]> git.proxmox.com Git - mirror_ubuntu-hirsute-kernel.git/blame - security/selinux/hooks.c
projects / mirror_ubuntu-hirsute-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
selinux: update netlink socket classes
[mirror_ubuntu-hirsute-kernel.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4 26#include <linux/init.h>
0b24dcb7 27#include <linux/kd.h>
1da177e4 28#include <linux/kernel.h>
0d094efe 29#include <linux/tracehook.h>
1da177e4
LT		 30#include <linux/errno.h>
31#include <linux/sched.h>
3c4ed7bd 32#include <linux/lsm_hooks.h>
1da177e4
LT		 33#include <linux/xattr.h>
34#include <linux/capability.h>
35#include <linux/unistd.h>
36#include <linux/mm.h>
37#include <linux/mman.h>
38#include <linux/slab.h>
39#include <linux/pagemap.h>
0b24dcb7 40#include <linux/proc_fs.h>
1da177e4 41#include <linux/swap.h>
1da177e4
LT		 42#include <linux/spinlock.h>
43#include <linux/syscalls.h>
2a7dba39 44#include <linux/dcache.h>
1da177e4 45#include <linux/file.h>
9f3acc31 46#include <linux/fdtable.h>
1da177e4
LT		 47#include <linux/namei.h>
48#include <linux/mount.h>
1da177e4
LT		 49#include <linux/netfilter_ipv4.h>
50#include <linux/netfilter_ipv6.h>
51#include <linux/tty.h>
52#include <net/icmp.h>
227b60f5 53#include <net/ip.h> /* for local_port_range[] */
1da177e4 54#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 55#include <net/inet_connection_sock.h>
220deb96 56#include <net/net_namespace.h>
d621d35e 57#include <net/netlabel.h>
f5269710 58#include <linux/uaccess.h>
1da177e4 59#include <asm/ioctls.h>
60063497 60#include <linux/atomic.h>
1da177e4
LT		 61#include <linux/bitops.h>
62#include <linux/interrupt.h>
63#include <linux/netdevice.h> /* for network interface checks */
77954983 64#include <net/netlink.h>
1da177e4
LT		 65#include <linux/tcp.h>
66#include <linux/udp.h>
2ee92d46 67#include <linux/dccp.h>
1da177e4
LT		 68#include <linux/quota.h>
69#include <linux/un.h> /* for Unix socket types */
70#include <net/af_unix.h> /* for Unix socket types */
71#include <linux/parser.h>
72#include <linux/nfs_mount.h>
73#include <net/ipv6.h>
74#include <linux/hugetlb.h>
75#include <linux/personality.h>
1da177e4 76#include <linux/audit.h>
6931dfc9 77#include <linux/string.h>
877ce7c1 78#include <linux/selinux.h>
23970741 79#include <linux/mutex.h>
f06febc9 80#include <linux/posix-timers.h>
00234592 81#include <linux/syslog.h>
3486740a 82#include <linux/user_namespace.h>
44fc7ea0 83#include <linux/export.h>
40401530
AV		 84#include <linux/msg.h>
85#include <linux/shm.h>
1da177e4
LT		 86
87#include "avc.h"
88#include "objsec.h"
89#include "netif.h"
224dfbd8 90#include "netnode.h"
3e112172 91#include "netport.h"
d28d1e08 92#include "xfrm.h"
c60475bf 93#include "netlabel.h"
9d57a7f9 94#include "audit.h"
7b98a585 95#include "avc_ss.h"
1da177e4 96
d621d35e 97/* SECMARK reference count */
56a4ca99 98static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 99
1da177e4 100#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 101int selinux_enforcing;
1da177e4
LT		 102
103static int __init enforcing_setup(char *str)
104{
f5269710 105 unsigned long enforcing;
29707b20 106 if (!kstrtoul(str, 0, &enforcing))
f5269710 107 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 108 return 1;
109}
110__setup("enforcing=", enforcing_setup);
111#endif
112
113#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116static int __init selinux_enabled_setup(char *str)
117{
f5269710 118 unsigned long enabled;
29707b20 119 if (!kstrtoul(str, 0, &enabled))
f5269710 120 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 121 return 1;
122}
123__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 124#else
125int selinux_enabled = 1;
1da177e4
LT		 126#endif
127
e18b890b 128static struct kmem_cache *sel_inode_cache;
7cae7e26 129
d621d35e
PM		 130/**
131 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
132 *
133 * Description:
134 * This function checks the SECMARK reference counter to see if any SECMARK
135 * targets are currently configured, if the reference counter is greater than
136 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 137 * enabled, false (0) if SECMARK is disabled. If the always_check_network
138 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 139 *
140 */
141static int selinux_secmark_enabled(void)
142{
2be4d74f
CP		 143 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
144}
145
146/**
147 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
148 *
149 * Description:
150 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
151 * (1) if any are enabled or false (0) if neither are enabled. If the
152 * always_check_network policy capability is enabled, peer labeling
153 * is always considered enabled.
154 *
155 */
156static int selinux_peerlbl_enabled(void)
157{
158 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 159}
160
615e51fd
PM		 161static int selinux_netcache_avc_callback(u32 event)
162{
163 if (event == AVC_CALLBACK_RESET) {
164 sel_netif_flush();
165 sel_netnode_flush();
166 sel_netport_flush();
167 synchronize_net();
168 }
169 return 0;
170}
171
d84f4f99
DH		 172/*
173 * initialise the security for the init task
174 */
175static void cred_init_security(void)
1da177e4 176{
3b11a1de 177 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 178 struct task_security_struct *tsec;
179
89d155ef 180 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 181 if (!tsec)
d84f4f99 182 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 183
d84f4f99 184 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 185 cred->security = tsec;
1da177e4
LT		 186}
187
88e67f3b
DH		 188/*
189 * get the security ID of a set of credentials
190 */
191static inline u32 cred_sid(const struct cred *cred)
192{
193 const struct task_security_struct *tsec;
194
195 tsec = cred->security;
196 return tsec->sid;
197}
198
275bb41e 199/*
3b11a1de 200 * get the objective security ID of a task
275bb41e
DH		 201 */
202static inline u32 task_sid(const struct task_struct *task)
203{
275bb41e
DH		 204 u32 sid;
205
206 rcu_read_lock();
88e67f3b 207 sid = cred_sid(__task_cred(task));
275bb41e
DH		 208 rcu_read_unlock();
209 return sid;
210}
211
212/*
3b11a1de 213 * get the subjective security ID of the current task
275bb41e
DH		 214 */
215static inline u32 current_sid(void)
216{
5fb49870 217 const struct task_security_struct *tsec = current_security();
275bb41e
DH		 218
219 return tsec->sid;
220}
221
88e67f3b
DH		 222/* Allocate and free functions for each kind of security blob. */
223
1da177e4
LT		 224static int inode_alloc_security(struct inode *inode)
225{
1da177e4 226 struct inode_security_struct *isec;
275bb41e 227 u32 sid = current_sid();
1da177e4 228
a02fe132 229 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 230 if (!isec)
231 return -ENOMEM;
232
23970741 233 mutex_init(&isec->lock);
1da177e4 234 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 235 isec->inode = inode;
236 isec->sid = SECINITSID_UNLABELED;
237 isec->sclass = SECCLASS_FILE;
275bb41e 238 isec->task_sid = sid;
1da177e4
LT		 239 inode->i_security = isec;
240
241 return 0;
242}
243
3dc91d43
SR		 244static void inode_free_rcu(struct rcu_head *head)
245{
246 struct inode_security_struct *isec;
247
248 isec = container_of(head, struct inode_security_struct, rcu);
249 kmem_cache_free(sel_inode_cache, isec);
250}
251
1da177e4
LT		 252static void inode_free_security(struct inode *inode)
253{
254 struct inode_security_struct *isec = inode->i_security;
255 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
256
1da177e4
LT		 257 spin_lock(&sbsec->isec_lock);
258 if (!list_empty(&isec->list))
259 list_del_init(&isec->list);
260 spin_unlock(&sbsec->isec_lock);
261
3dc91d43
SR		 262 /*
263 * The inode may still be referenced in a path walk and
264 * a call to selinux_inode_permission() can be made
265 * after inode_free_security() is called. Ideally, the VFS
266 * wouldn't do this, but fixing that is a much harder
267 * job. For now, simply free the i_security via RCU, and
268 * leave the current inode->i_security pointer intact.
269 * The inode will be freed after the RCU grace period too.
270 */
271 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 272}
273
274static int file_alloc_security(struct file *file)
275{
1da177e4 276 struct file_security_struct *fsec;
275bb41e 277 u32 sid = current_sid();
1da177e4 278
26d2a4be 279 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 280 if (!fsec)
281 return -ENOMEM;
282
275bb41e
DH		 283 fsec->sid = sid;
284 fsec->fown_sid = sid;
1da177e4
LT		 285 file->f_security = fsec;
286
287 return 0;
288}
289
290static void file_free_security(struct file *file)
291{
292 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 293 file->f_security = NULL;
294 kfree(fsec);
295}
296
297static int superblock_alloc_security(struct super_block *sb)
298{
299 struct superblock_security_struct *sbsec;
300
89d155ef 301 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 302 if (!sbsec)
303 return -ENOMEM;
304
bc7e982b 305 mutex_init(&sbsec->lock);
1da177e4
LT		 306 INIT_LIST_HEAD(&sbsec->isec_head);
307 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 308 sbsec->sb = sb;
309 sbsec->sid = SECINITSID_UNLABELED;
310 sbsec->def_sid = SECINITSID_FILE;
c312feb2 311 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 312 sb->s_security = sbsec;
313
314 return 0;
315}
316
317static void superblock_free_security(struct super_block *sb)
318{
319 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 320 sb->s_security = NULL;
321 kfree(sbsec);
322}
323
1da177e4
LT		 324/* The file system's label must be initialized prior to use. */
325
eb9ae686 326static const char *labeling_behaviors[7] = {
1da177e4
LT		 327 "uses xattr",
328 "uses transition SIDs",
329 "uses task SIDs",
330 "uses genfs_contexts",
331 "not configured for labeling",
332 "uses mountpoint labeling",
eb9ae686 333 "uses native labeling",
1da177e4
LT		 334};
335
336static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
337
338static inline int inode_doinit(struct inode *inode)
339{
340 return inode_doinit_with_dentry(inode, NULL);
341}
342
343enum {
31e87930 344 Opt_error = -1,
1da177e4
LT		 345 Opt_context = 1,
346 Opt_fscontext = 2,
c9180a57
EP		 347 Opt_defcontext = 3,
348 Opt_rootcontext = 4,
11689d47 349 Opt_labelsupport = 5,
d355987f 350 Opt_nextmntopt = 6,
1da177e4
LT		 351};
352
d355987f
EP		 353#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
354
a447c093 355static const match_table_t tokens = {
832cbd9a
EP		 356 {Opt_context, CONTEXT_STR "%s"},
357 {Opt_fscontext, FSCONTEXT_STR "%s"},
358 {Opt_defcontext, DEFCONTEXT_STR "%s"},
359 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 360 {Opt_labelsupport, LABELSUPP_STR},
31e87930 361 {Opt_error, NULL},
1da177e4
LT		 362};
363
364#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
365
c312feb2
EP		 366static int may_context_mount_sb_relabel(u32 sid,
367 struct superblock_security_struct *sbsec,
275bb41e 368 const struct cred *cred)
c312feb2 369{
275bb41e 370 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 371 int rc;
372
373 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
374 FILESYSTEM__RELABELFROM, NULL);
375 if (rc)
376 return rc;
377
378 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
379 FILESYSTEM__RELABELTO, NULL);
380 return rc;
381}
382
0808925e
EP		 383static int may_context_mount_inode_relabel(u32 sid,
384 struct superblock_security_struct *sbsec,
275bb41e 385 const struct cred *cred)
0808925e 386{
275bb41e 387 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 388 int rc;
389 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
390 FILESYSTEM__RELABELFROM, NULL);
391 if (rc)
392 return rc;
393
394 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
395 FILESYSTEM__ASSOCIATE, NULL);
396 return rc;
397}
398
b43e725d
EP		 399static int selinux_is_sblabel_mnt(struct super_block *sb)
400{
401 struct superblock_security_struct *sbsec = sb->s_security;
402
d5f3a5f6
MS		 403 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
404 sbsec->behavior == SECURITY_FS_USE_TRANS ||
405 sbsec->behavior == SECURITY_FS_USE_TASK ||
406 /* Special handling. Genfs but also in-core setxattr handler */
407 !strcmp(sb->s_type->name, "sysfs") ||
408 !strcmp(sb->s_type->name, "pstore") ||
409 !strcmp(sb->s_type->name, "debugfs") ||
410 !strcmp(sb->s_type->name, "rootfs");
b43e725d
EP		 411}
412
c9180a57 413static int sb_finish_set_opts(struct super_block *sb)
1da177e4 414{
1da177e4 415 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 416 struct dentry *root = sb->s_root;
c6f493d6 417 struct inode *root_inode = d_backing_inode(root);
c9180a57 418 int rc = 0;
1da177e4 419
c9180a57
EP		 420 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
421 /* Make sure that the xattr handler exists and that no
422 error other than -ENODATA is returned by getxattr on
423 the root directory. -ENODATA is ok, as this may be
424 the first boot of the SELinux kernel before we have
425 assigned xattr values to the filesystem. */
426 if (!root_inode->i_op->getxattr) {
29b1deb2
LT		 427 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
428 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 429 rc = -EOPNOTSUPP;
430 goto out;
431 }
432 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
433 if (rc < 0 && rc != -ENODATA) {
434 if (rc == -EOPNOTSUPP)
435 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 436 "%s) has no security xattr handler\n",
437 sb->s_id, sb->s_type->name);
c9180a57
EP		 438 else
439 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 440 "%s) getxattr errno %d\n", sb->s_id,
441 sb->s_type->name, -rc);
c9180a57
EP		 442 goto out;
443 }
444 }
1da177e4 445
c9180a57 446 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
29b1deb2
LT		 447 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
448 sb->s_id, sb->s_type->name);
1da177e4 449
eadcabc6 450 sbsec->flags |= SE_SBINITIALIZED;
b43e725d 451 if (selinux_is_sblabel_mnt(sb))
12f348b9 452 sbsec->flags |= SBLABEL_MNT;
ddd29ec6 453
c9180a57
EP		 454 /* Initialize the root inode. */
455 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 456
c9180a57
EP		 457 /* Initialize any other inodes associated with the superblock, e.g.
458 inodes created prior to initial policy load or inodes created
459 during get_sb by a pseudo filesystem that directly
460 populates itself. */
461 spin_lock(&sbsec->isec_lock);
462next_inode:
463 if (!list_empty(&sbsec->isec_head)) {
464 struct inode_security_struct *isec =
465 list_entry(sbsec->isec_head.next,
466 struct inode_security_struct, list);
467 struct inode *inode = isec->inode;
923190d3 468 list_del_init(&isec->list);
c9180a57
EP		 469 spin_unlock(&sbsec->isec_lock);
470 inode = igrab(inode);
471 if (inode) {
472 if (!IS_PRIVATE(inode))
473 inode_doinit(inode);
474 iput(inode);
475 }
476 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 477 goto next_inode;
478 }
479 spin_unlock(&sbsec->isec_lock);
480out:
481 return rc;
482}
1da177e4 483
c9180a57
EP		 484/*
485 * This function should allow an FS to ask what it's mount security
486 * options were so it can use those later for submounts, displaying
487 * mount options, or whatever.
488 */
489static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 490 struct security_mnt_opts *opts)
c9180a57
EP		 491{
492 int rc = 0, i;
493 struct superblock_security_struct *sbsec = sb->s_security;
494 char *context = NULL;
495 u32 len;
496 char tmp;
1da177e4 497
e0007529 498 security_init_mnt_opts(opts);
1da177e4 499
0d90a7ec 500 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 501 return -EINVAL;
1da177e4 502
c9180a57
EP		 503 if (!ss_initialized)
504 return -EINVAL;
1da177e4 505
af8e50cc
EP		 506 /* make sure we always check enough bits to cover the mask */
507 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
508
0d90a7ec 509 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 510 /* count the number of mount options for this sb */
af8e50cc 511 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 512 if (tmp & 0x01)
e0007529 513 opts->num_mnt_opts++;
c9180a57
EP		 514 tmp >>= 1;
515 }
11689d47 516 /* Check if the Label support flag is set */
0b4bdb35 517 if (sbsec->flags & SBLABEL_MNT)
11689d47 518 opts->num_mnt_opts++;
1da177e4 519
e0007529
EP		 520 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
521 if (!opts->mnt_opts) {
c9180a57
EP		 522 rc = -ENOMEM;
523 goto out_free;
524 }
1da177e4 525
e0007529
EP		 526 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
527 if (!opts->mnt_opts_flags) {
c9180a57
EP		 528 rc = -ENOMEM;
529 goto out_free;
530 }
1da177e4 531
c9180a57
EP		 532 i = 0;
533 if (sbsec->flags & FSCONTEXT_MNT) {
534 rc = security_sid_to_context(sbsec->sid, &context, &len);
535 if (rc)
536 goto out_free;
e0007529
EP		 537 opts->mnt_opts[i] = context;
538 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 539 }
540 if (sbsec->flags & CONTEXT_MNT) {
541 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
542 if (rc)
543 goto out_free;
e0007529
EP		 544 opts->mnt_opts[i] = context;
545 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 546 }
547 if (sbsec->flags & DEFCONTEXT_MNT) {
548 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
549 if (rc)
550 goto out_free;
e0007529
EP		 551 opts->mnt_opts[i] = context;
552 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 553 }
554 if (sbsec->flags & ROOTCONTEXT_MNT) {
c6f493d6 555 struct inode *root = d_backing_inode(sbsec->sb->s_root);
c9180a57 556 struct inode_security_struct *isec = root->i_security;
0808925e 557
c9180a57
EP		 558 rc = security_sid_to_context(isec->sid, &context, &len);
559 if (rc)
560 goto out_free;
e0007529
EP		 561 opts->mnt_opts[i] = context;
562 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 563 }
12f348b9 564 if (sbsec->flags & SBLABEL_MNT) {
11689d47 565 opts->mnt_opts[i] = NULL;
12f348b9 566 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 567 }
1da177e4 568
e0007529 569 BUG_ON(i != opts->num_mnt_opts);
1da177e4 570
c9180a57
EP		 571 return 0;
572
573out_free:
e0007529 574 security_free_mnt_opts(opts);
c9180a57
EP		 575 return rc;
576}
1da177e4 577
c9180a57
EP		 578static int bad_option(struct superblock_security_struct *sbsec, char flag,
579 u32 old_sid, u32 new_sid)
580{
0d90a7ec
DQ		 581 char mnt_flags = sbsec->flags & SE_MNTMASK;
582
c9180a57 583 /* check if the old mount command had the same options */
0d90a7ec 584 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 585 if (!(sbsec->flags & flag) ||
586 (old_sid != new_sid))
587 return 1;
588
589 /* check if we were passed the same options twice,
590 * aka someone passed context=a,context=b
591 */
0d90a7ec
DQ		 592 if (!(sbsec->flags & SE_SBINITIALIZED))
593 if (mnt_flags & flag)
c9180a57
EP		 594 return 1;
595 return 0;
596}
e0007529 597
c9180a57
EP		 598/*
599 * Allow filesystems with binary mount data to explicitly set mount point
600 * labeling information.
601 */
e0007529 602static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 603 struct security_mnt_opts *opts,
604 unsigned long kern_flags,
605 unsigned long *set_kern_flags)
c9180a57 606{
275bb41e 607 const struct cred *cred = current_cred();
c9180a57 608 int rc = 0, i;
c9180a57 609 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 610 const char *name = sb->s_type->name;
c6f493d6 611 struct inode *inode = d_backing_inode(sbsec->sb->s_root);
089be43e 612 struct inode_security_struct *root_isec = inode->i_security;
c9180a57
EP		 613 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
614 u32 defcontext_sid = 0;
e0007529
EP		 615 char **mount_options = opts->mnt_opts;
616 int *flags = opts->mnt_opts_flags;
617 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 618
619 mutex_lock(&sbsec->lock);
620
621 if (!ss_initialized) {
622 if (!num_opts) {
623 /* Defer initialization until selinux_complete_init,
624 after the initial policy is loaded and the security
625 server is ready to handle calls. */
c9180a57
EP		 626 goto out;
627 }
628 rc = -EINVAL;
744ba35e
EP		 629 printk(KERN_WARNING "SELinux: Unable to set superblock options "
630 "before the security server is initialized\n");
1da177e4 631 goto out;
c9180a57 632 }
649f6e77
DQ		 633 if (kern_flags && !set_kern_flags) {
634 /* Specifying internal flags without providing a place to
635 * place the results is not allowed */
636 rc = -EINVAL;
637 goto out;
638 }
1da177e4 639
e0007529
EP		 640 /*
641 * Binary mount data FS will come through this function twice. Once
642 * from an explicit call and once from the generic calls from the vfs.
643 * Since the generic VFS calls will not contain any security mount data
644 * we need to skip the double mount verification.
645 *
646 * This does open a hole in which we will not notice if the first
647 * mount using this sb set explict options and a second mount using
648 * this sb does not set any security options. (The first options
649 * will be used for both mounts)
650 */
0d90a7ec 651 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 652 && (num_opts == 0))
f5269710 653 goto out;
e0007529 654
c9180a57
EP		 655 /*
656 * parse the mount options, check if they are valid sids.
657 * also check if someone is trying to mount the same sb more
658 * than once with different security options.
659 */
660 for (i = 0; i < num_opts; i++) {
661 u32 sid;
11689d47 662
12f348b9 663 if (flags[i] == SBLABEL_MNT)
11689d47 664 continue;
c9180a57 665 rc = security_context_to_sid(mount_options[i],
52a4c640 666 strlen(mount_options[i]), &sid, GFP_KERNEL);
1da177e4
LT		 667 if (rc) {
668 printk(KERN_WARNING "SELinux: security_context_to_sid"
29b1deb2
LT		 669 "(%s) failed for (dev %s, type %s) errno=%d\n",
670 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 671 goto out;
672 }
673 switch (flags[i]) {
674 case FSCONTEXT_MNT:
675 fscontext_sid = sid;
676
677 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
678 fscontext_sid))
679 goto out_double_mount;
680
681 sbsec->flags |= FSCONTEXT_MNT;
682 break;
683 case CONTEXT_MNT:
684 context_sid = sid;
685
686 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
687 context_sid))
688 goto out_double_mount;
689
690 sbsec->flags |= CONTEXT_MNT;
691 break;
692 case ROOTCONTEXT_MNT:
693 rootcontext_sid = sid;
694
695 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
696 rootcontext_sid))
697 goto out_double_mount;
698
699 sbsec->flags |= ROOTCONTEXT_MNT;
700
701 break;
702 case DEFCONTEXT_MNT:
703 defcontext_sid = sid;
704
705 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
706 defcontext_sid))
707 goto out_double_mount;
708
709 sbsec->flags |= DEFCONTEXT_MNT;
710
711 break;
712 default:
713 rc = -EINVAL;
714 goto out;
1da177e4 715 }
c9180a57
EP		 716 }
717
0d90a7ec 718 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 719 /* previously mounted with options, but not on this attempt? */
0d90a7ec 720 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 721 goto out_double_mount;
722 rc = 0;
723 goto out;
724 }
725
089be43e 726 if (strcmp(sb->s_type->name, "proc") == 0)
0d90a7ec 727 sbsec->flags |= SE_SBPROC;
c9180a57 728
eb9ae686
DQ		 729 if (!sbsec->behavior) {
730 /*
731 * Determine the labeling behavior to use for this
732 * filesystem type.
733 */
98f700f3 734 rc = security_fs_use(sb);
eb9ae686
DQ		 735 if (rc) {
736 printk(KERN_WARNING
737 "%s: security_fs_use(%s) returned %d\n",
738 __func__, sb->s_type->name, rc);
739 goto out;
740 }
c9180a57 741 }
c9180a57
EP		 742 /* sets the context of the superblock for the fs being mounted. */
743 if (fscontext_sid) {
275bb41e 744 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 745 if (rc)
c9180a57 746 goto out;
1da177e4 747
c9180a57 748 sbsec->sid = fscontext_sid;
c312feb2
EP		 749 }
750
751 /*
752 * Switch to using mount point labeling behavior.
753 * sets the label used on all file below the mountpoint, and will set
754 * the superblock context if not already set.
755 */
eb9ae686
DQ		 756 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
757 sbsec->behavior = SECURITY_FS_USE_NATIVE;
758 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
759 }
760
c9180a57
EP		 761 if (context_sid) {
762 if (!fscontext_sid) {
275bb41e
DH		 763 rc = may_context_mount_sb_relabel(context_sid, sbsec,
764 cred);
b04ea3ce 765 if (rc)
c9180a57
EP		 766 goto out;
767 sbsec->sid = context_sid;
b04ea3ce 768 } else {
275bb41e
DH		 769 rc = may_context_mount_inode_relabel(context_sid, sbsec,
770 cred);
b04ea3ce 771 if (rc)
c9180a57 772 goto out;
b04ea3ce 773 }
c9180a57
EP		 774 if (!rootcontext_sid)
775 rootcontext_sid = context_sid;
1da177e4 776
c9180a57 777 sbsec->mntpoint_sid = context_sid;
c312feb2 778 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 779 }
780
c9180a57 781 if (rootcontext_sid) {
275bb41e
DH		 782 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
783 cred);
0808925e 784 if (rc)
c9180a57 785 goto out;
0808925e 786
c9180a57
EP		 787 root_isec->sid = rootcontext_sid;
788 root_isec->initialized = 1;
0808925e
EP		 789 }
790
c9180a57 791 if (defcontext_sid) {
eb9ae686
DQ		 792 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
793 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 794 rc = -EINVAL;
795 printk(KERN_WARNING "SELinux: defcontext option is "
796 "invalid for this filesystem type\n");
797 goto out;
1da177e4
LT		 798 }
799
c9180a57
EP		 800 if (defcontext_sid != sbsec->def_sid) {
801 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 802 sbsec, cred);
c9180a57
EP		 803 if (rc)
804 goto out;
805 }
1da177e4 806
c9180a57 807 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 808 }
809
c9180a57 810 rc = sb_finish_set_opts(sb);
1da177e4 811out:
c9180a57 812 mutex_unlock(&sbsec->lock);
1da177e4 813 return rc;
c9180a57
EP		 814out_double_mount:
815 rc = -EINVAL;
816 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 817 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 818 goto out;
1da177e4
LT		 819}
820
094f7b69
JL		 821static int selinux_cmp_sb_context(const struct super_block *oldsb,
822 const struct super_block *newsb)
823{
824 struct superblock_security_struct *old = oldsb->s_security;
825 struct superblock_security_struct *new = newsb->s_security;
826 char oldflags = old->flags & SE_MNTMASK;
827 char newflags = new->flags & SE_MNTMASK;
828
829 if (oldflags != newflags)
830 goto mismatch;
831 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
832 goto mismatch;
833 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
834 goto mismatch;
835 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
836 goto mismatch;
837 if (oldflags & ROOTCONTEXT_MNT) {
c6f493d6
DH		 838 struct inode_security_struct *oldroot = d_backing_inode(oldsb->s_root)->i_security;
839 struct inode_security_struct *newroot = d_backing_inode(newsb->s_root)->i_security;
094f7b69
JL		 840 if (oldroot->sid != newroot->sid)
841 goto mismatch;
842 }
843 return 0;
844mismatch:
845 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
846 "different security settings for (dev %s, "
847 "type %s)\n", newsb->s_id, newsb->s_type->name);
848 return -EBUSY;
849}
850
851static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
c9180a57 852 struct super_block *newsb)
1da177e4 853{
c9180a57
EP		 854 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
855 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 856
c9180a57
EP		 857 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
858 int set_context = (oldsbsec->flags & CONTEXT_MNT);
859 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 860
0f5e6420
EP		 861 /*
862 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 863 * mount options. thus we can safely deal with this superblock later
0f5e6420 864 */
e8c26255 865 if (!ss_initialized)
094f7b69 866 return 0;
c9180a57 867
c9180a57 868 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 869 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 870
094f7b69 871 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 872 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 873 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 874
c9180a57
EP		 875 mutex_lock(&newsbsec->lock);
876
877 newsbsec->flags = oldsbsec->flags;
878
879 newsbsec->sid = oldsbsec->sid;
880 newsbsec->def_sid = oldsbsec->def_sid;
881 newsbsec->behavior = oldsbsec->behavior;
882
883 if (set_context) {
884 u32 sid = oldsbsec->mntpoint_sid;
885
886 if (!set_fscontext)
887 newsbsec->sid = sid;
888 if (!set_rootcontext) {
c6f493d6 889 struct inode *newinode = d_backing_inode(newsb->s_root);
c9180a57
EP		 890 struct inode_security_struct *newisec = newinode->i_security;
891 newisec->sid = sid;
892 }
893 newsbsec->mntpoint_sid = sid;
1da177e4 894 }
c9180a57 895 if (set_rootcontext) {
c6f493d6 896 const struct inode *oldinode = d_backing_inode(oldsb->s_root);
c9180a57 897 const struct inode_security_struct *oldisec = oldinode->i_security;
c6f493d6 898 struct inode *newinode = d_backing_inode(newsb->s_root);
c9180a57 899 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 900
c9180a57 901 newisec->sid = oldisec->sid;
1da177e4
LT		 902 }
903
c9180a57
EP		 904 sb_finish_set_opts(newsb);
905 mutex_unlock(&newsbsec->lock);
094f7b69 906 return 0;
c9180a57
EP		 907}
908
2e1479d9
AB		 909static int selinux_parse_opts_str(char *options,
910 struct security_mnt_opts *opts)
c9180a57 911{
e0007529 912 char *p;
c9180a57
EP		 913 char *context = NULL, *defcontext = NULL;
914 char *fscontext = NULL, *rootcontext = NULL;
e0007529 915 int rc, num_mnt_opts = 0;
1da177e4 916
e0007529 917 opts->num_mnt_opts = 0;
1da177e4 918
c9180a57
EP		 919 /* Standard string-based options. */
920 while ((p = strsep(&options, "|")) != NULL) {
921 int token;
922 substring_t args[MAX_OPT_ARGS];
1da177e4 923
c9180a57
EP		 924 if (!*p)
925 continue;
1da177e4 926
c9180a57 927 token = match_token(p, tokens, args);
1da177e4 928
c9180a57
EP		 929 switch (token) {
930 case Opt_context:
931 if (context || defcontext) {
932 rc = -EINVAL;
933 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
934 goto out_err;
935 }
936 context = match_strdup(&args[0]);
937 if (!context) {
938 rc = -ENOMEM;
939 goto out_err;
940 }
941 break;
942
943 case Opt_fscontext:
944 if (fscontext) {
945 rc = -EINVAL;
946 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
947 goto out_err;
948 }
949 fscontext = match_strdup(&args[0]);
950 if (!fscontext) {
951 rc = -ENOMEM;
952 goto out_err;
953 }
954 break;
955
956 case Opt_rootcontext:
957 if (rootcontext) {
958 rc = -EINVAL;
959 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
960 goto out_err;
961 }
962 rootcontext = match_strdup(&args[0]);
963 if (!rootcontext) {
964 rc = -ENOMEM;
965 goto out_err;
966 }
967 break;
968
969 case Opt_defcontext:
970 if (context || defcontext) {
971 rc = -EINVAL;
972 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
973 goto out_err;
974 }
975 defcontext = match_strdup(&args[0]);
976 if (!defcontext) {
977 rc = -ENOMEM;
978 goto out_err;
979 }
980 break;
11689d47
DQ		 981 case Opt_labelsupport:
982 break;
c9180a57
EP		 983 default:
984 rc = -EINVAL;
985 printk(KERN_WARNING "SELinux: unknown mount option\n");
986 goto out_err;
1da177e4 987
1da177e4 988 }
1da177e4 989 }
c9180a57 990
e0007529
EP		 991 rc = -ENOMEM;
992 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
993 if (!opts->mnt_opts)
994 goto out_err;
995
996 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
997 if (!opts->mnt_opts_flags) {
998 kfree(opts->mnt_opts);
999 goto out_err;
1000 }
1001
c9180a57 1002 if (fscontext) {
e0007529
EP		 1003 opts->mnt_opts[num_mnt_opts] = fscontext;
1004 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1005 }
1006 if (context) {
e0007529
EP		 1007 opts->mnt_opts[num_mnt_opts] = context;
1008 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1009 }
1010 if (rootcontext) {
e0007529
EP		 1011 opts->mnt_opts[num_mnt_opts] = rootcontext;
1012 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1013 }
1014 if (defcontext) {
e0007529
EP		 1015 opts->mnt_opts[num_mnt_opts] = defcontext;
1016 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1017 }
1018
e0007529
EP		 1019 opts->num_mnt_opts = num_mnt_opts;
1020 return 0;
1021
c9180a57
EP		 1022out_err:
1023 kfree(context);
1024 kfree(defcontext);
1025 kfree(fscontext);
1026 kfree(rootcontext);
1da177e4
LT		 1027 return rc;
1028}
e0007529
EP		 1029/*
1030 * string mount options parsing and call set the sbsec
1031 */
1032static int superblock_doinit(struct super_block *sb, void *data)
1033{
1034 int rc = 0;
1035 char *options = data;
1036 struct security_mnt_opts opts;
1037
1038 security_init_mnt_opts(&opts);
1039
1040 if (!data)
1041 goto out;
1042
1043 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1044
1045 rc = selinux_parse_opts_str(options, &opts);
1046 if (rc)
1047 goto out_err;
1048
1049out:
649f6e77 1050 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1051
1052out_err:
1053 security_free_mnt_opts(&opts);
1054 return rc;
1055}
1da177e4 1056
3583a711
AB		 1057static void selinux_write_opts(struct seq_file *m,
1058 struct security_mnt_opts *opts)
2069f457
EP		 1059{
1060 int i;
1061 char *prefix;
1062
1063 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1064 char *has_comma;
1065
1066 if (opts->mnt_opts[i])
1067 has_comma = strchr(opts->mnt_opts[i], ',');
1068 else
1069 has_comma = NULL;
2069f457
EP		 1070
1071 switch (opts->mnt_opts_flags[i]) {
1072 case CONTEXT_MNT:
1073 prefix = CONTEXT_STR;
1074 break;
1075 case FSCONTEXT_MNT:
1076 prefix = FSCONTEXT_STR;
1077 break;
1078 case ROOTCONTEXT_MNT:
1079 prefix = ROOTCONTEXT_STR;
1080 break;
1081 case DEFCONTEXT_MNT:
1082 prefix = DEFCONTEXT_STR;
1083 break;
12f348b9 1084 case SBLABEL_MNT:
11689d47
DQ		 1085 seq_putc(m, ',');
1086 seq_puts(m, LABELSUPP_STR);
1087 continue;
2069f457
EP		 1088 default:
1089 BUG();
a35c6c83 1090 return;
2069f457
EP		 1091 };
1092 /* we need a comma before each option */
1093 seq_putc(m, ',');
1094 seq_puts(m, prefix);
1095 if (has_comma)
1096 seq_putc(m, '\"');
1097 seq_puts(m, opts->mnt_opts[i]);
1098 if (has_comma)
1099 seq_putc(m, '\"');
1100 }
1101}
1102
1103static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1104{
1105 struct security_mnt_opts opts;
1106 int rc;
1107
1108 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1109 if (rc) {
1110 /* before policy load we may get EINVAL, don't show anything */
1111 if (rc == -EINVAL)
1112 rc = 0;
2069f457 1113 return rc;
383795c2 1114 }
2069f457
EP		 1115
1116 selinux_write_opts(m, &opts);
1117
1118 security_free_mnt_opts(&opts);
1119
1120 return rc;
1121}
1122
1da177e4
LT		 1123static inline u16 inode_mode_to_security_class(umode_t mode)
1124{
1125 switch (mode & S_IFMT) {
1126 case S_IFSOCK:
1127 return SECCLASS_SOCK_FILE;
1128 case S_IFLNK:
1129 return SECCLASS_LNK_FILE;
1130 case S_IFREG:
1131 return SECCLASS_FILE;
1132 case S_IFBLK:
1133 return SECCLASS_BLK_FILE;
1134 case S_IFDIR:
1135 return SECCLASS_DIR;
1136 case S_IFCHR:
1137 return SECCLASS_CHR_FILE;
1138 case S_IFIFO:
1139 return SECCLASS_FIFO_FILE;
1140
1141 }
1142
1143 return SECCLASS_FILE;
1144}
1145
13402580
JM		 1146static inline int default_protocol_stream(int protocol)
1147{
1148 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1149}
1150
1151static inline int default_protocol_dgram(int protocol)
1152{
1153 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1154}
1155
1da177e4
LT		 1156static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1157{
1158 switch (family) {
1159 case PF_UNIX:
1160 switch (type) {
1161 case SOCK_STREAM:
1162 case SOCK_SEQPACKET:
1163 return SECCLASS_UNIX_STREAM_SOCKET;
1164 case SOCK_DGRAM:
1165 return SECCLASS_UNIX_DGRAM_SOCKET;
1166 }
1167 break;
1168 case PF_INET:
1169 case PF_INET6:
1170 switch (type) {
1171 case SOCK_STREAM:
13402580
JM		 1172 if (default_protocol_stream(protocol))
1173 return SECCLASS_TCP_SOCKET;
1174 else
1175 return SECCLASS_RAWIP_SOCKET;
1da177e4 1176 case SOCK_DGRAM:
13402580
JM		 1177 if (default_protocol_dgram(protocol))
1178 return SECCLASS_UDP_SOCKET;
1179 else
1180 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1181 case SOCK_DCCP:
1182 return SECCLASS_DCCP_SOCKET;
13402580 1183 default:
1da177e4
LT		 1184 return SECCLASS_RAWIP_SOCKET;
1185 }
1186 break;
1187 case PF_NETLINK:
1188 switch (protocol) {
1189 case NETLINK_ROUTE:
1190 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1191 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1192 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1193 case NETLINK_NFLOG:
1194 return SECCLASS_NETLINK_NFLOG_SOCKET;
1195 case NETLINK_XFRM:
1196 return SECCLASS_NETLINK_XFRM_SOCKET;
1197 case NETLINK_SELINUX:
1198 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1199 case NETLINK_ISCSI:
1200 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1201 case NETLINK_AUDIT:
1202 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1203 case NETLINK_FIB_LOOKUP:
1204 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1205 case NETLINK_CONNECTOR:
1206 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1207 case NETLINK_NETFILTER:
1208 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1209 case NETLINK_DNRTMSG:
1210 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1211 case NETLINK_KOBJECT_UEVENT:
1212 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1213 case NETLINK_GENERIC:
1214 return SECCLASS_NETLINK_GENERIC_SOCKET;
1215 case NETLINK_SCSITRANSPORT:
1216 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1217 case NETLINK_RDMA:
1218 return SECCLASS_NETLINK_RDMA_SOCKET;
1219 case NETLINK_CRYPTO:
1220 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1221 default:
1222 return SECCLASS_NETLINK_SOCKET;
1223 }
1224 case PF_PACKET:
1225 return SECCLASS_PACKET_SOCKET;
1226 case PF_KEY:
1227 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1228 case PF_APPLETALK:
1229 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1230 }
1231
1232 return SECCLASS_SOCKET;
1233}
1234
1235#ifdef CONFIG_PROC_FS
8e6c9693 1236static int selinux_proc_get_sid(struct dentry *dentry,
1da177e4
LT		 1237 u16 tclass,
1238 u32 *sid)
1239{
8e6c9693
LAG		 1240 int rc;
1241 char *buffer, *path;
1da177e4 1242
828dfe1d 1243 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1244 if (!buffer)
1245 return -ENOMEM;
1246
8e6c9693
LAG		 1247 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1248 if (IS_ERR(path))
1249 rc = PTR_ERR(path);
1250 else {
1251 /* each process gets a /proc/PID/ entry. Strip off the
1252 * PID part to get a valid selinux labeling.
1253 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1254 while (path[1] >= '0' && path[1] <= '9') {
1255 path[1] = '/';
1256 path++;
1257 }
1258 rc = security_genfs_sid("proc", path, tclass, sid);
1da177e4 1259 }
1da177e4
LT		 1260 free_page((unsigned long)buffer);
1261 return rc;
1262}
1263#else
8e6c9693 1264static int selinux_proc_get_sid(struct dentry *dentry,
1da177e4
LT		 1265 u16 tclass,
1266 u32 *sid)
1267{
1268 return -EINVAL;
1269}
1270#endif
1271
1272/* The inode's security attributes must be initialized before first use. */
1273static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1274{
1275 struct superblock_security_struct *sbsec = NULL;
1276 struct inode_security_struct *isec = inode->i_security;
1277 u32 sid;
1278 struct dentry *dentry;
1279#define INITCONTEXTLEN 255
1280 char *context = NULL;
1281 unsigned len = 0;
1282 int rc = 0;
1da177e4
LT		 1283
1284 if (isec->initialized)
1285 goto out;
1286
23970741 1287 mutex_lock(&isec->lock);
1da177e4 1288 if (isec->initialized)
23970741 1289 goto out_unlock;
1da177e4
LT		 1290
1291 sbsec = inode->i_sb->s_security;
0d90a7ec 1292 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1293 /* Defer initialization until selinux_complete_init,
1294 after the initial policy is loaded and the security
1295 server is ready to handle calls. */
1296 spin_lock(&sbsec->isec_lock);
1297 if (list_empty(&isec->list))
1298 list_add(&isec->list, &sbsec->isec_head);
1299 spin_unlock(&sbsec->isec_lock);
23970741 1300 goto out_unlock;
1da177e4
LT		 1301 }
1302
1303 switch (sbsec->behavior) {
eb9ae686
DQ		 1304 case SECURITY_FS_USE_NATIVE:
1305 break;
1da177e4
LT		 1306 case SECURITY_FS_USE_XATTR:
1307 if (!inode->i_op->getxattr) {
1308 isec->sid = sbsec->def_sid;
1309 break;
1310 }
1311
1312 /* Need a dentry, since the xattr API requires one.
1313 Life would be simpler if we could just pass the inode. */
1314 if (opt_dentry) {
1315 /* Called from d_instantiate or d_splice_alias. */
1316 dentry = dget(opt_dentry);
1317 } else {
1318 /* Called from selinux_complete_init, try to find a dentry. */
1319 dentry = d_find_alias(inode);
1320 }
1321 if (!dentry) {
df7f54c0
EP		 1322 /*
1323 * this is can be hit on boot when a file is accessed
1324 * before the policy is loaded. When we load policy we
1325 * may find inodes that have no dentry on the
1326 * sbsec->isec_head list. No reason to complain as these
1327 * will get fixed up the next time we go through
1328 * inode_doinit with a dentry, before these inodes could
1329 * be used again by userspace.
1330 */
23970741 1331 goto out_unlock;
1da177e4
LT		 1332 }
1333
1334 len = INITCONTEXTLEN;
4cb912f1 1335 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1336 if (!context) {
1337 rc = -ENOMEM;
1338 dput(dentry);
23970741 1339 goto out_unlock;
1da177e4 1340 }
4cb912f1 1341 context[len] = '\0';
1da177e4
LT		 1342 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1343 context, len);
1344 if (rc == -ERANGE) {
314dabb8
JM		 1345 kfree(context);
1346
1da177e4
LT		 1347 /* Need a larger buffer. Query for the right size. */
1348 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1349 NULL, 0);
1350 if (rc < 0) {
1351 dput(dentry);
23970741 1352 goto out_unlock;
1da177e4 1353 }
1da177e4 1354 len = rc;
4cb912f1 1355 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1356 if (!context) {
1357 rc = -ENOMEM;
1358 dput(dentry);
23970741 1359 goto out_unlock;
1da177e4 1360 }
4cb912f1 1361 context[len] = '\0';
1da177e4
LT		 1362 rc = inode->i_op->getxattr(dentry,
1363 XATTR_NAME_SELINUX,
1364 context, len);
1365 }
1366 dput(dentry);
1367 if (rc < 0) {
1368 if (rc != -ENODATA) {
744ba35e 1369 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1370 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1371 -rc, inode->i_sb->s_id, inode->i_ino);
1372 kfree(context);
23970741 1373 goto out_unlock;
1da177e4
LT		 1374 }
1375 /* Map ENODATA to the default file SID */
1376 sid = sbsec->def_sid;
1377 rc = 0;
1378 } else {
f5c1d5b2 1379 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1380 sbsec->def_sid,
1381 GFP_NOFS);
1da177e4 1382 if (rc) {
4ba0a8ad
EP		 1383 char *dev = inode->i_sb->s_id;
1384 unsigned long ino = inode->i_ino;
1385
1386 if (rc == -EINVAL) {
1387 if (printk_ratelimit())
1388 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1389 "context=%s. This indicates you may need to relabel the inode or the "
1390 "filesystem in question.\n", ino, dev, context);
1391 } else {
1392 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1393 "returned %d for dev=%s ino=%ld\n",
1394 __func__, context, -rc, dev, ino);
1395 }
1da177e4
LT		 1396 kfree(context);
1397 /* Leave with the unlabeled SID */
1398 rc = 0;
1399 break;
1400 }
1401 }
1402 kfree(context);
1403 isec->sid = sid;
1404 break;
1405 case SECURITY_FS_USE_TASK:
1406 isec->sid = isec->task_sid;
1407 break;
1408 case SECURITY_FS_USE_TRANS:
1409 /* Default to the fs SID. */
1410 isec->sid = sbsec->sid;
1411
1412 /* Try to obtain a transition SID. */
1413 isec->sclass = inode_mode_to_security_class(inode->i_mode);
652bb9b0
EP		 1414 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1415 isec->sclass, NULL, &sid);
1da177e4 1416 if (rc)
23970741 1417 goto out_unlock;
1da177e4
LT		 1418 isec->sid = sid;
1419 break;
c312feb2
EP		 1420 case SECURITY_FS_USE_MNTPOINT:
1421 isec->sid = sbsec->mntpoint_sid;
1422 break;
1da177e4 1423 default:
c312feb2 1424 /* Default to the fs superblock SID. */
1da177e4
LT		 1425 isec->sid = sbsec->sid;
1426
0d90a7ec 1427 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1428 /* We must have a dentry to determine the label on
1429 * procfs inodes */
1430 if (opt_dentry)
1431 /* Called from d_instantiate or
1432 * d_splice_alias. */
1433 dentry = dget(opt_dentry);
1434 else
1435 /* Called from selinux_complete_init, try to
1436 * find a dentry. */
1437 dentry = d_find_alias(inode);
1438 /*
1439 * This can be hit on boot when a file is accessed
1440 * before the policy is loaded. When we load policy we
1441 * may find inodes that have no dentry on the
1442 * sbsec->isec_head list. No reason to complain as
1443 * these will get fixed up the next time we go through
1444 * inode_doinit() with a dentry, before these inodes
1445 * could be used again by userspace.
1446 */
1447 if (!dentry)
1448 goto out_unlock;
1449 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1450 rc = selinux_proc_get_sid(dentry, isec->sclass, &sid);
1451 dput(dentry);
1452 if (rc)
1453 goto out_unlock;
1454 isec->sid = sid;
1da177e4
LT		 1455 }
1456 break;
1457 }
1458
1459 isec->initialized = 1;
1460
23970741
EP		 1461out_unlock:
1462 mutex_unlock(&isec->lock);
1da177e4
LT		 1463out:
1464 if (isec->sclass == SECCLASS_FILE)
1465 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1466 return rc;
1467}
1468
1469/* Convert a Linux signal to an access vector. */
1470static inline u32 signal_to_av(int sig)
1471{
1472 u32 perm = 0;
1473
1474 switch (sig) {
1475 case SIGCHLD:
1476 /* Commonly granted from child to parent. */
1477 perm = PROCESS__SIGCHLD;
1478 break;
1479 case SIGKILL:
1480 /* Cannot be caught or ignored */
1481 perm = PROCESS__SIGKILL;
1482 break;
1483 case SIGSTOP:
1484 /* Cannot be caught or ignored */
1485 perm = PROCESS__SIGSTOP;
1486 break;
1487 default:
1488 /* All other signals. */
1489 perm = PROCESS__SIGNAL;
1490 break;
1491 }
1492
1493 return perm;
1494}
1495
d84f4f99
DH		 1496/*
1497 * Check permission between a pair of credentials
1498 * fork check, ptrace check, etc.
1499 */
1500static int cred_has_perm(const struct cred *actor,
1501 const struct cred *target,
1502 u32 perms)
1503{
1504 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1505
1506 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1507}
1508
275bb41e 1509/*
88e67f3b 1510 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1511 * fork check, ptrace check, etc.
1512 * tsk1 is the actor and tsk2 is the target
3b11a1de 1513 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1514 */
1515static int task_has_perm(const struct task_struct *tsk1,
1516 const struct task_struct *tsk2,
1da177e4
LT		 1517 u32 perms)
1518{
275bb41e
DH		 1519 const struct task_security_struct *__tsec1, *__tsec2;
1520 u32 sid1, sid2;
1da177e4 1521
275bb41e
DH		 1522 rcu_read_lock();
1523 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1524 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1525 rcu_read_unlock();
1526 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1527}
1528
3b11a1de
DH		 1529/*
1530 * Check permission between current and another task, e.g. signal checks,
1531 * fork check, ptrace check, etc.
1532 * current is the actor and tsk2 is the target
1533 * - this uses current's subjective creds
1534 */
1535static int current_has_perm(const struct task_struct *tsk,
1536 u32 perms)
1537{
1538 u32 sid, tsid;
1539
1540 sid = current_sid();
1541 tsid = task_sid(tsk);
1542 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1543}
1544
b68e418c
SS		 1545#if CAP_LAST_CAP > 63
1546#error Fix SELinux to handle capabilities > 63.
1547#endif
1548
1da177e4 1549/* Check whether a task is allowed to use a capability. */
6a9de491 1550static int cred_has_capability(const struct cred *cred,
06112163 1551 int cap, int audit)
1da177e4 1552{
2bf49690 1553 struct common_audit_data ad;
06112163 1554 struct av_decision avd;
b68e418c 1555 u16 sclass;
3699c53c 1556 u32 sid = cred_sid(cred);
b68e418c 1557 u32 av = CAP_TO_MASK(cap);
06112163 1558 int rc;
1da177e4 1559
50c205f5 1560 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1561 ad.u.cap = cap;
1562
b68e418c
SS		 1563 switch (CAP_TO_INDEX(cap)) {
1564 case 0:
1565 sclass = SECCLASS_CAPABILITY;
1566 break;
1567 case 1:
1568 sclass = SECCLASS_CAPABILITY2;
1569 break;
1570 default:
1571 printk(KERN_ERR
1572 "SELinux: out of range capability %d\n", cap);
1573 BUG();
a35c6c83 1574 return -EINVAL;
b68e418c 1575 }
06112163 1576
275bb41e 1577 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1578 if (audit == SECURITY_CAP_AUDIT) {
ab354062 1579 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
9ade0cf4
EP		 1580 if (rc2)
1581 return rc2;
1582 }
06112163 1583 return rc;
1da177e4
LT		 1584}
1585
1586/* Check whether a task is allowed to use a system operation. */
1587static int task_has_system(struct task_struct *tsk,
1588 u32 perms)
1589{
275bb41e 1590 u32 sid = task_sid(tsk);
1da177e4 1591
275bb41e 1592 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1593 SECCLASS_SYSTEM, perms, NULL);
1594}
1595
1596/* Check whether a task has a particular permission to an inode.
1597 The 'adp' parameter is optional and allows other audit
1598 data to be passed (e.g. the dentry). */
88e67f3b 1599static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1600 struct inode *inode,
1601 u32 perms,
19e49834 1602 struct common_audit_data *adp)
1da177e4 1603{
1da177e4 1604 struct inode_security_struct *isec;
275bb41e 1605 u32 sid;
1da177e4 1606
e0e81739
DH		 1607 validate_creds(cred);
1608
828dfe1d 1609 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1610 return 0;
1611
88e67f3b 1612 sid = cred_sid(cred);
1da177e4
LT		 1613 isec = inode->i_security;
1614
19e49834 1615 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1616}
1617
1618/* Same as inode_has_perm, but pass explicit audit data containing
1619 the dentry to help the auditing code to more easily generate the
1620 pathname if needed. */
88e67f3b 1621static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1622 struct dentry *dentry,
1623 u32 av)
1624{
c6f493d6 1625 struct inode *inode = d_backing_inode(dentry);
2bf49690 1626 struct common_audit_data ad;
88e67f3b 1627
50c205f5 1628 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1629 ad.u.dentry = dentry;
19e49834 1630 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1631}
1632
1633/* Same as inode_has_perm, but pass explicit audit data containing
1634 the path to help the auditing code to more easily generate the
1635 pathname if needed. */
1636static inline int path_has_perm(const struct cred *cred,
3f7036a0 1637 const struct path *path,
2875fa00
EP		 1638 u32 av)
1639{
c6f493d6 1640 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1641 struct common_audit_data ad;
1642
50c205f5 1643 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1644 ad.u.path = *path;
19e49834 1645 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1646}
1647
13f8e981
DH		 1648/* Same as path_has_perm, but uses the inode from the file struct. */
1649static inline int file_path_has_perm(const struct cred *cred,
1650 struct file *file,
1651 u32 av)
1652{
1653 struct common_audit_data ad;
1654
1655 ad.type = LSM_AUDIT_DATA_PATH;
1656 ad.u.path = file->f_path;
19e49834 1657 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1658}
1659
1da177e4
LT		 1660/* Check whether a task can use an open file descriptor to
1661 access an inode in a given way. Check access to the
1662 descriptor itself, and then use dentry_has_perm to
1663 check a particular permission to the file.
1664 Access to the descriptor is implicitly granted if it
1665 has the same SID as the process. If av is zero, then
1666 access to the file is not checked, e.g. for cases
1667 where only the descriptor is affected like seek. */
88e67f3b
DH		 1668static int file_has_perm(const struct cred *cred,
1669 struct file *file,
1670 u32 av)
1da177e4 1671{
1da177e4 1672 struct file_security_struct *fsec = file->f_security;
496ad9aa 1673 struct inode *inode = file_inode(file);
2bf49690 1674 struct common_audit_data ad;
88e67f3b 1675 u32 sid = cred_sid(cred);
1da177e4
LT		 1676 int rc;
1677
50c205f5 1678 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 1679 ad.u.path = file->f_path;
1da177e4 1680
275bb41e
DH		 1681 if (sid != fsec->sid) {
1682 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1683 SECCLASS_FD,
1684 FD__USE,
1685 &ad);
1686 if (rc)
88e67f3b 1687 goto out;
1da177e4
LT		 1688 }
1689
1690 /* av is zero if only checking access to the descriptor. */
88e67f3b 1691 rc = 0;
1da177e4 1692 if (av)
19e49834 1693 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1694
88e67f3b
DH		 1695out:
1696 return rc;
1da177e4
LT		 1697}
1698
1699/* Check whether a task can create a file. */
1700static int may_create(struct inode *dir,
1701 struct dentry *dentry,
1702 u16 tclass)
1703{
5fb49870 1704 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1705 struct inode_security_struct *dsec;
1706 struct superblock_security_struct *sbsec;
275bb41e 1707 u32 sid, newsid;
2bf49690 1708 struct common_audit_data ad;
1da177e4
LT		 1709 int rc;
1710
1da177e4
LT		 1711 dsec = dir->i_security;
1712 sbsec = dir->i_sb->s_security;
1713
275bb41e
DH		 1714 sid = tsec->sid;
1715 newsid = tsec->create_sid;
1716
50c205f5 1717 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1718 ad.u.dentry = dentry;
1da177e4 1719
275bb41e 1720 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1721 DIR__ADD_NAME | DIR__SEARCH,
1722 &ad);
1723 if (rc)
1724 return rc;
1725
12f348b9 1726 if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
cb1e922f
EP		 1727 rc = security_transition_sid(sid, dsec->sid, tclass,
1728 &dentry->d_name, &newsid);
1da177e4
LT		 1729 if (rc)
1730 return rc;
1731 }
1732
275bb41e 1733 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1734 if (rc)
1735 return rc;
1736
1737 return avc_has_perm(newsid, sbsec->sid,
1738 SECCLASS_FILESYSTEM,
1739 FILESYSTEM__ASSOCIATE, &ad);
1740}
1741
4eb582cf
ML		 1742/* Check whether a task can create a key. */
1743static int may_create_key(u32 ksid,
1744 struct task_struct *ctx)
1745{
275bb41e 1746 u32 sid = task_sid(ctx);
4eb582cf 1747
275bb41e 1748 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1749}
1750
828dfe1d
EP		 1751#define MAY_LINK 0
1752#define MAY_UNLINK 1
1753#define MAY_RMDIR 2
1da177e4
LT		 1754
1755/* Check whether a task can link, unlink, or rmdir a file/directory. */
1756static int may_link(struct inode *dir,
1757 struct dentry *dentry,
1758 int kind)
1759
1760{
1da177e4 1761 struct inode_security_struct *dsec, *isec;
2bf49690 1762 struct common_audit_data ad;
275bb41e 1763 u32 sid = current_sid();
1da177e4
LT		 1764 u32 av;
1765 int rc;
1766
1da177e4 1767 dsec = dir->i_security;
c6f493d6 1768 isec = d_backing_inode(dentry)->i_security;
1da177e4 1769
50c205f5 1770 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1771 ad.u.dentry = dentry;
1da177e4
LT		 1772
1773 av = DIR__SEARCH;
1774 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1775 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1776 if (rc)
1777 return rc;
1778
1779 switch (kind) {
1780 case MAY_LINK:
1781 av = FILE__LINK;
1782 break;
1783 case MAY_UNLINK:
1784 av = FILE__UNLINK;
1785 break;
1786 case MAY_RMDIR:
1787 av = DIR__RMDIR;
1788 break;
1789 default:
744ba35e
EP		 1790 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1791 __func__, kind);
1da177e4
LT		 1792 return 0;
1793 }
1794
275bb41e 1795 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1796 return rc;
1797}
1798
1799static inline int may_rename(struct inode *old_dir,
1800 struct dentry *old_dentry,
1801 struct inode *new_dir,
1802 struct dentry *new_dentry)
1803{
1da177e4 1804 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1805 struct common_audit_data ad;
275bb41e 1806 u32 sid = current_sid();
1da177e4
LT		 1807 u32 av;
1808 int old_is_dir, new_is_dir;
1809 int rc;
1810
1da177e4 1811 old_dsec = old_dir->i_security;
c6f493d6 1812 old_isec = d_backing_inode(old_dentry)->i_security;
e36cb0b8 1813 old_is_dir = d_is_dir(old_dentry);
1da177e4
LT		 1814 new_dsec = new_dir->i_security;
1815
50c205f5 1816 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1817
a269434d 1818 ad.u.dentry = old_dentry;
275bb41e 1819 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1820 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1821 if (rc)
1822 return rc;
275bb41e 1823 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1824 old_isec->sclass, FILE__RENAME, &ad);
1825 if (rc)
1826 return rc;
1827 if (old_is_dir && new_dir != old_dir) {
275bb41e 1828 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1829 old_isec->sclass, DIR__REPARENT, &ad);
1830 if (rc)
1831 return rc;
1832 }
1833
a269434d 1834 ad.u.dentry = new_dentry;
1da177e4 1835 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1836 if (d_is_positive(new_dentry))
1da177e4 1837 av |= DIR__REMOVE_NAME;
275bb41e 1838 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1839 if (rc)
1840 return rc;
2c616d4d 1841 if (d_is_positive(new_dentry)) {
c6f493d6 1842 new_isec = d_backing_inode(new_dentry)->i_security;
e36cb0b8 1843 new_is_dir = d_is_dir(new_dentry);
275bb41e 1844 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1845 new_isec->sclass,
1846 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1847 if (rc)
1848 return rc;
1849 }
1850
1851 return 0;
1852}
1853
1854/* Check whether a task can perform a filesystem operation. */
88e67f3b 1855static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1856 struct super_block *sb,
1857 u32 perms,
2bf49690 1858 struct common_audit_data *ad)
1da177e4 1859{
1da177e4 1860 struct superblock_security_struct *sbsec;
88e67f3b 1861 u32 sid = cred_sid(cred);
1da177e4 1862
1da177e4 1863 sbsec = sb->s_security;
275bb41e 1864 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1865}
1866
1867/* Convert a Linux mode and permission mask to an access vector. */
1868static inline u32 file_mask_to_av(int mode, int mask)
1869{
1870 u32 av = 0;
1871
dba19c60 1872 if (!S_ISDIR(mode)) {
1da177e4
LT		 1873 if (mask & MAY_EXEC)
1874 av |= FILE__EXECUTE;
1875 if (mask & MAY_READ)
1876 av |= FILE__READ;
1877
1878 if (mask & MAY_APPEND)
1879 av |= FILE__APPEND;
1880 else if (mask & MAY_WRITE)
1881 av |= FILE__WRITE;
1882
1883 } else {
1884 if (mask & MAY_EXEC)
1885 av |= DIR__SEARCH;
1886 if (mask & MAY_WRITE)
1887 av |= DIR__WRITE;
1888 if (mask & MAY_READ)
1889 av |= DIR__READ;
1890 }
1891
1892 return av;
1893}
1894
8b6a5a37
EP		 1895/* Convert a Linux file to an access vector. */
1896static inline u32 file_to_av(struct file *file)
1897{
1898 u32 av = 0;
1899
1900 if (file->f_mode & FMODE_READ)
1901 av |= FILE__READ;
1902 if (file->f_mode & FMODE_WRITE) {
1903 if (file->f_flags & O_APPEND)
1904 av |= FILE__APPEND;
1905 else
1906 av |= FILE__WRITE;
1907 }
1908 if (!av) {
1909 /*
1910 * Special file opened with flags 3 for ioctl-only use.
1911 */
1912 av = FILE__IOCTL;
1913 }
1914
1915 return av;
1916}
1917
b0c636b9 1918/*
8b6a5a37 1919 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 1920 * open permission.
1921 */
8b6a5a37 1922static inline u32 open_file_to_av(struct file *file)
b0c636b9 1923{
8b6a5a37 1924 u32 av = file_to_av(file);
b0c636b9 1925
49b7b8de
EP		 1926 if (selinux_policycap_openperm)
1927 av |= FILE__OPEN;
1928
b0c636b9
EP		 1929 return av;
1930}
1931
1da177e4
LT		 1932/* Hook functions begin here. */
1933
79af7307
SS		 1934static int selinux_binder_set_context_mgr(struct task_struct *mgr)
1935{
1936 u32 mysid = current_sid();
1937 u32 mgrsid = task_sid(mgr);
1938
1939 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
1940 BINDER__SET_CONTEXT_MGR, NULL);
1941}
1942
1943static int selinux_binder_transaction(struct task_struct *from,
1944 struct task_struct *to)
1945{
1946 u32 mysid = current_sid();
1947 u32 fromsid = task_sid(from);
1948 u32 tosid = task_sid(to);
1949 int rc;
1950
1951 if (mysid != fromsid) {
1952 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
1953 BINDER__IMPERSONATE, NULL);
1954 if (rc)
1955 return rc;
1956 }
1957
1958 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
1959 NULL);
1960}
1961
1962static int selinux_binder_transfer_binder(struct task_struct *from,
1963 struct task_struct *to)
1964{
1965 u32 fromsid = task_sid(from);
1966 u32 tosid = task_sid(to);
1967
1968 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
1969 NULL);
1970}
1971
1972static int selinux_binder_transfer_file(struct task_struct *from,
1973 struct task_struct *to,
1974 struct file *file)
1975{
1976 u32 sid = task_sid(to);
1977 struct file_security_struct *fsec = file->f_security;
c6f493d6 1978 struct inode *inode = d_backing_inode(file->f_path.dentry);
79af7307
SS		 1979 struct inode_security_struct *isec = inode->i_security;
1980 struct common_audit_data ad;
1981 int rc;
1982
1983 ad.type = LSM_AUDIT_DATA_PATH;
1984 ad.u.path = file->f_path;
1985
1986 if (sid != fsec->sid) {
1987 rc = avc_has_perm(sid, fsec->sid,
1988 SECCLASS_FD,
1989 FD__USE,
1990 &ad);
1991 if (rc)
1992 return rc;
1993 }
1994
1995 if (unlikely(IS_PRIVATE(inode)))
1996 return 0;
1997
1998 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
1999 &ad);
2000}
2001
9e48858f 2002static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2003 unsigned int mode)
1da177e4 2004{
69f594a3 2005 if (mode & PTRACE_MODE_READ) {
275bb41e
DH		 2006 u32 sid = current_sid();
2007 u32 csid = task_sid(child);
2008 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 2009 }
2010
3b11a1de 2011 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 2012}
2013
2014static int selinux_ptrace_traceme(struct task_struct *parent)
2015{
5cd9c58f 2016 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 2017}
2018
2019static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2020 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2021{
b1d9e6b0 2022 return current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 2023}
2024
d84f4f99
DH		 2025static int selinux_capset(struct cred *new, const struct cred *old,
2026 const kernel_cap_t *effective,
2027 const kernel_cap_t *inheritable,
2028 const kernel_cap_t *permitted)
1da177e4 2029{
d84f4f99 2030 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 2031}
2032
5626d3e8
JM		 2033/*
2034 * (This comment used to live with the selinux_task_setuid hook,
2035 * which was removed).
2036 *
2037 * Since setuid only affects the current process, and since the SELinux
2038 * controls are not based on the Linux identity attributes, SELinux does not
2039 * need to control this operation. However, SELinux does control the use of
2040 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2041 */
2042
6a9de491
EP		 2043static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2044 int cap, int audit)
1da177e4 2045{
6a9de491 2046 return cred_has_capability(cred, cap, audit);
1da177e4
LT		 2047}
2048
1da177e4
LT		 2049static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2050{
88e67f3b 2051 const struct cred *cred = current_cred();
1da177e4
LT		 2052 int rc = 0;
2053
2054 if (!sb)
2055 return 0;
2056
2057 switch (cmds) {
828dfe1d
EP		 2058 case Q_SYNC:
2059 case Q_QUOTAON:
2060 case Q_QUOTAOFF:
2061 case Q_SETINFO:
2062 case Q_SETQUOTA:
88e67f3b 2063 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2064 break;
2065 case Q_GETFMT:
2066 case Q_GETINFO:
2067 case Q_GETQUOTA:
88e67f3b 2068 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2069 break;
2070 default:
2071 rc = 0; /* let the kernel handle invalid cmds */
2072 break;
1da177e4
LT		 2073 }
2074 return rc;
2075}
2076
2077static int selinux_quota_on(struct dentry *dentry)
2078{
88e67f3b
DH		 2079 const struct cred *cred = current_cred();
2080
2875fa00 2081 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2082}
2083
12b3052c 2084static int selinux_syslog(int type)
1da177e4
LT		 2085{
2086 int rc;
2087
1da177e4 2088 switch (type) {
d78ca3cd
KC		 2089 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2090 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
828dfe1d
EP		 2091 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2092 break;
d78ca3cd
KC		 2093 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2094 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2095 /* Set level of messages printed to console */
2096 case SYSLOG_ACTION_CONSOLE_LEVEL:
828dfe1d
EP		 2097 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2098 break;
d78ca3cd
KC		 2099 case SYSLOG_ACTION_CLOSE: /* Close log */
2100 case SYSLOG_ACTION_OPEN: /* Open log */
2101 case SYSLOG_ACTION_READ: /* Read from log */
2102 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2103 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
828dfe1d
EP		 2104 default:
2105 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2106 break;
1da177e4
LT		 2107 }
2108 return rc;
2109}
2110
2111/*
2112 * Check that a process has enough memory to allocate a new virtual
2113 * mapping. 0 means there is enough memory for the allocation to
2114 * succeed and -ENOMEM implies there is not.
2115 *
1da177e4
LT		 2116 * Do not audit the selinux permission check, as this is applied to all
2117 * processes that allocate mappings.
2118 */
34b4e4aa 2119static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2120{
2121 int rc, cap_sys_admin = 0;
1da177e4 2122
b1d9e6b0
CS		 2123 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2124 SECURITY_CAP_NOAUDIT);
1da177e4
LT		 2125 if (rc == 0)
2126 cap_sys_admin = 1;
2127
b1d9e6b0 2128 return cap_sys_admin;
1da177e4
LT		 2129}
2130
2131/* binprm security operations */
2132
7b0d0b40
SS		 2133static int check_nnp_nosuid(const struct linux_binprm *bprm,
2134 const struct task_security_struct *old_tsec,
2135 const struct task_security_struct *new_tsec)
2136{
2137 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2138 int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2139 int rc;
2140
2141 if (!nnp && !nosuid)
2142 return 0; /* neither NNP nor nosuid */
2143
2144 if (new_tsec->sid == old_tsec->sid)
2145 return 0; /* No change in credentials */
2146
2147 /*
2148 * The only transitions we permit under NNP or nosuid
2149 * are transitions to bounded SIDs, i.e. SIDs that are
2150 * guaranteed to only be allowed a subset of the permissions
2151 * of the current SID.
2152 */
2153 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2154 if (rc) {
2155 /*
2156 * On failure, preserve the errno values for NNP vs nosuid.
2157 * NNP: Operation not permitted for caller.
2158 * nosuid: Permission denied to file.
2159 */
2160 if (nnp)
2161 return -EPERM;
2162 else
2163 return -EACCES;
2164 }
2165 return 0;
2166}
2167
a6f76f23 2168static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2169{
a6f76f23
DH		 2170 const struct task_security_struct *old_tsec;
2171 struct task_security_struct *new_tsec;
1da177e4 2172 struct inode_security_struct *isec;
2bf49690 2173 struct common_audit_data ad;
496ad9aa 2174 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2175 int rc;
2176
a6f76f23
DH		 2177 /* SELinux context only depends on initial program or script and not
2178 * the script interpreter */
2179 if (bprm->cred_prepared)
1da177e4
LT		 2180 return 0;
2181
a6f76f23
DH		 2182 old_tsec = current_security();
2183 new_tsec = bprm->cred->security;
1da177e4
LT		 2184 isec = inode->i_security;
2185
2186 /* Default to the current task SID. */
a6f76f23
DH		 2187 new_tsec->sid = old_tsec->sid;
2188 new_tsec->osid = old_tsec->sid;
1da177e4 2189
28eba5bf 2190 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2191 new_tsec->create_sid = 0;
2192 new_tsec->keycreate_sid = 0;
2193 new_tsec->sockcreate_sid = 0;
1da177e4 2194
a6f76f23
DH		 2195 if (old_tsec->exec_sid) {
2196 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2197 /* Reset exec SID on execve. */
a6f76f23 2198 new_tsec->exec_sid = 0;
259e5e6c 2199
7b0d0b40
SS		 2200 /* Fail on NNP or nosuid if not an allowed transition. */
2201 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2202 if (rc)
2203 return rc;
1da177e4
LT		 2204 } else {
2205 /* Check for a default transition on this program. */
a6f76f23 2206 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2207 SECCLASS_PROCESS, NULL,
2208 &new_tsec->sid);
1da177e4
LT		 2209 if (rc)
2210 return rc;
7b0d0b40
SS		 2211
2212 /*
2213 * Fallback to old SID on NNP or nosuid if not an allowed
2214 * transition.
2215 */
2216 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2217 if (rc)
2218 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2219 }
2220
50c205f5 2221 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 2222 ad.u.path = bprm->file->f_path;
1da177e4 2223
a6f76f23
DH		 2224 if (new_tsec->sid == old_tsec->sid) {
2225 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2226 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2227 if (rc)
2228 return rc;
2229 } else {
2230 /* Check permissions for the transition. */
a6f76f23 2231 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2232 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2233 if (rc)
2234 return rc;
2235
a6f76f23 2236 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2237 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2238 if (rc)
2239 return rc;
2240
a6f76f23
DH		 2241 /* Check for shared state */
2242 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2243 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2244 SECCLASS_PROCESS, PROCESS__SHARE,
2245 NULL);
2246 if (rc)
2247 return -EPERM;
2248 }
2249
2250 /* Make sure that anyone attempting to ptrace over a task that
2251 * changes its SID has the appropriate permit */
2252 if (bprm->unsafe &
2253 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2254 struct task_struct *tracer;
2255 struct task_security_struct *sec;
2256 u32 ptsid = 0;
2257
2258 rcu_read_lock();
06d98473 2259 tracer = ptrace_parent(current);
a6f76f23
DH		 2260 if (likely(tracer != NULL)) {
2261 sec = __task_cred(tracer)->security;
2262 ptsid = sec->sid;
2263 }
2264 rcu_read_unlock();
2265
2266 if (ptsid != 0) {
2267 rc = avc_has_perm(ptsid, new_tsec->sid,
2268 SECCLASS_PROCESS,
2269 PROCESS__PTRACE, NULL);
2270 if (rc)
2271 return -EPERM;
2272 }
2273 }
1da177e4 2274
a6f76f23
DH		 2275 /* Clear any possibly unsafe personality bits on exec: */
2276 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2277 }
2278
1da177e4
LT		 2279 return 0;
2280}
2281
828dfe1d 2282static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2283{
5fb49870 2284 const struct task_security_struct *tsec = current_security();
275bb41e 2285 u32 sid, osid;
1da177e4
LT		 2286 int atsecure = 0;
2287
275bb41e
DH		 2288 sid = tsec->sid;
2289 osid = tsec->osid;
2290
2291 if (osid != sid) {
1da177e4
LT		 2292 /* Enable secure mode for SIDs transitions unless
2293 the noatsecure permission is granted between
2294 the two SIDs, i.e. ahp returns 0. */
275bb41e 2295 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2296 SECCLASS_PROCESS,
2297 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2298 }
2299
b1d9e6b0 2300 return !!atsecure;
1da177e4
LT		 2301}
2302
c3c073f8
AV		 2303static int match_file(const void *p, struct file *file, unsigned fd)
2304{
2305 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2306}
2307
1da177e4 2308/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2309static inline void flush_unauthorized_files(const struct cred *cred,
2310 struct files_struct *files)
1da177e4 2311{
1da177e4 2312 struct file *file, *devnull = NULL;
b20c8122 2313 struct tty_struct *tty;
24ec839c 2314 int drop_tty = 0;
c3c073f8 2315 unsigned n;
1da177e4 2316
24ec839c 2317 tty = get_current_tty();
1da177e4 2318 if (tty) {
ee2ffa0d 2319 spin_lock(&tty_files_lock);
37dd0bd0 2320 if (!list_empty(&tty->tty_files)) {
d996b62a 2321 struct tty_file_private *file_priv;
37dd0bd0 2322
1da177e4 2323 /* Revalidate access to controlling tty.
13f8e981
DH		 2324 Use file_path_has_perm on the tty path directly
2325 rather than using file_has_perm, as this particular
2326 open file may belong to another process and we are
2327 only interested in the inode-based check here. */
d996b62a
NP		 2328 file_priv = list_first_entry(&tty->tty_files,
2329 struct tty_file_private, list);
2330 file = file_priv->file;
13f8e981 2331 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2332 drop_tty = 1;
1da177e4 2333 }
ee2ffa0d 2334 spin_unlock(&tty_files_lock);
452a00d2 2335 tty_kref_put(tty);
1da177e4 2336 }
98a27ba4
EB		 2337 /* Reset controlling tty. */
2338 if (drop_tty)
2339 no_tty();
1da177e4
LT		 2340
2341 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2342 n = iterate_fd(files, 0, match_file, cred);
2343 if (!n) /* none found? */
2344 return;
1da177e4 2345
c3c073f8 2346 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2347 if (IS_ERR(devnull))
2348 devnull = NULL;
2349 /* replace all the matching ones with this */
2350 do {
2351 replace_fd(n - 1, devnull, 0);
2352 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2353 if (devnull)
c3c073f8 2354 fput(devnull);
1da177e4
LT		 2355}
2356
a6f76f23
DH		 2357/*
2358 * Prepare a process for imminent new credential changes due to exec
2359 */
2360static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2361{
a6f76f23
DH		 2362 struct task_security_struct *new_tsec;
2363 struct rlimit *rlim, *initrlim;
2364 int rc, i;
d84f4f99 2365
a6f76f23
DH		 2366 new_tsec = bprm->cred->security;
2367 if (new_tsec->sid == new_tsec->osid)
2368 return;
1da177e4 2369
a6f76f23
DH		 2370 /* Close files for which the new task SID is not authorized. */
2371 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2372
a6f76f23
DH		 2373 /* Always clear parent death signal on SID transitions. */
2374 current->pdeath_signal = 0;
0356357c 2375
a6f76f23
DH		 2376 /* Check whether the new SID can inherit resource limits from the old
2377 * SID. If not, reset all soft limits to the lower of the current
2378 * task's hard limit and the init task's soft limit.
2379 *
2380 * Note that the setting of hard limits (even to lower them) can be
2381 * controlled by the setrlimit check. The inclusion of the init task's
2382 * soft limit into the computation is to avoid resetting soft limits
2383 * higher than the default soft limit for cases where the default is
2384 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2385 */
2386 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2387 PROCESS__RLIMITINH, NULL);
2388 if (rc) {
eb2d55a3
ON		 2389 /* protect against do_prlimit() */
2390 task_lock(current);
a6f76f23
DH		 2391 for (i = 0; i < RLIM_NLIMITS; i++) {
2392 rlim = current->signal->rlim + i;
2393 initrlim = init_task.signal->rlim + i;
2394 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2395 }
eb2d55a3
ON		 2396 task_unlock(current);
2397 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2398 }
2399}
2400
2401/*
a6f76f23
DH		 2402 * Clean up the process immediately after the installation of new credentials
2403 * due to exec
1da177e4 2404 */
a6f76f23 2405static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2406{
a6f76f23 2407 const struct task_security_struct *tsec = current_security();
1da177e4 2408 struct itimerval itimer;
a6f76f23 2409 u32 osid, sid;
1da177e4
LT		 2410 int rc, i;
2411
a6f76f23
DH		 2412 osid = tsec->osid;
2413 sid = tsec->sid;
2414
2415 if (sid == osid)
1da177e4
LT		 2416 return;
2417
a6f76f23
DH		 2418 /* Check whether the new SID can inherit signal state from the old SID.
2419 * If not, clear itimers to avoid subsequent signal generation and
2420 * flush and unblock signals.
2421 *
2422 * This must occur _after_ the task SID has been updated so that any
2423 * kill done after the flush will be checked against the new SID.
2424 */
2425 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4
LT		 2426 if (rc) {
2427 memset(&itimer, 0, sizeof itimer);
2428 for (i = 0; i < 3; i++)
2429 do_setitimer(i, &itimer, NULL);
1da177e4 2430 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2431 if (!fatal_signal_pending(current)) {
2432 flush_sigqueue(&current->pending);
2433 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2434 flush_signal_handlers(current, 1);
2435 sigemptyset(&current->blocked);
9e7c8f8c 2436 recalc_sigpending();
3bcac026 2437 }
1da177e4
LT		 2438 spin_unlock_irq(&current->sighand->siglock);
2439 }
2440
a6f76f23
DH		 2441 /* Wake up the parent if it is waiting so that it can recheck
2442 * wait permission to the new task SID. */
ecd6de3c 2443 read_lock(&tasklist_lock);
0b7570e7 2444 __wake_up_parent(current, current->real_parent);
ecd6de3c 2445 read_unlock(&tasklist_lock);
1da177e4
LT		 2446}
2447
2448/* superblock security operations */
2449
2450static int selinux_sb_alloc_security(struct super_block *sb)
2451{
2452 return superblock_alloc_security(sb);
2453}
2454
2455static void selinux_sb_free_security(struct super_block *sb)
2456{
2457 superblock_free_security(sb);
2458}
2459
2460static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2461{
2462 if (plen > olen)
2463 return 0;
2464
2465 return !memcmp(prefix, option, plen);
2466}
2467
2468static inline int selinux_option(char *option, int len)
2469{
832cbd9a
EP		 2470 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2471 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2472 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2473 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2474 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2475}
2476
2477static inline void take_option(char **to, char *from, int *first, int len)
2478{
2479 if (!*first) {
2480 **to = ',';
2481 *to += 1;
3528a953 2482 } else
1da177e4
LT		 2483 *first = 0;
2484 memcpy(*to, from, len);
2485 *to += len;
2486}
2487
828dfe1d
EP		 2488static inline void take_selinux_option(char **to, char *from, int *first,
2489 int len)
3528a953
CO		 2490{
2491 int current_size = 0;
2492
2493 if (!*first) {
2494 **to = '|';
2495 *to += 1;
828dfe1d 2496 } else
3528a953
CO		 2497 *first = 0;
2498
2499 while (current_size < len) {
2500 if (*from != '"') {
2501 **to = *from;
2502 *to += 1;
2503 }
2504 from += 1;
2505 current_size += 1;
2506 }
2507}
2508
e0007529 2509static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2510{
2511 int fnosec, fsec, rc = 0;
2512 char *in_save, *in_curr, *in_end;
2513 char *sec_curr, *nosec_save, *nosec;
3528a953 2514 int open_quote = 0;
1da177e4
LT		 2515
2516 in_curr = orig;
2517 sec_curr = copy;
2518
1da177e4
LT		 2519 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2520 if (!nosec) {
2521 rc = -ENOMEM;
2522 goto out;
2523 }
2524
2525 nosec_save = nosec;
2526 fnosec = fsec = 1;
2527 in_save = in_end = orig;
2528
2529 do {
3528a953
CO		 2530 if (*in_end == '"')
2531 open_quote = !open_quote;
2532 if ((*in_end == ',' && open_quote == 0) ||
2533 *in_end == '\0') {
1da177e4
LT		 2534 int len = in_end - in_curr;
2535
2536 if (selinux_option(in_curr, len))
3528a953 2537 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2538 else
2539 take_option(&nosec, in_curr, &fnosec, len);
2540
2541 in_curr = in_end + 1;
2542 }
2543 } while (*in_end++);
2544
6931dfc9 2545 strcpy(in_save, nosec_save);
da3caa20 2546 free_page((unsigned long)nosec_save);
1da177e4
LT		 2547out:
2548 return rc;
2549}
2550
026eb167
EP		 2551static int selinux_sb_remount(struct super_block *sb, void *data)
2552{
2553 int rc, i, *flags;
2554 struct security_mnt_opts opts;
2555 char *secdata, **mount_options;
2556 struct superblock_security_struct *sbsec = sb->s_security;
2557
2558 if (!(sbsec->flags & SE_SBINITIALIZED))
2559 return 0;
2560
2561 if (!data)
2562 return 0;
2563
2564 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2565 return 0;
2566
2567 security_init_mnt_opts(&opts);
2568 secdata = alloc_secdata();
2569 if (!secdata)
2570 return -ENOMEM;
2571 rc = selinux_sb_copy_data(data, secdata);
2572 if (rc)
2573 goto out_free_secdata;
2574
2575 rc = selinux_parse_opts_str(secdata, &opts);
2576 if (rc)
2577 goto out_free_secdata;
2578
2579 mount_options = opts.mnt_opts;
2580 flags = opts.mnt_opts_flags;
2581
2582 for (i = 0; i < opts.num_mnt_opts; i++) {
2583 u32 sid;
2584 size_t len;
2585
12f348b9 2586 if (flags[i] == SBLABEL_MNT)
026eb167
EP		 2587 continue;
2588 len = strlen(mount_options[i]);
52a4c640
NA		 2589 rc = security_context_to_sid(mount_options[i], len, &sid,
2590 GFP_KERNEL);
026eb167
EP		 2591 if (rc) {
2592 printk(KERN_WARNING "SELinux: security_context_to_sid"
29b1deb2
LT		 2593 "(%s) failed for (dev %s, type %s) errno=%d\n",
2594 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2595 goto out_free_opts;
2596 }
2597 rc = -EINVAL;
2598 switch (flags[i]) {
2599 case FSCONTEXT_MNT:
2600 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2601 goto out_bad_option;
2602 break;
2603 case CONTEXT_MNT:
2604 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2605 goto out_bad_option;
2606 break;
2607 case ROOTCONTEXT_MNT: {
2608 struct inode_security_struct *root_isec;
c6f493d6 2609 root_isec = d_backing_inode(sb->s_root)->i_security;
026eb167
EP		 2610
2611 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2612 goto out_bad_option;
2613 break;
2614 }
2615 case DEFCONTEXT_MNT:
2616 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2617 goto out_bad_option;
2618 break;
2619 default:
2620 goto out_free_opts;
2621 }
2622 }
2623
2624 rc = 0;
2625out_free_opts:
2626 security_free_mnt_opts(&opts);
2627out_free_secdata:
2628 free_secdata(secdata);
2629 return rc;
2630out_bad_option:
2631 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2632 "during remount (dev %s, type=%s)\n", sb->s_id,
2633 sb->s_type->name);
026eb167
EP		 2634 goto out_free_opts;
2635}
2636
12204e24 2637static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2638{
88e67f3b 2639 const struct cred *cred = current_cred();
2bf49690 2640 struct common_audit_data ad;
1da177e4
LT		 2641 int rc;
2642
2643 rc = superblock_doinit(sb, data);
2644 if (rc)
2645 return rc;
2646
74192246
JM		 2647 /* Allow all mounts performed by the kernel */
2648 if (flags & MS_KERNMOUNT)
2649 return 0;
2650
50c205f5 2651 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2652 ad.u.dentry = sb->s_root;
88e67f3b 2653 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2654}
2655
726c3342 2656static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2657{
88e67f3b 2658 const struct cred *cred = current_cred();
2bf49690 2659 struct common_audit_data ad;
1da177e4 2660
50c205f5 2661 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2662 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2663 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2664}
2665
808d4e3c 2666static int selinux_mount(const char *dev_name,
b5266eb4 2667 struct path *path,
808d4e3c 2668 const char *type,
828dfe1d
EP		 2669 unsigned long flags,
2670 void *data)
1da177e4 2671{
88e67f3b 2672 const struct cred *cred = current_cred();
1da177e4
LT		 2673
2674 if (flags & MS_REMOUNT)
d8c9584e 2675 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2676 FILESYSTEM__REMOUNT, NULL);
1da177e4 2677 else
2875fa00 2678 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2679}
2680
2681static int selinux_umount(struct vfsmount *mnt, int flags)
2682{
88e67f3b 2683 const struct cred *cred = current_cred();
1da177e4 2684
88e67f3b 2685 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2686 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2687}
2688
2689/* inode security operations */
2690
2691static int selinux_inode_alloc_security(struct inode *inode)
2692{
2693 return inode_alloc_security(inode);
2694}
2695
2696static void selinux_inode_free_security(struct inode *inode)
2697{
2698 inode_free_security(inode);
2699}
2700
d47be3df
DQ		 2701static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2702 struct qstr *name, void **ctx,
2703 u32 *ctxlen)
2704{
2705 const struct cred *cred = current_cred();
2706 struct task_security_struct *tsec;
2707 struct inode_security_struct *dsec;
2708 struct superblock_security_struct *sbsec;
c6f493d6 2709 struct inode *dir = d_backing_inode(dentry->d_parent);
d47be3df
DQ		 2710 u32 newsid;
2711 int rc;
2712
2713 tsec = cred->security;
2714 dsec = dir->i_security;
2715 sbsec = dir->i_sb->s_security;
2716
2717 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2718 newsid = tsec->create_sid;
2719 } else {
2720 rc = security_transition_sid(tsec->sid, dsec->sid,
2721 inode_mode_to_security_class(mode),
2722 name,
2723 &newsid);
2724 if (rc) {
2725 printk(KERN_WARNING
2726 "%s: security_transition_sid failed, rc=%d\n",
2727 __func__, -rc);
2728 return rc;
2729 }
2730 }
2731
2732 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2733}
2734
5e41ff9e 2735static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2736 const struct qstr *qstr,
2737 const char **name,
2a7dba39 2738 void **value, size_t *len)
5e41ff9e 2739{
5fb49870 2740 const struct task_security_struct *tsec = current_security();
5e41ff9e
SS		 2741 struct inode_security_struct *dsec;
2742 struct superblock_security_struct *sbsec;
275bb41e 2743 u32 sid, newsid, clen;
5e41ff9e 2744 int rc;
9548906b 2745 char *context;
5e41ff9e 2746
5e41ff9e
SS		 2747 dsec = dir->i_security;
2748 sbsec = dir->i_sb->s_security;
5e41ff9e 2749
275bb41e
DH		 2750 sid = tsec->sid;
2751 newsid = tsec->create_sid;
2752
415103f9
EP		 2753 if ((sbsec->flags & SE_SBINITIALIZED) &&
2754 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2755 newsid = sbsec->mntpoint_sid;
12f348b9 2756 else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
275bb41e 2757 rc = security_transition_sid(sid, dsec->sid,
5e41ff9e 2758 inode_mode_to_security_class(inode->i_mode),
652bb9b0 2759 qstr, &newsid);
5e41ff9e
SS		 2760 if (rc) {
2761 printk(KERN_WARNING "%s: "
2762 "security_transition_sid failed, rc=%d (dev=%s "
2763 "ino=%ld)\n",
dd6f953a 2764 __func__,
5e41ff9e
SS		 2765 -rc, inode->i_sb->s_id, inode->i_ino);
2766 return rc;
2767 }
2768 }
2769
296fddf7 2770 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2771 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2772 struct inode_security_struct *isec = inode->i_security;
2773 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2774 isec->sid = newsid;
2775 isec->initialized = 1;
2776 }
5e41ff9e 2777
12f348b9 2778 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2779 return -EOPNOTSUPP;
2780
9548906b
TH		 2781 if (name)
2782 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2783
570bc1c2 2784 if (value && len) {
12b29f34 2785 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 2786 if (rc)
570bc1c2 2787 return rc;
570bc1c2
SS		 2788 *value = context;
2789 *len = clen;
5e41ff9e 2790 }
5e41ff9e 2791
5e41ff9e
SS		 2792 return 0;
2793}
2794
4acdaf27 2795static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2796{
2797 return may_create(dir, dentry, SECCLASS_FILE);
2798}
2799
1da177e4
LT		 2800static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2801{
1da177e4
LT		 2802 return may_link(dir, old_dentry, MAY_LINK);
2803}
2804
1da177e4
LT		 2805static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2806{
1da177e4
LT		 2807 return may_link(dir, dentry, MAY_UNLINK);
2808}
2809
2810static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2811{
2812 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2813}
2814
18bb1db3 2815static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2816{
2817 return may_create(dir, dentry, SECCLASS_DIR);
2818}
2819
1da177e4
LT		 2820static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2821{
2822 return may_link(dir, dentry, MAY_RMDIR);
2823}
2824
1a67aafb 2825static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2826{
1da177e4
LT		 2827 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2828}
2829
1da177e4 2830static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2831 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2832{
2833 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2834}
2835
1da177e4
LT		 2836static int selinux_inode_readlink(struct dentry *dentry)
2837{
88e67f3b
DH		 2838 const struct cred *cred = current_cred();
2839
2875fa00 2840 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2841}
2842
2843static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2844{
88e67f3b 2845 const struct cred *cred = current_cred();
1da177e4 2846
2875fa00 2847 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2848}
2849
d4cf970d
EP		 2850static noinline int audit_inode_permission(struct inode *inode,
2851 u32 perms, u32 audited, u32 denied,
626b9740 2852 int result,
d4cf970d 2853 unsigned flags)
1da177e4 2854{
b782e0a6 2855 struct common_audit_data ad;
d4cf970d
EP		 2856 struct inode_security_struct *isec = inode->i_security;
2857 int rc;
2858
50c205f5 2859 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 2860 ad.u.inode = inode;
2861
2862 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
626b9740 2863 audited, denied, result, &ad, flags);
d4cf970d
EP		 2864 if (rc)
2865 return rc;
2866 return 0;
2867}
2868
e74f71eb 2869static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2870{
88e67f3b 2871 const struct cred *cred = current_cred();
b782e0a6
EP		 2872 u32 perms;
2873 bool from_access;
cf1dd1da 2874 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 2875 struct inode_security_struct *isec;
2876 u32 sid;
2877 struct av_decision avd;
2878 int rc, rc2;
2879 u32 audited, denied;
1da177e4 2880
b782e0a6 2881 from_access = mask & MAY_ACCESS;
d09ca739
EP		 2882 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2883
b782e0a6
EP		 2884 /* No permission to check. Existence test. */
2885 if (!mask)
1da177e4 2886 return 0;
1da177e4 2887
2e334057 2888 validate_creds(cred);
b782e0a6 2889
2e334057
EP		 2890 if (unlikely(IS_PRIVATE(inode)))
2891 return 0;
b782e0a6
EP		 2892
2893 perms = file_mask_to_av(inode->i_mode, mask);
2894
2e334057
EP		 2895 sid = cred_sid(cred);
2896 isec = inode->i_security;
2897
2898 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2899 audited = avc_audit_required(perms, &avd, rc,
2900 from_access ? FILE__AUDIT_ACCESS : 0,
2901 &denied);
2902 if (likely(!audited))
2903 return rc;
2904
626b9740 2905 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 2906 if (rc2)
2907 return rc2;
2908 return rc;
1da177e4
LT		 2909}
2910
2911static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2912{
88e67f3b 2913 const struct cred *cred = current_cred();
bc6a6008 2914 unsigned int ia_valid = iattr->ia_valid;
95dbf739 2915 __u32 av = FILE__WRITE;
1da177e4 2916
bc6a6008
AW		 2917 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2918 if (ia_valid & ATTR_FORCE) {
2919 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2920 ATTR_FORCE);
2921 if (!ia_valid)
2922 return 0;
2923 }
1da177e4 2924
bc6a6008
AW		 2925 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2926 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 2927 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 2928
3d2195c3 2929 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
95dbf739
EP		 2930 av |= FILE__OPEN;
2931
2932 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 2933}
2934
3f7036a0 2935static int selinux_inode_getattr(const struct path *path)
1da177e4 2936{
3f7036a0 2937 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 2938}
2939
8f0cfa52 2940static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 2941{
88e67f3b
DH		 2942 const struct cred *cred = current_cred();
2943
b5376771
SH		 2944 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2945 sizeof XATTR_SECURITY_PREFIX - 1)) {
2946 if (!strcmp(name, XATTR_NAME_CAPS)) {
2947 if (!capable(CAP_SETFCAP))
2948 return -EPERM;
2949 } else if (!capable(CAP_SYS_ADMIN)) {
2950 /* A different attribute in the security namespace.
2951 Restrict to administrator. */
2952 return -EPERM;
2953 }
2954 }
2955
2956 /* Not an attribute we recognize, so just check the
2957 ordinary setattr permission. */
2875fa00 2958 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 2959}
2960
8f0cfa52
DH		 2961static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2962 const void *value, size_t size, int flags)
1da177e4 2963{
c6f493d6 2964 struct inode *inode = d_backing_inode(dentry);
1da177e4
LT		 2965 struct inode_security_struct *isec = inode->i_security;
2966 struct superblock_security_struct *sbsec;
2bf49690 2967 struct common_audit_data ad;
275bb41e 2968 u32 newsid, sid = current_sid();
1da177e4
LT		 2969 int rc = 0;
2970
b5376771
SH		 2971 if (strcmp(name, XATTR_NAME_SELINUX))
2972 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2973
2974 sbsec = inode->i_sb->s_security;
12f348b9 2975 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 2976 return -EOPNOTSUPP;
2977
2e149670 2978 if (!inode_owner_or_capable(inode))
1da177e4
LT		 2979 return -EPERM;
2980
50c205f5 2981 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2982 ad.u.dentry = dentry;
1da177e4 2983
275bb41e 2984 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 2985 FILE__RELABELFROM, &ad);
2986 if (rc)
2987 return rc;
2988
52a4c640 2989 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
12b29f34 2990 if (rc == -EINVAL) {
d6ea83ec
EP		 2991 if (!capable(CAP_MAC_ADMIN)) {
2992 struct audit_buffer *ab;
2993 size_t audit_size;
2994 const char *str;
2995
2996 /* We strip a nul only if it is at the end, otherwise the
2997 * context contains a nul and we should audit that */
e3fea3f7
AV		 2998 if (value) {
2999 str = value;
3000 if (str[size - 1] == '\0')
3001 audit_size = size - 1;
3002 else
3003 audit_size = size;
3004 } else {
3005 str = "";
3006 audit_size = 0;
3007 }
d6ea83ec
EP		 3008 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3009 audit_log_format(ab, "op=setxattr invalid_context=");
3010 audit_log_n_untrustedstring(ab, value, audit_size);
3011 audit_log_end(ab);
3012
12b29f34 3013 return rc;
d6ea83ec 3014 }
12b29f34
SS		 3015 rc = security_context_to_sid_force(value, size, &newsid);
3016 }
1da177e4
LT		 3017 if (rc)
3018 return rc;
3019
275bb41e 3020 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3021 FILE__RELABELTO, &ad);
3022 if (rc)
3023 return rc;
3024
275bb41e 3025 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 3026 isec->sclass);
1da177e4
LT		 3027 if (rc)
3028 return rc;
3029
3030 return avc_has_perm(newsid,
3031 sbsec->sid,
3032 SECCLASS_FILESYSTEM,
3033 FILESYSTEM__ASSOCIATE,
3034 &ad);
3035}
3036
8f0cfa52 3037static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3038 const void *value, size_t size,
8f0cfa52 3039 int flags)
1da177e4 3040{
c6f493d6 3041 struct inode *inode = d_backing_inode(dentry);
1da177e4
LT		 3042 struct inode_security_struct *isec = inode->i_security;
3043 u32 newsid;
3044 int rc;
3045
3046 if (strcmp(name, XATTR_NAME_SELINUX)) {
3047 /* Not an attribute we recognize, so nothing to do. */
3048 return;
3049 }
3050
12b29f34 3051 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 3052 if (rc) {
12b29f34
SS		 3053 printk(KERN_ERR "SELinux: unable to map context to SID"
3054 "for (%s, %lu), rc=%d\n",
3055 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3056 return;
3057 }
3058
aa9c2669 3059 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3060 isec->sid = newsid;
aa9c2669
DQ		 3061 isec->initialized = 1;
3062
1da177e4
LT		 3063 return;
3064}
3065
8f0cfa52 3066static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3067{
88e67f3b
DH		 3068 const struct cred *cred = current_cred();
3069
2875fa00 3070 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3071}
3072
828dfe1d 3073static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3074{
88e67f3b
DH		 3075 const struct cred *cred = current_cred();
3076
2875fa00 3077 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3078}
3079
8f0cfa52 3080static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3081{
b5376771
SH		 3082 if (strcmp(name, XATTR_NAME_SELINUX))
3083 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3084
3085 /* No one is allowed to remove a SELinux security label.
3086 You can change the label, but all data must be labeled. */
3087 return -EACCES;
3088}
3089
d381d8a9 3090/*
abc69bb6 3091 * Copy the inode security context value to the user.
d381d8a9
JM		 3092 *
3093 * Permission check is handled by selinux_inode_getxattr hook.
3094 */
42492594 3095static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3096{
42492594
DQ		 3097 u32 size;
3098 int error;
3099 char *context = NULL;
1da177e4 3100 struct inode_security_struct *isec = inode->i_security;
d381d8a9 3101
8c8570fb
DK		 3102 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3103 return -EOPNOTSUPP;
d381d8a9 3104
abc69bb6
SS		 3105 /*
3106 * If the caller has CAP_MAC_ADMIN, then get the raw context
3107 * value even if it is not defined by current policy; otherwise,
3108 * use the in-core value under current policy.
3109 * Use the non-auditing forms of the permission checks since
3110 * getxattr may be called by unprivileged processes commonly
3111 * and lack of permission just means that we fall back to the
3112 * in-core context value, not a denial.
3113 */
b1d9e6b0
CS		 3114 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3115 SECURITY_CAP_NOAUDIT);
3116 if (!error)
3117 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3118 SECURITY_CAP_NOAUDIT);
abc69bb6
SS		 3119 if (!error)
3120 error = security_sid_to_context_force(isec->sid, &context,
3121 &size);
3122 else
3123 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3124 if (error)
3125 return error;
3126 error = size;
3127 if (alloc) {
3128 *buffer = context;
3129 goto out_nofree;
3130 }
3131 kfree(context);
3132out_nofree:
3133 return error;
1da177e4
LT		 3134}
3135
3136static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3137 const void *value, size_t size, int flags)
1da177e4
LT		 3138{
3139 struct inode_security_struct *isec = inode->i_security;
3140 u32 newsid;
3141 int rc;
3142
3143 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3144 return -EOPNOTSUPP;
3145
3146 if (!value || !size)
3147 return -EACCES;
3148
52a4c640 3149 rc = security_context_to_sid((void *)value, size, &newsid, GFP_KERNEL);
1da177e4
LT		 3150 if (rc)
3151 return rc;
3152
aa9c2669 3153 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3154 isec->sid = newsid;
ddd29ec6 3155 isec->initialized = 1;
1da177e4
LT		 3156 return 0;
3157}
3158
3159static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3160{
3161 const int len = sizeof(XATTR_NAME_SELINUX);
3162 if (buffer && len <= buffer_size)
3163 memcpy(buffer, XATTR_NAME_SELINUX, len);
3164 return len;
3165}
3166
713a04ae
AD		 3167static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3168{
3169 struct inode_security_struct *isec = inode->i_security;
3170 *secid = isec->sid;
3171}
3172
1da177e4
LT		 3173/* file security operations */
3174
788e7dd4 3175static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3176{
88e67f3b 3177 const struct cred *cred = current_cred();
496ad9aa 3178 struct inode *inode = file_inode(file);
1da177e4 3179
1da177e4
LT		 3180 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3181 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3182 mask |= MAY_APPEND;
3183
389fb800
PM		 3184 return file_has_perm(cred, file,
3185 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3186}
3187
788e7dd4
YN		 3188static int selinux_file_permission(struct file *file, int mask)
3189{
496ad9aa 3190 struct inode *inode = file_inode(file);
20dda18b
SS		 3191 struct file_security_struct *fsec = file->f_security;
3192 struct inode_security_struct *isec = inode->i_security;
3193 u32 sid = current_sid();
3194
389fb800 3195 if (!mask)
788e7dd4
YN		 3196 /* No permission to check. Existence test. */
3197 return 0;
788e7dd4 3198
20dda18b
SS		 3199 if (sid == fsec->sid && fsec->isid == isec->sid &&
3200 fsec->pseqno == avc_policy_seqno())
83d49856 3201 /* No change since file_open check. */
20dda18b
SS		 3202 return 0;
3203
788e7dd4
YN		 3204 return selinux_revalidate_file_permission(file, mask);
3205}
3206
1da177e4
LT		 3207static int selinux_file_alloc_security(struct file *file)
3208{
3209 return file_alloc_security(file);
3210}
3211
3212static void selinux_file_free_security(struct file *file)
3213{
3214 file_free_security(file);
3215}
3216
3217static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3218 unsigned long arg)
3219{
88e67f3b 3220 const struct cred *cred = current_cred();
0b24dcb7 3221 int error = 0;
1da177e4 3222
0b24dcb7
EP		 3223 switch (cmd) {
3224 case FIONREAD:
3225 /* fall through */
3226 case FIBMAP:
3227 /* fall through */
3228 case FIGETBSZ:
3229 /* fall through */
2f99c369 3230 case FS_IOC_GETFLAGS:
0b24dcb7 3231 /* fall through */
2f99c369 3232 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3233 error = file_has_perm(cred, file, FILE__GETATTR);
3234 break;
1da177e4 3235
2f99c369 3236 case FS_IOC_SETFLAGS:
0b24dcb7 3237 /* fall through */
2f99c369 3238 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3239 error = file_has_perm(cred, file, FILE__SETATTR);
3240 break;
3241
3242 /* sys_ioctl() checks */
3243 case FIONBIO:
3244 /* fall through */
3245 case FIOASYNC:
3246 error = file_has_perm(cred, file, 0);
3247 break;
1da177e4 3248
0b24dcb7
EP		 3249 case KDSKBENT:
3250 case KDSKBSENT:
6a9de491
EP		 3251 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3252 SECURITY_CAP_AUDIT);
0b24dcb7
EP		 3253 break;
3254
3255 /* default case assumes that the command will go
3256 * to the file's ioctl() function.
3257 */
3258 default:
3259 error = file_has_perm(cred, file, FILE__IOCTL);
3260 }
3261 return error;
1da177e4
LT		 3262}
3263
fcaaade1
SS		 3264static int default_noexec;
3265
1da177e4
LT		 3266static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3267{
88e67f3b 3268 const struct cred *cred = current_cred();
d84f4f99 3269 int rc = 0;
88e67f3b 3270
fcaaade1
SS		 3271 if (default_noexec &&
3272 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3273 /*
3274 * We are making executable an anonymous mapping or a
3275 * private file mapping that will also be writable.
3276 * This has an additional check.
3277 */
d84f4f99 3278 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 3279 if (rc)
d84f4f99 3280 goto error;
1da177e4 3281 }
1da177e4
LT		 3282
3283 if (file) {
3284 /* read access is always possible with a mapping */
3285 u32 av = FILE__READ;
3286
3287 /* write access only matters if the mapping is shared */
3288 if (shared && (prot & PROT_WRITE))
3289 av |= FILE__WRITE;
3290
3291 if (prot & PROT_EXEC)
3292 av |= FILE__EXECUTE;
3293
88e67f3b 3294 return file_has_perm(cred, file, av);
1da177e4 3295 }
d84f4f99
DH		 3296
3297error:
3298 return rc;
1da177e4
LT		 3299}
3300
e5467859 3301static int selinux_mmap_addr(unsigned long addr)
1da177e4 3302{
b1d9e6b0 3303 int rc = 0;
1da177e4 3304
a2551df7 3305 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3306 u32 sid = current_sid();
ed032189
EP		 3307 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3308 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3309 }
3310
98883bfd 3311 return rc;
e5467859 3312}
1da177e4 3313
e5467859
AV		 3314static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3315 unsigned long prot, unsigned long flags)
3316{
1da177e4
LT		 3317 if (selinux_checkreqprot)
3318 prot = reqprot;
3319
3320 return file_map_prot_check(file, prot,
3321 (flags & MAP_TYPE) == MAP_SHARED);
3322}
3323
3324static int selinux_file_mprotect(struct vm_area_struct *vma,
3325 unsigned long reqprot,
3326 unsigned long prot)
3327{
88e67f3b 3328 const struct cred *cred = current_cred();
1da177e4
LT		 3329
3330 if (selinux_checkreqprot)
3331 prot = reqprot;
3332
fcaaade1
SS		 3333 if (default_noexec &&
3334 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3335 int rc = 0;
db4c9641
SS		 3336 if (vma->vm_start >= vma->vm_mm->start_brk &&
3337 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3338 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641
SS		 3339 } else if (!vma->vm_file &&
3340 vma->vm_start <= vma->vm_mm->start_stack &&
3341 vma->vm_end >= vma->vm_mm->start_stack) {
3b11a1de 3342 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3343 } else if (vma->vm_file && vma->anon_vma) {
3344 /*
3345 * We are making executable a file mapping that has
3346 * had some COW done. Since pages might have been
3347 * written, check ability to execute the possibly
3348 * modified content. This typically should only
3349 * occur for text relocations.
3350 */
d84f4f99 3351 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3352 }