]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blame - security/selinux/hooks.c
projects / mirror_ubuntu-artful-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
[PATCH] let the the lockdep options depend on DEBUG_KERNEL
[mirror_ubuntu-artful-kernel.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 *
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License version 2,
18 * as published by the Free Software Foundation.
19 */
20
1da177e4
LT		 21#include <linux/module.h>
22#include <linux/init.h>
23#include <linux/kernel.h>
24#include <linux/ptrace.h>
25#include <linux/errno.h>
26#include <linux/sched.h>
27#include <linux/security.h>
28#include <linux/xattr.h>
29#include <linux/capability.h>
30#include <linux/unistd.h>
31#include <linux/mm.h>
32#include <linux/mman.h>
33#include <linux/slab.h>
34#include <linux/pagemap.h>
35#include <linux/swap.h>
36#include <linux/smp_lock.h>
37#include <linux/spinlock.h>
38#include <linux/syscalls.h>
39#include <linux/file.h>
40#include <linux/namei.h>
41#include <linux/mount.h>
42#include <linux/ext2_fs.h>
43#include <linux/proc_fs.h>
44#include <linux/kd.h>
45#include <linux/netfilter_ipv4.h>
46#include <linux/netfilter_ipv6.h>
47#include <linux/tty.h>
48#include <net/icmp.h>
49#include <net/ip.h> /* for sysctl_local_port_range[] */
50#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
51#include <asm/uaccess.h>
52#include <asm/semaphore.h>
53#include <asm/ioctls.h>
54#include <linux/bitops.h>
55#include <linux/interrupt.h>
56#include <linux/netdevice.h> /* for network interface checks */
57#include <linux/netlink.h>
58#include <linux/tcp.h>
59#include <linux/udp.h>
60#include <linux/quota.h>
61#include <linux/un.h> /* for Unix socket types */
62#include <net/af_unix.h> /* for Unix socket types */
63#include <linux/parser.h>
64#include <linux/nfs_mount.h>
65#include <net/ipv6.h>
66#include <linux/hugetlb.h>
67#include <linux/personality.h>
68#include <linux/sysctl.h>
69#include <linux/audit.h>
6931dfc9 70#include <linux/string.h>
877ce7c1 71#include <linux/selinux.h>
1da177e4
LT		 72
73#include "avc.h"
74#include "objsec.h"
75#include "netif.h"
d28d1e08 76#include "xfrm.h"
1da177e4
LT		 77
78#define XATTR_SELINUX_SUFFIX "selinux"
79#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
80
81extern unsigned int policydb_loaded_version;
82extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
4e5ab4cb 83extern int selinux_compat_net;
1da177e4
LT		 84
85#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
86int selinux_enforcing = 0;
87
88static int __init enforcing_setup(char *str)
89{
90 selinux_enforcing = simple_strtol(str,NULL,0);
91 return 1;
92}
93__setup("enforcing=", enforcing_setup);
94#endif
95
96#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
97int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
98
99static int __init selinux_enabled_setup(char *str)
100{
101 selinux_enabled = simple_strtol(str, NULL, 0);
102 return 1;
103}
104__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 105#else
106int selinux_enabled = 1;
1da177e4
LT		 107#endif
108
109/* Original (dummy) security module. */
110static struct security_operations *original_ops = NULL;
111
112/* Minimal support for a secondary security module,
113 just to allow the use of the dummy or capability modules.
114 The owlsm module can alternatively be used as a secondary
115 module as long as CONFIG_OWLSM_FD is not enabled. */
116static struct security_operations *secondary_ops = NULL;
117
118/* Lists of inode and superblock security structures initialized
119 before the policy was loaded. */
120static LIST_HEAD(superblock_security_head);
121static DEFINE_SPINLOCK(sb_security_lock);
122
7cae7e26
JM		 123static kmem_cache_t *sel_inode_cache;
124
8c8570fb
DK		 125/* Return security context for a given sid or just the context
126 length if the buffer is null or length is 0 */
127static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
128{
129 char *context;
130 unsigned len;
131 int rc;
132
133 rc = security_sid_to_context(sid, &context, &len);
134 if (rc)
135 return rc;
136
137 if (!buffer || !size)
138 goto getsecurity_exit;
139
140 if (size < len) {
141 len = -ERANGE;
142 goto getsecurity_exit;
143 }
144 memcpy(buffer, context, len);
145
146getsecurity_exit:
147 kfree(context);
148 return len;
149}
150
1da177e4
LT		 151/* Allocate and free functions for each kind of security blob. */
152
153static int task_alloc_security(struct task_struct *task)
154{
155 struct task_security_struct *tsec;
156
89d155ef 157 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4
LT		 158 if (!tsec)
159 return -ENOMEM;
160
1da177e4
LT		 161 tsec->task = task;
162 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
163 task->security = tsec;
164
165 return 0;
166}
167
168static void task_free_security(struct task_struct *task)
169{
170 struct task_security_struct *tsec = task->security;
1da177e4
LT		 171 task->security = NULL;
172 kfree(tsec);
173}
174
175static int inode_alloc_security(struct inode *inode)
176{
177 struct task_security_struct *tsec = current->security;
178 struct inode_security_struct *isec;
179
7cae7e26 180 isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL);
1da177e4
LT		 181 if (!isec)
182 return -ENOMEM;
183
7cae7e26 184 memset(isec, 0, sizeof(*isec));
1da177e4
LT		 185 init_MUTEX(&isec->sem);
186 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 187 isec->inode = inode;
188 isec->sid = SECINITSID_UNLABELED;
189 isec->sclass = SECCLASS_FILE;
9ac49d22 190 isec->task_sid = tsec->sid;
1da177e4
LT		 191 inode->i_security = isec;
192
193 return 0;
194}
195
196static void inode_free_security(struct inode *inode)
197{
198 struct inode_security_struct *isec = inode->i_security;
199 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
200
1da177e4
LT		 201 spin_lock(&sbsec->isec_lock);
202 if (!list_empty(&isec->list))
203 list_del_init(&isec->list);
204 spin_unlock(&sbsec->isec_lock);
205
206 inode->i_security = NULL;
7cae7e26 207 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 208}
209
210static int file_alloc_security(struct file *file)
211{
212 struct task_security_struct *tsec = current->security;
213 struct file_security_struct *fsec;
214
26d2a4be 215 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 216 if (!fsec)
217 return -ENOMEM;
218
1da177e4 219 fsec->file = file;
9ac49d22
SS		 220 fsec->sid = tsec->sid;
221 fsec->fown_sid = tsec->sid;
1da177e4
LT		 222 file->f_security = fsec;
223
224 return 0;
225}
226
227static void file_free_security(struct file *file)
228{
229 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 230 file->f_security = NULL;
231 kfree(fsec);
232}
233
234static int superblock_alloc_security(struct super_block *sb)
235{
236 struct superblock_security_struct *sbsec;
237
89d155ef 238 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 239 if (!sbsec)
240 return -ENOMEM;
241
1da177e4
LT		 242 init_MUTEX(&sbsec->sem);
243 INIT_LIST_HEAD(&sbsec->list);
244 INIT_LIST_HEAD(&sbsec->isec_head);
245 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 246 sbsec->sb = sb;
247 sbsec->sid = SECINITSID_UNLABELED;
248 sbsec->def_sid = SECINITSID_FILE;
c312feb2 249 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 250 sb->s_security = sbsec;
251
252 return 0;
253}
254
255static void superblock_free_security(struct super_block *sb)
256{
257 struct superblock_security_struct *sbsec = sb->s_security;
258
1da177e4
LT		 259 spin_lock(&sb_security_lock);
260 if (!list_empty(&sbsec->list))
261 list_del_init(&sbsec->list);
262 spin_unlock(&sb_security_lock);
263
264 sb->s_security = NULL;
265 kfree(sbsec);
266}
267
7d877f3b 268static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4
LT		 269{
270 struct sk_security_struct *ssec;
271
272 if (family != PF_UNIX)
273 return 0;
274
89d155ef 275 ssec = kzalloc(sizeof(*ssec), priority);
1da177e4
LT		 276 if (!ssec)
277 return -ENOMEM;
278
1da177e4
LT		 279 ssec->sk = sk;
280 ssec->peer_sid = SECINITSID_UNLABELED;
281 sk->sk_security = ssec;
282
283 return 0;
284}
285
286static void sk_free_security(struct sock *sk)
287{
288 struct sk_security_struct *ssec = sk->sk_security;
289
9ac49d22 290 if (sk->sk_family != PF_UNIX)
1da177e4
LT		 291 return;
292
293 sk->sk_security = NULL;
294 kfree(ssec);
295}
1da177e4
LT		 296
297/* The security server must be initialized before
298 any labeling or access decisions can be provided. */
299extern int ss_initialized;
300
301/* The file system's label must be initialized prior to use. */
302
303static char *labeling_behaviors[6] = {
304 "uses xattr",
305 "uses transition SIDs",
306 "uses task SIDs",
307 "uses genfs_contexts",
308 "not configured for labeling",
309 "uses mountpoint labeling",
310};
311
312static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313
314static inline int inode_doinit(struct inode *inode)
315{
316 return inode_doinit_with_dentry(inode, NULL);
317}
318
319enum {
320 Opt_context = 1,
321 Opt_fscontext = 2,
322 Opt_defcontext = 4,
0808925e 323 Opt_rootcontext = 8,
1da177e4
LT		 324};
325
326static match_table_t tokens = {
327 {Opt_context, "context=%s"},
328 {Opt_fscontext, "fscontext=%s"},
329 {Opt_defcontext, "defcontext=%s"},
0808925e 330 {Opt_rootcontext, "rootcontext=%s"},
1da177e4
LT		 331};
332
333#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
334
c312feb2
EP		 335static int may_context_mount_sb_relabel(u32 sid,
336 struct superblock_security_struct *sbsec,
337 struct task_security_struct *tsec)
338{
339 int rc;
340
341 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
342 FILESYSTEM__RELABELFROM, NULL);
343 if (rc)
344 return rc;
345
346 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
347 FILESYSTEM__RELABELTO, NULL);
348 return rc;
349}
350
0808925e
EP		 351static int may_context_mount_inode_relabel(u32 sid,
352 struct superblock_security_struct *sbsec,
353 struct task_security_struct *tsec)
354{
355 int rc;
356 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
357 FILESYSTEM__RELABELFROM, NULL);
358 if (rc)
359 return rc;
360
361 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
362 FILESYSTEM__ASSOCIATE, NULL);
363 return rc;
364}
365
1da177e4
LT		 366static int try_context_mount(struct super_block *sb, void *data)
367{
368 char *context = NULL, *defcontext = NULL;
0808925e 369 char *fscontext = NULL, *rootcontext = NULL;
1da177e4
LT		 370 const char *name;
371 u32 sid;
372 int alloc = 0, rc = 0, seen = 0;
373 struct task_security_struct *tsec = current->security;
374 struct superblock_security_struct *sbsec = sb->s_security;
375
376 if (!data)
377 goto out;
378
379 name = sb->s_type->name;
380
381 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
382
383 /* NFS we understand. */
384 if (!strcmp(name, "nfs")) {
385 struct nfs_mount_data *d = data;
386
387 if (d->version < NFS_MOUNT_VERSION)
388 goto out;
389
390 if (d->context[0]) {
391 context = d->context;
392 seen |= Opt_context;
393 }
394 } else
395 goto out;
396
397 } else {
398 /* Standard string-based options. */
399 char *p, *options = data;
400
401 while ((p = strsep(&options, ",")) != NULL) {
402 int token;
403 substring_t args[MAX_OPT_ARGS];
404
405 if (!*p)
406 continue;
407
408 token = match_token(p, tokens, args);
409
410 switch (token) {
411 case Opt_context:
c312feb2 412 if (seen & (Opt_context|Opt_defcontext)) {
1da177e4
LT		 413 rc = -EINVAL;
414 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
415 goto out_free;
416 }
417 context = match_strdup(&args[0]);
418 if (!context) {
419 rc = -ENOMEM;
420 goto out_free;
421 }
422 if (!alloc)
423 alloc = 1;
424 seen |= Opt_context;
425 break;
426
427 case Opt_fscontext:
c312feb2 428 if (seen & Opt_fscontext) {
1da177e4
LT		 429 rc = -EINVAL;
430 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
431 goto out_free;
432 }
c312feb2
EP		 433 fscontext = match_strdup(&args[0]);
434 if (!fscontext) {
1da177e4
LT		 435 rc = -ENOMEM;
436 goto out_free;
437 }
438 if (!alloc)
439 alloc = 1;
440 seen |= Opt_fscontext;
441 break;
442
0808925e
EP		 443 case Opt_rootcontext:
444 if (seen & Opt_rootcontext) {
445 rc = -EINVAL;
446 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
447 goto out_free;
448 }
449 rootcontext = match_strdup(&args[0]);
450 if (!rootcontext) {
451 rc = -ENOMEM;
452 goto out_free;
453 }
454 if (!alloc)
455 alloc = 1;
456 seen |= Opt_rootcontext;
457 break;
458
1da177e4
LT		 459 case Opt_defcontext:
460 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
461 rc = -EINVAL;
462 printk(KERN_WARNING "SELinux: "
463 "defcontext option is invalid "
464 "for this filesystem type\n");
465 goto out_free;
466 }
467 if (seen & (Opt_context|Opt_defcontext)) {
468 rc = -EINVAL;
469 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
470 goto out_free;
471 }
472 defcontext = match_strdup(&args[0]);
473 if (!defcontext) {
474 rc = -ENOMEM;
475 goto out_free;
476 }
477 if (!alloc)
478 alloc = 1;
479 seen |= Opt_defcontext;
480 break;
481
482 default:
483 rc = -EINVAL;
484 printk(KERN_WARNING "SELinux: unknown mount "
485 "option\n");
486 goto out_free;
487
488 }
489 }
490 }
491
492 if (!seen)
493 goto out;
494
c312feb2
EP		 495 /* sets the context of the superblock for the fs being mounted. */
496 if (fscontext) {
497 rc = security_context_to_sid(fscontext, strlen(fscontext), &sid);
1da177e4
LT		 498 if (rc) {
499 printk(KERN_WARNING "SELinux: security_context_to_sid"
500 "(%s) failed for (dev %s, type %s) errno=%d\n",
c312feb2 501 fscontext, sb->s_id, name, rc);
1da177e4
LT		 502 goto out_free;
503 }
504
c312feb2 505 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
1da177e4
LT		 506 if (rc)
507 goto out_free;
508
c312feb2
EP		 509 sbsec->sid = sid;
510 }
511
512 /*
513 * Switch to using mount point labeling behavior.
514 * sets the label used on all file below the mountpoint, and will set
515 * the superblock context if not already set.
516 */
517 if (context) {
518 rc = security_context_to_sid(context, strlen(context), &sid);
519 if (rc) {
520 printk(KERN_WARNING "SELinux: security_context_to_sid"
521 "(%s) failed for (dev %s, type %s) errno=%d\n",
522 context, sb->s_id, name, rc);
523 goto out_free;
524 }
525
526 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
1da177e4
LT		 527 if (rc)
528 goto out_free;
529
c312feb2
EP		 530 if (!fscontext)
531 sbsec->sid = sid;
532 sbsec->mntpoint_sid = sid;
1da177e4 533
c312feb2 534 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 535 }
536
0808925e
EP		 537 if (rootcontext) {
538 struct inode *inode = sb->s_root->d_inode;
539 struct inode_security_struct *isec = inode->i_security;
540 rc = security_context_to_sid(rootcontext, strlen(rootcontext), &sid);
541 if (rc) {
542 printk(KERN_WARNING "SELinux: security_context_to_sid"
543 "(%s) failed for (dev %s, type %s) errno=%d\n",
544 rootcontext, sb->s_id, name, rc);
545 goto out_free;
546 }
547
548 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
549 if (rc)
550 goto out_free;
551
552 isec->sid = sid;
553 isec->initialized = 1;
554 }
555
1da177e4
LT		 556 if (defcontext) {
557 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
558 if (rc) {
559 printk(KERN_WARNING "SELinux: security_context_to_sid"
560 "(%s) failed for (dev %s, type %s) errno=%d\n",
561 defcontext, sb->s_id, name, rc);
562 goto out_free;
563 }
564
565 if (sid == sbsec->def_sid)
566 goto out_free;
567
0808925e 568 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
1da177e4
LT		 569 if (rc)
570 goto out_free;
571
572 sbsec->def_sid = sid;
573 }
574
575out_free:
576 if (alloc) {
577 kfree(context);
578 kfree(defcontext);
c312feb2 579 kfree(fscontext);
0808925e 580 kfree(rootcontext);
1da177e4
LT		 581 }
582out:
583 return rc;
584}
585
586static int superblock_doinit(struct super_block *sb, void *data)
587{
588 struct superblock_security_struct *sbsec = sb->s_security;
589 struct dentry *root = sb->s_root;
590 struct inode *inode = root->d_inode;
591 int rc = 0;
592
593 down(&sbsec->sem);
594 if (sbsec->initialized)
595 goto out;
596
597 if (!ss_initialized) {
598 /* Defer initialization until selinux_complete_init,
599 after the initial policy is loaded and the security
600 server is ready to handle calls. */
601 spin_lock(&sb_security_lock);
602 if (list_empty(&sbsec->list))
603 list_add(&sbsec->list, &superblock_security_head);
604 spin_unlock(&sb_security_lock);
605 goto out;
606 }
607
608 /* Determine the labeling behavior to use for this filesystem type. */
609 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
610 if (rc) {
611 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
612 __FUNCTION__, sb->s_type->name, rc);
613 goto out;
614 }
615
616 rc = try_context_mount(sb, data);
617 if (rc)
618 goto out;
619
620 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
621 /* Make sure that the xattr handler exists and that no
622 error other than -ENODATA is returned by getxattr on
623 the root directory. -ENODATA is ok, as this may be
624 the first boot of the SELinux kernel before we have
625 assigned xattr values to the filesystem. */
626 if (!inode->i_op->getxattr) {
627 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
628 "xattr support\n", sb->s_id, sb->s_type->name);
629 rc = -EOPNOTSUPP;
630 goto out;
631 }
632 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
633 if (rc < 0 && rc != -ENODATA) {
634 if (rc == -EOPNOTSUPP)
635 printk(KERN_WARNING "SELinux: (dev %s, type "
636 "%s) has no security xattr handler\n",
637 sb->s_id, sb->s_type->name);
638 else
639 printk(KERN_WARNING "SELinux: (dev %s, type "
640 "%s) getxattr errno %d\n", sb->s_id,
641 sb->s_type->name, -rc);
642 goto out;
643 }
644 }
645
646 if (strcmp(sb->s_type->name, "proc") == 0)
647 sbsec->proc = 1;
648
649 sbsec->initialized = 1;
650
651 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
652 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
653 sb->s_id, sb->s_type->name);
654 }
655 else {
656 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
657 sb->s_id, sb->s_type->name,
658 labeling_behaviors[sbsec->behavior-1]);
659 }
660
661 /* Initialize the root inode. */
662 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
663
664 /* Initialize any other inodes associated with the superblock, e.g.
665 inodes created prior to initial policy load or inodes created
666 during get_sb by a pseudo filesystem that directly
667 populates itself. */
668 spin_lock(&sbsec->isec_lock);
669next_inode:
670 if (!list_empty(&sbsec->isec_head)) {
671 struct inode_security_struct *isec =
672 list_entry(sbsec->isec_head.next,
673 struct inode_security_struct, list);
674 struct inode *inode = isec->inode;
675 spin_unlock(&sbsec->isec_lock);
676 inode = igrab(inode);
677 if (inode) {
678 if (!IS_PRIVATE (inode))
679 inode_doinit(inode);
680 iput(inode);
681 }
682 spin_lock(&sbsec->isec_lock);
683 list_del_init(&isec->list);
684 goto next_inode;
685 }
686 spin_unlock(&sbsec->isec_lock);
687out:
688 up(&sbsec->sem);
689 return rc;
690}
691
692static inline u16 inode_mode_to_security_class(umode_t mode)
693{
694 switch (mode & S_IFMT) {
695 case S_IFSOCK:
696 return SECCLASS_SOCK_FILE;
697 case S_IFLNK:
698 return SECCLASS_LNK_FILE;
699 case S_IFREG:
700 return SECCLASS_FILE;
701 case S_IFBLK:
702 return SECCLASS_BLK_FILE;
703 case S_IFDIR:
704 return SECCLASS_DIR;
705 case S_IFCHR:
706 return SECCLASS_CHR_FILE;
707 case S_IFIFO:
708 return SECCLASS_FIFO_FILE;
709
710 }
711
712 return SECCLASS_FILE;
713}
714
13402580
JM		 715static inline int default_protocol_stream(int protocol)
716{
717 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
718}
719
720static inline int default_protocol_dgram(int protocol)
721{
722 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
723}
724
1da177e4
LT		 725static inline u16 socket_type_to_security_class(int family, int type, int protocol)
726{
727 switch (family) {
728 case PF_UNIX:
729 switch (type) {
730 case SOCK_STREAM:
731 case SOCK_SEQPACKET:
732 return SECCLASS_UNIX_STREAM_SOCKET;
733 case SOCK_DGRAM:
734 return SECCLASS_UNIX_DGRAM_SOCKET;
735 }
736 break;
737 case PF_INET:
738 case PF_INET6:
739 switch (type) {
740 case SOCK_STREAM:
13402580
JM		 741 if (default_protocol_stream(protocol))
742 return SECCLASS_TCP_SOCKET;
743 else
744 return SECCLASS_RAWIP_SOCKET;
1da177e4 745 case SOCK_DGRAM:
13402580
JM		 746 if (default_protocol_dgram(protocol))
747 return SECCLASS_UDP_SOCKET;
748 else
749 return SECCLASS_RAWIP_SOCKET;
750 default:
1da177e4
LT		 751 return SECCLASS_RAWIP_SOCKET;
752 }
753 break;
754 case PF_NETLINK:
755 switch (protocol) {
756 case NETLINK_ROUTE:
757 return SECCLASS_NETLINK_ROUTE_SOCKET;
758 case NETLINK_FIREWALL:
759 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 760 case NETLINK_INET_DIAG:
1da177e4
LT		 761 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
762 case NETLINK_NFLOG:
763 return SECCLASS_NETLINK_NFLOG_SOCKET;
764 case NETLINK_XFRM:
765 return SECCLASS_NETLINK_XFRM_SOCKET;
766 case NETLINK_SELINUX:
767 return SECCLASS_NETLINK_SELINUX_SOCKET;
768 case NETLINK_AUDIT:
769 return SECCLASS_NETLINK_AUDIT_SOCKET;
770 case NETLINK_IP6_FW:
771 return SECCLASS_NETLINK_IP6FW_SOCKET;
772 case NETLINK_DNRTMSG:
773 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 774 case NETLINK_KOBJECT_UEVENT:
775 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 776 default:
777 return SECCLASS_NETLINK_SOCKET;
778 }
779 case PF_PACKET:
780 return SECCLASS_PACKET_SOCKET;
781 case PF_KEY:
782 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 783 case PF_APPLETALK:
784 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 785 }
786
787 return SECCLASS_SOCKET;
788}
789
790#ifdef CONFIG_PROC_FS
791static int selinux_proc_get_sid(struct proc_dir_entry *de,
792 u16 tclass,
793 u32 *sid)
794{
795 int buflen, rc;
796 char *buffer, *path, *end;
797
798 buffer = (char*)__get_free_page(GFP_KERNEL);
799 if (!buffer)
800 return -ENOMEM;
801
802 buflen = PAGE_SIZE;
803 end = buffer+buflen;
804 *--end = '\0';
805 buflen--;
806 path = end-1;
807 *path = '/';
808 while (de && de != de->parent) {
809 buflen -= de->namelen + 1;
810 if (buflen < 0)
811 break;
812 end -= de->namelen;
813 memcpy(end, de->name, de->namelen);
814 *--end = '/';
815 path = end;
816 de = de->parent;
817 }
818 rc = security_genfs_sid("proc", path, tclass, sid);
819 free_page((unsigned long)buffer);
820 return rc;
821}
822#else
823static int selinux_proc_get_sid(struct proc_dir_entry *de,
824 u16 tclass,
825 u32 *sid)
826{
827 return -EINVAL;
828}
829#endif
830
831/* The inode's security attributes must be initialized before first use. */
832static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
833{
834 struct superblock_security_struct *sbsec = NULL;
835 struct inode_security_struct *isec = inode->i_security;
836 u32 sid;
837 struct dentry *dentry;
838#define INITCONTEXTLEN 255
839 char *context = NULL;
840 unsigned len = 0;
841 int rc = 0;
842 int hold_sem = 0;
843
844 if (isec->initialized)
845 goto out;
846
847 down(&isec->sem);
848 hold_sem = 1;
849 if (isec->initialized)
850 goto out;
851
852 sbsec = inode->i_sb->s_security;
853 if (!sbsec->initialized) {
854 /* Defer initialization until selinux_complete_init,
855 after the initial policy is loaded and the security
856 server is ready to handle calls. */
857 spin_lock(&sbsec->isec_lock);
858 if (list_empty(&isec->list))
859 list_add(&isec->list, &sbsec->isec_head);
860 spin_unlock(&sbsec->isec_lock);
861 goto out;
862 }
863
864 switch (sbsec->behavior) {
865 case SECURITY_FS_USE_XATTR:
866 if (!inode->i_op->getxattr) {
867 isec->sid = sbsec->def_sid;
868 break;
869 }
870
871 /* Need a dentry, since the xattr API requires one.
872 Life would be simpler if we could just pass the inode. */
873 if (opt_dentry) {
874 /* Called from d_instantiate or d_splice_alias. */
875 dentry = dget(opt_dentry);
876 } else {
877 /* Called from selinux_complete_init, try to find a dentry. */
878 dentry = d_find_alias(inode);
879 }
880 if (!dentry) {
881 printk(KERN_WARNING "%s: no dentry for dev=%s "
882 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
883 inode->i_ino);
884 goto out;
885 }
886
887 len = INITCONTEXTLEN;
888 context = kmalloc(len, GFP_KERNEL);
889 if (!context) {
890 rc = -ENOMEM;
891 dput(dentry);
892 goto out;
893 }
894 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
895 context, len);
896 if (rc == -ERANGE) {
897 /* Need a larger buffer. Query for the right size. */
898 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
899 NULL, 0);
900 if (rc < 0) {
901 dput(dentry);
902 goto out;
903 }
904 kfree(context);
905 len = rc;
906 context = kmalloc(len, GFP_KERNEL);
907 if (!context) {
908 rc = -ENOMEM;
909 dput(dentry);
910 goto out;
911 }
912 rc = inode->i_op->getxattr(dentry,
913 XATTR_NAME_SELINUX,
914 context, len);
915 }
916 dput(dentry);
917 if (rc < 0) {
918 if (rc != -ENODATA) {
919 printk(KERN_WARNING "%s: getxattr returned "
920 "%d for dev=%s ino=%ld\n", __FUNCTION__,
921 -rc, inode->i_sb->s_id, inode->i_ino);
922 kfree(context);
923 goto out;
924 }
925 /* Map ENODATA to the default file SID */
926 sid = sbsec->def_sid;
927 rc = 0;
928 } else {
f5c1d5b2
JM		 929 rc = security_context_to_sid_default(context, rc, &sid,
930 sbsec->def_sid);
1da177e4
LT		 931 if (rc) {
932 printk(KERN_WARNING "%s: context_to_sid(%s) "
933 "returned %d for dev=%s ino=%ld\n",
934 __FUNCTION__, context, -rc,
935 inode->i_sb->s_id, inode->i_ino);
936 kfree(context);
937 /* Leave with the unlabeled SID */
938 rc = 0;
939 break;
940 }
941 }
942 kfree(context);
943 isec->sid = sid;
944 break;
945 case SECURITY_FS_USE_TASK:
946 isec->sid = isec->task_sid;
947 break;
948 case SECURITY_FS_USE_TRANS:
949 /* Default to the fs SID. */
950 isec->sid = sbsec->sid;
951
952 /* Try to obtain a transition SID. */
953 isec->sclass = inode_mode_to_security_class(inode->i_mode);
954 rc = security_transition_sid(isec->task_sid,
955 sbsec->sid,
956 isec->sclass,
957 &sid);
958 if (rc)
959 goto out;
960 isec->sid = sid;
961 break;
c312feb2
EP		 962 case SECURITY_FS_USE_MNTPOINT:
963 isec->sid = sbsec->mntpoint_sid;
964 break;
1da177e4 965 default:
c312feb2 966 /* Default to the fs superblock SID. */
1da177e4
LT		 967 isec->sid = sbsec->sid;
968
969 if (sbsec->proc) {
970 struct proc_inode *proci = PROC_I(inode);
971 if (proci->pde) {
972 isec->sclass = inode_mode_to_security_class(inode->i_mode);
973 rc = selinux_proc_get_sid(proci->pde,
974 isec->sclass,
975 &sid);
976 if (rc)
977 goto out;
978 isec->sid = sid;
979 }
980 }
981 break;
982 }
983
984 isec->initialized = 1;
985
986out:
987 if (isec->sclass == SECCLASS_FILE)
988 isec->sclass = inode_mode_to_security_class(inode->i_mode);
989
990 if (hold_sem)
991 up(&isec->sem);
992 return rc;
993}
994
995/* Convert a Linux signal to an access vector. */
996static inline u32 signal_to_av(int sig)
997{
998 u32 perm = 0;
999
1000 switch (sig) {
1001 case SIGCHLD:
1002 /* Commonly granted from child to parent. */
1003 perm = PROCESS__SIGCHLD;
1004 break;
1005 case SIGKILL:
1006 /* Cannot be caught or ignored */
1007 perm = PROCESS__SIGKILL;
1008 break;
1009 case SIGSTOP:
1010 /* Cannot be caught or ignored */
1011 perm = PROCESS__SIGSTOP;
1012 break;
1013 default:
1014 /* All other signals. */
1015 perm = PROCESS__SIGNAL;
1016 break;
1017 }
1018
1019 return perm;
1020}
1021
1022/* Check permission betweeen a pair of tasks, e.g. signal checks,
1023 fork check, ptrace check, etc. */
1024static int task_has_perm(struct task_struct *tsk1,
1025 struct task_struct *tsk2,
1026 u32 perms)
1027{
1028 struct task_security_struct *tsec1, *tsec2;
1029
1030 tsec1 = tsk1->security;
1031 tsec2 = tsk2->security;
1032 return avc_has_perm(tsec1->sid, tsec2->sid,
1033 SECCLASS_PROCESS, perms, NULL);
1034}
1035
1036/* Check whether a task is allowed to use a capability. */
1037static int task_has_capability(struct task_struct *tsk,
1038 int cap)
1039{
1040 struct task_security_struct *tsec;
1041 struct avc_audit_data ad;
1042
1043 tsec = tsk->security;
1044
1045 AVC_AUDIT_DATA_INIT(&ad,CAP);
1046 ad.tsk = tsk;
1047 ad.u.cap = cap;
1048
1049 return avc_has_perm(tsec->sid, tsec->sid,
1050 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1051}
1052
1053/* Check whether a task is allowed to use a system operation. */
1054static int task_has_system(struct task_struct *tsk,
1055 u32 perms)
1056{
1057 struct task_security_struct *tsec;
1058
1059 tsec = tsk->security;
1060
1061 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1062 SECCLASS_SYSTEM, perms, NULL);
1063}
1064
1065/* Check whether a task has a particular permission to an inode.
1066 The 'adp' parameter is optional and allows other audit
1067 data to be passed (e.g. the dentry). */
1068static int inode_has_perm(struct task_struct *tsk,
1069 struct inode *inode,
1070 u32 perms,
1071 struct avc_audit_data *adp)
1072{
1073 struct task_security_struct *tsec;
1074 struct inode_security_struct *isec;
1075 struct avc_audit_data ad;
1076
1077 tsec = tsk->security;
1078 isec = inode->i_security;
1079
1080 if (!adp) {
1081 adp = &ad;
1082 AVC_AUDIT_DATA_INIT(&ad, FS);
1083 ad.u.fs.inode = inode;
1084 }
1085
1086 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1087}
1088
1089/* Same as inode_has_perm, but pass explicit audit data containing
1090 the dentry to help the auditing code to more easily generate the
1091 pathname if needed. */
1092static inline int dentry_has_perm(struct task_struct *tsk,
1093 struct vfsmount *mnt,
1094 struct dentry *dentry,
1095 u32 av)
1096{
1097 struct inode *inode = dentry->d_inode;
1098 struct avc_audit_data ad;
1099 AVC_AUDIT_DATA_INIT(&ad,FS);
1100 ad.u.fs.mnt = mnt;
1101 ad.u.fs.dentry = dentry;
1102 return inode_has_perm(tsk, inode, av, &ad);
1103}
1104
1105/* Check whether a task can use an open file descriptor to
1106 access an inode in a given way. Check access to the
1107 descriptor itself, and then use dentry_has_perm to
1108 check a particular permission to the file.
1109 Access to the descriptor is implicitly granted if it
1110 has the same SID as the process. If av is zero, then
1111 access to the file is not checked, e.g. for cases
1112 where only the descriptor is affected like seek. */
858119e1 1113static int file_has_perm(struct task_struct *tsk,
1da177e4
LT		 1114 struct file *file,
1115 u32 av)
1116{
1117 struct task_security_struct *tsec = tsk->security;
1118 struct file_security_struct *fsec = file->f_security;
1119 struct vfsmount *mnt = file->f_vfsmnt;
1120 struct dentry *dentry = file->f_dentry;
1121 struct inode *inode = dentry->d_inode;
1122 struct avc_audit_data ad;
1123 int rc;
1124
1125 AVC_AUDIT_DATA_INIT(&ad, FS);
1126 ad.u.fs.mnt = mnt;
1127 ad.u.fs.dentry = dentry;
1128
1129 if (tsec->sid != fsec->sid) {
1130 rc = avc_has_perm(tsec->sid, fsec->sid,
1131 SECCLASS_FD,
1132 FD__USE,
1133 &ad);
1134 if (rc)
1135 return rc;
1136 }
1137
1138 /* av is zero if only checking access to the descriptor. */
1139 if (av)
1140 return inode_has_perm(tsk, inode, av, &ad);
1141
1142 return 0;
1143}
1144
1145/* Check whether a task can create a file. */
1146static int may_create(struct inode *dir,
1147 struct dentry *dentry,
1148 u16 tclass)
1149{
1150 struct task_security_struct *tsec;
1151 struct inode_security_struct *dsec;
1152 struct superblock_security_struct *sbsec;
1153 u32 newsid;
1154 struct avc_audit_data ad;
1155 int rc;
1156
1157 tsec = current->security;
1158 dsec = dir->i_security;
1159 sbsec = dir->i_sb->s_security;
1160
1161 AVC_AUDIT_DATA_INIT(&ad, FS);
1162 ad.u.fs.dentry = dentry;
1163
1164 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1165 DIR__ADD_NAME | DIR__SEARCH,
1166 &ad);
1167 if (rc)
1168 return rc;
1169
1170 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1171 newsid = tsec->create_sid;
1172 } else {
1173 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1174 &newsid);
1175 if (rc)
1176 return rc;
1177 }
1178
1179 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1180 if (rc)
1181 return rc;
1182
1183 return avc_has_perm(newsid, sbsec->sid,
1184 SECCLASS_FILESYSTEM,
1185 FILESYSTEM__ASSOCIATE, &ad);
1186}
1187
4eb582cf
ML		 1188/* Check whether a task can create a key. */
1189static int may_create_key(u32 ksid,
1190 struct task_struct *ctx)
1191{
1192 struct task_security_struct *tsec;
1193
1194 tsec = ctx->security;
1195
1196 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1197}
1198
1da177e4
LT		 1199#define MAY_LINK 0
1200#define MAY_UNLINK 1
1201#define MAY_RMDIR 2
1202
1203/* Check whether a task can link, unlink, or rmdir a file/directory. */
1204static int may_link(struct inode *dir,
1205 struct dentry *dentry,
1206 int kind)
1207
1208{
1209 struct task_security_struct *tsec;
1210 struct inode_security_struct *dsec, *isec;
1211 struct avc_audit_data ad;
1212 u32 av;
1213 int rc;
1214
1215 tsec = current->security;
1216 dsec = dir->i_security;
1217 isec = dentry->d_inode->i_security;
1218
1219 AVC_AUDIT_DATA_INIT(&ad, FS);
1220 ad.u.fs.dentry = dentry;
1221
1222 av = DIR__SEARCH;
1223 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1224 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1225 if (rc)
1226 return rc;
1227
1228 switch (kind) {
1229 case MAY_LINK:
1230 av = FILE__LINK;
1231 break;
1232 case MAY_UNLINK:
1233 av = FILE__UNLINK;
1234 break;
1235 case MAY_RMDIR:
1236 av = DIR__RMDIR;
1237 break;
1238 default:
1239 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1240 return 0;
1241 }
1242
1243 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1244 return rc;
1245}
1246
1247static inline int may_rename(struct inode *old_dir,
1248 struct dentry *old_dentry,
1249 struct inode *new_dir,
1250 struct dentry *new_dentry)
1251{
1252 struct task_security_struct *tsec;
1253 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1254 struct avc_audit_data ad;
1255 u32 av;
1256 int old_is_dir, new_is_dir;
1257 int rc;
1258
1259 tsec = current->security;
1260 old_dsec = old_dir->i_security;
1261 old_isec = old_dentry->d_inode->i_security;
1262 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1263 new_dsec = new_dir->i_security;
1264
1265 AVC_AUDIT_DATA_INIT(&ad, FS);
1266
1267 ad.u.fs.dentry = old_dentry;
1268 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1269 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1270 if (rc)
1271 return rc;
1272 rc = avc_has_perm(tsec->sid, old_isec->sid,
1273 old_isec->sclass, FILE__RENAME, &ad);
1274 if (rc)
1275 return rc;
1276 if (old_is_dir && new_dir != old_dir) {
1277 rc = avc_has_perm(tsec->sid, old_isec->sid,
1278 old_isec->sclass, DIR__REPARENT, &ad);
1279 if (rc)
1280 return rc;
1281 }
1282
1283 ad.u.fs.dentry = new_dentry;
1284 av = DIR__ADD_NAME | DIR__SEARCH;
1285 if (new_dentry->d_inode)
1286 av |= DIR__REMOVE_NAME;
1287 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1288 if (rc)
1289 return rc;
1290 if (new_dentry->d_inode) {
1291 new_isec = new_dentry->d_inode->i_security;
1292 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1293 rc = avc_has_perm(tsec->sid, new_isec->sid,
1294 new_isec->sclass,
1295 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1296 if (rc)
1297 return rc;
1298 }
1299
1300 return 0;
1301}
1302
1303/* Check whether a task can perform a filesystem operation. */
1304static int superblock_has_perm(struct task_struct *tsk,
1305 struct super_block *sb,
1306 u32 perms,
1307 struct avc_audit_data *ad)
1308{
1309 struct task_security_struct *tsec;
1310 struct superblock_security_struct *sbsec;
1311
1312 tsec = tsk->security;
1313 sbsec = sb->s_security;
1314 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1315 perms, ad);
1316}
1317
1318/* Convert a Linux mode and permission mask to an access vector. */
1319static inline u32 file_mask_to_av(int mode, int mask)
1320{
1321 u32 av = 0;
1322
1323 if ((mode & S_IFMT) != S_IFDIR) {
1324 if (mask & MAY_EXEC)
1325 av |= FILE__EXECUTE;
1326 if (mask & MAY_READ)
1327 av |= FILE__READ;
1328
1329 if (mask & MAY_APPEND)
1330 av |= FILE__APPEND;
1331 else if (mask & MAY_WRITE)
1332 av |= FILE__WRITE;
1333
1334 } else {
1335 if (mask & MAY_EXEC)
1336 av |= DIR__SEARCH;
1337 if (mask & MAY_WRITE)
1338 av |= DIR__WRITE;
1339 if (mask & MAY_READ)
1340 av |= DIR__READ;
1341 }
1342
1343 return av;
1344}
1345
1346/* Convert a Linux file to an access vector. */
1347static inline u32 file_to_av(struct file *file)
1348{
1349 u32 av = 0;
1350
1351 if (file->f_mode & FMODE_READ)
1352 av |= FILE__READ;
1353 if (file->f_mode & FMODE_WRITE) {
1354 if (file->f_flags & O_APPEND)
1355 av |= FILE__APPEND;
1356 else
1357 av |= FILE__WRITE;
1358 }
1359
1360 return av;
1361}
1362
1363/* Set an inode's SID to a specified value. */
1364static int inode_security_set_sid(struct inode *inode, u32 sid)
1365{
1366 struct inode_security_struct *isec = inode->i_security;
1367 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1368
1369 if (!sbsec->initialized) {
1370 /* Defer initialization to selinux_complete_init. */
1371 return 0;
1372 }
1373
1374 down(&isec->sem);
1375 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1376 isec->sid = sid;
1377 isec->initialized = 1;
1378 up(&isec->sem);
1379 return 0;
1380}
1381
1da177e4
LT		 1382/* Hook functions begin here. */
1383
1384static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1385{
1386 struct task_security_struct *psec = parent->security;
1387 struct task_security_struct *csec = child->security;
1388 int rc;
1389
1390 rc = secondary_ops->ptrace(parent,child);
1391 if (rc)
1392 return rc;
1393
1394 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1395 /* Save the SID of the tracing process for later use in apply_creds. */
341c2d80 1396 if (!(child->ptrace & PT_PTRACED) && !rc)
1da177e4
LT		 1397 csec->ptrace_sid = psec->sid;
1398 return rc;
1399}
1400
1401static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1402 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1403{
1404 int error;
1405
1406 error = task_has_perm(current, target, PROCESS__GETCAP);
1407 if (error)
1408 return error;
1409
1410 return secondary_ops->capget(target, effective, inheritable, permitted);
1411}
1412
1413static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1414 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1415{
1416 int error;
1417
1418 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1419 if (error)
1420 return error;
1421
1422 return task_has_perm(current, target, PROCESS__SETCAP);
1423}
1424
1425static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1426 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1427{
1428 secondary_ops->capset_set(target, effective, inheritable, permitted);
1429}
1430
1431static int selinux_capable(struct task_struct *tsk, int cap)
1432{
1433 int rc;
1434
1435 rc = secondary_ops->capable(tsk, cap);
1436 if (rc)
1437 return rc;
1438
1439 return task_has_capability(tsk,cap);
1440}
1441
1442static int selinux_sysctl(ctl_table *table, int op)
1443{
1444 int error = 0;
1445 u32 av;
1446 struct task_security_struct *tsec;
1447 u32 tsid;
1448 int rc;
1449
1450 rc = secondary_ops->sysctl(table, op);
1451 if (rc)
1452 return rc;
1453
1454 tsec = current->security;
1455
1456 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1457 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1458 if (rc) {
1459 /* Default to the well-defined sysctl SID. */
1460 tsid = SECINITSID_SYSCTL;
1461 }
1462
1463 /* The op values are "defined" in sysctl.c, thereby creating
1464 * a bad coupling between this module and sysctl.c */
1465 if(op == 001) {
1466 error = avc_has_perm(tsec->sid, tsid,
1467 SECCLASS_DIR, DIR__SEARCH, NULL);
1468 } else {
1469 av = 0;
1470 if (op & 004)
1471 av |= FILE__READ;
1472 if (op & 002)
1473 av |= FILE__WRITE;
1474 if (av)
1475 error = avc_has_perm(tsec->sid, tsid,
1476 SECCLASS_FILE, av, NULL);
1477 }
1478
1479 return error;
1480}
1481
1482static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1483{
1484 int rc = 0;
1485
1486 if (!sb)
1487 return 0;
1488
1489 switch (cmds) {
1490 case Q_SYNC:
1491 case Q_QUOTAON:
1492 case Q_QUOTAOFF:
1493 case Q_SETINFO:
1494 case Q_SETQUOTA:
1495 rc = superblock_has_perm(current,
1496 sb,
1497 FILESYSTEM__QUOTAMOD, NULL);
1498 break;
1499 case Q_GETFMT:
1500 case Q_GETINFO:
1501 case Q_GETQUOTA:
1502 rc = superblock_has_perm(current,
1503 sb,
1504 FILESYSTEM__QUOTAGET, NULL);
1505 break;
1506 default:
1507 rc = 0; /* let the kernel handle invalid cmds */
1508 break;
1509 }
1510 return rc;
1511}
1512
1513static int selinux_quota_on(struct dentry *dentry)
1514{
1515 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1516}
1517
1518static int selinux_syslog(int type)
1519{
1520 int rc;
1521
1522 rc = secondary_ops->syslog(type);
1523 if (rc)
1524 return rc;
1525
1526 switch (type) {
1527 case 3: /* Read last kernel messages */
1528 case 10: /* Return size of the log buffer */
1529 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1530 break;
1531 case 6: /* Disable logging to console */
1532 case 7: /* Enable logging to console */
1533 case 8: /* Set level of messages printed to console */
1534 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1535 break;
1536 case 0: /* Close log */
1537 case 1: /* Open log */
1538 case 2: /* Read from log */
1539 case 4: /* Read/clear last kernel messages */
1540 case 5: /* Clear ring buffer */
1541 default:
1542 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1543 break;
1544 }
1545 return rc;
1546}
1547
1548/*
1549 * Check that a process has enough memory to allocate a new virtual
1550 * mapping. 0 means there is enough memory for the allocation to
1551 * succeed and -ENOMEM implies there is not.
1552 *
1553 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1554 * if the capability is granted, but __vm_enough_memory requires 1 if
1555 * the capability is granted.
1556 *
1557 * Do not audit the selinux permission check, as this is applied to all
1558 * processes that allocate mappings.
1559 */
1560static int selinux_vm_enough_memory(long pages)
1561{
1562 int rc, cap_sys_admin = 0;
1563 struct task_security_struct *tsec = current->security;
1564
1565 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1566 if (rc == 0)
1567 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1568 SECCLASS_CAPABILITY,
1569 CAP_TO_MASK(CAP_SYS_ADMIN),
1570 NULL);
1571
1572 if (rc == 0)
1573 cap_sys_admin = 1;
1574
1575 return __vm_enough_memory(pages, cap_sys_admin);
1576}
1577
1578/* binprm security operations */
1579
1580static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1581{
1582 struct bprm_security_struct *bsec;
1583
89d155ef 1584 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1da177e4
LT		 1585 if (!bsec)
1586 return -ENOMEM;
1587
1da177e4
LT		 1588 bsec->bprm = bprm;
1589 bsec->sid = SECINITSID_UNLABELED;
1590 bsec->set = 0;
1591
1592 bprm->security = bsec;
1593 return 0;
1594}
1595
1596static int selinux_bprm_set_security(struct linux_binprm *bprm)
1597{
1598 struct task_security_struct *tsec;
1599 struct inode *inode = bprm->file->f_dentry->d_inode;
1600 struct inode_security_struct *isec;
1601 struct bprm_security_struct *bsec;
1602 u32 newsid;
1603 struct avc_audit_data ad;
1604 int rc;
1605
1606 rc = secondary_ops->bprm_set_security(bprm);
1607 if (rc)
1608 return rc;
1609
1610 bsec = bprm->security;
1611
1612 if (bsec->set)
1613 return 0;
1614
1615 tsec = current->security;
1616 isec = inode->i_security;
1617
1618 /* Default to the current task SID. */
1619 bsec->sid = tsec->sid;
1620
28eba5bf 1621 /* Reset fs, key, and sock SIDs on execve. */
1da177e4 1622 tsec->create_sid = 0;
28eba5bf 1623 tsec->keycreate_sid = 0;
42c3e03e 1624 tsec->sockcreate_sid = 0;
1da177e4
LT		 1625
1626 if (tsec->exec_sid) {
1627 newsid = tsec->exec_sid;
1628 /* Reset exec SID on execve. */
1629 tsec->exec_sid = 0;
1630 } else {
1631 /* Check for a default transition on this program. */
1632 rc = security_transition_sid(tsec->sid, isec->sid,
1633 SECCLASS_PROCESS, &newsid);
1634 if (rc)
1635 return rc;
1636 }
1637
1638 AVC_AUDIT_DATA_INIT(&ad, FS);
1639 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1640 ad.u.fs.dentry = bprm->file->f_dentry;
1641
1642 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1643 newsid = tsec->sid;
1644
1645 if (tsec->sid == newsid) {
1646 rc = avc_has_perm(tsec->sid, isec->sid,
1647 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1648 if (rc)
1649 return rc;
1650 } else {
1651 /* Check permissions for the transition. */
1652 rc = avc_has_perm(tsec->sid, newsid,
1653 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1654 if (rc)
1655 return rc;
1656
1657 rc = avc_has_perm(newsid, isec->sid,
1658 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1659 if (rc)
1660 return rc;
1661
1662 /* Clear any possibly unsafe personality bits on exec: */
1663 current->personality &= ~PER_CLEAR_ON_SETID;
1664
1665 /* Set the security field to the new SID. */
1666 bsec->sid = newsid;
1667 }
1668
1669 bsec->set = 1;
1670 return 0;
1671}
1672
1673static int selinux_bprm_check_security (struct linux_binprm *bprm)
1674{
1675 return secondary_ops->bprm_check_security(bprm);
1676}
1677
1678
1679static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1680{
1681 struct task_security_struct *tsec = current->security;
1682 int atsecure = 0;
1683
1684 if (tsec->osid != tsec->sid) {
1685 /* Enable secure mode for SIDs transitions unless
1686 the noatsecure permission is granted between
1687 the two SIDs, i.e. ahp returns 0. */
1688 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1689 SECCLASS_PROCESS,
1690 PROCESS__NOATSECURE, NULL);
1691 }
1692
1693 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1694}
1695
1696static void selinux_bprm_free_security(struct linux_binprm *bprm)
1697{
9a5f04bf 1698 kfree(bprm->security);
1da177e4 1699 bprm->security = NULL;
1da177e4
LT		 1700}
1701
1702extern struct vfsmount *selinuxfs_mount;
1703extern struct dentry *selinux_null;
1704
1705/* Derived from fs/exec.c:flush_old_files. */
1706static inline void flush_unauthorized_files(struct files_struct * files)
1707{
1708 struct avc_audit_data ad;
1709 struct file *file, *devnull = NULL;
1710 struct tty_struct *tty = current->signal->tty;
badf1662 1711 struct fdtable *fdt;
1da177e4
LT		 1712 long j = -1;
1713
1714 if (tty) {
1715 file_list_lock();
2f512016 1716 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1da177e4
LT		 1717 if (file) {
1718 /* Revalidate access to controlling tty.
1719 Use inode_has_perm on the tty inode directly rather
1720 than using file_has_perm, as this particular open
1721 file may belong to another process and we are only
1722 interested in the inode-based check here. */
1723 struct inode *inode = file->f_dentry->d_inode;
1724 if (inode_has_perm(current, inode,
1725 FILE__READ | FILE__WRITE, NULL)) {
1726 /* Reset controlling tty. */
1727 current->signal->tty = NULL;
1728 current->signal->tty_old_pgrp = 0;
1729 }
1730 }
1731 file_list_unlock();
1732 }
1733
1734 /* Revalidate access to inherited open files. */
1735
1736 AVC_AUDIT_DATA_INIT(&ad,FS);
1737
1738 spin_lock(&files->file_lock);
1739 for (;;) {
1740 unsigned long set, i;
1741 int fd;
1742
1743 j++;
1744 i = j * __NFDBITS;
badf1662
DS		 1745 fdt = files_fdtable(files);
1746 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1da177e4 1747 break;
badf1662 1748 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 1749 if (!set)
1750 continue;
1751 spin_unlock(&files->file_lock);
1752 for ( ; set ; i++,set >>= 1) {
1753 if (set & 1) {
1754 file = fget(i);
1755 if (!file)
1756 continue;
1757 if (file_has_perm(current,
1758 file,
1759 file_to_av(file))) {
1760 sys_close(i);
1761 fd = get_unused_fd();
1762 if (fd != i) {
1763 if (fd >= 0)
1764 put_unused_fd(fd);
1765 fput(file);
1766 continue;
1767 }
1768 if (devnull) {
095975da 1769 get_file(devnull);
1da177e4
LT		 1770 } else {
1771 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1772 if (!devnull) {
1773 put_unused_fd(fd);
1774 fput(file);
1775 continue;
1776 }
1777 }
1778 fd_install(fd, devnull);
1779 }
1780 fput(file);
1781 }
1782 }
1783 spin_lock(&files->file_lock);
1784
1785 }
1786 spin_unlock(&files->file_lock);
1787}
1788
1789static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1790{
1791 struct task_security_struct *tsec;
1792 struct bprm_security_struct *bsec;
1793 u32 sid;
1794 int rc;
1795
1796 secondary_ops->bprm_apply_creds(bprm, unsafe);
1797
1798 tsec = current->security;
1799
1800 bsec = bprm->security;
1801 sid = bsec->sid;
1802
1803 tsec->osid = tsec->sid;
1804 bsec->unsafe = 0;
1805 if (tsec->sid != sid) {
1806 /* Check for shared state. If not ok, leave SID
1807 unchanged and kill. */
1808 if (unsafe & LSM_UNSAFE_SHARE) {
1809 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1810 PROCESS__SHARE, NULL);
1811 if (rc) {
1812 bsec->unsafe = 1;
1813 return;
1814 }
1815 }
1816
1817 /* Check for ptracing, and update the task SID if ok.
1818 Otherwise, leave SID unchanged and kill. */
1819 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1820 rc = avc_has_perm(tsec->ptrace_sid, sid,
1821 SECCLASS_PROCESS, PROCESS__PTRACE,
1822 NULL);
1823 if (rc) {
1824 bsec->unsafe = 1;
1825 return;
1826 }
1827 }
1828 tsec->sid = sid;
1829 }
1830}
1831
1832/*
1833 * called after apply_creds without the task lock held
1834 */
1835static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1836{
1837 struct task_security_struct *tsec;
1838 struct rlimit *rlim, *initrlim;
1839 struct itimerval itimer;
1840 struct bprm_security_struct *bsec;
1841 int rc, i;
1842
1843 tsec = current->security;
1844 bsec = bprm->security;
1845
1846 if (bsec->unsafe) {
1847 force_sig_specific(SIGKILL, current);
1848 return;
1849 }
1850 if (tsec->osid == tsec->sid)
1851 return;
1852
1853 /* Close files for which the new task SID is not authorized. */
1854 flush_unauthorized_files(current->files);
1855
1856 /* Check whether the new SID can inherit signal state
1857 from the old SID. If not, clear itimers to avoid
1858 subsequent signal generation and flush and unblock
1859 signals. This must occur _after_ the task SID has
1860 been updated so that any kill done after the flush
1861 will be checked against the new SID. */
1862 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1863 PROCESS__SIGINH, NULL);
1864 if (rc) {
1865 memset(&itimer, 0, sizeof itimer);
1866 for (i = 0; i < 3; i++)
1867 do_setitimer(i, &itimer, NULL);
1868 flush_signals(current);
1869 spin_lock_irq(&current->sighand->siglock);
1870 flush_signal_handlers(current, 1);
1871 sigemptyset(&current->blocked);
1872 recalc_sigpending();
1873 spin_unlock_irq(&current->sighand->siglock);
1874 }
1875
1876 /* Check whether the new SID can inherit resource limits
1877 from the old SID. If not, reset all soft limits to
1878 the lower of the current task's hard limit and the init
1879 task's soft limit. Note that the setting of hard limits
1880 (even to lower them) can be controlled by the setrlimit
1881 check. The inclusion of the init task's soft limit into
1882 the computation is to avoid resetting soft limits higher
1883 than the default soft limit for cases where the default
1884 is lower than the hard limit, e.g. RLIMIT_CORE or
1885 RLIMIT_STACK.*/
1886 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1887 PROCESS__RLIMITINH, NULL);
1888 if (rc) {
1889 for (i = 0; i < RLIM_NLIMITS; i++) {
1890 rlim = current->signal->rlim + i;
1891 initrlim = init_task.signal->rlim+i;
1892 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1893 }
1894 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1895 /*
1896 * This will cause RLIMIT_CPU calculations
1897 * to be refigured.
1898 */
1899 current->it_prof_expires = jiffies_to_cputime(1);
1900 }
1901 }
1902
1903 /* Wake up the parent if it is waiting so that it can
1904 recheck wait permission to the new task SID. */
1905 wake_up_interruptible(&current->parent->signal->wait_chldexit);
1906}
1907
1908/* superblock security operations */
1909
1910static int selinux_sb_alloc_security(struct super_block *sb)
1911{
1912 return superblock_alloc_security(sb);
1913}
1914
1915static void selinux_sb_free_security(struct super_block *sb)
1916{
1917 superblock_free_security(sb);
1918}
1919
1920static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1921{
1922 if (plen > olen)
1923 return 0;
1924
1925 return !memcmp(prefix, option, plen);
1926}
1927
1928static inline int selinux_option(char *option, int len)
1929{
1930 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1931 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
0808925e
EP		 1932 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
1933 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
1da177e4
LT		 1934}
1935
1936static inline void take_option(char **to, char *from, int *first, int len)
1937{
1938 if (!*first) {
1939 **to = ',';
1940 *to += 1;
1941 }
1942 else
1943 *first = 0;
1944 memcpy(*to, from, len);
1945 *to += len;
1946}
1947
1948static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1949{
1950 int fnosec, fsec, rc = 0;
1951 char *in_save, *in_curr, *in_end;
1952 char *sec_curr, *nosec_save, *nosec;
1953
1954 in_curr = orig;
1955 sec_curr = copy;
1956
1957 /* Binary mount data: just copy */
1958 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1959 copy_page(sec_curr, in_curr);
1960 goto out;
1961 }
1962
1963 nosec = (char *)get_zeroed_page(GFP_KERNEL);
1964 if (!nosec) {
1965 rc = -ENOMEM;
1966 goto out;
1967 }
1968
1969 nosec_save = nosec;
1970 fnosec = fsec = 1;
1971 in_save = in_end = orig;
1972
1973 do {
1974 if (*in_end == ',' || *in_end == '\0') {
1975 int len = in_end - in_curr;
1976
1977 if (selinux_option(in_curr, len))
1978 take_option(&sec_curr, in_curr, &fsec, len);
1979 else
1980 take_option(&nosec, in_curr, &fnosec, len);
1981
1982 in_curr = in_end + 1;
1983 }
1984 } while (*in_end++);
1985
6931dfc9 1986 strcpy(in_save, nosec_save);
da3caa20 1987 free_page((unsigned long)nosec_save);
1da177e4
LT		 1988out:
1989 return rc;
1990}
1991
1992static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1993{
1994 struct avc_audit_data ad;
1995 int rc;
1996
1997 rc = superblock_doinit(sb, data);
1998 if (rc)
1999 return rc;
2000
2001 AVC_AUDIT_DATA_INIT(&ad,FS);
2002 ad.u.fs.dentry = sb->s_root;
2003 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2004}
2005
726c3342 2006static int selinux_sb_statfs(struct dentry *dentry)
1da177e4
LT		 2007{
2008 struct avc_audit_data ad;
2009
2010 AVC_AUDIT_DATA_INIT(&ad,FS);
726c3342
DH		 2011 ad.u.fs.dentry = dentry->d_sb->s_root;
2012 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2013}
2014
2015static int selinux_mount(char * dev_name,
2016 struct nameidata *nd,
2017 char * type,
2018 unsigned long flags,
2019 void * data)
2020{
2021 int rc;
2022
2023 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2024 if (rc)
2025 return rc;
2026
2027 if (flags & MS_REMOUNT)
2028 return superblock_has_perm(current, nd->mnt->mnt_sb,
2029 FILESYSTEM__REMOUNT, NULL);
2030 else
2031 return dentry_has_perm(current, nd->mnt, nd->dentry,
2032 FILE__MOUNTON);
2033}
2034
2035static int selinux_umount(struct vfsmount *mnt, int flags)
2036{
2037 int rc;
2038
2039 rc = secondary_ops->sb_umount(mnt, flags);
2040 if (rc)
2041 return rc;
2042
2043 return superblock_has_perm(current,mnt->mnt_sb,
2044 FILESYSTEM__UNMOUNT,NULL);
2045}
2046
2047/* inode security operations */
2048
2049static int selinux_inode_alloc_security(struct inode *inode)
2050{
2051 return inode_alloc_security(inode);
2052}
2053
2054static void selinux_inode_free_security(struct inode *inode)
2055{
2056 inode_free_security(inode);
2057}
2058
5e41ff9e
SS		 2059static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2060 char **name, void **value,
2061 size_t *len)
2062{
2063 struct task_security_struct *tsec;
2064 struct inode_security_struct *dsec;
2065 struct superblock_security_struct *sbsec;
570bc1c2 2066 u32 newsid, clen;
5e41ff9e 2067 int rc;
570bc1c2 2068 char *namep = NULL, *context;
5e41ff9e
SS		 2069
2070 tsec = current->security;
2071 dsec = dir->i_security;
2072 sbsec = dir->i_sb->s_security;
5e41ff9e
SS		 2073
2074 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2075 newsid = tsec->create_sid;
2076 } else {
2077 rc = security_transition_sid(tsec->sid, dsec->sid,
2078 inode_mode_to_security_class(inode->i_mode),
2079 &newsid);
2080 if (rc) {
2081 printk(KERN_WARNING "%s: "
2082 "security_transition_sid failed, rc=%d (dev=%s "
2083 "ino=%ld)\n",
2084 __FUNCTION__,
2085 -rc, inode->i_sb->s_id, inode->i_ino);
2086 return rc;
2087 }
2088 }
2089
2090 inode_security_set_sid(inode, newsid);
2091
8aad3875 2092 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
25a74f3b
SS		 2093 return -EOPNOTSUPP;
2094
570bc1c2
SS		 2095 if (name) {
2096 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2097 if (!namep)
2098 return -ENOMEM;
2099 *name = namep;
2100 }
5e41ff9e 2101
570bc1c2
SS		 2102 if (value && len) {
2103 rc = security_sid_to_context(newsid, &context, &clen);
2104 if (rc) {
2105 kfree(namep);
2106 return rc;
2107 }
2108 *value = context;
2109 *len = clen;
5e41ff9e 2110 }
5e41ff9e 2111
5e41ff9e
SS		 2112 return 0;
2113}
2114
1da177e4
LT		 2115static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2116{
2117 return may_create(dir, dentry, SECCLASS_FILE);
2118}
2119
1da177e4
LT		 2120static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2121{
2122 int rc;
2123
2124 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2125 if (rc)
2126 return rc;
2127 return may_link(dir, old_dentry, MAY_LINK);
2128}
2129
1da177e4
LT		 2130static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2131{
2132 int rc;
2133
2134 rc = secondary_ops->inode_unlink(dir, dentry);
2135 if (rc)
2136 return rc;
2137 return may_link(dir, dentry, MAY_UNLINK);
2138}
2139
2140static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2141{
2142 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2143}
2144
1da177e4
LT		 2145static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2146{
2147 return may_create(dir, dentry, SECCLASS_DIR);
2148}
2149
1da177e4
LT		 2150static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2151{
2152 return may_link(dir, dentry, MAY_RMDIR);
2153}
2154
2155static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2156{
2157 int rc;
2158
2159 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2160 if (rc)
2161 return rc;
2162
2163 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2164}
2165
1da177e4
LT		 2166static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2167 struct inode *new_inode, struct dentry *new_dentry)
2168{
2169 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2170}
2171
1da177e4
LT		 2172static int selinux_inode_readlink(struct dentry *dentry)
2173{
2174 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2175}
2176
2177static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2178{
2179 int rc;
2180
2181 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2182 if (rc)
2183 return rc;
2184 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2185}
2186
2187static int selinux_inode_permission(struct inode *inode, int mask,
2188 struct nameidata *nd)
2189{
2190 int rc;
2191
2192 rc = secondary_ops->inode_permission(inode, mask, nd);
2193 if (rc)
2194 return rc;
2195
2196 if (!mask) {
2197 /* No permission to check. Existence test. */
2198 return 0;
2199 }
2200
2201 return inode_has_perm(current, inode,
2202 file_mask_to_av(inode->i_mode, mask), NULL);
2203}
2204
2205static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2206{
2207 int rc;
2208
2209 rc = secondary_ops->inode_setattr(dentry, iattr);
2210 if (rc)
2211 return rc;
2212
2213 if (iattr->ia_valid & ATTR_FORCE)
2214 return 0;
2215
2216 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2217 ATTR_ATIME_SET | ATTR_MTIME_SET))
2218 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2219
2220 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2221}
2222
2223static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2224{
2225 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2226}
2227
2228static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2229{
2230 struct task_security_struct *tsec = current->security;
2231 struct inode *inode = dentry->d_inode;
2232 struct inode_security_struct *isec = inode->i_security;
2233 struct superblock_security_struct *sbsec;
2234 struct avc_audit_data ad;
2235 u32 newsid;
2236 int rc = 0;
2237
2238 if (strcmp(name, XATTR_NAME_SELINUX)) {
2239 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2240 sizeof XATTR_SECURITY_PREFIX - 1) &&
2241 !capable(CAP_SYS_ADMIN)) {
2242 /* A different attribute in the security namespace.
2243 Restrict to administrator. */
2244 return -EPERM;
2245 }
2246
2247 /* Not an attribute we recognize, so just check the
2248 ordinary setattr permission. */
2249 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2250 }
2251
2252 sbsec = inode->i_sb->s_security;
2253 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2254 return -EOPNOTSUPP;
2255
2256 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2257 return -EPERM;
2258
2259 AVC_AUDIT_DATA_INIT(&ad,FS);
2260 ad.u.fs.dentry = dentry;
2261
2262 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2263 FILE__RELABELFROM, &ad);
2264 if (rc)
2265 return rc;
2266
2267 rc = security_context_to_sid(value, size, &newsid);
2268 if (rc)
2269 return rc;
2270
2271 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2272 FILE__RELABELTO, &ad);
2273 if (rc)
2274 return rc;
2275
2276 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2277 isec->sclass);
2278 if (rc)
2279 return rc;
2280
2281 return avc_has_perm(newsid,
2282 sbsec->sid,
2283 SECCLASS_FILESYSTEM,
2284 FILESYSTEM__ASSOCIATE,
2285 &ad);
2286}
2287
2288static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2289 void *value, size_t size, int flags)
2290{
2291 struct inode *inode = dentry->d_inode;
2292 struct inode_security_struct *isec = inode->i_security;
2293 u32 newsid;
2294 int rc;
2295
2296 if (strcmp(name, XATTR_NAME_SELINUX)) {
2297 /* Not an attribute we recognize, so nothing to do. */
2298 return;
2299 }
2300
2301 rc = security_context_to_sid(value, size, &newsid);
2302 if (rc) {
2303 printk(KERN_WARNING "%s: unable to obtain SID for context "
2304 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2305 return;
2306 }
2307
2308 isec->sid = newsid;
2309 return;
2310}
2311
2312static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2313{
1da177e4
LT		 2314 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2315}
2316
2317static int selinux_inode_listxattr (struct dentry *dentry)
2318{
2319 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2320}
2321
2322static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2323{
2324 if (strcmp(name, XATTR_NAME_SELINUX)) {
2325 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2326 sizeof XATTR_SECURITY_PREFIX - 1) &&
2327 !capable(CAP_SYS_ADMIN)) {
2328 /* A different attribute in the security namespace.
2329 Restrict to administrator. */
2330 return -EPERM;
2331 }
2332
2333 /* Not an attribute we recognize, so just check the
2334 ordinary setattr permission. Might want a separate
2335 permission for removexattr. */
2336 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2337 }
2338
2339 /* No one is allowed to remove a SELinux security label.
2340 You can change the label, but all data must be labeled. */
2341 return -EACCES;
2342}
2343
8c8570fb
DK		 2344static const char *selinux_inode_xattr_getsuffix(void)
2345{
2346 return XATTR_SELINUX_SUFFIX;
2347}
2348
d381d8a9
JM		 2349/*
2350 * Copy the in-core inode security context value to the user. If the
2351 * getxattr() prior to this succeeded, check to see if we need to
2352 * canonicalize the value to be finally returned to the user.
2353 *
2354 * Permission check is handled by selinux_inode_getxattr hook.
2355 */
7306a0b9 2356static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
1da177e4
LT		 2357{
2358 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2359
8c8570fb
DK		 2360 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2361 return -EOPNOTSUPP;
d381d8a9 2362
8c8570fb 2363 return selinux_getsecurity(isec->sid, buffer, size);
1da177e4
LT		 2364}
2365
2366static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2367 const void *value, size_t size, int flags)
2368{
2369 struct inode_security_struct *isec = inode->i_security;
2370 u32 newsid;
2371 int rc;
2372
2373 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2374 return -EOPNOTSUPP;
2375
2376 if (!value || !size)
2377 return -EACCES;
2378
2379 rc = security_context_to_sid((void*)value, size, &newsid);
2380 if (rc)
2381 return rc;
2382
2383 isec->sid = newsid;
2384 return 0;
2385}
2386
2387static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2388{
2389 const int len = sizeof(XATTR_NAME_SELINUX);
2390 if (buffer && len <= buffer_size)
2391 memcpy(buffer, XATTR_NAME_SELINUX, len);
2392 return len;
2393}
2394
2395/* file security operations */
2396
2397static int selinux_file_permission(struct file *file, int mask)
2398{
2399 struct inode *inode = file->f_dentry->d_inode;
2400
2401 if (!mask) {
2402 /* No permission to check. Existence test. */
2403 return 0;
2404 }
2405
2406 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2407 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2408 mask |= MAY_APPEND;
2409
2410 return file_has_perm(current, file,
2411 file_mask_to_av(inode->i_mode, mask));
2412}
2413
2414static int selinux_file_alloc_security(struct file *file)
2415{
2416 return file_alloc_security(file);
2417}
2418
2419static void selinux_file_free_security(struct file *file)
2420{
2421 file_free_security(file);
2422}
2423
2424static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2425 unsigned long arg)
2426{
2427 int error = 0;
2428
2429 switch (cmd) {
2430 case FIONREAD:
2431 /* fall through */
2432 case FIBMAP:
2433 /* fall through */
2434 case FIGETBSZ:
2435 /* fall through */
2436 case EXT2_IOC_GETFLAGS:
2437 /* fall through */
2438 case EXT2_IOC_GETVERSION:
2439 error = file_has_perm(current, file, FILE__GETATTR);
2440 break;
2441
2442 case EXT2_IOC_SETFLAGS:
2443 /* fall through */
2444 case EXT2_IOC_SETVERSION:
2445 error = file_has_perm(current, file, FILE__SETATTR);
2446 break;
2447
2448 /* sys_ioctl() checks */
2449 case FIONBIO:
2450 /* fall through */
2451 case FIOASYNC:
2452 error = file_has_perm(current, file, 0);
2453 break;
2454
2455 case KDSKBENT:
2456 case KDSKBSENT:
2457 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2458 break;
2459
2460 /* default case assumes that the command will go
2461 * to the file's ioctl() function.
2462 */
2463 default:
2464 error = file_has_perm(current, file, FILE__IOCTL);
2465
2466 }
2467 return error;
2468}
2469
2470static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2471{
2472#ifndef CONFIG_PPC32
2473 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2474 /*
2475 * We are making executable an anonymous mapping or a
2476 * private file mapping that will also be writable.
2477 * This has an additional check.
2478 */
2479 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2480 if (rc)
2481 return rc;
2482 }
2483#endif
2484
2485 if (file) {
2486 /* read access is always possible with a mapping */
2487 u32 av = FILE__READ;
2488
2489 /* write access only matters if the mapping is shared */
2490 if (shared && (prot & PROT_WRITE))
2491 av |= FILE__WRITE;
2492
2493 if (prot & PROT_EXEC)
2494 av |= FILE__EXECUTE;
2495
2496 return file_has_perm(current, file, av);
2497 }
2498 return 0;
2499}
2500
2501static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2502 unsigned long prot, unsigned long flags)
2503{
2504 int rc;
2505
2506 rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2507 if (rc)
2508 return rc;
2509
2510 if (selinux_checkreqprot)
2511 prot = reqprot;
2512
2513 return file_map_prot_check(file, prot,
2514 (flags & MAP_TYPE) == MAP_SHARED);
2515}
2516
2517static int selinux_file_mprotect(struct vm_area_struct *vma,
2518 unsigned long reqprot,
2519 unsigned long prot)
2520{
2521 int rc;
2522
2523 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2524 if (rc)
2525 return rc;
2526
2527 if (selinux_checkreqprot)
2528 prot = reqprot;
2529
2530#ifndef CONFIG_PPC32
db4c9641
SS		 2531 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2532 rc = 0;
2533 if (vma->vm_start >= vma->vm_mm->start_brk &&
2534 vma->vm_end <= vma->vm_mm->brk) {
2535 rc = task_has_perm(current, current,
2536 PROCESS__EXECHEAP);
2537 } else if (!vma->vm_file &&
2538 vma->vm_start <= vma->vm_mm->start_stack &&
2539 vma->vm_end >= vma->vm_mm->start_stack) {
2540 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2541 } else if (vma->vm_file && vma->anon_vma) {
2542 /*
2543 * We are making executable a file mapping that has
2544 * had some COW done. Since pages might have been
2545 * written, check ability to execute the possibly
2546 * modified content. This typically should only
2547 * occur for text relocations.
2548 */
2549 rc = file_has_perm(current, vma->vm_file,
2550 FILE__EXECMOD);
2551 }