]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blame - security/selinux/hooks.c
projects / mirror_ubuntu-artful-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
selinux: use sprintf return value
[mirror_ubuntu-artful-kernel.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4 26#include <linux/init.h>
0b24dcb7 27#include <linux/kd.h>
1da177e4 28#include <linux/kernel.h>
0d094efe 29#include <linux/tracehook.h>
1da177e4
LT		 30#include <linux/errno.h>
31#include <linux/sched.h>
3c4ed7bd 32#include <linux/lsm_hooks.h>
1da177e4
LT		 33#include <linux/xattr.h>
34#include <linux/capability.h>
35#include <linux/unistd.h>
36#include <linux/mm.h>
37#include <linux/mman.h>
38#include <linux/slab.h>
39#include <linux/pagemap.h>
0b24dcb7 40#include <linux/proc_fs.h>
1da177e4 41#include <linux/swap.h>
1da177e4
LT		 42#include <linux/spinlock.h>
43#include <linux/syscalls.h>
2a7dba39 44#include <linux/dcache.h>
1da177e4 45#include <linux/file.h>
9f3acc31 46#include <linux/fdtable.h>
1da177e4
LT		 47#include <linux/namei.h>
48#include <linux/mount.h>
1da177e4
LT		 49#include <linux/netfilter_ipv4.h>
50#include <linux/netfilter_ipv6.h>
51#include <linux/tty.h>
52#include <net/icmp.h>
227b60f5 53#include <net/ip.h> /* for local_port_range[] */
1da177e4 54#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 55#include <net/inet_connection_sock.h>
220deb96 56#include <net/net_namespace.h>
d621d35e 57#include <net/netlabel.h>
f5269710 58#include <linux/uaccess.h>
1da177e4 59#include <asm/ioctls.h>
60063497 60#include <linux/atomic.h>
1da177e4
LT		 61#include <linux/bitops.h>
62#include <linux/interrupt.h>
63#include <linux/netdevice.h> /* for network interface checks */
77954983 64#include <net/netlink.h>
1da177e4
LT		 65#include <linux/tcp.h>
66#include <linux/udp.h>
2ee92d46 67#include <linux/dccp.h>
1da177e4
LT		 68#include <linux/quota.h>
69#include <linux/un.h> /* for Unix socket types */
70#include <net/af_unix.h> /* for Unix socket types */
71#include <linux/parser.h>
72#include <linux/nfs_mount.h>
73#include <net/ipv6.h>
74#include <linux/hugetlb.h>
75#include <linux/personality.h>
1da177e4 76#include <linux/audit.h>
6931dfc9 77#include <linux/string.h>
877ce7c1 78#include <linux/selinux.h>
23970741 79#include <linux/mutex.h>
f06febc9 80#include <linux/posix-timers.h>
00234592 81#include <linux/syslog.h>
3486740a 82#include <linux/user_namespace.h>
44fc7ea0 83#include <linux/export.h>
40401530
AV		 84#include <linux/msg.h>
85#include <linux/shm.h>
1da177e4
LT		 86
87#include "avc.h"
88#include "objsec.h"
89#include "netif.h"
224dfbd8 90#include "netnode.h"
3e112172 91#include "netport.h"
d28d1e08 92#include "xfrm.h"
c60475bf 93#include "netlabel.h"
9d57a7f9 94#include "audit.h"
7b98a585 95#include "avc_ss.h"
1da177e4 96
d621d35e 97/* SECMARK reference count */
56a4ca99 98static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 99
1da177e4 100#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 101int selinux_enforcing;
1da177e4
LT		 102
103static int __init enforcing_setup(char *str)
104{
f5269710 105 unsigned long enforcing;
29707b20 106 if (!kstrtoul(str, 0, &enforcing))
f5269710 107 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 108 return 1;
109}
110__setup("enforcing=", enforcing_setup);
111#endif
112
113#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116static int __init selinux_enabled_setup(char *str)
117{
f5269710 118 unsigned long enabled;
29707b20 119 if (!kstrtoul(str, 0, &enabled))
f5269710 120 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 121 return 1;
122}
123__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 124#else
125int selinux_enabled = 1;
1da177e4
LT		 126#endif
127
e18b890b 128static struct kmem_cache *sel_inode_cache;
7cae7e26 129
d621d35e
PM		 130/**
131 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
132 *
133 * Description:
134 * This function checks the SECMARK reference counter to see if any SECMARK
135 * targets are currently configured, if the reference counter is greater than
136 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 137 * enabled, false (0) if SECMARK is disabled. If the always_check_network
138 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 139 *
140 */
141static int selinux_secmark_enabled(void)
142{
2be4d74f
CP		 143 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
144}
145
146/**
147 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
148 *
149 * Description:
150 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
151 * (1) if any are enabled or false (0) if neither are enabled. If the
152 * always_check_network policy capability is enabled, peer labeling
153 * is always considered enabled.
154 *
155 */
156static int selinux_peerlbl_enabled(void)
157{
158 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 159}
160
615e51fd
PM		 161static int selinux_netcache_avc_callback(u32 event)
162{
163 if (event == AVC_CALLBACK_RESET) {
164 sel_netif_flush();
165 sel_netnode_flush();
166 sel_netport_flush();
167 synchronize_net();
168 }
169 return 0;
170}
171
d84f4f99
DH		 172/*
173 * initialise the security for the init task
174 */
175static void cred_init_security(void)
1da177e4 176{
3b11a1de 177 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 178 struct task_security_struct *tsec;
179
89d155ef 180 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 181 if (!tsec)
d84f4f99 182 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 183
d84f4f99 184 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 185 cred->security = tsec;
1da177e4
LT		 186}
187
88e67f3b
DH		 188/*
189 * get the security ID of a set of credentials
190 */
191static inline u32 cred_sid(const struct cred *cred)
192{
193 const struct task_security_struct *tsec;
194
195 tsec = cred->security;
196 return tsec->sid;
197}
198
275bb41e 199/*
3b11a1de 200 * get the objective security ID of a task
275bb41e
DH		 201 */
202static inline u32 task_sid(const struct task_struct *task)
203{
275bb41e
DH		 204 u32 sid;
205
206 rcu_read_lock();
88e67f3b 207 sid = cred_sid(__task_cred(task));
275bb41e
DH		 208 rcu_read_unlock();
209 return sid;
210}
211
212/*
3b11a1de 213 * get the subjective security ID of the current task
275bb41e
DH		 214 */
215static inline u32 current_sid(void)
216{
5fb49870 217 const struct task_security_struct *tsec = current_security();
275bb41e
DH		 218
219 return tsec->sid;
220}
221
88e67f3b
DH		 222/* Allocate and free functions for each kind of security blob. */
223
1da177e4
LT		 224static int inode_alloc_security(struct inode *inode)
225{
1da177e4 226 struct inode_security_struct *isec;
275bb41e 227 u32 sid = current_sid();
1da177e4 228
a02fe132 229 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 230 if (!isec)
231 return -ENOMEM;
232
23970741 233 mutex_init(&isec->lock);
1da177e4 234 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 235 isec->inode = inode;
236 isec->sid = SECINITSID_UNLABELED;
237 isec->sclass = SECCLASS_FILE;
275bb41e 238 isec->task_sid = sid;
1da177e4
LT		 239 inode->i_security = isec;
240
241 return 0;
242}
243
3dc91d43
SR		 244static void inode_free_rcu(struct rcu_head *head)
245{
246 struct inode_security_struct *isec;
247
248 isec = container_of(head, struct inode_security_struct, rcu);
249 kmem_cache_free(sel_inode_cache, isec);
250}
251
1da177e4
LT		 252static void inode_free_security(struct inode *inode)
253{
254 struct inode_security_struct *isec = inode->i_security;
255 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
256
9629d04a
WL		 257 /*
258 * As not all inode security structures are in a list, we check for
259 * empty list outside of the lock to make sure that we won't waste
260 * time taking a lock doing nothing.
261 *
262 * The list_del_init() function can be safely called more than once.
263 * It should not be possible for this function to be called with
264 * concurrent list_add(), but for better safety against future changes
265 * in the code, we use list_empty_careful() here.
266 */
267 if (!list_empty_careful(&isec->list)) {
268 spin_lock(&sbsec->isec_lock);
1da177e4 269 list_del_init(&isec->list);
9629d04a
WL		 270 spin_unlock(&sbsec->isec_lock);
271 }
1da177e4 272
3dc91d43
SR		 273 /*
274 * The inode may still be referenced in a path walk and
275 * a call to selinux_inode_permission() can be made
276 * after inode_free_security() is called. Ideally, the VFS
277 * wouldn't do this, but fixing that is a much harder
278 * job. For now, simply free the i_security via RCU, and
279 * leave the current inode->i_security pointer intact.
280 * The inode will be freed after the RCU grace period too.
281 */
282 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 283}
284
285static int file_alloc_security(struct file *file)
286{
1da177e4 287 struct file_security_struct *fsec;
275bb41e 288 u32 sid = current_sid();
1da177e4 289
26d2a4be 290 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 291 if (!fsec)
292 return -ENOMEM;
293
275bb41e
DH		 294 fsec->sid = sid;
295 fsec->fown_sid = sid;
1da177e4
LT		 296 file->f_security = fsec;
297
298 return 0;
299}
300
301static void file_free_security(struct file *file)
302{
303 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 304 file->f_security = NULL;
305 kfree(fsec);
306}
307
308static int superblock_alloc_security(struct super_block *sb)
309{
310 struct superblock_security_struct *sbsec;
311
89d155ef 312 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 313 if (!sbsec)
314 return -ENOMEM;
315
bc7e982b 316 mutex_init(&sbsec->lock);
1da177e4
LT		 317 INIT_LIST_HEAD(&sbsec->isec_head);
318 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 319 sbsec->sb = sb;
320 sbsec->sid = SECINITSID_UNLABELED;
321 sbsec->def_sid = SECINITSID_FILE;
c312feb2 322 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 323 sb->s_security = sbsec;
324
325 return 0;
326}
327
328static void superblock_free_security(struct super_block *sb)
329{
330 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 331 sb->s_security = NULL;
332 kfree(sbsec);
333}
334
1da177e4
LT		 335/* The file system's label must be initialized prior to use. */
336
eb9ae686 337static const char *labeling_behaviors[7] = {
1da177e4
LT		 338 "uses xattr",
339 "uses transition SIDs",
340 "uses task SIDs",
341 "uses genfs_contexts",
342 "not configured for labeling",
343 "uses mountpoint labeling",
eb9ae686 344 "uses native labeling",
1da177e4
LT		 345};
346
347static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
348
349static inline int inode_doinit(struct inode *inode)
350{
351 return inode_doinit_with_dentry(inode, NULL);
352}
353
354enum {
31e87930 355 Opt_error = -1,
1da177e4
LT		 356 Opt_context = 1,
357 Opt_fscontext = 2,
c9180a57
EP		 358 Opt_defcontext = 3,
359 Opt_rootcontext = 4,
11689d47 360 Opt_labelsupport = 5,
d355987f 361 Opt_nextmntopt = 6,
1da177e4
LT		 362};
363
d355987f
EP		 364#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
365
a447c093 366static const match_table_t tokens = {
832cbd9a
EP		 367 {Opt_context, CONTEXT_STR "%s"},
368 {Opt_fscontext, FSCONTEXT_STR "%s"},
369 {Opt_defcontext, DEFCONTEXT_STR "%s"},
370 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 371 {Opt_labelsupport, LABELSUPP_STR},
31e87930 372 {Opt_error, NULL},
1da177e4
LT		 373};
374
375#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
376
c312feb2
EP		 377static int may_context_mount_sb_relabel(u32 sid,
378 struct superblock_security_struct *sbsec,
275bb41e 379 const struct cred *cred)
c312feb2 380{
275bb41e 381 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 382 int rc;
383
384 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
385 FILESYSTEM__RELABELFROM, NULL);
386 if (rc)
387 return rc;
388
389 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
390 FILESYSTEM__RELABELTO, NULL);
391 return rc;
392}
393
0808925e
EP		 394static int may_context_mount_inode_relabel(u32 sid,
395 struct superblock_security_struct *sbsec,
275bb41e 396 const struct cred *cred)
0808925e 397{
275bb41e 398 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 399 int rc;
400 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
401 FILESYSTEM__RELABELFROM, NULL);
402 if (rc)
403 return rc;
404
405 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
406 FILESYSTEM__ASSOCIATE, NULL);
407 return rc;
408}
409
b43e725d
EP		 410static int selinux_is_sblabel_mnt(struct super_block *sb)
411{
412 struct superblock_security_struct *sbsec = sb->s_security;
413
d5f3a5f6
MS		 414 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
415 sbsec->behavior == SECURITY_FS_USE_TRANS ||
416 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 417 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 418 /* Special handling. Genfs but also in-core setxattr handler */
419 !strcmp(sb->s_type->name, "sysfs") ||
420 !strcmp(sb->s_type->name, "pstore") ||
421 !strcmp(sb->s_type->name, "debugfs") ||
422 !strcmp(sb->s_type->name, "rootfs");
b43e725d
EP		 423}
424
c9180a57 425static int sb_finish_set_opts(struct super_block *sb)
1da177e4 426{
1da177e4 427 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 428 struct dentry *root = sb->s_root;
c6f493d6 429 struct inode *root_inode = d_backing_inode(root);
c9180a57 430 int rc = 0;
1da177e4 431
c9180a57
EP		 432 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
433 /* Make sure that the xattr handler exists and that no
434 error other than -ENODATA is returned by getxattr on
435 the root directory. -ENODATA is ok, as this may be
436 the first boot of the SELinux kernel before we have
437 assigned xattr values to the filesystem. */
438 if (!root_inode->i_op->getxattr) {
29b1deb2
LT		 439 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
440 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 441 rc = -EOPNOTSUPP;
442 goto out;
443 }
444 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
445 if (rc < 0 && rc != -ENODATA) {
446 if (rc == -EOPNOTSUPP)
447 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 448 "%s) has no security xattr handler\n",
449 sb->s_id, sb->s_type->name);
c9180a57
EP		 450 else
451 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 452 "%s) getxattr errno %d\n", sb->s_id,
453 sb->s_type->name, -rc);
c9180a57
EP		 454 goto out;
455 }
456 }
1da177e4 457
c9180a57 458 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
29b1deb2
LT		 459 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
460 sb->s_id, sb->s_type->name);
1da177e4 461
eadcabc6 462 sbsec->flags |= SE_SBINITIALIZED;
b43e725d 463 if (selinux_is_sblabel_mnt(sb))
12f348b9 464 sbsec->flags |= SBLABEL_MNT;
ddd29ec6 465
c9180a57
EP		 466 /* Initialize the root inode. */
467 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 468
c9180a57
EP		 469 /* Initialize any other inodes associated with the superblock, e.g.
470 inodes created prior to initial policy load or inodes created
471 during get_sb by a pseudo filesystem that directly
472 populates itself. */
473 spin_lock(&sbsec->isec_lock);
474next_inode:
475 if (!list_empty(&sbsec->isec_head)) {
476 struct inode_security_struct *isec =
477 list_entry(sbsec->isec_head.next,
478 struct inode_security_struct, list);
479 struct inode *inode = isec->inode;
923190d3 480 list_del_init(&isec->list);
c9180a57
EP		 481 spin_unlock(&sbsec->isec_lock);
482 inode = igrab(inode);
483 if (inode) {
484 if (!IS_PRIVATE(inode))
485 inode_doinit(inode);
486 iput(inode);
487 }
488 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 489 goto next_inode;
490 }
491 spin_unlock(&sbsec->isec_lock);
492out:
493 return rc;
494}
1da177e4 495
c9180a57
EP		 496/*
497 * This function should allow an FS to ask what it's mount security
498 * options were so it can use those later for submounts, displaying
499 * mount options, or whatever.
500 */
501static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 502 struct security_mnt_opts *opts)
c9180a57
EP		 503{
504 int rc = 0, i;
505 struct superblock_security_struct *sbsec = sb->s_security;
506 char *context = NULL;
507 u32 len;
508 char tmp;
1da177e4 509
e0007529 510 security_init_mnt_opts(opts);
1da177e4 511
0d90a7ec 512 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 513 return -EINVAL;
1da177e4 514
c9180a57
EP		 515 if (!ss_initialized)
516 return -EINVAL;
1da177e4 517
af8e50cc
EP		 518 /* make sure we always check enough bits to cover the mask */
519 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
520
0d90a7ec 521 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 522 /* count the number of mount options for this sb */
af8e50cc 523 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 524 if (tmp & 0x01)
e0007529 525 opts->num_mnt_opts++;
c9180a57
EP		 526 tmp >>= 1;
527 }
11689d47 528 /* Check if the Label support flag is set */
0b4bdb35 529 if (sbsec->flags & SBLABEL_MNT)
11689d47 530 opts->num_mnt_opts++;
1da177e4 531
e0007529
EP		 532 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
533 if (!opts->mnt_opts) {
c9180a57
EP		 534 rc = -ENOMEM;
535 goto out_free;
536 }
1da177e4 537
e0007529
EP		 538 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
539 if (!opts->mnt_opts_flags) {
c9180a57
EP		 540 rc = -ENOMEM;
541 goto out_free;
542 }
1da177e4 543
c9180a57
EP		 544 i = 0;
545 if (sbsec->flags & FSCONTEXT_MNT) {
546 rc = security_sid_to_context(sbsec->sid, &context, &len);
547 if (rc)
548 goto out_free;
e0007529
EP		 549 opts->mnt_opts[i] = context;
550 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 551 }
552 if (sbsec->flags & CONTEXT_MNT) {
553 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
554 if (rc)
555 goto out_free;
e0007529
EP		 556 opts->mnt_opts[i] = context;
557 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 558 }
559 if (sbsec->flags & DEFCONTEXT_MNT) {
560 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
561 if (rc)
562 goto out_free;
e0007529
EP		 563 opts->mnt_opts[i] = context;
564 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 565 }
566 if (sbsec->flags & ROOTCONTEXT_MNT) {
c6f493d6 567 struct inode *root = d_backing_inode(sbsec->sb->s_root);
c9180a57 568 struct inode_security_struct *isec = root->i_security;
0808925e 569
c9180a57
EP		 570 rc = security_sid_to_context(isec->sid, &context, &len);
571 if (rc)
572 goto out_free;
e0007529
EP		 573 opts->mnt_opts[i] = context;
574 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 575 }
12f348b9 576 if (sbsec->flags & SBLABEL_MNT) {
11689d47 577 opts->mnt_opts[i] = NULL;
12f348b9 578 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 579 }
1da177e4 580
e0007529 581 BUG_ON(i != opts->num_mnt_opts);
1da177e4 582
c9180a57
EP		 583 return 0;
584
585out_free:
e0007529 586 security_free_mnt_opts(opts);
c9180a57
EP		 587 return rc;
588}
1da177e4 589
c9180a57
EP		 590static int bad_option(struct superblock_security_struct *sbsec, char flag,
591 u32 old_sid, u32 new_sid)
592{
0d90a7ec
DQ		 593 char mnt_flags = sbsec->flags & SE_MNTMASK;
594
c9180a57 595 /* check if the old mount command had the same options */
0d90a7ec 596 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 597 if (!(sbsec->flags & flag) ||
598 (old_sid != new_sid))
599 return 1;
600
601 /* check if we were passed the same options twice,
602 * aka someone passed context=a,context=b
603 */
0d90a7ec
DQ		 604 if (!(sbsec->flags & SE_SBINITIALIZED))
605 if (mnt_flags & flag)
c9180a57
EP		 606 return 1;
607 return 0;
608}
e0007529 609
c9180a57
EP		 610/*
611 * Allow filesystems with binary mount data to explicitly set mount point
612 * labeling information.
613 */
e0007529 614static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 615 struct security_mnt_opts *opts,
616 unsigned long kern_flags,
617 unsigned long *set_kern_flags)
c9180a57 618{
275bb41e 619 const struct cred *cred = current_cred();
c9180a57 620 int rc = 0, i;
c9180a57 621 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 622 const char *name = sb->s_type->name;
c6f493d6 623 struct inode *inode = d_backing_inode(sbsec->sb->s_root);
089be43e 624 struct inode_security_struct *root_isec = inode->i_security;
c9180a57
EP		 625 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
626 u32 defcontext_sid = 0;
e0007529
EP		 627 char **mount_options = opts->mnt_opts;
628 int *flags = opts->mnt_opts_flags;
629 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 630
631 mutex_lock(&sbsec->lock);
632
633 if (!ss_initialized) {
634 if (!num_opts) {
635 /* Defer initialization until selinux_complete_init,
636 after the initial policy is loaded and the security
637 server is ready to handle calls. */
c9180a57
EP		 638 goto out;
639 }
640 rc = -EINVAL;
744ba35e
EP		 641 printk(KERN_WARNING "SELinux: Unable to set superblock options "
642 "before the security server is initialized\n");
1da177e4 643 goto out;
c9180a57 644 }
649f6e77
DQ		 645 if (kern_flags && !set_kern_flags) {
646 /* Specifying internal flags without providing a place to
647 * place the results is not allowed */
648 rc = -EINVAL;
649 goto out;
650 }
1da177e4 651
e0007529
EP		 652 /*
653 * Binary mount data FS will come through this function twice. Once
654 * from an explicit call and once from the generic calls from the vfs.
655 * Since the generic VFS calls will not contain any security mount data
656 * we need to skip the double mount verification.
657 *
658 * This does open a hole in which we will not notice if the first
659 * mount using this sb set explict options and a second mount using
660 * this sb does not set any security options. (The first options
661 * will be used for both mounts)
662 */
0d90a7ec 663 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 664 && (num_opts == 0))
f5269710 665 goto out;
e0007529 666
c9180a57
EP		 667 /*
668 * parse the mount options, check if they are valid sids.
669 * also check if someone is trying to mount the same sb more
670 * than once with different security options.
671 */
672 for (i = 0; i < num_opts; i++) {
673 u32 sid;
11689d47 674
12f348b9 675 if (flags[i] == SBLABEL_MNT)
11689d47 676 continue;
44be2f65 677 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
1da177e4 678 if (rc) {
44be2f65 679 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 680 "(%s) failed for (dev %s, type %s) errno=%d\n",
681 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 682 goto out;
683 }
684 switch (flags[i]) {
685 case FSCONTEXT_MNT:
686 fscontext_sid = sid;
687
688 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
689 fscontext_sid))
690 goto out_double_mount;
691
692 sbsec->flags |= FSCONTEXT_MNT;
693 break;
694 case CONTEXT_MNT:
695 context_sid = sid;
696
697 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
698 context_sid))
699 goto out_double_mount;
700
701 sbsec->flags |= CONTEXT_MNT;
702 break;
703 case ROOTCONTEXT_MNT:
704 rootcontext_sid = sid;
705
706 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
707 rootcontext_sid))
708 goto out_double_mount;
709
710 sbsec->flags |= ROOTCONTEXT_MNT;
711
712 break;
713 case DEFCONTEXT_MNT:
714 defcontext_sid = sid;
715
716 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
717 defcontext_sid))
718 goto out_double_mount;
719
720 sbsec->flags |= DEFCONTEXT_MNT;
721
722 break;
723 default:
724 rc = -EINVAL;
725 goto out;
1da177e4 726 }
c9180a57
EP		 727 }
728
0d90a7ec 729 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 730 /* previously mounted with options, but not on this attempt? */
0d90a7ec 731 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 732 goto out_double_mount;
733 rc = 0;
734 goto out;
735 }
736
089be43e 737 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 738 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
739
8e014720
SS		 740 if (!strcmp(sb->s_type->name, "debugfs") ||
741 !strcmp(sb->s_type->name, "sysfs") ||
742 !strcmp(sb->s_type->name, "pstore"))
134509d5 743 sbsec->flags |= SE_SBGENFS;
c9180a57 744
eb9ae686
DQ		 745 if (!sbsec->behavior) {
746 /*
747 * Determine the labeling behavior to use for this
748 * filesystem type.
749 */
98f700f3 750 rc = security_fs_use(sb);
eb9ae686
DQ		 751 if (rc) {
752 printk(KERN_WARNING
753 "%s: security_fs_use(%s) returned %d\n",
754 __func__, sb->s_type->name, rc);
755 goto out;
756 }
c9180a57 757 }
c9180a57
EP		 758 /* sets the context of the superblock for the fs being mounted. */
759 if (fscontext_sid) {
275bb41e 760 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 761 if (rc)
c9180a57 762 goto out;
1da177e4 763
c9180a57 764 sbsec->sid = fscontext_sid;
c312feb2
EP		 765 }
766
767 /*
768 * Switch to using mount point labeling behavior.
769 * sets the label used on all file below the mountpoint, and will set
770 * the superblock context if not already set.
771 */
eb9ae686
DQ		 772 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
773 sbsec->behavior = SECURITY_FS_USE_NATIVE;
774 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
775 }
776
c9180a57
EP		 777 if (context_sid) {
778 if (!fscontext_sid) {
275bb41e
DH		 779 rc = may_context_mount_sb_relabel(context_sid, sbsec,
780 cred);
b04ea3ce 781 if (rc)
c9180a57
EP		 782 goto out;
783 sbsec->sid = context_sid;
b04ea3ce 784 } else {
275bb41e
DH		 785 rc = may_context_mount_inode_relabel(context_sid, sbsec,
786 cred);
b04ea3ce 787 if (rc)
c9180a57 788 goto out;
b04ea3ce 789 }
c9180a57
EP		 790 if (!rootcontext_sid)
791 rootcontext_sid = context_sid;
1da177e4 792
c9180a57 793 sbsec->mntpoint_sid = context_sid;
c312feb2 794 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 795 }
796
c9180a57 797 if (rootcontext_sid) {
275bb41e
DH		 798 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
799 cred);
0808925e 800 if (rc)
c9180a57 801 goto out;
0808925e 802
c9180a57
EP		 803 root_isec->sid = rootcontext_sid;
804 root_isec->initialized = 1;
0808925e
EP		 805 }
806
c9180a57 807 if (defcontext_sid) {
eb9ae686
DQ		 808 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
809 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 810 rc = -EINVAL;
811 printk(KERN_WARNING "SELinux: defcontext option is "
812 "invalid for this filesystem type\n");
813 goto out;
1da177e4
LT		 814 }
815
c9180a57
EP		 816 if (defcontext_sid != sbsec->def_sid) {
817 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 818 sbsec, cred);
c9180a57
EP		 819 if (rc)
820 goto out;
821 }
1da177e4 822
c9180a57 823 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 824 }
825
c9180a57 826 rc = sb_finish_set_opts(sb);
1da177e4 827out:
c9180a57 828 mutex_unlock(&sbsec->lock);
1da177e4 829 return rc;
c9180a57
EP		 830out_double_mount:
831 rc = -EINVAL;
832 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 833 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 834 goto out;
1da177e4
LT		 835}
836
094f7b69
JL		 837static int selinux_cmp_sb_context(const struct super_block *oldsb,
838 const struct super_block *newsb)
839{
840 struct superblock_security_struct *old = oldsb->s_security;
841 struct superblock_security_struct *new = newsb->s_security;
842 char oldflags = old->flags & SE_MNTMASK;
843 char newflags = new->flags & SE_MNTMASK;
844
845 if (oldflags != newflags)
846 goto mismatch;
847 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
848 goto mismatch;
849 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
850 goto mismatch;
851 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
852 goto mismatch;
853 if (oldflags & ROOTCONTEXT_MNT) {
c6f493d6
DH		 854 struct inode_security_struct *oldroot = d_backing_inode(oldsb->s_root)->i_security;
855 struct inode_security_struct *newroot = d_backing_inode(newsb->s_root)->i_security;
094f7b69
JL		 856 if (oldroot->sid != newroot->sid)
857 goto mismatch;
858 }
859 return 0;
860mismatch:
861 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
862 "different security settings for (dev %s, "
863 "type %s)\n", newsb->s_id, newsb->s_type->name);
864 return -EBUSY;
865}
866
867static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
c9180a57 868 struct super_block *newsb)
1da177e4 869{
c9180a57
EP		 870 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
871 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 872
c9180a57
EP		 873 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
874 int set_context = (oldsbsec->flags & CONTEXT_MNT);
875 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 876
0f5e6420
EP		 877 /*
878 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 879 * mount options. thus we can safely deal with this superblock later
0f5e6420 880 */
e8c26255 881 if (!ss_initialized)
094f7b69 882 return 0;
c9180a57 883
c9180a57 884 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 885 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 886
094f7b69 887 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 888 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 889 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 890
c9180a57
EP		 891 mutex_lock(&newsbsec->lock);
892
893 newsbsec->flags = oldsbsec->flags;
894
895 newsbsec->sid = oldsbsec->sid;
896 newsbsec->def_sid = oldsbsec->def_sid;
897 newsbsec->behavior = oldsbsec->behavior;
898
899 if (set_context) {
900 u32 sid = oldsbsec->mntpoint_sid;
901
902 if (!set_fscontext)
903 newsbsec->sid = sid;
904 if (!set_rootcontext) {
c6f493d6 905 struct inode *newinode = d_backing_inode(newsb->s_root);
c9180a57
EP		 906 struct inode_security_struct *newisec = newinode->i_security;
907 newisec->sid = sid;
908 }
909 newsbsec->mntpoint_sid = sid;
1da177e4 910 }
c9180a57 911 if (set_rootcontext) {
c6f493d6 912 const struct inode *oldinode = d_backing_inode(oldsb->s_root);
c9180a57 913 const struct inode_security_struct *oldisec = oldinode->i_security;
c6f493d6 914 struct inode *newinode = d_backing_inode(newsb->s_root);
c9180a57 915 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 916
c9180a57 917 newisec->sid = oldisec->sid;
1da177e4
LT		 918 }
919
c9180a57
EP		 920 sb_finish_set_opts(newsb);
921 mutex_unlock(&newsbsec->lock);
094f7b69 922 return 0;
c9180a57
EP		 923}
924
2e1479d9
AB		 925static int selinux_parse_opts_str(char *options,
926 struct security_mnt_opts *opts)
c9180a57 927{
e0007529 928 char *p;
c9180a57
EP		 929 char *context = NULL, *defcontext = NULL;
930 char *fscontext = NULL, *rootcontext = NULL;
e0007529 931 int rc, num_mnt_opts = 0;
1da177e4 932
e0007529 933 opts->num_mnt_opts = 0;
1da177e4 934
c9180a57
EP		 935 /* Standard string-based options. */
936 while ((p = strsep(&options, "|")) != NULL) {
937 int token;
938 substring_t args[MAX_OPT_ARGS];
1da177e4 939
c9180a57
EP		 940 if (!*p)
941 continue;
1da177e4 942
c9180a57 943 token = match_token(p, tokens, args);
1da177e4 944
c9180a57
EP		 945 switch (token) {
946 case Opt_context:
947 if (context || defcontext) {
948 rc = -EINVAL;
949 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
950 goto out_err;
951 }
952 context = match_strdup(&args[0]);
953 if (!context) {
954 rc = -ENOMEM;
955 goto out_err;
956 }
957 break;
958
959 case Opt_fscontext:
960 if (fscontext) {
961 rc = -EINVAL;
962 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
963 goto out_err;
964 }
965 fscontext = match_strdup(&args[0]);
966 if (!fscontext) {
967 rc = -ENOMEM;
968 goto out_err;
969 }
970 break;
971
972 case Opt_rootcontext:
973 if (rootcontext) {
974 rc = -EINVAL;
975 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
976 goto out_err;
977 }
978 rootcontext = match_strdup(&args[0]);
979 if (!rootcontext) {
980 rc = -ENOMEM;
981 goto out_err;
982 }
983 break;
984
985 case Opt_defcontext:
986 if (context || defcontext) {
987 rc = -EINVAL;
988 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
989 goto out_err;
990 }
991 defcontext = match_strdup(&args[0]);
992 if (!defcontext) {
993 rc = -ENOMEM;
994 goto out_err;
995 }
996 break;
11689d47
DQ		 997 case Opt_labelsupport:
998 break;
c9180a57
EP		 999 default:
1000 rc = -EINVAL;
1001 printk(KERN_WARNING "SELinux: unknown mount option\n");
1002 goto out_err;
1da177e4 1003
1da177e4 1004 }
1da177e4 1005 }
c9180a57 1006
e0007529
EP		 1007 rc = -ENOMEM;
1008 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1009 if (!opts->mnt_opts)
1010 goto out_err;
1011
1012 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1013 if (!opts->mnt_opts_flags) {
1014 kfree(opts->mnt_opts);
1015 goto out_err;
1016 }
1017
c9180a57 1018 if (fscontext) {
e0007529
EP		 1019 opts->mnt_opts[num_mnt_opts] = fscontext;
1020 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1021 }
1022 if (context) {
e0007529
EP		 1023 opts->mnt_opts[num_mnt_opts] = context;
1024 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1025 }
1026 if (rootcontext) {
e0007529
EP		 1027 opts->mnt_opts[num_mnt_opts] = rootcontext;
1028 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1029 }
1030 if (defcontext) {
e0007529
EP		 1031 opts->mnt_opts[num_mnt_opts] = defcontext;
1032 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1033 }
1034
e0007529
EP		 1035 opts->num_mnt_opts = num_mnt_opts;
1036 return 0;
1037
c9180a57
EP		 1038out_err:
1039 kfree(context);
1040 kfree(defcontext);
1041 kfree(fscontext);
1042 kfree(rootcontext);
1da177e4
LT		 1043 return rc;
1044}
e0007529
EP		 1045/*
1046 * string mount options parsing and call set the sbsec
1047 */
1048static int superblock_doinit(struct super_block *sb, void *data)
1049{
1050 int rc = 0;
1051 char *options = data;
1052 struct security_mnt_opts opts;
1053
1054 security_init_mnt_opts(&opts);
1055
1056 if (!data)
1057 goto out;
1058
1059 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1060
1061 rc = selinux_parse_opts_str(options, &opts);
1062 if (rc)
1063 goto out_err;
1064
1065out:
649f6e77 1066 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1067
1068out_err:
1069 security_free_mnt_opts(&opts);
1070 return rc;
1071}
1da177e4 1072
3583a711
AB		 1073static void selinux_write_opts(struct seq_file *m,
1074 struct security_mnt_opts *opts)
2069f457
EP		 1075{
1076 int i;
1077 char *prefix;
1078
1079 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1080 char *has_comma;
1081
1082 if (opts->mnt_opts[i])
1083 has_comma = strchr(opts->mnt_opts[i], ',');
1084 else
1085 has_comma = NULL;
2069f457
EP		 1086
1087 switch (opts->mnt_opts_flags[i]) {
1088 case CONTEXT_MNT:
1089 prefix = CONTEXT_STR;
1090 break;
1091 case FSCONTEXT_MNT:
1092 prefix = FSCONTEXT_STR;
1093 break;
1094 case ROOTCONTEXT_MNT:
1095 prefix = ROOTCONTEXT_STR;
1096 break;
1097 case DEFCONTEXT_MNT:
1098 prefix = DEFCONTEXT_STR;
1099 break;
12f348b9 1100 case SBLABEL_MNT:
11689d47
DQ		 1101 seq_putc(m, ',');
1102 seq_puts(m, LABELSUPP_STR);
1103 continue;
2069f457
EP		 1104 default:
1105 BUG();
a35c6c83 1106 return;
2069f457
EP		 1107 };
1108 /* we need a comma before each option */
1109 seq_putc(m, ',');
1110 seq_puts(m, prefix);
1111 if (has_comma)
1112 seq_putc(m, '\"');
a068acf2 1113 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
2069f457
EP		 1114 if (has_comma)
1115 seq_putc(m, '\"');
1116 }
1117}
1118
1119static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1120{
1121 struct security_mnt_opts opts;
1122 int rc;
1123
1124 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1125 if (rc) {
1126 /* before policy load we may get EINVAL, don't show anything */
1127 if (rc == -EINVAL)
1128 rc = 0;
2069f457 1129 return rc;
383795c2 1130 }
2069f457
EP		 1131
1132 selinux_write_opts(m, &opts);
1133
1134 security_free_mnt_opts(&opts);
1135
1136 return rc;
1137}
1138
1da177e4
LT		 1139static inline u16 inode_mode_to_security_class(umode_t mode)
1140{
1141 switch (mode & S_IFMT) {
1142 case S_IFSOCK:
1143 return SECCLASS_SOCK_FILE;
1144 case S_IFLNK:
1145 return SECCLASS_LNK_FILE;
1146 case S_IFREG:
1147 return SECCLASS_FILE;
1148 case S_IFBLK:
1149 return SECCLASS_BLK_FILE;
1150 case S_IFDIR:
1151 return SECCLASS_DIR;
1152 case S_IFCHR:
1153 return SECCLASS_CHR_FILE;
1154 case S_IFIFO:
1155 return SECCLASS_FIFO_FILE;
1156
1157 }
1158
1159 return SECCLASS_FILE;
1160}
1161
13402580
JM		 1162static inline int default_protocol_stream(int protocol)
1163{
1164 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1165}
1166
1167static inline int default_protocol_dgram(int protocol)
1168{
1169 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1170}
1171
1da177e4
LT		 1172static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1173{
1174 switch (family) {
1175 case PF_UNIX:
1176 switch (type) {
1177 case SOCK_STREAM:
1178 case SOCK_SEQPACKET:
1179 return SECCLASS_UNIX_STREAM_SOCKET;
1180 case SOCK_DGRAM:
1181 return SECCLASS_UNIX_DGRAM_SOCKET;
1182 }
1183 break;
1184 case PF_INET:
1185 case PF_INET6:
1186 switch (type) {
1187 case SOCK_STREAM:
13402580
JM		 1188 if (default_protocol_stream(protocol))
1189 return SECCLASS_TCP_SOCKET;
1190 else
1191 return SECCLASS_RAWIP_SOCKET;
1da177e4 1192 case SOCK_DGRAM:
13402580
JM		 1193 if (default_protocol_dgram(protocol))
1194 return SECCLASS_UDP_SOCKET;
1195 else
1196 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1197 case SOCK_DCCP:
1198 return SECCLASS_DCCP_SOCKET;
13402580 1199 default:
1da177e4
LT		 1200 return SECCLASS_RAWIP_SOCKET;
1201 }
1202 break;
1203 case PF_NETLINK:
1204 switch (protocol) {
1205 case NETLINK_ROUTE:
1206 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1207 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1208 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1209 case NETLINK_NFLOG:
1210 return SECCLASS_NETLINK_NFLOG_SOCKET;
1211 case NETLINK_XFRM:
1212 return SECCLASS_NETLINK_XFRM_SOCKET;
1213 case NETLINK_SELINUX:
1214 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1215 case NETLINK_ISCSI:
1216 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1217 case NETLINK_AUDIT:
1218 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1219 case NETLINK_FIB_LOOKUP:
1220 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1221 case NETLINK_CONNECTOR:
1222 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1223 case NETLINK_NETFILTER:
1224 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1225 case NETLINK_DNRTMSG:
1226 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1227 case NETLINK_KOBJECT_UEVENT:
1228 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1229 case NETLINK_GENERIC:
1230 return SECCLASS_NETLINK_GENERIC_SOCKET;
1231 case NETLINK_SCSITRANSPORT:
1232 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1233 case NETLINK_RDMA:
1234 return SECCLASS_NETLINK_RDMA_SOCKET;
1235 case NETLINK_CRYPTO:
1236 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1237 default:
1238 return SECCLASS_NETLINK_SOCKET;
1239 }
1240 case PF_PACKET:
1241 return SECCLASS_PACKET_SOCKET;
1242 case PF_KEY:
1243 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1244 case PF_APPLETALK:
1245 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1246 }
1247
1248 return SECCLASS_SOCKET;
1249}
1250
134509d5
SS		 1251static int selinux_genfs_get_sid(struct dentry *dentry,
1252 u16 tclass,
1253 u16 flags,
1254 u32 *sid)
1da177e4 1255{
8e6c9693 1256 int rc;
134509d5 1257 struct super_block *sb = dentry->d_inode->i_sb;
8e6c9693 1258 char *buffer, *path;
1da177e4 1259
828dfe1d 1260 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1261 if (!buffer)
1262 return -ENOMEM;
1263
8e6c9693
LAG		 1264 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1265 if (IS_ERR(path))
1266 rc = PTR_ERR(path);
1267 else {
134509d5
SS		 1268 if (flags & SE_SBPROC) {
1269 /* each process gets a /proc/PID/ entry. Strip off the
1270 * PID part to get a valid selinux labeling.
1271 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1272 while (path[1] >= '0' && path[1] <= '9') {
1273 path[1] = '/';
1274 path++;
1275 }
8e6c9693 1276 }
134509d5 1277 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1da177e4 1278 }
1da177e4
LT		 1279 free_page((unsigned long)buffer);
1280 return rc;
1281}
1da177e4
LT		 1282
1283/* The inode's security attributes must be initialized before first use. */
1284static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1285{
1286 struct superblock_security_struct *sbsec = NULL;
1287 struct inode_security_struct *isec = inode->i_security;
1288 u32 sid;
1289 struct dentry *dentry;
1290#define INITCONTEXTLEN 255
1291 char *context = NULL;
1292 unsigned len = 0;
1293 int rc = 0;
1da177e4
LT		 1294
1295 if (isec->initialized)
1296 goto out;
1297
23970741 1298 mutex_lock(&isec->lock);
1da177e4 1299 if (isec->initialized)
23970741 1300 goto out_unlock;
1da177e4
LT		 1301
1302 sbsec = inode->i_sb->s_security;
0d90a7ec 1303 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1304 /* Defer initialization until selinux_complete_init,
1305 after the initial policy is loaded and the security
1306 server is ready to handle calls. */
1307 spin_lock(&sbsec->isec_lock);
1308 if (list_empty(&isec->list))
1309 list_add(&isec->list, &sbsec->isec_head);
1310 spin_unlock(&sbsec->isec_lock);
23970741 1311 goto out_unlock;
1da177e4
LT		 1312 }
1313
1314 switch (sbsec->behavior) {
eb9ae686
DQ		 1315 case SECURITY_FS_USE_NATIVE:
1316 break;
1da177e4
LT		 1317 case SECURITY_FS_USE_XATTR:
1318 if (!inode->i_op->getxattr) {
1319 isec->sid = sbsec->def_sid;
1320 break;
1321 }
1322
1323 /* Need a dentry, since the xattr API requires one.
1324 Life would be simpler if we could just pass the inode. */
1325 if (opt_dentry) {
1326 /* Called from d_instantiate or d_splice_alias. */
1327 dentry = dget(opt_dentry);
1328 } else {
1329 /* Called from selinux_complete_init, try to find a dentry. */
1330 dentry = d_find_alias(inode);
1331 }
1332 if (!dentry) {
df7f54c0
EP		 1333 /*
1334 * this is can be hit on boot when a file is accessed
1335 * before the policy is loaded. When we load policy we
1336 * may find inodes that have no dentry on the
1337 * sbsec->isec_head list. No reason to complain as these
1338 * will get fixed up the next time we go through
1339 * inode_doinit with a dentry, before these inodes could
1340 * be used again by userspace.
1341 */
23970741 1342 goto out_unlock;
1da177e4
LT		 1343 }
1344
1345 len = INITCONTEXTLEN;
4cb912f1 1346 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1347 if (!context) {
1348 rc = -ENOMEM;
1349 dput(dentry);
23970741 1350 goto out_unlock;
1da177e4 1351 }
4cb912f1 1352 context[len] = '\0';
1da177e4
LT		 1353 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1354 context, len);
1355 if (rc == -ERANGE) {
314dabb8
JM		 1356 kfree(context);
1357
1da177e4
LT		 1358 /* Need a larger buffer. Query for the right size. */
1359 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1360 NULL, 0);
1361 if (rc < 0) {
1362 dput(dentry);
23970741 1363 goto out_unlock;
1da177e4 1364 }
1da177e4 1365 len = rc;
4cb912f1 1366 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1367 if (!context) {
1368 rc = -ENOMEM;
1369 dput(dentry);
23970741 1370 goto out_unlock;
1da177e4 1371 }
4cb912f1 1372 context[len] = '\0';
1da177e4
LT		 1373 rc = inode->i_op->getxattr(dentry,
1374 XATTR_NAME_SELINUX,
1375 context, len);
1376 }
1377 dput(dentry);
1378 if (rc < 0) {
1379 if (rc != -ENODATA) {
744ba35e 1380 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1381 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1382 -rc, inode->i_sb->s_id, inode->i_ino);
1383 kfree(context);
23970741 1384 goto out_unlock;
1da177e4
LT		 1385 }
1386 /* Map ENODATA to the default file SID */
1387 sid = sbsec->def_sid;
1388 rc = 0;
1389 } else {
f5c1d5b2 1390 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1391 sbsec->def_sid,
1392 GFP_NOFS);
1da177e4 1393 if (rc) {
4ba0a8ad
EP		 1394 char *dev = inode->i_sb->s_id;
1395 unsigned long ino = inode->i_ino;
1396
1397 if (rc == -EINVAL) {
1398 if (printk_ratelimit())
1399 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1400 "context=%s. This indicates you may need to relabel the inode or the "
1401 "filesystem in question.\n", ino, dev, context);
1402 } else {
1403 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1404 "returned %d for dev=%s ino=%ld\n",
1405 __func__, context, -rc, dev, ino);
1406 }
1da177e4
LT		 1407 kfree(context);
1408 /* Leave with the unlabeled SID */
1409 rc = 0;
1410 break;
1411 }
1412 }
1413 kfree(context);
1414 isec->sid = sid;
1415 break;
1416 case SECURITY_FS_USE_TASK:
1417 isec->sid = isec->task_sid;
1418 break;
1419 case SECURITY_FS_USE_TRANS:
1420 /* Default to the fs SID. */
1421 isec->sid = sbsec->sid;
1422
1423 /* Try to obtain a transition SID. */
1424 isec->sclass = inode_mode_to_security_class(inode->i_mode);
652bb9b0
EP		 1425 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1426 isec->sclass, NULL, &sid);
1da177e4 1427 if (rc)
23970741 1428 goto out_unlock;
1da177e4
LT		 1429 isec->sid = sid;
1430 break;
c312feb2
EP		 1431 case SECURITY_FS_USE_MNTPOINT:
1432 isec->sid = sbsec->mntpoint_sid;
1433 break;
1da177e4 1434 default:
c312feb2 1435 /* Default to the fs superblock SID. */
1da177e4
LT		 1436 isec->sid = sbsec->sid;
1437
134509d5 1438 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1439 /* We must have a dentry to determine the label on
1440 * procfs inodes */
1441 if (opt_dentry)
1442 /* Called from d_instantiate or
1443 * d_splice_alias. */
1444 dentry = dget(opt_dentry);
1445 else
1446 /* Called from selinux_complete_init, try to
1447 * find a dentry. */
1448 dentry = d_find_alias(inode);
1449 /*
1450 * This can be hit on boot when a file is accessed
1451 * before the policy is loaded. When we load policy we
1452 * may find inodes that have no dentry on the
1453 * sbsec->isec_head list. No reason to complain as
1454 * these will get fixed up the next time we go through
1455 * inode_doinit() with a dentry, before these inodes
1456 * could be used again by userspace.
1457 */
1458 if (!dentry)
1459 goto out_unlock;
1460 isec->sclass = inode_mode_to_security_class(inode->i_mode);
134509d5
SS		 1461 rc = selinux_genfs_get_sid(dentry, isec->sclass,
1462 sbsec->flags, &sid);
f64410ec
PM		 1463 dput(dentry);
1464 if (rc)
1465 goto out_unlock;
1466 isec->sid = sid;
1da177e4
LT		 1467 }
1468 break;
1469 }
1470
1471 isec->initialized = 1;
1472
23970741
EP		 1473out_unlock:
1474 mutex_unlock(&isec->lock);
1da177e4
LT		 1475out:
1476 if (isec->sclass == SECCLASS_FILE)
1477 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1478 return rc;
1479}
1480
1481/* Convert a Linux signal to an access vector. */
1482static inline u32 signal_to_av(int sig)
1483{
1484 u32 perm = 0;
1485
1486 switch (sig) {
1487 case SIGCHLD:
1488 /* Commonly granted from child to parent. */
1489 perm = PROCESS__SIGCHLD;
1490 break;
1491 case SIGKILL:
1492 /* Cannot be caught or ignored */
1493 perm = PROCESS__SIGKILL;
1494 break;
1495 case SIGSTOP:
1496 /* Cannot be caught or ignored */
1497 perm = PROCESS__SIGSTOP;
1498 break;
1499 default:
1500 /* All other signals. */
1501 perm = PROCESS__SIGNAL;
1502 break;
1503 }
1504
1505 return perm;
1506}
1507
d84f4f99
DH		 1508/*
1509 * Check permission between a pair of credentials
1510 * fork check, ptrace check, etc.
1511 */
1512static int cred_has_perm(const struct cred *actor,
1513 const struct cred *target,
1514 u32 perms)
1515{
1516 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1517
1518 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1519}
1520
275bb41e 1521/*
88e67f3b 1522 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1523 * fork check, ptrace check, etc.
1524 * tsk1 is the actor and tsk2 is the target
3b11a1de 1525 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1526 */
1527static int task_has_perm(const struct task_struct *tsk1,
1528 const struct task_struct *tsk2,
1da177e4
LT		 1529 u32 perms)
1530{
275bb41e
DH		 1531 const struct task_security_struct *__tsec1, *__tsec2;
1532 u32 sid1, sid2;
1da177e4 1533
275bb41e
DH		 1534 rcu_read_lock();
1535 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1536 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1537 rcu_read_unlock();
1538 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1539}
1540
3b11a1de
DH		 1541/*
1542 * Check permission between current and another task, e.g. signal checks,
1543 * fork check, ptrace check, etc.
1544 * current is the actor and tsk2 is the target
1545 * - this uses current's subjective creds
1546 */
1547static int current_has_perm(const struct task_struct *tsk,
1548 u32 perms)
1549{
1550 u32 sid, tsid;
1551
1552 sid = current_sid();
1553 tsid = task_sid(tsk);
1554 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1555}
1556
b68e418c
SS		 1557#if CAP_LAST_CAP > 63
1558#error Fix SELinux to handle capabilities > 63.
1559#endif
1560
1da177e4 1561/* Check whether a task is allowed to use a capability. */
6a9de491 1562static int cred_has_capability(const struct cred *cred,
06112163 1563 int cap, int audit)
1da177e4 1564{
2bf49690 1565 struct common_audit_data ad;
06112163 1566 struct av_decision avd;
b68e418c 1567 u16 sclass;
3699c53c 1568 u32 sid = cred_sid(cred);
b68e418c 1569 u32 av = CAP_TO_MASK(cap);
06112163 1570 int rc;
1da177e4 1571
50c205f5 1572 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1573 ad.u.cap = cap;
1574
b68e418c
SS		 1575 switch (CAP_TO_INDEX(cap)) {
1576 case 0:
1577 sclass = SECCLASS_CAPABILITY;
1578 break;
1579 case 1:
1580 sclass = SECCLASS_CAPABILITY2;
1581 break;
1582 default:
1583 printk(KERN_ERR
1584 "SELinux: out of range capability %d\n", cap);
1585 BUG();
a35c6c83 1586 return -EINVAL;
b68e418c 1587 }
06112163 1588
275bb41e 1589 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1590 if (audit == SECURITY_CAP_AUDIT) {
7b20ea25 1591 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1592 if (rc2)
1593 return rc2;
1594 }
06112163 1595 return rc;
1da177e4
LT		 1596}
1597
1598/* Check whether a task is allowed to use a system operation. */
1599static int task_has_system(struct task_struct *tsk,
1600 u32 perms)
1601{
275bb41e 1602 u32 sid = task_sid(tsk);
1da177e4 1603
275bb41e 1604 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1605 SECCLASS_SYSTEM, perms, NULL);
1606}
1607
1608/* Check whether a task has a particular permission to an inode.
1609 The 'adp' parameter is optional and allows other audit
1610 data to be passed (e.g. the dentry). */
88e67f3b 1611static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1612 struct inode *inode,
1613 u32 perms,
19e49834 1614 struct common_audit_data *adp)
1da177e4 1615{
1da177e4 1616 struct inode_security_struct *isec;
275bb41e 1617 u32 sid;
1da177e4 1618
e0e81739
DH		 1619 validate_creds(cred);
1620
828dfe1d 1621 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1622 return 0;
1623
88e67f3b 1624 sid = cred_sid(cred);
1da177e4
LT		 1625 isec = inode->i_security;
1626
19e49834 1627 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1628}
1629
1630/* Same as inode_has_perm, but pass explicit audit data containing
1631 the dentry to help the auditing code to more easily generate the
1632 pathname if needed. */
88e67f3b 1633static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1634 struct dentry *dentry,
1635 u32 av)
1636{
c6f493d6 1637 struct inode *inode = d_backing_inode(dentry);
2bf49690 1638 struct common_audit_data ad;
88e67f3b 1639
50c205f5 1640 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1641 ad.u.dentry = dentry;
19e49834 1642 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1643}
1644
1645/* Same as inode_has_perm, but pass explicit audit data containing
1646 the path to help the auditing code to more easily generate the
1647 pathname if needed. */
1648static inline int path_has_perm(const struct cred *cred,
3f7036a0 1649 const struct path *path,
2875fa00
EP		 1650 u32 av)
1651{
c6f493d6 1652 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1653 struct common_audit_data ad;
1654
50c205f5 1655 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1656 ad.u.path = *path;
19e49834 1657 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1658}
1659
13f8e981
DH		 1660/* Same as path_has_perm, but uses the inode from the file struct. */
1661static inline int file_path_has_perm(const struct cred *cred,
1662 struct file *file,
1663 u32 av)
1664{
1665 struct common_audit_data ad;
1666
1667 ad.type = LSM_AUDIT_DATA_PATH;
1668 ad.u.path = file->f_path;
19e49834 1669 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1670}
1671
1da177e4
LT		 1672/* Check whether a task can use an open file descriptor to
1673 access an inode in a given way. Check access to the
1674 descriptor itself, and then use dentry_has_perm to
1675 check a particular permission to the file.
1676 Access to the descriptor is implicitly granted if it
1677 has the same SID as the process. If av is zero, then
1678 access to the file is not checked, e.g. for cases
1679 where only the descriptor is affected like seek. */
88e67f3b
DH		 1680static int file_has_perm(const struct cred *cred,
1681 struct file *file,
1682 u32 av)
1da177e4 1683{
1da177e4 1684 struct file_security_struct *fsec = file->f_security;
496ad9aa 1685 struct inode *inode = file_inode(file);
2bf49690 1686 struct common_audit_data ad;
88e67f3b 1687 u32 sid = cred_sid(cred);
1da177e4
LT		 1688 int rc;
1689
50c205f5 1690 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 1691 ad.u.path = file->f_path;
1da177e4 1692
275bb41e
DH		 1693 if (sid != fsec->sid) {
1694 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1695 SECCLASS_FD,
1696 FD__USE,
1697 &ad);
1698 if (rc)
88e67f3b 1699 goto out;
1da177e4
LT		 1700 }
1701
1702 /* av is zero if only checking access to the descriptor. */
88e67f3b 1703 rc = 0;
1da177e4 1704 if (av)
19e49834 1705 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1706
88e67f3b
DH		 1707out:
1708 return rc;
1da177e4
LT		 1709}
1710
c3c188b2
DH		 1711/*
1712 * Determine the label for an inode that might be unioned.
1713 */
1714static int selinux_determine_inode_label(const struct inode *dir,
1715 const struct qstr *name,
1716 u16 tclass,
1717 u32 *_new_isid)
1718{
1719 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1720 const struct inode_security_struct *dsec = dir->i_security;
1721 const struct task_security_struct *tsec = current_security();
1722
1723 if ((sbsec->flags & SE_SBINITIALIZED) &&
1724 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1725 *_new_isid = sbsec->mntpoint_sid;
1726 } else if ((sbsec->flags & SBLABEL_MNT) &&
1727 tsec->create_sid) {
1728 *_new_isid = tsec->create_sid;
1729 } else {
1730 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1731 name, _new_isid);
1732 }
1733
1734 return 0;
1735}
1736
1da177e4
LT		 1737/* Check whether a task can create a file. */
1738static int may_create(struct inode *dir,
1739 struct dentry *dentry,
1740 u16 tclass)
1741{
5fb49870 1742 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1743 struct inode_security_struct *dsec;
1744 struct superblock_security_struct *sbsec;
275bb41e 1745 u32 sid, newsid;
2bf49690 1746 struct common_audit_data ad;
1da177e4
LT		 1747 int rc;
1748
1da177e4
LT		 1749 dsec = dir->i_security;
1750 sbsec = dir->i_sb->s_security;
1751
275bb41e 1752 sid = tsec->sid;
275bb41e 1753
50c205f5 1754 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1755 ad.u.dentry = dentry;
1da177e4 1756
275bb41e 1757 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1758 DIR__ADD_NAME | DIR__SEARCH,
1759 &ad);
1760 if (rc)
1761 return rc;
1762
c3c188b2
DH		 1763 rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass,
1764 &newsid);
1765 if (rc)
1766 return rc;
1da177e4 1767
275bb41e 1768 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1769 if (rc)
1770 return rc;
1771
1772 return avc_has_perm(newsid, sbsec->sid,
1773 SECCLASS_FILESYSTEM,
1774 FILESYSTEM__ASSOCIATE, &ad);
1775}
1776
4eb582cf
ML		 1777/* Check whether a task can create a key. */
1778static int may_create_key(u32 ksid,
1779 struct task_struct *ctx)
1780{
275bb41e 1781 u32 sid = task_sid(ctx);
4eb582cf 1782
275bb41e 1783 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1784}
1785
828dfe1d
EP		 1786#define MAY_LINK 0
1787#define MAY_UNLINK 1
1788#define MAY_RMDIR 2
1da177e4
LT		 1789
1790/* Check whether a task can link, unlink, or rmdir a file/directory. */
1791static int may_link(struct inode *dir,
1792 struct dentry *dentry,
1793 int kind)
1794
1795{
1da177e4 1796 struct inode_security_struct *dsec, *isec;
2bf49690 1797 struct common_audit_data ad;
275bb41e 1798 u32 sid = current_sid();
1da177e4
LT		 1799 u32 av;
1800 int rc;
1801
1da177e4 1802 dsec = dir->i_security;
c6f493d6 1803 isec = d_backing_inode(dentry)->i_security;
1da177e4 1804
50c205f5 1805 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1806 ad.u.dentry = dentry;
1da177e4
LT		 1807
1808 av = DIR__SEARCH;
1809 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1810 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1811 if (rc)
1812 return rc;
1813
1814 switch (kind) {
1815 case MAY_LINK:
1816 av = FILE__LINK;
1817 break;
1818 case MAY_UNLINK:
1819 av = FILE__UNLINK;
1820 break;
1821 case MAY_RMDIR:
1822 av = DIR__RMDIR;
1823 break;
1824 default:
744ba35e
EP		 1825 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1826 __func__, kind);
1da177e4
LT		 1827 return 0;
1828 }
1829
275bb41e 1830 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1831 return rc;
1832}
1833
1834static inline int may_rename(struct inode *old_dir,
1835 struct dentry *old_dentry,
1836 struct inode *new_dir,
1837 struct dentry *new_dentry)
1838{
1da177e4 1839 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1840 struct common_audit_data ad;
275bb41e 1841 u32 sid = current_sid();
1da177e4
LT		 1842 u32 av;
1843 int old_is_dir, new_is_dir;
1844 int rc;
1845
1da177e4 1846 old_dsec = old_dir->i_security;
c6f493d6 1847 old_isec = d_backing_inode(old_dentry)->i_security;
e36cb0b8 1848 old_is_dir = d_is_dir(old_dentry);
1da177e4
LT		 1849 new_dsec = new_dir->i_security;
1850
50c205f5 1851 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1852
a269434d 1853 ad.u.dentry = old_dentry;
275bb41e 1854 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1855 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1856 if (rc)
1857 return rc;
275bb41e 1858 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1859 old_isec->sclass, FILE__RENAME, &ad);
1860 if (rc)
1861 return rc;
1862 if (old_is_dir && new_dir != old_dir) {
275bb41e 1863 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1864 old_isec->sclass, DIR__REPARENT, &ad);
1865 if (rc)
1866 return rc;
1867 }
1868
a269434d 1869 ad.u.dentry = new_dentry;
1da177e4 1870 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1871 if (d_is_positive(new_dentry))
1da177e4 1872 av |= DIR__REMOVE_NAME;
275bb41e 1873 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1874 if (rc)
1875 return rc;
2c616d4d 1876 if (d_is_positive(new_dentry)) {
c6f493d6 1877 new_isec = d_backing_inode(new_dentry)->i_security;
e36cb0b8 1878 new_is_dir = d_is_dir(new_dentry);
275bb41e 1879 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1880 new_isec->sclass,
1881 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1882 if (rc)
1883 return rc;
1884 }
1885
1886 return 0;
1887}
1888
1889/* Check whether a task can perform a filesystem operation. */
88e67f3b 1890static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1891 struct super_block *sb,
1892 u32 perms,
2bf49690 1893 struct common_audit_data *ad)
1da177e4 1894{
1da177e4 1895 struct superblock_security_struct *sbsec;
88e67f3b 1896 u32 sid = cred_sid(cred);
1da177e4 1897
1da177e4 1898 sbsec = sb->s_security;
275bb41e 1899 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1900}
1901
1902/* Convert a Linux mode and permission mask to an access vector. */
1903static inline u32 file_mask_to_av(int mode, int mask)
1904{
1905 u32 av = 0;
1906
dba19c60 1907 if (!S_ISDIR(mode)) {
1da177e4
LT		 1908 if (mask & MAY_EXEC)
1909 av |= FILE__EXECUTE;
1910 if (mask & MAY_READ)
1911 av |= FILE__READ;
1912
1913 if (mask & MAY_APPEND)
1914 av |= FILE__APPEND;
1915 else if (mask & MAY_WRITE)
1916 av |= FILE__WRITE;
1917
1918 } else {
1919 if (mask & MAY_EXEC)
1920 av |= DIR__SEARCH;
1921 if (mask & MAY_WRITE)
1922 av |= DIR__WRITE;
1923 if (mask & MAY_READ)
1924 av |= DIR__READ;
1925 }
1926
1927 return av;
1928}
1929
8b6a5a37
EP		 1930/* Convert a Linux file to an access vector. */
1931static inline u32 file_to_av(struct file *file)
1932{
1933 u32 av = 0;
1934
1935 if (file->f_mode & FMODE_READ)
1936 av |= FILE__READ;
1937 if (file->f_mode & FMODE_WRITE) {
1938 if (file->f_flags & O_APPEND)
1939 av |= FILE__APPEND;
1940 else
1941 av |= FILE__WRITE;
1942 }
1943 if (!av) {
1944 /*
1945 * Special file opened with flags 3 for ioctl-only use.
1946 */
1947 av = FILE__IOCTL;
1948 }
1949
1950 return av;
1951}
1952
b0c636b9 1953/*
8b6a5a37 1954 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 1955 * open permission.
1956 */
8b6a5a37 1957static inline u32 open_file_to_av(struct file *file)
b0c636b9 1958{
8b6a5a37 1959 u32 av = file_to_av(file);
b0c636b9 1960
49b7b8de
EP		 1961 if (selinux_policycap_openperm)
1962 av |= FILE__OPEN;
1963
b0c636b9
EP		 1964 return av;
1965}
1966
1da177e4
LT		 1967/* Hook functions begin here. */
1968
79af7307
SS		 1969static int selinux_binder_set_context_mgr(struct task_struct *mgr)
1970{
1971 u32 mysid = current_sid();
1972 u32 mgrsid = task_sid(mgr);
1973
1974 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
1975 BINDER__SET_CONTEXT_MGR, NULL);
1976}
1977
1978static int selinux_binder_transaction(struct task_struct *from,
1979 struct task_struct *to)
1980{
1981 u32 mysid = current_sid();
1982 u32 fromsid = task_sid(from);
1983 u32 tosid = task_sid(to);
1984 int rc;
1985
1986 if (mysid != fromsid) {
1987 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
1988 BINDER__IMPERSONATE, NULL);
1989 if (rc)
1990 return rc;
1991 }
1992
1993 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
1994 NULL);
1995}
1996
1997static int selinux_binder_transfer_binder(struct task_struct *from,
1998 struct task_struct *to)
1999{
2000 u32 fromsid = task_sid(from);
2001 u32 tosid = task_sid(to);
2002
2003 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2004 NULL);
2005}
2006
2007static int selinux_binder_transfer_file(struct task_struct *from,
2008 struct task_struct *to,
2009 struct file *file)
2010{
2011 u32 sid = task_sid(to);
2012 struct file_security_struct *fsec = file->f_security;
c6f493d6 2013 struct inode *inode = d_backing_inode(file->f_path.dentry);
79af7307
SS		 2014 struct inode_security_struct *isec = inode->i_security;
2015 struct common_audit_data ad;
2016 int rc;
2017
2018 ad.type = LSM_AUDIT_DATA_PATH;
2019 ad.u.path = file->f_path;
2020
2021 if (sid != fsec->sid) {
2022 rc = avc_has_perm(sid, fsec->sid,
2023 SECCLASS_FD,
2024 FD__USE,
2025 &ad);
2026 if (rc)
2027 return rc;
2028 }
2029
2030 if (unlikely(IS_PRIVATE(inode)))
2031 return 0;
2032
2033 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2034 &ad);
2035}
2036
9e48858f 2037static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2038 unsigned int mode)
1da177e4 2039{
69f594a3 2040 if (mode & PTRACE_MODE_READ) {
275bb41e
DH		 2041 u32 sid = current_sid();
2042 u32 csid = task_sid(child);
2043 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 2044 }
2045
3b11a1de 2046 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 2047}
2048
2049static int selinux_ptrace_traceme(struct task_struct *parent)
2050{
5cd9c58f 2051 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 2052}
2053
2054static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2055 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2056{
b1d9e6b0 2057 return current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 2058}
2059
d84f4f99
DH		 2060static int selinux_capset(struct cred *new, const struct cred *old,
2061 const kernel_cap_t *effective,
2062 const kernel_cap_t *inheritable,
2063 const kernel_cap_t *permitted)
1da177e4 2064{
d84f4f99 2065 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 2066}
2067
5626d3e8
JM		 2068/*
2069 * (This comment used to live with the selinux_task_setuid hook,
2070 * which was removed).
2071 *
2072 * Since setuid only affects the current process, and since the SELinux
2073 * controls are not based on the Linux identity attributes, SELinux does not
2074 * need to control this operation. However, SELinux does control the use of
2075 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2076 */
2077
6a9de491
EP		 2078static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2079 int cap, int audit)
1da177e4 2080{
6a9de491 2081 return cred_has_capability(cred, cap, audit);
1da177e4
LT		 2082}
2083
1da177e4
LT		 2084static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2085{
88e67f3b 2086 const struct cred *cred = current_cred();
1da177e4
LT		 2087 int rc = 0;
2088
2089 if (!sb)
2090 return 0;
2091
2092 switch (cmds) {
828dfe1d
EP		 2093 case Q_SYNC:
2094 case Q_QUOTAON:
2095 case Q_QUOTAOFF:
2096 case Q_SETINFO:
2097 case Q_SETQUOTA:
88e67f3b 2098 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2099 break;
2100 case Q_GETFMT:
2101 case Q_GETINFO:
2102 case Q_GETQUOTA:
88e67f3b 2103 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2104 break;
2105 default:
2106 rc = 0; /* let the kernel handle invalid cmds */
2107 break;
1da177e4
LT		 2108 }
2109 return rc;
2110}
2111
2112static int selinux_quota_on(struct dentry *dentry)
2113{
88e67f3b
DH		 2114 const struct cred *cred = current_cred();
2115
2875fa00 2116 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2117}
2118
12b3052c 2119static int selinux_syslog(int type)
1da177e4
LT		 2120{
2121 int rc;
2122
1da177e4 2123 switch (type) {
d78ca3cd
KC		 2124 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2125 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
828dfe1d
EP		 2126 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2127 break;
d78ca3cd
KC		 2128 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2129 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2130 /* Set level of messages printed to console */
2131 case SYSLOG_ACTION_CONSOLE_LEVEL:
828dfe1d
EP		 2132 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2133 break;
d78ca3cd
KC		 2134 case SYSLOG_ACTION_CLOSE: /* Close log */
2135 case SYSLOG_ACTION_OPEN: /* Open log */
2136 case SYSLOG_ACTION_READ: /* Read from log */
2137 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2138 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
828dfe1d
EP		 2139 default:
2140 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2141 break;
1da177e4
LT		 2142 }
2143 return rc;
2144}
2145
2146/*
2147 * Check that a process has enough memory to allocate a new virtual
2148 * mapping. 0 means there is enough memory for the allocation to
2149 * succeed and -ENOMEM implies there is not.
2150 *
1da177e4
LT		 2151 * Do not audit the selinux permission check, as this is applied to all
2152 * processes that allocate mappings.
2153 */
34b4e4aa 2154static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2155{
2156 int rc, cap_sys_admin = 0;
1da177e4 2157
b1d9e6b0
CS		 2158 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2159 SECURITY_CAP_NOAUDIT);
1da177e4
LT		 2160 if (rc == 0)
2161 cap_sys_admin = 1;
2162
b1d9e6b0 2163 return cap_sys_admin;
1da177e4
LT		 2164}
2165
2166/* binprm security operations */
2167
7b0d0b40
SS		 2168static int check_nnp_nosuid(const struct linux_binprm *bprm,
2169 const struct task_security_struct *old_tsec,
2170 const struct task_security_struct *new_tsec)
2171{
2172 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2173 int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2174 int rc;
2175
2176 if (!nnp && !nosuid)
2177 return 0; /* neither NNP nor nosuid */
2178
2179 if (new_tsec->sid == old_tsec->sid)
2180 return 0; /* No change in credentials */
2181
2182 /*
2183 * The only transitions we permit under NNP or nosuid
2184 * are transitions to bounded SIDs, i.e. SIDs that are
2185 * guaranteed to only be allowed a subset of the permissions
2186 * of the current SID.
2187 */
2188 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2189 if (rc) {
2190 /*
2191 * On failure, preserve the errno values for NNP vs nosuid.
2192 * NNP: Operation not permitted for caller.
2193 * nosuid: Permission denied to file.
2194 */
2195 if (nnp)
2196 return -EPERM;
2197 else
2198 return -EACCES;
2199 }
2200 return 0;
2201}
2202
a6f76f23 2203static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2204{
a6f76f23
DH		 2205 const struct task_security_struct *old_tsec;
2206 struct task_security_struct *new_tsec;
1da177e4 2207 struct inode_security_struct *isec;
2bf49690 2208 struct common_audit_data ad;
496ad9aa 2209 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2210 int rc;
2211
a6f76f23
DH		 2212 /* SELinux context only depends on initial program or script and not
2213 * the script interpreter */
2214 if (bprm->cred_prepared)
1da177e4
LT		 2215 return 0;
2216
a6f76f23
DH		 2217 old_tsec = current_security();
2218 new_tsec = bprm->cred->security;
1da177e4
LT		 2219 isec = inode->i_security;
2220
2221 /* Default to the current task SID. */
a6f76f23
DH		 2222 new_tsec->sid = old_tsec->sid;
2223 new_tsec->osid = old_tsec->sid;
1da177e4 2224
28eba5bf 2225 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2226 new_tsec->create_sid = 0;
2227 new_tsec->keycreate_sid = 0;
2228 new_tsec->sockcreate_sid = 0;
1da177e4 2229
a6f76f23
DH		 2230 if (old_tsec->exec_sid) {
2231 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2232 /* Reset exec SID on execve. */
a6f76f23 2233 new_tsec->exec_sid = 0;
259e5e6c 2234
7b0d0b40
SS		 2235 /* Fail on NNP or nosuid if not an allowed transition. */
2236 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2237 if (rc)
2238 return rc;
1da177e4
LT		 2239 } else {
2240 /* Check for a default transition on this program. */
a6f76f23 2241 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2242 SECCLASS_PROCESS, NULL,
2243 &new_tsec->sid);
1da177e4
LT		 2244 if (rc)
2245 return rc;
7b0d0b40
SS		 2246
2247 /*
2248 * Fallback to old SID on NNP or nosuid if not an allowed
2249 * transition.
2250 */
2251 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2252 if (rc)
2253 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2254 }
2255
50c205f5 2256 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 2257 ad.u.path = bprm->file->f_path;
1da177e4 2258
a6f76f23
DH		 2259 if (new_tsec->sid == old_tsec->sid) {
2260 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2261 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2262 if (rc)
2263 return rc;
2264 } else {
2265 /* Check permissions for the transition. */
a6f76f23 2266 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2267 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2268 if (rc)
2269 return rc;
2270
a6f76f23 2271 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2272 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2273 if (rc)
2274 return rc;
2275
a6f76f23
DH		 2276 /* Check for shared state */
2277 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2278 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2279 SECCLASS_PROCESS, PROCESS__SHARE,
2280 NULL);
2281 if (rc)
2282 return -EPERM;
2283 }
2284
2285 /* Make sure that anyone attempting to ptrace over a task that
2286 * changes its SID has the appropriate permit */
2287 if (bprm->unsafe &
2288 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2289 struct task_struct *tracer;
2290 struct task_security_struct *sec;
2291 u32 ptsid = 0;
2292
2293 rcu_read_lock();
06d98473 2294 tracer = ptrace_parent(current);
a6f76f23
DH		 2295 if (likely(tracer != NULL)) {
2296 sec = __task_cred(tracer)->security;
2297 ptsid = sec->sid;
2298 }
2299 rcu_read_unlock();
2300
2301 if (ptsid != 0) {
2302 rc = avc_has_perm(ptsid, new_tsec->sid,
2303 SECCLASS_PROCESS,
2304 PROCESS__PTRACE, NULL);
2305 if (rc)
2306 return -EPERM;
2307 }
2308 }
1da177e4 2309
a6f76f23
DH		 2310 /* Clear any possibly unsafe personality bits on exec: */
2311 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2312 }
2313
1da177e4
LT		 2314 return 0;
2315}
2316
828dfe1d 2317static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2318{
5fb49870 2319 const struct task_security_struct *tsec = current_security();
275bb41e 2320 u32 sid, osid;
1da177e4
LT		 2321 int atsecure = 0;
2322
275bb41e
DH		 2323 sid = tsec->sid;
2324 osid = tsec->osid;
2325
2326 if (osid != sid) {
1da177e4
LT		 2327 /* Enable secure mode for SIDs transitions unless
2328 the noatsecure permission is granted between
2329 the two SIDs, i.e. ahp returns 0. */
275bb41e 2330 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2331 SECCLASS_PROCESS,
2332 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2333 }
2334
b1d9e6b0 2335 return !!atsecure;
1da177e4
LT		 2336}
2337
c3c073f8
AV		 2338static int match_file(const void *p, struct file *file, unsigned fd)
2339{
2340 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2341}
2342
1da177e4 2343/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2344static inline void flush_unauthorized_files(const struct cred *cred,
2345 struct files_struct *files)
1da177e4 2346{
1da177e4 2347 struct file *file, *devnull = NULL;
b20c8122 2348 struct tty_struct *tty;
24ec839c 2349 int drop_tty = 0;
c3c073f8 2350 unsigned n;
1da177e4 2351
24ec839c 2352 tty = get_current_tty();
1da177e4 2353 if (tty) {
ee2ffa0d 2354 spin_lock(&tty_files_lock);
37dd0bd0 2355 if (!list_empty(&tty->tty_files)) {
d996b62a 2356 struct tty_file_private *file_priv;
37dd0bd0 2357
1da177e4 2358 /* Revalidate access to controlling tty.
13f8e981
DH		 2359 Use file_path_has_perm on the tty path directly
2360 rather than using file_has_perm, as this particular
2361 open file may belong to another process and we are
2362 only interested in the inode-based check here. */
d996b62a
NP		 2363 file_priv = list_first_entry(&tty->tty_files,
2364 struct tty_file_private, list);
2365 file = file_priv->file;
13f8e981 2366 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2367 drop_tty = 1;
1da177e4 2368 }
ee2ffa0d 2369 spin_unlock(&tty_files_lock);
452a00d2 2370 tty_kref_put(tty);
1da177e4 2371 }
98a27ba4
EB		 2372 /* Reset controlling tty. */
2373 if (drop_tty)
2374 no_tty();
1da177e4
LT		 2375
2376 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2377 n = iterate_fd(files, 0, match_file, cred);
2378 if (!n) /* none found? */
2379 return;
1da177e4 2380
c3c073f8 2381 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2382 if (IS_ERR(devnull))
2383 devnull = NULL;
2384 /* replace all the matching ones with this */
2385 do {
2386 replace_fd(n - 1, devnull, 0);
2387 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2388 if (devnull)
c3c073f8 2389 fput(devnull);
1da177e4
LT		 2390}
2391
a6f76f23
DH		 2392/*
2393 * Prepare a process for imminent new credential changes due to exec
2394 */
2395static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2396{
a6f76f23
DH		 2397 struct task_security_struct *new_tsec;
2398 struct rlimit *rlim, *initrlim;
2399 int rc, i;
d84f4f99 2400
a6f76f23
DH		 2401 new_tsec = bprm->cred->security;
2402 if (new_tsec->sid == new_tsec->osid)
2403 return;
1da177e4 2404
a6f76f23
DH		 2405 /* Close files for which the new task SID is not authorized. */
2406 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2407
a6f76f23
DH		 2408 /* Always clear parent death signal on SID transitions. */
2409 current->pdeath_signal = 0;
0356357c 2410
a6f76f23
DH		 2411 /* Check whether the new SID can inherit resource limits from the old
2412 * SID. If not, reset all soft limits to the lower of the current
2413 * task's hard limit and the init task's soft limit.
2414 *
2415 * Note that the setting of hard limits (even to lower them) can be
2416 * controlled by the setrlimit check. The inclusion of the init task's
2417 * soft limit into the computation is to avoid resetting soft limits
2418 * higher than the default soft limit for cases where the default is
2419 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2420 */
2421 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2422 PROCESS__RLIMITINH, NULL);
2423 if (rc) {
eb2d55a3
ON		 2424 /* protect against do_prlimit() */
2425 task_lock(current);
a6f76f23
DH		 2426 for (i = 0; i < RLIM_NLIMITS; i++) {
2427 rlim = current->signal->rlim + i;
2428 initrlim = init_task.signal->rlim + i;
2429 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2430 }
eb2d55a3
ON		 2431 task_unlock(current);
2432 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2433 }
2434}
2435
2436/*
a6f76f23
DH		 2437 * Clean up the process immediately after the installation of new credentials
2438 * due to exec
1da177e4 2439 */
a6f76f23 2440static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2441{
a6f76f23 2442 const struct task_security_struct *tsec = current_security();
1da177e4 2443 struct itimerval itimer;
a6f76f23 2444 u32 osid, sid;
1da177e4
LT		 2445 int rc, i;
2446
a6f76f23
DH		 2447 osid = tsec->osid;
2448 sid = tsec->sid;
2449
2450 if (sid == osid)
1da177e4
LT		 2451 return;
2452
a6f76f23
DH		 2453 /* Check whether the new SID can inherit signal state from the old SID.
2454 * If not, clear itimers to avoid subsequent signal generation and
2455 * flush and unblock signals.
2456 *
2457 * This must occur _after_ the task SID has been updated so that any
2458 * kill done after the flush will be checked against the new SID.
2459 */
2460 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4
LT		 2461 if (rc) {
2462 memset(&itimer, 0, sizeof itimer);
2463 for (i = 0; i < 3; i++)
2464 do_setitimer(i, &itimer, NULL);
1da177e4 2465 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2466 if (!fatal_signal_pending(current)) {
2467 flush_sigqueue(&current->pending);
2468 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2469 flush_signal_handlers(current, 1);
2470 sigemptyset(&current->blocked);
9e7c8f8c 2471 recalc_sigpending();
3bcac026 2472 }
1da177e4
LT		 2473 spin_unlock_irq(&current->sighand->siglock);
2474 }
2475
a6f76f23
DH		 2476 /* Wake up the parent if it is waiting so that it can recheck
2477 * wait permission to the new task SID. */
ecd6de3c 2478 read_lock(&tasklist_lock);
0b7570e7 2479 __wake_up_parent(current, current->real_parent);
ecd6de3c 2480 read_unlock(&tasklist_lock);
1da177e4
LT		 2481}
2482
2483/* superblock security operations */
2484
2485static int selinux_sb_alloc_security(struct super_block *sb)
2486{
2487 return superblock_alloc_security(sb);
2488}
2489
2490static void selinux_sb_free_security(struct super_block *sb)
2491{
2492 superblock_free_security(sb);
2493}
2494
2495static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2496{
2497 if (plen > olen)
2498 return 0;
2499
2500 return !memcmp(prefix, option, plen);
2501}
2502
2503static inline int selinux_option(char *option, int len)
2504{
832cbd9a
EP		 2505 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2506 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2507 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2508 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2509 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2510}
2511
2512static inline void take_option(char **to, char *from, int *first, int len)
2513{
2514 if (!*first) {
2515 **to = ',';
2516 *to += 1;
3528a953 2517 } else
1da177e4
LT		 2518 *first = 0;
2519 memcpy(*to, from, len);
2520 *to += len;
2521}
2522
828dfe1d
EP		 2523static inline void take_selinux_option(char **to, char *from, int *first,
2524 int len)
3528a953
CO		 2525{
2526 int current_size = 0;
2527
2528 if (!*first) {
2529 **to = '|';
2530 *to += 1;
828dfe1d 2531 } else
3528a953
CO		 2532 *first = 0;
2533
2534 while (current_size < len) {
2535 if (*from != '"') {
2536 **to = *from;
2537 *to += 1;
2538 }
2539 from += 1;
2540 current_size += 1;
2541 }
2542}
2543
e0007529 2544static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2545{
2546 int fnosec, fsec, rc = 0;
2547 char *in_save, *in_curr, *in_end;
2548 char *sec_curr, *nosec_save, *nosec;
3528a953 2549 int open_quote = 0;
1da177e4
LT		 2550
2551 in_curr = orig;
2552 sec_curr = copy;
2553
1da177e4
LT		 2554 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2555 if (!nosec) {
2556 rc = -ENOMEM;
2557 goto out;
2558 }
2559
2560 nosec_save = nosec;
2561 fnosec = fsec = 1;
2562 in_save = in_end = orig;
2563
2564 do {
3528a953
CO		 2565 if (*in_end == '"')
2566 open_quote = !open_quote;
2567 if ((*in_end == ',' && open_quote == 0) ||
2568 *in_end == '\0') {
1da177e4
LT		 2569 int len = in_end - in_curr;
2570
2571 if (selinux_option(in_curr, len))
3528a953 2572 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2573 else
2574 take_option(&nosec, in_curr, &fnosec, len);
2575
2576 in_curr = in_end + 1;
2577 }
2578 } while (*in_end++);
2579
6931dfc9 2580 strcpy(in_save, nosec_save);
da3caa20 2581 free_page((unsigned long)nosec_save);
1da177e4
LT		 2582out:
2583 return rc;
2584}
2585
026eb167
EP		 2586static int selinux_sb_remount(struct super_block *sb, void *data)
2587{
2588 int rc, i, *flags;
2589 struct security_mnt_opts opts;
2590 char *secdata, **mount_options;
2591 struct superblock_security_struct *sbsec = sb->s_security;
2592
2593 if (!(sbsec->flags & SE_SBINITIALIZED))
2594 return 0;
2595
2596 if (!data)
2597 return 0;
2598
2599 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2600 return 0;
2601
2602 security_init_mnt_opts(&opts);
2603 secdata = alloc_secdata();
2604 if (!secdata)
2605 return -ENOMEM;
2606 rc = selinux_sb_copy_data(data, secdata);
2607 if (rc)
2608 goto out_free_secdata;
2609
2610 rc = selinux_parse_opts_str(secdata, &opts);
2611 if (rc)
2612 goto out_free_secdata;
2613
2614 mount_options = opts.mnt_opts;
2615 flags = opts.mnt_opts_flags;
2616
2617 for (i = 0; i < opts.num_mnt_opts; i++) {
2618 u32 sid;
026eb167 2619
12f348b9 2620 if (flags[i] == SBLABEL_MNT)
026eb167 2621 continue;
44be2f65 2622 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
026eb167 2623 if (rc) {
44be2f65 2624 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 2625 "(%s) failed for (dev %s, type %s) errno=%d\n",
2626 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2627 goto out_free_opts;
2628 }
2629 rc = -EINVAL;
2630 switch (flags[i]) {
2631 case FSCONTEXT_MNT:
2632 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2633 goto out_bad_option;
2634 break;
2635 case CONTEXT_MNT:
2636 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2637 goto out_bad_option;
2638 break;
2639 case ROOTCONTEXT_MNT: {
2640 struct inode_security_struct *root_isec;
c6f493d6 2641 root_isec = d_backing_inode(sb->s_root)->i_security;
026eb167
EP		 2642
2643 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2644 goto out_bad_option;
2645 break;
2646 }
2647 case DEFCONTEXT_MNT:
2648 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2649 goto out_bad_option;
2650 break;
2651 default:
2652 goto out_free_opts;
2653 }
2654 }
2655
2656 rc = 0;
2657out_free_opts:
2658 security_free_mnt_opts(&opts);
2659out_free_secdata:
2660 free_secdata(secdata);
2661 return rc;
2662out_bad_option:
2663 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2664 "during remount (dev %s, type=%s)\n", sb->s_id,
2665 sb->s_type->name);
026eb167
EP		 2666 goto out_free_opts;
2667}
2668
12204e24 2669static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2670{
88e67f3b 2671 const struct cred *cred = current_cred();
2bf49690 2672 struct common_audit_data ad;
1da177e4
LT		 2673 int rc;
2674
2675 rc = superblock_doinit(sb, data);
2676 if (rc)
2677 return rc;
2678
74192246
JM		 2679 /* Allow all mounts performed by the kernel */
2680 if (flags & MS_KERNMOUNT)
2681 return 0;
2682
50c205f5 2683 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2684 ad.u.dentry = sb->s_root;
88e67f3b 2685 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2686}
2687
726c3342 2688static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2689{
88e67f3b 2690 const struct cred *cred = current_cred();
2bf49690 2691 struct common_audit_data ad;
1da177e4 2692
50c205f5 2693 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2694 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2695 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2696}
2697
808d4e3c 2698static int selinux_mount(const char *dev_name,
b5266eb4 2699 struct path *path,
808d4e3c 2700 const char *type,
828dfe1d
EP		 2701 unsigned long flags,
2702 void *data)
1da177e4 2703{
88e67f3b 2704 const struct cred *cred = current_cred();
1da177e4
LT		 2705
2706 if (flags & MS_REMOUNT)
d8c9584e 2707 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2708 FILESYSTEM__REMOUNT, NULL);
1da177e4 2709 else
2875fa00 2710 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2711}
2712
2713static int selinux_umount(struct vfsmount *mnt, int flags)
2714{
88e67f3b 2715 const struct cred *cred = current_cred();
1da177e4 2716
88e67f3b 2717 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2718 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2719}
2720
2721/* inode security operations */
2722
2723static int selinux_inode_alloc_security(struct inode *inode)
2724{
2725 return inode_alloc_security(inode);
2726}
2727
2728static void selinux_inode_free_security(struct inode *inode)
2729{
2730 inode_free_security(inode);
2731}
2732
d47be3df
DQ		 2733static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2734 struct qstr *name, void **ctx,
2735 u32 *ctxlen)
2736{
d47be3df
DQ		 2737 u32 newsid;
2738 int rc;
2739
c3c188b2
DH		 2740 rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name,
2741 inode_mode_to_security_class(mode),
2742 &newsid);
2743 if (rc)
2744 return rc;
d47be3df
DQ		 2745
2746 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2747}
2748
5e41ff9e 2749static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2750 const struct qstr *qstr,
2751 const char **name,
2a7dba39 2752 void **value, size_t *len)
5e41ff9e 2753{
5fb49870 2754 const struct task_security_struct *tsec = current_security();
5e41ff9e
SS		 2755 struct inode_security_struct *dsec;
2756 struct superblock_security_struct *sbsec;
275bb41e 2757 u32 sid, newsid, clen;
5e41ff9e 2758 int rc;
9548906b 2759 char *context;
5e41ff9e 2760
5e41ff9e
SS		 2761 dsec = dir->i_security;
2762 sbsec = dir->i_sb->s_security;
5e41ff9e 2763
275bb41e
DH		 2764 sid = tsec->sid;
2765 newsid = tsec->create_sid;
2766
c3c188b2
DH		 2767 rc = selinux_determine_inode_label(
2768 dir, qstr,
2769 inode_mode_to_security_class(inode->i_mode),
2770 &newsid);
2771 if (rc)
2772 return rc;
5e41ff9e 2773
296fddf7 2774 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2775 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2776 struct inode_security_struct *isec = inode->i_security;
2777 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2778 isec->sid = newsid;
2779 isec->initialized = 1;
2780 }
5e41ff9e 2781
12f348b9 2782 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2783 return -EOPNOTSUPP;
2784
9548906b
TH		 2785 if (name)
2786 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2787
570bc1c2 2788 if (value && len) {
12b29f34 2789 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 2790 if (rc)
570bc1c2 2791 return rc;
570bc1c2
SS		 2792 *value = context;
2793 *len = clen;
5e41ff9e 2794 }
5e41ff9e 2795
5e41ff9e
SS		 2796 return 0;
2797}
2798
4acdaf27 2799static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2800{
2801 return may_create(dir, dentry, SECCLASS_FILE);
2802}
2803
1da177e4
LT		 2804static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2805{
1da177e4
LT		 2806 return may_link(dir, old_dentry, MAY_LINK);
2807}
2808
1da177e4
LT		 2809static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2810{
1da177e4
LT		 2811 return may_link(dir, dentry, MAY_UNLINK);
2812}
2813
2814static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2815{
2816 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2817}
2818
18bb1db3 2819static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2820{
2821 return may_create(dir, dentry, SECCLASS_DIR);
2822}
2823
1da177e4
LT		 2824static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2825{
2826 return may_link(dir, dentry, MAY_RMDIR);
2827}
2828
1a67aafb 2829static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2830{
1da177e4
LT		 2831 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2832}
2833
1da177e4 2834static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2835 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2836{
2837 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2838}
2839
1da177e4
LT		 2840static int selinux_inode_readlink(struct dentry *dentry)
2841{
88e67f3b
DH		 2842 const struct cred *cred = current_cred();
2843
2875fa00 2844 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2845}
2846
bda0be7a
N		 2847static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2848 bool rcu)
1da177e4 2849{
88e67f3b 2850 const struct cred *cred = current_cred();
bda0be7a
N		 2851 struct common_audit_data ad;
2852 struct inode_security_struct *isec;
2853 u32 sid;
1da177e4 2854
bda0be7a
N		 2855 validate_creds(cred);
2856
2857 ad.type = LSM_AUDIT_DATA_DENTRY;
2858 ad.u.dentry = dentry;
2859 sid = cred_sid(cred);
2860 isec = inode->i_security;
2861
2862 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2863 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 2864}
2865
d4cf970d
EP		 2866static noinline int audit_inode_permission(struct inode *inode,
2867 u32 perms, u32 audited, u32 denied,
626b9740 2868 int result,
d4cf970d 2869 unsigned flags)
1da177e4 2870{
b782e0a6 2871 struct common_audit_data ad;
d4cf970d
EP		 2872 struct inode_security_struct *isec = inode->i_security;
2873 int rc;
2874
50c205f5 2875 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 2876 ad.u.inode = inode;
2877
2878 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
626b9740 2879 audited, denied, result, &ad, flags);
d4cf970d
EP		 2880 if (rc)
2881 return rc;
2882 return 0;
2883}
2884
e74f71eb 2885static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2886{
88e67f3b 2887 const struct cred *cred = current_cred();
b782e0a6
EP		 2888 u32 perms;
2889 bool from_access;
cf1dd1da 2890 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 2891 struct inode_security_struct *isec;
2892 u32 sid;
2893 struct av_decision avd;
2894 int rc, rc2;
2895 u32 audited, denied;
1da177e4 2896
b782e0a6 2897 from_access = mask & MAY_ACCESS;
d09ca739
EP		 2898 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2899
b782e0a6
EP		 2900 /* No permission to check. Existence test. */
2901 if (!mask)
1da177e4 2902 return 0;
1da177e4 2903
2e334057 2904 validate_creds(cred);
b782e0a6 2905
2e334057
EP		 2906 if (unlikely(IS_PRIVATE(inode)))
2907 return 0;
b782e0a6
EP		 2908
2909 perms = file_mask_to_av(inode->i_mode, mask);
2910
2e334057
EP		 2911 sid = cred_sid(cred);
2912 isec = inode->i_security;
2913
2914 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2915 audited = avc_audit_required(perms, &avd, rc,
2916 from_access ? FILE__AUDIT_ACCESS : 0,
2917 &denied);
2918 if (likely(!audited))
2919 return rc;
2920
626b9740 2921 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 2922 if (rc2)
2923 return rc2;
2924 return rc;
1da177e4
LT		 2925}
2926
2927static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2928{
88e67f3b 2929 const struct cred *cred = current_cred();
bc6a6008 2930 unsigned int ia_valid = iattr->ia_valid;
95dbf739 2931 __u32 av = FILE__WRITE;
1da177e4 2932
bc6a6008
AW		 2933 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2934 if (ia_valid & ATTR_FORCE) {
2935 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2936 ATTR_FORCE);
2937 if (!ia_valid)
2938 return 0;
2939 }
1da177e4 2940
bc6a6008
AW		 2941 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2942 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 2943 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 2944
44d37ad3
JVS		 2945 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
2946 && !(ia_valid & ATTR_FILE))
95dbf739
EP		 2947 av |= FILE__OPEN;
2948
2949 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 2950}
2951
3f7036a0 2952static int selinux_inode_getattr(const struct path *path)
1da177e4 2953{
3f7036a0 2954 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 2955}
2956
8f0cfa52 2957static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 2958{
88e67f3b
DH		 2959 const struct cred *cred = current_cred();
2960
b5376771
SH		 2961 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2962 sizeof XATTR_SECURITY_PREFIX - 1)) {
2963 if (!strcmp(name, XATTR_NAME_CAPS)) {
2964 if (!capable(CAP_SETFCAP))
2965 return -EPERM;
2966 } else if (!capable(CAP_SYS_ADMIN)) {
2967 /* A different attribute in the security namespace.
2968 Restrict to administrator. */
2969 return -EPERM;
2970 }
2971 }
2972
2973 /* Not an attribute we recognize, so just check the
2974 ordinary setattr permission. */
2875fa00 2975 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 2976}
2977
8f0cfa52
DH		 2978static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2979 const void *value, size_t size, int flags)
1da177e4 2980{
c6f493d6 2981 struct inode *inode = d_backing_inode(dentry);
1da177e4
LT		 2982 struct inode_security_struct *isec = inode->i_security;
2983 struct superblock_security_struct *sbsec;
2bf49690 2984 struct common_audit_data ad;
275bb41e 2985 u32 newsid, sid = current_sid();
1da177e4
LT		 2986 int rc = 0;
2987
b5376771
SH		 2988 if (strcmp(name, XATTR_NAME_SELINUX))
2989 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2990
2991 sbsec = inode->i_sb->s_security;
12f348b9 2992 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 2993 return -EOPNOTSUPP;
2994
2e149670 2995 if (!inode_owner_or_capable(inode))
1da177e4
LT		 2996 return -EPERM;
2997
50c205f5 2998 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2999 ad.u.dentry = dentry;
1da177e4 3000
275bb41e 3001 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 3002 FILE__RELABELFROM, &ad);
3003 if (rc)
3004 return rc;
3005
52a4c640 3006 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
12b29f34 3007 if (rc == -EINVAL) {
d6ea83ec
EP		 3008 if (!capable(CAP_MAC_ADMIN)) {
3009 struct audit_buffer *ab;
3010 size_t audit_size;
3011 const char *str;
3012
3013 /* We strip a nul only if it is at the end, otherwise the
3014 * context contains a nul and we should audit that */
e3fea3f7
AV		 3015 if (value) {
3016 str = value;
3017 if (str[size - 1] == '\0')
3018 audit_size = size - 1;
3019 else
3020 audit_size = size;
3021 } else {
3022 str = "";
3023 audit_size = 0;
3024 }
d6ea83ec
EP		 3025 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3026 audit_log_format(ab, "op=setxattr invalid_context=");
3027 audit_log_n_untrustedstring(ab, value, audit_size);
3028 audit_log_end(ab);
3029
12b29f34 3030 return rc;
d6ea83ec 3031 }
12b29f34
SS		 3032 rc = security_context_to_sid_force(value, size, &newsid);
3033 }
1da177e4
LT		 3034 if (rc)
3035 return rc;
3036
275bb41e 3037 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3038 FILE__RELABELTO, &ad);
3039 if (rc)
3040 return rc;
3041
275bb41e 3042 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 3043 isec->sclass);
1da177e4
LT		 3044 if (rc)
3045 return rc;
3046
3047 return avc_has_perm(newsid,
3048 sbsec->sid,
3049 SECCLASS_FILESYSTEM,
3050 FILESYSTEM__ASSOCIATE,
3051 &ad);
3052}
3053
8f0cfa52 3054static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3055 const void *value, size_t size,
8f0cfa52 3056 int flags)
1da177e4 3057{
c6f493d6 3058 struct inode *inode = d_backing_inode(dentry);
1da177e4
LT		 3059 struct inode_security_struct *isec = inode->i_security;
3060 u32 newsid;
3061 int rc;
3062
3063 if (strcmp(name, XATTR_NAME_SELINUX)) {
3064 /* Not an attribute we recognize, so nothing to do. */
3065 return;
3066 }
3067
12b29f34 3068 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 3069 if (rc) {
12b29f34
SS		 3070 printk(KERN_ERR "SELinux: unable to map context to SID"
3071 "for (%s, %lu), rc=%d\n",
3072 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3073 return;
3074 }
3075
aa9c2669 3076 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3077 isec->sid = newsid;
aa9c2669
DQ		 3078 isec->initialized = 1;
3079
1da177e4
LT		 3080 return;
3081}
3082
8f0cfa52 3083static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3084{
88e67f3b
DH		 3085 const struct cred *cred = current_cred();
3086
2875fa00 3087 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3088}
3089
828dfe1d 3090static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3091{
88e67f3b
DH		 3092 const struct cred *cred = current_cred();
3093
2875fa00 3094 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3095}
3096
8f0cfa52 3097static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3098{
b5376771
SH		 3099 if (strcmp(name, XATTR_NAME_SELINUX))
3100 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3101
3102 /* No one is allowed to remove a SELinux security label.
3103 You can change the label, but all data must be labeled. */
3104 return -EACCES;
3105}
3106
d381d8a9 3107/*
abc69bb6 3108 * Copy the inode security context value to the user.
d381d8a9
JM		 3109 *
3110 * Permission check is handled by selinux_inode_getxattr hook.
3111 */
42492594 3112static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3113{
42492594
DQ		 3114 u32 size;
3115 int error;
3116 char *context = NULL;
1da177e4 3117 struct inode_security_struct *isec = inode->i_security;
d381d8a9 3118
8c8570fb
DK		 3119 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3120 return -EOPNOTSUPP;
d381d8a9 3121
abc69bb6
SS		 3122 /*
3123 * If the caller has CAP_MAC_ADMIN, then get the raw context
3124 * value even if it is not defined by current policy; otherwise,
3125 * use the in-core value under current policy.
3126 * Use the non-auditing forms of the permission checks since
3127 * getxattr may be called by unprivileged processes commonly
3128 * and lack of permission just means that we fall back to the
3129 * in-core context value, not a denial.
3130 */
b1d9e6b0
CS		 3131 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3132 SECURITY_CAP_NOAUDIT);
3133 if (!error)
3134 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3135 SECURITY_CAP_NOAUDIT);
abc69bb6
SS		 3136 if (!error)
3137 error = security_sid_to_context_force(isec->sid, &context,
3138 &size);
3139 else
3140 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3141 if (error)
3142 return error;
3143 error = size;
3144 if (alloc) {
3145 *buffer = context;
3146 goto out_nofree;
3147 }
3148 kfree(context);
3149out_nofree:
3150 return error;
1da177e4
LT		 3151}
3152
3153static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3154 const void *value, size_t size, int flags)
1da177e4
LT		 3155{
3156 struct inode_security_struct *isec = inode->i_security;
3157 u32 newsid;
3158 int rc;
3159
3160 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3161 return -EOPNOTSUPP;
3162
3163 if (!value || !size)
3164 return -EACCES;
3165
20ba96ae 3166 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
1da177e4
LT		 3167 if (rc)
3168 return rc;
3169
aa9c2669 3170 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3171 isec->sid = newsid;
ddd29ec6 3172 isec->initialized = 1;
1da177e4
LT		 3173 return 0;
3174}
3175
3176static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3177{
3178 const int len = sizeof(XATTR_NAME_SELINUX);
3179 if (buffer && len <= buffer_size)
3180 memcpy(buffer, XATTR_NAME_SELINUX, len);
3181 return len;
3182}
3183
713a04ae
AD		 3184static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3185{
3186 struct inode_security_struct *isec = inode->i_security;
3187 *secid = isec->sid;
3188}
3189
1da177e4
LT		 3190/* file security operations */
3191
788e7dd4 3192static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3193{
88e67f3b 3194 const struct cred *cred = current_cred();
496ad9aa 3195 struct inode *inode = file_inode(file);
1da177e4 3196
1da177e4
LT		 3197 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3198 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3199 mask |= MAY_APPEND;
3200
389fb800
PM		 3201 return file_has_perm(cred, file,
3202 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3203}
3204
788e7dd4
YN		 3205static int selinux_file_permission(struct file *file, int mask)
3206{
496ad9aa 3207 struct inode *inode = file_inode(file);
20dda18b
SS		 3208 struct file_security_struct *fsec = file->f_security;
3209 struct inode_security_struct *isec = inode->i_security;
3210 u32 sid = current_sid();
3211
389fb800 3212 if (!mask)
788e7dd4
YN		 3213 /* No permission to check. Existence test. */
3214 return 0;
788e7dd4 3215
20dda18b
SS		 3216 if (sid == fsec->sid && fsec->isid == isec->sid &&
3217 fsec->pseqno == avc_policy_seqno())
83d49856 3218 /* No change since file_open check. */
20dda18b
SS		 3219 return 0;
3220
788e7dd4
YN		 3221 return selinux_revalidate_file_permission(file, mask);
3222}
3223
1da177e4
LT		 3224static int selinux_file_alloc_security(struct file *file)
3225{
3226 return file_alloc_security(file);
3227}
3228
3229static void selinux_file_free_security(struct file *file)
3230{
3231 file_free_security(file);
3232}
3233
fa1aa143
JVS		 3234/*
3235 * Check whether a task has the ioctl permission and cmd
3236 * operation to an inode.
3237 */
3238int ioctl_has_perm(const struct cred *cred, struct file *file,
3239 u32 requested, u16 cmd)
3240{
3241 struct common_audit_data ad;
3242 struct file_security_struct *fsec = file->f_security;
3243 struct inode *inode = file_inode(file);
3244 struct inode_security_struct *isec = inode->i_security;
3245 struct lsm_ioctlop_audit ioctl;
3246 u32 ssid = cred_sid(cred);
3247 int rc;
3248 u8 driver = cmd >> 8;
3249 u8 xperm = cmd & 0xff;
3250
3251 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3252 ad.u.op = &ioctl;
3253 ad.u.op->cmd = cmd;
3254 ad.u.op->path = file->f_path;
3255
3256 if (ssid != fsec->sid) {
3257 rc = avc_has_perm(ssid, fsec->sid,
3258 SECCLASS_FD,
3259 FD__USE,
3260 &ad);
3261 if (rc)
3262 goto out;
3263 }
3264
3265 if (unlikely(IS_PRIVATE(inode)))
3266 return 0;
3267
3268 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3269 requested, driver, xperm, &ad);
3270out:
3271 return rc;
3272}
3273
1da177e4
LT		 3274static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3275 unsigned long arg)
3276{
88e67f3b 3277 const struct cred *cred = current_cred();
0b24dcb7 3278 int error = 0;
1da177e4 3279
0b24dcb7
EP		 3280 switch (cmd) {
3281 case FIONREAD:
3282 /* fall through */
3283 case FIBMAP:
3284 /* fall through */
3285 case FIGETBSZ:
3286 /* fall through */
2f99c369 3287 case FS_IOC_GETFLAGS:
0b24dcb7 3288 /* fall through */
2f99c369 3289 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3290 error = file_has_perm(cred, file, FILE__GETATTR);
3291 break;
1da177e4 3292
2f99c369 3293 case FS_IOC_SETFLAGS:
0b24dcb7 3294 /* fall through */
2f99c369 3295 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3296 error = file_has_perm(cred, file, FILE__SETATTR);
3297 break;
3298
3299 /* sys_ioctl() checks */
3300 case FIONBIO:
3301 /* fall through */
3302 case FIOASYNC:
3303 error = file_has_perm(cred, file, 0);
3304 break;
1da177e4 3305
0b24dcb7
EP		 3306 case KDSKBENT:
3307 case KDSKBSENT:
6a9de491
EP		 3308 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3309 SECURITY_CAP_AUDIT);
0b24dcb7
EP		 3310 break;
3311
3312 /* default case assumes that the command will go
3313 * to the file's ioctl() function.
3314 */
3315 default:
fa1aa143 3316 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3317 }
3318 return error;
1da177e4
LT		 3319}
3320
fcaaade1
SS		 3321static int default_noexec;
3322
1da177e4
LT		 3323static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3324{
88e67f3b 3325 const struct cred *cred = current_cred();
d84f4f99 3326 int rc = 0;
88e67f3b 3327
fcaaade1 3328 if (default_noexec &&
892e8cac
SS		 3329 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3330 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3331 /*
3332 * We are making executable an anonymous mapping or a
3333 * private file mapping that will also be writable.
3334 * This has an additional check.
3335 */
d84f4f99 3336 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 3337 if (rc)
d84f4f99 3338 goto error;
1da177e4 3339 }
1da177e4
LT		 3340
3341 if (file) {
3342 /* read access is always possible with a mapping */
3343 u32 av = FILE__READ;
3344
3345 /* write access only matters if the mapping is shared */
3346 if (shared && (prot & PROT_WRITE))
3347 av |= FILE__WRITE;
3348
3349 if (prot & PROT_EXEC)
3350 av |= FILE__EXECUTE;
3351
88e67f3b 3352 return file_has_perm(cred, file, av);
1da177e4 3353 }
d84f4f99
DH		 3354
3355error:
3356 return rc;
1da177e4
LT		 3357}
3358
e5467859 3359static int selinux_mmap_addr(unsigned long addr)
1da177e4 3360{
b1d9e6b0 3361 int rc = 0;
1da177e4 3362
a2551df7 3363 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3364 u32 sid = current_sid();
ed032189
EP		 3365 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3366 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3367 }
3368
98883bfd 3369 return rc;
e5467859 3370}
1da177e4 3371
e5467859
AV		 3372static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3373 unsigned long prot, unsigned long flags)
3374{
1da177e4
LT		 3375 if (selinux_checkreqprot)
3376 prot = reqprot;
3377
3378 return file_map_prot_check(file, prot,
3379 (flags & MAP_TYPE) == MAP_SHARED);
3380}
3381
3382static int selinux_file_mprotect(struct vm_area_struct *vma,
3383 unsigned long reqprot,
3384 unsigned long prot)
3385{
88e67f3b 3386 const struct cred *cred = current_cred();
1da177e4
LT		 3387
3388 if (selinux_checkreqprot)
3389 prot = reqprot;
3390
fcaaade1
SS		 3391 if (default_noexec &&
3392 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3393 int rc = 0;
db4c9641
SS		 3394 if (vma->vm_start >= vma->vm_mm->start_brk &&
3395 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3396 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641
SS		 3397 } else if (!vma->vm_file &&
3398 vma->vm_start <= vma->vm_mm->start_stack &&
3399 vma->vm_end >= vma->vm_mm->start_stack) {
3b11a1de 3400 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3401 } else if (vma->vm_file && vma->anon_vma) {
3402 /*
3403 * We are making executable a file mapping that has
3404 * had some COW done. Since pages might have been
3405 * written, check ability to execute the possibly
3406 * modified content. This typically should only
3407 * occur for text relocations.
3408 */
d84f4f99 3409 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3410 }