]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/blame - security/selinux/hooks.c
projects / mirror_ubuntu-jammy-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
d_path: kerneldoc cleanup
[mirror_ubuntu-jammy-kernel.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
effad8df
PM		 15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com>
788e7dd4
YN		 17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 19 *
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
23 */
24
1da177e4
LT		 25#include <linux/init.h>
26#include <linux/kernel.h>
27#include <linux/ptrace.h>
28#include <linux/errno.h>
29#include <linux/sched.h>
30#include <linux/security.h>
31#include <linux/xattr.h>
32#include <linux/capability.h>
33#include <linux/unistd.h>
34#include <linux/mm.h>
35#include <linux/mman.h>
36#include <linux/slab.h>
37#include <linux/pagemap.h>
38#include <linux/swap.h>
1da177e4
LT		 39#include <linux/spinlock.h>
40#include <linux/syscalls.h>
41#include <linux/file.h>
42#include <linux/namei.h>
43#include <linux/mount.h>
44#include <linux/ext2_fs.h>
45#include <linux/proc_fs.h>
46#include <linux/kd.h>
47#include <linux/netfilter_ipv4.h>
48#include <linux/netfilter_ipv6.h>
49#include <linux/tty.h>
50#include <net/icmp.h>
227b60f5 51#include <net/ip.h> /* for local_port_range[] */
1da177e4 52#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
220deb96 53#include <net/net_namespace.h>
d621d35e 54#include <net/netlabel.h>
1da177e4 55#include <asm/uaccess.h>
1da177e4 56#include <asm/ioctls.h>
d621d35e 57#include <asm/atomic.h>
1da177e4
LT		 58#include <linux/bitops.h>
59#include <linux/interrupt.h>
60#include <linux/netdevice.h> /* for network interface checks */
61#include <linux/netlink.h>
62#include <linux/tcp.h>
63#include <linux/udp.h>
2ee92d46 64#include <linux/dccp.h>
1da177e4
LT		 65#include <linux/quota.h>
66#include <linux/un.h> /* for Unix socket types */
67#include <net/af_unix.h> /* for Unix socket types */
68#include <linux/parser.h>
69#include <linux/nfs_mount.h>
70#include <net/ipv6.h>
71#include <linux/hugetlb.h>
72#include <linux/personality.h>
73#include <linux/sysctl.h>
74#include <linux/audit.h>
6931dfc9 75#include <linux/string.h>
877ce7c1 76#include <linux/selinux.h>
23970741 77#include <linux/mutex.h>
1da177e4
LT		 78
79#include "avc.h"
80#include "objsec.h"
81#include "netif.h"
224dfbd8 82#include "netnode.h"
d28d1e08 83#include "xfrm.h"
c60475bf 84#include "netlabel.h"
1da177e4
LT		 85
86#define XATTR_SELINUX_SUFFIX "selinux"
87#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
88
c9180a57
EP		 89#define NUM_SEL_MNT_OPTS 4
90
1da177e4
LT		 91extern unsigned int policydb_loaded_version;
92extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
4e5ab4cb 93extern int selinux_compat_net;
20510f2f 94extern struct security_operations *security_ops;
1da177e4 95
d621d35e
PM		 96/* SECMARK reference count */
97atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
98
1da177e4
LT		 99#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100int selinux_enforcing = 0;
101
102static int __init enforcing_setup(char *str)
103{
104 selinux_enforcing = simple_strtol(str,NULL,0);
105 return 1;
106}
107__setup("enforcing=", enforcing_setup);
108#endif
109
110#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
112
113static int __init selinux_enabled_setup(char *str)
114{
115 selinux_enabled = simple_strtol(str, NULL, 0);
116 return 1;
117}
118__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 119#else
120int selinux_enabled = 1;
1da177e4
LT		 121#endif
122
123/* Original (dummy) security module. */
124static struct security_operations *original_ops = NULL;
125
126/* Minimal support for a secondary security module,
127 just to allow the use of the dummy or capability modules.
128 The owlsm module can alternatively be used as a secondary
129 module as long as CONFIG_OWLSM_FD is not enabled. */
130static struct security_operations *secondary_ops = NULL;
131
132/* Lists of inode and superblock security structures initialized
133 before the policy was loaded. */
134static LIST_HEAD(superblock_security_head);
135static DEFINE_SPINLOCK(sb_security_lock);
136
e18b890b 137static struct kmem_cache *sel_inode_cache;
7cae7e26 138
d621d35e
PM		 139/**
140 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
141 *
142 * Description:
143 * This function checks the SECMARK reference counter to see if any SECMARK
144 * targets are currently configured, if the reference counter is greater than
145 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
146 * enabled, false (0) if SECMARK is disabled.
147 *
148 */
149static int selinux_secmark_enabled(void)
150{
151 return (atomic_read(&selinux_secmark_refcount) > 0);
152}
153
1da177e4
LT		 154/* Allocate and free functions for each kind of security blob. */
155
156static int task_alloc_security(struct task_struct *task)
157{
158 struct task_security_struct *tsec;
159
89d155ef 160 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4
LT		 161 if (!tsec)
162 return -ENOMEM;
163
1da177e4
LT		 164 tsec->task = task;
165 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
166 task->security = tsec;
167
168 return 0;
169}
170
171static void task_free_security(struct task_struct *task)
172{
173 struct task_security_struct *tsec = task->security;
1da177e4
LT		 174 task->security = NULL;
175 kfree(tsec);
176}
177
178static int inode_alloc_security(struct inode *inode)
179{
180 struct task_security_struct *tsec = current->security;
181 struct inode_security_struct *isec;
182
c3762229 183 isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
1da177e4
LT		 184 if (!isec)
185 return -ENOMEM;
186
23970741 187 mutex_init(&isec->lock);
1da177e4 188 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 189 isec->inode = inode;
190 isec->sid = SECINITSID_UNLABELED;
191 isec->sclass = SECCLASS_FILE;
9ac49d22 192 isec->task_sid = tsec->sid;
1da177e4
LT		 193 inode->i_security = isec;
194
195 return 0;
196}
197
198static void inode_free_security(struct inode *inode)
199{
200 struct inode_security_struct *isec = inode->i_security;
201 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
202
1da177e4
LT		 203 spin_lock(&sbsec->isec_lock);
204 if (!list_empty(&isec->list))
205 list_del_init(&isec->list);
206 spin_unlock(&sbsec->isec_lock);
207
208 inode->i_security = NULL;
7cae7e26 209 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 210}
211
212static int file_alloc_security(struct file *file)
213{
214 struct task_security_struct *tsec = current->security;
215 struct file_security_struct *fsec;
216
26d2a4be 217 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 218 if (!fsec)
219 return -ENOMEM;
220
1da177e4 221 fsec->file = file;
9ac49d22
SS		 222 fsec->sid = tsec->sid;
223 fsec->fown_sid = tsec->sid;
1da177e4
LT		 224 file->f_security = fsec;
225
226 return 0;
227}
228
229static void file_free_security(struct file *file)
230{
231 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 232 file->f_security = NULL;
233 kfree(fsec);
234}
235
236static int superblock_alloc_security(struct super_block *sb)
237{
238 struct superblock_security_struct *sbsec;
239
89d155ef 240 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 241 if (!sbsec)
242 return -ENOMEM;
243
bc7e982b 244 mutex_init(&sbsec->lock);
1da177e4
LT		 245 INIT_LIST_HEAD(&sbsec->list);
246 INIT_LIST_HEAD(&sbsec->isec_head);
247 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 248 sbsec->sb = sb;
249 sbsec->sid = SECINITSID_UNLABELED;
250 sbsec->def_sid = SECINITSID_FILE;
c312feb2 251 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 252 sb->s_security = sbsec;
253
254 return 0;
255}
256
257static void superblock_free_security(struct super_block *sb)
258{
259 struct superblock_security_struct *sbsec = sb->s_security;
260
1da177e4
LT		 261 spin_lock(&sb_security_lock);
262 if (!list_empty(&sbsec->list))
263 list_del_init(&sbsec->list);
264 spin_unlock(&sb_security_lock);
265
266 sb->s_security = NULL;
267 kfree(sbsec);
268}
269
7d877f3b 270static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4
LT		 271{
272 struct sk_security_struct *ssec;
273
89d155ef 274 ssec = kzalloc(sizeof(*ssec), priority);
1da177e4
LT		 275 if (!ssec)
276 return -ENOMEM;
277
1da177e4
LT		 278 ssec->sk = sk;
279 ssec->peer_sid = SECINITSID_UNLABELED;
892c141e 280 ssec->sid = SECINITSID_UNLABELED;
1da177e4
LT		 281 sk->sk_security = ssec;
282
99f59ed0
PM		 283 selinux_netlbl_sk_security_init(ssec, family);
284
1da177e4
LT		 285 return 0;
286}
287
288static void sk_free_security(struct sock *sk)
289{
290 struct sk_security_struct *ssec = sk->sk_security;
291
1da177e4
LT		 292 sk->sk_security = NULL;
293 kfree(ssec);
294}
1da177e4
LT		 295
296/* The security server must be initialized before
297 any labeling or access decisions can be provided. */
298extern int ss_initialized;
299
300/* The file system's label must be initialized prior to use. */
301
302static char *labeling_behaviors[6] = {
303 "uses xattr",
304 "uses transition SIDs",
305 "uses task SIDs",
306 "uses genfs_contexts",
307 "not configured for labeling",
308 "uses mountpoint labeling",
309};
310
311static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
312
313static inline int inode_doinit(struct inode *inode)
314{
315 return inode_doinit_with_dentry(inode, NULL);
316}
317
318enum {
31e87930 319 Opt_error = -1,
1da177e4
LT		 320 Opt_context = 1,
321 Opt_fscontext = 2,
c9180a57
EP		 322 Opt_defcontext = 3,
323 Opt_rootcontext = 4,
1da177e4
LT		 324};
325
326static match_table_t tokens = {
327 {Opt_context, "context=%s"},
328 {Opt_fscontext, "fscontext=%s"},
329 {Opt_defcontext, "defcontext=%s"},
0808925e 330 {Opt_rootcontext, "rootcontext=%s"},
31e87930 331 {Opt_error, NULL},
1da177e4
LT		 332};
333
334#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
335
c312feb2
EP		 336static int may_context_mount_sb_relabel(u32 sid,
337 struct superblock_security_struct *sbsec,
338 struct task_security_struct *tsec)
339{
340 int rc;
341
342 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
343 FILESYSTEM__RELABELFROM, NULL);
344 if (rc)
345 return rc;
346
347 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
348 FILESYSTEM__RELABELTO, NULL);
349 return rc;
350}
351
0808925e
EP		 352static int may_context_mount_inode_relabel(u32 sid,
353 struct superblock_security_struct *sbsec,
354 struct task_security_struct *tsec)
355{
356 int rc;
357 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358 FILESYSTEM__RELABELFROM, NULL);
359 if (rc)
360 return rc;
361
362 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
363 FILESYSTEM__ASSOCIATE, NULL);
364 return rc;
365}
366
c9180a57 367static int sb_finish_set_opts(struct super_block *sb)
1da177e4 368{
1da177e4 369 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 370 struct dentry *root = sb->s_root;
371 struct inode *root_inode = root->d_inode;
372 int rc = 0;
1da177e4 373
c9180a57
EP		 374 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
375 /* Make sure that the xattr handler exists and that no
376 error other than -ENODATA is returned by getxattr on
377 the root directory. -ENODATA is ok, as this may be
378 the first boot of the SELinux kernel before we have
379 assigned xattr values to the filesystem. */
380 if (!root_inode->i_op->getxattr) {
381 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
382 "xattr support\n", sb->s_id, sb->s_type->name);
383 rc = -EOPNOTSUPP;
384 goto out;
385 }
386 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
387 if (rc < 0 && rc != -ENODATA) {
388 if (rc == -EOPNOTSUPP)
389 printk(KERN_WARNING "SELinux: (dev %s, type "
390 "%s) has no security xattr handler\n",
391 sb->s_id, sb->s_type->name);
392 else
393 printk(KERN_WARNING "SELinux: (dev %s, type "
394 "%s) getxattr errno %d\n", sb->s_id,
395 sb->s_type->name, -rc);
396 goto out;
397 }
398 }
1da177e4 399
c9180a57 400 sbsec->initialized = 1;
1da177e4 401
c9180a57
EP		 402 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
404 sb->s_id, sb->s_type->name);
405 else
406 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
407 sb->s_id, sb->s_type->name,
408 labeling_behaviors[sbsec->behavior-1]);
1da177e4 409
c9180a57
EP		 410 /* Initialize the root inode. */
411 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 412
c9180a57
EP		 413 /* Initialize any other inodes associated with the superblock, e.g.
414 inodes created prior to initial policy load or inodes created
415 during get_sb by a pseudo filesystem that directly
416 populates itself. */
417 spin_lock(&sbsec->isec_lock);
418next_inode:
419 if (!list_empty(&sbsec->isec_head)) {
420 struct inode_security_struct *isec =
421 list_entry(sbsec->isec_head.next,
422 struct inode_security_struct, list);
423 struct inode *inode = isec->inode;
424 spin_unlock(&sbsec->isec_lock);
425 inode = igrab(inode);
426 if (inode) {
427 if (!IS_PRIVATE(inode))
428 inode_doinit(inode);
429 iput(inode);
430 }
431 spin_lock(&sbsec->isec_lock);
432 list_del_init(&isec->list);
433 goto next_inode;
434 }
435 spin_unlock(&sbsec->isec_lock);
436out:
437 return rc;
438}
1da177e4 439
c9180a57
EP		 440/*
441 * This function should allow an FS to ask what it's mount security
442 * options were so it can use those later for submounts, displaying
443 * mount options, or whatever.
444 */
445static int selinux_get_mnt_opts(const struct super_block *sb,
446 char ***mount_options, int **mnt_opts_flags,
447 int *num_opts)
448{
449 int rc = 0, i;
450 struct superblock_security_struct *sbsec = sb->s_security;
451 char *context = NULL;
452 u32 len;
453 char tmp;
1da177e4 454
c9180a57
EP		 455 *num_opts = 0;
456 *mount_options = NULL;
457 *mnt_opts_flags = NULL;
1da177e4 458
c9180a57
EP		 459 if (!sbsec->initialized)
460 return -EINVAL;
1da177e4 461
c9180a57
EP		 462 if (!ss_initialized)
463 return -EINVAL;
1da177e4 464
c9180a57
EP		 465 /*
466 * if we ever use sbsec flags for anything other than tracking mount
467 * settings this is going to need a mask
468 */
469 tmp = sbsec->flags;
470 /* count the number of mount options for this sb */
471 for (i = 0; i < 8; i++) {
472 if (tmp & 0x01)
473 (*num_opts)++;
474 tmp >>= 1;
475 }
1da177e4 476
c9180a57
EP		 477 *mount_options = kcalloc(*num_opts, sizeof(char *), GFP_ATOMIC);
478 if (!*mount_options) {
479 rc = -ENOMEM;
480 goto out_free;
481 }
1da177e4 482
c9180a57
EP		 483 *mnt_opts_flags = kcalloc(*num_opts, sizeof(int), GFP_ATOMIC);
484 if (!*mnt_opts_flags) {
485 rc = -ENOMEM;
486 goto out_free;
487 }
1da177e4 488
c9180a57
EP		 489 i = 0;
490 if (sbsec->flags & FSCONTEXT_MNT) {
491 rc = security_sid_to_context(sbsec->sid, &context, &len);
492 if (rc)
493 goto out_free;
494 (*mount_options)[i] = context;
495 (*mnt_opts_flags)[i++] = FSCONTEXT_MNT;
496 }
497 if (sbsec->flags & CONTEXT_MNT) {
498 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
499 if (rc)
500 goto out_free;
501 (*mount_options)[i] = context;
502 (*mnt_opts_flags)[i++] = CONTEXT_MNT;
503 }
504 if (sbsec->flags & DEFCONTEXT_MNT) {
505 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
506 if (rc)
507 goto out_free;
508 (*mount_options)[i] = context;
509 (*mnt_opts_flags)[i++] = DEFCONTEXT_MNT;
510 }
511 if (sbsec->flags & ROOTCONTEXT_MNT) {
512 struct inode *root = sbsec->sb->s_root->d_inode;
513 struct inode_security_struct *isec = root->i_security;
0808925e 514
c9180a57
EP		 515 rc = security_sid_to_context(isec->sid, &context, &len);
516 if (rc)
517 goto out_free;
518 (*mount_options)[i] = context;
519 (*mnt_opts_flags)[i++] = ROOTCONTEXT_MNT;
520 }
1da177e4 521
c9180a57 522 BUG_ON(i != *num_opts);
1da177e4 523
c9180a57
EP		 524 return 0;
525
526out_free:
527 /* don't leak context string if security_sid_to_context had an error */
528 if (*mount_options && i)
529 for (; i > 0; i--)
530 kfree((*mount_options)[i-1]);
531 kfree(*mount_options);
532 *mount_options = NULL;
533 kfree(*mnt_opts_flags);
534 *mnt_opts_flags = NULL;
535 *num_opts = 0;
536 return rc;
537}
1da177e4 538
c9180a57
EP		 539static int bad_option(struct superblock_security_struct *sbsec, char flag,
540 u32 old_sid, u32 new_sid)
541{
542 /* check if the old mount command had the same options */
543 if (sbsec->initialized)
544 if (!(sbsec->flags & flag) ||
545 (old_sid != new_sid))
546 return 1;
547
548 /* check if we were passed the same options twice,
549 * aka someone passed context=a,context=b
550 */
551 if (!sbsec->initialized)
552 if (sbsec->flags & flag)
553 return 1;
554 return 0;
555}
556/*
557 * Allow filesystems with binary mount data to explicitly set mount point
558 * labeling information.
559 */
374ea019
AB		 560static int selinux_set_mnt_opts(struct super_block *sb, char **mount_options,
561 int *flags, int num_opts)
c9180a57
EP		 562{
563 int rc = 0, i;
564 struct task_security_struct *tsec = current->security;
565 struct superblock_security_struct *sbsec = sb->s_security;
566 const char *name = sb->s_type->name;
567 struct inode *inode = sbsec->sb->s_root->d_inode;
568 struct inode_security_struct *root_isec = inode->i_security;
569 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
570 u32 defcontext_sid = 0;
571
572 mutex_lock(&sbsec->lock);
573
574 if (!ss_initialized) {
575 if (!num_opts) {
576 /* Defer initialization until selinux_complete_init,
577 after the initial policy is loaded and the security
578 server is ready to handle calls. */
579 spin_lock(&sb_security_lock);
580 if (list_empty(&sbsec->list))
581 list_add(&sbsec->list, &superblock_security_head);
582 spin_unlock(&sb_security_lock);
583 goto out;
584 }
585 rc = -EINVAL;
586 printk(KERN_WARNING "Unable to set superblock options before "
587 "the security server is initialized\n");
1da177e4 588 goto out;
c9180a57 589 }
1da177e4 590
c9180a57
EP		 591 /*
592 * parse the mount options, check if they are valid sids.
593 * also check if someone is trying to mount the same sb more
594 * than once with different security options.
595 */
596 for (i = 0; i < num_opts; i++) {
597 u32 sid;
598 rc = security_context_to_sid(mount_options[i],
599 strlen(mount_options[i]), &sid);
1da177e4
LT		 600 if (rc) {
601 printk(KERN_WARNING "SELinux: security_context_to_sid"
602 "(%s) failed for (dev %s, type %s) errno=%d\n",
c9180a57
EP		 603 mount_options[i], sb->s_id, name, rc);
604 goto out;
605 }
606 switch (flags[i]) {
607 case FSCONTEXT_MNT:
608 fscontext_sid = sid;
609
610 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
611 fscontext_sid))
612 goto out_double_mount;
613
614 sbsec->flags |= FSCONTEXT_MNT;
615 break;
616 case CONTEXT_MNT:
617 context_sid = sid;
618
619 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
620 context_sid))
621 goto out_double_mount;
622
623 sbsec->flags |= CONTEXT_MNT;
624 break;
625 case ROOTCONTEXT_MNT:
626 rootcontext_sid = sid;
627
628 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
629 rootcontext_sid))
630 goto out_double_mount;
631
632 sbsec->flags |= ROOTCONTEXT_MNT;
633
634 break;
635 case DEFCONTEXT_MNT:
636 defcontext_sid = sid;
637
638 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
639 defcontext_sid))
640 goto out_double_mount;
641
642 sbsec->flags |= DEFCONTEXT_MNT;
643
644 break;
645 default:
646 rc = -EINVAL;
647 goto out;
1da177e4 648 }
c9180a57
EP		 649 }
650
651 if (sbsec->initialized) {
652 /* previously mounted with options, but not on this attempt? */
653 if (sbsec->flags && !num_opts)
654 goto out_double_mount;
655 rc = 0;
656 goto out;
657 }
658
659 if (strcmp(sb->s_type->name, "proc") == 0)
660 sbsec->proc = 1;
661
662 /* Determine the labeling behavior to use for this filesystem type. */
663 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
664 if (rc) {
665 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
666 __FUNCTION__, sb->s_type->name, rc);
667 goto out;
668 }
1da177e4 669
c9180a57
EP		 670 /* sets the context of the superblock for the fs being mounted. */
671 if (fscontext_sid) {
672
673 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
1da177e4 674 if (rc)
c9180a57 675 goto out;
1da177e4 676
c9180a57 677 sbsec->sid = fscontext_sid;
c312feb2
EP		 678 }
679
680 /*
681 * Switch to using mount point labeling behavior.
682 * sets the label used on all file below the mountpoint, and will set
683 * the superblock context if not already set.
684 */
c9180a57
EP		 685 if (context_sid) {
686 if (!fscontext_sid) {
687 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
b04ea3ce 688 if (rc)
c9180a57
EP		 689 goto out;
690 sbsec->sid = context_sid;
b04ea3ce 691 } else {
c9180a57 692 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
b04ea3ce 693 if (rc)
c9180a57 694 goto out;
b04ea3ce 695 }
c9180a57
EP		 696 if (!rootcontext_sid)
697 rootcontext_sid = context_sid;
1da177e4 698
c9180a57 699 sbsec->mntpoint_sid = context_sid;
c312feb2 700 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 701 }
702
c9180a57
EP		 703 if (rootcontext_sid) {
704 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
0808925e 705 if (rc)
c9180a57 706 goto out;
0808925e 707
c9180a57
EP		 708 root_isec->sid = rootcontext_sid;
709 root_isec->initialized = 1;
0808925e
EP		 710 }
711
c9180a57
EP		 712 if (defcontext_sid) {
713 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
714 rc = -EINVAL;
715 printk(KERN_WARNING "SELinux: defcontext option is "
716 "invalid for this filesystem type\n");
717 goto out;
1da177e4
LT		 718 }
719
c9180a57
EP		 720 if (defcontext_sid != sbsec->def_sid) {
721 rc = may_context_mount_inode_relabel(defcontext_sid,
722 sbsec, tsec);
723 if (rc)
724 goto out;
725 }
1da177e4 726
c9180a57 727 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 728 }
729
c9180a57 730 rc = sb_finish_set_opts(sb);
1da177e4 731out:
c9180a57 732 mutex_unlock(&sbsec->lock);
1da177e4 733 return rc;
c9180a57
EP		 734out_double_mount:
735 rc = -EINVAL;
736 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
737 "security settings for (dev %s, type %s)\n", sb->s_id, name);
738 goto out;
1da177e4
LT		 739}
740
c9180a57
EP		 741static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
742 struct super_block *newsb)
1da177e4 743{
c9180a57
EP		 744 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
745 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 746
c9180a57
EP		 747 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
748 int set_context = (oldsbsec->flags & CONTEXT_MNT);
749 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 750
c9180a57
EP		 751 /* we can't error, we can't save the info, this shouldn't get called
752 * this early in the boot process. */
753 BUG_ON(!ss_initialized);
754
755 /* this might go away sometime down the line if there is a new user
756 * of clone, but for now, nfs better not get here... */
757 BUG_ON(newsbsec->initialized);
758
759 /* how can we clone if the old one wasn't set up?? */
760 BUG_ON(!oldsbsec->initialized);
761
762 mutex_lock(&newsbsec->lock);
763
764 newsbsec->flags = oldsbsec->flags;
765
766 newsbsec->sid = oldsbsec->sid;
767 newsbsec->def_sid = oldsbsec->def_sid;
768 newsbsec->behavior = oldsbsec->behavior;
769
770 if (set_context) {
771 u32 sid = oldsbsec->mntpoint_sid;
772
773 if (!set_fscontext)
774 newsbsec->sid = sid;
775 if (!set_rootcontext) {
776 struct inode *newinode = newsb->s_root->d_inode;
777 struct inode_security_struct *newisec = newinode->i_security;
778 newisec->sid = sid;
779 }
780 newsbsec->mntpoint_sid = sid;
1da177e4 781 }
c9180a57
EP		 782 if (set_rootcontext) {
783 const struct inode *oldinode = oldsb->s_root->d_inode;
784 const struct inode_security_struct *oldisec = oldinode->i_security;
785 struct inode *newinode = newsb->s_root->d_inode;
786 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 787
c9180a57 788 newisec->sid = oldisec->sid;
1da177e4
LT		 789 }
790
c9180a57
EP		 791 sb_finish_set_opts(newsb);
792 mutex_unlock(&newsbsec->lock);
793}
794
795/*
796 * string mount options parsing and call set the sbsec
797 */
798static int superblock_doinit(struct super_block *sb, void *data)
799{
800 char *context = NULL, *defcontext = NULL;
801 char *fscontext = NULL, *rootcontext = NULL;
802 int rc = 0;
803 char *p, *options = data;
804 /* selinux only know about a fixed number of mount options */
805 char *mnt_opts[NUM_SEL_MNT_OPTS];
806 int mnt_opts_flags[NUM_SEL_MNT_OPTS], num_mnt_opts = 0;
807
808 if (!data)
1da177e4
LT		 809 goto out;
810
c9180a57
EP		 811 /* with the nfs patch this will become a goto out; */
812 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
813 const char *name = sb->s_type->name;
814 /* NFS we understand. */
815 if (!strcmp(name, "nfs")) {
816 struct nfs_mount_data *d = data;
817
818 if (d->version != NFS_MOUNT_VERSION)
819 goto out;
820
821 if (d->context[0]) {
822 context = kstrdup(d->context, GFP_KERNEL);
823 if (!context) {
824 rc = -ENOMEM;
825 goto out;
826 }
827 }
828 goto build_flags;
829 } else
1da177e4 830 goto out;
1da177e4
LT		 831 }
832
c9180a57
EP		 833 /* Standard string-based options. */
834 while ((p = strsep(&options, "|")) != NULL) {
835 int token;
836 substring_t args[MAX_OPT_ARGS];
1da177e4 837
c9180a57
EP		 838 if (!*p)
839 continue;
1da177e4 840
c9180a57 841 token = match_token(p, tokens, args);
1da177e4 842
c9180a57
EP		 843 switch (token) {
844 case Opt_context:
845 if (context || defcontext) {
846 rc = -EINVAL;
847 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
848 goto out_err;
849 }
850 context = match_strdup(&args[0]);
851 if (!context) {
852 rc = -ENOMEM;
853 goto out_err;
854 }
855 break;
856
857 case Opt_fscontext:
858 if (fscontext) {
859 rc = -EINVAL;
860 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
861 goto out_err;
862 }
863 fscontext = match_strdup(&args[0]);
864 if (!fscontext) {
865 rc = -ENOMEM;
866 goto out_err;
867 }
868 break;
869
870 case Opt_rootcontext:
871 if (rootcontext) {
872 rc = -EINVAL;
873 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
874 goto out_err;
875 }
876 rootcontext = match_strdup(&args[0]);
877 if (!rootcontext) {
878 rc = -ENOMEM;
879 goto out_err;
880 }
881 break;
882
883 case Opt_defcontext:
884 if (context || defcontext) {
885 rc = -EINVAL;
886 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
887 goto out_err;
888 }
889 defcontext = match_strdup(&args[0]);
890 if (!defcontext) {
891 rc = -ENOMEM;
892 goto out_err;
893 }
894 break;
895
896 default:
897 rc = -EINVAL;
898 printk(KERN_WARNING "SELinux: unknown mount option\n");
899 goto out_err;
1da177e4 900
1da177e4 901 }
1da177e4 902 }
c9180a57
EP		 903
904build_flags:
905 if (fscontext) {
906 mnt_opts[num_mnt_opts] = fscontext;
907 mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
908 }
909 if (context) {
910 mnt_opts[num_mnt_opts] = context;
911 mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
912 }
913 if (rootcontext) {
914 mnt_opts[num_mnt_opts] = rootcontext;
915 mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
916 }
917 if (defcontext) {
918 mnt_opts[num_mnt_opts] = defcontext;
919 mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
920 }
921
1da177e4 922out:
c9180a57
EP		 923 rc = selinux_set_mnt_opts(sb, mnt_opts, mnt_opts_flags, num_mnt_opts);
924out_err:
925 kfree(context);
926 kfree(defcontext);
927 kfree(fscontext);
928 kfree(rootcontext);
1da177e4
LT		 929 return rc;
930}
931
932static inline u16 inode_mode_to_security_class(umode_t mode)
933{
934 switch (mode & S_IFMT) {
935 case S_IFSOCK:
936 return SECCLASS_SOCK_FILE;
937 case S_IFLNK:
938 return SECCLASS_LNK_FILE;
939 case S_IFREG:
940 return SECCLASS_FILE;
941 case S_IFBLK:
942 return SECCLASS_BLK_FILE;
943 case S_IFDIR:
944 return SECCLASS_DIR;
945 case S_IFCHR:
946 return SECCLASS_CHR_FILE;
947 case S_IFIFO:
948 return SECCLASS_FIFO_FILE;
949
950 }
951
952 return SECCLASS_FILE;
953}
954
13402580
JM		 955static inline int default_protocol_stream(int protocol)
956{
957 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
958}
959
960static inline int default_protocol_dgram(int protocol)
961{
962 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
963}
964
1da177e4
LT		 965static inline u16 socket_type_to_security_class(int family, int type, int protocol)
966{
967 switch (family) {
968 case PF_UNIX:
969 switch (type) {
970 case SOCK_STREAM:
971 case SOCK_SEQPACKET:
972 return SECCLASS_UNIX_STREAM_SOCKET;
973 case SOCK_DGRAM:
974 return SECCLASS_UNIX_DGRAM_SOCKET;
975 }
976 break;
977 case PF_INET:
978 case PF_INET6:
979 switch (type) {
980 case SOCK_STREAM:
13402580
JM		 981 if (default_protocol_stream(protocol))
982 return SECCLASS_TCP_SOCKET;
983 else
984 return SECCLASS_RAWIP_SOCKET;
1da177e4 985 case SOCK_DGRAM:
13402580
JM		 986 if (default_protocol_dgram(protocol))
987 return SECCLASS_UDP_SOCKET;
988 else
989 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 990 case SOCK_DCCP:
991 return SECCLASS_DCCP_SOCKET;
13402580 992 default:
1da177e4
LT		 993 return SECCLASS_RAWIP_SOCKET;
994 }
995 break;
996 case PF_NETLINK:
997 switch (protocol) {
998 case NETLINK_ROUTE:
999 return SECCLASS_NETLINK_ROUTE_SOCKET;
1000 case NETLINK_FIREWALL:
1001 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 1002 case NETLINK_INET_DIAG:
1da177e4
LT		 1003 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1004 case NETLINK_NFLOG:
1005 return SECCLASS_NETLINK_NFLOG_SOCKET;
1006 case NETLINK_XFRM:
1007 return SECCLASS_NETLINK_XFRM_SOCKET;
1008 case NETLINK_SELINUX:
1009 return SECCLASS_NETLINK_SELINUX_SOCKET;
1010 case NETLINK_AUDIT:
1011 return SECCLASS_NETLINK_AUDIT_SOCKET;
1012 case NETLINK_IP6_FW:
1013 return SECCLASS_NETLINK_IP6FW_SOCKET;
1014 case NETLINK_DNRTMSG:
1015 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1016 case NETLINK_KOBJECT_UEVENT:
1017 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1018 default:
1019 return SECCLASS_NETLINK_SOCKET;
1020 }
1021 case PF_PACKET:
1022 return SECCLASS_PACKET_SOCKET;
1023 case PF_KEY:
1024 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1025 case PF_APPLETALK:
1026 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1027 }
1028
1029 return SECCLASS_SOCKET;
1030}
1031
1032#ifdef CONFIG_PROC_FS
1033static int selinux_proc_get_sid(struct proc_dir_entry *de,
1034 u16 tclass,
1035 u32 *sid)
1036{
1037 int buflen, rc;
1038 char *buffer, *path, *end;
1039
1040 buffer = (char*)__get_free_page(GFP_KERNEL);
1041 if (!buffer)
1042 return -ENOMEM;
1043
1044 buflen = PAGE_SIZE;
1045 end = buffer+buflen;
1046 *--end = '\0';
1047 buflen--;
1048 path = end-1;
1049 *path = '/';
1050 while (de && de != de->parent) {
1051 buflen -= de->namelen + 1;
1052 if (buflen < 0)
1053 break;
1054 end -= de->namelen;
1055 memcpy(end, de->name, de->namelen);
1056 *--end = '/';
1057 path = end;
1058 de = de->parent;
1059 }
1060 rc = security_genfs_sid("proc", path, tclass, sid);
1061 free_page((unsigned long)buffer);
1062 return rc;
1063}
1064#else
1065static int selinux_proc_get_sid(struct proc_dir_entry *de,
1066 u16 tclass,
1067 u32 *sid)
1068{
1069 return -EINVAL;
1070}
1071#endif
1072
1073/* The inode's security attributes must be initialized before first use. */
1074static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1075{
1076 struct superblock_security_struct *sbsec = NULL;
1077 struct inode_security_struct *isec = inode->i_security;
1078 u32 sid;
1079 struct dentry *dentry;
1080#define INITCONTEXTLEN 255
1081 char *context = NULL;
1082 unsigned len = 0;
1083 int rc = 0;
1da177e4
LT		 1084
1085 if (isec->initialized)
1086 goto out;
1087
23970741 1088 mutex_lock(&isec->lock);
1da177e4 1089 if (isec->initialized)
23970741 1090 goto out_unlock;
1da177e4
LT		 1091
1092 sbsec = inode->i_sb->s_security;
1093 if (!sbsec->initialized) {
1094 /* Defer initialization until selinux_complete_init,
1095 after the initial policy is loaded and the security
1096 server is ready to handle calls. */
1097 spin_lock(&sbsec->isec_lock);
1098 if (list_empty(&isec->list))
1099 list_add(&isec->list, &sbsec->isec_head);
1100 spin_unlock(&sbsec->isec_lock);
23970741 1101 goto out_unlock;
1da177e4
LT		 1102 }
1103
1104 switch (sbsec->behavior) {
1105 case SECURITY_FS_USE_XATTR:
1106 if (!inode->i_op->getxattr) {
1107 isec->sid = sbsec->def_sid;
1108 break;
1109 }
1110
1111 /* Need a dentry, since the xattr API requires one.
1112 Life would be simpler if we could just pass the inode. */
1113 if (opt_dentry) {
1114 /* Called from d_instantiate or d_splice_alias. */
1115 dentry = dget(opt_dentry);
1116 } else {
1117 /* Called from selinux_complete_init, try to find a dentry. */
1118 dentry = d_find_alias(inode);
1119 }
1120 if (!dentry) {
1121 printk(KERN_WARNING "%s: no dentry for dev=%s "
1122 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1123 inode->i_ino);
23970741 1124 goto out_unlock;
1da177e4
LT		 1125 }
1126
1127 len = INITCONTEXTLEN;
1128 context = kmalloc(len, GFP_KERNEL);
1129 if (!context) {
1130 rc = -ENOMEM;
1131 dput(dentry);
23970741 1132 goto out_unlock;
1da177e4
LT		 1133 }
1134 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1135 context, len);
1136 if (rc == -ERANGE) {
1137 /* Need a larger buffer. Query for the right size. */
1138 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1139 NULL, 0);
1140 if (rc < 0) {
1141 dput(dentry);
23970741 1142 goto out_unlock;
1da177e4
LT		 1143 }
1144 kfree(context);
1145 len = rc;
1146 context = kmalloc(len, GFP_KERNEL);
1147 if (!context) {
1148 rc = -ENOMEM;
1149 dput(dentry);
23970741 1150 goto out_unlock;
1da177e4
LT		 1151 }
1152 rc = inode->i_op->getxattr(dentry,
1153 XATTR_NAME_SELINUX,
1154 context, len);
1155 }
1156 dput(dentry);
1157 if (rc < 0) {
1158 if (rc != -ENODATA) {
1159 printk(KERN_WARNING "%s: getxattr returned "
1160 "%d for dev=%s ino=%ld\n", __FUNCTION__,
1161 -rc, inode->i_sb->s_id, inode->i_ino);
1162 kfree(context);
23970741 1163 goto out_unlock;
1da177e4
LT		 1164 }
1165 /* Map ENODATA to the default file SID */
1166 sid = sbsec->def_sid;
1167 rc = 0;
1168 } else {
f5c1d5b2
JM		 1169 rc = security_context_to_sid_default(context, rc, &sid,
1170 sbsec->def_sid);
1da177e4
LT		 1171 if (rc) {
1172 printk(KERN_WARNING "%s: context_to_sid(%s) "
1173 "returned %d for dev=%s ino=%ld\n",
1174 __FUNCTION__, context, -rc,
1175 inode->i_sb->s_id, inode->i_ino);
1176 kfree(context);
1177 /* Leave with the unlabeled SID */
1178 rc = 0;
1179 break;
1180 }
1181 }
1182 kfree(context);
1183 isec->sid = sid;
1184 break;
1185 case SECURITY_FS_USE_TASK:
1186 isec->sid = isec->task_sid;
1187 break;
1188 case SECURITY_FS_USE_TRANS:
1189 /* Default to the fs SID. */
1190 isec->sid = sbsec->sid;
1191
1192 /* Try to obtain a transition SID. */
1193 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1194 rc = security_transition_sid(isec->task_sid,
1195 sbsec->sid,
1196 isec->sclass,
1197 &sid);
1198 if (rc)
23970741 1199 goto out_unlock;
1da177e4
LT		 1200 isec->sid = sid;
1201 break;
c312feb2
EP		 1202 case SECURITY_FS_USE_MNTPOINT:
1203 isec->sid = sbsec->mntpoint_sid;
1204 break;
1da177e4 1205 default:
c312feb2 1206 /* Default to the fs superblock SID. */
1da177e4
LT		 1207 isec->sid = sbsec->sid;
1208
1209 if (sbsec->proc) {
1210 struct proc_inode *proci = PROC_I(inode);
1211 if (proci->pde) {
1212 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1213 rc = selinux_proc_get_sid(proci->pde,
1214 isec->sclass,
1215 &sid);
1216 if (rc)
23970741 1217 goto out_unlock;
1da177e4
LT		 1218 isec->sid = sid;
1219 }
1220 }
1221 break;
1222 }
1223
1224 isec->initialized = 1;
1225
23970741
EP		 1226out_unlock:
1227 mutex_unlock(&isec->lock);
1da177e4
LT		 1228out:
1229 if (isec->sclass == SECCLASS_FILE)
1230 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1231 return rc;
1232}
1233
1234/* Convert a Linux signal to an access vector. */
1235static inline u32 signal_to_av(int sig)
1236{
1237 u32 perm = 0;
1238
1239 switch (sig) {
1240 case SIGCHLD:
1241 /* Commonly granted from child to parent. */
1242 perm = PROCESS__SIGCHLD;
1243 break;
1244 case SIGKILL:
1245 /* Cannot be caught or ignored */
1246 perm = PROCESS__SIGKILL;
1247 break;
1248 case SIGSTOP:
1249 /* Cannot be caught or ignored */
1250 perm = PROCESS__SIGSTOP;
1251 break;
1252 default:
1253 /* All other signals. */
1254 perm = PROCESS__SIGNAL;
1255 break;
1256 }
1257
1258 return perm;
1259}
1260
1261/* Check permission betweeen a pair of tasks, e.g. signal checks,
1262 fork check, ptrace check, etc. */
1263static int task_has_perm(struct task_struct *tsk1,
1264 struct task_struct *tsk2,
1265 u32 perms)
1266{
1267 struct task_security_struct *tsec1, *tsec2;
1268
1269 tsec1 = tsk1->security;
1270 tsec2 = tsk2->security;
1271 return avc_has_perm(tsec1->sid, tsec2->sid,
1272 SECCLASS_PROCESS, perms, NULL);
1273}
1274
b68e418c
SS		 1275#if CAP_LAST_CAP > 63
1276#error Fix SELinux to handle capabilities > 63.
1277#endif
1278
1da177e4
LT		 1279/* Check whether a task is allowed to use a capability. */
1280static int task_has_capability(struct task_struct *tsk,
1281 int cap)
1282{
1283 struct task_security_struct *tsec;
1284 struct avc_audit_data ad;
b68e418c
SS		 1285 u16 sclass;
1286 u32 av = CAP_TO_MASK(cap);
1da177e4
LT		 1287
1288 tsec = tsk->security;
1289
1290 AVC_AUDIT_DATA_INIT(&ad,CAP);
1291 ad.tsk = tsk;
1292 ad.u.cap = cap;
1293
b68e418c
SS		 1294 switch (CAP_TO_INDEX(cap)) {
1295 case 0:
1296 sclass = SECCLASS_CAPABILITY;
1297 break;
1298 case 1:
1299 sclass = SECCLASS_CAPABILITY2;
1300 break;
1301 default:
1302 printk(KERN_ERR
1303 "SELinux: out of range capability %d\n", cap);
1304 BUG();
1305 }
1306 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1da177e4
LT		 1307}
1308
1309/* Check whether a task is allowed to use a system operation. */
1310static int task_has_system(struct task_struct *tsk,
1311 u32 perms)
1312{
1313 struct task_security_struct *tsec;
1314
1315 tsec = tsk->security;
1316
1317 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1318 SECCLASS_SYSTEM, perms, NULL);
1319}
1320
1321/* Check whether a task has a particular permission to an inode.
1322 The 'adp' parameter is optional and allows other audit
1323 data to be passed (e.g. the dentry). */
1324static int inode_has_perm(struct task_struct *tsk,
1325 struct inode *inode,
1326 u32 perms,
1327 struct avc_audit_data *adp)
1328{
1329 struct task_security_struct *tsec;
1330 struct inode_security_struct *isec;
1331 struct avc_audit_data ad;
1332
bbaca6c2
SS		 1333 if (unlikely (IS_PRIVATE (inode)))
1334 return 0;
1335
1da177e4
LT		 1336 tsec = tsk->security;
1337 isec = inode->i_security;
1338
1339 if (!adp) {
1340 adp = &ad;
1341 AVC_AUDIT_DATA_INIT(&ad, FS);
1342 ad.u.fs.inode = inode;
1343 }
1344
1345 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1346}
1347
1348/* Same as inode_has_perm, but pass explicit audit data containing
1349 the dentry to help the auditing code to more easily generate the
1350 pathname if needed. */
1351static inline int dentry_has_perm(struct task_struct *tsk,
1352 struct vfsmount *mnt,
1353 struct dentry *dentry,
1354 u32 av)
1355{
1356 struct inode *inode = dentry->d_inode;
1357 struct avc_audit_data ad;
1358 AVC_AUDIT_DATA_INIT(&ad,FS);
1359 ad.u.fs.mnt = mnt;
1360 ad.u.fs.dentry = dentry;
1361 return inode_has_perm(tsk, inode, av, &ad);
1362}
1363
1364/* Check whether a task can use an open file descriptor to
1365 access an inode in a given way. Check access to the
1366 descriptor itself, and then use dentry_has_perm to
1367 check a particular permission to the file.
1368 Access to the descriptor is implicitly granted if it
1369 has the same SID as the process. If av is zero, then
1370 access to the file is not checked, e.g. for cases
1371 where only the descriptor is affected like seek. */
858119e1 1372static int file_has_perm(struct task_struct *tsk,
1da177e4
LT		 1373 struct file *file,
1374 u32 av)
1375{
1376 struct task_security_struct *tsec = tsk->security;
1377 struct file_security_struct *fsec = file->f_security;
3d5ff529
JS		 1378 struct vfsmount *mnt = file->f_path.mnt;
1379 struct dentry *dentry = file->f_path.dentry;
1da177e4
LT		 1380 struct inode *inode = dentry->d_inode;
1381 struct avc_audit_data ad;
1382 int rc;
1383
1384 AVC_AUDIT_DATA_INIT(&ad, FS);
1385 ad.u.fs.mnt = mnt;
1386 ad.u.fs.dentry = dentry;
1387
1388 if (tsec->sid != fsec->sid) {
1389 rc = avc_has_perm(tsec->sid, fsec->sid,
1390 SECCLASS_FD,
1391 FD__USE,
1392 &ad);
1393 if (rc)
1394 return rc;
1395 }
1396
1397 /* av is zero if only checking access to the descriptor. */
1398 if (av)
1399 return inode_has_perm(tsk, inode, av, &ad);
1400
1401 return 0;
1402}
1403
1404/* Check whether a task can create a file. */
1405static int may_create(struct inode *dir,
1406 struct dentry *dentry,
1407 u16 tclass)
1408{
1409 struct task_security_struct *tsec;
1410 struct inode_security_struct *dsec;
1411 struct superblock_security_struct *sbsec;
1412 u32 newsid;
1413 struct avc_audit_data ad;
1414 int rc;
1415
1416 tsec = current->security;
1417 dsec = dir->i_security;
1418 sbsec = dir->i_sb->s_security;
1419
1420 AVC_AUDIT_DATA_INIT(&ad, FS);
1421 ad.u.fs.dentry = dentry;
1422
1423 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1424 DIR__ADD_NAME | DIR__SEARCH,
1425 &ad);
1426 if (rc)
1427 return rc;
1428
1429 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1430 newsid = tsec->create_sid;
1431 } else {
1432 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1433 &newsid);
1434 if (rc)
1435 return rc;
1436 }
1437
1438 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1439 if (rc)
1440 return rc;
1441
1442 return avc_has_perm(newsid, sbsec->sid,
1443 SECCLASS_FILESYSTEM,
1444 FILESYSTEM__ASSOCIATE, &ad);
1445}
1446
4eb582cf
ML		 1447/* Check whether a task can create a key. */
1448static int may_create_key(u32 ksid,
1449 struct task_struct *ctx)
1450{
1451 struct task_security_struct *tsec;
1452
1453 tsec = ctx->security;
1454
1455 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1456}
1457
1da177e4
LT		 1458#define MAY_LINK 0
1459#define MAY_UNLINK 1
1460#define MAY_RMDIR 2
1461
1462/* Check whether a task can link, unlink, or rmdir a file/directory. */
1463static int may_link(struct inode *dir,
1464 struct dentry *dentry,
1465 int kind)
1466
1467{
1468 struct task_security_struct *tsec;
1469 struct inode_security_struct *dsec, *isec;
1470 struct avc_audit_data ad;
1471 u32 av;
1472 int rc;
1473
1474 tsec = current->security;
1475 dsec = dir->i_security;
1476 isec = dentry->d_inode->i_security;
1477
1478 AVC_AUDIT_DATA_INIT(&ad, FS);
1479 ad.u.fs.dentry = dentry;
1480
1481 av = DIR__SEARCH;
1482 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1483 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1484 if (rc)
1485 return rc;
1486
1487 switch (kind) {
1488 case MAY_LINK:
1489 av = FILE__LINK;
1490 break;
1491 case MAY_UNLINK:
1492 av = FILE__UNLINK;
1493 break;
1494 case MAY_RMDIR:
1495 av = DIR__RMDIR;
1496 break;
1497 default:
1498 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1499 return 0;
1500 }
1501
1502 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1503 return rc;
1504}
1505
1506static inline int may_rename(struct inode *old_dir,
1507 struct dentry *old_dentry,
1508 struct inode *new_dir,
1509 struct dentry *new_dentry)
1510{
1511 struct task_security_struct *tsec;
1512 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1513 struct avc_audit_data ad;
1514 u32 av;
1515 int old_is_dir, new_is_dir;
1516 int rc;
1517
1518 tsec = current->security;
1519 old_dsec = old_dir->i_security;
1520 old_isec = old_dentry->d_inode->i_security;
1521 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1522 new_dsec = new_dir->i_security;
1523
1524 AVC_AUDIT_DATA_INIT(&ad, FS);
1525
1526 ad.u.fs.dentry = old_dentry;
1527 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1528 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1529 if (rc)
1530 return rc;
1531 rc = avc_has_perm(tsec->sid, old_isec->sid,
1532 old_isec->sclass, FILE__RENAME, &ad);
1533 if (rc)
1534 return rc;
1535 if (old_is_dir && new_dir != old_dir) {
1536 rc = avc_has_perm(tsec->sid, old_isec->sid,
1537 old_isec->sclass, DIR__REPARENT, &ad);
1538 if (rc)
1539 return rc;
1540 }
1541
1542 ad.u.fs.dentry = new_dentry;
1543 av = DIR__ADD_NAME | DIR__SEARCH;
1544 if (new_dentry->d_inode)
1545 av |= DIR__REMOVE_NAME;
1546 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1547 if (rc)
1548 return rc;
1549 if (new_dentry->d_inode) {
1550 new_isec = new_dentry->d_inode->i_security;
1551 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1552 rc = avc_has_perm(tsec->sid, new_isec->sid,
1553 new_isec->sclass,
1554 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1555 if (rc)
1556 return rc;
1557 }
1558
1559 return 0;
1560}
1561
1562/* Check whether a task can perform a filesystem operation. */
1563static int superblock_has_perm(struct task_struct *tsk,
1564 struct super_block *sb,
1565 u32 perms,
1566 struct avc_audit_data *ad)
1567{
1568 struct task_security_struct *tsec;
1569 struct superblock_security_struct *sbsec;
1570
1571 tsec = tsk->security;
1572 sbsec = sb->s_security;
1573 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1574 perms, ad);
1575}
1576
1577/* Convert a Linux mode and permission mask to an access vector. */
1578static inline u32 file_mask_to_av(int mode, int mask)
1579{
1580 u32 av = 0;
1581
1582 if ((mode & S_IFMT) != S_IFDIR) {
1583 if (mask & MAY_EXEC)
1584 av |= FILE__EXECUTE;
1585 if (mask & MAY_READ)
1586 av |= FILE__READ;
1587
1588 if (mask & MAY_APPEND)
1589 av |= FILE__APPEND;
1590 else if (mask & MAY_WRITE)
1591 av |= FILE__WRITE;
1592
1593 } else {
1594 if (mask & MAY_EXEC)
1595 av |= DIR__SEARCH;
1596 if (mask & MAY_WRITE)
1597 av |= DIR__WRITE;
1598 if (mask & MAY_READ)
1599 av |= DIR__READ;
1600 }
1601
1602 return av;
1603}
1604
1605/* Convert a Linux file to an access vector. */
1606static inline u32 file_to_av(struct file *file)
1607{
1608 u32 av = 0;
1609
1610 if (file->f_mode & FMODE_READ)
1611 av |= FILE__READ;
1612 if (file->f_mode & FMODE_WRITE) {
1613 if (file->f_flags & O_APPEND)
1614 av |= FILE__APPEND;
1615 else
1616 av |= FILE__WRITE;
1617 }
1618
1619 return av;
1620}
1621
1da177e4
LT		 1622/* Hook functions begin here. */
1623
1624static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1625{
1626 struct task_security_struct *psec = parent->security;
1627 struct task_security_struct *csec = child->security;
1628 int rc;
1629
1630 rc = secondary_ops->ptrace(parent,child);
1631 if (rc)
1632 return rc;
1633
1634 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1635 /* Save the SID of the tracing process for later use in apply_creds. */
341c2d80 1636 if (!(child->ptrace & PT_PTRACED) && !rc)
1da177e4
LT		 1637 csec->ptrace_sid = psec->sid;
1638 return rc;
1639}
1640
1641static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1642 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1643{
1644 int error;
1645
1646 error = task_has_perm(current, target, PROCESS__GETCAP);
1647 if (error)
1648 return error;
1649
1650 return secondary_ops->capget(target, effective, inheritable, permitted);
1651}
1652
1653static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1654 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1655{
1656 int error;
1657
1658 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1659 if (error)
1660 return error;
1661
1662 return task_has_perm(current, target, PROCESS__SETCAP);
1663}
1664
1665static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1666 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1667{
1668 secondary_ops->capset_set(target, effective, inheritable, permitted);
1669}
1670
1671static int selinux_capable(struct task_struct *tsk, int cap)
1672{
1673 int rc;
1674
1675 rc = secondary_ops->capable(tsk, cap);
1676 if (rc)
1677 return rc;
1678
1679 return task_has_capability(tsk,cap);
1680}
1681
3fbfa981
EB		 1682static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1683{
1684 int buflen, rc;
1685 char *buffer, *path, *end;
1686
1687 rc = -ENOMEM;
1688 buffer = (char*)__get_free_page(GFP_KERNEL);
1689 if (!buffer)
1690 goto out;
1691
1692 buflen = PAGE_SIZE;
1693 end = buffer+buflen;
1694 *--end = '\0';
1695 buflen--;
1696 path = end-1;
1697 *path = '/';
1698 while (table) {
1699 const char *name = table->procname;
1700 size_t namelen = strlen(name);
1701 buflen -= namelen + 1;
1702 if (buflen < 0)
1703 goto out_free;
1704 end -= namelen;
1705 memcpy(end, name, namelen);
1706 *--end = '/';
1707 path = end;
1708 table = table->parent;
1709 }
b599fdfd
EB		 1710 buflen -= 4;
1711 if (buflen < 0)
1712 goto out_free;
1713 end -= 4;
1714 memcpy(end, "/sys", 4);
1715 path = end;
3fbfa981
EB		 1716 rc = security_genfs_sid("proc", path, tclass, sid);
1717out_free:
1718 free_page((unsigned long)buffer);
1719out:
1720 return rc;
1721}
1722
1da177e4
LT		 1723static int selinux_sysctl(ctl_table *table, int op)
1724{
1725 int error = 0;
1726 u32 av;
1727 struct task_security_struct *tsec;
1728 u32 tsid;
1729 int rc;
1730
1731 rc = secondary_ops->sysctl(table, op);
1732 if (rc)
1733 return rc;
1734
1735 tsec = current->security;
1736
3fbfa981
EB		 1737 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1738 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1da177e4
LT		 1739 if (rc) {
1740 /* Default to the well-defined sysctl SID. */
1741 tsid = SECINITSID_SYSCTL;
1742 }
1743
1744 /* The op values are "defined" in sysctl.c, thereby creating
1745 * a bad coupling between this module and sysctl.c */
1746 if(op == 001) {
1747 error = avc_has_perm(tsec->sid, tsid,
1748 SECCLASS_DIR, DIR__SEARCH, NULL);
1749 } else {
1750 av = 0;
1751 if (op & 004)
1752 av |= FILE__READ;
1753 if (op & 002)
1754 av |= FILE__WRITE;
1755 if (av)
1756 error = avc_has_perm(tsec->sid, tsid,
1757 SECCLASS_FILE, av, NULL);
1758 }
1759
1760 return error;
1761}
1762
1763static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1764{
1765 int rc = 0;
1766
1767 if (!sb)
1768 return 0;
1769
1770 switch (cmds) {
1771 case Q_SYNC:
1772 case Q_QUOTAON:
1773 case Q_QUOTAOFF:
1774 case Q_SETINFO:
1775 case Q_SETQUOTA:
1776 rc = superblock_has_perm(current,
1777 sb,
1778 FILESYSTEM__QUOTAMOD, NULL);
1779 break;
1780 case Q_GETFMT:
1781 case Q_GETINFO:
1782 case Q_GETQUOTA:
1783 rc = superblock_has_perm(current,
1784 sb,
1785 FILESYSTEM__QUOTAGET, NULL);
1786 break;
1787 default:
1788 rc = 0; /* let the kernel handle invalid cmds */
1789 break;
1790 }
1791 return rc;
1792}
1793
1794static int selinux_quota_on(struct dentry *dentry)
1795{
1796 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1797}
1798
1799static int selinux_syslog(int type)
1800{
1801 int rc;
1802
1803 rc = secondary_ops->syslog(type);
1804 if (rc)
1805 return rc;
1806
1807 switch (type) {
1808 case 3: /* Read last kernel messages */
1809 case 10: /* Return size of the log buffer */
1810 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1811 break;
1812 case 6: /* Disable logging to console */
1813 case 7: /* Enable logging to console */
1814 case 8: /* Set level of messages printed to console */
1815 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1816 break;
1817 case 0: /* Close log */
1818 case 1: /* Open log */
1819 case 2: /* Read from log */
1820 case 4: /* Read/clear last kernel messages */
1821 case 5: /* Clear ring buffer */
1822 default:
1823 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1824 break;
1825 }
1826 return rc;
1827}
1828
1829/*
1830 * Check that a process has enough memory to allocate a new virtual
1831 * mapping. 0 means there is enough memory for the allocation to
1832 * succeed and -ENOMEM implies there is not.
1833 *
1834 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1835 * if the capability is granted, but __vm_enough_memory requires 1 if
1836 * the capability is granted.
1837 *
1838 * Do not audit the selinux permission check, as this is applied to all
1839 * processes that allocate mappings.
1840 */
34b4e4aa 1841static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 1842{
1843 int rc, cap_sys_admin = 0;
1844 struct task_security_struct *tsec = current->security;
1845
1846 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1847 if (rc == 0)
1848 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2c3c05db
SS		 1849 SECCLASS_CAPABILITY,
1850 CAP_TO_MASK(CAP_SYS_ADMIN),
1851 0,
1852 NULL);
1da177e4
LT		 1853
1854 if (rc == 0)
1855 cap_sys_admin = 1;
1856
34b4e4aa 1857 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 1858}
1859
1860/* binprm security operations */
1861
1862static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1863{
1864 struct bprm_security_struct *bsec;
1865
89d155ef 1866 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1da177e4
LT		 1867 if (!bsec)
1868 return -ENOMEM;
1869
1da177e4
LT		 1870 bsec->bprm = bprm;
1871 bsec->sid = SECINITSID_UNLABELED;
1872 bsec->set = 0;
1873
1874 bprm->security = bsec;
1875 return 0;
1876}
1877
1878static int selinux_bprm_set_security(struct linux_binprm *bprm)
1879{
1880 struct task_security_struct *tsec;
3d5ff529 1881 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1da177e4
LT		 1882 struct inode_security_struct *isec;
1883 struct bprm_security_struct *bsec;
1884 u32 newsid;
1885 struct avc_audit_data ad;
1886 int rc;
1887
1888 rc = secondary_ops->bprm_set_security(bprm);
1889 if (rc)
1890 return rc;
1891
1892 bsec = bprm->security;
1893
1894 if (bsec->set)
1895 return 0;
1896
1897 tsec = current->security;
1898 isec = inode->i_security;
1899
1900 /* Default to the current task SID. */
1901 bsec->sid = tsec->sid;
1902
28eba5bf 1903 /* Reset fs, key, and sock SIDs on execve. */
1da177e4 1904 tsec->create_sid = 0;
28eba5bf 1905 tsec->keycreate_sid = 0;
42c3e03e 1906 tsec->sockcreate_sid = 0;
1da177e4
LT		 1907
1908 if (tsec->exec_sid) {
1909 newsid = tsec->exec_sid;
1910 /* Reset exec SID on execve. */
1911 tsec->exec_sid = 0;
1912 } else {
1913 /* Check for a default transition on this program. */
1914 rc = security_transition_sid(tsec->sid, isec->sid,
1915 SECCLASS_PROCESS, &newsid);
1916 if (rc)
1917 return rc;
1918 }
1919
1920 AVC_AUDIT_DATA_INIT(&ad, FS);
3d5ff529
JS		 1921 ad.u.fs.mnt = bprm->file->f_path.mnt;
1922 ad.u.fs.dentry = bprm->file->f_path.dentry;
1da177e4 1923
3d5ff529 1924 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1da177e4
LT		 1925 newsid = tsec->sid;
1926
1927 if (tsec->sid == newsid) {
1928 rc = avc_has_perm(tsec->sid, isec->sid,
1929 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1930 if (rc)
1931 return rc;
1932 } else {
1933 /* Check permissions for the transition. */
1934 rc = avc_has_perm(tsec->sid, newsid,
1935 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1936 if (rc)
1937 return rc;
1938
1939 rc = avc_has_perm(newsid, isec->sid,
1940 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1941 if (rc)
1942 return rc;
1943
1944 /* Clear any possibly unsafe personality bits on exec: */
1945 current->personality &= ~PER_CLEAR_ON_SETID;
1946
1947 /* Set the security field to the new SID. */
1948 bsec->sid = newsid;
1949 }
1950
1951 bsec->set = 1;
1952 return 0;
1953}
1954
1955static int selinux_bprm_check_security (struct linux_binprm *bprm)
1956{
1957 return secondary_ops->bprm_check_security(bprm);
1958}
1959
1960
1961static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1962{
1963 struct task_security_struct *tsec = current->security;
1964 int atsecure = 0;
1965
1966 if (tsec->osid != tsec->sid) {
1967 /* Enable secure mode for SIDs transitions unless
1968 the noatsecure permission is granted between
1969 the two SIDs, i.e. ahp returns 0. */
1970 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1971 SECCLASS_PROCESS,
1972 PROCESS__NOATSECURE, NULL);
1973 }
1974
1975 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1976}
1977
1978static void selinux_bprm_free_security(struct linux_binprm *bprm)
1979{
9a5f04bf 1980 kfree(bprm->security);
1da177e4 1981 bprm->security = NULL;
1da177e4
LT		 1982}
1983
1984extern struct vfsmount *selinuxfs_mount;
1985extern struct dentry *selinux_null;
1986
1987/* Derived from fs/exec.c:flush_old_files. */
1988static inline void flush_unauthorized_files(struct files_struct * files)
1989{
1990 struct avc_audit_data ad;
1991 struct file *file, *devnull = NULL;
b20c8122 1992 struct tty_struct *tty;
badf1662 1993 struct fdtable *fdt;
1da177e4 1994 long j = -1;
24ec839c 1995 int drop_tty = 0;
1da177e4 1996
b20c8122 1997 mutex_lock(&tty_mutex);
24ec839c 1998 tty = get_current_tty();
1da177e4
LT		 1999 if (tty) {
2000 file_list_lock();
2f512016 2001 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1da177e4
LT		 2002 if (file) {
2003 /* Revalidate access to controlling tty.
2004 Use inode_has_perm on the tty inode directly rather
2005 than using file_has_perm, as this particular open
2006 file may belong to another process and we are only
2007 interested in the inode-based check here. */
3d5ff529 2008 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2009 if (inode_has_perm(current, inode,
2010 FILE__READ | FILE__WRITE, NULL)) {
24ec839c 2011 drop_tty = 1;
1da177e4
LT		 2012 }
2013 }
2014 file_list_unlock();
2015 }
b20c8122 2016 mutex_unlock(&tty_mutex);
98a27ba4
EB		 2017 /* Reset controlling tty. */
2018 if (drop_tty)
2019 no_tty();
1da177e4
LT		 2020
2021 /* Revalidate access to inherited open files. */
2022
2023 AVC_AUDIT_DATA_INIT(&ad,FS);
2024
2025 spin_lock(&files->file_lock);
2026 for (;;) {
2027 unsigned long set, i;
2028 int fd;
2029
2030 j++;
2031 i = j * __NFDBITS;
badf1662 2032 fdt = files_fdtable(files);
bbea9f69 2033 if (i >= fdt->max_fds)
1da177e4 2034 break;
badf1662 2035 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 2036 if (!set)
2037 continue;
2038 spin_unlock(&files->file_lock);
2039 for ( ; set ; i++,set >>= 1) {
2040 if (set & 1) {
2041 file = fget(i);
2042 if (!file)
2043 continue;
2044 if (file_has_perm(current,
2045 file,
2046 file_to_av(file))) {
2047 sys_close(i);
2048 fd = get_unused_fd();
2049 if (fd != i) {
2050 if (fd >= 0)
2051 put_unused_fd(fd);
2052 fput(file);
2053 continue;
2054 }
2055 if (devnull) {
095975da 2056 get_file(devnull);
1da177e4
LT		 2057 } else {
2058 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
fc5d81e6
AM		 2059 if (IS_ERR(devnull)) {
2060 devnull = NULL;
1da177e4
LT		 2061 put_unused_fd(fd);
2062 fput(file);
2063 continue;
2064 }
2065 }
2066 fd_install(fd, devnull);
2067 }
2068 fput(file);
2069 }
2070 }
2071 spin_lock(&files->file_lock);
2072
2073 }
2074 spin_unlock(&files->file_lock);
2075}
2076
2077static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2078{
2079 struct task_security_struct *tsec;
2080 struct bprm_security_struct *bsec;
2081 u32 sid;
2082 int rc;
2083
2084 secondary_ops->bprm_apply_creds(bprm, unsafe);
2085
2086 tsec = current->security;
2087
2088 bsec = bprm->security;
2089 sid = bsec->sid;
2090
2091 tsec->osid = tsec->sid;
2092 bsec->unsafe = 0;
2093 if (tsec->sid != sid) {
2094 /* Check for shared state. If not ok, leave SID
2095 unchanged and kill. */
2096 if (unsafe & LSM_UNSAFE_SHARE) {
2097 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2098 PROCESS__SHARE, NULL);
2099 if (rc) {
2100 bsec->unsafe = 1;
2101 return;
2102 }
2103 }
2104
2105 /* Check for ptracing, and update the task SID if ok.
2106 Otherwise, leave SID unchanged and kill. */
2107 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2108 rc = avc_has_perm(tsec->ptrace_sid, sid,
2109 SECCLASS_PROCESS, PROCESS__PTRACE,
2110 NULL);
2111 if (rc) {
2112 bsec->unsafe = 1;
2113 return;
2114 }
2115 }
2116 tsec->sid = sid;
2117 }
2118}
2119
2120/*
2121 * called after apply_creds without the task lock held
2122 */
2123static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2124{
2125 struct task_security_struct *tsec;
2126 struct rlimit *rlim, *initrlim;
2127 struct itimerval itimer;
2128 struct bprm_security_struct *bsec;
2129 int rc, i;
2130
2131 tsec = current->security;
2132 bsec = bprm->security;
2133
2134 if (bsec->unsafe) {
2135 force_sig_specific(SIGKILL, current);
2136 return;
2137 }
2138 if (tsec->osid == tsec->sid)
2139 return;
2140
2141 /* Close files for which the new task SID is not authorized. */
2142 flush_unauthorized_files(current->files);
2143
2144 /* Check whether the new SID can inherit signal state
2145 from the old SID. If not, clear itimers to avoid
2146 subsequent signal generation and flush and unblock
2147 signals. This must occur _after_ the task SID has
2148 been updated so that any kill done after the flush
2149 will be checked against the new SID. */
2150 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2151 PROCESS__SIGINH, NULL);
2152 if (rc) {
2153 memset(&itimer, 0, sizeof itimer);
2154 for (i = 0; i < 3; i++)
2155 do_setitimer(i, &itimer, NULL);
2156 flush_signals(current);
2157 spin_lock_irq(&current->sighand->siglock);
2158 flush_signal_handlers(current, 1);
2159 sigemptyset(&current->blocked);
2160 recalc_sigpending();
2161 spin_unlock_irq(&current->sighand->siglock);
2162 }
2163
4ac212ad
SS		 2164 /* Always clear parent death signal on SID transitions. */
2165 current->pdeath_signal = 0;
2166
1da177e4
LT		 2167 /* Check whether the new SID can inherit resource limits
2168 from the old SID. If not, reset all soft limits to
2169 the lower of the current task's hard limit and the init
2170 task's soft limit. Note that the setting of hard limits
2171 (even to lower them) can be controlled by the setrlimit
2172 check. The inclusion of the init task's soft limit into
2173 the computation is to avoid resetting soft limits higher
2174 than the default soft limit for cases where the default
2175 is lower than the hard limit, e.g. RLIMIT_CORE or
2176 RLIMIT_STACK.*/
2177 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2178 PROCESS__RLIMITINH, NULL);
2179 if (rc) {
2180 for (i = 0; i < RLIM_NLIMITS; i++) {
2181 rlim = current->signal->rlim + i;
2182 initrlim = init_task.signal->rlim+i;
2183 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2184 }
2185 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2186 /*
2187 * This will cause RLIMIT_CPU calculations
2188 * to be refigured.
2189 */
2190 current->it_prof_expires = jiffies_to_cputime(1);
2191 }
2192 }
2193
2194 /* Wake up the parent if it is waiting so that it can
2195 recheck wait permission to the new task SID. */
2196 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2197}
2198
2199/* superblock security operations */
2200
2201static int selinux_sb_alloc_security(struct super_block *sb)
2202{
2203 return superblock_alloc_security(sb);
2204}
2205
2206static void selinux_sb_free_security(struct super_block *sb)
2207{
2208 superblock_free_security(sb);
2209}
2210
2211static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2212{
2213 if (plen > olen)
2214 return 0;
2215
2216 return !memcmp(prefix, option, plen);
2217}
2218
2219static inline int selinux_option(char *option, int len)
2220{
2221 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2222 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
0808925e
EP		 2223 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2224 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
1da177e4
LT		 2225}
2226
2227static inline void take_option(char **to, char *from, int *first, int len)
2228{
2229 if (!*first) {
2230 **to = ',';
2231 *to += 1;
3528a953 2232 } else
1da177e4
LT		 2233 *first = 0;
2234 memcpy(*to, from, len);
2235 *to += len;
2236}
2237
3528a953
CO		 2238static inline void take_selinux_option(char **to, char *from, int *first,
2239 int len)
2240{
2241 int current_size = 0;
2242
2243 if (!*first) {
2244 **to = '|';
2245 *to += 1;
2246 }
2247 else
2248 *first = 0;
2249
2250 while (current_size < len) {
2251 if (*from != '"') {
2252 **to = *from;
2253 *to += 1;
2254 }
2255 from += 1;
2256 current_size += 1;
2257 }
2258}
2259
1da177e4
LT		 2260static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
2261{
2262 int fnosec, fsec, rc = 0;
2263 char *in_save, *in_curr, *in_end;
2264 char *sec_curr, *nosec_save, *nosec;
3528a953 2265 int open_quote = 0;
1da177e4
LT		 2266
2267 in_curr = orig;
2268 sec_curr = copy;
2269
2270 /* Binary mount data: just copy */
2271 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
2272 copy_page(sec_curr, in_curr);
2273 goto out;
2274 }
2275
2276 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2277 if (!nosec) {
2278 rc = -ENOMEM;
2279 goto out;
2280 }
2281
2282 nosec_save = nosec;
2283 fnosec = fsec = 1;
2284 in_save = in_end = orig;
2285
2286 do {
3528a953
CO		 2287 if (*in_end == '"')
2288 open_quote = !open_quote;
2289 if ((*in_end == ',' && open_quote == 0) ||
2290 *in_end == '\0') {
1da177e4
LT		 2291 int len = in_end - in_curr;
2292
2293 if (selinux_option(in_curr, len))
3528a953 2294 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2295 else
2296 take_option(&nosec, in_curr, &fnosec, len);
2297
2298 in_curr = in_end + 1;
2299 }
2300 } while (*in_end++);
2301
6931dfc9 2302 strcpy(in_save, nosec_save);
da3caa20 2303 free_page((unsigned long)nosec_save);
1da177e4
LT		 2304out:
2305 return rc;
2306}
2307
2308static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2309{
2310 struct avc_audit_data ad;
2311 int rc;
2312
2313 rc = superblock_doinit(sb, data);
2314 if (rc)
2315 return rc;
2316
2317 AVC_AUDIT_DATA_INIT(&ad,FS);
2318 ad.u.fs.dentry = sb->s_root;
2319 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2320}
2321
726c3342 2322static int selinux_sb_statfs(struct dentry *dentry)
1da177e4
LT		 2323{
2324 struct avc_audit_data ad;
2325
2326 AVC_AUDIT_DATA_INIT(&ad,FS);
726c3342
DH		 2327 ad.u.fs.dentry = dentry->d_sb->s_root;
2328 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2329}
2330
2331static int selinux_mount(char * dev_name,
2332 struct nameidata *nd,
2333 char * type,
2334 unsigned long flags,
2335 void * data)
2336{
2337 int rc;
2338
2339 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2340 if (rc)
2341 return rc;
2342
2343 if (flags & MS_REMOUNT)
4ac91378 2344 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
1da177e4
LT		 2345 FILESYSTEM__REMOUNT, NULL);
2346 else
4ac91378 2347 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
1da177e4
LT		 2348 FILE__MOUNTON);
2349}
2350
2351static int selinux_umount(struct vfsmount *mnt, int flags)
2352{
2353 int rc;
2354
2355 rc = secondary_ops->sb_umount(mnt, flags);
2356 if (rc)
2357 return rc;
2358
2359 return superblock_has_perm(current,mnt->mnt_sb,
2360 FILESYSTEM__UNMOUNT,NULL);
2361}
2362
2363/* inode security operations */
2364
2365static int selinux_inode_alloc_security(struct inode *inode)
2366{
2367 return inode_alloc_security(inode);
2368}
2369
2370static void selinux_inode_free_security(struct inode *inode)
2371{
2372 inode_free_security(inode);
2373}
2374
5e41ff9e
SS		 2375static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2376 char **name, void **value,
2377 size_t *len)
2378{
2379 struct task_security_struct *tsec;
2380 struct inode_security_struct *dsec;
2381 struct superblock_security_struct *sbsec;
570bc1c2 2382 u32 newsid, clen;
5e41ff9e 2383 int rc;
570bc1c2 2384 char *namep = NULL, *context;
5e41ff9e
SS		 2385
2386 tsec = current->security;
2387 dsec = dir->i_security;
2388 sbsec = dir->i_sb->s_security;
5e41ff9e
SS		 2389
2390 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2391 newsid = tsec->create_sid;
2392 } else {
2393 rc = security_transition_sid(tsec->sid, dsec->sid,
2394 inode_mode_to_security_class(inode->i_mode),
2395 &newsid);
2396 if (rc) {
2397 printk(KERN_WARNING "%s: "
2398 "security_transition_sid failed, rc=%d (dev=%s "
2399 "ino=%ld)\n",
2400 __FUNCTION__,
2401 -rc, inode->i_sb->s_id, inode->i_ino);
2402 return rc;
2403 }
2404 }
2405
296fddf7
EP		 2406 /* Possibly defer initialization to selinux_complete_init. */
2407 if (sbsec->initialized) {
2408 struct inode_security_struct *isec = inode->i_security;
2409 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2410 isec->sid = newsid;
2411 isec->initialized = 1;
2412 }
5e41ff9e 2413
8aad3875 2414 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
25a74f3b
SS		 2415 return -EOPNOTSUPP;
2416
570bc1c2
SS		 2417 if (name) {
2418 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2419 if (!namep)
2420 return -ENOMEM;
2421 *name = namep;
2422 }
5e41ff9e 2423
570bc1c2
SS		 2424 if (value && len) {
2425 rc = security_sid_to_context(newsid, &context, &clen);
2426 if (rc) {
2427 kfree(namep);
2428 return rc;
2429 }
2430 *value = context;
2431 *len = clen;
5e41ff9e 2432 }
5e41ff9e 2433
5e41ff9e
SS		 2434 return 0;
2435}
2436
1da177e4
LT		 2437static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2438{
2439 return may_create(dir, dentry, SECCLASS_FILE);
2440}
2441
1da177e4
LT		 2442static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2443{
2444 int rc;
2445
2446 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2447 if (rc)
2448 return rc;
2449 return may_link(dir, old_dentry, MAY_LINK);
2450}
2451
1da177e4
LT		 2452static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2453{
2454 int rc;
2455
2456 rc = secondary_ops->inode_unlink(dir, dentry);
2457 if (rc)
2458 return rc;
2459 return may_link(dir, dentry, MAY_UNLINK);
2460}
2461
2462static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2463{
2464 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2465}
2466
1da177e4
LT		 2467static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2468{
2469 return may_create(dir, dentry, SECCLASS_DIR);
2470}
2471
1da177e4
LT		 2472static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2473{
2474 return may_link(dir, dentry, MAY_RMDIR);
2475}
2476
2477static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2478{
2479 int rc;
2480
2481 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2482 if (rc)
2483 return rc;
2484
2485 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2486}
2487
1da177e4
LT		 2488static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2489 struct inode *new_inode, struct dentry *new_dentry)
2490{
2491 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2492}
2493
1da177e4
LT		 2494static int selinux_inode_readlink(struct dentry *dentry)
2495{
2496 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2497}
2498
2499static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2500{
2501 int rc;
2502
2503 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2504 if (rc)
2505 return rc;
2506 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2507}
2508
2509static int selinux_inode_permission(struct inode *inode, int mask,
2510 struct nameidata *nd)
2511{
2512 int rc;
2513
2514 rc = secondary_ops->inode_permission(inode, mask, nd);
2515 if (rc)
2516 return rc;
2517
2518 if (!mask) {
2519 /* No permission to check. Existence test. */
2520 return 0;
2521 }
2522
2523 return inode_has_perm(current, inode,
2524 file_mask_to_av(inode->i_mode, mask), NULL);
2525}
2526
2527static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2528{
2529 int rc;
2530
2531 rc = secondary_ops->inode_setattr(dentry, iattr);
2532 if (rc)
2533 return rc;
2534
2535 if (iattr->ia_valid & ATTR_FORCE)
2536 return 0;
2537
2538 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2539 ATTR_ATIME_SET | ATTR_MTIME_SET))
2540 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2541
2542 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2543}
2544
2545static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2546{
2547 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2548}
2549
b5376771
SH		 2550static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2551{
2552 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2553 sizeof XATTR_SECURITY_PREFIX - 1)) {
2554 if (!strcmp(name, XATTR_NAME_CAPS)) {
2555 if (!capable(CAP_SETFCAP))
2556 return -EPERM;
2557 } else if (!capable(CAP_SYS_ADMIN)) {
2558 /* A different attribute in the security namespace.
2559 Restrict to administrator. */
2560 return -EPERM;
2561 }
2562 }
2563
2564 /* Not an attribute we recognize, so just check the
2565 ordinary setattr permission. */
2566 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2567}
2568
1da177e4
LT		 2569static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2570{
2571 struct task_security_struct *tsec = current->security;
2572 struct inode *inode = dentry->d_inode;
2573 struct inode_security_struct *isec = inode->i_security;
2574 struct superblock_security_struct *sbsec;
2575 struct avc_audit_data ad;
2576 u32 newsid;
2577 int rc = 0;
2578
b5376771
SH		 2579 if (strcmp(name, XATTR_NAME_SELINUX))
2580 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2581
2582 sbsec = inode->i_sb->s_security;
2583 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2584 return -EOPNOTSUPP;
2585
3bd858ab 2586 if (!is_owner_or_cap(inode))
1da177e4
LT		 2587 return -EPERM;
2588
2589 AVC_AUDIT_DATA_INIT(&ad,FS);
2590 ad.u.fs.dentry = dentry;
2591
2592 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2593 FILE__RELABELFROM, &ad);
2594 if (rc)
2595 return rc;
2596
2597 rc = security_context_to_sid(value, size, &newsid);
2598 if (rc)
2599 return rc;
2600
2601 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2602 FILE__RELABELTO, &ad);
2603 if (rc)
2604 return rc;
2605
2606 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2607 isec->sclass);
2608 if (rc)
2609 return rc;
2610
2611 return avc_has_perm(newsid,
2612 sbsec->sid,
2613 SECCLASS_FILESYSTEM,
2614 FILESYSTEM__ASSOCIATE,
2615 &ad);
2616}
2617
2618static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2619 void *value, size_t size, int flags)
2620{
2621 struct inode *inode = dentry->d_inode;
2622 struct inode_security_struct *isec = inode->i_security;
2623 u32 newsid;
2624 int rc;
2625
2626 if (strcmp(name, XATTR_NAME_SELINUX)) {
2627 /* Not an attribute we recognize, so nothing to do. */
2628 return;
2629 }
2630
2631 rc = security_context_to_sid(value, size, &newsid);
2632 if (rc) {
2633 printk(KERN_WARNING "%s: unable to obtain SID for context "
2634 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2635 return;
2636 }
2637
2638 isec->sid = newsid;
2639 return;
2640}
2641
2642static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2643{
1da177e4
LT		 2644 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2645}
2646
2647static int selinux_inode_listxattr (struct dentry *dentry)
2648{
2649 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2650}
2651
2652static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2653{
b5376771
SH		 2654 if (strcmp(name, XATTR_NAME_SELINUX))
2655 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2656
2657 /* No one is allowed to remove a SELinux security label.
2658 You can change the label, but all data must be labeled. */
2659 return -EACCES;
2660}
2661
d381d8a9
JM		 2662/*
2663 * Copy the in-core inode security context value to the user. If the
2664 * getxattr() prior to this succeeded, check to see if we need to
2665 * canonicalize the value to be finally returned to the user.
2666 *
2667 * Permission check is handled by selinux_inode_getxattr hook.
2668 */
42492594 2669static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 2670{
42492594
DQ		 2671 u32 size;
2672 int error;
2673 char *context = NULL;
1da177e4 2674 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2675
8c8570fb
DK		 2676 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2677 return -EOPNOTSUPP;
d381d8a9 2678
42492594
DQ		 2679 error = security_sid_to_context(isec->sid, &context, &size);
2680 if (error)
2681 return error;
2682 error = size;
2683 if (alloc) {
2684 *buffer = context;
2685 goto out_nofree;
2686 }
2687 kfree(context);
2688out_nofree:
2689 return error;
1da177e4
LT		 2690}
2691
2692static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2693 const void *value, size_t size, int flags)
2694{
2695 struct inode_security_struct *isec = inode->i_security;
2696 u32 newsid;
2697 int rc;
2698
2699 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2700 return -EOPNOTSUPP;
2701
2702 if (!value || !size)
2703 return -EACCES;
2704
2705 rc = security_context_to_sid((void*)value, size, &newsid);
2706 if (rc)
2707 return rc;
2708
2709 isec->sid = newsid;
2710 return 0;
2711}
2712
2713static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2714{
2715 const int len = sizeof(XATTR_NAME_SELINUX);
2716 if (buffer && len <= buffer_size)
2717 memcpy(buffer, XATTR_NAME_SELINUX, len);
2718 return len;
2719}
2720
b5376771
SH		 2721static int selinux_inode_need_killpriv(struct dentry *dentry)
2722{
2723 return secondary_ops->inode_need_killpriv(dentry);
2724}
2725
2726static int selinux_inode_killpriv(struct dentry *dentry)
2727{
2728 return secondary_ops->inode_killpriv(dentry);
2729}
2730
1da177e4
LT		 2731/* file security operations */
2732
788e7dd4 2733static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 2734{
7420ed23 2735 int rc;
3d5ff529 2736 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2737
2738 if (!mask) {
2739 /* No permission to check. Existence test. */
2740 return 0;
2741 }
2742
2743 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2744 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2745 mask |= MAY_APPEND;
2746
7420ed23
VY		 2747 rc = file_has_perm(current, file,
2748 file_mask_to_av(inode->i_mode, mask));
2749 if (rc)
2750 return rc;
2751
2752 return selinux_netlbl_inode_permission(inode, mask);
1da177e4
LT		 2753}
2754
788e7dd4
YN		 2755static int selinux_file_permission(struct file *file, int mask)
2756{
2757 struct inode *inode = file->f_path.dentry->d_inode;
2758 struct task_security_struct *tsec = current->security;
2759 struct file_security_struct *fsec = file->f_security;
2760 struct inode_security_struct *isec = inode->i_security;
2761
2762 if (!mask) {
2763 /* No permission to check. Existence test. */
2764 return 0;
2765 }
2766
2767 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2768 && fsec->pseqno == avc_policy_seqno())
2769 return selinux_netlbl_inode_permission(inode, mask);
2770
2771 return selinux_revalidate_file_permission(file, mask);
2772}
2773
1da177e4
LT		 2774static int selinux_file_alloc_security(struct file *file)
2775{
2776 return file_alloc_security(file);
2777}
2778
2779static void selinux_file_free_security(struct file *file)
2780{
2781 file_free_security(file);
2782}
2783
2784static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2785 unsigned long arg)
2786{
2787 int error = 0;
2788
2789 switch (cmd) {
2790 case FIONREAD:
2791 /* fall through */
2792 case FIBMAP:
2793 /* fall through */
2794 case FIGETBSZ:
2795 /* fall through */
2796 case EXT2_IOC_GETFLAGS:
2797 /* fall through */
2798 case EXT2_IOC_GETVERSION:
2799 error = file_has_perm(current, file, FILE__GETATTR);
2800 break;
2801
2802 case EXT2_IOC_SETFLAGS:
2803 /* fall through */
2804 case EXT2_IOC_SETVERSION:
2805 error = file_has_perm(current, file, FILE__SETATTR);
2806 break;
2807
2808 /* sys_ioctl() checks */
2809 case FIONBIO:
2810 /* fall through */
2811 case FIOASYNC:
2812 error = file_has_perm(current, file, 0);
2813 break;
2814
2815 case KDSKBENT:
2816 case KDSKBSENT:
2817 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2818 break;
2819
2820 /* default case assumes that the command will go
2821 * to the file's ioctl() function.
2822 */
2823 default:
2824 error = file_has_perm(current, file, FILE__IOCTL);
2825
2826 }
2827 return error;
2828}
2829
2830static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2831{
2832#ifndef CONFIG_PPC32
2833 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2834 /*
2835 * We are making executable an anonymous mapping or a
2836 * private file mapping that will also be writable.
2837 * This has an additional check.
2838 */
2839 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2840 if (rc)
2841 return rc;
2842 }
2843#endif
2844
2845 if (file) {
2846 /* read access is always possible with a mapping */
2847 u32 av = FILE__READ;
2848
2849 /* write access only matters if the mapping is shared */
2850 if (shared && (prot & PROT_WRITE))
2851 av |= FILE__WRITE;
2852
2853 if (prot & PROT_EXEC)
2854 av |= FILE__EXECUTE;
2855
2856 return file_has_perm(current, file, av);
2857 }
2858 return 0;
2859}
2860
2861static int selinux_file_mmap(struct file *file, unsigned long reqprot,
ed032189
EP		 2862 unsigned long prot, unsigned long flags,
2863 unsigned long addr, unsigned long addr_only)
1da177e4 2864{
ed032189
EP		 2865 int rc = 0;
2866 u32 sid = ((struct task_security_struct*)(current->security))->sid;
1da177e4 2867
ed032189
EP		 2868 if (addr < mmap_min_addr)
2869 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2870 MEMPROTECT__MMAP_ZERO, NULL);
2871 if (rc || addr_only)
1da177e4
LT		 2872 return rc;
2873
2874 if (selinux_checkreqprot)
2875 prot = reqprot;
2876
2877 return file_map_prot_check(file, prot,
2878 (flags & MAP_TYPE) == MAP_SHARED);
2879}
2880
2881static int selinux_file_mprotect(struct vm_area_struct *vma,
2882 unsigned long reqprot,
2883 unsigned long prot)
2884{
2885 int rc;
2886
2887 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2888 if (rc)
2889 return rc;
2890
2891 if (selinux_checkreqprot)
2892 prot = reqprot;
2893
2894#ifndef CONFIG_PPC32
db4c9641
SS		 2895 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2896 rc = 0;
2897 if (vma->vm_start >= vma->vm_mm->start_brk &&
2898 vma->vm_end <= vma->vm_mm->brk) {
2899 rc = task_has_perm(current, current,
2900 PROCESS__EXECHEAP);
2901 } else if (!vma->vm_file &&
2902 vma->vm_start <= vma->vm_mm->start_stack &&
2903 vma->vm_end >= vma->vm_mm->start_stack) {
2904 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2905 } else if (vma->vm_file && vma->anon_vma) {
2906 /*
2907 * We are making executable a file mapping that has
2908 * had some COW done. Since pages might have been
2909 * written, check ability to execute the possibly
2910 * modified content. This typically should only
2911 * occur for text relocations.
2912 */
2913 rc = file_has_perm(current, vma->vm_file,
2914 FILE__EXECMOD);
2915 }