 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1970 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
0808925e
EP		 1971 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
1972 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
1da177e4
LT		 1973}
1974
1975static inline void take_option(char **to, char *from, int *first, int len)
1976{
1977 if (!*first) {
1978 **to = ',';
1979 *to += 1;
3528a953 1980 } else
1da177e4
LT		 1981 *first = 0;
1982 memcpy(*to, from, len);
1983 *to += len;
1984}
1985
3528a953
CO		 1986static inline void take_selinux_option(char **to, char *from, int *first,
1987 int len)
1988{
1989 int current_size = 0;
1990
1991 if (!*first) {
1992 **to = '|';
1993 *to += 1;
1994 }
1995 else
1996 *first = 0;
1997
1998 while (current_size < len) {
1999 if (*from != '"') {
2000 **to = *from;
2001 *to += 1;
2002 }
2003 from += 1;
2004 current_size += 1;
2005 }
2006}
2007
1da177e4
LT		 2008static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
2009{
2010 int fnosec, fsec, rc = 0;
2011 char *in_save, *in_curr, *in_end;
2012 char *sec_curr, *nosec_save, *nosec;
3528a953 2013 int open_quote = 0;
1da177e4
LT		 2014
2015 in_curr = orig;
2016 sec_curr = copy;
2017
2018 /* Binary mount data: just copy */
2019 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
2020 copy_page(sec_curr, in_curr);
2021 goto out;
2022 }
2023
2024 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2025 if (!nosec) {
2026 rc = -ENOMEM;
2027 goto out;
2028 }
2029
2030 nosec_save = nosec;
2031 fnosec = fsec = 1;
2032 in_save = in_end = orig;
2033
2034 do {
3528a953
CO		 2035 if (*in_end == '"')
2036 open_quote = !open_quote;
2037 if ((*in_end == ',' && open_quote == 0) ||
2038 *in_end == '\0') {
1da177e4
LT		 2039 int len = in_end - in_curr;
2040
2041 if (selinux_option(in_curr, len))
3528a953 2042 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2043 else
2044 take_option(&nosec, in_curr, &fnosec, len);
2045
2046 in_curr = in_end + 1;
2047 }
2048 } while (*in_end++);
2049
6931dfc9 2050 strcpy(in_save, nosec_save);
da3caa20 2051 free_page((unsigned long)nosec_save);
1da177e4
LT		 2052out:
2053 return rc;
2054}
2055
2056static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2057{
2058 struct avc_audit_data ad;
2059 int rc;
2060
2061 rc = superblock_doinit(sb, data);
2062 if (rc)
2063 return rc;
2064
2065 AVC_AUDIT_DATA_INIT(&ad,FS);
2066 ad.u.fs.dentry = sb->s_root;
2067 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2068}
2069
726c3342 2070static int selinux_sb_statfs(struct dentry *dentry)
1da177e4
LT		 2071{
2072 struct avc_audit_data ad;
2073
2074 AVC_AUDIT_DATA_INIT(&ad,FS);
726c3342
DH		 2075 ad.u.fs.dentry = dentry->d_sb->s_root;
2076 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2077}
2078
2079static int selinux_mount(char * dev_name,
2080 struct nameidata *nd,
2081 char * type,
2082 unsigned long flags,
2083 void * data)
2084{
2085 int rc;
2086
2087 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2088 if (rc)
2089 return rc;
2090
2091 if (flags & MS_REMOUNT)
2092 return superblock_has_perm(current, nd->mnt->mnt_sb,
2093 FILESYSTEM__REMOUNT, NULL);
2094 else
2095 return dentry_has_perm(current, nd->mnt, nd->dentry,
2096 FILE__MOUNTON);
2097}
2098
2099static int selinux_umount(struct vfsmount *mnt, int flags)
2100{
2101 int rc;
2102
2103 rc = secondary_ops->sb_umount(mnt, flags);
2104 if (rc)
2105 return rc;
2106
2107 return superblock_has_perm(current,mnt->mnt_sb,
2108 FILESYSTEM__UNMOUNT,NULL);
2109}
2110
2111/* inode security operations */
2112
2113static int selinux_inode_alloc_security(struct inode *inode)
2114{
2115 return inode_alloc_security(inode);
2116}
2117
2118static void selinux_inode_free_security(struct inode *inode)
2119{
2120 inode_free_security(inode);
2121}
2122
5e41ff9e
SS		 2123static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2124 char **name, void **value,
2125 size_t *len)
2126{
2127 struct task_security_struct *tsec;
2128 struct inode_security_struct *dsec;
2129 struct superblock_security_struct *sbsec;
570bc1c2 2130 u32 newsid, clen;
5e41ff9e 2131 int rc;
570bc1c2 2132 char *namep = NULL, *context;
5e41ff9e
SS		 2133
2134 tsec = current->security;
2135 dsec = dir->i_security;
2136 sbsec = dir->i_sb->s_security;
5e41ff9e
SS		 2137
2138 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2139 newsid = tsec->create_sid;
2140 } else {
2141 rc = security_transition_sid(tsec->sid, dsec->sid,
2142 inode_mode_to_security_class(inode->i_mode),
2143 &newsid);
2144 if (rc) {
2145 printk(KERN_WARNING "%s: "
2146 "security_transition_sid failed, rc=%d (dev=%s "
2147 "ino=%ld)\n",
2148 __FUNCTION__,
2149 -rc, inode->i_sb->s_id, inode->i_ino);
2150 return rc;
2151 }
2152 }
2153
296fddf7
EP		 2154 /* Possibly defer initialization to selinux_complete_init. */
2155 if (sbsec->initialized) {
2156 struct inode_security_struct *isec = inode->i_security;
2157 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2158 isec->sid = newsid;
2159 isec->initialized = 1;
2160 }
5e41ff9e 2161
8aad3875 2162 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
25a74f3b
SS		 2163 return -EOPNOTSUPP;
2164
570bc1c2
SS		 2165 if (name) {
2166 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2167 if (!namep)
2168 return -ENOMEM;
2169 *name = namep;
2170 }
5e41ff9e 2171
570bc1c2
SS		 2172 if (value && len) {
2173 rc = security_sid_to_context(newsid, &context, &clen);
2174 if (rc) {
2175 kfree(namep);
2176 return rc;
2177 }
2178 *value = context;
2179 *len = clen;
5e41ff9e 2180 }
5e41ff9e 2181
5e41ff9e
SS		 2182 return 0;
2183}
2184
1da177e4
LT		 2185static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2186{
2187 return may_create(dir, dentry, SECCLASS_FILE);
2188}
2189
1da177e4
LT		 2190static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2191{
2192 int rc;
2193
2194 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2195 if (rc)
2196 return rc;
2197 return may_link(dir, old_dentry, MAY_LINK);
2198}
2199
1da177e4
LT		 2200static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2201{
2202 int rc;
2203
2204 rc = secondary_ops->inode_unlink(dir, dentry);
2205 if (rc)
2206 return rc;
2207 return may_link(dir, dentry, MAY_UNLINK);
2208}
2209
2210static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2211{
2212 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2213}
2214
1da177e4
LT		 2215static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2216{
2217 return may_create(dir, dentry, SECCLASS_DIR);
2218}
2219
1da177e4
LT		 2220static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2221{
2222 return may_link(dir, dentry, MAY_RMDIR);
2223}
2224
2225static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2226{
2227 int rc;
2228
2229 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2230 if (rc)
2231 return rc;
2232
2233 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2234}
2235
1da177e4
LT		 2236static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2237 struct inode *new_inode, struct dentry *new_dentry)
2238{
2239 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2240}
2241
1da177e4
LT		 2242static int selinux_inode_readlink(struct dentry *dentry)
2243{
2244 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2245}
2246
2247static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2248{
2249 int rc;
2250
2251 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2252 if (rc)
2253 return rc;
2254 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2255}
2256
2257static int selinux_inode_permission(struct inode *inode, int mask,
2258 struct nameidata *nd)
2259{
2260 int rc;
2261
2262 rc = secondary_ops->inode_permission(inode, mask, nd);
2263 if (rc)
2264 return rc;
2265
2266 if (!mask) {
2267 /* No permission to check. Existence test. */
2268 return 0;
2269 }
2270
2271 return inode_has_perm(current, inode,
2272 file_mask_to_av(inode->i_mode, mask), NULL);
2273}
2274
2275static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2276{
2277 int rc;
2278
2279 rc = secondary_ops->inode_setattr(dentry, iattr);
2280 if (rc)
2281 return rc;
2282
2283 if (iattr->ia_valid & ATTR_FORCE)
2284 return 0;
2285
2286 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2287 ATTR_ATIME_SET | ATTR_MTIME_SET))
2288 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2289
2290 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2291}
2292
2293static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2294{
2295 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2296}
2297
2298static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2299{
2300 struct task_security_struct *tsec = current->security;
2301 struct inode *inode = dentry->d_inode;
2302 struct inode_security_struct *isec = inode->i_security;
2303 struct superblock_security_struct *sbsec;
2304 struct avc_audit_data ad;
2305 u32 newsid;
2306 int rc = 0;
2307
2308 if (strcmp(name, XATTR_NAME_SELINUX)) {
2309 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2310 sizeof XATTR_SECURITY_PREFIX - 1) &&
2311 !capable(CAP_SYS_ADMIN)) {
2312 /* A different attribute in the security namespace.
2313 Restrict to administrator. */
2314 return -EPERM;
2315 }
2316
2317 /* Not an attribute we recognize, so just check the
2318 ordinary setattr permission. */
2319 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2320 }
2321
2322 sbsec = inode->i_sb->s_security;
2323 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2324 return -EOPNOTSUPP;
2325
3bd858ab 2326 if (!is_owner_or_cap(inode))
1da177e4
LT		 2327 return -EPERM;
2328
2329 AVC_AUDIT_DATA_INIT(&ad,FS);
2330 ad.u.fs.dentry = dentry;
2331
2332 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2333 FILE__RELABELFROM, &ad);
2334 if (rc)
2335 return rc;
2336
2337 rc = security_context_to_sid(value, size, &newsid);
2338 if (rc)
2339 return rc;
2340
2341 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2342 FILE__RELABELTO, &ad);
2343 if (rc)
2344 return rc;
2345
2346 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2347 isec->sclass);
2348 if (rc)
2349 return rc;
2350
2351 return avc_has_perm(newsid,
2352 sbsec->sid,
2353 SECCLASS_FILESYSTEM,
2354 FILESYSTEM__ASSOCIATE,
2355 &ad);
2356}
2357
2358static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2359 void *value, size_t size, int flags)
2360{
2361 struct inode *inode = dentry->d_inode;
2362 struct inode_security_struct *isec = inode->i_security;
2363 u32 newsid;
2364 int rc;
2365
2366 if (strcmp(name, XATTR_NAME_SELINUX)) {
2367 /* Not an attribute we recognize, so nothing to do. */
2368 return;
2369 }
2370
2371 rc = security_context_to_sid(value, size, &newsid);
2372 if (rc) {
2373 printk(KERN_WARNING "%s: unable to obtain SID for context "
2374 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2375 return;
2376 }
2377
2378 isec->sid = newsid;
2379 return;
2380}
2381
2382static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2383{
1da177e4
LT		 2384 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2385}
2386
2387static int selinux_inode_listxattr (struct dentry *dentry)
2388{
2389 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2390}
2391
2392static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2393{
2394 if (strcmp(name, XATTR_NAME_SELINUX)) {
2395 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2396 sizeof XATTR_SECURITY_PREFIX - 1) &&
2397 !capable(CAP_SYS_ADMIN)) {
2398 /* A different attribute in the security namespace.
2399 Restrict to administrator. */
2400 return -EPERM;
2401 }
2402
2403 /* Not an attribute we recognize, so just check the
2404 ordinary setattr permission. Might want a separate
2405 permission for removexattr. */
2406 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2407 }
2408
2409 /* No one is allowed to remove a SELinux security label.
2410 You can change the label, but all data must be labeled. */
2411 return -EACCES;
2412}
2413
8c8570fb
DK		 2414static const char *selinux_inode_xattr_getsuffix(void)
2415{
2416 return XATTR_SELINUX_SUFFIX;
2417}
2418
d381d8a9
JM		 2419/*
2420 * Copy the in-core inode security context value to the user. If the
2421 * getxattr() prior to this succeeded, check to see if we need to
2422 * canonicalize the value to be finally returned to the user.
2423 *
2424 * Permission check is handled by selinux_inode_getxattr hook.
2425 */
7306a0b9 2426static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
1da177e4
LT		 2427{
2428 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2429
8c8570fb
DK		 2430 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2431 return -EOPNOTSUPP;
d381d8a9 2432
8c8570fb 2433 return selinux_getsecurity(isec->sid, buffer, size);
1da177e4
LT		 2434}
2435
2436static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2437 const void *value, size_t size, int flags)
2438{
2439 struct inode_security_struct *isec = inode->i_security;
2440 u32 newsid;
2441 int rc;
2442
2443 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2444 return -EOPNOTSUPP;
2445
2446 if (!value || !size)
2447 return -EACCES;
2448
2449 rc = security_context_to_sid((void*)value, size, &newsid);
2450 if (rc)
2451 return rc;
2452
2453 isec->sid = newsid;
2454 return 0;
2455}
2456
2457static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2458{
2459 const int len = sizeof(XATTR_NAME_SELINUX);
2460 if (buffer && len <= buffer_size)
2461 memcpy(buffer, XATTR_NAME_SELINUX, len);
2462 return len;
2463}
2464
2465/* file security operations */
2466
2467static int selinux_file_permission(struct file *file, int mask)
2468{
7420ed23 2469 int rc;
3d5ff529 2470 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2471
2472 if (!mask) {
2473 /* No permission to check. Existence test. */
2474 return 0;
2475 }
2476
2477 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2478 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2479 mask |= MAY_APPEND;
2480
7420ed23
VY		 2481 rc = file_has_perm(current, file,
2482 file_mask_to_av(inode->i_mode, mask));
2483 if (rc)
2484 return rc;
2485
2486 return selinux_netlbl_inode_permission(inode, mask);
1da177e4
LT		 2487}
2488
2489static int selinux_file_alloc_security(struct file *file)
2490{
2491 return file_alloc_security(file);
2492}
2493
2494static void selinux_file_free_security(struct file *file)
2495{
2496 file_free_security(file);
2497}
2498
2499static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2500 unsigned long arg)
2501{
2502 int error = 0;
2503
2504 switch (cmd) {
2505 case FIONREAD:
2506 /* fall through */
2507 case FIBMAP:
2508 /* fall through */
2509 case FIGETBSZ:
2510 /* fall through */
2511 case EXT2_IOC_GETFLAGS:
2512 /* fall through */
2513 case EXT2_IOC_GETVERSION:
2514 error = file_has_perm(current, file, FILE__GETATTR);
2515 break;
2516
2517 case EXT2_IOC_SETFLAGS:
2518 /* fall through */
2519 case EXT2_IOC_SETVERSION:
2520 error = file_has_perm(current, file, FILE__SETATTR);
2521 break;
2522
2523 /* sys_ioctl() checks */
2524 case FIONBIO:
2525 /* fall through */
2526 case FIOASYNC:
2527 error = file_has_perm(current, file, 0);
2528 break;
2529
2530 case KDSKBENT:
2531 case KDSKBSENT:
2532 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2533 break;
2534
2535 /* default case assumes that the command will go
2536 * to the file's ioctl() function.
2537 */
2538 default:
2539 error = file_has_perm(current, file, FILE__IOCTL);
2540
2541 }
2542 return error;
2543}
2544
2545static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2546{
2547#ifndef CONFIG_PPC32
2548 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2549 /*
2550 * We are making executable an anonymous mapping or a
2551 * private file mapping that will also be writable.
2552 * This has an additional check.
2553 */
2554 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2555 if (rc)
2556 return rc;
2557 }
2558#endif
2559
2560 if (file) {
2561 /* read access is always possible with a mapping */
2562 u32 av = FILE__READ;
2563
2564 /* write access only matters if the mapping is shared */
2565 if (shared && (prot & PROT_WRITE))
2566 av |= FILE__WRITE;
2567
2568 if (prot & PROT_EXEC)
2569 av |= FILE__EXECUTE;
2570
2571 return file_has_perm(current, file, av);
2572 }
2573 return 0;
2574}
2575
2576static int selinux_file_mmap(struct file *file, unsigned long reqprot,
ed032189
EP		 2577 unsigned long prot, unsigned long flags,
2578 unsigned long addr, unsigned long addr_only)
1da177e4 2579{
ed032189
EP		 2580 int rc = 0;
2581 u32 sid = ((struct task_security_struct*)(current->security))->sid;
1da177e4 2582
ed032189
EP		 2583 if (addr < mmap_min_addr)
2584 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2585 MEMPROTECT__MMAP_ZERO, NULL);
2586 if (rc || addr_only)
1da177e4
LT		 2587 return rc;
2588
2589 if (selinux_checkreqprot)
2590 prot = reqprot;
2591
2592 return file_map_prot_check(file, prot,
2593 (flags & MAP_TYPE) == MAP_SHARED);
2594}
2595
2596static int selinux_file_mprotect(struct vm_area_struct *vma,
2597 unsigned long reqprot,
2598 unsigned long prot)
2599{
2600 int rc;
2601
2602 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2603 if (rc)
2604 return rc;
2605
2606 if (selinux_checkreqprot)
2607 prot = reqprot;
2608
2609#ifndef CONFIG_PPC32
db4c9641
SS		 2610 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2611 rc = 0;
2612 if (vma->vm_start >= vma->vm_mm->start_brk &&
2613 vma->vm_end <= vma->vm_mm->brk) {
2614 rc = task_has_perm(current, current,
2615 PROCESS__EXECHEAP);
2616 } else if (!vma->vm_file &&
2617 vma->vm_start <= vma->vm_mm->start_stack &&
2618 vma->vm_end >= vma->vm_mm->start_stack) {
2619 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2620 } else if (vma->vm_file && vma->anon_vma) {
2621 /*
2622 * We are making executable a file mapping that has
2623 * had some COW done. Since pages might have been
2624 * written, check ability to execute the possibly
2625 * modified content. This typically should only
2626 * occur for text relocations.
2627 */
2628 rc = file_has_perm(current, vma->vm_file,
2629 FILE__EXECMOD);
2630 }