]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blame - security/selinux/hooks.c
projects / mirror_ubuntu-artful-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
SELinux: Use GFP_KERNEL for selinux_parse_opts_str().
[mirror_ubuntu-artful-kernel.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4 26#include <linux/init.h>
0b24dcb7 27#include <linux/kd.h>
1da177e4 28#include <linux/kernel.h>
0d094efe 29#include <linux/tracehook.h>
1da177e4
LT		 30#include <linux/errno.h>
31#include <linux/sched.h>
3c4ed7bd 32#include <linux/lsm_hooks.h>
1da177e4
LT		 33#include <linux/xattr.h>
34#include <linux/capability.h>
35#include <linux/unistd.h>
36#include <linux/mm.h>
37#include <linux/mman.h>
38#include <linux/slab.h>
39#include <linux/pagemap.h>
0b24dcb7 40#include <linux/proc_fs.h>
1da177e4 41#include <linux/swap.h>
1da177e4
LT		 42#include <linux/spinlock.h>
43#include <linux/syscalls.h>
2a7dba39 44#include <linux/dcache.h>
1da177e4 45#include <linux/file.h>
9f3acc31 46#include <linux/fdtable.h>
1da177e4
LT		 47#include <linux/namei.h>
48#include <linux/mount.h>
1da177e4
LT		 49#include <linux/netfilter_ipv4.h>
50#include <linux/netfilter_ipv6.h>
51#include <linux/tty.h>
52#include <net/icmp.h>
227b60f5 53#include <net/ip.h> /* for local_port_range[] */
1da177e4 54#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 55#include <net/inet_connection_sock.h>
220deb96 56#include <net/net_namespace.h>
d621d35e 57#include <net/netlabel.h>
f5269710 58#include <linux/uaccess.h>
1da177e4 59#include <asm/ioctls.h>
60063497 60#include <linux/atomic.h>
1da177e4
LT		 61#include <linux/bitops.h>
62#include <linux/interrupt.h>
63#include <linux/netdevice.h> /* for network interface checks */
77954983 64#include <net/netlink.h>
1da177e4
LT		 65#include <linux/tcp.h>
66#include <linux/udp.h>
2ee92d46 67#include <linux/dccp.h>
1da177e4
LT		 68#include <linux/quota.h>
69#include <linux/un.h> /* for Unix socket types */
70#include <net/af_unix.h> /* for Unix socket types */
71#include <linux/parser.h>
72#include <linux/nfs_mount.h>
73#include <net/ipv6.h>
74#include <linux/hugetlb.h>
75#include <linux/personality.h>
1da177e4 76#include <linux/audit.h>
6931dfc9 77#include <linux/string.h>
877ce7c1 78#include <linux/selinux.h>
23970741 79#include <linux/mutex.h>
f06febc9 80#include <linux/posix-timers.h>
00234592 81#include <linux/syslog.h>
3486740a 82#include <linux/user_namespace.h>
44fc7ea0 83#include <linux/export.h>
40401530
AV		 84#include <linux/msg.h>
85#include <linux/shm.h>
1da177e4
LT		 86
87#include "avc.h"
88#include "objsec.h"
89#include "netif.h"
224dfbd8 90#include "netnode.h"
3e112172 91#include "netport.h"
d28d1e08 92#include "xfrm.h"
c60475bf 93#include "netlabel.h"
9d57a7f9 94#include "audit.h"
7b98a585 95#include "avc_ss.h"
1da177e4 96
d621d35e 97/* SECMARK reference count */
56a4ca99 98static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 99
1da177e4 100#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 101int selinux_enforcing;
1da177e4
LT		 102
103static int __init enforcing_setup(char *str)
104{
f5269710 105 unsigned long enforcing;
29707b20 106 if (!kstrtoul(str, 0, &enforcing))
f5269710 107 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 108 return 1;
109}
110__setup("enforcing=", enforcing_setup);
111#endif
112
113#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116static int __init selinux_enabled_setup(char *str)
117{
f5269710 118 unsigned long enabled;
29707b20 119 if (!kstrtoul(str, 0, &enabled))
f5269710 120 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 121 return 1;
122}
123__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 124#else
125int selinux_enabled = 1;
1da177e4
LT		 126#endif
127
e18b890b 128static struct kmem_cache *sel_inode_cache;
63205654 129static struct kmem_cache *file_security_cache;
7cae7e26 130
d621d35e
PM		 131/**
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133 *
134 * Description:
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 138 * enabled, false (0) if SECMARK is disabled. If the always_check_network
139 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 140 *
141 */
142static int selinux_secmark_enabled(void)
143{
2be4d74f
CP		 144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145}
146
147/**
148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149 *
150 * Description:
151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
152 * (1) if any are enabled or false (0) if neither are enabled. If the
153 * always_check_network policy capability is enabled, peer labeling
154 * is always considered enabled.
155 *
156 */
157static int selinux_peerlbl_enabled(void)
158{
159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 160}
161
615e51fd
PM		 162static int selinux_netcache_avc_callback(u32 event)
163{
164 if (event == AVC_CALLBACK_RESET) {
165 sel_netif_flush();
166 sel_netnode_flush();
167 sel_netport_flush();
168 synchronize_net();
169 }
170 return 0;
171}
172
d84f4f99
DH		 173/*
174 * initialise the security for the init task
175 */
176static void cred_init_security(void)
1da177e4 177{
3b11a1de 178 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 179 struct task_security_struct *tsec;
180
89d155ef 181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 182 if (!tsec)
d84f4f99 183 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 184
d84f4f99 185 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 186 cred->security = tsec;
1da177e4
LT		 187}
188
88e67f3b
DH		 189/*
190 * get the security ID of a set of credentials
191 */
192static inline u32 cred_sid(const struct cred *cred)
193{
194 const struct task_security_struct *tsec;
195
196 tsec = cred->security;
197 return tsec->sid;
198}
199
275bb41e 200/*
3b11a1de 201 * get the objective security ID of a task
275bb41e
DH		 202 */
203static inline u32 task_sid(const struct task_struct *task)
204{
275bb41e
DH		 205 u32 sid;
206
207 rcu_read_lock();
88e67f3b 208 sid = cred_sid(__task_cred(task));
275bb41e
DH		 209 rcu_read_unlock();
210 return sid;
211}
212
213/*
3b11a1de 214 * get the subjective security ID of the current task
275bb41e
DH		 215 */
216static inline u32 current_sid(void)
217{
5fb49870 218 const struct task_security_struct *tsec = current_security();
275bb41e
DH		 219
220 return tsec->sid;
221}
222
88e67f3b
DH		 223/* Allocate and free functions for each kind of security blob. */
224
1da177e4
LT		 225static int inode_alloc_security(struct inode *inode)
226{
1da177e4 227 struct inode_security_struct *isec;
275bb41e 228 u32 sid = current_sid();
1da177e4 229
a02fe132 230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 231 if (!isec)
232 return -ENOMEM;
233
23970741 234 mutex_init(&isec->lock);
1da177e4 235 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 236 isec->inode = inode;
237 isec->sid = SECINITSID_UNLABELED;
238 isec->sclass = SECCLASS_FILE;
275bb41e 239 isec->task_sid = sid;
1da177e4
LT		 240 inode->i_security = isec;
241
242 return 0;
243}
244
5d226df4
AG		 245static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
246
247/*
248 * Try reloading inode security labels that have been marked as invalid. The
249 * @may_sleep parameter indicates when sleeping and thus reloading labels is
250 * allowed; when set to false, returns ERR_PTR(-ECHILD) when the label is
251 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
252 * when no dentry is available, set it to NULL instead.
253 */
254static int __inode_security_revalidate(struct inode *inode,
255 struct dentry *opt_dentry,
256 bool may_sleep)
257{
258 struct inode_security_struct *isec = inode->i_security;
259
260 might_sleep_if(may_sleep);
261
1ac42476 262 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 263 if (!may_sleep)
264 return -ECHILD;
265
266 /*
267 * Try reloading the inode security label. This will fail if
268 * @opt_dentry is NULL and no dentry for this inode can be
269 * found; in that case, continue using the old label.
270 */
271 inode_doinit_with_dentry(inode, opt_dentry);
272 }
273 return 0;
274}
275
5d226df4
AG		 276static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
277{
278 return inode->i_security;
279}
280
281static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
282{
283 int error;
284
285 error = __inode_security_revalidate(inode, NULL, !rcu);
286 if (error)
287 return ERR_PTR(error);
288 return inode->i_security;
289}
290
83da53c5
AG		 291/*
292 * Get the security label of an inode.
293 */
294static struct inode_security_struct *inode_security(struct inode *inode)
295{
5d226df4 296 __inode_security_revalidate(inode, NULL, true);
83da53c5
AG		 297 return inode->i_security;
298}
299
2c97165b
PM		 300static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
301{
302 struct inode *inode = d_backing_inode(dentry);
303
304 return inode->i_security;
305}
306
83da53c5
AG		 307/*
308 * Get the security label of a dentry's backing inode.
309 */
310static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
311{
312 struct inode *inode = d_backing_inode(dentry);
313
5d226df4 314 __inode_security_revalidate(inode, dentry, true);
83da53c5
AG		 315 return inode->i_security;
316}
317
3dc91d43
SR		 318static void inode_free_rcu(struct rcu_head *head)
319{
320 struct inode_security_struct *isec;
321
322 isec = container_of(head, struct inode_security_struct, rcu);
323 kmem_cache_free(sel_inode_cache, isec);
324}
325
1da177e4
LT		 326static void inode_free_security(struct inode *inode)
327{
328 struct inode_security_struct *isec = inode->i_security;
329 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
330
9629d04a
WL		 331 /*
332 * As not all inode security structures are in a list, we check for
333 * empty list outside of the lock to make sure that we won't waste
334 * time taking a lock doing nothing.
335 *
336 * The list_del_init() function can be safely called more than once.
337 * It should not be possible for this function to be called with
338 * concurrent list_add(), but for better safety against future changes
339 * in the code, we use list_empty_careful() here.
340 */
341 if (!list_empty_careful(&isec->list)) {
342 spin_lock(&sbsec->isec_lock);
1da177e4 343 list_del_init(&isec->list);
9629d04a
WL		 344 spin_unlock(&sbsec->isec_lock);
345 }
1da177e4 346
3dc91d43
SR		 347 /*
348 * The inode may still be referenced in a path walk and
349 * a call to selinux_inode_permission() can be made
350 * after inode_free_security() is called. Ideally, the VFS
351 * wouldn't do this, but fixing that is a much harder
352 * job. For now, simply free the i_security via RCU, and
353 * leave the current inode->i_security pointer intact.
354 * The inode will be freed after the RCU grace period too.
355 */
356 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 357}
358
359static int file_alloc_security(struct file *file)
360{
1da177e4 361 struct file_security_struct *fsec;
275bb41e 362 u32 sid = current_sid();
1da177e4 363
63205654 364 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
1da177e4
LT		 365 if (!fsec)
366 return -ENOMEM;
367
275bb41e
DH		 368 fsec->sid = sid;
369 fsec->fown_sid = sid;
1da177e4
LT		 370 file->f_security = fsec;
371
372 return 0;
373}
374
375static void file_free_security(struct file *file)
376{
377 struct file_security_struct *fsec = file->f_security;
1da177e4 378 file->f_security = NULL;
63205654 379 kmem_cache_free(file_security_cache, fsec);
1da177e4
LT		 380}
381
382static int superblock_alloc_security(struct super_block *sb)
383{
384 struct superblock_security_struct *sbsec;
385
89d155ef 386 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 387 if (!sbsec)
388 return -ENOMEM;
389
bc7e982b 390 mutex_init(&sbsec->lock);
1da177e4
LT		 391 INIT_LIST_HEAD(&sbsec->isec_head);
392 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 393 sbsec->sb = sb;
394 sbsec->sid = SECINITSID_UNLABELED;
395 sbsec->def_sid = SECINITSID_FILE;
c312feb2 396 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 397 sb->s_security = sbsec;
398
399 return 0;
400}
401
402static void superblock_free_security(struct super_block *sb)
403{
404 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 405 sb->s_security = NULL;
406 kfree(sbsec);
407}
408
1da177e4
LT		 409/* The file system's label must be initialized prior to use. */
410
eb9ae686 411static const char *labeling_behaviors[7] = {
1da177e4
LT		 412 "uses xattr",
413 "uses transition SIDs",
414 "uses task SIDs",
415 "uses genfs_contexts",
416 "not configured for labeling",
417 "uses mountpoint labeling",
eb9ae686 418 "uses native labeling",
1da177e4
LT		 419};
420
1da177e4
LT		 421static inline int inode_doinit(struct inode *inode)
422{
423 return inode_doinit_with_dentry(inode, NULL);
424}
425
426enum {
31e87930 427 Opt_error = -1,
1da177e4
LT		 428 Opt_context = 1,
429 Opt_fscontext = 2,
c9180a57
EP		 430 Opt_defcontext = 3,
431 Opt_rootcontext = 4,
11689d47 432 Opt_labelsupport = 5,
d355987f 433 Opt_nextmntopt = 6,
1da177e4
LT		 434};
435
d355987f
EP		 436#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
437
a447c093 438static const match_table_t tokens = {
832cbd9a
EP		 439 {Opt_context, CONTEXT_STR "%s"},
440 {Opt_fscontext, FSCONTEXT_STR "%s"},
441 {Opt_defcontext, DEFCONTEXT_STR "%s"},
442 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 443 {Opt_labelsupport, LABELSUPP_STR},
31e87930 444 {Opt_error, NULL},
1da177e4
LT		 445};
446
447#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
448
c312feb2
EP		 449static int may_context_mount_sb_relabel(u32 sid,
450 struct superblock_security_struct *sbsec,
275bb41e 451 const struct cred *cred)
c312feb2 452{
275bb41e 453 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 454 int rc;
455
456 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
457 FILESYSTEM__RELABELFROM, NULL);
458 if (rc)
459 return rc;
460
461 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
462 FILESYSTEM__RELABELTO, NULL);
463 return rc;
464}
465
0808925e
EP		 466static int may_context_mount_inode_relabel(u32 sid,
467 struct superblock_security_struct *sbsec,
275bb41e 468 const struct cred *cred)
0808925e 469{
275bb41e 470 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 471 int rc;
472 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
473 FILESYSTEM__RELABELFROM, NULL);
474 if (rc)
475 return rc;
476
477 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
478 FILESYSTEM__ASSOCIATE, NULL);
479 return rc;
480}
481
b43e725d
EP		 482static int selinux_is_sblabel_mnt(struct super_block *sb)
483{
484 struct superblock_security_struct *sbsec = sb->s_security;
485
d5f3a5f6
MS		 486 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
487 sbsec->behavior == SECURITY_FS_USE_TRANS ||
488 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 489 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 490 /* Special handling. Genfs but also in-core setxattr handler */
491 !strcmp(sb->s_type->name, "sysfs") ||
492 !strcmp(sb->s_type->name, "pstore") ||
493 !strcmp(sb->s_type->name, "debugfs") ||
494 !strcmp(sb->s_type->name, "rootfs");
b43e725d
EP		 495}
496
c9180a57 497static int sb_finish_set_opts(struct super_block *sb)
1da177e4 498{
1da177e4 499 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 500 struct dentry *root = sb->s_root;
c6f493d6 501 struct inode *root_inode = d_backing_inode(root);
c9180a57 502 int rc = 0;
1da177e4 503
c9180a57
EP		 504 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
505 /* Make sure that the xattr handler exists and that no
506 error other than -ENODATA is returned by getxattr on
507 the root directory. -ENODATA is ok, as this may be
508 the first boot of the SELinux kernel before we have
509 assigned xattr values to the filesystem. */
5d6c3191 510 if (!(root_inode->i_opflags & IOP_XATTR)) {
29b1deb2
LT		 511 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
512 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 513 rc = -EOPNOTSUPP;
514 goto out;
515 }
5d6c3191
AG		 516
517 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 518 if (rc < 0 && rc != -ENODATA) {
519 if (rc == -EOPNOTSUPP)
520 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 521 "%s) has no security xattr handler\n",
522 sb->s_id, sb->s_type->name);
c9180a57
EP		 523 else
524 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 525 "%s) getxattr errno %d\n", sb->s_id,
526 sb->s_type->name, -rc);
c9180a57
EP		 527 goto out;
528 }
529 }
1da177e4 530
c9180a57 531 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
29b1deb2
LT		 532 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
533 sb->s_id, sb->s_type->name);
1da177e4 534
eadcabc6 535 sbsec->flags |= SE_SBINITIALIZED;
b43e725d 536 if (selinux_is_sblabel_mnt(sb))
12f348b9 537 sbsec->flags |= SBLABEL_MNT;
ddd29ec6 538
c9180a57
EP		 539 /* Initialize the root inode. */
540 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 541
c9180a57
EP		 542 /* Initialize any other inodes associated with the superblock, e.g.
543 inodes created prior to initial policy load or inodes created
544 during get_sb by a pseudo filesystem that directly
545 populates itself. */
546 spin_lock(&sbsec->isec_lock);
547next_inode:
548 if (!list_empty(&sbsec->isec_head)) {
549 struct inode_security_struct *isec =
550 list_entry(sbsec->isec_head.next,
551 struct inode_security_struct, list);
552 struct inode *inode = isec->inode;
923190d3 553 list_del_init(&isec->list);
c9180a57
EP		 554 spin_unlock(&sbsec->isec_lock);
555 inode = igrab(inode);
556 if (inode) {
557 if (!IS_PRIVATE(inode))
558 inode_doinit(inode);
559 iput(inode);
560 }
561 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 562 goto next_inode;
563 }
564 spin_unlock(&sbsec->isec_lock);
565out:
566 return rc;
567}
1da177e4 568
c9180a57
EP		 569/*
570 * This function should allow an FS to ask what it's mount security
571 * options were so it can use those later for submounts, displaying
572 * mount options, or whatever.
573 */
574static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 575 struct security_mnt_opts *opts)
c9180a57
EP		 576{
577 int rc = 0, i;
578 struct superblock_security_struct *sbsec = sb->s_security;
579 char *context = NULL;
580 u32 len;
581 char tmp;
1da177e4 582
e0007529 583 security_init_mnt_opts(opts);
1da177e4 584
0d90a7ec 585 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 586 return -EINVAL;
1da177e4 587
c9180a57
EP		 588 if (!ss_initialized)
589 return -EINVAL;
1da177e4 590
af8e50cc
EP		 591 /* make sure we always check enough bits to cover the mask */
592 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
593
0d90a7ec 594 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 595 /* count the number of mount options for this sb */
af8e50cc 596 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 597 if (tmp & 0x01)
e0007529 598 opts->num_mnt_opts++;
c9180a57
EP		 599 tmp >>= 1;
600 }
11689d47 601 /* Check if the Label support flag is set */
0b4bdb35 602 if (sbsec->flags & SBLABEL_MNT)
11689d47 603 opts->num_mnt_opts++;
1da177e4 604
e0007529
EP		 605 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
606 if (!opts->mnt_opts) {
c9180a57
EP		 607 rc = -ENOMEM;
608 goto out_free;
609 }
1da177e4 610
e0007529
EP		 611 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
612 if (!opts->mnt_opts_flags) {
c9180a57
EP		 613 rc = -ENOMEM;
614 goto out_free;
615 }
1da177e4 616
c9180a57
EP		 617 i = 0;
618 if (sbsec->flags & FSCONTEXT_MNT) {
619 rc = security_sid_to_context(sbsec->sid, &context, &len);
620 if (rc)
621 goto out_free;
e0007529
EP		 622 opts->mnt_opts[i] = context;
623 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 624 }
625 if (sbsec->flags & CONTEXT_MNT) {
626 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
627 if (rc)
628 goto out_free;
e0007529
EP		 629 opts->mnt_opts[i] = context;
630 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 631 }
632 if (sbsec->flags & DEFCONTEXT_MNT) {
633 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
634 if (rc)
635 goto out_free;
e0007529
EP		 636 opts->mnt_opts[i] = context;
637 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 638 }
639 if (sbsec->flags & ROOTCONTEXT_MNT) {
83da53c5
AG		 640 struct dentry *root = sbsec->sb->s_root;
641 struct inode_security_struct *isec = backing_inode_security(root);
0808925e 642
c9180a57
EP		 643 rc = security_sid_to_context(isec->sid, &context, &len);
644 if (rc)
645 goto out_free;
e0007529
EP		 646 opts->mnt_opts[i] = context;
647 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 648 }
12f348b9 649 if (sbsec->flags & SBLABEL_MNT) {
11689d47 650 opts->mnt_opts[i] = NULL;
12f348b9 651 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 652 }
1da177e4 653
e0007529 654 BUG_ON(i != opts->num_mnt_opts);
1da177e4 655
c9180a57
EP		 656 return 0;
657
658out_free:
e0007529 659 security_free_mnt_opts(opts);
c9180a57
EP		 660 return rc;
661}
1da177e4 662
c9180a57
EP		 663static int bad_option(struct superblock_security_struct *sbsec, char flag,
664 u32 old_sid, u32 new_sid)
665{
0d90a7ec
DQ		 666 char mnt_flags = sbsec->flags & SE_MNTMASK;
667
c9180a57 668 /* check if the old mount command had the same options */
0d90a7ec 669 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 670 if (!(sbsec->flags & flag) ||
671 (old_sid != new_sid))
672 return 1;
673
674 /* check if we were passed the same options twice,
675 * aka someone passed context=a,context=b
676 */
0d90a7ec
DQ		 677 if (!(sbsec->flags & SE_SBINITIALIZED))
678 if (mnt_flags & flag)
c9180a57
EP		 679 return 1;
680 return 0;
681}
e0007529 682
c9180a57
EP		 683/*
684 * Allow filesystems with binary mount data to explicitly set mount point
685 * labeling information.
686 */
e0007529 687static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 688 struct security_mnt_opts *opts,
689 unsigned long kern_flags,
690 unsigned long *set_kern_flags)
c9180a57 691{
275bb41e 692 const struct cred *cred = current_cred();
c9180a57 693 int rc = 0, i;
c9180a57 694 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 695 const char *name = sb->s_type->name;
83da53c5 696 struct dentry *root = sbsec->sb->s_root;
2c97165b 697 struct inode_security_struct *root_isec;
c9180a57
EP		 698 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
699 u32 defcontext_sid = 0;
e0007529
EP		 700 char **mount_options = opts->mnt_opts;
701 int *flags = opts->mnt_opts_flags;
702 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 703
704 mutex_lock(&sbsec->lock);
705
706 if (!ss_initialized) {
707 if (!num_opts) {
708 /* Defer initialization until selinux_complete_init,
709 after the initial policy is loaded and the security
710 server is ready to handle calls. */
c9180a57
EP		 711 goto out;
712 }
713 rc = -EINVAL;
744ba35e
EP		 714 printk(KERN_WARNING "SELinux: Unable to set superblock options "
715 "before the security server is initialized\n");
1da177e4 716 goto out;
c9180a57 717 }
649f6e77
DQ		 718 if (kern_flags && !set_kern_flags) {
719 /* Specifying internal flags without providing a place to
720 * place the results is not allowed */
721 rc = -EINVAL;
722 goto out;
723 }
1da177e4 724
e0007529
EP		 725 /*
726 * Binary mount data FS will come through this function twice. Once
727 * from an explicit call and once from the generic calls from the vfs.
728 * Since the generic VFS calls will not contain any security mount data
729 * we need to skip the double mount verification.
730 *
731 * This does open a hole in which we will not notice if the first
732 * mount using this sb set explict options and a second mount using
733 * this sb does not set any security options. (The first options
734 * will be used for both mounts)
735 */
0d90a7ec 736 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 737 && (num_opts == 0))
f5269710 738 goto out;
e0007529 739
2c97165b
PM		 740 root_isec = backing_inode_security_novalidate(root);
741
c9180a57
EP		 742 /*
743 * parse the mount options, check if they are valid sids.
744 * also check if someone is trying to mount the same sb more
745 * than once with different security options.
746 */
747 for (i = 0; i < num_opts; i++) {
748 u32 sid;
11689d47 749
12f348b9 750 if (flags[i] == SBLABEL_MNT)
11689d47 751 continue;
44be2f65 752 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
1da177e4 753 if (rc) {
44be2f65 754 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 755 "(%s) failed for (dev %s, type %s) errno=%d\n",
756 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 757 goto out;
758 }
759 switch (flags[i]) {
760 case FSCONTEXT_MNT:
761 fscontext_sid = sid;
762
763 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
764 fscontext_sid))
765 goto out_double_mount;
766
767 sbsec->flags |= FSCONTEXT_MNT;
768 break;
769 case CONTEXT_MNT:
770 context_sid = sid;
771
772 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
773 context_sid))
774 goto out_double_mount;
775
776 sbsec->flags |= CONTEXT_MNT;
777 break;
778 case ROOTCONTEXT_MNT:
779 rootcontext_sid = sid;
780
781 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
782 rootcontext_sid))
783 goto out_double_mount;
784
785 sbsec->flags |= ROOTCONTEXT_MNT;
786
787 break;
788 case DEFCONTEXT_MNT:
789 defcontext_sid = sid;
790
791 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
792 defcontext_sid))
793 goto out_double_mount;
794
795 sbsec->flags |= DEFCONTEXT_MNT;
796
797 break;
798 default:
799 rc = -EINVAL;
800 goto out;
1da177e4 801 }
c9180a57
EP		 802 }
803
0d90a7ec 804 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 805 /* previously mounted with options, but not on this attempt? */
0d90a7ec 806 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 807 goto out_double_mount;
808 rc = 0;
809 goto out;
810 }
811
089be43e 812 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 813 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
814
8e014720
SS		 815 if (!strcmp(sb->s_type->name, "debugfs") ||
816 !strcmp(sb->s_type->name, "sysfs") ||
817 !strcmp(sb->s_type->name, "pstore"))
134509d5 818 sbsec->flags |= SE_SBGENFS;
c9180a57 819
eb9ae686
DQ		 820 if (!sbsec->behavior) {
821 /*
822 * Determine the labeling behavior to use for this
823 * filesystem type.
824 */
98f700f3 825 rc = security_fs_use(sb);
eb9ae686
DQ		 826 if (rc) {
827 printk(KERN_WARNING
828 "%s: security_fs_use(%s) returned %d\n",
829 __func__, sb->s_type->name, rc);
830 goto out;
831 }
c9180a57 832 }
aad82892
SF		 833
834 /*
835 * If this is a user namespace mount, no contexts are allowed
836 * on the command line and security labels must be ignored.
837 */
838 if (sb->s_user_ns != &init_user_ns) {
839 if (context_sid || fscontext_sid || rootcontext_sid ||
840 defcontext_sid) {
841 rc = -EACCES;
842 goto out;
843 }
844 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
845 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
846 rc = security_transition_sid(current_sid(), current_sid(),
847 SECCLASS_FILE, NULL,
848 &sbsec->mntpoint_sid);
849 if (rc)
850 goto out;
851 }
852 goto out_set_opts;
853 }
854
c9180a57
EP		 855 /* sets the context of the superblock for the fs being mounted. */
856 if (fscontext_sid) {
275bb41e 857 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 858 if (rc)
c9180a57 859 goto out;
1da177e4 860
c9180a57 861 sbsec->sid = fscontext_sid;
c312feb2
EP		 862 }
863
864 /*
865 * Switch to using mount point labeling behavior.
866 * sets the label used on all file below the mountpoint, and will set
867 * the superblock context if not already set.
868 */
eb9ae686
DQ		 869 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
870 sbsec->behavior = SECURITY_FS_USE_NATIVE;
871 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
872 }
873
c9180a57
EP		 874 if (context_sid) {
875 if (!fscontext_sid) {
275bb41e
DH		 876 rc = may_context_mount_sb_relabel(context_sid, sbsec,
877 cred);
b04ea3ce 878 if (rc)
c9180a57
EP		 879 goto out;
880 sbsec->sid = context_sid;
b04ea3ce 881 } else {
275bb41e
DH		 882 rc = may_context_mount_inode_relabel(context_sid, sbsec,
883 cred);
b04ea3ce 884 if (rc)
c9180a57 885 goto out;
b04ea3ce 886 }
c9180a57
EP		 887 if (!rootcontext_sid)
888 rootcontext_sid = context_sid;
1da177e4 889
c9180a57 890 sbsec->mntpoint_sid = context_sid;
c312feb2 891 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 892 }
893
c9180a57 894 if (rootcontext_sid) {
275bb41e
DH		 895 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
896 cred);
0808925e 897 if (rc)
c9180a57 898 goto out;
0808925e 899
c9180a57 900 root_isec->sid = rootcontext_sid;
6f3be9f5 901 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 902 }
903
c9180a57 904 if (defcontext_sid) {
eb9ae686
DQ		 905 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
906 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 907 rc = -EINVAL;
908 printk(KERN_WARNING "SELinux: defcontext option is "
909 "invalid for this filesystem type\n");
910 goto out;
1da177e4
LT		 911 }
912
c9180a57
EP		 913 if (defcontext_sid != sbsec->def_sid) {
914 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 915 sbsec, cred);
c9180a57
EP		 916 if (rc)
917 goto out;
918 }
1da177e4 919
c9180a57 920 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 921 }
922
aad82892 923out_set_opts:
c9180a57 924 rc = sb_finish_set_opts(sb);
1da177e4 925out:
c9180a57 926 mutex_unlock(&sbsec->lock);
1da177e4 927 return rc;
c9180a57
EP		 928out_double_mount:
929 rc = -EINVAL;
930 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 931 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 932 goto out;
1da177e4
LT		 933}
934
094f7b69
JL		 935static int selinux_cmp_sb_context(const struct super_block *oldsb,
936 const struct super_block *newsb)
937{
938 struct superblock_security_struct *old = oldsb->s_security;
939 struct superblock_security_struct *new = newsb->s_security;
940 char oldflags = old->flags & SE_MNTMASK;
941 char newflags = new->flags & SE_MNTMASK;
942
943 if (oldflags != newflags)
944 goto mismatch;
945 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
946 goto mismatch;
947 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
948 goto mismatch;
949 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
950 goto mismatch;
951 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 952 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
953 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 954 if (oldroot->sid != newroot->sid)
955 goto mismatch;
956 }
957 return 0;
958mismatch:
959 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
960 "different security settings for (dev %s, "
961 "type %s)\n", newsb->s_id, newsb->s_type->name);
962 return -EBUSY;
963}
964
965static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
c9180a57 966 struct super_block *newsb)
1da177e4 967{
c9180a57
EP		 968 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
969 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 970
c9180a57
EP		 971 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
972 int set_context = (oldsbsec->flags & CONTEXT_MNT);
973 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 974
0f5e6420
EP		 975 /*
976 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 977 * mount options. thus we can safely deal with this superblock later
0f5e6420 978 */
e8c26255 979 if (!ss_initialized)
094f7b69 980 return 0;
c9180a57 981
c9180a57 982 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 983 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 984
094f7b69 985 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 986 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 987 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 988
c9180a57
EP		 989 mutex_lock(&newsbsec->lock);
990
991 newsbsec->flags = oldsbsec->flags;
992
993 newsbsec->sid = oldsbsec->sid;
994 newsbsec->def_sid = oldsbsec->def_sid;
995 newsbsec->behavior = oldsbsec->behavior;
996
997 if (set_context) {
998 u32 sid = oldsbsec->mntpoint_sid;
999
1000 if (!set_fscontext)
1001 newsbsec->sid = sid;
1002 if (!set_rootcontext) {
83da53c5 1003 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 1004 newisec->sid = sid;
1005 }
1006 newsbsec->mntpoint_sid = sid;
1da177e4 1007 }
c9180a57 1008 if (set_rootcontext) {
83da53c5
AG		 1009 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1010 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 1011
c9180a57 1012 newisec->sid = oldisec->sid;
1da177e4
LT		 1013 }
1014
c9180a57
EP		 1015 sb_finish_set_opts(newsb);
1016 mutex_unlock(&newsbsec->lock);
094f7b69 1017 return 0;
c9180a57
EP		 1018}
1019
2e1479d9
AB		 1020static int selinux_parse_opts_str(char *options,
1021 struct security_mnt_opts *opts)
c9180a57 1022{
e0007529 1023 char *p;
c9180a57
EP		 1024 char *context = NULL, *defcontext = NULL;
1025 char *fscontext = NULL, *rootcontext = NULL;
e0007529 1026 int rc, num_mnt_opts = 0;
1da177e4 1027
e0007529 1028 opts->num_mnt_opts = 0;
1da177e4 1029
c9180a57
EP		 1030 /* Standard string-based options. */
1031 while ((p = strsep(&options, "|")) != NULL) {
1032 int token;
1033 substring_t args[MAX_OPT_ARGS];
1da177e4 1034
c9180a57
EP		 1035 if (!*p)
1036 continue;
1da177e4 1037
c9180a57 1038 token = match_token(p, tokens, args);
1da177e4 1039
c9180a57
EP		 1040 switch (token) {
1041 case Opt_context:
1042 if (context || defcontext) {
1043 rc = -EINVAL;
1044 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1045 goto out_err;
1046 }
1047 context = match_strdup(&args[0]);
1048 if (!context) {
1049 rc = -ENOMEM;
1050 goto out_err;
1051 }
1052 break;
1053
1054 case Opt_fscontext:
1055 if (fscontext) {
1056 rc = -EINVAL;
1057 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1058 goto out_err;
1059 }
1060 fscontext = match_strdup(&args[0]);
1061 if (!fscontext) {
1062 rc = -ENOMEM;
1063 goto out_err;
1064 }
1065 break;
1066
1067 case Opt_rootcontext:
1068 if (rootcontext) {
1069 rc = -EINVAL;
1070 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1071 goto out_err;
1072 }
1073 rootcontext = match_strdup(&args[0]);
1074 if (!rootcontext) {
1075 rc = -ENOMEM;
1076 goto out_err;
1077 }
1078 break;
1079
1080 case Opt_defcontext:
1081 if (context || defcontext) {
1082 rc = -EINVAL;
1083 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1084 goto out_err;
1085 }
1086 defcontext = match_strdup(&args[0]);
1087 if (!defcontext) {
1088 rc = -ENOMEM;
1089 goto out_err;
1090 }
1091 break;
11689d47
DQ		 1092 case Opt_labelsupport:
1093 break;
c9180a57
EP		 1094 default:
1095 rc = -EINVAL;
1096 printk(KERN_WARNING "SELinux: unknown mount option\n");
1097 goto out_err;
1da177e4 1098
1da177e4 1099 }
1da177e4 1100 }
c9180a57 1101
e0007529 1102 rc = -ENOMEM;
8931c3bd 1103 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
e0007529
EP		 1104 if (!opts->mnt_opts)
1105 goto out_err;
1106
8931c3bd
TH		 1107 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1108 GFP_KERNEL);
e0007529
EP		 1109 if (!opts->mnt_opts_flags) {
1110 kfree(opts->mnt_opts);
1111 goto out_err;
1112 }
1113
c9180a57 1114 if (fscontext) {
e0007529
EP		 1115 opts->mnt_opts[num_mnt_opts] = fscontext;
1116 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1117 }
1118 if (context) {
e0007529
EP		 1119 opts->mnt_opts[num_mnt_opts] = context;
1120 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1121 }
1122 if (rootcontext) {
e0007529
EP		 1123 opts->mnt_opts[num_mnt_opts] = rootcontext;
1124 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1125 }
1126 if (defcontext) {
e0007529
EP		 1127 opts->mnt_opts[num_mnt_opts] = defcontext;
1128 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1129 }
1130
e0007529
EP		 1131 opts->num_mnt_opts = num_mnt_opts;
1132 return 0;
1133
c9180a57
EP		 1134out_err:
1135 kfree(context);
1136 kfree(defcontext);
1137 kfree(fscontext);
1138 kfree(rootcontext);
1da177e4
LT		 1139 return rc;
1140}
e0007529
EP		 1141/*
1142 * string mount options parsing and call set the sbsec
1143 */
1144static int superblock_doinit(struct super_block *sb, void *data)
1145{
1146 int rc = 0;
1147 char *options = data;
1148 struct security_mnt_opts opts;
1149
1150 security_init_mnt_opts(&opts);
1151
1152 if (!data)
1153 goto out;
1154
1155 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1156
1157 rc = selinux_parse_opts_str(options, &opts);
1158 if (rc)
1159 goto out_err;
1160
1161out:
649f6e77 1162 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1163
1164out_err:
1165 security_free_mnt_opts(&opts);
1166 return rc;
1167}
1da177e4 1168
3583a711
AB		 1169static void selinux_write_opts(struct seq_file *m,
1170 struct security_mnt_opts *opts)
2069f457
EP		 1171{
1172 int i;
1173 char *prefix;
1174
1175 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1176 char *has_comma;
1177
1178 if (opts->mnt_opts[i])
1179 has_comma = strchr(opts->mnt_opts[i], ',');
1180 else
1181 has_comma = NULL;
2069f457
EP		 1182
1183 switch (opts->mnt_opts_flags[i]) {
1184 case CONTEXT_MNT:
1185 prefix = CONTEXT_STR;
1186 break;
1187 case FSCONTEXT_MNT:
1188 prefix = FSCONTEXT_STR;
1189 break;
1190 case ROOTCONTEXT_MNT:
1191 prefix = ROOTCONTEXT_STR;
1192 break;
1193 case DEFCONTEXT_MNT:
1194 prefix = DEFCONTEXT_STR;
1195 break;
12f348b9 1196 case SBLABEL_MNT:
11689d47
DQ		 1197 seq_putc(m, ',');
1198 seq_puts(m, LABELSUPP_STR);
1199 continue;
2069f457
EP		 1200 default:
1201 BUG();
a35c6c83 1202 return;
2069f457
EP		 1203 };
1204 /* we need a comma before each option */
1205 seq_putc(m, ',');
1206 seq_puts(m, prefix);
1207 if (has_comma)
1208 seq_putc(m, '\"');
a068acf2 1209 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
2069f457
EP		 1210 if (has_comma)
1211 seq_putc(m, '\"');
1212 }
1213}
1214
1215static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1216{
1217 struct security_mnt_opts opts;
1218 int rc;
1219
1220 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1221 if (rc) {
1222 /* before policy load we may get EINVAL, don't show anything */
1223 if (rc == -EINVAL)
1224 rc = 0;
2069f457 1225 return rc;
383795c2 1226 }
2069f457
EP		 1227
1228 selinux_write_opts(m, &opts);
1229
1230 security_free_mnt_opts(&opts);
1231
1232 return rc;
1233}
1234
1da177e4
LT		 1235static inline u16 inode_mode_to_security_class(umode_t mode)
1236{
1237 switch (mode & S_IFMT) {
1238 case S_IFSOCK:
1239 return SECCLASS_SOCK_FILE;
1240 case S_IFLNK:
1241 return SECCLASS_LNK_FILE;
1242 case S_IFREG:
1243 return SECCLASS_FILE;
1244 case S_IFBLK:
1245 return SECCLASS_BLK_FILE;
1246 case S_IFDIR:
1247 return SECCLASS_DIR;
1248 case S_IFCHR:
1249 return SECCLASS_CHR_FILE;
1250 case S_IFIFO:
1251 return SECCLASS_FIFO_FILE;
1252
1253 }
1254
1255 return SECCLASS_FILE;
1256}
1257
13402580
JM		 1258static inline int default_protocol_stream(int protocol)
1259{
1260 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1261}
1262
1263static inline int default_protocol_dgram(int protocol)
1264{
1265 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1266}
1267
1da177e4
LT		 1268static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1269{
1270 switch (family) {
1271 case PF_UNIX:
1272 switch (type) {
1273 case SOCK_STREAM:
1274 case SOCK_SEQPACKET:
1275 return SECCLASS_UNIX_STREAM_SOCKET;
1276 case SOCK_DGRAM:
1277 return SECCLASS_UNIX_DGRAM_SOCKET;
1278 }
1279 break;
1280 case PF_INET:
1281 case PF_INET6:
1282 switch (type) {
1283 case SOCK_STREAM:
13402580
JM		 1284 if (default_protocol_stream(protocol))
1285 return SECCLASS_TCP_SOCKET;
1286 else
1287 return SECCLASS_RAWIP_SOCKET;
1da177e4 1288 case SOCK_DGRAM:
13402580
JM		 1289 if (default_protocol_dgram(protocol))
1290 return SECCLASS_UDP_SOCKET;
1291 else
1292 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1293 case SOCK_DCCP:
1294 return SECCLASS_DCCP_SOCKET;
13402580 1295 default:
1da177e4
LT		 1296 return SECCLASS_RAWIP_SOCKET;
1297 }
1298 break;
1299 case PF_NETLINK:
1300 switch (protocol) {
1301 case NETLINK_ROUTE:
1302 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1303 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1304 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1305 case NETLINK_NFLOG:
1306 return SECCLASS_NETLINK_NFLOG_SOCKET;
1307 case NETLINK_XFRM:
1308 return SECCLASS_NETLINK_XFRM_SOCKET;
1309 case NETLINK_SELINUX:
1310 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1311 case NETLINK_ISCSI:
1312 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1313 case NETLINK_AUDIT:
1314 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1315 case NETLINK_FIB_LOOKUP:
1316 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1317 case NETLINK_CONNECTOR:
1318 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1319 case NETLINK_NETFILTER:
1320 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1321 case NETLINK_DNRTMSG:
1322 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1323 case NETLINK_KOBJECT_UEVENT:
1324 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1325 case NETLINK_GENERIC:
1326 return SECCLASS_NETLINK_GENERIC_SOCKET;
1327 case NETLINK_SCSITRANSPORT:
1328 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1329 case NETLINK_RDMA:
1330 return SECCLASS_NETLINK_RDMA_SOCKET;
1331 case NETLINK_CRYPTO:
1332 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1333 default:
1334 return SECCLASS_NETLINK_SOCKET;
1335 }
1336 case PF_PACKET:
1337 return SECCLASS_PACKET_SOCKET;
1338 case PF_KEY:
1339 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1340 case PF_APPLETALK:
1341 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1342 }
1343
1344 return SECCLASS_SOCKET;
1345}
1346
134509d5
SS		 1347static int selinux_genfs_get_sid(struct dentry *dentry,
1348 u16 tclass,
1349 u16 flags,
1350 u32 *sid)
1da177e4 1351{
8e6c9693 1352 int rc;
fc64005c 1353 struct super_block *sb = dentry->d_sb;
8e6c9693 1354 char *buffer, *path;
1da177e4 1355
828dfe1d 1356 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1357 if (!buffer)
1358 return -ENOMEM;
1359
8e6c9693
LAG		 1360 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1361 if (IS_ERR(path))
1362 rc = PTR_ERR(path);
1363 else {
134509d5
SS		 1364 if (flags & SE_SBPROC) {
1365 /* each process gets a /proc/PID/ entry. Strip off the
1366 * PID part to get a valid selinux labeling.
1367 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1368 while (path[1] >= '0' && path[1] <= '9') {
1369 path[1] = '/';
1370 path++;
1371 }
8e6c9693 1372 }
134509d5 1373 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1da177e4 1374 }
1da177e4
LT		 1375 free_page((unsigned long)buffer);
1376 return rc;
1377}
1da177e4
LT		 1378
1379/* The inode's security attributes must be initialized before first use. */
1380static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1381{
1382 struct superblock_security_struct *sbsec = NULL;
1383 struct inode_security_struct *isec = inode->i_security;
1384 u32 sid;
1385 struct dentry *dentry;
1386#define INITCONTEXTLEN 255
1387 char *context = NULL;
1388 unsigned len = 0;
1389 int rc = 0;
1da177e4 1390
6f3be9f5 1391 if (isec->initialized == LABEL_INITIALIZED)
1da177e4
LT		 1392 goto out;
1393
23970741 1394 mutex_lock(&isec->lock);
6f3be9f5 1395 if (isec->initialized == LABEL_INITIALIZED)
23970741 1396 goto out_unlock;
1da177e4
LT		 1397
1398 sbsec = inode->i_sb->s_security;
0d90a7ec 1399 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1400 /* Defer initialization until selinux_complete_init,
1401 after the initial policy is loaded and the security
1402 server is ready to handle calls. */
1403 spin_lock(&sbsec->isec_lock);
1404 if (list_empty(&isec->list))
1405 list_add(&isec->list, &sbsec->isec_head);
1406 spin_unlock(&sbsec->isec_lock);
23970741 1407 goto out_unlock;
1da177e4
LT		 1408 }
1409
1410 switch (sbsec->behavior) {
eb9ae686
DQ		 1411 case SECURITY_FS_USE_NATIVE:
1412 break;
1da177e4 1413 case SECURITY_FS_USE_XATTR:
5d6c3191 1414 if (!(inode->i_opflags & IOP_XATTR)) {
1da177e4
LT		 1415 isec->sid = sbsec->def_sid;
1416 break;
1417 }
1da177e4
LT		 1418 /* Need a dentry, since the xattr API requires one.
1419 Life would be simpler if we could just pass the inode. */
1420 if (opt_dentry) {
1421 /* Called from d_instantiate or d_splice_alias. */
1422 dentry = dget(opt_dentry);
1423 } else {
1424 /* Called from selinux_complete_init, try to find a dentry. */
1425 dentry = d_find_alias(inode);
1426 }
1427 if (!dentry) {
df7f54c0
EP		 1428 /*
1429 * this is can be hit on boot when a file is accessed
1430 * before the policy is loaded. When we load policy we
1431 * may find inodes that have no dentry on the
1432 * sbsec->isec_head list. No reason to complain as these
1433 * will get fixed up the next time we go through
1434 * inode_doinit with a dentry, before these inodes could
1435 * be used again by userspace.
1436 */
23970741 1437 goto out_unlock;
1da177e4
LT		 1438 }
1439
1440 len = INITCONTEXTLEN;
4cb912f1 1441 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1442 if (!context) {
1443 rc = -ENOMEM;
1444 dput(dentry);
23970741 1445 goto out_unlock;
1da177e4 1446 }
4cb912f1 1447 context[len] = '\0';
5d6c3191 1448 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4 1449 if (rc == -ERANGE) {
314dabb8
JM		 1450 kfree(context);
1451
1da177e4 1452 /* Need a larger buffer. Query for the right size. */
5d6c3191 1453 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1da177e4
LT		 1454 if (rc < 0) {
1455 dput(dentry);
23970741 1456 goto out_unlock;
1da177e4 1457 }
1da177e4 1458 len = rc;
4cb912f1 1459 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1460 if (!context) {
1461 rc = -ENOMEM;
1462 dput(dentry);
23970741 1463 goto out_unlock;
1da177e4 1464 }
4cb912f1 1465 context[len] = '\0';
5d6c3191 1466 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4
LT		 1467 }
1468 dput(dentry);
1469 if (rc < 0) {
1470 if (rc != -ENODATA) {
744ba35e 1471 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1472 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1473 -rc, inode->i_sb->s_id, inode->i_ino);
1474 kfree(context);
23970741 1475 goto out_unlock;
1da177e4
LT		 1476 }
1477 /* Map ENODATA to the default file SID */
1478 sid = sbsec->def_sid;
1479 rc = 0;
1480 } else {
f5c1d5b2 1481 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1482 sbsec->def_sid,
1483 GFP_NOFS);
1da177e4 1484 if (rc) {
4ba0a8ad
EP		 1485 char *dev = inode->i_sb->s_id;
1486 unsigned long ino = inode->i_ino;
1487
1488 if (rc == -EINVAL) {
1489 if (printk_ratelimit())
1490 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1491 "context=%s. This indicates you may need to relabel the inode or the "
1492 "filesystem in question.\n", ino, dev, context);
1493 } else {
1494 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1495 "returned %d for dev=%s ino=%ld\n",
1496 __func__, context, -rc, dev, ino);
1497 }
1da177e4
LT		 1498 kfree(context);
1499 /* Leave with the unlabeled SID */
1500 rc = 0;
1501 break;
1502 }
1503 }
1504 kfree(context);
1505 isec->sid = sid;
1506 break;
1507 case SECURITY_FS_USE_TASK:
1508 isec->sid = isec->task_sid;
1509 break;
1510 case SECURITY_FS_USE_TRANS:
1511 /* Default to the fs SID. */
1512 isec->sid = sbsec->sid;
1513
1514 /* Try to obtain a transition SID. */
1515 isec->sclass = inode_mode_to_security_class(inode->i_mode);
652bb9b0
EP		 1516 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1517 isec->sclass, NULL, &sid);
1da177e4 1518 if (rc)
23970741 1519 goto out_unlock;
1da177e4
LT		 1520 isec->sid = sid;
1521 break;
c312feb2
EP		 1522 case SECURITY_FS_USE_MNTPOINT:
1523 isec->sid = sbsec->mntpoint_sid;
1524 break;
1da177e4 1525 default:
c312feb2 1526 /* Default to the fs superblock SID. */
1da177e4
LT		 1527 isec->sid = sbsec->sid;
1528
134509d5 1529 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1530 /* We must have a dentry to determine the label on
1531 * procfs inodes */
1532 if (opt_dentry)
1533 /* Called from d_instantiate or
1534 * d_splice_alias. */
1535 dentry = dget(opt_dentry);
1536 else
1537 /* Called from selinux_complete_init, try to
1538 * find a dentry. */
1539 dentry = d_find_alias(inode);
1540 /*
1541 * This can be hit on boot when a file is accessed
1542 * before the policy is loaded. When we load policy we
1543 * may find inodes that have no dentry on the
1544 * sbsec->isec_head list. No reason to complain as
1545 * these will get fixed up the next time we go through
1546 * inode_doinit() with a dentry, before these inodes
1547 * could be used again by userspace.
1548 */
1549 if (!dentry)
1550 goto out_unlock;
1551 isec->sclass = inode_mode_to_security_class(inode->i_mode);
134509d5
SS		 1552 rc = selinux_genfs_get_sid(dentry, isec->sclass,
1553 sbsec->flags, &sid);
f64410ec
PM		 1554 dput(dentry);
1555 if (rc)
1556 goto out_unlock;
1557 isec->sid = sid;
1da177e4
LT		 1558 }
1559 break;
1560 }
1561
6f3be9f5 1562 isec->initialized = LABEL_INITIALIZED;
1da177e4 1563
23970741
EP		 1564out_unlock:
1565 mutex_unlock(&isec->lock);
1da177e4
LT		 1566out:
1567 if (isec->sclass == SECCLASS_FILE)
1568 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1569 return rc;
1570}
1571
1572/* Convert a Linux signal to an access vector. */
1573static inline u32 signal_to_av(int sig)
1574{
1575 u32 perm = 0;
1576
1577 switch (sig) {
1578 case SIGCHLD:
1579 /* Commonly granted from child to parent. */
1580 perm = PROCESS__SIGCHLD;
1581 break;
1582 case SIGKILL:
1583 /* Cannot be caught or ignored */
1584 perm = PROCESS__SIGKILL;
1585 break;
1586 case SIGSTOP:
1587 /* Cannot be caught or ignored */
1588 perm = PROCESS__SIGSTOP;
1589 break;
1590 default:
1591 /* All other signals. */
1592 perm = PROCESS__SIGNAL;
1593 break;
1594 }
1595
1596 return perm;
1597}
1598
d84f4f99
DH		 1599/*
1600 * Check permission between a pair of credentials
1601 * fork check, ptrace check, etc.
1602 */
1603static int cred_has_perm(const struct cred *actor,
1604 const struct cred *target,
1605 u32 perms)
1606{
1607 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1608
1609 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1610}
1611
275bb41e 1612/*
88e67f3b 1613 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1614 * fork check, ptrace check, etc.
1615 * tsk1 is the actor and tsk2 is the target
3b11a1de 1616 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1617 */
1618static int task_has_perm(const struct task_struct *tsk1,
1619 const struct task_struct *tsk2,
1da177e4
LT		 1620 u32 perms)
1621{
275bb41e
DH		 1622 const struct task_security_struct *__tsec1, *__tsec2;
1623 u32 sid1, sid2;
1da177e4 1624
275bb41e
DH		 1625 rcu_read_lock();
1626 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1627 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1628 rcu_read_unlock();
1629 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1630}
1631
3b11a1de
DH		 1632/*
1633 * Check permission between current and another task, e.g. signal checks,
1634 * fork check, ptrace check, etc.
1635 * current is the actor and tsk2 is the target
1636 * - this uses current's subjective creds
1637 */
1638static int current_has_perm(const struct task_struct *tsk,
1639 u32 perms)
1640{
1641 u32 sid, tsid;
1642
1643 sid = current_sid();
1644 tsid = task_sid(tsk);
1645 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1646}
1647
b68e418c
SS		 1648#if CAP_LAST_CAP > 63
1649#error Fix SELinux to handle capabilities > 63.
1650#endif
1651
1da177e4 1652/* Check whether a task is allowed to use a capability. */
6a9de491 1653static int cred_has_capability(const struct cred *cred,
8e4ff6f2 1654 int cap, int audit, bool initns)
1da177e4 1655{
2bf49690 1656 struct common_audit_data ad;
06112163 1657 struct av_decision avd;
b68e418c 1658 u16 sclass;
3699c53c 1659 u32 sid = cred_sid(cred);
b68e418c 1660 u32 av = CAP_TO_MASK(cap);
06112163 1661 int rc;
1da177e4 1662
50c205f5 1663 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1664 ad.u.cap = cap;
1665
b68e418c
SS		 1666 switch (CAP_TO_INDEX(cap)) {
1667 case 0:
8e4ff6f2 1668 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1669 break;
1670 case 1:
8e4ff6f2 1671 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1672 break;
1673 default:
1674 printk(KERN_ERR
1675 "SELinux: out of range capability %d\n", cap);
1676 BUG();
a35c6c83 1677 return -EINVAL;
b68e418c 1678 }
06112163 1679
275bb41e 1680 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1681 if (audit == SECURITY_CAP_AUDIT) {
7b20ea25 1682 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1683 if (rc2)
1684 return rc2;
1685 }
06112163 1686 return rc;
1da177e4
LT		 1687}
1688
1689/* Check whether a task is allowed to use a system operation. */
1690static int task_has_system(struct task_struct *tsk,
1691 u32 perms)
1692{
275bb41e 1693 u32 sid = task_sid(tsk);
1da177e4 1694
275bb41e 1695 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1696 SECCLASS_SYSTEM, perms, NULL);
1697}
1698
1699/* Check whether a task has a particular permission to an inode.
1700 The 'adp' parameter is optional and allows other audit
1701 data to be passed (e.g. the dentry). */
88e67f3b 1702static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1703 struct inode *inode,
1704 u32 perms,
19e49834 1705 struct common_audit_data *adp)
1da177e4 1706{
1da177e4 1707 struct inode_security_struct *isec;
275bb41e 1708 u32 sid;
1da177e4 1709
e0e81739
DH		 1710 validate_creds(cred);
1711
828dfe1d 1712 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1713 return 0;
1714
88e67f3b 1715 sid = cred_sid(cred);
1da177e4
LT		 1716 isec = inode->i_security;
1717
19e49834 1718 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1719}
1720
1721/* Same as inode_has_perm, but pass explicit audit data containing
1722 the dentry to help the auditing code to more easily generate the
1723 pathname if needed. */
88e67f3b 1724static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1725 struct dentry *dentry,
1726 u32 av)
1727{
c6f493d6 1728 struct inode *inode = d_backing_inode(dentry);
2bf49690 1729 struct common_audit_data ad;
88e67f3b 1730
50c205f5 1731 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1732 ad.u.dentry = dentry;
5d226df4 1733 __inode_security_revalidate(inode, dentry, true);
19e49834 1734 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1735}
1736
1737/* Same as inode_has_perm, but pass explicit audit data containing
1738 the path to help the auditing code to more easily generate the
1739 pathname if needed. */
1740static inline int path_has_perm(const struct cred *cred,
3f7036a0 1741 const struct path *path,
2875fa00
EP		 1742 u32 av)
1743{
c6f493d6 1744 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1745 struct common_audit_data ad;
1746
50c205f5 1747 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1748 ad.u.path = *path;
5d226df4 1749 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1750 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1751}
1752
13f8e981
DH		 1753/* Same as path_has_perm, but uses the inode from the file struct. */
1754static inline int file_path_has_perm(const struct cred *cred,
1755 struct file *file,
1756 u32 av)
1757{
1758 struct common_audit_data ad;
1759
43af5de7
VG		 1760 ad.type = LSM_AUDIT_DATA_FILE;
1761 ad.u.file = file;
19e49834 1762 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1763}
1764
1da177e4
LT		 1765/* Check whether a task can use an open file descriptor to
1766 access an inode in a given way. Check access to the
1767 descriptor itself, and then use dentry_has_perm to
1768 check a particular permission to the file.
1769 Access to the descriptor is implicitly granted if it
1770 has the same SID as the process. If av is zero, then
1771 access to the file is not checked, e.g. for cases
1772 where only the descriptor is affected like seek. */
88e67f3b
DH		 1773static int file_has_perm(const struct cred *cred,
1774 struct file *file,
1775 u32 av)
1da177e4 1776{
1da177e4 1777 struct file_security_struct *fsec = file->f_security;
496ad9aa 1778 struct inode *inode = file_inode(file);
2bf49690 1779 struct common_audit_data ad;
88e67f3b 1780 u32 sid = cred_sid(cred);
1da177e4
LT		 1781 int rc;
1782
43af5de7
VG		 1783 ad.type = LSM_AUDIT_DATA_FILE;
1784 ad.u.file = file;
1da177e4 1785
275bb41e
DH		 1786 if (sid != fsec->sid) {
1787 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1788 SECCLASS_FD,
1789 FD__USE,
1790 &ad);
1791 if (rc)
88e67f3b 1792 goto out;
1da177e4
LT		 1793 }
1794
1795 /* av is zero if only checking access to the descriptor. */
88e67f3b 1796 rc = 0;
1da177e4 1797 if (av)
19e49834 1798 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1799
88e67f3b
DH		 1800out:
1801 return rc;
1da177e4
LT		 1802}
1803
c3c188b2
DH		 1804/*
1805 * Determine the label for an inode that might be unioned.
1806 */
c957f6df
VG		 1807static int
1808selinux_determine_inode_label(const struct task_security_struct *tsec,
1809 struct inode *dir,
1810 const struct qstr *name, u16 tclass,
1811 u32 *_new_isid)
c3c188b2
DH		 1812{
1813 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1814
1815 if ((sbsec->flags & SE_SBINITIALIZED) &&
1816 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1817 *_new_isid = sbsec->mntpoint_sid;
1818 } else if ((sbsec->flags & SBLABEL_MNT) &&
1819 tsec->create_sid) {
1820 *_new_isid = tsec->create_sid;
1821 } else {
20cdef8d 1822 const struct inode_security_struct *dsec = inode_security(dir);
c3c188b2
DH		 1823 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1824 name, _new_isid);
1825 }
1826
1827 return 0;
1828}
1829
1da177e4
LT		 1830/* Check whether a task can create a file. */
1831static int may_create(struct inode *dir,
1832 struct dentry *dentry,
1833 u16 tclass)
1834{
5fb49870 1835 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1836 struct inode_security_struct *dsec;
1837 struct superblock_security_struct *sbsec;
275bb41e 1838 u32 sid, newsid;
2bf49690 1839 struct common_audit_data ad;
1da177e4
LT		 1840 int rc;
1841
83da53c5 1842 dsec = inode_security(dir);
1da177e4
LT		 1843 sbsec = dir->i_sb->s_security;
1844
275bb41e 1845 sid = tsec->sid;
275bb41e 1846
50c205f5 1847 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1848 ad.u.dentry = dentry;
1da177e4 1849
275bb41e 1850 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1851 DIR__ADD_NAME | DIR__SEARCH,
1852 &ad);
1853 if (rc)
1854 return rc;
1855
c957f6df
VG		 1856 rc = selinux_determine_inode_label(current_security(), dir,
1857 &dentry->d_name, tclass, &newsid);
c3c188b2
DH		 1858 if (rc)
1859 return rc;
1da177e4 1860
275bb41e 1861 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1862 if (rc)
1863 return rc;
1864
1865 return avc_has_perm(newsid, sbsec->sid,
1866 SECCLASS_FILESYSTEM,
1867 FILESYSTEM__ASSOCIATE, &ad);
1868}
1869
4eb582cf
ML		 1870/* Check whether a task can create a key. */
1871static int may_create_key(u32 ksid,
1872 struct task_struct *ctx)
1873{
275bb41e 1874 u32 sid = task_sid(ctx);
4eb582cf 1875
275bb41e 1876 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1877}
1878
828dfe1d
EP		 1879#define MAY_LINK 0
1880#define MAY_UNLINK 1
1881#define MAY_RMDIR 2
1da177e4
LT		 1882
1883/* Check whether a task can link, unlink, or rmdir a file/directory. */
1884static int may_link(struct inode *dir,
1885 struct dentry *dentry,
1886 int kind)
1887
1888{
1da177e4 1889 struct inode_security_struct *dsec, *isec;
2bf49690 1890 struct common_audit_data ad;
275bb41e 1891 u32 sid = current_sid();
1da177e4
LT		 1892 u32 av;
1893 int rc;
1894
83da53c5
AG		 1895 dsec = inode_security(dir);
1896 isec = backing_inode_security(dentry);
1da177e4 1897
50c205f5 1898 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1899 ad.u.dentry = dentry;
1da177e4
LT		 1900
1901 av = DIR__SEARCH;
1902 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1903 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1904 if (rc)
1905 return rc;
1906
1907 switch (kind) {
1908 case MAY_LINK:
1909 av = FILE__LINK;
1910 break;
1911 case MAY_UNLINK:
1912 av = FILE__UNLINK;
1913 break;
1914 case MAY_RMDIR:
1915 av = DIR__RMDIR;
1916 break;
1917 default:
744ba35e
EP		 1918 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1919 __func__, kind);
1da177e4
LT		 1920 return 0;
1921 }
1922
275bb41e 1923 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1924 return rc;
1925}
1926
1927static inline int may_rename(struct inode *old_dir,
1928 struct dentry *old_dentry,
1929 struct inode *new_dir,
1930 struct dentry *new_dentry)
1931{
1da177e4 1932 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1933 struct common_audit_data ad;
275bb41e 1934 u32 sid = current_sid();
1da177e4
LT		 1935 u32 av;
1936 int old_is_dir, new_is_dir;
1937 int rc;
1938
83da53c5
AG		 1939 old_dsec = inode_security(old_dir);
1940 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1941 old_is_dir = d_is_dir(old_dentry);
83da53c5 1942 new_dsec = inode_security(new_dir);
1da177e4 1943
50c205f5 1944 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1945
a269434d 1946 ad.u.dentry = old_dentry;
275bb41e 1947 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1948 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1949 if (rc)
1950 return rc;
275bb41e 1951 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1952 old_isec->sclass, FILE__RENAME, &ad);
1953 if (rc)
1954 return rc;
1955 if (old_is_dir && new_dir != old_dir) {
275bb41e 1956 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1957 old_isec->sclass, DIR__REPARENT, &ad);
1958 if (rc)
1959 return rc;
1960 }
1961
a269434d 1962 ad.u.dentry = new_dentry;
1da177e4 1963 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1964 if (d_is_positive(new_dentry))
1da177e4 1965 av |= DIR__REMOVE_NAME;
275bb41e 1966 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1967 if (rc)
1968 return rc;
2c616d4d 1969 if (d_is_positive(new_dentry)) {
83da53c5 1970 new_isec = backing_inode_security(new_dentry);
e36cb0b8 1971 new_is_dir = d_is_dir(new_dentry);
275bb41e 1972 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1973 new_isec->sclass,
1974 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1975 if (rc)
1976 return rc;
1977 }
1978
1979 return 0;
1980}
1981
1982/* Check whether a task can perform a filesystem operation. */
88e67f3b 1983static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1984 struct super_block *sb,
1985 u32 perms,
2bf49690 1986 struct common_audit_data *ad)
1da177e4 1987{
1da177e4 1988 struct superblock_security_struct *sbsec;
88e67f3b 1989 u32 sid = cred_sid(cred);
1da177e4 1990
1da177e4 1991 sbsec = sb->s_security;
275bb41e 1992 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1993}
1994
1995/* Convert a Linux mode and permission mask to an access vector. */
1996static inline u32 file_mask_to_av(int mode, int mask)
1997{
1998 u32 av = 0;
1999
dba19c60 2000 if (!S_ISDIR(mode)) {
1da177e4
LT		 2001 if (mask & MAY_EXEC)
2002 av |= FILE__EXECUTE;
2003 if (mask & MAY_READ)
2004 av |= FILE__READ;
2005
2006 if (mask & MAY_APPEND)
2007 av |= FILE__APPEND;
2008 else if (mask & MAY_WRITE)
2009 av |= FILE__WRITE;
2010
2011 } else {
2012 if (mask & MAY_EXEC)
2013 av |= DIR__SEARCH;
2014 if (mask & MAY_WRITE)
2015 av |= DIR__WRITE;
2016 if (mask & MAY_READ)
2017 av |= DIR__READ;
2018 }
2019
2020 return av;
2021}
2022
8b6a5a37
EP		 2023/* Convert a Linux file to an access vector. */
2024static inline u32 file_to_av(struct file *file)
2025{
2026 u32 av = 0;
2027
2028 if (file->f_mode & FMODE_READ)
2029 av |= FILE__READ;
2030 if (file->f_mode & FMODE_WRITE) {
2031 if (file->f_flags & O_APPEND)
2032 av |= FILE__APPEND;
2033 else
2034 av |= FILE__WRITE;
2035 }
2036 if (!av) {
2037 /*
2038 * Special file opened with flags 3 for ioctl-only use.
2039 */
2040 av = FILE__IOCTL;
2041 }
2042
2043 return av;
2044}
2045
b0c636b9 2046/*
8b6a5a37 2047 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2048 * open permission.
2049 */
8b6a5a37 2050static inline u32 open_file_to_av(struct file *file)
b0c636b9 2051{
8b6a5a37 2052 u32 av = file_to_av(file);
b0c636b9 2053
49b7b8de
EP		 2054 if (selinux_policycap_openperm)
2055 av |= FILE__OPEN;
2056
b0c636b9
EP		 2057 return av;
2058}
2059
1da177e4
LT		 2060/* Hook functions begin here. */
2061
79af7307
SS		 2062static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2063{
2064 u32 mysid = current_sid();
2065 u32 mgrsid = task_sid(mgr);
2066
2067 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2068 BINDER__SET_CONTEXT_MGR, NULL);
2069}
2070
2071static int selinux_binder_transaction(struct task_struct *from,
2072 struct task_struct *to)
2073{
2074 u32 mysid = current_sid();
2075 u32 fromsid = task_sid(from);
2076 u32 tosid = task_sid(to);
2077 int rc;
2078
2079 if (mysid != fromsid) {
2080 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2081 BINDER__IMPERSONATE, NULL);
2082 if (rc)
2083 return rc;
2084 }
2085
2086 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2087 NULL);
2088}
2089
2090static int selinux_binder_transfer_binder(struct task_struct *from,
2091 struct task_struct *to)
2092{
2093 u32 fromsid = task_sid(from);
2094 u32 tosid = task_sid(to);
2095
2096 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2097 NULL);
2098}
2099
2100static int selinux_binder_transfer_file(struct task_struct *from,
2101 struct task_struct *to,
2102 struct file *file)
2103{
2104 u32 sid = task_sid(to);
2105 struct file_security_struct *fsec = file->f_security;
83da53c5 2106 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2107 struct inode_security_struct *isec;
79af7307
SS		 2108 struct common_audit_data ad;
2109 int rc;
2110
2111 ad.type = LSM_AUDIT_DATA_PATH;
2112 ad.u.path = file->f_path;
2113
2114 if (sid != fsec->sid) {
2115 rc = avc_has_perm(sid, fsec->sid,
2116 SECCLASS_FD,
2117 FD__USE,
2118 &ad);
2119 if (rc)
2120 return rc;
2121 }
2122
83da53c5 2123 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2124 return 0;
2125
20cdef8d 2126 isec = backing_inode_security(dentry);
79af7307
SS		 2127 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2128 &ad);
2129}
2130
9e48858f 2131static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2132 unsigned int mode)
1da177e4 2133{
69f594a3 2134 if (mode & PTRACE_MODE_READ) {
275bb41e
DH		 2135 u32 sid = current_sid();
2136 u32 csid = task_sid(child);
2137 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 2138 }
2139
3b11a1de 2140 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 2141}
2142
2143static int selinux_ptrace_traceme(struct task_struct *parent)
2144{
5cd9c58f 2145 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 2146}
2147
2148static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2149 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2150{
b1d9e6b0 2151 return current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 2152}
2153
d84f4f99
DH		 2154static int selinux_capset(struct cred *new, const struct cred *old,
2155 const kernel_cap_t *effective,
2156 const kernel_cap_t *inheritable,
2157 const kernel_cap_t *permitted)
1da177e4 2158{
d84f4f99 2159 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 2160}
2161
5626d3e8
JM		 2162/*
2163 * (This comment used to live with the selinux_task_setuid hook,
2164 * which was removed).
2165 *
2166 * Since setuid only affects the current process, and since the SELinux
2167 * controls are not based on the Linux identity attributes, SELinux does not
2168 * need to control this operation. However, SELinux does control the use of
2169 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2170 */
2171
6a9de491
EP		 2172static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2173 int cap, int audit)
1da177e4 2174{
8e4ff6f2 2175 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
1da177e4
LT		 2176}
2177
1da177e4
LT		 2178static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2179{
88e67f3b 2180 const struct cred *cred = current_cred();
1da177e4
LT		 2181 int rc = 0;
2182
2183 if (!sb)
2184 return 0;
2185
2186 switch (cmds) {
828dfe1d
EP		 2187 case Q_SYNC:
2188 case Q_QUOTAON:
2189 case Q_QUOTAOFF:
2190 case Q_SETINFO:
2191 case Q_SETQUOTA:
88e67f3b 2192 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2193 break;
2194 case Q_GETFMT:
2195 case Q_GETINFO:
2196 case Q_GETQUOTA:
88e67f3b 2197 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2198 break;
2199 default:
2200 rc = 0; /* let the kernel handle invalid cmds */
2201 break;
1da177e4
LT		 2202 }
2203 return rc;
2204}
2205
2206static int selinux_quota_on(struct dentry *dentry)
2207{
88e67f3b
DH		 2208 const struct cred *cred = current_cred();
2209
2875fa00 2210 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2211}
2212
12b3052c 2213static int selinux_syslog(int type)
1da177e4
LT		 2214{
2215 int rc;
2216
1da177e4 2217 switch (type) {
d78ca3cd
KC		 2218 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2219 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
828dfe1d
EP		 2220 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2221 break;
d78ca3cd
KC		 2222 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2223 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2224 /* Set level of messages printed to console */
2225 case SYSLOG_ACTION_CONSOLE_LEVEL:
828dfe1d
EP		 2226 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2227 break;
d78ca3cd
KC		 2228 case SYSLOG_ACTION_CLOSE: /* Close log */
2229 case SYSLOG_ACTION_OPEN: /* Open log */
2230 case SYSLOG_ACTION_READ: /* Read from log */
2231 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2232 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
828dfe1d
EP		 2233 default:
2234 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2235 break;
1da177e4
LT		 2236 }
2237 return rc;
2238}
2239
2240/*
2241 * Check that a process has enough memory to allocate a new virtual
2242 * mapping. 0 means there is enough memory for the allocation to
2243 * succeed and -ENOMEM implies there is not.
2244 *
1da177e4
LT		 2245 * Do not audit the selinux permission check, as this is applied to all
2246 * processes that allocate mappings.
2247 */
34b4e4aa 2248static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2249{
2250 int rc, cap_sys_admin = 0;
1da177e4 2251
b1d9e6b0 2252 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
8e4ff6f2 2253 SECURITY_CAP_NOAUDIT, true);
1da177e4
LT		 2254 if (rc == 0)
2255 cap_sys_admin = 1;
2256
b1d9e6b0 2257 return cap_sys_admin;
1da177e4
LT		 2258}
2259
2260/* binprm security operations */
2261
0c6181cb
PM		 2262static u32 ptrace_parent_sid(struct task_struct *task)
2263{
2264 u32 sid = 0;
2265 struct task_struct *tracer;
2266
2267 rcu_read_lock();
2268 tracer = ptrace_parent(task);
2269 if (tracer)
2270 sid = task_sid(tracer);
2271 rcu_read_unlock();
2272
2273 return sid;
2274}
2275
7b0d0b40
SS		 2276static int check_nnp_nosuid(const struct linux_binprm *bprm,
2277 const struct task_security_struct *old_tsec,
2278 const struct task_security_struct *new_tsec)
2279{
2280 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2281 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40
SS		 2282 int rc;
2283
2284 if (!nnp && !nosuid)
2285 return 0; /* neither NNP nor nosuid */
2286
2287 if (new_tsec->sid == old_tsec->sid)
2288 return 0; /* No change in credentials */
2289
2290 /*
2291 * The only transitions we permit under NNP or nosuid
2292 * are transitions to bounded SIDs, i.e. SIDs that are
2293 * guaranteed to only be allowed a subset of the permissions
2294 * of the current SID.
2295 */
2296 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2297 if (rc) {
2298 /*
2299 * On failure, preserve the errno values for NNP vs nosuid.
2300 * NNP: Operation not permitted for caller.
2301 * nosuid: Permission denied to file.
2302 */
2303 if (nnp)
2304 return -EPERM;
2305 else
2306 return -EACCES;
2307 }
2308 return 0;
2309}
2310
a6f76f23 2311static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2312{
a6f76f23
DH		 2313 const struct task_security_struct *old_tsec;
2314 struct task_security_struct *new_tsec;
1da177e4 2315 struct inode_security_struct *isec;
2bf49690 2316 struct common_audit_data ad;
496ad9aa 2317 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2318 int rc;
2319
a6f76f23
DH		 2320 /* SELinux context only depends on initial program or script and not
2321 * the script interpreter */
2322 if (bprm->cred_prepared)
1da177e4
LT		 2323 return 0;
2324
a6f76f23
DH		 2325 old_tsec = current_security();
2326 new_tsec = bprm->cred->security;
83da53c5 2327 isec = inode_security(inode);
1da177e4
LT		 2328
2329 /* Default to the current task SID. */
a6f76f23
DH		 2330 new_tsec->sid = old_tsec->sid;
2331 new_tsec->osid = old_tsec->sid;
1da177e4 2332
28eba5bf 2333 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2334 new_tsec->create_sid = 0;
2335 new_tsec->keycreate_sid = 0;
2336 new_tsec->sockcreate_sid = 0;
1da177e4 2337
a6f76f23
DH		 2338 if (old_tsec->exec_sid) {
2339 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2340 /* Reset exec SID on execve. */
a6f76f23 2341 new_tsec->exec_sid = 0;
259e5e6c 2342
7b0d0b40
SS		 2343 /* Fail on NNP or nosuid if not an allowed transition. */
2344 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2345 if (rc)
2346 return rc;
1da177e4
LT		 2347 } else {
2348 /* Check for a default transition on this program. */
a6f76f23 2349 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2350 SECCLASS_PROCESS, NULL,
2351 &new_tsec->sid);
1da177e4
LT		 2352 if (rc)
2353 return rc;
7b0d0b40
SS		 2354
2355 /*
2356 * Fallback to old SID on NNP or nosuid if not an allowed
2357 * transition.
2358 */
2359 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2360 if (rc)
2361 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2362 }
2363
43af5de7
VG		 2364 ad.type = LSM_AUDIT_DATA_FILE;
2365 ad.u.file = bprm->file;
1da177e4 2366
a6f76f23
DH		 2367 if (new_tsec->sid == old_tsec->sid) {
2368 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2369 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2370 if (rc)
2371 return rc;
2372 } else {
2373 /* Check permissions for the transition. */
a6f76f23 2374 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2375 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2376 if (rc)
2377 return rc;
2378
a6f76f23 2379 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2380 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2381 if (rc)
2382 return rc;
2383
a6f76f23
DH		 2384 /* Check for shared state */
2385 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2386 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2387 SECCLASS_PROCESS, PROCESS__SHARE,
2388 NULL);
2389 if (rc)
2390 return -EPERM;
2391 }
2392
2393 /* Make sure that anyone attempting to ptrace over a task that
2394 * changes its SID has the appropriate permit */
2395 if (bprm->unsafe &
2396 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
0c6181cb 2397 u32 ptsid = ptrace_parent_sid(current);
a6f76f23
DH		 2398 if (ptsid != 0) {
2399 rc = avc_has_perm(ptsid, new_tsec->sid,
2400 SECCLASS_PROCESS,
2401 PROCESS__PTRACE, NULL);
2402 if (rc)
2403 return -EPERM;
2404 }
2405 }
1da177e4 2406
a6f76f23
DH		 2407 /* Clear any possibly unsafe personality bits on exec: */
2408 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2409 }
2410
1da177e4
LT		 2411 return 0;
2412}
2413
828dfe1d 2414static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2415{
5fb49870 2416 const struct task_security_struct *tsec = current_security();
275bb41e 2417 u32 sid, osid;
1da177e4
LT		 2418 int atsecure = 0;
2419
275bb41e
DH		 2420 sid = tsec->sid;
2421 osid = tsec->osid;
2422
2423 if (osid != sid) {
1da177e4
LT		 2424 /* Enable secure mode for SIDs transitions unless
2425 the noatsecure permission is granted between
2426 the two SIDs, i.e. ahp returns 0. */
275bb41e 2427 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2428 SECCLASS_PROCESS,
2429 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2430 }
2431
b1d9e6b0 2432 return !!atsecure;
1da177e4
LT		 2433}
2434
c3c073f8
AV		 2435static int match_file(const void *p, struct file *file, unsigned fd)
2436{
2437 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2438}
2439
1da177e4 2440/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2441static inline void flush_unauthorized_files(const struct cred *cred,
2442 struct files_struct *files)
1da177e4 2443{
1da177e4 2444 struct file *file, *devnull = NULL;
b20c8122 2445 struct tty_struct *tty;
24ec839c 2446 int drop_tty = 0;
c3c073f8 2447 unsigned n;
1da177e4 2448
24ec839c 2449 tty = get_current_tty();
1da177e4 2450 if (tty) {
4a510969 2451 spin_lock(&tty->files_lock);
37dd0bd0 2452 if (!list_empty(&tty->tty_files)) {
d996b62a 2453 struct tty_file_private *file_priv;
37dd0bd0 2454
1da177e4 2455 /* Revalidate access to controlling tty.
13f8e981
DH		 2456 Use file_path_has_perm on the tty path directly
2457 rather than using file_has_perm, as this particular
2458 open file may belong to another process and we are
2459 only interested in the inode-based check here. */
d996b62a
NP		 2460 file_priv = list_first_entry(&tty->tty_files,
2461 struct tty_file_private, list);
2462 file = file_priv->file;
13f8e981 2463 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2464 drop_tty = 1;
1da177e4 2465 }
4a510969 2466 spin_unlock(&tty->files_lock);
452a00d2 2467 tty_kref_put(tty);
1da177e4 2468 }
98a27ba4
EB		 2469 /* Reset controlling tty. */
2470 if (drop_tty)
2471 no_tty();
1da177e4
LT		 2472
2473 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2474 n = iterate_fd(files, 0, match_file, cred);
2475 if (!n) /* none found? */
2476 return;
1da177e4 2477
c3c073f8 2478 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2479 if (IS_ERR(devnull))
2480 devnull = NULL;
2481 /* replace all the matching ones with this */
2482 do {
2483 replace_fd(n - 1, devnull, 0);
2484 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2485 if (devnull)
c3c073f8 2486 fput(devnull);
1da177e4
LT		 2487}
2488
a6f76f23
DH		 2489/*
2490 * Prepare a process for imminent new credential changes due to exec
2491 */
2492static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2493{
a6f76f23
DH		 2494 struct task_security_struct *new_tsec;
2495 struct rlimit *rlim, *initrlim;
2496 int rc, i;
d84f4f99 2497
a6f76f23
DH		 2498 new_tsec = bprm->cred->security;
2499 if (new_tsec->sid == new_tsec->osid)
2500 return;
1da177e4 2501
a6f76f23
DH		 2502 /* Close files for which the new task SID is not authorized. */
2503 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2504
a6f76f23
DH		 2505 /* Always clear parent death signal on SID transitions. */
2506 current->pdeath_signal = 0;
0356357c 2507
a6f76f23
DH		 2508 /* Check whether the new SID can inherit resource limits from the old
2509 * SID. If not, reset all soft limits to the lower of the current
2510 * task's hard limit and the init task's soft limit.
2511 *
2512 * Note that the setting of hard limits (even to lower them) can be
2513 * controlled by the setrlimit check. The inclusion of the init task's
2514 * soft limit into the computation is to avoid resetting soft limits
2515 * higher than the default soft limit for cases where the default is
2516 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2517 */
2518 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2519 PROCESS__RLIMITINH, NULL);
2520 if (rc) {
eb2d55a3
ON		 2521 /* protect against do_prlimit() */
2522 task_lock(current);
a6f76f23
DH		 2523 for (i = 0; i < RLIM_NLIMITS; i++) {
2524 rlim = current->signal->rlim + i;
2525 initrlim = init_task.signal->rlim + i;
2526 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2527 }
eb2d55a3
ON		 2528 task_unlock(current);
2529 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2530 }
2531}
2532
2533/*
a6f76f23
DH		 2534 * Clean up the process immediately after the installation of new credentials
2535 * due to exec
1da177e4 2536 */
a6f76f23 2537static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2538{
a6f76f23 2539 const struct task_security_struct *tsec = current_security();
1da177e4 2540 struct itimerval itimer;
a6f76f23 2541 u32 osid, sid;
1da177e4
LT		 2542 int rc, i;
2543
a6f76f23
DH		 2544 osid = tsec->osid;
2545 sid = tsec->sid;
2546
2547 if (sid == osid)
1da177e4
LT		 2548 return;
2549
a6f76f23
DH		 2550 /* Check whether the new SID can inherit signal state from the old SID.
2551 * If not, clear itimers to avoid subsequent signal generation and
2552 * flush and unblock signals.
2553 *
2554 * This must occur _after_ the task SID has been updated so that any
2555 * kill done after the flush will be checked against the new SID.
2556 */
2557 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4
LT		 2558 if (rc) {
2559 memset(&itimer, 0, sizeof itimer);
2560 for (i = 0; i < 3; i++)
2561 do_setitimer(i, &itimer, NULL);
1da177e4 2562 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2563 if (!fatal_signal_pending(current)) {
2564 flush_sigqueue(&current->pending);
2565 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2566 flush_signal_handlers(current, 1);
2567 sigemptyset(&current->blocked);
9e7c8f8c 2568 recalc_sigpending();
3bcac026 2569 }
1da177e4
LT		 2570 spin_unlock_irq(&current->sighand->siglock);
2571 }
2572
a6f76f23
DH		 2573 /* Wake up the parent if it is waiting so that it can recheck
2574 * wait permission to the new task SID. */
ecd6de3c 2575 read_lock(&tasklist_lock);
0b7570e7 2576 __wake_up_parent(current, current->real_parent);
ecd6de3c 2577 read_unlock(&tasklist_lock);
1da177e4
LT		 2578}
2579
2580/* superblock security operations */
2581
2582static int selinux_sb_alloc_security(struct super_block *sb)
2583{
2584 return superblock_alloc_security(sb);
2585}
2586
2587static void selinux_sb_free_security(struct super_block *sb)
2588{
2589 superblock_free_security(sb);
2590}
2591
2592static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2593{
2594 if (plen > olen)
2595 return 0;
2596
2597 return !memcmp(prefix, option, plen);
2598}
2599
2600static inline int selinux_option(char *option, int len)
2601{
832cbd9a
EP		 2602 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2603 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2604 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2605 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2606 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2607}
2608
2609static inline void take_option(char **to, char *from, int *first, int len)
2610{
2611 if (!*first) {
2612 **to = ',';
2613 *to += 1;
3528a953 2614 } else
1da177e4
LT		 2615 *first = 0;
2616 memcpy(*to, from, len);
2617 *to += len;
2618}
2619
828dfe1d
EP		 2620static inline void take_selinux_option(char **to, char *from, int *first,
2621 int len)
3528a953
CO		 2622{
2623 int current_size = 0;
2624
2625 if (!*first) {
2626 **to = '|';
2627 *to += 1;
828dfe1d 2628 } else
3528a953
CO		 2629 *first = 0;
2630
2631 while (current_size < len) {
2632 if (*from != '"') {
2633 **to = *from;
2634 *to += 1;
2635 }
2636 from += 1;
2637 current_size += 1;
2638 }
2639}
2640
e0007529 2641static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2642{
2643 int fnosec, fsec, rc = 0;
2644 char *in_save, *in_curr, *in_end;
2645 char *sec_curr, *nosec_save, *nosec;
3528a953 2646 int open_quote = 0;
1da177e4
LT		 2647
2648 in_curr = orig;
2649 sec_curr = copy;
2650
1da177e4
LT		 2651 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2652 if (!nosec) {
2653 rc = -ENOMEM;
2654 goto out;
2655 }
2656
2657 nosec_save = nosec;
2658 fnosec = fsec = 1;
2659 in_save = in_end = orig;
2660
2661 do {
3528a953
CO		 2662 if (*in_end == '"')
2663 open_quote = !open_quote;
2664 if ((*in_end == ',' && open_quote == 0) ||
2665 *in_end == '\0') {
1da177e4
LT		 2666 int len = in_end - in_curr;
2667
2668 if (selinux_option(in_curr, len))
3528a953 2669 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2670 else
2671 take_option(&nosec, in_curr, &fnosec, len);
2672
2673 in_curr = in_end + 1;
2674 }
2675 } while (*in_end++);
2676
6931dfc9 2677 strcpy(in_save, nosec_save);
da3caa20 2678 free_page((unsigned long)nosec_save);
1da177e4
LT		 2679out:
2680 return rc;
2681}
2682
026eb167
EP		 2683static int selinux_sb_remount(struct super_block *sb, void *data)
2684{
2685 int rc, i, *flags;
2686 struct security_mnt_opts opts;
2687 char *secdata, **mount_options;
2688 struct superblock_security_struct *sbsec = sb->s_security;
2689
2690 if (!(sbsec->flags & SE_SBINITIALIZED))
2691 return 0;
2692
2693 if (!data)
2694 return 0;
2695
2696 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2697 return 0;
2698
2699 security_init_mnt_opts(&opts);
2700 secdata = alloc_secdata();
2701 if (!secdata)
2702 return -ENOMEM;
2703 rc = selinux_sb_copy_data(data, secdata);
2704 if (rc)
2705 goto out_free_secdata;
2706
2707 rc = selinux_parse_opts_str(secdata, &opts);
2708 if (rc)
2709 goto out_free_secdata;
2710
2711 mount_options = opts.mnt_opts;
2712 flags = opts.mnt_opts_flags;
2713
2714 for (i = 0; i < opts.num_mnt_opts; i++) {
2715 u32 sid;
026eb167 2716
12f348b9 2717 if (flags[i] == SBLABEL_MNT)
026eb167 2718 continue;
44be2f65 2719 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
026eb167 2720 if (rc) {
44be2f65 2721 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 2722 "(%s) failed for (dev %s, type %s) errno=%d\n",
2723 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2724 goto out_free_opts;
2725 }
2726 rc = -EINVAL;
2727 switch (flags[i]) {
2728 case FSCONTEXT_MNT:
2729 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2730 goto out_bad_option;
2731 break;
2732 case CONTEXT_MNT:
2733 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2734 goto out_bad_option;
2735 break;
2736 case ROOTCONTEXT_MNT: {
2737 struct inode_security_struct *root_isec;
83da53c5 2738 root_isec = backing_inode_security(sb->s_root);
026eb167
EP		 2739
2740 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2741 goto out_bad_option;
2742 break;
2743 }
2744 case DEFCONTEXT_MNT:
2745 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2746 goto out_bad_option;
2747 break;
2748 default:
2749 goto out_free_opts;
2750 }
2751 }
2752
2753 rc = 0;
2754out_free_opts:
2755 security_free_mnt_opts(&opts);
2756out_free_secdata:
2757 free_secdata(secdata);
2758 return rc;
2759out_bad_option:
2760 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2761 "during remount (dev %s, type=%s)\n", sb->s_id,
2762 sb->s_type->name);
026eb167
EP		 2763 goto out_free_opts;
2764}
2765
12204e24 2766static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2767{
88e67f3b 2768 const struct cred *cred = current_cred();
2bf49690 2769 struct common_audit_data ad;
1da177e4
LT		 2770 int rc;
2771
2772 rc = superblock_doinit(sb, data);
2773 if (rc)
2774 return rc;
2775
74192246
JM		 2776 /* Allow all mounts performed by the kernel */
2777 if (flags & MS_KERNMOUNT)
2778 return 0;
2779
50c205f5 2780 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2781 ad.u.dentry = sb->s_root;
88e67f3b 2782 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2783}
2784
726c3342 2785static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2786{
88e67f3b 2787 const struct cred *cred = current_cred();
2bf49690 2788 struct common_audit_data ad;
1da177e4 2789
50c205f5 2790 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2791 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2792 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2793}
2794
808d4e3c 2795static int selinux_mount(const char *dev_name,
8a04c43b 2796 const struct path *path,
808d4e3c 2797 const char *type,
828dfe1d
EP		 2798 unsigned long flags,
2799 void *data)
1da177e4 2800{
88e67f3b 2801 const struct cred *cred = current_cred();
1da177e4
LT		 2802
2803 if (flags & MS_REMOUNT)
d8c9584e 2804 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2805 FILESYSTEM__REMOUNT, NULL);
1da177e4 2806 else
2875fa00 2807 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2808}
2809
2810static int selinux_umount(struct vfsmount *mnt, int flags)
2811{
88e67f3b 2812 const struct cred *cred = current_cred();
1da177e4 2813
88e67f3b 2814 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2815 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2816}
2817
2818/* inode security operations */
2819
2820static int selinux_inode_alloc_security(struct inode *inode)
2821{
2822 return inode_alloc_security(inode);
2823}
2824
2825static void selinux_inode_free_security(struct inode *inode)
2826{
2827 inode_free_security(inode);
2828}
2829
d47be3df 2830static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2831 const struct qstr *name, void **ctx,
d47be3df
DQ		 2832 u32 *ctxlen)
2833{
d47be3df
DQ		 2834 u32 newsid;
2835 int rc;
2836
c957f6df
VG		 2837 rc = selinux_determine_inode_label(current_security(),
2838 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2839 inode_mode_to_security_class(mode),
2840 &newsid);
2841 if (rc)
2842 return rc;
d47be3df
DQ		 2843
2844 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2845}
2846
a518b0a5
VG		 2847static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2848 struct qstr *name,
2849 const struct cred *old,
2850 struct cred *new)
2851{
2852 u32 newsid;
2853 int rc;
2854 struct task_security_struct *tsec;
2855
2856 rc = selinux_determine_inode_label(old->security,
2857 d_inode(dentry->d_parent), name,
2858 inode_mode_to_security_class(mode),
2859 &newsid);
2860 if (rc)
2861 return rc;
2862
2863 tsec = new->security;
2864 tsec->create_sid = newsid;
2865 return 0;
2866}
2867
5e41ff9e 2868static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2869 const struct qstr *qstr,
2870 const char **name,
2a7dba39 2871 void **value, size_t *len)
5e41ff9e 2872{
5fb49870 2873 const struct task_security_struct *tsec = current_security();
5e41ff9e 2874 struct superblock_security_struct *sbsec;
275bb41e 2875 u32 sid, newsid, clen;
5e41ff9e 2876 int rc;
9548906b 2877 char *context;
5e41ff9e 2878
5e41ff9e 2879 sbsec = dir->i_sb->s_security;
5e41ff9e 2880
275bb41e
DH		 2881 sid = tsec->sid;
2882 newsid = tsec->create_sid;
2883
c957f6df 2884 rc = selinux_determine_inode_label(current_security(),
c3c188b2
DH		 2885 dir, qstr,
2886 inode_mode_to_security_class(inode->i_mode),
2887 &newsid);
2888 if (rc)
2889 return rc;
5e41ff9e 2890
296fddf7 2891 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2892 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2893 struct inode_security_struct *isec = inode->i_security;
2894 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2895 isec->sid = newsid;
6f3be9f5 2896 isec->initialized = LABEL_INITIALIZED;
296fddf7 2897 }
5e41ff9e 2898
12f348b9 2899 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2900 return -EOPNOTSUPP;
2901
9548906b
TH		 2902 if (name)
2903 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2904
570bc1c2 2905 if (value && len) {
12b29f34 2906 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 2907 if (rc)
570bc1c2 2908 return rc;
570bc1c2
SS		 2909 *value = context;
2910 *len = clen;
5e41ff9e 2911 }
5e41ff9e 2912
5e41ff9e
SS		 2913 return 0;
2914}
2915
4acdaf27 2916static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2917{
2918 return may_create(dir, dentry, SECCLASS_FILE);
2919}
2920
1da177e4
LT		 2921static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2922{
1da177e4
LT		 2923 return may_link(dir, old_dentry, MAY_LINK);
2924}
2925
1da177e4
LT		 2926static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2927{
1da177e4
LT		 2928 return may_link(dir, dentry, MAY_UNLINK);
2929}
2930
2931static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2932{
2933 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2934}
2935
18bb1db3 2936static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2937{
2938 return may_create(dir, dentry, SECCLASS_DIR);
2939}
2940
1da177e4
LT		 2941static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2942{
2943 return may_link(dir, dentry, MAY_RMDIR);
2944}
2945
1a67aafb 2946static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2947{
1da177e4
LT		 2948 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2949}
2950
1da177e4 2951static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2952 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2953{
2954 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2955}
2956
1da177e4
LT		 2957static int selinux_inode_readlink(struct dentry *dentry)
2958{
88e67f3b
DH		 2959 const struct cred *cred = current_cred();
2960
2875fa00 2961 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2962}
2963
bda0be7a
N		 2964static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2965 bool rcu)
1da177e4 2966{
88e67f3b 2967 const struct cred *cred = current_cred();
bda0be7a
N		 2968 struct common_audit_data ad;
2969 struct inode_security_struct *isec;
2970 u32 sid;
1da177e4 2971
bda0be7a
N		 2972 validate_creds(cred);
2973
2974 ad.type = LSM_AUDIT_DATA_DENTRY;
2975 ad.u.dentry = dentry;
2976 sid = cred_sid(cred);
5d226df4
AG		 2977 isec = inode_security_rcu(inode, rcu);
2978 if (IS_ERR(isec))
2979 return PTR_ERR(isec);
bda0be7a
N		 2980
2981 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2982 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 2983}
2984
d4cf970d
EP		 2985static noinline int audit_inode_permission(struct inode *inode,
2986 u32 perms, u32 audited, u32 denied,
626b9740 2987 int result,
d4cf970d 2988 unsigned flags)
1da177e4 2989{
b782e0a6 2990 struct common_audit_data ad;
d4cf970d
EP		 2991 struct inode_security_struct *isec = inode->i_security;
2992 int rc;
2993
50c205f5 2994 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 2995 ad.u.inode = inode;
2996
2997 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
626b9740 2998 audited, denied, result, &ad, flags);
d4cf970d
EP		 2999 if (rc)
3000 return rc;
3001 return 0;
3002}
3003
e74f71eb 3004static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 3005{
88e67f3b 3006 const struct cred *cred = current_cred();
b782e0a6
EP		 3007 u32 perms;
3008 bool from_access;
cf1dd1da 3009 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 3010 struct inode_security_struct *isec;
3011 u32 sid;
3012 struct av_decision avd;
3013 int rc, rc2;
3014 u32 audited, denied;
1da177e4 3015
b782e0a6 3016 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3017 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3018
b782e0a6
EP		 3019 /* No permission to check. Existence test. */
3020 if (!mask)
1da177e4 3021 return 0;
1da177e4 3022
2e334057 3023 validate_creds(cred);
b782e0a6 3024
2e334057
EP		 3025 if (unlikely(IS_PRIVATE(inode)))
3026 return 0;
b782e0a6
EP		 3027
3028 perms = file_mask_to_av(inode->i_mode, mask);
3029
2e334057 3030 sid = cred_sid(cred);
5d226df4
AG		 3031 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3032 if (IS_ERR(isec))
3033 return PTR_ERR(isec);
2e334057
EP		 3034
3035 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3036 audited = avc_audit_required(perms, &avd, rc,
3037 from_access ? FILE__AUDIT_ACCESS : 0,
3038 &denied);
3039 if (likely(!audited))
3040 return rc;
3041
626b9740 3042 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 3043 if (rc2)
3044 return rc2;
3045 return rc;
1da177e4
LT		 3046}
3047
3048static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3049{
88e67f3b 3050 const struct cred *cred = current_cred();
bc6a6008 3051 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3052 __u32 av = FILE__WRITE;
1da177e4 3053
bc6a6008
AW		 3054 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3055 if (ia_valid & ATTR_FORCE) {
3056 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3057 ATTR_FORCE);
3058 if (!ia_valid)
3059 return 0;
3060 }
1da177e4 3061
bc6a6008
AW		 3062 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3063 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3064 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3065
44d37ad3
JVS		 3066 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
3067 && !(ia_valid & ATTR_FILE))
95dbf739
EP		 3068 av |= FILE__OPEN;
3069
3070 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3071}
3072
3f7036a0 3073static int selinux_inode_getattr(const struct path *path)
1da177e4 3074{
3f7036a0 3075 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3076}
3077
8f0cfa52 3078static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 3079{
88e67f3b
DH		 3080 const struct cred *cred = current_cred();
3081
b5376771
SH		 3082 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3083 sizeof XATTR_SECURITY_PREFIX - 1)) {
3084 if (!strcmp(name, XATTR_NAME_CAPS)) {
3085 if (!capable(CAP_SETFCAP))
3086 return -EPERM;
3087 } else if (!capable(CAP_SYS_ADMIN)) {
3088 /* A different attribute in the security namespace.
3089 Restrict to administrator. */
3090 return -EPERM;
3091 }
3092 }
3093
3094 /* Not an attribute we recognize, so just check the
3095 ordinary setattr permission. */
2875fa00 3096 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 3097}
3098
8f0cfa52
DH		 3099static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3100 const void *value, size_t size, int flags)
1da177e4 3101{
c6f493d6 3102 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3103 struct inode_security_struct *isec;
1da177e4 3104 struct superblock_security_struct *sbsec;
2bf49690 3105 struct common_audit_data ad;
275bb41e 3106 u32 newsid, sid = current_sid();
1da177e4
LT		 3107 int rc = 0;
3108
b5376771
SH		 3109 if (strcmp(name, XATTR_NAME_SELINUX))
3110 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3111
3112 sbsec = inode->i_sb->s_security;
12f348b9 3113 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3114 return -EOPNOTSUPP;
3115
2e149670 3116 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3117 return -EPERM;
3118
50c205f5 3119 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3120 ad.u.dentry = dentry;
1da177e4 3121
20cdef8d 3122 isec = backing_inode_security(dentry);
275bb41e 3123 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 3124 FILE__RELABELFROM, &ad);
3125 if (rc)
3126 return rc;
3127
52a4c640 3128 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
12b29f34 3129 if (rc == -EINVAL) {
d6ea83ec
EP		 3130 if (!capable(CAP_MAC_ADMIN)) {
3131 struct audit_buffer *ab;
3132 size_t audit_size;
3133 const char *str;
3134
3135 /* We strip a nul only if it is at the end, otherwise the
3136 * context contains a nul and we should audit that */
e3fea3f7
AV		 3137 if (value) {
3138 str = value;
3139 if (str[size - 1] == '\0')
3140 audit_size = size - 1;
3141 else
3142 audit_size = size;
3143 } else {
3144 str = "";
3145 audit_size = 0;
3146 }
d6ea83ec
EP		 3147 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3148 audit_log_format(ab, "op=setxattr invalid_context=");
3149 audit_log_n_untrustedstring(ab, value, audit_size);
3150 audit_log_end(ab);
3151
12b29f34 3152 return rc;
d6ea83ec 3153 }
12b29f34
SS		 3154 rc = security_context_to_sid_force(value, size, &newsid);
3155 }
1da177e4
LT		 3156 if (rc)
3157 return rc;
3158
275bb41e 3159 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3160 FILE__RELABELTO, &ad);
3161 if (rc)
3162 return rc;
3163
275bb41e 3164 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 3165 isec->sclass);
1da177e4
LT		 3166 if (rc)
3167 return rc;
3168
3169 return avc_has_perm(newsid,
3170 sbsec->sid,
3171 SECCLASS_FILESYSTEM,
3172 FILESYSTEM__ASSOCIATE,
3173 &ad);
3174}
3175
8f0cfa52 3176static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3177 const void *value, size_t size,
8f0cfa52 3178 int flags)
1da177e4 3179{
c6f493d6 3180 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3181 struct inode_security_struct *isec;
1da177e4
LT		 3182 u32 newsid;
3183 int rc;
3184
3185 if (strcmp(name, XATTR_NAME_SELINUX)) {
3186 /* Not an attribute we recognize, so nothing to do. */
3187 return;
3188 }
3189
12b29f34 3190 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 3191 if (rc) {
12b29f34
SS		 3192 printk(KERN_ERR "SELinux: unable to map context to SID"
3193 "for (%s, %lu), rc=%d\n",
3194 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3195 return;
3196 }
3197
20cdef8d 3198 isec = backing_inode_security(dentry);
aa9c2669 3199 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3200 isec->sid = newsid;
6f3be9f5 3201 isec->initialized = LABEL_INITIALIZED;
aa9c2669 3202
1da177e4
LT		 3203 return;
3204}
3205
8f0cfa52 3206static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3207{
88e67f3b
DH		 3208 const struct cred *cred = current_cred();
3209
2875fa00 3210 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3211}
3212
828dfe1d 3213static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3214{
88e67f3b
DH		 3215 const struct cred *cred = current_cred();
3216
2875fa00 3217 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3218}
3219
8f0cfa52 3220static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3221{
b5376771
SH		 3222 if (strcmp(name, XATTR_NAME_SELINUX))
3223 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3224
3225 /* No one is allowed to remove a SELinux security label.
3226 You can change the label, but all data must be labeled. */
3227 return -EACCES;
3228}
3229
d381d8a9 3230/*
abc69bb6 3231 * Copy the inode security context value to the user.
d381d8a9
JM		 3232 *
3233 * Permission check is handled by selinux_inode_getxattr hook.
3234 */
ea861dfd 3235static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3236{
42492594
DQ		 3237 u32 size;
3238 int error;
3239 char *context = NULL;
20cdef8d 3240 struct inode_security_struct *isec;
d381d8a9 3241
8c8570fb
DK		 3242 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3243 return -EOPNOTSUPP;
d381d8a9 3244
abc69bb6
SS		 3245 /*
3246 * If the caller has CAP_MAC_ADMIN, then get the raw context
3247 * value even if it is not defined by current policy; otherwise,
3248 * use the in-core value under current policy.
3249 * Use the non-auditing forms of the permission checks since
3250 * getxattr may be called by unprivileged processes commonly
3251 * and lack of permission just means that we fall back to the
3252 * in-core context value, not a denial.
3253 */
b1d9e6b0
CS		 3254 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3255 SECURITY_CAP_NOAUDIT);
3256 if (!error)
3257 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
8e4ff6f2 3258 SECURITY_CAP_NOAUDIT, true);
20cdef8d 3259 isec = inode_security(inode);
abc69bb6
SS		 3260 if (!error)
3261 error = security_sid_to_context_force(isec->sid, &context,
3262 &size);
3263 else
3264 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3265 if (error)
3266 return error;
3267 error = size;
3268 if (alloc) {
3269 *buffer = context;
3270 goto out_nofree;
3271 }
3272 kfree(context);
3273out_nofree:
3274 return error;
1da177e4
LT		 3275}
3276
3277static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3278 const void *value, size_t size, int flags)
1da177e4 3279{
2c97165b 3280 struct inode_security_struct *isec = inode_security_novalidate(inode);
1da177e4
LT		 3281 u32 newsid;
3282 int rc;
3283
3284 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3285 return -EOPNOTSUPP;
3286
3287 if (!value || !size)
3288 return -EACCES;
3289
20ba96ae 3290 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
1da177e4
LT		 3291 if (rc)
3292 return rc;
3293
aa9c2669 3294 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3295 isec->sid = newsid;
6f3be9f5 3296 isec->initialized = LABEL_INITIALIZED;
1da177e4
LT		 3297 return 0;
3298}
3299
3300static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3301{
3302 const int len = sizeof(XATTR_NAME_SELINUX);
3303 if (buffer && len <= buffer_size)
3304 memcpy(buffer, XATTR_NAME_SELINUX, len);
3305 return len;
3306}
3307
d6335d77 3308static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3309{
e817c2f3 3310 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3311 *secid = isec->sid;
3312}
3313
56909eb3
VG		 3314static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3315{
3316 u32 sid;
3317 struct task_security_struct *tsec;
3318 struct cred *new_creds = *new;
3319
3320 if (new_creds == NULL) {
3321 new_creds = prepare_creds();
3322 if (!new_creds)
3323 return -ENOMEM;
3324 }
3325
3326 tsec = new_creds->security;
3327 /* Get label from overlay inode and set it in create_sid */
3328 selinux_inode_getsecid(d_inode(src), &sid);
3329 tsec->create_sid = sid;
3330 *new = new_creds;
3331 return 0;
3332}
3333
19472b69
VG		 3334static int selinux_inode_copy_up_xattr(const char *name)
3335{
3336 /* The copy_up hook above sets the initial context on an inode, but we
3337 * don't then want to overwrite it by blindly copying all the lower
3338 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3339 */
3340 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3341 return 1; /* Discard */
3342 /*
3343 * Any other attribute apart from SELINUX is not claimed, supported
3344 * by selinux.
3345 */
3346 return -EOPNOTSUPP;
3347}
3348
1da177e4
LT		 3349/* file security operations */
3350
788e7dd4 3351static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3352{
88e67f3b 3353 const struct cred *cred = current_cred();
496ad9aa 3354 struct inode *inode = file_inode(file);
1da177e4 3355
1da177e4
LT		 3356 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3357 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3358 mask |= MAY_APPEND;
3359
389fb800
PM		 3360 return file_has_perm(cred, file,
3361 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3362}
3363
788e7dd4
YN		 3364static int selinux_file_permission(struct file *file, int mask)
3365{
496ad9aa 3366 struct inode *inode = file_inode(file);
20dda18b 3367 struct file_security_struct *fsec = file->f_security;
b197367e 3368 struct inode_security_struct *isec;
20dda18b
SS		 3369 u32 sid = current_sid();
3370
389fb800 3371 if (!mask)
788e7dd4
YN		 3372 /* No permission to check. Existence test. */
3373 return 0;
788e7dd4 3374
b197367e 3375 isec = inode_security(inode);
20dda18b
SS		 3376 if (sid == fsec->sid && fsec->isid == isec->sid &&
3377 fsec->pseqno == avc_policy_seqno())
83d49856 3378 /* No change since file_open check. */
20dda18b
SS		 3379 return 0;
3380
788e7dd4
YN		 3381 return selinux_revalidate_file_permission(file, mask);
3382}
3383
1da177e4
LT		 3384static int selinux_file_alloc_security(struct file *file)
3385{
3386 return file_alloc_security(file);
3387}
3388
3389static void selinux_file_free_security(struct file *file)
3390{
3391 file_free_security(file);
3392}
3393
fa1aa143
JVS		 3394/*
3395 * Check whether a task has the ioctl permission and cmd
3396 * operation to an inode.
3397 */
1d2a168a 3398static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3399 u32 requested, u16 cmd)
3400{
3401 struct common_audit_data ad;
3402 struct file_security_struct *fsec = file->f_security;
3403 struct inode *inode = file_inode(file);
20cdef8d 3404 struct inode_security_struct *isec;
fa1aa143
JVS		 3405 struct lsm_ioctlop_audit ioctl;
3406 u32 ssid = cred_sid(cred);
3407 int rc;
3408 u8 driver = cmd >> 8;
3409 u8 xperm = cmd & 0xff;
3410
3411 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3412 ad.u.op = &ioctl;
3413 ad.u.op->cmd = cmd;
3414 ad.u.op->path = file->f_path;
3415
3416 if (ssid != fsec->sid) {
3417 rc = avc_has_perm(ssid, fsec->sid,
3418 SECCLASS_FD,
3419 FD__USE,
3420 &ad);
3421 if (rc)
3422 goto out;
3423 }
3424
3425 if (unlikely(IS_PRIVATE(inode)))
3426 return 0;
3427
20cdef8d 3428 isec = inode_security(inode);
fa1aa143
JVS		 3429 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3430 requested, driver, xperm, &ad);
3431out:
3432 return rc;
3433}
3434
1da177e4
LT		 3435static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3436 unsigned long arg)
3437{
88e67f3b 3438 const struct cred *cred = current_cred();
0b24dcb7 3439 int error = 0;
1da177e4 3440
0b24dcb7
EP		 3441 switch (cmd) {
3442 case FIONREAD:
3443 /* fall through */
3444 case FIBMAP:
3445 /* fall through */
3446 case FIGETBSZ:
3447 /* fall through */
2f99c369 3448 case FS_IOC_GETFLAGS:
0b24dcb7 3449 /* fall through */
2f99c369 3450 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3451 error = file_has_perm(cred, file, FILE__GETATTR);
3452 break;
1da177e4 3453
2f99c369 3454 case FS_IOC_SETFLAGS:
0b24dcb7 3455 /* fall through */
2f99c369 3456 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3457 error = file_has_perm(cred, file, FILE__SETATTR);
3458 break;
3459
3460 /* sys_ioctl() checks */
3461 case FIONBIO:
3462 /* fall through */
3463 case FIOASYNC:
3464 error = file_has_perm(cred, file, 0);
3465 break;
1da177e4 3466
0b24dcb7
EP		 3467 case KDSKBENT:
3468 case KDSKBSENT:
6a9de491 3469 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
8e4ff6f2 3470 SECURITY_CAP_AUDIT, true);
0b24dcb7
EP		 3471 break;
3472
3473 /* default case assumes that the command will go
3474 * to the file's ioctl() function.
3475 */
3476 default:
fa1aa143 3477 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3478 }
3479 return error;
1da177e4
LT		 3480}
3481
fcaaade1
SS		 3482static int default_noexec;
3483
1da177e4
LT		 3484static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3485{
88e67f3b 3486 const struct cred *cred = current_cred();
d84f4f99 3487 int rc = 0;
88e67f3b 3488
fcaaade1 3489 if (default_noexec &&
892e8cac
SS		 3490 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3491 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3492 /*
3493 * We are making executable an anonymous mapping or a
3494 * private file mapping that will also be writable.
3495 * This has an additional check.
3496 */
d84f4f99 3497 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 3498 if (rc)
d84f4f99 3499 goto error;
1da177e4 3500 }
1da177e4
LT		 3501
3502 if (file) {
3503 /* read access is always possible with a mapping */
3504 u32 av = FILE__READ;
3505
3506 /* write access only matters if the mapping is shared */
3507 if (shared && (prot & PROT_WRITE))
3508 av |= FILE__WRITE;
3509
3510 if (prot & PROT_EXEC)
3511 av |= FILE__EXECUTE;
3512
88e67f3b 3513 return file_has_perm(cred, file, av);
1da177e4 3514 }
d84f4f99
DH		 3515
3516error:
3517 return rc;
1da177e4
LT		 3518}
3519
e5467859 3520static int selinux_mmap_addr(unsigned long addr)
1da177e4 3521{
b1d9e6b0 3522 int rc = 0;
1da177e4 3523
a2551df7 3524 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3525 u32 sid = current_sid();
ed032189
EP		 3526 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3527 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3528 }
3529
98883bfd 3530 return rc;
e5467859 3531}
1da177e4 3532
e5467859
AV		 3533static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3534 unsigned long prot, unsigned long flags)
3535{
1da177e4
LT		 3536 if (selinux_checkreqprot)
3537 prot = reqprot;
3538
3539 return file_map_prot_check(file, prot,
3540 (flags & MAP_TYPE) == MAP_SHARED);
3541}
3542
3543static int selinux_file_mprotect(struct vm_area_struct *vma,
3544 unsigned long reqprot,
3545 unsigned long prot)
3546{
88e67f3b 3547 const struct cred *cred = current_cred();
1da177e4
LT		 3548
3549 if (selinux_checkreqprot)
3550 prot = reqprot;
3551
fcaaade1
SS		 3552 if (default_noexec &&
3553 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3554 int rc = 0;
db4c9641
SS		 3555 if (vma->vm_start >= vma->vm_mm->start_brk &&
3556 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3557 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641 3558 } else if (!vma->vm_file &&
c2316dbf
SS		 3559 ((vma->vm_start <= vma->vm_mm->start_stack &&
3560 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3561 vma_is_stack_for_current(vma))) {
3b11a1de 3562 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3563 } else if (vma->vm_file && vma->anon_vma) {
3564 /*
3565 * We are making executable a file mapping that has
3566 * had some COW done. Since pages might have been
3567 * written, check ability to execute the possibly
3568 * modified content. This typically should only
3569 * occur for text relocations.
3570 */
d84f4f99 3571 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3572 }