]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blame - security/selinux/hooks.c
projects / mirror_ubuntu-artful-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
firmware: Correct dependency on CONFIG_EXTRA_FIRMWARE_DIR
[mirror_ubuntu-artful-kernel.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
effad8df 16 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
828dfe1d 17 * Paul Moore <paul.moore@hp.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4
LT		 26#include <linux/init.h>
27#include <linux/kernel.h>
28#include <linux/ptrace.h>
29#include <linux/errno.h>
30#include <linux/sched.h>
31#include <linux/security.h>
32#include <linux/xattr.h>
33#include <linux/capability.h>
34#include <linux/unistd.h>
35#include <linux/mm.h>
36#include <linux/mman.h>
37#include <linux/slab.h>
38#include <linux/pagemap.h>
39#include <linux/swap.h>
1da177e4
LT		 40#include <linux/spinlock.h>
41#include <linux/syscalls.h>
42#include <linux/file.h>
9f3acc31 43#include <linux/fdtable.h>
1da177e4
LT		 44#include <linux/namei.h>
45#include <linux/mount.h>
1da177e4 46#include <linux/proc_fs.h>
1da177e4
LT		 47#include <linux/netfilter_ipv4.h>
48#include <linux/netfilter_ipv6.h>
49#include <linux/tty.h>
50#include <net/icmp.h>
227b60f5 51#include <net/ip.h> /* for local_port_range[] */
1da177e4 52#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
220deb96 53#include <net/net_namespace.h>
d621d35e 54#include <net/netlabel.h>
f5269710 55#include <linux/uaccess.h>
1da177e4 56#include <asm/ioctls.h>
d621d35e 57#include <asm/atomic.h>
1da177e4
LT		 58#include <linux/bitops.h>
59#include <linux/interrupt.h>
60#include <linux/netdevice.h> /* for network interface checks */
61#include <linux/netlink.h>
62#include <linux/tcp.h>
63#include <linux/udp.h>
2ee92d46 64#include <linux/dccp.h>
1da177e4
LT		 65#include <linux/quota.h>
66#include <linux/un.h> /* for Unix socket types */
67#include <net/af_unix.h> /* for Unix socket types */
68#include <linux/parser.h>
69#include <linux/nfs_mount.h>
70#include <net/ipv6.h>
71#include <linux/hugetlb.h>
72#include <linux/personality.h>
73#include <linux/sysctl.h>
74#include <linux/audit.h>
6931dfc9 75#include <linux/string.h>
877ce7c1 76#include <linux/selinux.h>
23970741 77#include <linux/mutex.h>
1da177e4
LT		 78
79#include "avc.h"
80#include "objsec.h"
81#include "netif.h"
224dfbd8 82#include "netnode.h"
3e112172 83#include "netport.h"
d28d1e08 84#include "xfrm.h"
c60475bf 85#include "netlabel.h"
9d57a7f9 86#include "audit.h"
1da177e4
LT		 87
88#define XATTR_SELINUX_SUFFIX "selinux"
89#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
90
c9180a57
EP		 91#define NUM_SEL_MNT_OPTS 4
92
1da177e4
LT		 93extern unsigned int policydb_loaded_version;
94extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
4e5ab4cb 95extern int selinux_compat_net;
20510f2f 96extern struct security_operations *security_ops;
1da177e4 97
d621d35e
PM		 98/* SECMARK reference count */
99atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100
1da177e4 101#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 102int selinux_enforcing;
1da177e4
LT		 103
104static int __init enforcing_setup(char *str)
105{
f5269710
EP		 106 unsigned long enforcing;
107 if (!strict_strtoul(str, 0, &enforcing))
108 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 109 return 1;
110}
111__setup("enforcing=", enforcing_setup);
112#endif
113
114#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116
117static int __init selinux_enabled_setup(char *str)
118{
f5269710
EP		 119 unsigned long enabled;
120 if (!strict_strtoul(str, 0, &enabled))
121 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 122 return 1;
123}
124__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 125#else
126int selinux_enabled = 1;
1da177e4
LT		 127#endif
128
1da177e4 129
6f0f0fd4
JM		 130/*
131 * Minimal support for a secondary security module,
132 * just to allow the use of the capability module.
133 */
828dfe1d 134static struct security_operations *secondary_ops;
1da177e4
LT		 135
136/* Lists of inode and superblock security structures initialized
137 before the policy was loaded. */
138static LIST_HEAD(superblock_security_head);
139static DEFINE_SPINLOCK(sb_security_lock);
140
e18b890b 141static struct kmem_cache *sel_inode_cache;
7cae7e26 142
d621d35e
PM		 143/**
144 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
145 *
146 * Description:
147 * This function checks the SECMARK reference counter to see if any SECMARK
148 * targets are currently configured, if the reference counter is greater than
149 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
150 * enabled, false (0) if SECMARK is disabled.
151 *
152 */
153static int selinux_secmark_enabled(void)
154{
155 return (atomic_read(&selinux_secmark_refcount) > 0);
156}
157
1da177e4
LT		 158/* Allocate and free functions for each kind of security blob. */
159
160static int task_alloc_security(struct task_struct *task)
161{
162 struct task_security_struct *tsec;
163
89d155ef 164 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4
LT		 165 if (!tsec)
166 return -ENOMEM;
167
0356357c 168 tsec->osid = tsec->sid = SECINITSID_UNLABELED;
1da177e4
LT		 169 task->security = tsec;
170
171 return 0;
172}
173
174static void task_free_security(struct task_struct *task)
175{
176 struct task_security_struct *tsec = task->security;
1da177e4
LT		 177 task->security = NULL;
178 kfree(tsec);
179}
180
181static int inode_alloc_security(struct inode *inode)
182{
183 struct task_security_struct *tsec = current->security;
184 struct inode_security_struct *isec;
185
a02fe132 186 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 187 if (!isec)
188 return -ENOMEM;
189
23970741 190 mutex_init(&isec->lock);
1da177e4 191 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 192 isec->inode = inode;
193 isec->sid = SECINITSID_UNLABELED;
194 isec->sclass = SECCLASS_FILE;
9ac49d22 195 isec->task_sid = tsec->sid;
1da177e4
LT		 196 inode->i_security = isec;
197
198 return 0;
199}
200
201static void inode_free_security(struct inode *inode)
202{
203 struct inode_security_struct *isec = inode->i_security;
204 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
205
1da177e4
LT		 206 spin_lock(&sbsec->isec_lock);
207 if (!list_empty(&isec->list))
208 list_del_init(&isec->list);
209 spin_unlock(&sbsec->isec_lock);
210
211 inode->i_security = NULL;
7cae7e26 212 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 213}
214
215static int file_alloc_security(struct file *file)
216{
217 struct task_security_struct *tsec = current->security;
218 struct file_security_struct *fsec;
219
26d2a4be 220 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 221 if (!fsec)
222 return -ENOMEM;
223
9ac49d22
SS		 224 fsec->sid = tsec->sid;
225 fsec->fown_sid = tsec->sid;
1da177e4
LT		 226 file->f_security = fsec;
227
228 return 0;
229}
230
231static void file_free_security(struct file *file)
232{
233 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 234 file->f_security = NULL;
235 kfree(fsec);
236}
237
238static int superblock_alloc_security(struct super_block *sb)
239{
240 struct superblock_security_struct *sbsec;
241
89d155ef 242 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 243 if (!sbsec)
244 return -ENOMEM;
245
bc7e982b 246 mutex_init(&sbsec->lock);
1da177e4
LT		 247 INIT_LIST_HEAD(&sbsec->list);
248 INIT_LIST_HEAD(&sbsec->isec_head);
249 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 250 sbsec->sb = sb;
251 sbsec->sid = SECINITSID_UNLABELED;
252 sbsec->def_sid = SECINITSID_FILE;
c312feb2 253 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 254 sb->s_security = sbsec;
255
256 return 0;
257}
258
259static void superblock_free_security(struct super_block *sb)
260{
261 struct superblock_security_struct *sbsec = sb->s_security;
262
1da177e4
LT		 263 spin_lock(&sb_security_lock);
264 if (!list_empty(&sbsec->list))
265 list_del_init(&sbsec->list);
266 spin_unlock(&sb_security_lock);
267
268 sb->s_security = NULL;
269 kfree(sbsec);
270}
271
7d877f3b 272static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4
LT		 273{
274 struct sk_security_struct *ssec;
275
89d155ef 276 ssec = kzalloc(sizeof(*ssec), priority);
1da177e4
LT		 277 if (!ssec)
278 return -ENOMEM;
279
1da177e4 280 ssec->peer_sid = SECINITSID_UNLABELED;
892c141e 281 ssec->sid = SECINITSID_UNLABELED;
1da177e4
LT		 282 sk->sk_security = ssec;
283
f74af6e8 284 selinux_netlbl_sk_security_reset(ssec, family);
99f59ed0 285
1da177e4
LT		 286 return 0;
287}
288
289static void sk_free_security(struct sock *sk)
290{
291 struct sk_security_struct *ssec = sk->sk_security;
292
1da177e4
LT		 293 sk->sk_security = NULL;
294 kfree(ssec);
295}
1da177e4
LT		 296
297/* The security server must be initialized before
298 any labeling or access decisions can be provided. */
299extern int ss_initialized;
300
301/* The file system's label must be initialized prior to use. */
302
303static char *labeling_behaviors[6] = {
304 "uses xattr",
305 "uses transition SIDs",
306 "uses task SIDs",
307 "uses genfs_contexts",
308 "not configured for labeling",
309 "uses mountpoint labeling",
310};
311
312static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313
314static inline int inode_doinit(struct inode *inode)
315{
316 return inode_doinit_with_dentry(inode, NULL);
317}
318
319enum {
31e87930 320 Opt_error = -1,
1da177e4
LT		 321 Opt_context = 1,
322 Opt_fscontext = 2,
c9180a57
EP		 323 Opt_defcontext = 3,
324 Opt_rootcontext = 4,
1da177e4
LT		 325};
326
327static match_table_t tokens = {
832cbd9a
EP		 328 {Opt_context, CONTEXT_STR "%s"},
329 {Opt_fscontext, FSCONTEXT_STR "%s"},
330 {Opt_defcontext, DEFCONTEXT_STR "%s"},
331 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
31e87930 332 {Opt_error, NULL},
1da177e4
LT		 333};
334
335#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
336
c312feb2
EP		 337static int may_context_mount_sb_relabel(u32 sid,
338 struct superblock_security_struct *sbsec,
339 struct task_security_struct *tsec)
340{
341 int rc;
342
343 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
344 FILESYSTEM__RELABELFROM, NULL);
345 if (rc)
346 return rc;
347
348 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
349 FILESYSTEM__RELABELTO, NULL);
350 return rc;
351}
352
0808925e
EP		 353static int may_context_mount_inode_relabel(u32 sid,
354 struct superblock_security_struct *sbsec,
355 struct task_security_struct *tsec)
356{
357 int rc;
358 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
359 FILESYSTEM__RELABELFROM, NULL);
360 if (rc)
361 return rc;
362
363 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
364 FILESYSTEM__ASSOCIATE, NULL);
365 return rc;
366}
367
c9180a57 368static int sb_finish_set_opts(struct super_block *sb)
1da177e4 369{
1da177e4 370 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 371 struct dentry *root = sb->s_root;
372 struct inode *root_inode = root->d_inode;
373 int rc = 0;
1da177e4 374
c9180a57
EP		 375 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
376 /* Make sure that the xattr handler exists and that no
377 error other than -ENODATA is returned by getxattr on
378 the root directory. -ENODATA is ok, as this may be
379 the first boot of the SELinux kernel before we have
380 assigned xattr values to the filesystem. */
381 if (!root_inode->i_op->getxattr) {
382 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
383 "xattr support\n", sb->s_id, sb->s_type->name);
384 rc = -EOPNOTSUPP;
385 goto out;
386 }
387 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
388 if (rc < 0 && rc != -ENODATA) {
389 if (rc == -EOPNOTSUPP)
390 printk(KERN_WARNING "SELinux: (dev %s, type "
391 "%s) has no security xattr handler\n",
392 sb->s_id, sb->s_type->name);
393 else
394 printk(KERN_WARNING "SELinux: (dev %s, type "
395 "%s) getxattr errno %d\n", sb->s_id,
396 sb->s_type->name, -rc);
397 goto out;
398 }
399 }
1da177e4 400
c9180a57 401 sbsec->initialized = 1;
1da177e4 402
c9180a57
EP		 403 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
404 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
405 sb->s_id, sb->s_type->name);
406 else
407 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
408 sb->s_id, sb->s_type->name,
409 labeling_behaviors[sbsec->behavior-1]);
1da177e4 410
c9180a57
EP		 411 /* Initialize the root inode. */
412 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 413
c9180a57
EP		 414 /* Initialize any other inodes associated with the superblock, e.g.
415 inodes created prior to initial policy load or inodes created
416 during get_sb by a pseudo filesystem that directly
417 populates itself. */
418 spin_lock(&sbsec->isec_lock);
419next_inode:
420 if (!list_empty(&sbsec->isec_head)) {
421 struct inode_security_struct *isec =
422 list_entry(sbsec->isec_head.next,
423 struct inode_security_struct, list);
424 struct inode *inode = isec->inode;
425 spin_unlock(&sbsec->isec_lock);
426 inode = igrab(inode);
427 if (inode) {
428 if (!IS_PRIVATE(inode))
429 inode_doinit(inode);
430 iput(inode);
431 }
432 spin_lock(&sbsec->isec_lock);
433 list_del_init(&isec->list);
434 goto next_inode;
435 }
436 spin_unlock(&sbsec->isec_lock);
437out:
438 return rc;
439}
1da177e4 440
c9180a57
EP		 441/*
442 * This function should allow an FS to ask what it's mount security
443 * options were so it can use those later for submounts, displaying
444 * mount options, or whatever.
445 */
446static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 447 struct security_mnt_opts *opts)
c9180a57
EP		 448{
449 int rc = 0, i;
450 struct superblock_security_struct *sbsec = sb->s_security;
451 char *context = NULL;
452 u32 len;
453 char tmp;
1da177e4 454
e0007529 455 security_init_mnt_opts(opts);
1da177e4 456
c9180a57
EP		 457 if (!sbsec->initialized)
458 return -EINVAL;
1da177e4 459
c9180a57
EP		 460 if (!ss_initialized)
461 return -EINVAL;
1da177e4 462
c9180a57
EP		 463 /*
464 * if we ever use sbsec flags for anything other than tracking mount
465 * settings this is going to need a mask
466 */
467 tmp = sbsec->flags;
468 /* count the number of mount options for this sb */
469 for (i = 0; i < 8; i++) {
470 if (tmp & 0x01)
e0007529 471 opts->num_mnt_opts++;
c9180a57
EP		 472 tmp >>= 1;
473 }
1da177e4 474
e0007529
EP		 475 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
476 if (!opts->mnt_opts) {
c9180a57
EP		 477 rc = -ENOMEM;
478 goto out_free;
479 }
1da177e4 480
e0007529
EP		 481 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
482 if (!opts->mnt_opts_flags) {
c9180a57
EP		 483 rc = -ENOMEM;
484 goto out_free;
485 }
1da177e4 486
c9180a57
EP		 487 i = 0;
488 if (sbsec->flags & FSCONTEXT_MNT) {
489 rc = security_sid_to_context(sbsec->sid, &context, &len);
490 if (rc)
491 goto out_free;
e0007529
EP		 492 opts->mnt_opts[i] = context;
493 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 494 }
495 if (sbsec->flags & CONTEXT_MNT) {
496 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
497 if (rc)
498 goto out_free;
e0007529
EP		 499 opts->mnt_opts[i] = context;
500 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 501 }
502 if (sbsec->flags & DEFCONTEXT_MNT) {
503 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
504 if (rc)
505 goto out_free;
e0007529
EP		 506 opts->mnt_opts[i] = context;
507 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 508 }
509 if (sbsec->flags & ROOTCONTEXT_MNT) {
510 struct inode *root = sbsec->sb->s_root->d_inode;
511 struct inode_security_struct *isec = root->i_security;
0808925e 512
c9180a57
EP		 513 rc = security_sid_to_context(isec->sid, &context, &len);
514 if (rc)
515 goto out_free;
e0007529
EP		 516 opts->mnt_opts[i] = context;
517 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 518 }
1da177e4 519
e0007529 520 BUG_ON(i != opts->num_mnt_opts);
1da177e4 521
c9180a57
EP		 522 return 0;
523
524out_free:
e0007529 525 security_free_mnt_opts(opts);
c9180a57
EP		 526 return rc;
527}
1da177e4 528
c9180a57
EP		 529static int bad_option(struct superblock_security_struct *sbsec, char flag,
530 u32 old_sid, u32 new_sid)
531{
532 /* check if the old mount command had the same options */
533 if (sbsec->initialized)
534 if (!(sbsec->flags & flag) ||
535 (old_sid != new_sid))
536 return 1;
537
538 /* check if we were passed the same options twice,
539 * aka someone passed context=a,context=b
540 */
541 if (!sbsec->initialized)
542 if (sbsec->flags & flag)
543 return 1;
544 return 0;
545}
e0007529 546
c9180a57
EP		 547/*
548 * Allow filesystems with binary mount data to explicitly set mount point
549 * labeling information.
550 */
e0007529
EP		 551static int selinux_set_mnt_opts(struct super_block *sb,
552 struct security_mnt_opts *opts)
c9180a57
EP		 553{
554 int rc = 0, i;
555 struct task_security_struct *tsec = current->security;
556 struct superblock_security_struct *sbsec = sb->s_security;
557 const char *name = sb->s_type->name;
811f3799
EP		 558 struct dentry *root = sb->s_root;
559 struct inode *root_inode = root->d_inode;
560 struct inode_security_struct *root_isec = root_inode->i_security;
c9180a57
EP		 561 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
562 u32 defcontext_sid = 0;
e0007529
EP		 563 char **mount_options = opts->mnt_opts;
564 int *flags = opts->mnt_opts_flags;
565 int num_opts = opts->num_mnt_opts;
811f3799 566 bool can_xattr = false;
c9180a57
EP		 567
568 mutex_lock(&sbsec->lock);
569
570 if (!ss_initialized) {
571 if (!num_opts) {
572 /* Defer initialization until selinux_complete_init,
573 after the initial policy is loaded and the security
574 server is ready to handle calls. */
575 spin_lock(&sb_security_lock);
576 if (list_empty(&sbsec->list))
577 list_add(&sbsec->list, &superblock_security_head);
578 spin_unlock(&sb_security_lock);
579 goto out;
580 }
581 rc = -EINVAL;
744ba35e
EP		 582 printk(KERN_WARNING "SELinux: Unable to set superblock options "
583 "before the security server is initialized\n");
1da177e4 584 goto out;
c9180a57 585 }
1da177e4 586
e0007529
EP		 587 /*
588 * Binary mount data FS will come through this function twice. Once
589 * from an explicit call and once from the generic calls from the vfs.
590 * Since the generic VFS calls will not contain any security mount data
591 * we need to skip the double mount verification.
592 *
593 * This does open a hole in which we will not notice if the first
594 * mount using this sb set explict options and a second mount using
595 * this sb does not set any security options. (The first options
596 * will be used for both mounts)
597 */
598 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
599 && (num_opts == 0))
f5269710 600 goto out;
e0007529 601
c9180a57
EP		 602 /*
603 * parse the mount options, check if they are valid sids.
604 * also check if someone is trying to mount the same sb more
605 * than once with different security options.
606 */
607 for (i = 0; i < num_opts; i++) {
608 u32 sid;
609 rc = security_context_to_sid(mount_options[i],
610 strlen(mount_options[i]), &sid);
1da177e4
LT		 611 if (rc) {
612 printk(KERN_WARNING "SELinux: security_context_to_sid"
613 "(%s) failed for (dev %s, type %s) errno=%d\n",
c9180a57
EP		 614 mount_options[i], sb->s_id, name, rc);
615 goto out;
616 }
617 switch (flags[i]) {
618 case FSCONTEXT_MNT:
619 fscontext_sid = sid;
620
621 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
622 fscontext_sid))
623 goto out_double_mount;
624
625 sbsec->flags |= FSCONTEXT_MNT;
626 break;
627 case CONTEXT_MNT:
628 context_sid = sid;
629
630 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
631 context_sid))
632 goto out_double_mount;
633
634 sbsec->flags |= CONTEXT_MNT;
635 break;
636 case ROOTCONTEXT_MNT:
637 rootcontext_sid = sid;
638
639 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
640 rootcontext_sid))
641 goto out_double_mount;
642
643 sbsec->flags |= ROOTCONTEXT_MNT;
644
645 break;
646 case DEFCONTEXT_MNT:
647 defcontext_sid = sid;
648
649 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
650 defcontext_sid))
651 goto out_double_mount;
652
653 sbsec->flags |= DEFCONTEXT_MNT;
654
655 break;
656 default:
657 rc = -EINVAL;
658 goto out;
1da177e4 659 }
c9180a57
EP		 660 }
661
662 if (sbsec->initialized) {
663 /* previously mounted with options, but not on this attempt? */
664 if (sbsec->flags && !num_opts)
665 goto out_double_mount;
666 rc = 0;
667 goto out;
668 }
669
811f3799 670 if (strcmp(name, "proc") == 0)
c9180a57
EP		 671 sbsec->proc = 1;
672
811f3799
EP		 673 /*
674 * test if the fs supports xattrs, fs_use might make use of this if the
675 * fs has no definition in policy.
676 */
677 if (root_inode->i_op->getxattr) {
678 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
679 if (rc >= 0 || rc == -ENODATA)
680 can_xattr = true;
681 }
682
c9180a57 683 /* Determine the labeling behavior to use for this filesystem type. */
811f3799 684 rc = security_fs_use(name, &sbsec->behavior, &sbsec->sid, can_xattr);
c9180a57
EP		 685 if (rc) {
686 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
811f3799 687 __func__, name, rc);
c9180a57
EP		 688 goto out;
689 }
1da177e4 690
c9180a57
EP		 691 /* sets the context of the superblock for the fs being mounted. */
692 if (fscontext_sid) {
693
694 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
1da177e4 695 if (rc)
c9180a57 696 goto out;
1da177e4 697
c9180a57 698 sbsec->sid = fscontext_sid;
c312feb2
EP		 699 }
700
701 /*
702 * Switch to using mount point labeling behavior.
703 * sets the label used on all file below the mountpoint, and will set
704 * the superblock context if not already set.
705 */
c9180a57
EP		 706 if (context_sid) {
707 if (!fscontext_sid) {
708 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
b04ea3ce 709 if (rc)
c9180a57
EP		 710 goto out;
711 sbsec->sid = context_sid;
b04ea3ce 712 } else {
c9180a57 713 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
b04ea3ce 714 if (rc)
c9180a57 715 goto out;
b04ea3ce 716 }
c9180a57
EP		 717 if (!rootcontext_sid)
718 rootcontext_sid = context_sid;
1da177e4 719
c9180a57 720 sbsec->mntpoint_sid = context_sid;
c312feb2 721 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 722 }
723
c9180a57
EP		 724 if (rootcontext_sid) {
725 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
0808925e 726 if (rc)
c9180a57 727 goto out;
0808925e 728
c9180a57
EP		 729 root_isec->sid = rootcontext_sid;
730 root_isec->initialized = 1;
0808925e
EP		 731 }
732
c9180a57
EP		 733 if (defcontext_sid) {
734 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
735 rc = -EINVAL;
736 printk(KERN_WARNING "SELinux: defcontext option is "
737 "invalid for this filesystem type\n");
738 goto out;
1da177e4
LT		 739 }
740
c9180a57
EP		 741 if (defcontext_sid != sbsec->def_sid) {
742 rc = may_context_mount_inode_relabel(defcontext_sid,
743 sbsec, tsec);
744 if (rc)
745 goto out;
746 }
1da177e4 747
c9180a57 748 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 749 }
750
c9180a57 751 rc = sb_finish_set_opts(sb);
1da177e4 752out:
c9180a57 753 mutex_unlock(&sbsec->lock);
1da177e4 754 return rc;
c9180a57
EP		 755out_double_mount:
756 rc = -EINVAL;
757 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
758 "security settings for (dev %s, type %s)\n", sb->s_id, name);
759 goto out;
1da177e4
LT		 760}
761
c9180a57
EP		 762static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
763 struct super_block *newsb)
1da177e4 764{
c9180a57
EP		 765 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
766 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 767
c9180a57
EP		 768 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
769 int set_context = (oldsbsec->flags & CONTEXT_MNT);
770 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 771
0f5e6420
EP		 772 /*
773 * if the parent was able to be mounted it clearly had no special lsm
774 * mount options. thus we can safely put this sb on the list and deal
775 * with it later
776 */
777 if (!ss_initialized) {
778 spin_lock(&sb_security_lock);
779 if (list_empty(&newsbsec->list))
780 list_add(&newsbsec->list, &superblock_security_head);
781 spin_unlock(&sb_security_lock);
782 return;
783 }
c9180a57 784
c9180a57
EP		 785 /* how can we clone if the old one wasn't set up?? */
786 BUG_ON(!oldsbsec->initialized);
787
5a552617
EP		 788 /* if fs is reusing a sb, just let its options stand... */
789 if (newsbsec->initialized)
790 return;
791
c9180a57
EP		 792 mutex_lock(&newsbsec->lock);
793
794 newsbsec->flags = oldsbsec->flags;
795
796 newsbsec->sid = oldsbsec->sid;
797 newsbsec->def_sid = oldsbsec->def_sid;
798 newsbsec->behavior = oldsbsec->behavior;
799
800 if (set_context) {
801 u32 sid = oldsbsec->mntpoint_sid;
802
803 if (!set_fscontext)
804 newsbsec->sid = sid;
805 if (!set_rootcontext) {
806 struct inode *newinode = newsb->s_root->d_inode;
807 struct inode_security_struct *newisec = newinode->i_security;
808 newisec->sid = sid;
809 }
810 newsbsec->mntpoint_sid = sid;
1da177e4 811 }
c9180a57
EP		 812 if (set_rootcontext) {
813 const struct inode *oldinode = oldsb->s_root->d_inode;
814 const struct inode_security_struct *oldisec = oldinode->i_security;
815 struct inode *newinode = newsb->s_root->d_inode;
816 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 817
c9180a57 818 newisec->sid = oldisec->sid;
1da177e4
LT		 819 }
820
c9180a57
EP		 821 sb_finish_set_opts(newsb);
822 mutex_unlock(&newsbsec->lock);
823}
824
2e1479d9
AB		 825static int selinux_parse_opts_str(char *options,
826 struct security_mnt_opts *opts)
c9180a57 827{
e0007529 828 char *p;
c9180a57
EP		 829 char *context = NULL, *defcontext = NULL;
830 char *fscontext = NULL, *rootcontext = NULL;
e0007529 831 int rc, num_mnt_opts = 0;
1da177e4 832
e0007529 833 opts->num_mnt_opts = 0;
1da177e4 834
c9180a57
EP		 835 /* Standard string-based options. */
836 while ((p = strsep(&options, "|")) != NULL) {
837 int token;
838 substring_t args[MAX_OPT_ARGS];
1da177e4 839
c9180a57
EP		 840 if (!*p)
841 continue;
1da177e4 842
c9180a57 843 token = match_token(p, tokens, args);
1da177e4 844
c9180a57
EP		 845 switch (token) {
846 case Opt_context:
847 if (context || defcontext) {
848 rc = -EINVAL;
849 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
850 goto out_err;
851 }
852 context = match_strdup(&args[0]);
853 if (!context) {
854 rc = -ENOMEM;
855 goto out_err;
856 }
857 break;
858
859 case Opt_fscontext:
860 if (fscontext) {
861 rc = -EINVAL;
862 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
863 goto out_err;
864 }
865 fscontext = match_strdup(&args[0]);
866 if (!fscontext) {
867 rc = -ENOMEM;
868 goto out_err;
869 }
870 break;
871
872 case Opt_rootcontext:
873 if (rootcontext) {
874 rc = -EINVAL;
875 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
876 goto out_err;
877 }
878 rootcontext = match_strdup(&args[0]);
879 if (!rootcontext) {
880 rc = -ENOMEM;
881 goto out_err;
882 }
883 break;
884
885 case Opt_defcontext:
886 if (context || defcontext) {
887 rc = -EINVAL;
888 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
889 goto out_err;
890 }
891 defcontext = match_strdup(&args[0]);
892 if (!defcontext) {
893 rc = -ENOMEM;
894 goto out_err;
895 }
896 break;
897
898 default:
899 rc = -EINVAL;
900 printk(KERN_WARNING "SELinux: unknown mount option\n");
901 goto out_err;
1da177e4 902
1da177e4 903 }
1da177e4 904 }
c9180a57 905
e0007529
EP		 906 rc = -ENOMEM;
907 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
908 if (!opts->mnt_opts)
909 goto out_err;
910
911 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
912 if (!opts->mnt_opts_flags) {
913 kfree(opts->mnt_opts);
914 goto out_err;
915 }
916
c9180a57 917 if (fscontext) {
e0007529
EP		 918 opts->mnt_opts[num_mnt_opts] = fscontext;
919 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 920 }
921 if (context) {
e0007529
EP		 922 opts->mnt_opts[num_mnt_opts] = context;
923 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 924 }
925 if (rootcontext) {
e0007529
EP		 926 opts->mnt_opts[num_mnt_opts] = rootcontext;
927 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 928 }
929 if (defcontext) {
e0007529
EP		 930 opts->mnt_opts[num_mnt_opts] = defcontext;
931 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 932 }
933
e0007529
EP		 934 opts->num_mnt_opts = num_mnt_opts;
935 return 0;
936
c9180a57
EP		 937out_err:
938 kfree(context);
939 kfree(defcontext);
940 kfree(fscontext);
941 kfree(rootcontext);
1da177e4
LT		 942 return rc;
943}
e0007529
EP		 944/*
945 * string mount options parsing and call set the sbsec
946 */
947static int superblock_doinit(struct super_block *sb, void *data)
948{
949 int rc = 0;
950 char *options = data;
951 struct security_mnt_opts opts;
952
953 security_init_mnt_opts(&opts);
954
955 if (!data)
956 goto out;
957
958 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
959
960 rc = selinux_parse_opts_str(options, &opts);
961 if (rc)
962 goto out_err;
963
964out:
965 rc = selinux_set_mnt_opts(sb, &opts);
966
967out_err:
968 security_free_mnt_opts(&opts);
969 return rc;
970}
1da177e4 971
2069f457
EP		 972void selinux_write_opts(struct seq_file *m, struct security_mnt_opts *opts)
973{
974 int i;
975 char *prefix;
976
977 for (i = 0; i < opts->num_mnt_opts; i++) {
978 char *has_comma = strchr(opts->mnt_opts[i], ',');
979
980 switch (opts->mnt_opts_flags[i]) {
981 case CONTEXT_MNT:
982 prefix = CONTEXT_STR;
983 break;
984 case FSCONTEXT_MNT:
985 prefix = FSCONTEXT_STR;
986 break;
987 case ROOTCONTEXT_MNT:
988 prefix = ROOTCONTEXT_STR;
989 break;
990 case DEFCONTEXT_MNT:
991 prefix = DEFCONTEXT_STR;
992 break;
993 default:
994 BUG();
995 };
996 /* we need a comma before each option */
997 seq_putc(m, ',');
998 seq_puts(m, prefix);
999 if (has_comma)
1000 seq_putc(m, '\"');
1001 seq_puts(m, opts->mnt_opts[i]);
1002 if (has_comma)
1003 seq_putc(m, '\"');
1004 }
1005}
1006
1007static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1008{
1009 struct security_mnt_opts opts;
1010 int rc;
1011
1012 rc = selinux_get_mnt_opts(sb, &opts);
1013 if (rc)
1014 return rc;
1015
1016 selinux_write_opts(m, &opts);
1017
1018 security_free_mnt_opts(&opts);
1019
1020 return rc;
1021}
1022
1da177e4
LT		 1023static inline u16 inode_mode_to_security_class(umode_t mode)
1024{
1025 switch (mode & S_IFMT) {
1026 case S_IFSOCK:
1027 return SECCLASS_SOCK_FILE;
1028 case S_IFLNK:
1029 return SECCLASS_LNK_FILE;
1030 case S_IFREG:
1031 return SECCLASS_FILE;
1032 case S_IFBLK:
1033 return SECCLASS_BLK_FILE;
1034 case S_IFDIR:
1035 return SECCLASS_DIR;
1036 case S_IFCHR:
1037 return SECCLASS_CHR_FILE;
1038 case S_IFIFO:
1039 return SECCLASS_FIFO_FILE;
1040
1041 }
1042
1043 return SECCLASS_FILE;
1044}
1045
13402580
JM		 1046static inline int default_protocol_stream(int protocol)
1047{
1048 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1049}
1050
1051static inline int default_protocol_dgram(int protocol)
1052{
1053 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1054}
1055
1da177e4
LT		 1056static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1057{
1058 switch (family) {
1059 case PF_UNIX:
1060 switch (type) {
1061 case SOCK_STREAM:
1062 case SOCK_SEQPACKET:
1063 return SECCLASS_UNIX_STREAM_SOCKET;
1064 case SOCK_DGRAM:
1065 return SECCLASS_UNIX_DGRAM_SOCKET;
1066 }
1067 break;
1068 case PF_INET:
1069 case PF_INET6:
1070 switch (type) {
1071 case SOCK_STREAM:
13402580
JM		 1072 if (default_protocol_stream(protocol))
1073 return SECCLASS_TCP_SOCKET;
1074 else
1075 return SECCLASS_RAWIP_SOCKET;
1da177e4 1076 case SOCK_DGRAM:
13402580
JM		 1077 if (default_protocol_dgram(protocol))
1078 return SECCLASS_UDP_SOCKET;
1079 else
1080 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1081 case SOCK_DCCP:
1082 return SECCLASS_DCCP_SOCKET;
13402580 1083 default:
1da177e4
LT		 1084 return SECCLASS_RAWIP_SOCKET;
1085 }
1086 break;
1087 case PF_NETLINK:
1088 switch (protocol) {
1089 case NETLINK_ROUTE:
1090 return SECCLASS_NETLINK_ROUTE_SOCKET;
1091 case NETLINK_FIREWALL:
1092 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 1093 case NETLINK_INET_DIAG:
1da177e4
LT		 1094 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1095 case NETLINK_NFLOG:
1096 return SECCLASS_NETLINK_NFLOG_SOCKET;
1097 case NETLINK_XFRM:
1098 return SECCLASS_NETLINK_XFRM_SOCKET;
1099 case NETLINK_SELINUX:
1100 return SECCLASS_NETLINK_SELINUX_SOCKET;
1101 case NETLINK_AUDIT:
1102 return SECCLASS_NETLINK_AUDIT_SOCKET;
1103 case NETLINK_IP6_FW:
1104 return SECCLASS_NETLINK_IP6FW_SOCKET;
1105 case NETLINK_DNRTMSG:
1106 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1107 case NETLINK_KOBJECT_UEVENT:
1108 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1109 default:
1110 return SECCLASS_NETLINK_SOCKET;
1111 }
1112 case PF_PACKET:
1113 return SECCLASS_PACKET_SOCKET;
1114 case PF_KEY:
1115 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1116 case PF_APPLETALK:
1117 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1118 }
1119
1120 return SECCLASS_SOCKET;
1121}
1122
1123#ifdef CONFIG_PROC_FS
1124static int selinux_proc_get_sid(struct proc_dir_entry *de,
1125 u16 tclass,
1126 u32 *sid)
1127{
1128 int buflen, rc;
1129 char *buffer, *path, *end;
1130
828dfe1d 1131 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1132 if (!buffer)
1133 return -ENOMEM;
1134
1135 buflen = PAGE_SIZE;
1136 end = buffer+buflen;
1137 *--end = '\0';
1138 buflen--;
1139 path = end-1;
1140 *path = '/';
1141 while (de && de != de->parent) {
1142 buflen -= de->namelen + 1;
1143 if (buflen < 0)
1144 break;
1145 end -= de->namelen;
1146 memcpy(end, de->name, de->namelen);
1147 *--end = '/';
1148 path = end;
1149 de = de->parent;
1150 }
1151 rc = security_genfs_sid("proc", path, tclass, sid);
1152 free_page((unsigned long)buffer);
1153 return rc;
1154}
1155#else
1156static int selinux_proc_get_sid(struct proc_dir_entry *de,
1157 u16 tclass,
1158 u32 *sid)
1159{
1160 return -EINVAL;
1161}
1162#endif
1163
1164/* The inode's security attributes must be initialized before first use. */
1165static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1166{
1167 struct superblock_security_struct *sbsec = NULL;
1168 struct inode_security_struct *isec = inode->i_security;
1169 u32 sid;
1170 struct dentry *dentry;
1171#define INITCONTEXTLEN 255
1172 char *context = NULL;
1173 unsigned len = 0;
1174 int rc = 0;
1da177e4
LT		 1175
1176 if (isec->initialized)
1177 goto out;
1178
23970741 1179 mutex_lock(&isec->lock);
1da177e4 1180 if (isec->initialized)
23970741 1181 goto out_unlock;
1da177e4
LT		 1182
1183 sbsec = inode->i_sb->s_security;
1184 if (!sbsec->initialized) {
1185 /* Defer initialization until selinux_complete_init,
1186 after the initial policy is loaded and the security
1187 server is ready to handle calls. */
1188 spin_lock(&sbsec->isec_lock);
1189 if (list_empty(&isec->list))
1190 list_add(&isec->list, &sbsec->isec_head);
1191 spin_unlock(&sbsec->isec_lock);
23970741 1192 goto out_unlock;
1da177e4
LT		 1193 }
1194
1195 switch (sbsec->behavior) {
1196 case SECURITY_FS_USE_XATTR:
1197 if (!inode->i_op->getxattr) {
1198 isec->sid = sbsec->def_sid;
1199 break;
1200 }
1201
1202 /* Need a dentry, since the xattr API requires one.
1203 Life would be simpler if we could just pass the inode. */
1204 if (opt_dentry) {
1205 /* Called from d_instantiate or d_splice_alias. */
1206 dentry = dget(opt_dentry);
1207 } else {
1208 /* Called from selinux_complete_init, try to find a dentry. */
1209 dentry = d_find_alias(inode);
1210 }
1211 if (!dentry) {
744ba35e 1212 printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s "
dd6f953a 1213 "ino=%ld\n", __func__, inode->i_sb->s_id,
1da177e4 1214 inode->i_ino);
23970741 1215 goto out_unlock;
1da177e4
LT		 1216 }
1217
1218 len = INITCONTEXTLEN;
869ab514 1219 context = kmalloc(len, GFP_NOFS);
1da177e4
LT		 1220 if (!context) {
1221 rc = -ENOMEM;
1222 dput(dentry);
23970741 1223 goto out_unlock;
1da177e4
LT		 1224 }
1225 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1226 context, len);
1227 if (rc == -ERANGE) {
1228 /* Need a larger buffer. Query for the right size. */
1229 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1230 NULL, 0);
1231 if (rc < 0) {
1232 dput(dentry);
23970741 1233 goto out_unlock;
1da177e4
LT		 1234 }
1235 kfree(context);
1236 len = rc;
869ab514 1237 context = kmalloc(len, GFP_NOFS);
1da177e4
LT		 1238 if (!context) {
1239 rc = -ENOMEM;
1240 dput(dentry);
23970741 1241 goto out_unlock;
1da177e4
LT		 1242 }
1243 rc = inode->i_op->getxattr(dentry,
1244 XATTR_NAME_SELINUX,
1245 context, len);
1246 }
1247 dput(dentry);
1248 if (rc < 0) {
1249 if (rc != -ENODATA) {
744ba35e 1250 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1251 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1252 -rc, inode->i_sb->s_id, inode->i_ino);
1253 kfree(context);
23970741 1254 goto out_unlock;
1da177e4
LT		 1255 }
1256 /* Map ENODATA to the default file SID */
1257 sid = sbsec->def_sid;
1258 rc = 0;
1259 } else {
f5c1d5b2 1260 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1261 sbsec->def_sid,
1262 GFP_NOFS);
1da177e4 1263 if (rc) {
744ba35e 1264 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1da177e4 1265 "returned %d for dev=%s ino=%ld\n",
dd6f953a 1266 __func__, context, -rc,
1da177e4
LT		 1267 inode->i_sb->s_id, inode->i_ino);
1268 kfree(context);
1269 /* Leave with the unlabeled SID */
1270 rc = 0;
1271 break;
1272 }
1273 }
1274 kfree(context);
1275 isec->sid = sid;
1276 break;
1277 case SECURITY_FS_USE_TASK:
1278 isec->sid = isec->task_sid;
1279 break;
1280 case SECURITY_FS_USE_TRANS:
1281 /* Default to the fs SID. */
1282 isec->sid = sbsec->sid;
1283
1284 /* Try to obtain a transition SID. */
1285 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1286 rc = security_transition_sid(isec->task_sid,
1287 sbsec->sid,
1288 isec->sclass,
1289 &sid);
1290 if (rc)
23970741 1291 goto out_unlock;
1da177e4
LT		 1292 isec->sid = sid;
1293 break;
c312feb2
EP		 1294 case SECURITY_FS_USE_MNTPOINT:
1295 isec->sid = sbsec->mntpoint_sid;
1296 break;
1da177e4 1297 default:
c312feb2 1298 /* Default to the fs superblock SID. */
1da177e4
LT		 1299 isec->sid = sbsec->sid;
1300
1301 if (sbsec->proc) {
1302 struct proc_inode *proci = PROC_I(inode);
1303 if (proci->pde) {
1304 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1305 rc = selinux_proc_get_sid(proci->pde,
1306 isec->sclass,
1307 &sid);
1308 if (rc)
23970741 1309 goto out_unlock;
1da177e4
LT		 1310 isec->sid = sid;
1311 }
1312 }
1313 break;
1314 }
1315
1316 isec->initialized = 1;
1317
23970741
EP		 1318out_unlock:
1319 mutex_unlock(&isec->lock);
1da177e4
LT		 1320out:
1321 if (isec->sclass == SECCLASS_FILE)
1322 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1323 return rc;
1324}
1325
1326/* Convert a Linux signal to an access vector. */
1327static inline u32 signal_to_av(int sig)
1328{
1329 u32 perm = 0;
1330
1331 switch (sig) {
1332 case SIGCHLD:
1333 /* Commonly granted from child to parent. */
1334 perm = PROCESS__SIGCHLD;
1335 break;
1336 case SIGKILL:
1337 /* Cannot be caught or ignored */
1338 perm = PROCESS__SIGKILL;
1339 break;
1340 case SIGSTOP:
1341 /* Cannot be caught or ignored */
1342 perm = PROCESS__SIGSTOP;
1343 break;
1344 default:
1345 /* All other signals. */
1346 perm = PROCESS__SIGNAL;
1347 break;
1348 }
1349
1350 return perm;
1351}
1352
1353/* Check permission betweeen a pair of tasks, e.g. signal checks,
1354 fork check, ptrace check, etc. */
1355static int task_has_perm(struct task_struct *tsk1,
1356 struct task_struct *tsk2,
1357 u32 perms)
1358{
1359 struct task_security_struct *tsec1, *tsec2;
1360
1361 tsec1 = tsk1->security;
1362 tsec2 = tsk2->security;
1363 return avc_has_perm(tsec1->sid, tsec2->sid,
1364 SECCLASS_PROCESS, perms, NULL);
1365}
1366
b68e418c
SS		 1367#if CAP_LAST_CAP > 63
1368#error Fix SELinux to handle capabilities > 63.
1369#endif
1370
1da177e4
LT		 1371/* Check whether a task is allowed to use a capability. */
1372static int task_has_capability(struct task_struct *tsk,
1373 int cap)
1374{
1375 struct task_security_struct *tsec;
1376 struct avc_audit_data ad;
b68e418c
SS		 1377 u16 sclass;
1378 u32 av = CAP_TO_MASK(cap);
1da177e4
LT		 1379
1380 tsec = tsk->security;
1381
828dfe1d 1382 AVC_AUDIT_DATA_INIT(&ad, CAP);
1da177e4
LT		 1383 ad.tsk = tsk;
1384 ad.u.cap = cap;
1385
b68e418c
SS		 1386 switch (CAP_TO_INDEX(cap)) {
1387 case 0:
1388 sclass = SECCLASS_CAPABILITY;
1389 break;
1390 case 1:
1391 sclass = SECCLASS_CAPABILITY2;
1392 break;
1393 default:
1394 printk(KERN_ERR
1395 "SELinux: out of range capability %d\n", cap);
1396 BUG();
1397 }
1398 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1da177e4
LT		 1399}
1400
1401/* Check whether a task is allowed to use a system operation. */
1402static int task_has_system(struct task_struct *tsk,
1403 u32 perms)
1404{
1405 struct task_security_struct *tsec;
1406
1407 tsec = tsk->security;
1408
1409 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1410 SECCLASS_SYSTEM, perms, NULL);
1411}
1412
1413/* Check whether a task has a particular permission to an inode.
1414 The 'adp' parameter is optional and allows other audit
1415 data to be passed (e.g. the dentry). */
1416static int inode_has_perm(struct task_struct *tsk,
1417 struct inode *inode,
1418 u32 perms,
1419 struct avc_audit_data *adp)
1420{
1421 struct task_security_struct *tsec;
1422 struct inode_security_struct *isec;
1423 struct avc_audit_data ad;
1424
828dfe1d 1425 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1426 return 0;
1427
1da177e4
LT		 1428 tsec = tsk->security;
1429 isec = inode->i_security;
1430
1431 if (!adp) {
1432 adp = &ad;
1433 AVC_AUDIT_DATA_INIT(&ad, FS);
1434 ad.u.fs.inode = inode;
1435 }
1436
1437 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1438}
1439
1440/* Same as inode_has_perm, but pass explicit audit data containing
1441 the dentry to help the auditing code to more easily generate the
1442 pathname if needed. */
1443static inline int dentry_has_perm(struct task_struct *tsk,
1444 struct vfsmount *mnt,
1445 struct dentry *dentry,
1446 u32 av)
1447{
1448 struct inode *inode = dentry->d_inode;
1449 struct avc_audit_data ad;
828dfe1d 1450 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf
JB		 1451 ad.u.fs.path.mnt = mnt;
1452 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1453 return inode_has_perm(tsk, inode, av, &ad);
1454}
1455
1456/* Check whether a task can use an open file descriptor to
1457 access an inode in a given way. Check access to the
1458 descriptor itself, and then use dentry_has_perm to
1459 check a particular permission to the file.
1460 Access to the descriptor is implicitly granted if it
1461 has the same SID as the process. If av is zero, then
1462 access to the file is not checked, e.g. for cases
1463 where only the descriptor is affected like seek. */
858119e1 1464static int file_has_perm(struct task_struct *tsk,
1da177e4
LT		 1465 struct file *file,
1466 u32 av)
1467{
1468 struct task_security_struct *tsec = tsk->security;
1469 struct file_security_struct *fsec = file->f_security;
44707fdf 1470 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 1471 struct avc_audit_data ad;
1472 int rc;
1473
1474 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1475 ad.u.fs.path = file->f_path;
1da177e4
LT		 1476
1477 if (tsec->sid != fsec->sid) {
1478 rc = avc_has_perm(tsec->sid, fsec->sid,
1479 SECCLASS_FD,
1480 FD__USE,
1481 &ad);
1482 if (rc)
1483 return rc;
1484 }
1485
1486 /* av is zero if only checking access to the descriptor. */
1487 if (av)
1488 return inode_has_perm(tsk, inode, av, &ad);
1489
1490 return 0;
1491}
1492
1493/* Check whether a task can create a file. */
1494static int may_create(struct inode *dir,
1495 struct dentry *dentry,
1496 u16 tclass)
1497{
1498 struct task_security_struct *tsec;
1499 struct inode_security_struct *dsec;
1500 struct superblock_security_struct *sbsec;
1501 u32 newsid;
1502 struct avc_audit_data ad;
1503 int rc;
1504
1505 tsec = current->security;
1506 dsec = dir->i_security;
1507 sbsec = dir->i_sb->s_security;
1508
1509 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1510 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1511
1512 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1513 DIR__ADD_NAME | DIR__SEARCH,
1514 &ad);
1515 if (rc)
1516 return rc;
1517
1518 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1519 newsid = tsec->create_sid;
1520 } else {
1521 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1522 &newsid);
1523 if (rc)
1524 return rc;
1525 }
1526
1527 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1528 if (rc)
1529 return rc;
1530
1531 return avc_has_perm(newsid, sbsec->sid,
1532 SECCLASS_FILESYSTEM,
1533 FILESYSTEM__ASSOCIATE, &ad);
1534}
1535
4eb582cf
ML		 1536/* Check whether a task can create a key. */
1537static int may_create_key(u32 ksid,
1538 struct task_struct *ctx)
1539{
1540 struct task_security_struct *tsec;
1541
1542 tsec = ctx->security;
1543
1544 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1545}
1546
828dfe1d
EP		 1547#define MAY_LINK 0
1548#define MAY_UNLINK 1
1549#define MAY_RMDIR 2
1da177e4
LT		 1550
1551/* Check whether a task can link, unlink, or rmdir a file/directory. */
1552static int may_link(struct inode *dir,
1553 struct dentry *dentry,
1554 int kind)
1555
1556{
1557 struct task_security_struct *tsec;
1558 struct inode_security_struct *dsec, *isec;
1559 struct avc_audit_data ad;
1560 u32 av;
1561 int rc;
1562
1563 tsec = current->security;
1564 dsec = dir->i_security;
1565 isec = dentry->d_inode->i_security;
1566
1567 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1568 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1569
1570 av = DIR__SEARCH;
1571 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1572 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1573 if (rc)
1574 return rc;
1575
1576 switch (kind) {
1577 case MAY_LINK:
1578 av = FILE__LINK;
1579 break;
1580 case MAY_UNLINK:
1581 av = FILE__UNLINK;
1582 break;
1583 case MAY_RMDIR:
1584 av = DIR__RMDIR;
1585 break;
1586 default:
744ba35e
EP		 1587 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1588 __func__, kind);
1da177e4
LT		 1589 return 0;
1590 }
1591
1592 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1593 return rc;
1594}
1595
1596static inline int may_rename(struct inode *old_dir,
1597 struct dentry *old_dentry,
1598 struct inode *new_dir,
1599 struct dentry *new_dentry)
1600{
1601 struct task_security_struct *tsec;
1602 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1603 struct avc_audit_data ad;
1604 u32 av;
1605 int old_is_dir, new_is_dir;
1606 int rc;
1607
1608 tsec = current->security;
1609 old_dsec = old_dir->i_security;
1610 old_isec = old_dentry->d_inode->i_security;
1611 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1612 new_dsec = new_dir->i_security;
1613
1614 AVC_AUDIT_DATA_INIT(&ad, FS);
1615
44707fdf 1616 ad.u.fs.path.dentry = old_dentry;
1da177e4
LT		 1617 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1618 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1619 if (rc)
1620 return rc;
1621 rc = avc_has_perm(tsec->sid, old_isec->sid,
1622 old_isec->sclass, FILE__RENAME, &ad);
1623 if (rc)
1624 return rc;
1625 if (old_is_dir && new_dir != old_dir) {
1626 rc = avc_has_perm(tsec->sid, old_isec->sid,
1627 old_isec->sclass, DIR__REPARENT, &ad);
1628 if (rc)
1629 return rc;
1630 }
1631
44707fdf 1632 ad.u.fs.path.dentry = new_dentry;
1da177e4
LT		 1633 av = DIR__ADD_NAME | DIR__SEARCH;
1634 if (new_dentry->d_inode)
1635 av |= DIR__REMOVE_NAME;
1636 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1637 if (rc)
1638 return rc;
1639 if (new_dentry->d_inode) {
1640 new_isec = new_dentry->d_inode->i_security;
1641 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1642 rc = avc_has_perm(tsec->sid, new_isec->sid,
1643 new_isec->sclass,
1644 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1645 if (rc)
1646 return rc;
1647 }
1648
1649 return 0;
1650}
1651
1652/* Check whether a task can perform a filesystem operation. */
1653static int superblock_has_perm(struct task_struct *tsk,
1654 struct super_block *sb,
1655 u32 perms,
1656 struct avc_audit_data *ad)
1657{
1658 struct task_security_struct *tsec;
1659 struct superblock_security_struct *sbsec;
1660
1661 tsec = tsk->security;
1662 sbsec = sb->s_security;
1663 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1664 perms, ad);
1665}
1666
1667/* Convert a Linux mode and permission mask to an access vector. */
1668static inline u32 file_mask_to_av(int mode, int mask)
1669{
1670 u32 av = 0;
1671
1672 if ((mode & S_IFMT) != S_IFDIR) {
1673 if (mask & MAY_EXEC)
1674 av |= FILE__EXECUTE;
1675 if (mask & MAY_READ)
1676 av |= FILE__READ;
1677
1678 if (mask & MAY_APPEND)
1679 av |= FILE__APPEND;
1680 else if (mask & MAY_WRITE)
1681 av |= FILE__WRITE;
1682
1683 } else {
1684 if (mask & MAY_EXEC)
1685 av |= DIR__SEARCH;
1686 if (mask & MAY_WRITE)
1687 av |= DIR__WRITE;
1688 if (mask & MAY_READ)
1689 av |= DIR__READ;
1690 }
1691
1692 return av;
1693}
1694
b0c636b9
EP		 1695/*
1696 * Convert a file mask to an access vector and include the correct open
1697 * open permission.
1698 */
1699static inline u32 open_file_mask_to_av(int mode, int mask)
1700{
1701 u32 av = file_mask_to_av(mode, mask);
1702
1703 if (selinux_policycap_openperm) {
1704 /*
1705 * lnk files and socks do not really have an 'open'
1706 */
1707 if (S_ISREG(mode))
1708 av |= FILE__OPEN;
1709 else if (S_ISCHR(mode))
1710 av |= CHR_FILE__OPEN;
1711 else if (S_ISBLK(mode))
1712 av |= BLK_FILE__OPEN;
1713 else if (S_ISFIFO(mode))
1714 av |= FIFO_FILE__OPEN;
1715 else if (S_ISDIR(mode))
1716 av |= DIR__OPEN;
1717 else
744ba35e
EP		 1718 printk(KERN_ERR "SELinux: WARNING: inside %s with "
1719 "unknown mode:%x\n", __func__, mode);
b0c636b9
EP		 1720 }
1721 return av;
1722}
1723
1da177e4
LT		 1724/* Convert a Linux file to an access vector. */
1725static inline u32 file_to_av(struct file *file)
1726{
1727 u32 av = 0;
1728
1729 if (file->f_mode & FMODE_READ)
1730 av |= FILE__READ;
1731 if (file->f_mode & FMODE_WRITE) {
1732 if (file->f_flags & O_APPEND)
1733 av |= FILE__APPEND;
1734 else
1735 av |= FILE__WRITE;
1736 }
0794c66d
SS		 1737 if (!av) {
1738 /*
1739 * Special file opened with flags 3 for ioctl-only use.
1740 */
1741 av = FILE__IOCTL;
1742 }
1da177e4
LT		 1743
1744 return av;
1745}
1746
1da177e4
LT		 1747/* Hook functions begin here. */
1748
006ebb40
SS		 1749static int selinux_ptrace(struct task_struct *parent,
1750 struct task_struct *child,
1751 unsigned int mode)
1da177e4 1752{
1da177e4
LT		 1753 int rc;
1754
006ebb40 1755 rc = secondary_ops->ptrace(parent, child, mode);
1da177e4
LT		 1756 if (rc)
1757 return rc;
1758
006ebb40
SS		 1759 if (mode == PTRACE_MODE_READ) {
1760 struct task_security_struct *tsec = parent->security;
1761 struct task_security_struct *csec = child->security;
1762 return avc_has_perm(tsec->sid, csec->sid,
1763 SECCLASS_FILE, FILE__READ, NULL);
1764 }
1765
0356357c 1766 return task_has_perm(parent, child, PROCESS__PTRACE);
1da177e4
LT		 1767}
1768
1769static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 1770 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4
LT		 1771{
1772 int error;
1773
1774 error = task_has_perm(current, target, PROCESS__GETCAP);
1775 if (error)
1776 return error;
1777
1778 return secondary_ops->capget(target, effective, inheritable, permitted);
1779}
1780
1781static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 1782 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4
LT		 1783{
1784 int error;
1785
1786 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1787 if (error)
1788 return error;
1789
1790 return task_has_perm(current, target, PROCESS__SETCAP);
1791}
1792
1793static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 1794 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4
LT		 1795{
1796 secondary_ops->capset_set(target, effective, inheritable, permitted);
1797}
1798
1799static int selinux_capable(struct task_struct *tsk, int cap)
1800{
1801 int rc;
1802
1803 rc = secondary_ops->capable(tsk, cap);
1804 if (rc)
1805 return rc;
1806
828dfe1d 1807 return task_has_capability(tsk, cap);
1da177e4
LT		 1808}
1809
3fbfa981
EB		 1810static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1811{
1812 int buflen, rc;
1813 char *buffer, *path, *end;
1814
1815 rc = -ENOMEM;
828dfe1d 1816 buffer = (char *)__get_free_page(GFP_KERNEL);
3fbfa981
EB		 1817 if (!buffer)
1818 goto out;
1819
1820 buflen = PAGE_SIZE;
1821 end = buffer+buflen;
1822 *--end = '\0';
1823 buflen--;
1824 path = end-1;
1825 *path = '/';
1826 while (table) {
1827 const char *name = table->procname;
1828 size_t namelen = strlen(name);
1829 buflen -= namelen + 1;
1830 if (buflen < 0)
1831 goto out_free;
1832 end -= namelen;
1833 memcpy(end, name, namelen);
1834 *--end = '/';
1835 path = end;
1836 table = table->parent;
1837 }
b599fdfd
EB		 1838 buflen -= 4;
1839 if (buflen < 0)
1840 goto out_free;
1841 end -= 4;
1842 memcpy(end, "/sys", 4);
1843 path = end;
3fbfa981
EB		 1844 rc = security_genfs_sid("proc", path, tclass, sid);
1845out_free:
1846 free_page((unsigned long)buffer);
1847out:
1848 return rc;
1849}
1850
1da177e4
LT		 1851static int selinux_sysctl(ctl_table *table, int op)
1852{
1853 int error = 0;
1854 u32 av;
1855 struct task_security_struct *tsec;
1856 u32 tsid;
1857 int rc;
1858
1859 rc = secondary_ops->sysctl(table, op);
1860 if (rc)
1861 return rc;
1862
1863 tsec = current->security;
1864
3fbfa981
EB		 1865 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1866 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1da177e4
LT		 1867 if (rc) {
1868 /* Default to the well-defined sysctl SID. */
1869 tsid = SECINITSID_SYSCTL;
1870 }
1871
1872 /* The op values are "defined" in sysctl.c, thereby creating
1873 * a bad coupling between this module and sysctl.c */
828dfe1d 1874 if (op == 001) {
1da177e4
LT		 1875 error = avc_has_perm(tsec->sid, tsid,
1876 SECCLASS_DIR, DIR__SEARCH, NULL);
1877 } else {
1878 av = 0;
1879 if (op & 004)
1880 av |= FILE__READ;
1881 if (op & 002)
1882 av |= FILE__WRITE;
1883 if (av)
1884 error = avc_has_perm(tsec->sid, tsid,
1885 SECCLASS_FILE, av, NULL);
828dfe1d 1886 }
1da177e4
LT		 1887
1888 return error;
1889}
1890
1891static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1892{
1893 int rc = 0;
1894
1895 if (!sb)
1896 return 0;
1897
1898 switch (cmds) {
828dfe1d
EP		 1899 case Q_SYNC:
1900 case Q_QUOTAON:
1901 case Q_QUOTAOFF:
1902 case Q_SETINFO:
1903 case Q_SETQUOTA:
1904 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
1905 NULL);
1906 break;
1907 case Q_GETFMT:
1908 case Q_GETINFO:
1909 case Q_GETQUOTA:
1910 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
1911 NULL);
1912 break;
1913 default:
1914 rc = 0; /* let the kernel handle invalid cmds */
1915 break;
1da177e4
LT		 1916 }
1917 return rc;
1918}
1919
1920static int selinux_quota_on(struct dentry *dentry)
1921{
1922 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1923}
1924
1925static int selinux_syslog(int type)
1926{
1927 int rc;
1928
1929 rc = secondary_ops->syslog(type);
1930 if (rc)
1931 return rc;
1932
1933 switch (type) {
828dfe1d
EP		 1934 case 3: /* Read last kernel messages */
1935 case 10: /* Return size of the log buffer */
1936 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1937 break;
1938 case 6: /* Disable logging to console */
1939 case 7: /* Enable logging to console */
1940 case 8: /* Set level of messages printed to console */
1941 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1942 break;
1943 case 0: /* Close log */
1944 case 1: /* Open log */
1945 case 2: /* Read from log */
1946 case 4: /* Read/clear last kernel messages */
1947 case 5: /* Clear ring buffer */
1948 default:
1949 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1950 break;
1da177e4
LT		 1951 }
1952 return rc;
1953}
1954
1955/*
1956 * Check that a process has enough memory to allocate a new virtual
1957 * mapping. 0 means there is enough memory for the allocation to
1958 * succeed and -ENOMEM implies there is not.
1959 *
1960 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1961 * if the capability is granted, but __vm_enough_memory requires 1 if
1962 * the capability is granted.
1963 *
1964 * Do not audit the selinux permission check, as this is applied to all
1965 * processes that allocate mappings.
1966 */
34b4e4aa 1967static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 1968{
1969 int rc, cap_sys_admin = 0;
1970 struct task_security_struct *tsec = current->security;
1971
1972 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1973 if (rc == 0)
1974 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2c3c05db
SS		 1975 SECCLASS_CAPABILITY,
1976 CAP_TO_MASK(CAP_SYS_ADMIN),
1977 0,
1978 NULL);
1da177e4
LT		 1979
1980 if (rc == 0)
1981 cap_sys_admin = 1;
1982
34b4e4aa 1983 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 1984}
1985
0356357c
RM		 1986/**
1987 * task_tracer_task - return the task that is tracing the given task
1988 * @task: task to consider
1989 *
1990 * Returns NULL if noone is tracing @task, or the &struct task_struct
1991 * pointer to its tracer.
1992 *
1993 * Must be called under rcu_read_lock().
1994 */
1995static struct task_struct *task_tracer_task(struct task_struct *task)
1996{
1997 if (task->ptrace & PT_PTRACED)
1998 return rcu_dereference(task->parent);
1999 return NULL;
2000}
2001
1da177e4
LT		 2002/* binprm security operations */
2003
2004static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
2005{
2006 struct bprm_security_struct *bsec;
2007
89d155ef 2008 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1da177e4
LT		 2009 if (!bsec)
2010 return -ENOMEM;
2011
1da177e4
LT		 2012 bsec->sid = SECINITSID_UNLABELED;
2013 bsec->set = 0;
2014
2015 bprm->security = bsec;
2016 return 0;
2017}
2018
2019static int selinux_bprm_set_security(struct linux_binprm *bprm)
2020{
2021 struct task_security_struct *tsec;
3d5ff529 2022 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1da177e4
LT		 2023 struct inode_security_struct *isec;
2024 struct bprm_security_struct *bsec;
2025 u32 newsid;
2026 struct avc_audit_data ad;
2027 int rc;
2028
2029 rc = secondary_ops->bprm_set_security(bprm);
2030 if (rc)
2031 return rc;
2032
2033 bsec = bprm->security;
2034
2035 if (bsec->set)
2036 return 0;
2037
2038 tsec = current->security;
2039 isec = inode->i_security;
2040
2041 /* Default to the current task SID. */
2042 bsec->sid = tsec->sid;
2043
28eba5bf 2044 /* Reset fs, key, and sock SIDs on execve. */
1da177e4 2045 tsec->create_sid = 0;
28eba5bf 2046 tsec->keycreate_sid = 0;
42c3e03e 2047 tsec->sockcreate_sid = 0;
1da177e4
LT		 2048
2049 if (tsec->exec_sid) {
2050 newsid = tsec->exec_sid;
2051 /* Reset exec SID on execve. */
2052 tsec->exec_sid = 0;
2053 } else {
2054 /* Check for a default transition on this program. */
2055 rc = security_transition_sid(tsec->sid, isec->sid,
828dfe1d 2056 SECCLASS_PROCESS, &newsid);
1da177e4
LT		 2057 if (rc)
2058 return rc;
2059 }
2060
2061 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2062 ad.u.fs.path = bprm->file->f_path;
1da177e4 2063
3d5ff529 2064 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1da177e4
LT		 2065 newsid = tsec->sid;
2066
828dfe1d 2067 if (tsec->sid == newsid) {
1da177e4
LT		 2068 rc = avc_has_perm(tsec->sid, isec->sid,
2069 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2070 if (rc)
2071 return rc;
2072 } else {
2073 /* Check permissions for the transition. */
2074 rc = avc_has_perm(tsec->sid, newsid,
2075 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2076 if (rc)
2077 return rc;
2078
2079 rc = avc_has_perm(newsid, isec->sid,
2080 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2081 if (rc)
2082 return rc;
2083
2084 /* Clear any possibly unsafe personality bits on exec: */
2085 current->personality &= ~PER_CLEAR_ON_SETID;
2086
2087 /* Set the security field to the new SID. */
2088 bsec->sid = newsid;
2089 }
2090
2091 bsec->set = 1;
2092 return 0;
2093}
2094
828dfe1d 2095static int selinux_bprm_check_security(struct linux_binprm *bprm)
1da177e4
LT		 2096{
2097 return secondary_ops->bprm_check_security(bprm);
2098}
2099
2100
828dfe1d 2101static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4
LT		 2102{
2103 struct task_security_struct *tsec = current->security;
2104 int atsecure = 0;
2105
2106 if (tsec->osid != tsec->sid) {
2107 /* Enable secure mode for SIDs transitions unless
2108 the noatsecure permission is granted between
2109 the two SIDs, i.e. ahp returns 0. */
2110 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2111 SECCLASS_PROCESS,
2112 PROCESS__NOATSECURE, NULL);
2113 }
2114
2115 return (atsecure || secondary_ops->bprm_secureexec(bprm));
2116}
2117
2118static void selinux_bprm_free_security(struct linux_binprm *bprm)
2119{
9a5f04bf 2120 kfree(bprm->security);
1da177e4 2121 bprm->security = NULL;
1da177e4
LT		 2122}
2123
2124extern struct vfsmount *selinuxfs_mount;
2125extern struct dentry *selinux_null;
2126
2127/* Derived from fs/exec.c:flush_old_files. */
828dfe1d 2128static inline void flush_unauthorized_files(struct files_struct *files)
1da177e4
LT		 2129{
2130 struct avc_audit_data ad;
2131 struct file *file, *devnull = NULL;
b20c8122 2132 struct tty_struct *tty;
badf1662 2133 struct fdtable *fdt;
1da177e4 2134 long j = -1;
24ec839c 2135 int drop_tty = 0;
1da177e4 2136
b20c8122 2137 mutex_lock(&tty_mutex);
24ec839c 2138 tty = get_current_tty();
1da177e4
LT		 2139 if (tty) {
2140 file_list_lock();
2f512016 2141 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1da177e4
LT		 2142 if (file) {
2143 /* Revalidate access to controlling tty.
2144 Use inode_has_perm on the tty inode directly rather
2145 than using file_has_perm, as this particular open
2146 file may belong to another process and we are only
2147 interested in the inode-based check here. */
3d5ff529 2148 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2149 if (inode_has_perm(current, inode,
2150 FILE__READ | FILE__WRITE, NULL)) {
24ec839c 2151 drop_tty = 1;
1da177e4
LT		 2152 }
2153 }
2154 file_list_unlock();
2155 }
b20c8122 2156 mutex_unlock(&tty_mutex);
98a27ba4
EB		 2157 /* Reset controlling tty. */
2158 if (drop_tty)
2159 no_tty();
1da177e4
LT		 2160
2161 /* Revalidate access to inherited open files. */
2162
828dfe1d 2163 AVC_AUDIT_DATA_INIT(&ad, FS);
1da177e4
LT		 2164
2165 spin_lock(&files->file_lock);
2166 for (;;) {
2167 unsigned long set, i;
2168 int fd;
2169
2170 j++;
2171 i = j * __NFDBITS;
badf1662 2172 fdt = files_fdtable(files);
bbea9f69 2173 if (i >= fdt->max_fds)
1da177e4 2174 break;
badf1662 2175 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 2176 if (!set)
2177 continue;
2178 spin_unlock(&files->file_lock);
828dfe1d 2179 for ( ; set ; i++, set >>= 1) {
1da177e4
LT		 2180 if (set & 1) {
2181 file = fget(i);
2182 if (!file)
2183 continue;
2184 if (file_has_perm(current,
2185 file,
2186 file_to_av(file))) {
2187 sys_close(i);
2188 fd = get_unused_fd();
2189 if (fd != i) {
2190 if (fd >= 0)
2191 put_unused_fd(fd);
2192 fput(file);
2193 continue;
2194 }
2195 if (devnull) {
095975da 2196 get_file(devnull);
1da177e4
LT		 2197 } else {
2198 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
fc5d81e6
AM		 2199 if (IS_ERR(devnull)) {
2200 devnull = NULL;
1da177e4
LT		 2201 put_unused_fd(fd);
2202 fput(file);
2203 continue;
2204 }
2205 }
2206 fd_install(fd, devnull);
2207 }
2208 fput(file);
2209 }
2210 }
2211 spin_lock(&files->file_lock);
2212
2213 }
2214 spin_unlock(&files->file_lock);
2215}
2216
2217static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2218{
2219 struct task_security_struct *tsec;
2220 struct bprm_security_struct *bsec;
2221 u32 sid;
2222 int rc;
2223
2224 secondary_ops->bprm_apply_creds(bprm, unsafe);
2225
2226 tsec = current->security;
2227
2228 bsec = bprm->security;
2229 sid = bsec->sid;
2230
2231 tsec->osid = tsec->sid;
2232 bsec->unsafe = 0;
2233 if (tsec->sid != sid) {
2234 /* Check for shared state. If not ok, leave SID
2235 unchanged and kill. */
2236 if (unsafe & LSM_UNSAFE_SHARE) {
2237 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2238 PROCESS__SHARE, NULL);
2239 if (rc) {
2240 bsec->unsafe = 1;
2241 return;
2242 }
2243 }
2244
2245 /* Check for ptracing, and update the task SID if ok.
2246 Otherwise, leave SID unchanged and kill. */
2247 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
0356357c
RM		 2248 struct task_struct *tracer;
2249 struct task_security_struct *sec;
2250 u32 ptsid = 0;
2251
2252 rcu_read_lock();
2253 tracer = task_tracer_task(current);
2254 if (likely(tracer != NULL)) {
2255 sec = tracer->security;
2256 ptsid = sec->sid;
2257 }
2258 rcu_read_unlock();
2259
2260 if (ptsid != 0) {
2261 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2262 PROCESS__PTRACE, NULL);
2263 if (rc) {
2264 bsec->unsafe = 1;
2265 return;
2266 }
1da177e4
LT		 2267 }
2268 }
2269 tsec->sid = sid;
2270 }
2271}
2272
2273/*
2274 * called after apply_creds without the task lock held
2275 */
2276static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2277{
2278 struct task_security_struct *tsec;
2279 struct rlimit *rlim, *initrlim;
2280 struct itimerval itimer;
2281 struct bprm_security_struct *bsec;
2282 int rc, i;
2283
2284 tsec = current->security;
2285 bsec = bprm->security;
2286
2287 if (bsec->unsafe) {
2288 force_sig_specific(SIGKILL, current);
2289 return;
2290 }
2291 if (tsec->osid == tsec->sid)
2292 return;
2293
2294 /* Close files for which the new task SID is not authorized. */
2295 flush_unauthorized_files(current->files);
2296
2297 /* Check whether the new SID can inherit signal state
2298 from the old SID. If not, clear itimers to avoid
2299 subsequent signal generation and flush and unblock
2300 signals. This must occur _after_ the task SID has
2301 been updated so that any kill done after the flush
2302 will be checked against the new SID. */
2303 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2304 PROCESS__SIGINH, NULL);
2305 if (rc) {
2306 memset(&itimer, 0, sizeof itimer);
2307 for (i = 0; i < 3; i++)
2308 do_setitimer(i, &itimer, NULL);
2309 flush_signals(current);
2310 spin_lock_irq(&current->sighand->siglock);
2311 flush_signal_handlers(current, 1);
2312 sigemptyset(&current->blocked);
2313 recalc_sigpending();
2314 spin_unlock_irq(&current->sighand->siglock);
2315 }
2316
4ac212ad
SS		 2317 /* Always clear parent death signal on SID transitions. */
2318 current->pdeath_signal = 0;
2319
1da177e4
LT		 2320 /* Check whether the new SID can inherit resource limits
2321 from the old SID. If not, reset all soft limits to
2322 the lower of the current task's hard limit and the init
2323 task's soft limit. Note that the setting of hard limits
2324 (even to lower them) can be controlled by the setrlimit
2325 check. The inclusion of the init task's soft limit into
2326 the computation is to avoid resetting soft limits higher
2327 than the default soft limit for cases where the default
2328 is lower than the hard limit, e.g. RLIMIT_CORE or
2329 RLIMIT_STACK.*/
2330 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2331 PROCESS__RLIMITINH, NULL);
2332 if (rc) {
2333 for (i = 0; i < RLIM_NLIMITS; i++) {
2334 rlim = current->signal->rlim + i;
2335 initrlim = init_task.signal->rlim+i;
828dfe1d 2336 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4
LT		 2337 }
2338 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2339 /*
2340 * This will cause RLIMIT_CPU calculations
2341 * to be refigured.
2342 */
2343 current->it_prof_expires = jiffies_to_cputime(1);
2344 }
2345 }
2346
2347 /* Wake up the parent if it is waiting so that it can
2348 recheck wait permission to the new task SID. */
2349 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2350}
2351
2352/* superblock security operations */
2353
2354static int selinux_sb_alloc_security(struct super_block *sb)
2355{
2356 return superblock_alloc_security(sb);
2357}
2358
2359static void selinux_sb_free_security(struct super_block *sb)
2360{
2361 superblock_free_security(sb);
2362}
2363
2364static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2365{
2366 if (plen > olen)
2367 return 0;
2368
2369 return !memcmp(prefix, option, plen);
2370}
2371
2372static inline int selinux_option(char *option, int len)
2373{
832cbd9a
EP		 2374 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2375 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2376 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2377 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
1da177e4
LT		 2378}
2379
2380static inline void take_option(char **to, char *from, int *first, int len)
2381{
2382 if (!*first) {
2383 **to = ',';
2384 *to += 1;
3528a953 2385 } else
1da177e4
LT		 2386 *first = 0;
2387 memcpy(*to, from, len);
2388 *to += len;
2389}
2390
828dfe1d
EP		 2391static inline void take_selinux_option(char **to, char *from, int *first,
2392 int len)
3528a953
CO		 2393{
2394 int current_size = 0;
2395
2396 if (!*first) {
2397 **to = '|';
2398 *to += 1;
828dfe1d 2399 } else
3528a953
CO		 2400 *first = 0;
2401
2402 while (current_size < len) {
2403 if (*from != '"') {
2404 **to = *from;
2405 *to += 1;
2406 }
2407 from += 1;
2408 current_size += 1;
2409 }
2410}
2411
e0007529 2412static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2413{
2414 int fnosec, fsec, rc = 0;
2415 char *in_save, *in_curr, *in_end;
2416 char *sec_curr, *nosec_save, *nosec;
3528a953 2417 int open_quote = 0;
1da177e4
LT		 2418
2419 in_curr = orig;
2420 sec_curr = copy;
2421
1da177e4
LT		 2422 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2423 if (!nosec) {
2424 rc = -ENOMEM;
2425 goto out;
2426 }
2427
2428 nosec_save = nosec;
2429 fnosec = fsec = 1;
2430 in_save = in_end = orig;
2431
2432 do {
3528a953
CO		 2433 if (*in_end == '"')
2434 open_quote = !open_quote;
2435 if ((*in_end == ',' && open_quote == 0) ||
2436 *in_end == '\0') {
1da177e4
LT		 2437 int len = in_end - in_curr;
2438
2439 if (selinux_option(in_curr, len))
3528a953 2440 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2441 else
2442 take_option(&nosec, in_curr, &fnosec, len);
2443
2444 in_curr = in_end + 1;
2445 }
2446 } while (*in_end++);
2447
6931dfc9 2448 strcpy(in_save, nosec_save);
da3caa20 2449 free_page((unsigned long)nosec_save);
1da177e4
LT		 2450out:
2451 return rc;
2452}
2453
2454static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2455{
2456 struct avc_audit_data ad;
2457 int rc;
2458
2459 rc = superblock_doinit(sb, data);
2460 if (rc)
2461 return rc;
2462
828dfe1d 2463 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2464 ad.u.fs.path.dentry = sb->s_root;
1da177e4
LT		 2465 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2466}
2467
726c3342 2468static int selinux_sb_statfs(struct dentry *dentry)
1da177e4
LT		 2469{
2470 struct avc_audit_data ad;
2471
828dfe1d 2472 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2473 ad.u.fs.path.dentry = dentry->d_sb->s_root;
726c3342 2474 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2475}
2476
828dfe1d 2477static int selinux_mount(char *dev_name,
b5266eb4 2478 struct path *path,
828dfe1d
EP		 2479 char *type,
2480 unsigned long flags,
2481 void *data)
1da177e4
LT		 2482{
2483 int rc;
2484
b5266eb4 2485 rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
1da177e4
LT		 2486 if (rc)
2487 return rc;
2488
2489 if (flags & MS_REMOUNT)
b5266eb4 2490 return superblock_has_perm(current, path->mnt->mnt_sb,
828dfe1d 2491 FILESYSTEM__REMOUNT, NULL);
1da177e4 2492 else
b5266eb4 2493 return dentry_has_perm(current, path->mnt, path->dentry,
828dfe1d 2494 FILE__MOUNTON);
1da177e4
LT		 2495}
2496
2497static int selinux_umount(struct vfsmount *mnt, int flags)
2498{
2499 int rc;
2500
2501 rc = secondary_ops->sb_umount(mnt, flags);
2502 if (rc)
2503 return rc;
2504
828dfe1d
EP		 2505 return superblock_has_perm(current, mnt->mnt_sb,
2506 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2507}
2508
2509/* inode security operations */
2510
2511static int selinux_inode_alloc_security(struct inode *inode)
2512{
2513 return inode_alloc_security(inode);
2514}
2515
2516static void selinux_inode_free_security(struct inode *inode)
2517{
2518 inode_free_security(inode);
2519}
2520
5e41ff9e
SS		 2521static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2522 char **name, void **value,
2523 size_t *len)
2524{
2525 struct task_security_struct *tsec;
2526 struct inode_security_struct *dsec;
2527 struct superblock_security_struct *sbsec;
570bc1c2 2528 u32 newsid, clen;
5e41ff9e 2529 int rc;
570bc1c2 2530 char *namep = NULL, *context;
5e41ff9e
SS		 2531
2532 tsec = current->security;
2533 dsec = dir->i_security;
2534 sbsec = dir->i_sb->s_security;
5e41ff9e
SS		 2535
2536 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2537 newsid = tsec->create_sid;
2538 } else {
2539 rc = security_transition_sid(tsec->sid, dsec->sid,
2540 inode_mode_to_security_class(inode->i_mode),
2541 &newsid);
2542 if (rc) {
2543 printk(KERN_WARNING "%s: "
2544 "security_transition_sid failed, rc=%d (dev=%s "
2545 "ino=%ld)\n",
dd6f953a 2546 __func__,
5e41ff9e
SS		 2547 -rc, inode->i_sb->s_id, inode->i_ino);
2548 return rc;
2549 }
2550 }
2551
296fddf7
EP		 2552 /* Possibly defer initialization to selinux_complete_init. */
2553 if (sbsec->initialized) {
2554 struct inode_security_struct *isec = inode->i_security;
2555 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2556 isec->sid = newsid;
2557 isec->initialized = 1;
2558 }
5e41ff9e 2559
8aad3875 2560 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
25a74f3b
SS		 2561 return -EOPNOTSUPP;
2562
570bc1c2 2563 if (name) {
a02fe132 2564 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
570bc1c2
SS		 2565 if (!namep)
2566 return -ENOMEM;
2567 *name = namep;
2568 }
5e41ff9e 2569
570bc1c2 2570 if (value && len) {
12b29f34 2571 rc = security_sid_to_context_force(newsid, &context, &clen);
570bc1c2
SS		 2572 if (rc) {
2573 kfree(namep);
2574 return rc;
2575 }
2576 *value = context;
2577 *len = clen;
5e41ff9e 2578 }
5e41ff9e 2579
5e41ff9e
SS		 2580 return 0;
2581}
2582
1da177e4
LT		 2583static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2584{
2585 return may_create(dir, dentry, SECCLASS_FILE);
2586}
2587
1da177e4
LT		 2588static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2589{
2590 int rc;
2591
828dfe1d 2592 rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
1da177e4
LT		 2593 if (rc)
2594 return rc;
2595 return may_link(dir, old_dentry, MAY_LINK);
2596}
2597
1da177e4
LT		 2598static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2599{
2600 int rc;
2601
2602 rc = secondary_ops->inode_unlink(dir, dentry);
2603 if (rc)
2604 return rc;
2605 return may_link(dir, dentry, MAY_UNLINK);
2606}
2607
2608static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2609{
2610 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2611}
2612
1da177e4
LT		 2613static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2614{
2615 return may_create(dir, dentry, SECCLASS_DIR);
2616}
2617
1da177e4
LT		 2618static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2619{
2620 return may_link(dir, dentry, MAY_RMDIR);
2621}
2622
2623static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2624{
2625 int rc;
2626
2627 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2628 if (rc)
2629 return rc;
2630
2631 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2632}
2633
1da177e4 2634static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2635 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2636{
2637 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2638}
2639
1da177e4
LT		 2640static int selinux_inode_readlink(struct dentry *dentry)
2641{
2642 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2643}
2644
2645static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2646{
2647 int rc;
2648
828dfe1d 2649 rc = secondary_ops->inode_follow_link(dentry, nameidata);
1da177e4
LT		 2650 if (rc)
2651 return rc;
2652 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2653}
2654
2655static int selinux_inode_permission(struct inode *inode, int mask,
2656 struct nameidata *nd)
2657{
2658 int rc;
2659
2660 rc = secondary_ops->inode_permission(inode, mask, nd);
2661 if (rc)
2662 return rc;
2663
2664 if (!mask) {
2665 /* No permission to check. Existence test. */
2666 return 0;
2667 }
2668
2669 return inode_has_perm(current, inode,
b0c636b9 2670 open_file_mask_to_av(inode->i_mode, mask), NULL);
1da177e4
LT		 2671}
2672
2673static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2674{
2675 int rc;
2676
2677 rc = secondary_ops->inode_setattr(dentry, iattr);
2678 if (rc)
2679 return rc;
2680
2681 if (iattr->ia_valid & ATTR_FORCE)
2682 return 0;
2683
2684 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2685 ATTR_ATIME_SET | ATTR_MTIME_SET))
2686 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2687
2688 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2689}
2690
2691static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2692{
2693 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2694}
2695
8f0cfa52 2696static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771
SH		 2697{
2698 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2699 sizeof XATTR_SECURITY_PREFIX - 1)) {
2700 if (!strcmp(name, XATTR_NAME_CAPS)) {
2701 if (!capable(CAP_SETFCAP))
2702 return -EPERM;
2703 } else if (!capable(CAP_SYS_ADMIN)) {
2704 /* A different attribute in the security namespace.
2705 Restrict to administrator. */
2706 return -EPERM;
2707 }
2708 }
2709
2710 /* Not an attribute we recognize, so just check the
2711 ordinary setattr permission. */
2712 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2713}
2714
8f0cfa52
DH		 2715static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2716 const void *value, size_t size, int flags)
1da177e4
LT		 2717{
2718 struct task_security_struct *tsec = current->security;
2719 struct inode *inode = dentry->d_inode;
2720 struct inode_security_struct *isec = inode->i_security;
2721 struct superblock_security_struct *sbsec;
2722 struct avc_audit_data ad;
2723 u32 newsid;
2724 int rc = 0;
2725
b5376771
SH		 2726 if (strcmp(name, XATTR_NAME_SELINUX))
2727 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2728
2729 sbsec = inode->i_sb->s_security;
2730 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2731 return -EOPNOTSUPP;
2732
3bd858ab 2733 if (!is_owner_or_cap(inode))
1da177e4
LT		 2734 return -EPERM;
2735
828dfe1d 2736 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2737 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 2738
2739 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2740 FILE__RELABELFROM, &ad);
2741 if (rc)
2742 return rc;
2743
2744 rc = security_context_to_sid(value, size, &newsid);
12b29f34
SS		 2745 if (rc == -EINVAL) {
2746 if (!capable(CAP_MAC_ADMIN))
2747 return rc;
2748 rc = security_context_to_sid_force(value, size, &newsid);
2749 }
1da177e4
LT		 2750 if (rc)
2751 return rc;
2752
2753 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2754 FILE__RELABELTO, &ad);
2755 if (rc)
2756 return rc;
2757
2758 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
828dfe1d 2759 isec->sclass);
1da177e4
LT		 2760 if (rc)
2761 return rc;
2762
2763 return avc_has_perm(newsid,
2764 sbsec->sid,
2765 SECCLASS_FILESYSTEM,
2766 FILESYSTEM__ASSOCIATE,
2767 &ad);
2768}
2769
8f0cfa52 2770static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 2771 const void *value, size_t size,
8f0cfa52 2772 int flags)
1da177e4
LT		 2773{
2774 struct inode *inode = dentry->d_inode;
2775 struct inode_security_struct *isec = inode->i_security;
2776 u32 newsid;
2777 int rc;
2778
2779 if (strcmp(name, XATTR_NAME_SELINUX)) {
2780 /* Not an attribute we recognize, so nothing to do. */
2781 return;
2782 }
2783
12b29f34 2784 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 2785 if (rc) {
12b29f34
SS		 2786 printk(KERN_ERR "SELinux: unable to map context to SID"
2787 "for (%s, %lu), rc=%d\n",
2788 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 2789 return;
2790 }
2791
2792 isec->sid = newsid;
2793 return;
2794}
2795
8f0cfa52 2796static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 2797{
1da177e4
LT		 2798 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2799}
2800
828dfe1d 2801static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4
LT		 2802{
2803 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2804}
2805
8f0cfa52 2806static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 2807{
b5376771
SH		 2808 if (strcmp(name, XATTR_NAME_SELINUX))
2809 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2810
2811 /* No one is allowed to remove a SELinux security label.
2812 You can change the label, but all data must be labeled. */
2813 return -EACCES;
2814}
2815
d381d8a9 2816/*
abc69bb6 2817 * Copy the inode security context value to the user.
d381d8a9
JM		 2818 *
2819 * Permission check is handled by selinux_inode_getxattr hook.
2820 */
42492594 2821static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 2822{
42492594
DQ		 2823 u32 size;
2824 int error;
2825 char *context = NULL;
abc69bb6 2826 struct task_security_struct *tsec = current->security;
1da177e4 2827 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2828
8c8570fb
DK		 2829 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2830 return -EOPNOTSUPP;
d381d8a9 2831
abc69bb6
SS		 2832 /*
2833 * If the caller has CAP_MAC_ADMIN, then get the raw context
2834 * value even if it is not defined by current policy; otherwise,
2835 * use the in-core value under current policy.
2836 * Use the non-auditing forms of the permission checks since
2837 * getxattr may be called by unprivileged processes commonly
2838 * and lack of permission just means that we fall back to the
2839 * in-core context value, not a denial.
2840 */
2841 error = secondary_ops->capable(current, CAP_MAC_ADMIN);
2842 if (!error)
2843 error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2844 SECCLASS_CAPABILITY2,
2845 CAPABILITY2__MAC_ADMIN,
2846 0,
2847 NULL);
2848 if (!error)
2849 error = security_sid_to_context_force(isec->sid, &context,
2850 &size);
2851 else
2852 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 2853 if (error)
2854 return error;
2855 error = size;
2856 if (alloc) {
2857 *buffer = context;
2858 goto out_nofree;
2859 }
2860 kfree(context);
2861out_nofree:
2862 return error;
1da177e4
LT		 2863}
2864
2865static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 2866 const void *value, size_t size, int flags)
1da177e4
LT		 2867{
2868 struct inode_security_struct *isec = inode->i_security;
2869 u32 newsid;
2870 int rc;
2871
2872 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2873 return -EOPNOTSUPP;
2874
2875 if (!value || !size)
2876 return -EACCES;
2877
828dfe1d 2878 rc = security_context_to_sid((void *)value, size, &newsid);
1da177e4
LT		 2879 if (rc)
2880 return rc;
2881
2882 isec->sid = newsid;
2883 return 0;
2884}
2885
2886static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2887{
2888 const int len = sizeof(XATTR_NAME_SELINUX);
2889 if (buffer && len <= buffer_size)
2890 memcpy(buffer, XATTR_NAME_SELINUX, len);
2891 return len;
2892}
2893
b5376771
SH		 2894static int selinux_inode_need_killpriv(struct dentry *dentry)
2895{
2896 return secondary_ops->inode_need_killpriv(dentry);
2897}
2898
2899static int selinux_inode_killpriv(struct dentry *dentry)
2900{
2901 return secondary_ops->inode_killpriv(dentry);
2902}
2903
713a04ae
AD		 2904static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2905{
2906 struct inode_security_struct *isec = inode->i_security;
2907 *secid = isec->sid;
2908}
2909
1da177e4
LT		 2910/* file security operations */
2911
788e7dd4 2912static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 2913{
7420ed23 2914 int rc;
3d5ff529 2915 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2916
2917 if (!mask) {
2918 /* No permission to check. Existence test. */
2919 return 0;
2920 }
2921
2922 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2923 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2924 mask |= MAY_APPEND;
2925
7420ed23
VY		 2926 rc = file_has_perm(current, file,
2927 file_mask_to_av(inode->i_mode, mask));
2928 if (rc)
2929 return rc;
2930
2931 return selinux_netlbl_inode_permission(inode, mask);
1da177e4
LT		 2932}
2933
788e7dd4
YN		 2934static int selinux_file_permission(struct file *file, int mask)
2935{
2936 struct inode *inode = file->f_path.dentry->d_inode;
2937 struct task_security_struct *tsec = current->security;
2938 struct file_security_struct *fsec = file->f_security;
2939 struct inode_security_struct *isec = inode->i_security;
2940
2941 if (!mask) {
2942 /* No permission to check. Existence test. */
2943 return 0;
2944 }
2945
2946 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2947 && fsec->pseqno == avc_policy_seqno())
2948 return selinux_netlbl_inode_permission(inode, mask);
2949
2950 return selinux_revalidate_file_permission(file, mask);
2951}
2952
1da177e4
LT		 2953static int selinux_file_alloc_security(struct file *file)
2954{
2955 return file_alloc_security(file);
2956}
2957
2958static void selinux_file_free_security(struct file *file)
2959{
2960 file_free_security(file);
2961}
2962
2963static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2964 unsigned long arg)
2965{
242631c4 2966 u32 av = 0;
1da177e4 2967
242631c4
SS		 2968 if (_IOC_DIR(cmd) & _IOC_WRITE)
2969 av |= FILE__WRITE;
2970 if (_IOC_DIR(cmd) & _IOC_READ)
2971 av |= FILE__READ;
2972 if (!av)
2973 av = FILE__IOCTL;
1da177e4 2974
242631c4 2975 return file_has_perm(current, file, av);
1da177e4
LT		 2976}
2977
2978static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2979{
2980#ifndef CONFIG_PPC32
2981 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2982 /*
2983 * We are making executable an anonymous mapping or a
2984 * private file mapping that will also be writable.
2985 * This has an additional check.
2986 */
2987 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2988 if (rc)
2989 return rc;
2990 }
2991#endif
2992
2993 if (file) {
2994 /* read access is always possible with a mapping */
2995 u32 av = FILE__READ;
2996
2997 /* write access only matters if the mapping is shared */
2998 if (shared && (prot & PROT_WRITE))
2999 av |= FILE__WRITE;
3000
3001 if (prot & PROT_EXEC)
3002 av |= FILE__EXECUTE;
3003
3004 return file_has_perm(current, file, av);
3005 }
3006 return 0;
3007}
3008
3009static int selinux_file_mmap(struct file *file, unsigned long reqprot,
ed032189
EP		 3010 unsigned long prot, unsigned long flags,
3011 unsigned long addr, unsigned long addr_only)
1da177e4 3012{
ed032189 3013 int rc = 0;
828dfe1d 3014 u32 sid = ((struct task_security_struct *)(current->security))->sid;
1da177e4 3015
ed032189
EP		 3016 if (addr < mmap_min_addr)
3017 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3018 MEMPROTECT__MMAP_ZERO, NULL);
3019 if (rc || addr_only)
1da177e4
LT		 3020 return rc;
3021
3022 if (selinux_checkreqprot)
3023 prot = reqprot;
3024
3025 return file_map_prot_check(file, prot,
3026 (flags & MAP_TYPE) == MAP_SHARED);
3027}
3028
3029static int selinux_file_mprotect(struct vm_area_struct *vma,
3030 unsigned long reqprot,
3031 unsigned long prot)
3032{
3033 int rc;
3034
3035 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
3036 if (rc)
3037 return rc;
3038
3039 if (selinux_checkreqprot)
3040 prot = reqprot;
3041
3042#ifndef CONFIG_PPC32
db4c9641
SS		 3043 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3044 rc = 0;
3045 if (vma->vm_start >= vma->vm_mm->start_brk &&
3046 vma->vm_end <= vma->vm_mm->brk) {
3047 rc = task_has_perm(current, current,
3048 PROCESS__EXECHEAP);
3049 } else if (!vma->vm_file &&
3050 vma->vm_start <= vma->vm_mm->start_stack &&
3051 vma->vm_end >= vma->vm_mm->start_stack) {
3052 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
3053 } else if (vma->vm_file && vma->anon_vma) {
3054 /*
3055 * We are making executable a file mapping that has
3056 * had some COW done. Since pages might have been
3057 * written, check ability to execute the possibly
3058 * modified content. This typically should only
3059 * occur for text relocations.
3060 */
3061 rc = file_has_perm(current, vma->vm_file,
3062 FILE__EXECMOD);
3063 }