]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blame - security/selinux/hooks.c
projects / mirror_ubuntu-artful-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
selinux: Remove unused permission definitions
[mirror_ubuntu-artful-kernel.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4 26#include <linux/init.h>
0b24dcb7 27#include <linux/kd.h>
1da177e4 28#include <linux/kernel.h>
0d094efe 29#include <linux/tracehook.h>
1da177e4
LT		 30#include <linux/errno.h>
31#include <linux/sched.h>
3c4ed7bd 32#include <linux/lsm_hooks.h>
1da177e4
LT		 33#include <linux/xattr.h>
34#include <linux/capability.h>
35#include <linux/unistd.h>
36#include <linux/mm.h>
37#include <linux/mman.h>
38#include <linux/slab.h>
39#include <linux/pagemap.h>
0b24dcb7 40#include <linux/proc_fs.h>
1da177e4 41#include <linux/swap.h>
1da177e4
LT		 42#include <linux/spinlock.h>
43#include <linux/syscalls.h>
2a7dba39 44#include <linux/dcache.h>
1da177e4 45#include <linux/file.h>
9f3acc31 46#include <linux/fdtable.h>
1da177e4
LT		 47#include <linux/namei.h>
48#include <linux/mount.h>
1da177e4
LT		 49#include <linux/netfilter_ipv4.h>
50#include <linux/netfilter_ipv6.h>
51#include <linux/tty.h>
52#include <net/icmp.h>
227b60f5 53#include <net/ip.h> /* for local_port_range[] */
1da177e4 54#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 55#include <net/inet_connection_sock.h>
220deb96 56#include <net/net_namespace.h>
d621d35e 57#include <net/netlabel.h>
f5269710 58#include <linux/uaccess.h>
1da177e4 59#include <asm/ioctls.h>
60063497 60#include <linux/atomic.h>
1da177e4
LT		 61#include <linux/bitops.h>
62#include <linux/interrupt.h>
63#include <linux/netdevice.h> /* for network interface checks */
77954983 64#include <net/netlink.h>
1da177e4
LT		 65#include <linux/tcp.h>
66#include <linux/udp.h>
2ee92d46 67#include <linux/dccp.h>
1da177e4
LT		 68#include <linux/quota.h>
69#include <linux/un.h> /* for Unix socket types */
70#include <net/af_unix.h> /* for Unix socket types */
71#include <linux/parser.h>
72#include <linux/nfs_mount.h>
73#include <net/ipv6.h>
74#include <linux/hugetlb.h>
75#include <linux/personality.h>
1da177e4 76#include <linux/audit.h>
6931dfc9 77#include <linux/string.h>
877ce7c1 78#include <linux/selinux.h>
23970741 79#include <linux/mutex.h>
f06febc9 80#include <linux/posix-timers.h>
00234592 81#include <linux/syslog.h>
3486740a 82#include <linux/user_namespace.h>
44fc7ea0 83#include <linux/export.h>
40401530
AV		 84#include <linux/msg.h>
85#include <linux/shm.h>
1da177e4
LT		 86
87#include "avc.h"
88#include "objsec.h"
89#include "netif.h"
224dfbd8 90#include "netnode.h"
3e112172 91#include "netport.h"
d28d1e08 92#include "xfrm.h"
c60475bf 93#include "netlabel.h"
9d57a7f9 94#include "audit.h"
7b98a585 95#include "avc_ss.h"
1da177e4 96
d621d35e 97/* SECMARK reference count */
56a4ca99 98static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 99
1da177e4 100#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 101int selinux_enforcing;
1da177e4
LT		 102
103static int __init enforcing_setup(char *str)
104{
f5269710 105 unsigned long enforcing;
29707b20 106 if (!kstrtoul(str, 0, &enforcing))
f5269710 107 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 108 return 1;
109}
110__setup("enforcing=", enforcing_setup);
111#endif
112
113#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116static int __init selinux_enabled_setup(char *str)
117{
f5269710 118 unsigned long enabled;
29707b20 119 if (!kstrtoul(str, 0, &enabled))
f5269710 120 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 121 return 1;
122}
123__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 124#else
125int selinux_enabled = 1;
1da177e4
LT		 126#endif
127
e18b890b 128static struct kmem_cache *sel_inode_cache;
7cae7e26 129
d621d35e
PM		 130/**
131 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
132 *
133 * Description:
134 * This function checks the SECMARK reference counter to see if any SECMARK
135 * targets are currently configured, if the reference counter is greater than
136 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 137 * enabled, false (0) if SECMARK is disabled. If the always_check_network
138 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 139 *
140 */
141static int selinux_secmark_enabled(void)
142{
2be4d74f
CP		 143 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
144}
145
146/**
147 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
148 *
149 * Description:
150 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
151 * (1) if any are enabled or false (0) if neither are enabled. If the
152 * always_check_network policy capability is enabled, peer labeling
153 * is always considered enabled.
154 *
155 */
156static int selinux_peerlbl_enabled(void)
157{
158 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 159}
160
615e51fd
PM		 161static int selinux_netcache_avc_callback(u32 event)
162{
163 if (event == AVC_CALLBACK_RESET) {
164 sel_netif_flush();
165 sel_netnode_flush();
166 sel_netport_flush();
167 synchronize_net();
168 }
169 return 0;
170}
171
d84f4f99
DH		 172/*
173 * initialise the security for the init task
174 */
175static void cred_init_security(void)
1da177e4 176{
3b11a1de 177 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 178 struct task_security_struct *tsec;
179
89d155ef 180 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 181 if (!tsec)
d84f4f99 182 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 183
d84f4f99 184 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 185 cred->security = tsec;
1da177e4
LT		 186}
187
88e67f3b
DH		 188/*
189 * get the security ID of a set of credentials
190 */
191static inline u32 cred_sid(const struct cred *cred)
192{
193 const struct task_security_struct *tsec;
194
195 tsec = cred->security;
196 return tsec->sid;
197}
198
275bb41e 199/*
3b11a1de 200 * get the objective security ID of a task
275bb41e
DH		 201 */
202static inline u32 task_sid(const struct task_struct *task)
203{
275bb41e
DH		 204 u32 sid;
205
206 rcu_read_lock();
88e67f3b 207 sid = cred_sid(__task_cred(task));
275bb41e
DH		 208 rcu_read_unlock();
209 return sid;
210}
211
212/*
3b11a1de 213 * get the subjective security ID of the current task
275bb41e
DH		 214 */
215static inline u32 current_sid(void)
216{
5fb49870 217 const struct task_security_struct *tsec = current_security();
275bb41e
DH		 218
219 return tsec->sid;
220}
221
88e67f3b
DH		 222/* Allocate and free functions for each kind of security blob. */
223
1da177e4
LT		 224static int inode_alloc_security(struct inode *inode)
225{
1da177e4 226 struct inode_security_struct *isec;
275bb41e 227 u32 sid = current_sid();
1da177e4 228
a02fe132 229 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 230 if (!isec)
231 return -ENOMEM;
232
23970741 233 mutex_init(&isec->lock);
1da177e4 234 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 235 isec->inode = inode;
236 isec->sid = SECINITSID_UNLABELED;
237 isec->sclass = SECCLASS_FILE;
275bb41e 238 isec->task_sid = sid;
1da177e4
LT		 239 inode->i_security = isec;
240
241 return 0;
242}
243
3dc91d43
SR		 244static void inode_free_rcu(struct rcu_head *head)
245{
246 struct inode_security_struct *isec;
247
248 isec = container_of(head, struct inode_security_struct, rcu);
249 kmem_cache_free(sel_inode_cache, isec);
250}
251
1da177e4
LT		 252static void inode_free_security(struct inode *inode)
253{
254 struct inode_security_struct *isec = inode->i_security;
255 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
256
1da177e4
LT		 257 spin_lock(&sbsec->isec_lock);
258 if (!list_empty(&isec->list))
259 list_del_init(&isec->list);
260 spin_unlock(&sbsec->isec_lock);
261
3dc91d43
SR		 262 /*
263 * The inode may still be referenced in a path walk and
264 * a call to selinux_inode_permission() can be made
265 * after inode_free_security() is called. Ideally, the VFS
266 * wouldn't do this, but fixing that is a much harder
267 * job. For now, simply free the i_security via RCU, and
268 * leave the current inode->i_security pointer intact.
269 * The inode will be freed after the RCU grace period too.
270 */
271 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 272}
273
274static int file_alloc_security(struct file *file)
275{
1da177e4 276 struct file_security_struct *fsec;
275bb41e 277 u32 sid = current_sid();
1da177e4 278
26d2a4be 279 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 280 if (!fsec)
281 return -ENOMEM;
282
275bb41e
DH		 283 fsec->sid = sid;
284 fsec->fown_sid = sid;
1da177e4
LT		 285 file->f_security = fsec;
286
287 return 0;
288}
289
290static void file_free_security(struct file *file)
291{
292 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 293 file->f_security = NULL;
294 kfree(fsec);
295}
296
297static int superblock_alloc_security(struct super_block *sb)
298{
299 struct superblock_security_struct *sbsec;
300
89d155ef 301 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 302 if (!sbsec)
303 return -ENOMEM;
304
bc7e982b 305 mutex_init(&sbsec->lock);
1da177e4
LT		 306 INIT_LIST_HEAD(&sbsec->isec_head);
307 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 308 sbsec->sb = sb;
309 sbsec->sid = SECINITSID_UNLABELED;
310 sbsec->def_sid = SECINITSID_FILE;
c312feb2 311 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 312 sb->s_security = sbsec;
313
314 return 0;
315}
316
317static void superblock_free_security(struct super_block *sb)
318{
319 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 320 sb->s_security = NULL;
321 kfree(sbsec);
322}
323
1da177e4
LT		 324/* The file system's label must be initialized prior to use. */
325
eb9ae686 326static const char *labeling_behaviors[7] = {
1da177e4
LT		 327 "uses xattr",
328 "uses transition SIDs",
329 "uses task SIDs",
330 "uses genfs_contexts",
331 "not configured for labeling",
332 "uses mountpoint labeling",
eb9ae686 333 "uses native labeling",
1da177e4
LT		 334};
335
336static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
337
338static inline int inode_doinit(struct inode *inode)
339{
340 return inode_doinit_with_dentry(inode, NULL);
341}
342
343enum {
31e87930 344 Opt_error = -1,
1da177e4
LT		 345 Opt_context = 1,
346 Opt_fscontext = 2,
c9180a57
EP		 347 Opt_defcontext = 3,
348 Opt_rootcontext = 4,
11689d47 349 Opt_labelsupport = 5,
d355987f 350 Opt_nextmntopt = 6,
1da177e4
LT		 351};
352
d355987f
EP		 353#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
354
a447c093 355static const match_table_t tokens = {
832cbd9a
EP		 356 {Opt_context, CONTEXT_STR "%s"},
357 {Opt_fscontext, FSCONTEXT_STR "%s"},
358 {Opt_defcontext, DEFCONTEXT_STR "%s"},
359 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 360 {Opt_labelsupport, LABELSUPP_STR},
31e87930 361 {Opt_error, NULL},
1da177e4
LT		 362};
363
364#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
365
c312feb2
EP		 366static int may_context_mount_sb_relabel(u32 sid,
367 struct superblock_security_struct *sbsec,
275bb41e 368 const struct cred *cred)
c312feb2 369{
275bb41e 370 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 371 int rc;
372
373 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
374 FILESYSTEM__RELABELFROM, NULL);
375 if (rc)
376 return rc;
377
378 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
379 FILESYSTEM__RELABELTO, NULL);
380 return rc;
381}
382
0808925e
EP		 383static int may_context_mount_inode_relabel(u32 sid,
384 struct superblock_security_struct *sbsec,
275bb41e 385 const struct cred *cred)
0808925e 386{
275bb41e 387 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 388 int rc;
389 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
390 FILESYSTEM__RELABELFROM, NULL);
391 if (rc)
392 return rc;
393
394 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
395 FILESYSTEM__ASSOCIATE, NULL);
396 return rc;
397}
398
b43e725d
EP		 399static int selinux_is_sblabel_mnt(struct super_block *sb)
400{
401 struct superblock_security_struct *sbsec = sb->s_security;
402
d5f3a5f6
MS		 403 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
404 sbsec->behavior == SECURITY_FS_USE_TRANS ||
405 sbsec->behavior == SECURITY_FS_USE_TASK ||
406 /* Special handling. Genfs but also in-core setxattr handler */
407 !strcmp(sb->s_type->name, "sysfs") ||
408 !strcmp(sb->s_type->name, "pstore") ||
409 !strcmp(sb->s_type->name, "debugfs") ||
410 !strcmp(sb->s_type->name, "rootfs");
b43e725d
EP		 411}
412
c9180a57 413static int sb_finish_set_opts(struct super_block *sb)
1da177e4 414{
1da177e4 415 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 416 struct dentry *root = sb->s_root;
c6f493d6 417 struct inode *root_inode = d_backing_inode(root);
c9180a57 418 int rc = 0;
1da177e4 419
c9180a57
EP		 420 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
421 /* Make sure that the xattr handler exists and that no
422 error other than -ENODATA is returned by getxattr on
423 the root directory. -ENODATA is ok, as this may be
424 the first boot of the SELinux kernel before we have
425 assigned xattr values to the filesystem. */
426 if (!root_inode->i_op->getxattr) {
29b1deb2
LT		 427 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
428 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 429 rc = -EOPNOTSUPP;
430 goto out;
431 }
432 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
433 if (rc < 0 && rc != -ENODATA) {
434 if (rc == -EOPNOTSUPP)
435 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 436 "%s) has no security xattr handler\n",
437 sb->s_id, sb->s_type->name);
c9180a57
EP		 438 else
439 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 440 "%s) getxattr errno %d\n", sb->s_id,
441 sb->s_type->name, -rc);
c9180a57
EP		 442 goto out;
443 }
444 }
1da177e4 445
c9180a57 446 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
29b1deb2
LT		 447 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
448 sb->s_id, sb->s_type->name);
1da177e4 449
eadcabc6 450 sbsec->flags |= SE_SBINITIALIZED;
b43e725d 451 if (selinux_is_sblabel_mnt(sb))
12f348b9 452 sbsec->flags |= SBLABEL_MNT;
ddd29ec6 453
c9180a57
EP		 454 /* Initialize the root inode. */
455 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 456
c9180a57
EP		 457 /* Initialize any other inodes associated with the superblock, e.g.
458 inodes created prior to initial policy load or inodes created
459 during get_sb by a pseudo filesystem that directly
460 populates itself. */
461 spin_lock(&sbsec->isec_lock);
462next_inode:
463 if (!list_empty(&sbsec->isec_head)) {
464 struct inode_security_struct *isec =
465 list_entry(sbsec->isec_head.next,
466 struct inode_security_struct, list);
467 struct inode *inode = isec->inode;
923190d3 468 list_del_init(&isec->list);
c9180a57
EP		 469 spin_unlock(&sbsec->isec_lock);
470 inode = igrab(inode);
471 if (inode) {
472 if (!IS_PRIVATE(inode))
473 inode_doinit(inode);
474 iput(inode);
475 }
476 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 477 goto next_inode;
478 }
479 spin_unlock(&sbsec->isec_lock);
480out:
481 return rc;
482}
1da177e4 483
c9180a57
EP		 484/*
485 * This function should allow an FS to ask what it's mount security
486 * options were so it can use those later for submounts, displaying
487 * mount options, or whatever.
488 */
489static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 490 struct security_mnt_opts *opts)
c9180a57
EP		 491{
492 int rc = 0, i;
493 struct superblock_security_struct *sbsec = sb->s_security;
494 char *context = NULL;
495 u32 len;
496 char tmp;
1da177e4 497
e0007529 498 security_init_mnt_opts(opts);
1da177e4 499
0d90a7ec 500 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 501 return -EINVAL;
1da177e4 502
c9180a57
EP		 503 if (!ss_initialized)
504 return -EINVAL;
1da177e4 505
af8e50cc
EP		 506 /* make sure we always check enough bits to cover the mask */
507 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
508
0d90a7ec 509 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 510 /* count the number of mount options for this sb */
af8e50cc 511 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 512 if (tmp & 0x01)
e0007529 513 opts->num_mnt_opts++;
c9180a57
EP		 514 tmp >>= 1;
515 }
11689d47 516 /* Check if the Label support flag is set */
0b4bdb35 517 if (sbsec->flags & SBLABEL_MNT)
11689d47 518 opts->num_mnt_opts++;
1da177e4 519
e0007529
EP		 520 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
521 if (!opts->mnt_opts) {
c9180a57
EP		 522 rc = -ENOMEM;
523 goto out_free;
524 }
1da177e4 525
e0007529
EP		 526 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
527 if (!opts->mnt_opts_flags) {
c9180a57
EP		 528 rc = -ENOMEM;
529 goto out_free;
530 }
1da177e4 531
c9180a57
EP		 532 i = 0;
533 if (sbsec->flags & FSCONTEXT_MNT) {
534 rc = security_sid_to_context(sbsec->sid, &context, &len);
535 if (rc)
536 goto out_free;
e0007529
EP		 537 opts->mnt_opts[i] = context;
538 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 539 }
540 if (sbsec->flags & CONTEXT_MNT) {
541 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
542 if (rc)
543 goto out_free;
e0007529
EP		 544 opts->mnt_opts[i] = context;
545 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 546 }
547 if (sbsec->flags & DEFCONTEXT_MNT) {
548 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
549 if (rc)
550 goto out_free;
e0007529
EP		 551 opts->mnt_opts[i] = context;
552 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 553 }
554 if (sbsec->flags & ROOTCONTEXT_MNT) {
c6f493d6 555 struct inode *root = d_backing_inode(sbsec->sb->s_root);
c9180a57 556 struct inode_security_struct *isec = root->i_security;
0808925e 557
c9180a57
EP		 558 rc = security_sid_to_context(isec->sid, &context, &len);
559 if (rc)
560 goto out_free;
e0007529
EP		 561 opts->mnt_opts[i] = context;
562 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 563 }
12f348b9 564 if (sbsec->flags & SBLABEL_MNT) {
11689d47 565 opts->mnt_opts[i] = NULL;
12f348b9 566 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 567 }
1da177e4 568
e0007529 569 BUG_ON(i != opts->num_mnt_opts);
1da177e4 570
c9180a57
EP		 571 return 0;
572
573out_free:
e0007529 574 security_free_mnt_opts(opts);
c9180a57
EP		 575 return rc;
576}
1da177e4 577
c9180a57
EP		 578static int bad_option(struct superblock_security_struct *sbsec, char flag,
579 u32 old_sid, u32 new_sid)
580{
0d90a7ec
DQ		 581 char mnt_flags = sbsec->flags & SE_MNTMASK;
582
c9180a57 583 /* check if the old mount command had the same options */
0d90a7ec 584 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 585 if (!(sbsec->flags & flag) ||
586 (old_sid != new_sid))
587 return 1;
588
589 /* check if we were passed the same options twice,
590 * aka someone passed context=a,context=b
591 */
0d90a7ec
DQ		 592 if (!(sbsec->flags & SE_SBINITIALIZED))
593 if (mnt_flags & flag)
c9180a57
EP		 594 return 1;
595 return 0;
596}
e0007529 597
c9180a57
EP		 598/*
599 * Allow filesystems with binary mount data to explicitly set mount point
600 * labeling information.
601 */
e0007529 602static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 603 struct security_mnt_opts *opts,
604 unsigned long kern_flags,
605 unsigned long *set_kern_flags)
c9180a57 606{
275bb41e 607 const struct cred *cred = current_cred();
c9180a57 608 int rc = 0, i;
c9180a57 609 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 610 const char *name = sb->s_type->name;
c6f493d6 611 struct inode *inode = d_backing_inode(sbsec->sb->s_root);
089be43e 612 struct inode_security_struct *root_isec = inode->i_security;
c9180a57
EP		 613 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
614 u32 defcontext_sid = 0;
e0007529
EP		 615 char **mount_options = opts->mnt_opts;
616 int *flags = opts->mnt_opts_flags;
617 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 618
619 mutex_lock(&sbsec->lock);
620
621 if (!ss_initialized) {
622 if (!num_opts) {
623 /* Defer initialization until selinux_complete_init,
624 after the initial policy is loaded and the security
625 server is ready to handle calls. */
c9180a57
EP		 626 goto out;
627 }
628 rc = -EINVAL;
744ba35e
EP		 629 printk(KERN_WARNING "SELinux: Unable to set superblock options "
630 "before the security server is initialized\n");
1da177e4 631 goto out;
c9180a57 632 }
649f6e77
DQ		 633 if (kern_flags && !set_kern_flags) {
634 /* Specifying internal flags without providing a place to
635 * place the results is not allowed */
636 rc = -EINVAL;
637 goto out;
638 }
1da177e4 639
e0007529
EP		 640 /*
641 * Binary mount data FS will come through this function twice. Once
642 * from an explicit call and once from the generic calls from the vfs.
643 * Since the generic VFS calls will not contain any security mount data
644 * we need to skip the double mount verification.
645 *
646 * This does open a hole in which we will not notice if the first
647 * mount using this sb set explict options and a second mount using
648 * this sb does not set any security options. (The first options
649 * will be used for both mounts)
650 */
0d90a7ec 651 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 652 && (num_opts == 0))
f5269710 653 goto out;
e0007529 654
c9180a57
EP		 655 /*
656 * parse the mount options, check if they are valid sids.
657 * also check if someone is trying to mount the same sb more
658 * than once with different security options.
659 */
660 for (i = 0; i < num_opts; i++) {
661 u32 sid;
11689d47 662
12f348b9 663 if (flags[i] == SBLABEL_MNT)
11689d47 664 continue;
c9180a57 665 rc = security_context_to_sid(mount_options[i],
52a4c640 666 strlen(mount_options[i]), &sid, GFP_KERNEL);
1da177e4
LT		 667 if (rc) {
668 printk(KERN_WARNING "SELinux: security_context_to_sid"
29b1deb2
LT		 669 "(%s) failed for (dev %s, type %s) errno=%d\n",
670 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 671 goto out;
672 }
673 switch (flags[i]) {
674 case FSCONTEXT_MNT:
675 fscontext_sid = sid;
676
677 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
678 fscontext_sid))
679 goto out_double_mount;
680
681 sbsec->flags |= FSCONTEXT_MNT;
682 break;
683 case CONTEXT_MNT:
684 context_sid = sid;
685
686 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
687 context_sid))
688 goto out_double_mount;
689
690 sbsec->flags |= CONTEXT_MNT;
691 break;
692 case ROOTCONTEXT_MNT:
693 rootcontext_sid = sid;
694
695 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
696 rootcontext_sid))
697 goto out_double_mount;
698
699 sbsec->flags |= ROOTCONTEXT_MNT;
700
701 break;
702 case DEFCONTEXT_MNT:
703 defcontext_sid = sid;
704
705 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
706 defcontext_sid))
707 goto out_double_mount;
708
709 sbsec->flags |= DEFCONTEXT_MNT;
710
711 break;
712 default:
713 rc = -EINVAL;
714 goto out;
1da177e4 715 }
c9180a57
EP		 716 }
717
0d90a7ec 718 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 719 /* previously mounted with options, but not on this attempt? */
0d90a7ec 720 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 721 goto out_double_mount;
722 rc = 0;
723 goto out;
724 }
725
089be43e 726 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 727 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
728
8e014720
SS		 729 if (!strcmp(sb->s_type->name, "debugfs") ||
730 !strcmp(sb->s_type->name, "sysfs") ||
731 !strcmp(sb->s_type->name, "pstore"))
134509d5 732 sbsec->flags |= SE_SBGENFS;
c9180a57 733
eb9ae686
DQ		 734 if (!sbsec->behavior) {
735 /*
736 * Determine the labeling behavior to use for this
737 * filesystem type.
738 */
98f700f3 739 rc = security_fs_use(sb);
eb9ae686
DQ		 740 if (rc) {
741 printk(KERN_WARNING
742 "%s: security_fs_use(%s) returned %d\n",
743 __func__, sb->s_type->name, rc);
744 goto out;
745 }
c9180a57 746 }
c9180a57
EP		 747 /* sets the context of the superblock for the fs being mounted. */
748 if (fscontext_sid) {
275bb41e 749 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 750 if (rc)
c9180a57 751 goto out;
1da177e4 752
c9180a57 753 sbsec->sid = fscontext_sid;
c312feb2
EP		 754 }
755
756 /*
757 * Switch to using mount point labeling behavior.
758 * sets the label used on all file below the mountpoint, and will set
759 * the superblock context if not already set.
760 */
eb9ae686
DQ		 761 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
762 sbsec->behavior = SECURITY_FS_USE_NATIVE;
763 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
764 }
765
c9180a57
EP		 766 if (context_sid) {
767 if (!fscontext_sid) {
275bb41e
DH		 768 rc = may_context_mount_sb_relabel(context_sid, sbsec,
769 cred);
b04ea3ce 770 if (rc)
c9180a57
EP		 771 goto out;
772 sbsec->sid = context_sid;
b04ea3ce 773 } else {
275bb41e
DH		 774 rc = may_context_mount_inode_relabel(context_sid, sbsec,
775 cred);
b04ea3ce 776 if (rc)
c9180a57 777 goto out;
b04ea3ce 778 }
c9180a57
EP		 779 if (!rootcontext_sid)
780 rootcontext_sid = context_sid;
1da177e4 781
c9180a57 782 sbsec->mntpoint_sid = context_sid;
c312feb2 783 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 784 }
785
c9180a57 786 if (rootcontext_sid) {
275bb41e
DH		 787 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
788 cred);
0808925e 789 if (rc)
c9180a57 790 goto out;
0808925e 791
c9180a57
EP		 792 root_isec->sid = rootcontext_sid;
793 root_isec->initialized = 1;
0808925e
EP		 794 }
795
c9180a57 796 if (defcontext_sid) {
eb9ae686
DQ		 797 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
798 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 799 rc = -EINVAL;
800 printk(KERN_WARNING "SELinux: defcontext option is "
801 "invalid for this filesystem type\n");
802 goto out;
1da177e4
LT		 803 }
804
c9180a57
EP		 805 if (defcontext_sid != sbsec->def_sid) {
806 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 807 sbsec, cred);
c9180a57
EP		 808 if (rc)
809 goto out;
810 }
1da177e4 811
c9180a57 812 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 813 }
814
c9180a57 815 rc = sb_finish_set_opts(sb);
1da177e4 816out:
c9180a57 817 mutex_unlock(&sbsec->lock);
1da177e4 818 return rc;
c9180a57
EP		 819out_double_mount:
820 rc = -EINVAL;
821 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 822 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 823 goto out;
1da177e4
LT		 824}
825
094f7b69
JL		 826static int selinux_cmp_sb_context(const struct super_block *oldsb,
827 const struct super_block *newsb)
828{
829 struct superblock_security_struct *old = oldsb->s_security;
830 struct superblock_security_struct *new = newsb->s_security;
831 char oldflags = old->flags & SE_MNTMASK;
832 char newflags = new->flags & SE_MNTMASK;
833
834 if (oldflags != newflags)
835 goto mismatch;
836 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
837 goto mismatch;
838 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
839 goto mismatch;
840 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
841 goto mismatch;
842 if (oldflags & ROOTCONTEXT_MNT) {
c6f493d6
DH		 843 struct inode_security_struct *oldroot = d_backing_inode(oldsb->s_root)->i_security;
844 struct inode_security_struct *newroot = d_backing_inode(newsb->s_root)->i_security;
094f7b69
JL		 845 if (oldroot->sid != newroot->sid)
846 goto mismatch;
847 }
848 return 0;
849mismatch:
850 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
851 "different security settings for (dev %s, "
852 "type %s)\n", newsb->s_id, newsb->s_type->name);
853 return -EBUSY;
854}
855
856static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
c9180a57 857 struct super_block *newsb)
1da177e4 858{
c9180a57
EP		 859 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
860 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 861
c9180a57
EP		 862 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
863 int set_context = (oldsbsec->flags & CONTEXT_MNT);
864 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 865
0f5e6420
EP		 866 /*
867 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 868 * mount options. thus we can safely deal with this superblock later
0f5e6420 869 */
e8c26255 870 if (!ss_initialized)
094f7b69 871 return 0;
c9180a57 872
c9180a57 873 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 874 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 875
094f7b69 876 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 877 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 878 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 879
c9180a57
EP		 880 mutex_lock(&newsbsec->lock);
881
882 newsbsec->flags = oldsbsec->flags;
883
884 newsbsec->sid = oldsbsec->sid;
885 newsbsec->def_sid = oldsbsec->def_sid;
886 newsbsec->behavior = oldsbsec->behavior;
887
888 if (set_context) {
889 u32 sid = oldsbsec->mntpoint_sid;
890
891 if (!set_fscontext)
892 newsbsec->sid = sid;
893 if (!set_rootcontext) {
c6f493d6 894 struct inode *newinode = d_backing_inode(newsb->s_root);
c9180a57
EP		 895 struct inode_security_struct *newisec = newinode->i_security;
896 newisec->sid = sid;
897 }
898 newsbsec->mntpoint_sid = sid;
1da177e4 899 }
c9180a57 900 if (set_rootcontext) {
c6f493d6 901 const struct inode *oldinode = d_backing_inode(oldsb->s_root);
c9180a57 902 const struct inode_security_struct *oldisec = oldinode->i_security;
c6f493d6 903 struct inode *newinode = d_backing_inode(newsb->s_root);
c9180a57 904 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 905
c9180a57 906 newisec->sid = oldisec->sid;
1da177e4
LT		 907 }
908
c9180a57
EP		 909 sb_finish_set_opts(newsb);
910 mutex_unlock(&newsbsec->lock);
094f7b69 911 return 0;
c9180a57
EP		 912}
913
2e1479d9
AB		 914static int selinux_parse_opts_str(char *options,
915 struct security_mnt_opts *opts)
c9180a57 916{
e0007529 917 char *p;
c9180a57
EP		 918 char *context = NULL, *defcontext = NULL;
919 char *fscontext = NULL, *rootcontext = NULL;
e0007529 920 int rc, num_mnt_opts = 0;
1da177e4 921
e0007529 922 opts->num_mnt_opts = 0;
1da177e4 923
c9180a57
EP		 924 /* Standard string-based options. */
925 while ((p = strsep(&options, "|")) != NULL) {
926 int token;
927 substring_t args[MAX_OPT_ARGS];
1da177e4 928
c9180a57
EP		 929 if (!*p)
930 continue;
1da177e4 931
c9180a57 932 token = match_token(p, tokens, args);
1da177e4 933
c9180a57
EP		 934 switch (token) {
935 case Opt_context:
936 if (context || defcontext) {
937 rc = -EINVAL;
938 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
939 goto out_err;
940 }
941 context = match_strdup(&args[0]);
942 if (!context) {
943 rc = -ENOMEM;
944 goto out_err;
945 }
946 break;
947
948 case Opt_fscontext:
949 if (fscontext) {
950 rc = -EINVAL;
951 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
952 goto out_err;
953 }
954 fscontext = match_strdup(&args[0]);
955 if (!fscontext) {
956 rc = -ENOMEM;
957 goto out_err;
958 }
959 break;
960
961 case Opt_rootcontext:
962 if (rootcontext) {
963 rc = -EINVAL;
964 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
965 goto out_err;
966 }
967 rootcontext = match_strdup(&args[0]);
968 if (!rootcontext) {
969 rc = -ENOMEM;
970 goto out_err;
971 }
972 break;
973
974 case Opt_defcontext:
975 if (context || defcontext) {
976 rc = -EINVAL;
977 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
978 goto out_err;
979 }
980 defcontext = match_strdup(&args[0]);
981 if (!defcontext) {
982 rc = -ENOMEM;
983 goto out_err;
984 }
985 break;
11689d47
DQ		 986 case Opt_labelsupport:
987 break;
c9180a57
EP		 988 default:
989 rc = -EINVAL;
990 printk(KERN_WARNING "SELinux: unknown mount option\n");
991 goto out_err;
1da177e4 992
1da177e4 993 }
1da177e4 994 }
c9180a57 995
e0007529
EP		 996 rc = -ENOMEM;
997 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
998 if (!opts->mnt_opts)
999 goto out_err;
1000
1001 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1002 if (!opts->mnt_opts_flags) {
1003 kfree(opts->mnt_opts);
1004 goto out_err;
1005 }
1006
c9180a57 1007 if (fscontext) {
e0007529
EP		 1008 opts->mnt_opts[num_mnt_opts] = fscontext;
1009 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1010 }
1011 if (context) {
e0007529
EP		 1012 opts->mnt_opts[num_mnt_opts] = context;
1013 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1014 }
1015 if (rootcontext) {
e0007529
EP		 1016 opts->mnt_opts[num_mnt_opts] = rootcontext;
1017 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1018 }
1019 if (defcontext) {
e0007529
EP		 1020 opts->mnt_opts[num_mnt_opts] = defcontext;
1021 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1022 }
1023
e0007529
EP		 1024 opts->num_mnt_opts = num_mnt_opts;
1025 return 0;
1026
c9180a57
EP		 1027out_err:
1028 kfree(context);
1029 kfree(defcontext);
1030 kfree(fscontext);
1031 kfree(rootcontext);
1da177e4
LT		 1032 return rc;
1033}
e0007529
EP		 1034/*
1035 * string mount options parsing and call set the sbsec
1036 */
1037static int superblock_doinit(struct super_block *sb, void *data)
1038{
1039 int rc = 0;
1040 char *options = data;
1041 struct security_mnt_opts opts;
1042
1043 security_init_mnt_opts(&opts);
1044
1045 if (!data)
1046 goto out;
1047
1048 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1049
1050 rc = selinux_parse_opts_str(options, &opts);
1051 if (rc)
1052 goto out_err;
1053
1054out:
649f6e77 1055 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1056
1057out_err:
1058 security_free_mnt_opts(&opts);
1059 return rc;
1060}
1da177e4 1061
3583a711
AB		 1062static void selinux_write_opts(struct seq_file *m,
1063 struct security_mnt_opts *opts)
2069f457
EP		 1064{
1065 int i;
1066 char *prefix;
1067
1068 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1069 char *has_comma;
1070
1071 if (opts->mnt_opts[i])
1072 has_comma = strchr(opts->mnt_opts[i], ',');
1073 else
1074 has_comma = NULL;
2069f457
EP		 1075
1076 switch (opts->mnt_opts_flags[i]) {
1077 case CONTEXT_MNT:
1078 prefix = CONTEXT_STR;
1079 break;
1080 case FSCONTEXT_MNT:
1081 prefix = FSCONTEXT_STR;
1082 break;
1083 case ROOTCONTEXT_MNT:
1084 prefix = ROOTCONTEXT_STR;
1085 break;
1086 case DEFCONTEXT_MNT:
1087 prefix = DEFCONTEXT_STR;
1088 break;
12f348b9 1089 case SBLABEL_MNT:
11689d47
DQ		 1090 seq_putc(m, ',');
1091 seq_puts(m, LABELSUPP_STR);
1092 continue;
2069f457
EP		 1093 default:
1094 BUG();
a35c6c83 1095 return;
2069f457
EP		 1096 };
1097 /* we need a comma before each option */
1098 seq_putc(m, ',');
1099 seq_puts(m, prefix);
1100 if (has_comma)
1101 seq_putc(m, '\"');
1102 seq_puts(m, opts->mnt_opts[i]);
1103 if (has_comma)
1104 seq_putc(m, '\"');
1105 }
1106}
1107
1108static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1109{
1110 struct security_mnt_opts opts;
1111 int rc;
1112
1113 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1114 if (rc) {
1115 /* before policy load we may get EINVAL, don't show anything */
1116 if (rc == -EINVAL)
1117 rc = 0;
2069f457 1118 return rc;
383795c2 1119 }
2069f457
EP		 1120
1121 selinux_write_opts(m, &opts);
1122
1123 security_free_mnt_opts(&opts);
1124
1125 return rc;
1126}
1127
1da177e4
LT		 1128static inline u16 inode_mode_to_security_class(umode_t mode)
1129{
1130 switch (mode & S_IFMT) {
1131 case S_IFSOCK:
1132 return SECCLASS_SOCK_FILE;
1133 case S_IFLNK:
1134 return SECCLASS_LNK_FILE;
1135 case S_IFREG:
1136 return SECCLASS_FILE;
1137 case S_IFBLK:
1138 return SECCLASS_BLK_FILE;
1139 case S_IFDIR:
1140 return SECCLASS_DIR;
1141 case S_IFCHR:
1142 return SECCLASS_CHR_FILE;
1143 case S_IFIFO:
1144 return SECCLASS_FIFO_FILE;
1145
1146 }
1147
1148 return SECCLASS_FILE;
1149}
1150
13402580
JM		 1151static inline int default_protocol_stream(int protocol)
1152{
1153 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1154}
1155
1156static inline int default_protocol_dgram(int protocol)
1157{
1158 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1159}
1160
1da177e4
LT		 1161static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1162{
1163 switch (family) {
1164 case PF_UNIX:
1165 switch (type) {
1166 case SOCK_STREAM:
1167 case SOCK_SEQPACKET:
1168 return SECCLASS_UNIX_STREAM_SOCKET;
1169 case SOCK_DGRAM:
1170 return SECCLASS_UNIX_DGRAM_SOCKET;
1171 }
1172 break;
1173 case PF_INET:
1174 case PF_INET6:
1175 switch (type) {
1176 case SOCK_STREAM:
13402580
JM		 1177 if (default_protocol_stream(protocol))
1178 return SECCLASS_TCP_SOCKET;
1179 else
1180 return SECCLASS_RAWIP_SOCKET;
1da177e4 1181 case SOCK_DGRAM:
13402580
JM		 1182 if (default_protocol_dgram(protocol))
1183 return SECCLASS_UDP_SOCKET;
1184 else
1185 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1186 case SOCK_DCCP:
1187 return SECCLASS_DCCP_SOCKET;
13402580 1188 default:
1da177e4
LT		 1189 return SECCLASS_RAWIP_SOCKET;
1190 }
1191 break;
1192 case PF_NETLINK:
1193 switch (protocol) {
1194 case NETLINK_ROUTE:
1195 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1196 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1197 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1198 case NETLINK_NFLOG:
1199 return SECCLASS_NETLINK_NFLOG_SOCKET;
1200 case NETLINK_XFRM:
1201 return SECCLASS_NETLINK_XFRM_SOCKET;
1202 case NETLINK_SELINUX:
1203 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1204 case NETLINK_ISCSI:
1205 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1206 case NETLINK_AUDIT:
1207 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1208 case NETLINK_FIB_LOOKUP:
1209 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1210 case NETLINK_CONNECTOR:
1211 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1212 case NETLINK_NETFILTER:
1213 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1214 case NETLINK_DNRTMSG:
1215 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1216 case NETLINK_KOBJECT_UEVENT:
1217 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1218 case NETLINK_GENERIC:
1219 return SECCLASS_NETLINK_GENERIC_SOCKET;
1220 case NETLINK_SCSITRANSPORT:
1221 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1222 case NETLINK_RDMA:
1223 return SECCLASS_NETLINK_RDMA_SOCKET;
1224 case NETLINK_CRYPTO:
1225 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1226 default:
1227 return SECCLASS_NETLINK_SOCKET;
1228 }
1229 case PF_PACKET:
1230 return SECCLASS_PACKET_SOCKET;
1231 case PF_KEY:
1232 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1233 case PF_APPLETALK:
1234 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1235 }
1236
1237 return SECCLASS_SOCKET;
1238}
1239
134509d5
SS		 1240static int selinux_genfs_get_sid(struct dentry *dentry,
1241 u16 tclass,
1242 u16 flags,
1243 u32 *sid)
1da177e4 1244{
8e6c9693 1245 int rc;
134509d5 1246 struct super_block *sb = dentry->d_inode->i_sb;
8e6c9693 1247 char *buffer, *path;
1da177e4 1248
828dfe1d 1249 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1250 if (!buffer)
1251 return -ENOMEM;
1252
8e6c9693
LAG		 1253 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1254 if (IS_ERR(path))
1255 rc = PTR_ERR(path);
1256 else {
134509d5
SS		 1257 if (flags & SE_SBPROC) {
1258 /* each process gets a /proc/PID/ entry. Strip off the
1259 * PID part to get a valid selinux labeling.
1260 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1261 while (path[1] >= '0' && path[1] <= '9') {
1262 path[1] = '/';
1263 path++;
1264 }
8e6c9693 1265 }
134509d5 1266 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1da177e4 1267 }
1da177e4
LT		 1268 free_page((unsigned long)buffer);
1269 return rc;
1270}
1da177e4
LT		 1271
1272/* The inode's security attributes must be initialized before first use. */
1273static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1274{
1275 struct superblock_security_struct *sbsec = NULL;
1276 struct inode_security_struct *isec = inode->i_security;
1277 u32 sid;
1278 struct dentry *dentry;
1279#define INITCONTEXTLEN 255
1280 char *context = NULL;
1281 unsigned len = 0;
1282 int rc = 0;
1da177e4
LT		 1283
1284 if (isec->initialized)
1285 goto out;
1286
23970741 1287 mutex_lock(&isec->lock);
1da177e4 1288 if (isec->initialized)
23970741 1289 goto out_unlock;
1da177e4
LT		 1290
1291 sbsec = inode->i_sb->s_security;
0d90a7ec 1292 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1293 /* Defer initialization until selinux_complete_init,
1294 after the initial policy is loaded and the security
1295 server is ready to handle calls. */
1296 spin_lock(&sbsec->isec_lock);
1297 if (list_empty(&isec->list))
1298 list_add(&isec->list, &sbsec->isec_head);
1299 spin_unlock(&sbsec->isec_lock);
23970741 1300 goto out_unlock;
1da177e4
LT		 1301 }
1302
1303 switch (sbsec->behavior) {
eb9ae686
DQ		 1304 case SECURITY_FS_USE_NATIVE:
1305 break;
1da177e4
LT		 1306 case SECURITY_FS_USE_XATTR:
1307 if (!inode->i_op->getxattr) {
1308 isec->sid = sbsec->def_sid;
1309 break;
1310 }
1311
1312 /* Need a dentry, since the xattr API requires one.
1313 Life would be simpler if we could just pass the inode. */
1314 if (opt_dentry) {
1315 /* Called from d_instantiate or d_splice_alias. */
1316 dentry = dget(opt_dentry);
1317 } else {
1318 /* Called from selinux_complete_init, try to find a dentry. */
1319 dentry = d_find_alias(inode);
1320 }
1321 if (!dentry) {
df7f54c0
EP		 1322 /*
1323 * this is can be hit on boot when a file is accessed
1324 * before the policy is loaded. When we load policy we
1325 * may find inodes that have no dentry on the
1326 * sbsec->isec_head list. No reason to complain as these
1327 * will get fixed up the next time we go through
1328 * inode_doinit with a dentry, before these inodes could
1329 * be used again by userspace.
1330 */
23970741 1331 goto out_unlock;
1da177e4
LT		 1332 }
1333
1334 len = INITCONTEXTLEN;
4cb912f1 1335 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1336 if (!context) {
1337 rc = -ENOMEM;
1338 dput(dentry);
23970741 1339 goto out_unlock;
1da177e4 1340 }
4cb912f1 1341 context[len] = '\0';
1da177e4
LT		 1342 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1343 context, len);
1344 if (rc == -ERANGE) {
314dabb8
JM		 1345 kfree(context);
1346
1da177e4
LT		 1347 /* Need a larger buffer. Query for the right size. */
1348 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1349 NULL, 0);
1350 if (rc < 0) {
1351 dput(dentry);
23970741 1352 goto out_unlock;
1da177e4 1353 }
1da177e4 1354 len = rc;
4cb912f1 1355 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1356 if (!context) {
1357 rc = -ENOMEM;
1358 dput(dentry);
23970741 1359 goto out_unlock;
1da177e4 1360 }
4cb912f1 1361 context[len] = '\0';
1da177e4
LT		 1362 rc = inode->i_op->getxattr(dentry,
1363 XATTR_NAME_SELINUX,
1364 context, len);
1365 }
1366 dput(dentry);
1367 if (rc < 0) {
1368 if (rc != -ENODATA) {
744ba35e 1369 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1370 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1371 -rc, inode->i_sb->s_id, inode->i_ino);
1372 kfree(context);
23970741 1373 goto out_unlock;
1da177e4
LT		 1374 }
1375 /* Map ENODATA to the default file SID */
1376 sid = sbsec->def_sid;
1377 rc = 0;
1378 } else {
f5c1d5b2 1379 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1380 sbsec->def_sid,
1381 GFP_NOFS);
1da177e4 1382 if (rc) {
4ba0a8ad
EP		 1383 char *dev = inode->i_sb->s_id;
1384 unsigned long ino = inode->i_ino;
1385
1386 if (rc == -EINVAL) {
1387 if (printk_ratelimit())
1388 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1389 "context=%s. This indicates you may need to relabel the inode or the "
1390 "filesystem in question.\n", ino, dev, context);
1391 } else {
1392 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1393 "returned %d for dev=%s ino=%ld\n",
1394 __func__, context, -rc, dev, ino);
1395 }
1da177e4
LT		 1396 kfree(context);
1397 /* Leave with the unlabeled SID */
1398 rc = 0;
1399 break;
1400 }
1401 }
1402 kfree(context);
1403 isec->sid = sid;
1404 break;
1405 case SECURITY_FS_USE_TASK:
1406 isec->sid = isec->task_sid;
1407 break;
1408 case SECURITY_FS_USE_TRANS:
1409 /* Default to the fs SID. */
1410 isec->sid = sbsec->sid;
1411
1412 /* Try to obtain a transition SID. */
1413 isec->sclass = inode_mode_to_security_class(inode->i_mode);
652bb9b0
EP		 1414 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1415 isec->sclass, NULL, &sid);
1da177e4 1416 if (rc)
23970741 1417 goto out_unlock;
1da177e4
LT		 1418 isec->sid = sid;
1419 break;
c312feb2
EP		 1420 case SECURITY_FS_USE_MNTPOINT:
1421 isec->sid = sbsec->mntpoint_sid;
1422 break;
1da177e4 1423 default:
c312feb2 1424 /* Default to the fs superblock SID. */
1da177e4
LT		 1425 isec->sid = sbsec->sid;
1426
134509d5 1427 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1428 /* We must have a dentry to determine the label on
1429 * procfs inodes */
1430 if (opt_dentry)
1431 /* Called from d_instantiate or
1432 * d_splice_alias. */
1433 dentry = dget(opt_dentry);
1434 else
1435 /* Called from selinux_complete_init, try to
1436 * find a dentry. */
1437 dentry = d_find_alias(inode);
1438 /*
1439 * This can be hit on boot when a file is accessed
1440 * before the policy is loaded. When we load policy we
1441 * may find inodes that have no dentry on the
1442 * sbsec->isec_head list. No reason to complain as
1443 * these will get fixed up the next time we go through
1444 * inode_doinit() with a dentry, before these inodes
1445 * could be used again by userspace.
1446 */
1447 if (!dentry)
1448 goto out_unlock;
1449 isec->sclass = inode_mode_to_security_class(inode->i_mode);
134509d5
SS		 1450 rc = selinux_genfs_get_sid(dentry, isec->sclass,
1451 sbsec->flags, &sid);
f64410ec
PM		 1452 dput(dentry);
1453 if (rc)
1454 goto out_unlock;
1455 isec->sid = sid;
1da177e4
LT		 1456 }
1457 break;
1458 }
1459
1460 isec->initialized = 1;
1461
23970741
EP		 1462out_unlock:
1463 mutex_unlock(&isec->lock);
1da177e4
LT		 1464out:
1465 if (isec->sclass == SECCLASS_FILE)
1466 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1467 return rc;
1468}
1469
1470/* Convert a Linux signal to an access vector. */
1471static inline u32 signal_to_av(int sig)
1472{
1473 u32 perm = 0;
1474
1475 switch (sig) {
1476 case SIGCHLD:
1477 /* Commonly granted from child to parent. */
1478 perm = PROCESS__SIGCHLD;
1479 break;
1480 case SIGKILL:
1481 /* Cannot be caught or ignored */
1482 perm = PROCESS__SIGKILL;
1483 break;
1484 case SIGSTOP:
1485 /* Cannot be caught or ignored */
1486 perm = PROCESS__SIGSTOP;
1487 break;
1488 default:
1489 /* All other signals. */
1490 perm = PROCESS__SIGNAL;
1491 break;
1492 }
1493
1494 return perm;
1495}
1496
d84f4f99
DH		 1497/*
1498 * Check permission between a pair of credentials
1499 * fork check, ptrace check, etc.
1500 */
1501static int cred_has_perm(const struct cred *actor,
1502 const struct cred *target,
1503 u32 perms)
1504{
1505 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1506
1507 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1508}
1509
275bb41e 1510/*
88e67f3b 1511 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1512 * fork check, ptrace check, etc.
1513 * tsk1 is the actor and tsk2 is the target
3b11a1de 1514 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1515 */
1516static int task_has_perm(const struct task_struct *tsk1,
1517 const struct task_struct *tsk2,
1da177e4
LT		 1518 u32 perms)
1519{
275bb41e
DH		 1520 const struct task_security_struct *__tsec1, *__tsec2;
1521 u32 sid1, sid2;
1da177e4 1522
275bb41e
DH		 1523 rcu_read_lock();
1524 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1525 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1526 rcu_read_unlock();
1527 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1528}
1529
3b11a1de
DH		 1530/*
1531 * Check permission between current and another task, e.g. signal checks,
1532 * fork check, ptrace check, etc.
1533 * current is the actor and tsk2 is the target
1534 * - this uses current's subjective creds
1535 */
1536static int current_has_perm(const struct task_struct *tsk,
1537 u32 perms)
1538{
1539 u32 sid, tsid;
1540
1541 sid = current_sid();
1542 tsid = task_sid(tsk);
1543 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1544}
1545
b68e418c
SS		 1546#if CAP_LAST_CAP > 63
1547#error Fix SELinux to handle capabilities > 63.
1548#endif
1549
1da177e4 1550/* Check whether a task is allowed to use a capability. */
6a9de491 1551static int cred_has_capability(const struct cred *cred,
06112163 1552 int cap, int audit)
1da177e4 1553{
2bf49690 1554 struct common_audit_data ad;
06112163 1555 struct av_decision avd;
b68e418c 1556 u16 sclass;
3699c53c 1557 u32 sid = cred_sid(cred);
b68e418c 1558 u32 av = CAP_TO_MASK(cap);
06112163 1559 int rc;
1da177e4 1560
50c205f5 1561 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1562 ad.u.cap = cap;
1563
b68e418c
SS		 1564 switch (CAP_TO_INDEX(cap)) {
1565 case 0:
1566 sclass = SECCLASS_CAPABILITY;
1567 break;
1568 case 1:
1569 sclass = SECCLASS_CAPABILITY2;
1570 break;
1571 default:
1572 printk(KERN_ERR
1573 "SELinux: out of range capability %d\n", cap);
1574 BUG();
a35c6c83 1575 return -EINVAL;
b68e418c 1576 }
06112163 1577
275bb41e 1578 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1579 if (audit == SECURITY_CAP_AUDIT) {
ab354062 1580 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
9ade0cf4
EP		 1581 if (rc2)
1582 return rc2;
1583 }
06112163 1584 return rc;
1da177e4
LT		 1585}
1586
1587/* Check whether a task is allowed to use a system operation. */
1588static int task_has_system(struct task_struct *tsk,
1589 u32 perms)
1590{
275bb41e 1591 u32 sid = task_sid(tsk);
1da177e4 1592
275bb41e 1593 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1594 SECCLASS_SYSTEM, perms, NULL);
1595}
1596
1597/* Check whether a task has a particular permission to an inode.
1598 The 'adp' parameter is optional and allows other audit
1599 data to be passed (e.g. the dentry). */
88e67f3b 1600static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1601 struct inode *inode,
1602 u32 perms,
19e49834 1603 struct common_audit_data *adp)
1da177e4 1604{
1da177e4 1605 struct inode_security_struct *isec;
275bb41e 1606 u32 sid;
1da177e4 1607
e0e81739
DH		 1608 validate_creds(cred);
1609
828dfe1d 1610 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1611 return 0;
1612
88e67f3b 1613 sid = cred_sid(cred);
1da177e4
LT		 1614 isec = inode->i_security;
1615
19e49834 1616 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1617}
1618
1619/* Same as inode_has_perm, but pass explicit audit data containing
1620 the dentry to help the auditing code to more easily generate the
1621 pathname if needed. */
88e67f3b 1622static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1623 struct dentry *dentry,
1624 u32 av)
1625{
c6f493d6 1626 struct inode *inode = d_backing_inode(dentry);
2bf49690 1627 struct common_audit_data ad;
88e67f3b 1628
50c205f5 1629 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1630 ad.u.dentry = dentry;
19e49834 1631 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1632}
1633
1634/* Same as inode_has_perm, but pass explicit audit data containing
1635 the path to help the auditing code to more easily generate the
1636 pathname if needed. */
1637static inline int path_has_perm(const struct cred *cred,
3f7036a0 1638 const struct path *path,
2875fa00
EP		 1639 u32 av)
1640{
c6f493d6 1641 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1642 struct common_audit_data ad;
1643
50c205f5 1644 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1645 ad.u.path = *path;
19e49834 1646 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1647}
1648
13f8e981
DH		 1649/* Same as path_has_perm, but uses the inode from the file struct. */
1650static inline int file_path_has_perm(const struct cred *cred,
1651 struct file *file,
1652 u32 av)
1653{
1654 struct common_audit_data ad;
1655
1656 ad.type = LSM_AUDIT_DATA_PATH;
1657 ad.u.path = file->f_path;
19e49834 1658 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1659}
1660
1da177e4
LT		 1661/* Check whether a task can use an open file descriptor to
1662 access an inode in a given way. Check access to the
1663 descriptor itself, and then use dentry_has_perm to
1664 check a particular permission to the file.
1665 Access to the descriptor is implicitly granted if it
1666 has the same SID as the process. If av is zero, then
1667 access to the file is not checked, e.g. for cases
1668 where only the descriptor is affected like seek. */
88e67f3b
DH		 1669static int file_has_perm(const struct cred *cred,
1670 struct file *file,
1671 u32 av)
1da177e4 1672{
1da177e4 1673 struct file_security_struct *fsec = file->f_security;
496ad9aa 1674 struct inode *inode = file_inode(file);
2bf49690 1675 struct common_audit_data ad;
88e67f3b 1676 u32 sid = cred_sid(cred);
1da177e4
LT		 1677 int rc;
1678
50c205f5 1679 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 1680 ad.u.path = file->f_path;
1da177e4 1681
275bb41e
DH		 1682 if (sid != fsec->sid) {
1683 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1684 SECCLASS_FD,
1685 FD__USE,
1686 &ad);
1687 if (rc)
88e67f3b 1688 goto out;
1da177e4
LT		 1689 }
1690
1691 /* av is zero if only checking access to the descriptor. */
88e67f3b 1692 rc = 0;
1da177e4 1693 if (av)
19e49834 1694 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1695
88e67f3b
DH		 1696out:
1697 return rc;
1da177e4
LT		 1698}
1699
1700/* Check whether a task can create a file. */
1701static int may_create(struct inode *dir,
1702 struct dentry *dentry,
1703 u16 tclass)
1704{
5fb49870 1705 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1706 struct inode_security_struct *dsec;
1707 struct superblock_security_struct *sbsec;
275bb41e 1708 u32 sid, newsid;
2bf49690 1709 struct common_audit_data ad;
1da177e4
LT		 1710 int rc;
1711
1da177e4
LT		 1712 dsec = dir->i_security;
1713 sbsec = dir->i_sb->s_security;
1714
275bb41e
DH		 1715 sid = tsec->sid;
1716 newsid = tsec->create_sid;
1717
50c205f5 1718 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1719 ad.u.dentry = dentry;
1da177e4 1720
275bb41e 1721 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1722 DIR__ADD_NAME | DIR__SEARCH,
1723 &ad);
1724 if (rc)
1725 return rc;
1726
12f348b9 1727 if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
cb1e922f
EP		 1728 rc = security_transition_sid(sid, dsec->sid, tclass,
1729 &dentry->d_name, &newsid);
1da177e4
LT		 1730 if (rc)
1731 return rc;
1732 }
1733
275bb41e 1734 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1735 if (rc)
1736 return rc;
1737
1738 return avc_has_perm(newsid, sbsec->sid,
1739 SECCLASS_FILESYSTEM,
1740 FILESYSTEM__ASSOCIATE, &ad);
1741}
1742
4eb582cf
ML		 1743/* Check whether a task can create a key. */
1744static int may_create_key(u32 ksid,
1745 struct task_struct *ctx)
1746{
275bb41e 1747 u32 sid = task_sid(ctx);
4eb582cf 1748
275bb41e 1749 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1750}
1751
828dfe1d
EP		 1752#define MAY_LINK 0
1753#define MAY_UNLINK 1
1754#define MAY_RMDIR 2
1da177e4
LT		 1755
1756/* Check whether a task can link, unlink, or rmdir a file/directory. */
1757static int may_link(struct inode *dir,
1758 struct dentry *dentry,
1759 int kind)
1760
1761{
1da177e4 1762 struct inode_security_struct *dsec, *isec;
2bf49690 1763 struct common_audit_data ad;
275bb41e 1764 u32 sid = current_sid();
1da177e4
LT		 1765 u32 av;
1766 int rc;
1767
1da177e4 1768 dsec = dir->i_security;
c6f493d6 1769 isec = d_backing_inode(dentry)->i_security;
1da177e4 1770
50c205f5 1771 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1772 ad.u.dentry = dentry;
1da177e4
LT		 1773
1774 av = DIR__SEARCH;
1775 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1776 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1777 if (rc)
1778 return rc;
1779
1780 switch (kind) {
1781 case MAY_LINK:
1782 av = FILE__LINK;
1783 break;
1784 case MAY_UNLINK:
1785 av = FILE__UNLINK;
1786 break;
1787 case MAY_RMDIR:
1788 av = DIR__RMDIR;
1789 break;
1790 default:
744ba35e
EP		 1791 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1792 __func__, kind);
1da177e4
LT		 1793 return 0;
1794 }
1795
275bb41e 1796 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1797 return rc;
1798}
1799
1800static inline int may_rename(struct inode *old_dir,
1801 struct dentry *old_dentry,
1802 struct inode *new_dir,
1803 struct dentry *new_dentry)
1804{
1da177e4 1805 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1806 struct common_audit_data ad;
275bb41e 1807 u32 sid = current_sid();
1da177e4
LT		 1808 u32 av;
1809 int old_is_dir, new_is_dir;
1810 int rc;
1811
1da177e4 1812 old_dsec = old_dir->i_security;
c6f493d6 1813 old_isec = d_backing_inode(old_dentry)->i_security;
e36cb0b8 1814 old_is_dir = d_is_dir(old_dentry);
1da177e4
LT		 1815 new_dsec = new_dir->i_security;
1816
50c205f5 1817 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1818
a269434d 1819 ad.u.dentry = old_dentry;
275bb41e 1820 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1821 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1822 if (rc)
1823 return rc;
275bb41e 1824 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1825 old_isec->sclass, FILE__RENAME, &ad);
1826 if (rc)
1827 return rc;
1828 if (old_is_dir && new_dir != old_dir) {
275bb41e 1829 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1830 old_isec->sclass, DIR__REPARENT, &ad);
1831 if (rc)
1832 return rc;
1833 }
1834
a269434d 1835 ad.u.dentry = new_dentry;
1da177e4 1836 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1837 if (d_is_positive(new_dentry))
1da177e4 1838 av |= DIR__REMOVE_NAME;
275bb41e 1839 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1840 if (rc)
1841 return rc;
2c616d4d 1842 if (d_is_positive(new_dentry)) {
c6f493d6 1843 new_isec = d_backing_inode(new_dentry)->i_security;
e36cb0b8 1844 new_is_dir = d_is_dir(new_dentry);
275bb41e 1845 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1846 new_isec->sclass,
1847 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1848 if (rc)
1849 return rc;
1850 }
1851
1852 return 0;
1853}
1854
1855/* Check whether a task can perform a filesystem operation. */
88e67f3b 1856static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1857 struct super_block *sb,
1858 u32 perms,
2bf49690 1859 struct common_audit_data *ad)
1da177e4 1860{
1da177e4 1861 struct superblock_security_struct *sbsec;
88e67f3b 1862 u32 sid = cred_sid(cred);
1da177e4 1863
1da177e4 1864 sbsec = sb->s_security;
275bb41e 1865 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1866}
1867
1868/* Convert a Linux mode and permission mask to an access vector. */
1869static inline u32 file_mask_to_av(int mode, int mask)
1870{
1871 u32 av = 0;
1872
dba19c60 1873 if (!S_ISDIR(mode)) {
1da177e4
LT		 1874 if (mask & MAY_EXEC)
1875 av |= FILE__EXECUTE;
1876 if (mask & MAY_READ)
1877 av |= FILE__READ;
1878
1879 if (mask & MAY_APPEND)
1880 av |= FILE__APPEND;
1881 else if (mask & MAY_WRITE)
1882 av |= FILE__WRITE;
1883
1884 } else {
1885 if (mask & MAY_EXEC)
1886 av |= DIR__SEARCH;
1887 if (mask & MAY_WRITE)
1888 av |= DIR__WRITE;
1889 if (mask & MAY_READ)
1890 av |= DIR__READ;
1891 }
1892
1893 return av;
1894}
1895
8b6a5a37
EP		 1896/* Convert a Linux file to an access vector. */
1897static inline u32 file_to_av(struct file *file)
1898{
1899 u32 av = 0;
1900
1901 if (file->f_mode & FMODE_READ)
1902 av |= FILE__READ;
1903 if (file->f_mode & FMODE_WRITE) {
1904 if (file->f_flags & O_APPEND)
1905 av |= FILE__APPEND;
1906 else
1907 av |= FILE__WRITE;
1908 }
1909 if (!av) {
1910 /*
1911 * Special file opened with flags 3 for ioctl-only use.
1912 */
1913 av = FILE__IOCTL;
1914 }
1915
1916 return av;
1917}
1918
b0c636b9 1919/*
8b6a5a37 1920 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 1921 * open permission.
1922 */
8b6a5a37 1923static inline u32 open_file_to_av(struct file *file)
b0c636b9 1924{
8b6a5a37 1925 u32 av = file_to_av(file);
b0c636b9 1926
49b7b8de
EP		 1927 if (selinux_policycap_openperm)
1928 av |= FILE__OPEN;
1929
b0c636b9
EP		 1930 return av;
1931}
1932
1da177e4
LT		 1933/* Hook functions begin here. */
1934
79af7307
SS		 1935static int selinux_binder_set_context_mgr(struct task_struct *mgr)
1936{
1937 u32 mysid = current_sid();
1938 u32 mgrsid = task_sid(mgr);
1939
1940 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
1941 BINDER__SET_CONTEXT_MGR, NULL);
1942}
1943
1944static int selinux_binder_transaction(struct task_struct *from,
1945 struct task_struct *to)
1946{
1947 u32 mysid = current_sid();
1948 u32 fromsid = task_sid(from);
1949 u32 tosid = task_sid(to);
1950 int rc;
1951
1952 if (mysid != fromsid) {
1953 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
1954 BINDER__IMPERSONATE, NULL);
1955 if (rc)
1956 return rc;
1957 }
1958
1959 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
1960 NULL);
1961}
1962
1963static int selinux_binder_transfer_binder(struct task_struct *from,
1964 struct task_struct *to)
1965{
1966 u32 fromsid = task_sid(from);
1967 u32 tosid = task_sid(to);
1968
1969 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
1970 NULL);
1971}
1972
1973static int selinux_binder_transfer_file(struct task_struct *from,
1974 struct task_struct *to,
1975 struct file *file)
1976{
1977 u32 sid = task_sid(to);
1978 struct file_security_struct *fsec = file->f_security;
c6f493d6 1979 struct inode *inode = d_backing_inode(file->f_path.dentry);
79af7307
SS		 1980 struct inode_security_struct *isec = inode->i_security;
1981 struct common_audit_data ad;
1982 int rc;
1983
1984 ad.type = LSM_AUDIT_DATA_PATH;
1985 ad.u.path = file->f_path;
1986
1987 if (sid != fsec->sid) {
1988 rc = avc_has_perm(sid, fsec->sid,
1989 SECCLASS_FD,
1990 FD__USE,
1991 &ad);
1992 if (rc)
1993 return rc;
1994 }
1995
1996 if (unlikely(IS_PRIVATE(inode)))
1997 return 0;
1998
1999 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2000 &ad);
2001}
2002
9e48858f 2003static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2004 unsigned int mode)
1da177e4 2005{
69f594a3 2006 if (mode & PTRACE_MODE_READ) {
275bb41e
DH		 2007 u32 sid = current_sid();
2008 u32 csid = task_sid(child);
2009 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 2010 }
2011
3b11a1de 2012 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 2013}
2014
2015static int selinux_ptrace_traceme(struct task_struct *parent)
2016{
5cd9c58f 2017 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 2018}
2019
2020static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2021 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2022{
b1d9e6b0 2023 return current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 2024}
2025
d84f4f99
DH		 2026static int selinux_capset(struct cred *new, const struct cred *old,
2027 const kernel_cap_t *effective,
2028 const kernel_cap_t *inheritable,
2029 const kernel_cap_t *permitted)
1da177e4 2030{
d84f4f99 2031 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 2032}
2033
5626d3e8
JM		 2034/*
2035 * (This comment used to live with the selinux_task_setuid hook,
2036 * which was removed).
2037 *
2038 * Since setuid only affects the current process, and since the SELinux
2039 * controls are not based on the Linux identity attributes, SELinux does not
2040 * need to control this operation. However, SELinux does control the use of
2041 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2042 */
2043
6a9de491
EP		 2044static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2045 int cap, int audit)
1da177e4 2046{
6a9de491 2047 return cred_has_capability(cred, cap, audit);
1da177e4
LT		 2048}
2049
1da177e4
LT		 2050static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2051{
88e67f3b 2052 const struct cred *cred = current_cred();
1da177e4
LT		 2053 int rc = 0;
2054
2055 if (!sb)
2056 return 0;
2057
2058 switch (cmds) {
828dfe1d
EP		 2059 case Q_SYNC:
2060 case Q_QUOTAON:
2061 case Q_QUOTAOFF:
2062 case Q_SETINFO:
2063 case Q_SETQUOTA:
88e67f3b 2064 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2065 break;
2066 case Q_GETFMT:
2067 case Q_GETINFO:
2068 case Q_GETQUOTA:
88e67f3b 2069 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2070 break;
2071 default:
2072 rc = 0; /* let the kernel handle invalid cmds */
2073 break;
1da177e4
LT		 2074 }
2075 return rc;
2076}
2077
2078static int selinux_quota_on(struct dentry *dentry)
2079{
88e67f3b
DH		 2080 const struct cred *cred = current_cred();
2081
2875fa00 2082 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2083}
2084
12b3052c 2085static int selinux_syslog(int type)
1da177e4
LT		 2086{
2087 int rc;
2088
1da177e4 2089 switch (type) {
d78ca3cd
KC		 2090 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2091 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
828dfe1d
EP		 2092 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2093 break;
d78ca3cd
KC		 2094 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2095 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2096 /* Set level of messages printed to console */
2097 case SYSLOG_ACTION_CONSOLE_LEVEL:
828dfe1d
EP		 2098 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2099 break;
d78ca3cd
KC		 2100 case SYSLOG_ACTION_CLOSE: /* Close log */
2101 case SYSLOG_ACTION_OPEN: /* Open log */
2102 case SYSLOG_ACTION_READ: /* Read from log */
2103 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2104 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
828dfe1d
EP		 2105 default:
2106 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2107 break;
1da177e4
LT		 2108 }
2109 return rc;
2110}
2111
2112/*
2113 * Check that a process has enough memory to allocate a new virtual
2114 * mapping. 0 means there is enough memory for the allocation to
2115 * succeed and -ENOMEM implies there is not.
2116 *
1da177e4
LT		 2117 * Do not audit the selinux permission check, as this is applied to all
2118 * processes that allocate mappings.
2119 */
34b4e4aa 2120static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2121{
2122 int rc, cap_sys_admin = 0;
1da177e4 2123
b1d9e6b0
CS		 2124 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2125 SECURITY_CAP_NOAUDIT);
1da177e4
LT		 2126 if (rc == 0)
2127 cap_sys_admin = 1;
2128
b1d9e6b0 2129 return cap_sys_admin;
1da177e4
LT		 2130}
2131
2132/* binprm security operations */
2133
7b0d0b40
SS		 2134static int check_nnp_nosuid(const struct linux_binprm *bprm,
2135 const struct task_security_struct *old_tsec,
2136 const struct task_security_struct *new_tsec)
2137{
2138 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2139 int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2140 int rc;
2141
2142 if (!nnp && !nosuid)
2143 return 0; /* neither NNP nor nosuid */
2144
2145 if (new_tsec->sid == old_tsec->sid)
2146 return 0; /* No change in credentials */
2147
2148 /*
2149 * The only transitions we permit under NNP or nosuid
2150 * are transitions to bounded SIDs, i.e. SIDs that are
2151 * guaranteed to only be allowed a subset of the permissions
2152 * of the current SID.
2153 */
2154 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2155 if (rc) {
2156 /*
2157 * On failure, preserve the errno values for NNP vs nosuid.
2158 * NNP: Operation not permitted for caller.
2159 * nosuid: Permission denied to file.
2160 */
2161 if (nnp)
2162 return -EPERM;
2163 else
2164 return -EACCES;
2165 }
2166 return 0;
2167}
2168
a6f76f23 2169static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2170{
a6f76f23
DH		 2171 const struct task_security_struct *old_tsec;
2172 struct task_security_struct *new_tsec;
1da177e4 2173 struct inode_security_struct *isec;
2bf49690 2174 struct common_audit_data ad;
496ad9aa 2175 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2176 int rc;
2177
a6f76f23
DH		 2178 /* SELinux context only depends on initial program or script and not
2179 * the script interpreter */
2180 if (bprm->cred_prepared)
1da177e4
LT		 2181 return 0;
2182
a6f76f23
DH		 2183 old_tsec = current_security();
2184 new_tsec = bprm->cred->security;
1da177e4
LT		 2185 isec = inode->i_security;
2186
2187 /* Default to the current task SID. */
a6f76f23
DH		 2188 new_tsec->sid = old_tsec->sid;
2189 new_tsec->osid = old_tsec->sid;
1da177e4 2190
28eba5bf 2191 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2192 new_tsec->create_sid = 0;
2193 new_tsec->keycreate_sid = 0;
2194 new_tsec->sockcreate_sid = 0;
1da177e4 2195
a6f76f23
DH		 2196 if (old_tsec->exec_sid) {
2197 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2198 /* Reset exec SID on execve. */
a6f76f23 2199 new_tsec->exec_sid = 0;
259e5e6c 2200
7b0d0b40
SS		 2201 /* Fail on NNP or nosuid if not an allowed transition. */
2202 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2203 if (rc)
2204 return rc;
1da177e4
LT		 2205 } else {
2206 /* Check for a default transition on this program. */
a6f76f23 2207 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2208 SECCLASS_PROCESS, NULL,
2209 &new_tsec->sid);
1da177e4
LT		 2210 if (rc)
2211 return rc;
7b0d0b40
SS		 2212
2213 /*
2214 * Fallback to old SID on NNP or nosuid if not an allowed
2215 * transition.
2216 */
2217 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2218 if (rc)
2219 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2220 }
2221
50c205f5 2222 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 2223 ad.u.path = bprm->file->f_path;
1da177e4 2224
a6f76f23
DH		 2225 if (new_tsec->sid == old_tsec->sid) {
2226 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2227 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2228 if (rc)
2229 return rc;
2230 } else {
2231 /* Check permissions for the transition. */
a6f76f23 2232 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2233 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2234 if (rc)
2235 return rc;
2236
a6f76f23 2237 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2238 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2239 if (rc)
2240 return rc;
2241
a6f76f23
DH		 2242 /* Check for shared state */
2243 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2244 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2245 SECCLASS_PROCESS, PROCESS__SHARE,
2246 NULL);
2247 if (rc)
2248 return -EPERM;
2249 }
2250
2251 /* Make sure that anyone attempting to ptrace over a task that
2252 * changes its SID has the appropriate permit */
2253 if (bprm->unsafe &
2254 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2255 struct task_struct *tracer;
2256 struct task_security_struct *sec;
2257 u32 ptsid = 0;
2258
2259 rcu_read_lock();
06d98473 2260 tracer = ptrace_parent(current);
a6f76f23
DH		 2261 if (likely(tracer != NULL)) {
2262 sec = __task_cred(tracer)->security;
2263 ptsid = sec->sid;
2264 }
2265 rcu_read_unlock();
2266
2267 if (ptsid != 0) {
2268 rc = avc_has_perm(ptsid, new_tsec->sid,
2269 SECCLASS_PROCESS,
2270 PROCESS__PTRACE, NULL);
2271 if (rc)
2272 return -EPERM;
2273 }
2274 }
1da177e4 2275
a6f76f23
DH		 2276 /* Clear any possibly unsafe personality bits on exec: */
2277 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2278 }
2279
1da177e4
LT		 2280 return 0;
2281}
2282
828dfe1d 2283static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2284{
5fb49870 2285 const struct task_security_struct *tsec = current_security();
275bb41e 2286 u32 sid, osid;
1da177e4
LT		 2287 int atsecure = 0;
2288
275bb41e
DH		 2289 sid = tsec->sid;
2290 osid = tsec->osid;
2291
2292 if (osid != sid) {
1da177e4
LT		 2293 /* Enable secure mode for SIDs transitions unless
2294 the noatsecure permission is granted between
2295 the two SIDs, i.e. ahp returns 0. */
275bb41e 2296 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2297 SECCLASS_PROCESS,
2298 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2299 }
2300
b1d9e6b0 2301 return !!atsecure;
1da177e4
LT		 2302}
2303
c3c073f8
AV		 2304static int match_file(const void *p, struct file *file, unsigned fd)
2305{
2306 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2307}
2308
1da177e4 2309/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2310static inline void flush_unauthorized_files(const struct cred *cred,
2311 struct files_struct *files)
1da177e4 2312{
1da177e4 2313 struct file *file, *devnull = NULL;
b20c8122 2314 struct tty_struct *tty;
24ec839c 2315 int drop_tty = 0;
c3c073f8 2316 unsigned n;
1da177e4 2317
24ec839c 2318 tty = get_current_tty();
1da177e4 2319 if (tty) {
ee2ffa0d 2320 spin_lock(&tty_files_lock);
37dd0bd0 2321 if (!list_empty(&tty->tty_files)) {
d996b62a 2322 struct tty_file_private *file_priv;
37dd0bd0 2323
1da177e4 2324 /* Revalidate access to controlling tty.
13f8e981
DH		 2325 Use file_path_has_perm on the tty path directly
2326 rather than using file_has_perm, as this particular
2327 open file may belong to another process and we are
2328 only interested in the inode-based check here. */
d996b62a
NP		 2329 file_priv = list_first_entry(&tty->tty_files,
2330 struct tty_file_private, list);
2331 file = file_priv->file;
13f8e981 2332 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2333 drop_tty = 1;
1da177e4 2334 }
ee2ffa0d 2335 spin_unlock(&tty_files_lock);
452a00d2 2336 tty_kref_put(tty);
1da177e4 2337 }
98a27ba4
EB		 2338 /* Reset controlling tty. */
2339 if (drop_tty)
2340 no_tty();
1da177e4
LT		 2341
2342 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2343 n = iterate_fd(files, 0, match_file, cred);
2344 if (!n) /* none found? */
2345 return;
1da177e4 2346
c3c073f8 2347 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2348 if (IS_ERR(devnull))
2349 devnull = NULL;
2350 /* replace all the matching ones with this */
2351 do {
2352 replace_fd(n - 1, devnull, 0);
2353 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2354 if (devnull)
c3c073f8 2355 fput(devnull);
1da177e4
LT		 2356}
2357
a6f76f23
DH		 2358/*
2359 * Prepare a process for imminent new credential changes due to exec
2360 */
2361static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2362{
a6f76f23
DH		 2363 struct task_security_struct *new_tsec;
2364 struct rlimit *rlim, *initrlim;
2365 int rc, i;
d84f4f99 2366
a6f76f23
DH		 2367 new_tsec = bprm->cred->security;
2368 if (new_tsec->sid == new_tsec->osid)
2369 return;
1da177e4 2370
a6f76f23
DH		 2371 /* Close files for which the new task SID is not authorized. */
2372 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2373
a6f76f23
DH		 2374 /* Always clear parent death signal on SID transitions. */
2375 current->pdeath_signal = 0;
0356357c 2376
a6f76f23
DH		 2377 /* Check whether the new SID can inherit resource limits from the old
2378 * SID. If not, reset all soft limits to the lower of the current
2379 * task's hard limit and the init task's soft limit.
2380 *
2381 * Note that the setting of hard limits (even to lower them) can be
2382 * controlled by the setrlimit check. The inclusion of the init task's
2383 * soft limit into the computation is to avoid resetting soft limits
2384 * higher than the default soft limit for cases where the default is
2385 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2386 */
2387 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2388 PROCESS__RLIMITINH, NULL);
2389 if (rc) {
eb2d55a3
ON		 2390 /* protect against do_prlimit() */
2391 task_lock(current);
a6f76f23
DH		 2392 for (i = 0; i < RLIM_NLIMITS; i++) {
2393 rlim = current->signal->rlim + i;
2394 initrlim = init_task.signal->rlim + i;
2395 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2396 }
eb2d55a3
ON		 2397 task_unlock(current);
2398 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2399 }
2400}
2401
2402/*
a6f76f23
DH		 2403 * Clean up the process immediately after the installation of new credentials
2404 * due to exec
1da177e4 2405 */
a6f76f23 2406static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2407{
a6f76f23 2408 const struct task_security_struct *tsec = current_security();
1da177e4 2409 struct itimerval itimer;
a6f76f23 2410 u32 osid, sid;
1da177e4
LT		 2411 int rc, i;
2412
a6f76f23
DH		 2413 osid = tsec->osid;
2414 sid = tsec->sid;
2415
2416 if (sid == osid)
1da177e4
LT		 2417 return;
2418
a6f76f23
DH		 2419 /* Check whether the new SID can inherit signal state from the old SID.
2420 * If not, clear itimers to avoid subsequent signal generation and
2421 * flush and unblock signals.
2422 *
2423 * This must occur _after_ the task SID has been updated so that any
2424 * kill done after the flush will be checked against the new SID.
2425 */
2426 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4
LT		 2427 if (rc) {
2428 memset(&itimer, 0, sizeof itimer);
2429 for (i = 0; i < 3; i++)
2430 do_setitimer(i, &itimer, NULL);
1da177e4 2431 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2432 if (!fatal_signal_pending(current)) {
2433 flush_sigqueue(&current->pending);
2434 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2435 flush_signal_handlers(current, 1);
2436 sigemptyset(&current->blocked);
9e7c8f8c 2437 recalc_sigpending();
3bcac026 2438 }
1da177e4
LT		 2439 spin_unlock_irq(&current->sighand->siglock);
2440 }
2441
a6f76f23
DH		 2442 /* Wake up the parent if it is waiting so that it can recheck
2443 * wait permission to the new task SID. */
ecd6de3c 2444 read_lock(&tasklist_lock);
0b7570e7 2445 __wake_up_parent(current, current->real_parent);
ecd6de3c 2446 read_unlock(&tasklist_lock);
1da177e4
LT		 2447}
2448
2449/* superblock security operations */
2450
2451static int selinux_sb_alloc_security(struct super_block *sb)
2452{
2453 return superblock_alloc_security(sb);
2454}
2455
2456static void selinux_sb_free_security(struct super_block *sb)
2457{
2458 superblock_free_security(sb);
2459}
2460
2461static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2462{
2463 if (plen > olen)
2464 return 0;
2465
2466 return !memcmp(prefix, option, plen);
2467}
2468
2469static inline int selinux_option(char *option, int len)
2470{
832cbd9a
EP		 2471 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2472 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2473 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2474 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2475 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2476}
2477
2478static inline void take_option(char **to, char *from, int *first, int len)
2479{
2480 if (!*first) {
2481 **to = ',';
2482 *to += 1;
3528a953 2483 } else
1da177e4
LT		 2484 *first = 0;
2485 memcpy(*to, from, len);
2486 *to += len;
2487}
2488
828dfe1d
EP		 2489static inline void take_selinux_option(char **to, char *from, int *first,
2490 int len)
3528a953
CO		 2491{
2492 int current_size = 0;
2493
2494 if (!*first) {
2495 **to = '|';
2496 *to += 1;
828dfe1d 2497 } else
3528a953
CO		 2498 *first = 0;
2499
2500 while (current_size < len) {
2501 if (*from != '"') {
2502 **to = *from;
2503 *to += 1;
2504 }
2505 from += 1;
2506 current_size += 1;
2507 }
2508}
2509
e0007529 2510static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2511{
2512 int fnosec, fsec, rc = 0;
2513 char *in_save, *in_curr, *in_end;
2514 char *sec_curr, *nosec_save, *nosec;
3528a953 2515 int open_quote = 0;
1da177e4
LT		 2516
2517 in_curr = orig;
2518 sec_curr = copy;
2519
1da177e4
LT		 2520 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2521 if (!nosec) {
2522 rc = -ENOMEM;
2523 goto out;
2524 }
2525
2526 nosec_save = nosec;
2527 fnosec = fsec = 1;
2528 in_save = in_end = orig;
2529
2530 do {
3528a953
CO		 2531 if (*in_end == '"')
2532 open_quote = !open_quote;
2533 if ((*in_end == ',' && open_quote == 0) ||
2534 *in_end == '\0') {
1da177e4
LT		 2535 int len = in_end - in_curr;
2536
2537 if (selinux_option(in_curr, len))
3528a953 2538 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2539 else
2540 take_option(&nosec, in_curr, &fnosec, len);
2541
2542 in_curr = in_end + 1;
2543 }
2544 } while (*in_end++);
2545
6931dfc9 2546 strcpy(in_save, nosec_save);
da3caa20 2547 free_page((unsigned long)nosec_save);
1da177e4
LT		 2548out:
2549 return rc;
2550}
2551
026eb167
EP		 2552static int selinux_sb_remount(struct super_block *sb, void *data)
2553{
2554 int rc, i, *flags;
2555 struct security_mnt_opts opts;
2556 char *secdata, **mount_options;
2557 struct superblock_security_struct *sbsec = sb->s_security;
2558
2559 if (!(sbsec->flags & SE_SBINITIALIZED))
2560 return 0;
2561
2562 if (!data)
2563 return 0;
2564
2565 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2566 return 0;
2567
2568 security_init_mnt_opts(&opts);
2569 secdata = alloc_secdata();
2570 if (!secdata)
2571 return -ENOMEM;
2572 rc = selinux_sb_copy_data(data, secdata);
2573 if (rc)
2574 goto out_free_secdata;
2575
2576 rc = selinux_parse_opts_str(secdata, &opts);
2577 if (rc)
2578 goto out_free_secdata;
2579
2580 mount_options = opts.mnt_opts;
2581 flags = opts.mnt_opts_flags;
2582
2583 for (i = 0; i < opts.num_mnt_opts; i++) {
2584 u32 sid;
2585 size_t len;
2586
12f348b9 2587 if (flags[i] == SBLABEL_MNT)
026eb167
EP		 2588 continue;
2589 len = strlen(mount_options[i]);
52a4c640
NA		 2590 rc = security_context_to_sid(mount_options[i], len, &sid,
2591 GFP_KERNEL);
026eb167
EP		 2592 if (rc) {
2593 printk(KERN_WARNING "SELinux: security_context_to_sid"
29b1deb2
LT		 2594 "(%s) failed for (dev %s, type %s) errno=%d\n",
2595 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2596 goto out_free_opts;
2597 }
2598 rc = -EINVAL;
2599 switch (flags[i]) {
2600 case FSCONTEXT_MNT:
2601 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2602 goto out_bad_option;
2603 break;
2604 case CONTEXT_MNT:
2605 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2606 goto out_bad_option;
2607 break;
2608 case ROOTCONTEXT_MNT: {
2609 struct inode_security_struct *root_isec;
c6f493d6 2610 root_isec = d_backing_inode(sb->s_root)->i_security;
026eb167
EP		 2611
2612 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2613 goto out_bad_option;
2614 break;
2615 }
2616 case DEFCONTEXT_MNT:
2617 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2618 goto out_bad_option;
2619 break;
2620 default:
2621 goto out_free_opts;
2622 }
2623 }
2624
2625 rc = 0;
2626out_free_opts:
2627 security_free_mnt_opts(&opts);
2628out_free_secdata:
2629 free_secdata(secdata);
2630 return rc;
2631out_bad_option:
2632 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2633 "during remount (dev %s, type=%s)\n", sb->s_id,
2634 sb->s_type->name);
026eb167
EP		 2635 goto out_free_opts;
2636}
2637
12204e24 2638static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2639{
88e67f3b 2640 const struct cred *cred = current_cred();
2bf49690 2641 struct common_audit_data ad;
1da177e4
LT		 2642 int rc;
2643
2644 rc = superblock_doinit(sb, data);
2645 if (rc)
2646 return rc;
2647
74192246
JM		 2648 /* Allow all mounts performed by the kernel */
2649 if (flags & MS_KERNMOUNT)
2650 return 0;
2651
50c205f5 2652 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2653 ad.u.dentry = sb->s_root;
88e67f3b 2654 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2655}
2656
726c3342 2657static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2658{
88e67f3b 2659 const struct cred *cred = current_cred();
2bf49690 2660 struct common_audit_data ad;
1da177e4 2661
50c205f5 2662 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2663 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2664 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2665}
2666
808d4e3c 2667static int selinux_mount(const char *dev_name,
b5266eb4 2668 struct path *path,
808d4e3c 2669 const char *type,
828dfe1d
EP		 2670 unsigned long flags,
2671 void *data)
1da177e4 2672{
88e67f3b 2673 const struct cred *cred = current_cred();
1da177e4
LT		 2674
2675 if (flags & MS_REMOUNT)
d8c9584e 2676 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2677 FILESYSTEM__REMOUNT, NULL);
1da177e4 2678 else
2875fa00 2679 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2680}
2681
2682static int selinux_umount(struct vfsmount *mnt, int flags)
2683{
88e67f3b 2684 const struct cred *cred = current_cred();
1da177e4 2685
88e67f3b 2686 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2687 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2688}
2689
2690/* inode security operations */
2691
2692static int selinux_inode_alloc_security(struct inode *inode)
2693{
2694 return inode_alloc_security(inode);
2695}
2696
2697static void selinux_inode_free_security(struct inode *inode)
2698{
2699 inode_free_security(inode);
2700}
2701
d47be3df
DQ		 2702static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2703 struct qstr *name, void **ctx,
2704 u32 *ctxlen)
2705{
2706 const struct cred *cred = current_cred();
2707 struct task_security_struct *tsec;
2708 struct inode_security_struct *dsec;
2709 struct superblock_security_struct *sbsec;
c6f493d6 2710 struct inode *dir = d_backing_inode(dentry->d_parent);
d47be3df
DQ		 2711 u32 newsid;
2712 int rc;
2713
2714 tsec = cred->security;
2715 dsec = dir->i_security;
2716 sbsec = dir->i_sb->s_security;
2717
2718 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2719 newsid = tsec->create_sid;
2720 } else {
2721 rc = security_transition_sid(tsec->sid, dsec->sid,
2722 inode_mode_to_security_class(mode),
2723 name,
2724 &newsid);
2725 if (rc) {
2726 printk(KERN_WARNING
2727 "%s: security_transition_sid failed, rc=%d\n",
2728 __func__, -rc);
2729 return rc;
2730 }
2731 }
2732
2733 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2734}
2735
5e41ff9e 2736static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2737 const struct qstr *qstr,
2738 const char **name,
2a7dba39 2739 void **value, size_t *len)
5e41ff9e 2740{
5fb49870 2741 const struct task_security_struct *tsec = current_security();
5e41ff9e
SS		 2742 struct inode_security_struct *dsec;
2743 struct superblock_security_struct *sbsec;
275bb41e 2744 u32 sid, newsid, clen;
5e41ff9e 2745 int rc;
9548906b 2746 char *context;
5e41ff9e 2747
5e41ff9e
SS		 2748 dsec = dir->i_security;
2749 sbsec = dir->i_sb->s_security;
5e41ff9e 2750
275bb41e
DH		 2751 sid = tsec->sid;
2752 newsid = tsec->create_sid;
2753
415103f9
EP		 2754 if ((sbsec->flags & SE_SBINITIALIZED) &&
2755 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2756 newsid = sbsec->mntpoint_sid;
12f348b9 2757 else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
275bb41e 2758 rc = security_transition_sid(sid, dsec->sid,
5e41ff9e 2759 inode_mode_to_security_class(inode->i_mode),
652bb9b0 2760 qstr, &newsid);
5e41ff9e
SS		 2761 if (rc) {
2762 printk(KERN_WARNING "%s: "
2763 "security_transition_sid failed, rc=%d (dev=%s "
2764 "ino=%ld)\n",
dd6f953a 2765 __func__,
5e41ff9e
SS		 2766 -rc, inode->i_sb->s_id, inode->i_ino);
2767 return rc;
2768 }
2769 }
2770
296fddf7 2771 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2772 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2773 struct inode_security_struct *isec = inode->i_security;
2774 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2775 isec->sid = newsid;
2776 isec->initialized = 1;
2777 }
5e41ff9e 2778
12f348b9 2779 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2780 return -EOPNOTSUPP;
2781
9548906b
TH		 2782 if (name)
2783 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2784
570bc1c2 2785 if (value && len) {
12b29f34 2786 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 2787 if (rc)
570bc1c2 2788 return rc;
570bc1c2
SS		 2789 *value = context;
2790 *len = clen;
5e41ff9e 2791 }
5e41ff9e 2792
5e41ff9e
SS		 2793 return 0;
2794}
2795
4acdaf27 2796static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2797{
2798 return may_create(dir, dentry, SECCLASS_FILE);
2799}
2800
1da177e4
LT		 2801static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2802{
1da177e4
LT		 2803 return may_link(dir, old_dentry, MAY_LINK);
2804}
2805
1da177e4
LT		 2806static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2807{
1da177e4
LT		 2808 return may_link(dir, dentry, MAY_UNLINK);
2809}
2810
2811static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2812{
2813 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2814}
2815
18bb1db3 2816static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2817{
2818 return may_create(dir, dentry, SECCLASS_DIR);
2819}
2820
1da177e4
LT		 2821static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2822{
2823 return may_link(dir, dentry, MAY_RMDIR);
2824}
2825
1a67aafb 2826static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2827{
1da177e4
LT		 2828 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2829}
2830
1da177e4 2831static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2832 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2833{
2834 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2835}
2836
1da177e4
LT		 2837static int selinux_inode_readlink(struct dentry *dentry)
2838{
88e67f3b
DH		 2839 const struct cred *cred = current_cred();
2840
2875fa00 2841 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2842}
2843
2844static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2845{
88e67f3b 2846 const struct cred *cred = current_cred();
1da177e4 2847
2875fa00 2848 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2849}
2850
d4cf970d
EP		 2851static noinline int audit_inode_permission(struct inode *inode,
2852 u32 perms, u32 audited, u32 denied,
626b9740 2853 int result,
d4cf970d 2854 unsigned flags)
1da177e4 2855{
b782e0a6 2856 struct common_audit_data ad;
d4cf970d
EP		 2857 struct inode_security_struct *isec = inode->i_security;
2858 int rc;
2859
50c205f5 2860 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 2861 ad.u.inode = inode;
2862
2863 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
626b9740 2864 audited, denied, result, &ad, flags);
d4cf970d
EP		 2865 if (rc)
2866 return rc;
2867 return 0;
2868}
2869
e74f71eb 2870static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2871{
88e67f3b 2872 const struct cred *cred = current_cred();
b782e0a6
EP		 2873 u32 perms;
2874 bool from_access;
cf1dd1da 2875 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 2876 struct inode_security_struct *isec;
2877 u32 sid;
2878 struct av_decision avd;
2879 int rc, rc2;
2880 u32 audited, denied;
1da177e4 2881
b782e0a6 2882 from_access = mask & MAY_ACCESS;
d09ca739
EP		 2883 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2884
b782e0a6
EP		 2885 /* No permission to check. Existence test. */
2886 if (!mask)
1da177e4 2887 return 0;
1da177e4 2888
2e334057 2889 validate_creds(cred);
b782e0a6 2890
2e334057
EP		 2891 if (unlikely(IS_PRIVATE(inode)))
2892 return 0;
b782e0a6
EP		 2893
2894 perms = file_mask_to_av(inode->i_mode, mask);
2895
2e334057
EP		 2896 sid = cred_sid(cred);
2897 isec = inode->i_security;
2898
2899 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2900 audited = avc_audit_required(perms, &avd, rc,
2901 from_access ? FILE__AUDIT_ACCESS : 0,
2902 &denied);
2903 if (likely(!audited))
2904 return rc;
2905
626b9740 2906 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 2907 if (rc2)
2908 return rc2;
2909 return rc;
1da177e4
LT		 2910}
2911
2912static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2913{
88e67f3b 2914 const struct cred *cred = current_cred();
bc6a6008 2915 unsigned int ia_valid = iattr->ia_valid;
95dbf739 2916 __u32 av = FILE__WRITE;
1da177e4 2917
bc6a6008
AW		 2918 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2919 if (ia_valid & ATTR_FORCE) {
2920 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2921 ATTR_FORCE);
2922 if (!ia_valid)
2923 return 0;
2924 }
1da177e4 2925
bc6a6008
AW		 2926 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2927 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 2928 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 2929
3d2195c3 2930 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
95dbf739
EP		 2931 av |= FILE__OPEN;
2932
2933 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 2934}
2935
3f7036a0 2936static int selinux_inode_getattr(const struct path *path)
1da177e4 2937{
3f7036a0 2938 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 2939}
2940
8f0cfa52 2941static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 2942{
88e67f3b
DH		 2943 const struct cred *cred = current_cred();
2944
b5376771
SH		 2945 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2946 sizeof XATTR_SECURITY_PREFIX - 1)) {
2947 if (!strcmp(name, XATTR_NAME_CAPS)) {
2948 if (!capable(CAP_SETFCAP))
2949 return -EPERM;
2950 } else if (!capable(CAP_SYS_ADMIN)) {
2951 /* A different attribute in the security namespace.
2952 Restrict to administrator. */
2953 return -EPERM;
2954 }
2955 }
2956
2957 /* Not an attribute we recognize, so just check the
2958 ordinary setattr permission. */
2875fa00 2959 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 2960}
2961
8f0cfa52
DH		 2962static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2963 const void *value, size_t size, int flags)
1da177e4 2964{
c6f493d6 2965 struct inode *inode = d_backing_inode(dentry);
1da177e4
LT		 2966 struct inode_security_struct *isec = inode->i_security;
2967 struct superblock_security_struct *sbsec;
2bf49690 2968 struct common_audit_data ad;
275bb41e 2969 u32 newsid, sid = current_sid();
1da177e4
LT		 2970 int rc = 0;
2971
b5376771
SH		 2972 if (strcmp(name, XATTR_NAME_SELINUX))
2973 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2974
2975 sbsec = inode->i_sb->s_security;
12f348b9 2976 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 2977 return -EOPNOTSUPP;
2978
2e149670 2979 if (!inode_owner_or_capable(inode))
1da177e4
LT		 2980 return -EPERM;
2981
50c205f5 2982 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2983 ad.u.dentry = dentry;
1da177e4 2984
275bb41e 2985 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 2986 FILE__RELABELFROM, &ad);
2987 if (rc)
2988 return rc;
2989
52a4c640 2990 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
12b29f34 2991 if (rc == -EINVAL) {
d6ea83ec
EP		 2992 if (!capable(CAP_MAC_ADMIN)) {
2993 struct audit_buffer *ab;
2994 size_t audit_size;
2995 const char *str;
2996
2997 /* We strip a nul only if it is at the end, otherwise the
2998 * context contains a nul and we should audit that */
e3fea3f7
AV		 2999 if (value) {
3000 str = value;
3001 if (str[size - 1] == '\0')
3002 audit_size = size - 1;
3003 else
3004 audit_size = size;
3005 } else {
3006 str = "";
3007 audit_size = 0;
3008 }
d6ea83ec
EP		 3009 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3010 audit_log_format(ab, "op=setxattr invalid_context=");
3011 audit_log_n_untrustedstring(ab, value, audit_size);
3012 audit_log_end(ab);
3013
12b29f34 3014 return rc;
d6ea83ec 3015 }
12b29f34
SS		 3016 rc = security_context_to_sid_force(value, size, &newsid);
3017 }
1da177e4
LT		 3018 if (rc)
3019 return rc;
3020
275bb41e 3021 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3022 FILE__RELABELTO, &ad);
3023 if (rc)
3024 return rc;
3025
275bb41e 3026 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 3027 isec->sclass);
1da177e4
LT		 3028 if (rc)
3029 return rc;
3030
3031 return avc_has_perm(newsid,
3032 sbsec->sid,
3033 SECCLASS_FILESYSTEM,
3034 FILESYSTEM__ASSOCIATE,
3035 &ad);
3036}
3037
8f0cfa52 3038static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3039 const void *value, size_t size,
8f0cfa52 3040 int flags)
1da177e4 3041{
c6f493d6 3042 struct inode *inode = d_backing_inode(dentry);
1da177e4
LT		 3043 struct inode_security_struct *isec = inode->i_security;
3044 u32 newsid;
3045 int rc;
3046
3047 if (strcmp(name, XATTR_NAME_SELINUX)) {
3048 /* Not an attribute we recognize, so nothing to do. */
3049 return;
3050 }
3051
12b29f34 3052 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 3053 if (rc) {
12b29f34
SS		 3054 printk(KERN_ERR "SELinux: unable to map context to SID"
3055 "for (%s, %lu), rc=%d\n",
3056 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3057 return;
3058 }
3059
aa9c2669 3060 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3061 isec->sid = newsid;
aa9c2669
DQ		 3062 isec->initialized = 1;
3063
1da177e4
LT		 3064 return;
3065}
3066
8f0cfa52 3067static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3068{
88e67f3b
DH		 3069 const struct cred *cred = current_cred();
3070
2875fa00 3071 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3072}
3073
828dfe1d 3074static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3075{
88e67f3b
DH		 3076 const struct cred *cred = current_cred();
3077
2875fa00 3078 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3079}
3080
8f0cfa52 3081static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3082{
b5376771
SH		 3083 if (strcmp(name, XATTR_NAME_SELINUX))
3084 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3085
3086 /* No one is allowed to remove a SELinux security label.
3087 You can change the label, but all data must be labeled. */
3088 return -EACCES;
3089}
3090
d381d8a9 3091/*
abc69bb6 3092 * Copy the inode security context value to the user.
d381d8a9
JM		 3093 *
3094 * Permission check is handled by selinux_inode_getxattr hook.
3095 */
42492594 3096static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3097{
42492594
DQ		 3098 u32 size;
3099 int error;
3100 char *context = NULL;
1da177e4 3101 struct inode_security_struct *isec = inode->i_security;
d381d8a9 3102
8c8570fb
DK		 3103 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3104 return -EOPNOTSUPP;
d381d8a9 3105
abc69bb6
SS		 3106 /*
3107 * If the caller has CAP_MAC_ADMIN, then get the raw context
3108 * value even if it is not defined by current policy; otherwise,
3109 * use the in-core value under current policy.
3110 * Use the non-auditing forms of the permission checks since
3111 * getxattr may be called by unprivileged processes commonly
3112 * and lack of permission just means that we fall back to the
3113 * in-core context value, not a denial.
3114 */
b1d9e6b0
CS		 3115 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3116 SECURITY_CAP_NOAUDIT);
3117 if (!error)
3118 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3119 SECURITY_CAP_NOAUDIT);
abc69bb6
SS		 3120 if (!error)
3121 error = security_sid_to_context_force(isec->sid, &context,
3122 &size);
3123 else
3124 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3125 if (error)
3126 return error;
3127 error = size;
3128 if (alloc) {
3129 *buffer = context;
3130 goto out_nofree;
3131 }
3132 kfree(context);
3133out_nofree:
3134 return error;
1da177e4
LT		 3135}
3136
3137static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3138 const void *value, size_t size, int flags)
1da177e4
LT		 3139{
3140 struct inode_security_struct *isec = inode->i_security;
3141 u32 newsid;
3142 int rc;
3143
3144 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3145 return -EOPNOTSUPP;
3146
3147 if (!value || !size)
3148 return -EACCES;
3149
52a4c640 3150 rc = security_context_to_sid((void *)value, size, &newsid, GFP_KERNEL);
1da177e4
LT		 3151 if (rc)
3152 return rc;
3153
aa9c2669 3154 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3155 isec->sid = newsid;
ddd29ec6 3156 isec->initialized = 1;
1da177e4
LT		 3157 return 0;
3158}
3159
3160static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3161{
3162 const int len = sizeof(XATTR_NAME_SELINUX);
3163 if (buffer && len <= buffer_size)
3164 memcpy(buffer, XATTR_NAME_SELINUX, len);
3165 return len;
3166}
3167
713a04ae
AD		 3168static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3169{
3170 struct inode_security_struct *isec = inode->i_security;
3171 *secid = isec->sid;
3172}
3173
1da177e4
LT		 3174/* file security operations */
3175
788e7dd4 3176static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3177{
88e67f3b 3178 const struct cred *cred = current_cred();
496ad9aa 3179 struct inode *inode = file_inode(file);
1da177e4 3180
1da177e4
LT		 3181 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3182 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3183 mask |= MAY_APPEND;
3184
389fb800
PM		 3185 return file_has_perm(cred, file,
3186 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3187}
3188
788e7dd4
YN		 3189static int selinux_file_permission(struct file *file, int mask)
3190{
496ad9aa 3191 struct inode *inode = file_inode(file);
20dda18b
SS		 3192 struct file_security_struct *fsec = file->f_security;
3193 struct inode_security_struct *isec = inode->i_security;
3194 u32 sid = current_sid();
3195
389fb800 3196 if (!mask)
788e7dd4
YN		 3197 /* No permission to check. Existence test. */
3198 return 0;
788e7dd4 3199
20dda18b
SS		 3200 if (sid == fsec->sid && fsec->isid == isec->sid &&
3201 fsec->pseqno == avc_policy_seqno())
83d49856 3202 /* No change since file_open check. */
20dda18b
SS		 3203 return 0;
3204
788e7dd4
YN		 3205 return selinux_revalidate_file_permission(file, mask);
3206}
3207
1da177e4
LT		 3208static int selinux_file_alloc_security(struct file *file)
3209{
3210 return file_alloc_security(file);
3211}
3212
3213static void selinux_file_free_security(struct file *file)
3214{
3215 file_free_security(file);
3216}
3217
3218static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3219 unsigned long arg)
3220{
88e67f3b 3221 const struct cred *cred = current_cred();
0b24dcb7 3222 int error = 0;
1da177e4 3223
0b24dcb7
EP		 3224 switch (cmd) {
3225 case FIONREAD:
3226 /* fall through */
3227 case FIBMAP:
3228 /* fall through */
3229 case FIGETBSZ:
3230 /* fall through */
2f99c369 3231 case FS_IOC_GETFLAGS:
0b24dcb7 3232 /* fall through */
2f99c369 3233 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3234 error = file_has_perm(cred, file, FILE__GETATTR);
3235 break;
1da177e4 3236
2f99c369 3237 case FS_IOC_SETFLAGS:
0b24dcb7 3238 /* fall through */
2f99c369 3239 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3240 error = file_has_perm(cred, file, FILE__SETATTR);
3241 break;
3242
3243 /* sys_ioctl() checks */
3244 case FIONBIO:
3245 /* fall through */
3246 case FIOASYNC:
3247 error = file_has_perm(cred, file, 0);
3248 break;
1da177e4 3249
0b24dcb7
EP		 3250 case KDSKBENT:
3251 case KDSKBSENT:
6a9de491
EP		 3252 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3253 SECURITY_CAP_AUDIT);
0b24dcb7
EP		 3254 break;
3255
3256 /* default case assumes that the command will go
3257 * to the file's ioctl() function.
3258 */
3259 default:
3260 error = file_has_perm(cred, file, FILE__IOCTL);
3261 }
3262 return error;
1da177e4
LT		 3263}
3264
fcaaade1
SS		 3265static int default_noexec;
3266
1da177e4
LT		 3267static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3268{
88e67f3b 3269 const struct cred *cred = current_cred();
d84f4f99 3270 int rc = 0;
88e67f3b 3271
fcaaade1
SS		 3272 if (default_noexec &&
3273 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3274 /*
3275 * We are making executable an anonymous mapping or a
3276 * private file mapping that will also be writable.
3277 * This has an additional check.
3278 */
d84f4f99 3279 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 3280 if (rc)
d84f4f99 3281 goto error;
1da177e4 3282 }
1da177e4
LT		 3283
3284 if (file) {
3285 /* read access is always possible with a mapping */
3286 u32 av = FILE__READ;
3287
3288 /* write access only matters if the mapping is shared */
3289 if (shared && (prot & PROT_WRITE))
3290 av |= FILE__WRITE;
3291
3292 if (prot & PROT_EXEC)
3293 av |= FILE__EXECUTE;
3294
88e67f3b 3295 return file_has_perm(cred, file, av);
1da177e4 3296 }
d84f4f99
DH		 3297
3298error:
3299 return rc;
1da177e4
LT		 3300}
3301
e5467859 3302static int selinux_mmap_addr(unsigned long addr)
1da177e4 3303{
b1d9e6b0 3304 int rc = 0;
1da177e4 3305
a2551df7 3306 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3307 u32 sid = current_sid();
ed032189
EP		 3308 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3309 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3310 }
3311
98883bfd 3312 return rc;
e5467859 3313}
1da177e4 3314
e5467859
AV		 3315static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3316 unsigned long prot, unsigned long flags)
3317{
1da177e4
LT		 3318 if (selinux_checkreqprot)
3319 prot = reqprot;
3320
3321 return file_map_prot_check(file, prot,
3322 (flags & MAP_TYPE) == MAP_SHARED);
3323}
3324
3325static int selinux_file_mprotect(struct vm_area_struct *vma,
3326 unsigned long reqprot,
3327 unsigned long prot)
3328{
88e67f3b 3329 const struct cred *cred = current_cred();
1da177e4
LT		 3330
3331 if (selinux_checkreqprot)
3332 prot = reqprot;
3333
fcaaade1
SS		 3334 if (default_noexec &&
3335 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3336 int rc = 0;
db4c9641
SS		 3337 if (vma->vm_start >= vma->vm_mm->start_brk &&
3338 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3339 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641
SS		 3340 } else if (!vma->vm_file &&
3341 vma->vm_start <= vma->vm_mm->start_stack &&
3342 vma->vm_end >= vma->vm_mm->start_stack) {
3b11a1de 3343 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3344 } else if (vma->vm_file && vma->anon_vma) {
3345 /*
3346 * We are making executable a file mapping that has
3347 * had some COW done. Since pages might have been
3348 * written, check ability to execute the possibly
3349 * modified content. This typically should only
3350 * occur for text relocations.
3351 */
d84f4f99 3352 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3353 }