]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blame - security/selinux/hooks.c
projects / mirror_ubuntu-artful-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
selinux: fix problems in netnode when BUG() is compiled out
[mirror_ubuntu-artful-kernel.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4 26#include <linux/init.h>
0b24dcb7 27#include <linux/kd.h>
1da177e4 28#include <linux/kernel.h>
0d094efe 29#include <linux/tracehook.h>
1da177e4
LT		 30#include <linux/errno.h>
31#include <linux/sched.h>
32#include <linux/security.h>
33#include <linux/xattr.h>
34#include <linux/capability.h>
35#include <linux/unistd.h>
36#include <linux/mm.h>
37#include <linux/mman.h>
38#include <linux/slab.h>
39#include <linux/pagemap.h>
0b24dcb7 40#include <linux/proc_fs.h>
1da177e4 41#include <linux/swap.h>
1da177e4
LT		 42#include <linux/spinlock.h>
43#include <linux/syscalls.h>
2a7dba39 44#include <linux/dcache.h>
1da177e4 45#include <linux/file.h>
9f3acc31 46#include <linux/fdtable.h>
1da177e4
LT		 47#include <linux/namei.h>
48#include <linux/mount.h>
1da177e4
LT		 49#include <linux/netfilter_ipv4.h>
50#include <linux/netfilter_ipv6.h>
51#include <linux/tty.h>
52#include <net/icmp.h>
227b60f5 53#include <net/ip.h> /* for local_port_range[] */
ca10b9e9 54#include <net/sock.h>
1da177e4 55#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
220deb96 56#include <net/net_namespace.h>
d621d35e 57#include <net/netlabel.h>
f5269710 58#include <linux/uaccess.h>
1da177e4 59#include <asm/ioctls.h>
60063497 60#include <linux/atomic.h>
1da177e4
LT		 61#include <linux/bitops.h>
62#include <linux/interrupt.h>
63#include <linux/netdevice.h> /* for network interface checks */
77954983 64#include <net/netlink.h>
1da177e4
LT		 65#include <linux/tcp.h>
66#include <linux/udp.h>
2ee92d46 67#include <linux/dccp.h>
1da177e4
LT		 68#include <linux/quota.h>
69#include <linux/un.h> /* for Unix socket types */
70#include <net/af_unix.h> /* for Unix socket types */
71#include <linux/parser.h>
72#include <linux/nfs_mount.h>
73#include <net/ipv6.h>
74#include <linux/hugetlb.h>
75#include <linux/personality.h>
1da177e4 76#include <linux/audit.h>
6931dfc9 77#include <linux/string.h>
877ce7c1 78#include <linux/selinux.h>
23970741 79#include <linux/mutex.h>
f06febc9 80#include <linux/posix-timers.h>
00234592 81#include <linux/syslog.h>
3486740a 82#include <linux/user_namespace.h>
44fc7ea0 83#include <linux/export.h>
40401530
AV		 84#include <linux/msg.h>
85#include <linux/shm.h>
1da177e4
LT		 86
87#include "avc.h"
88#include "objsec.h"
89#include "netif.h"
224dfbd8 90#include "netnode.h"
3e112172 91#include "netport.h"
d28d1e08 92#include "xfrm.h"
c60475bf 93#include "netlabel.h"
9d57a7f9 94#include "audit.h"
7b98a585 95#include "avc_ss.h"
1da177e4 96
20510f2f 97extern struct security_operations *security_ops;
1da177e4 98
d621d35e 99/* SECMARK reference count */
56a4ca99 100static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 101
1da177e4 102#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 103int selinux_enforcing;
1da177e4
LT		 104
105static int __init enforcing_setup(char *str)
106{
f5269710
EP		 107 unsigned long enforcing;
108 if (!strict_strtoul(str, 0, &enforcing))
109 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 110 return 1;
111}
112__setup("enforcing=", enforcing_setup);
113#endif
114
115#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
116int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
117
118static int __init selinux_enabled_setup(char *str)
119{
f5269710
EP		 120 unsigned long enabled;
121 if (!strict_strtoul(str, 0, &enabled))
122 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 123 return 1;
124}
125__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 126#else
127int selinux_enabled = 1;
1da177e4
LT		 128#endif
129
e18b890b 130static struct kmem_cache *sel_inode_cache;
7cae7e26 131
d621d35e
PM		 132/**
133 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
134 *
135 * Description:
136 * This function checks the SECMARK reference counter to see if any SECMARK
137 * targets are currently configured, if the reference counter is greater than
138 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
139 * enabled, false (0) if SECMARK is disabled.
140 *
141 */
142static int selinux_secmark_enabled(void)
143{
144 return (atomic_read(&selinux_secmark_refcount) > 0);
145}
146
d84f4f99
DH		 147/*
148 * initialise the security for the init task
149 */
150static void cred_init_security(void)
1da177e4 151{
3b11a1de 152 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 153 struct task_security_struct *tsec;
154
89d155ef 155 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 156 if (!tsec)
d84f4f99 157 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 158
d84f4f99 159 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 160 cred->security = tsec;
1da177e4
LT		 161}
162
88e67f3b
DH		 163/*
164 * get the security ID of a set of credentials
165 */
166static inline u32 cred_sid(const struct cred *cred)
167{
168 const struct task_security_struct *tsec;
169
170 tsec = cred->security;
171 return tsec->sid;
172}
173
275bb41e 174/*
3b11a1de 175 * get the objective security ID of a task
275bb41e
DH		 176 */
177static inline u32 task_sid(const struct task_struct *task)
178{
275bb41e
DH		 179 u32 sid;
180
181 rcu_read_lock();
88e67f3b 182 sid = cred_sid(__task_cred(task));
275bb41e
DH		 183 rcu_read_unlock();
184 return sid;
185}
186
187/*
3b11a1de 188 * get the subjective security ID of the current task
275bb41e
DH		 189 */
190static inline u32 current_sid(void)
191{
5fb49870 192 const struct task_security_struct *tsec = current_security();
275bb41e
DH		 193
194 return tsec->sid;
195}
196
88e67f3b
DH		 197/* Allocate and free functions for each kind of security blob. */
198
1da177e4
LT		 199static int inode_alloc_security(struct inode *inode)
200{
1da177e4 201 struct inode_security_struct *isec;
275bb41e 202 u32 sid = current_sid();
1da177e4 203
a02fe132 204 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 205 if (!isec)
206 return -ENOMEM;
207
23970741 208 mutex_init(&isec->lock);
1da177e4 209 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 210 isec->inode = inode;
211 isec->sid = SECINITSID_UNLABELED;
212 isec->sclass = SECCLASS_FILE;
275bb41e 213 isec->task_sid = sid;
1da177e4
LT		 214 inode->i_security = isec;
215
216 return 0;
217}
218
219static void inode_free_security(struct inode *inode)
220{
221 struct inode_security_struct *isec = inode->i_security;
222 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
223
1da177e4
LT		 224 spin_lock(&sbsec->isec_lock);
225 if (!list_empty(&isec->list))
226 list_del_init(&isec->list);
227 spin_unlock(&sbsec->isec_lock);
228
229 inode->i_security = NULL;
7cae7e26 230 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 231}
232
233static int file_alloc_security(struct file *file)
234{
1da177e4 235 struct file_security_struct *fsec;
275bb41e 236 u32 sid = current_sid();
1da177e4 237
26d2a4be 238 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 239 if (!fsec)
240 return -ENOMEM;
241
275bb41e
DH		 242 fsec->sid = sid;
243 fsec->fown_sid = sid;
1da177e4
LT		 244 file->f_security = fsec;
245
246 return 0;
247}
248
249static void file_free_security(struct file *file)
250{
251 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 252 file->f_security = NULL;
253 kfree(fsec);
254}
255
256static int superblock_alloc_security(struct super_block *sb)
257{
258 struct superblock_security_struct *sbsec;
259
89d155ef 260 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 261 if (!sbsec)
262 return -ENOMEM;
263
bc7e982b 264 mutex_init(&sbsec->lock);
1da177e4
LT		 265 INIT_LIST_HEAD(&sbsec->isec_head);
266 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 267 sbsec->sb = sb;
268 sbsec->sid = SECINITSID_UNLABELED;
269 sbsec->def_sid = SECINITSID_FILE;
c312feb2 270 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 271 sb->s_security = sbsec;
272
273 return 0;
274}
275
276static void superblock_free_security(struct super_block *sb)
277{
278 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 279 sb->s_security = NULL;
280 kfree(sbsec);
281}
282
1da177e4
LT		 283/* The file system's label must be initialized prior to use. */
284
634a539e 285static const char *labeling_behaviors[6] = {
1da177e4
LT		 286 "uses xattr",
287 "uses transition SIDs",
288 "uses task SIDs",
289 "uses genfs_contexts",
290 "not configured for labeling",
291 "uses mountpoint labeling",
292};
293
294static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
295
296static inline int inode_doinit(struct inode *inode)
297{
298 return inode_doinit_with_dentry(inode, NULL);
299}
300
301enum {
31e87930 302 Opt_error = -1,
1da177e4
LT		 303 Opt_context = 1,
304 Opt_fscontext = 2,
c9180a57
EP		 305 Opt_defcontext = 3,
306 Opt_rootcontext = 4,
11689d47 307 Opt_labelsupport = 5,
d355987f 308 Opt_nextmntopt = 6,
1da177e4
LT		 309};
310
d355987f
EP		 311#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
312
a447c093 313static const match_table_t tokens = {
832cbd9a
EP		 314 {Opt_context, CONTEXT_STR "%s"},
315 {Opt_fscontext, FSCONTEXT_STR "%s"},
316 {Opt_defcontext, DEFCONTEXT_STR "%s"},
317 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 318 {Opt_labelsupport, LABELSUPP_STR},
31e87930 319 {Opt_error, NULL},
1da177e4
LT		 320};
321
322#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
323
c312feb2
EP		 324static int may_context_mount_sb_relabel(u32 sid,
325 struct superblock_security_struct *sbsec,
275bb41e 326 const struct cred *cred)
c312feb2 327{
275bb41e 328 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 329 int rc;
330
331 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
332 FILESYSTEM__RELABELFROM, NULL);
333 if (rc)
334 return rc;
335
336 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
337 FILESYSTEM__RELABELTO, NULL);
338 return rc;
339}
340
0808925e
EP		 341static int may_context_mount_inode_relabel(u32 sid,
342 struct superblock_security_struct *sbsec,
275bb41e 343 const struct cred *cred)
0808925e 344{
275bb41e 345 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 346 int rc;
347 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
348 FILESYSTEM__RELABELFROM, NULL);
349 if (rc)
350 return rc;
351
352 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
353 FILESYSTEM__ASSOCIATE, NULL);
354 return rc;
355}
356
b43e725d
EP		 357static int selinux_is_sblabel_mnt(struct super_block *sb)
358{
359 struct superblock_security_struct *sbsec = sb->s_security;
360
361 if (sbsec->behavior == SECURITY_FS_USE_XATTR ||
362 sbsec->behavior == SECURITY_FS_USE_TRANS ||
363 sbsec->behavior == SECURITY_FS_USE_TASK)
364 return 1;
365
366 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
367 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
368 return 1;
369
370 /*
371 * Special handling for rootfs. Is genfs but supports
372 * setting SELinux context on in-core inodes.
373 */
374 if (strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0)
375 return 1;
376
377 return 0;
378}
379
c9180a57 380static int sb_finish_set_opts(struct super_block *sb)
1da177e4 381{
1da177e4 382 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 383 struct dentry *root = sb->s_root;
384 struct inode *root_inode = root->d_inode;
385 int rc = 0;
1da177e4 386
c9180a57
EP		 387 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
388 /* Make sure that the xattr handler exists and that no
389 error other than -ENODATA is returned by getxattr on
390 the root directory. -ENODATA is ok, as this may be
391 the first boot of the SELinux kernel before we have
392 assigned xattr values to the filesystem. */
393 if (!root_inode->i_op->getxattr) {
394 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
395 "xattr support\n", sb->s_id, sb->s_type->name);
396 rc = -EOPNOTSUPP;
397 goto out;
398 }
399 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
400 if (rc < 0 && rc != -ENODATA) {
401 if (rc == -EOPNOTSUPP)
402 printk(KERN_WARNING "SELinux: (dev %s, type "
403 "%s) has no security xattr handler\n",
404 sb->s_id, sb->s_type->name);
405 else
406 printk(KERN_WARNING "SELinux: (dev %s, type "
407 "%s) getxattr errno %d\n", sb->s_id,
408 sb->s_type->name, -rc);
409 goto out;
410 }
411 }
1da177e4 412
c9180a57
EP		 413 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
414 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
415 sb->s_id, sb->s_type->name);
416 else
417 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
418 sb->s_id, sb->s_type->name,
419 labeling_behaviors[sbsec->behavior-1]);
1da177e4 420
eadcabc6 421 sbsec->flags |= SE_SBINITIALIZED;
b43e725d 422 if (selinux_is_sblabel_mnt(sb))
12f348b9 423 sbsec->flags |= SBLABEL_MNT;
5c73fceb 424
c9180a57
EP		 425 /* Initialize the root inode. */
426 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 427
c9180a57
EP		 428 /* Initialize any other inodes associated with the superblock, e.g.
429 inodes created prior to initial policy load or inodes created
430 during get_sb by a pseudo filesystem that directly
431 populates itself. */
432 spin_lock(&sbsec->isec_lock);
433next_inode:
434 if (!list_empty(&sbsec->isec_head)) {
435 struct inode_security_struct *isec =
436 list_entry(sbsec->isec_head.next,
437 struct inode_security_struct, list);
438 struct inode *inode = isec->inode;
439 spin_unlock(&sbsec->isec_lock);
440 inode = igrab(inode);
441 if (inode) {
442 if (!IS_PRIVATE(inode))
443 inode_doinit(inode);
444 iput(inode);
445 }
446 spin_lock(&sbsec->isec_lock);
447 list_del_init(&isec->list);
448 goto next_inode;
449 }
450 spin_unlock(&sbsec->isec_lock);
451out:
452 return rc;
453}
1da177e4 454
c9180a57
EP		 455/*
456 * This function should allow an FS to ask what it's mount security
457 * options were so it can use those later for submounts, displaying
458 * mount options, or whatever.
459 */
460static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 461 struct security_mnt_opts *opts)
c9180a57
EP		 462{
463 int rc = 0, i;
464 struct superblock_security_struct *sbsec = sb->s_security;
465 char *context = NULL;
466 u32 len;
467 char tmp;
1da177e4 468
e0007529 469 security_init_mnt_opts(opts);
1da177e4 470
0d90a7ec 471 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 472 return -EINVAL;
1da177e4 473
c9180a57
EP		 474 if (!ss_initialized)
475 return -EINVAL;
1da177e4 476
af8e50cc
EP		 477 /* make sure we always check enough bits to cover the mask */
478 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
479
0d90a7ec 480 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 481 /* count the number of mount options for this sb */
af8e50cc 482 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 483 if (tmp & 0x01)
e0007529 484 opts->num_mnt_opts++;
c9180a57
EP		 485 tmp >>= 1;
486 }
1da177e4 487
e0007529
EP		 488 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
489 if (!opts->mnt_opts) {
c9180a57
EP		 490 rc = -ENOMEM;
491 goto out_free;
492 }
1da177e4 493
e0007529
EP		 494 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
495 if (!opts->mnt_opts_flags) {
c9180a57
EP		 496 rc = -ENOMEM;
497 goto out_free;
498 }
1da177e4 499
c9180a57
EP		 500 i = 0;
501 if (sbsec->flags & FSCONTEXT_MNT) {
502 rc = security_sid_to_context(sbsec->sid, &context, &len);
503 if (rc)
504 goto out_free;
e0007529
EP		 505 opts->mnt_opts[i] = context;
506 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 507 }
508 if (sbsec->flags & CONTEXT_MNT) {
509 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
510 if (rc)
511 goto out_free;
e0007529
EP		 512 opts->mnt_opts[i] = context;
513 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 514 }
515 if (sbsec->flags & DEFCONTEXT_MNT) {
516 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
517 if (rc)
518 goto out_free;
e0007529
EP		 519 opts->mnt_opts[i] = context;
520 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 521 }
522 if (sbsec->flags & ROOTCONTEXT_MNT) {
523 struct inode *root = sbsec->sb->s_root->d_inode;
524 struct inode_security_struct *isec = root->i_security;
0808925e 525
c9180a57
EP		 526 rc = security_sid_to_context(isec->sid, &context, &len);
527 if (rc)
528 goto out_free;
e0007529
EP		 529 opts->mnt_opts[i] = context;
530 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 531 }
12f348b9 532 if (sbsec->flags & SBLABEL_MNT) {
11689d47 533 opts->mnt_opts[i] = NULL;
12f348b9 534 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 535 }
1da177e4 536
e0007529 537 BUG_ON(i != opts->num_mnt_opts);
1da177e4 538
c9180a57
EP		 539 return 0;
540
541out_free:
e0007529 542 security_free_mnt_opts(opts);
c9180a57
EP		 543 return rc;
544}
1da177e4 545
c9180a57
EP		 546static int bad_option(struct superblock_security_struct *sbsec, char flag,
547 u32 old_sid, u32 new_sid)
548{
0d90a7ec
DQ		 549 char mnt_flags = sbsec->flags & SE_MNTMASK;
550
c9180a57 551 /* check if the old mount command had the same options */
0d90a7ec 552 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 553 if (!(sbsec->flags & flag) ||
554 (old_sid != new_sid))
555 return 1;
556
557 /* check if we were passed the same options twice,
558 * aka someone passed context=a,context=b
559 */
0d90a7ec
DQ		 560 if (!(sbsec->flags & SE_SBINITIALIZED))
561 if (mnt_flags & flag)
c9180a57
EP		 562 return 1;
563 return 0;
564}
e0007529 565
c9180a57
EP		 566/*
567 * Allow filesystems with binary mount data to explicitly set mount point
568 * labeling information.
569 */
e0007529
EP		 570static int selinux_set_mnt_opts(struct super_block *sb,
571 struct security_mnt_opts *opts)
c9180a57 572{
275bb41e 573 const struct cred *cred = current_cred();
c9180a57 574 int rc = 0, i;
c9180a57
EP		 575 struct superblock_security_struct *sbsec = sb->s_security;
576 const char *name = sb->s_type->name;
089be43e
JM		 577 struct inode *inode = sbsec->sb->s_root->d_inode;
578 struct inode_security_struct *root_isec = inode->i_security;
c9180a57
EP		 579 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
580 u32 defcontext_sid = 0;
e0007529
EP		 581 char **mount_options = opts->mnt_opts;
582 int *flags = opts->mnt_opts_flags;
583 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 584
585 mutex_lock(&sbsec->lock);
586
587 if (!ss_initialized) {
588 if (!num_opts) {
589 /* Defer initialization until selinux_complete_init,
590 after the initial policy is loaded and the security
591 server is ready to handle calls. */
c9180a57
EP		 592 goto out;
593 }
594 rc = -EINVAL;
744ba35e
EP		 595 printk(KERN_WARNING "SELinux: Unable to set superblock options "
596 "before the security server is initialized\n");
1da177e4 597 goto out;
c9180a57 598 }
1da177e4 599
e0007529
EP		 600 /*
601 * Binary mount data FS will come through this function twice. Once
602 * from an explicit call and once from the generic calls from the vfs.
603 * Since the generic VFS calls will not contain any security mount data
604 * we need to skip the double mount verification.
605 *
606 * This does open a hole in which we will not notice if the first
607 * mount using this sb set explict options and a second mount using
608 * this sb does not set any security options. (The first options
609 * will be used for both mounts)
610 */
0d90a7ec 611 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 612 && (num_opts == 0))
f5269710 613 goto out;
e0007529 614
c9180a57
EP		 615 /*
616 * parse the mount options, check if they are valid sids.
617 * also check if someone is trying to mount the same sb more
618 * than once with different security options.
619 */
620 for (i = 0; i < num_opts; i++) {
621 u32 sid;
11689d47 622
12f348b9 623 if (flags[i] == SBLABEL_MNT)
11689d47 624 continue;
c9180a57
EP		 625 rc = security_context_to_sid(mount_options[i],
626 strlen(mount_options[i]), &sid);
1da177e4
LT		 627 if (rc) {
628 printk(KERN_WARNING "SELinux: security_context_to_sid"
629 "(%s) failed for (dev %s, type %s) errno=%d\n",
c9180a57
EP		 630 mount_options[i], sb->s_id, name, rc);
631 goto out;
632 }
633 switch (flags[i]) {
634 case FSCONTEXT_MNT:
635 fscontext_sid = sid;
636
637 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
638 fscontext_sid))
639 goto out_double_mount;
640
641 sbsec->flags |= FSCONTEXT_MNT;
642 break;
643 case CONTEXT_MNT:
644 context_sid = sid;
645
646 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
647 context_sid))
648 goto out_double_mount;
649
650 sbsec->flags |= CONTEXT_MNT;
651 break;
652 case ROOTCONTEXT_MNT:
653 rootcontext_sid = sid;
654
655 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
656 rootcontext_sid))
657 goto out_double_mount;
658
659 sbsec->flags |= ROOTCONTEXT_MNT;
660
661 break;
662 case DEFCONTEXT_MNT:
663 defcontext_sid = sid;
664
665 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
666 defcontext_sid))
667 goto out_double_mount;
668
669 sbsec->flags |= DEFCONTEXT_MNT;
670
671 break;
672 default:
673 rc = -EINVAL;
674 goto out;
1da177e4 675 }
c9180a57
EP		 676 }
677
0d90a7ec 678 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 679 /* previously mounted with options, but not on this attempt? */
0d90a7ec 680 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 681 goto out_double_mount;
682 rc = 0;
683 goto out;
684 }
685
089be43e 686 if (strcmp(sb->s_type->name, "proc") == 0)
0d90a7ec 687 sbsec->flags |= SE_SBPROC;
c9180a57
EP		 688
689 /* Determine the labeling behavior to use for this filesystem type. */
a64c54cf 690 rc = security_fs_use(sb);
c9180a57
EP		 691 if (rc) {
692 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
089be43e 693 __func__, sb->s_type->name, rc);
c9180a57
EP		 694 goto out;
695 }
1da177e4 696
c9180a57
EP		 697 /* sets the context of the superblock for the fs being mounted. */
698 if (fscontext_sid) {
275bb41e 699 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 700 if (rc)
c9180a57 701 goto out;
1da177e4 702
c9180a57 703 sbsec->sid = fscontext_sid;
c312feb2
EP		 704 }
705
706 /*
707 * Switch to using mount point labeling behavior.
708 * sets the label used on all file below the mountpoint, and will set
709 * the superblock context if not already set.
710 */
c9180a57
EP		 711 if (context_sid) {
712 if (!fscontext_sid) {
275bb41e
DH		 713 rc = may_context_mount_sb_relabel(context_sid, sbsec,
714 cred);
b04ea3ce 715 if (rc)
c9180a57
EP		 716 goto out;
717 sbsec->sid = context_sid;
b04ea3ce 718 } else {
275bb41e
DH		 719 rc = may_context_mount_inode_relabel(context_sid, sbsec,
720 cred);
b04ea3ce 721 if (rc)
c9180a57 722 goto out;
b04ea3ce 723 }
c9180a57
EP		 724 if (!rootcontext_sid)
725 rootcontext_sid = context_sid;
1da177e4 726
c9180a57 727 sbsec->mntpoint_sid = context_sid;
c312feb2 728 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 729 }
730
c9180a57 731 if (rootcontext_sid) {
275bb41e
DH		 732 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
733 cred);
0808925e 734 if (rc)
c9180a57 735 goto out;
0808925e 736
c9180a57
EP		 737 root_isec->sid = rootcontext_sid;
738 root_isec->initialized = 1;
0808925e
EP		 739 }
740
c9180a57
EP		 741 if (defcontext_sid) {
742 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
743 rc = -EINVAL;
744 printk(KERN_WARNING "SELinux: defcontext option is "
745 "invalid for this filesystem type\n");
746 goto out;
1da177e4
LT		 747 }
748
c9180a57
EP		 749 if (defcontext_sid != sbsec->def_sid) {
750 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 751 sbsec, cred);
c9180a57
EP		 752 if (rc)
753 goto out;
754 }
1da177e4 755
c9180a57 756 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 757 }
758
c9180a57 759 rc = sb_finish_set_opts(sb);
1da177e4 760out:
c9180a57 761 mutex_unlock(&sbsec->lock);
1da177e4 762 return rc;
c9180a57
EP		 763out_double_mount:
764 rc = -EINVAL;
765 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
766 "security settings for (dev %s, type %s)\n", sb->s_id, name);
767 goto out;
1da177e4
LT		 768}
769
094f7b69
JL		 770static int selinux_cmp_sb_context(const struct super_block *oldsb,
771 const struct super_block *newsb)
772{
773 struct superblock_security_struct *old = oldsb->s_security;
774 struct superblock_security_struct *new = newsb->s_security;
775 char oldflags = old->flags & SE_MNTMASK;
776 char newflags = new->flags & SE_MNTMASK;
777
778 if (oldflags != newflags)
779 goto mismatch;
780 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
781 goto mismatch;
782 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
783 goto mismatch;
784 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
785 goto mismatch;
786 if (oldflags & ROOTCONTEXT_MNT) {
787 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
788 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
789 if (oldroot->sid != newroot->sid)
790 goto mismatch;
791 }
792 return 0;
793mismatch:
794 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
795 "different security settings for (dev %s, "
796 "type %s)\n", newsb->s_id, newsb->s_type->name);
797 return -EBUSY;
798}
799
800static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
c9180a57 801 struct super_block *newsb)
1da177e4 802{
c9180a57
EP		 803 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
804 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 805
c9180a57
EP		 806 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
807 int set_context = (oldsbsec->flags & CONTEXT_MNT);
808 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 809
0f5e6420
EP		 810 /*
811 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 812 * mount options. thus we can safely deal with this superblock later
0f5e6420 813 */
e8c26255 814 if (!ss_initialized)
094f7b69 815 return 0;
c9180a57 816
c9180a57 817 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 818 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 819
094f7b69 820 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 821 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 822 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 823
c9180a57
EP		 824 mutex_lock(&newsbsec->lock);
825
826 newsbsec->flags = oldsbsec->flags;
827
828 newsbsec->sid = oldsbsec->sid;
829 newsbsec->def_sid = oldsbsec->def_sid;
830 newsbsec->behavior = oldsbsec->behavior;
831
832 if (set_context) {
833 u32 sid = oldsbsec->mntpoint_sid;
834
835 if (!set_fscontext)
836 newsbsec->sid = sid;
837 if (!set_rootcontext) {
838 struct inode *newinode = newsb->s_root->d_inode;
839 struct inode_security_struct *newisec = newinode->i_security;
840 newisec->sid = sid;
841 }
842 newsbsec->mntpoint_sid = sid;
1da177e4 843 }
c9180a57
EP		 844 if (set_rootcontext) {
845 const struct inode *oldinode = oldsb->s_root->d_inode;
846 const struct inode_security_struct *oldisec = oldinode->i_security;
847 struct inode *newinode = newsb->s_root->d_inode;
848 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 849
c9180a57 850 newisec->sid = oldisec->sid;
1da177e4
LT		 851 }
852
c9180a57
EP		 853 sb_finish_set_opts(newsb);
854 mutex_unlock(&newsbsec->lock);
094f7b69 855 return 0;
c9180a57
EP		 856}
857
2e1479d9
AB		 858static int selinux_parse_opts_str(char *options,
859 struct security_mnt_opts *opts)
c9180a57 860{
e0007529 861 char *p;
c9180a57
EP		 862 char *context = NULL, *defcontext = NULL;
863 char *fscontext = NULL, *rootcontext = NULL;
e0007529 864 int rc, num_mnt_opts = 0;
1da177e4 865
e0007529 866 opts->num_mnt_opts = 0;
1da177e4 867
c9180a57
EP		 868 /* Standard string-based options. */
869 while ((p = strsep(&options, "|")) != NULL) {
870 int token;
871 substring_t args[MAX_OPT_ARGS];
1da177e4 872
c9180a57
EP		 873 if (!*p)
874 continue;
1da177e4 875
c9180a57 876 token = match_token(p, tokens, args);
1da177e4 877
c9180a57
EP		 878 switch (token) {
879 case Opt_context:
880 if (context || defcontext) {
881 rc = -EINVAL;
882 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
883 goto out_err;
884 }
885 context = match_strdup(&args[0]);
886 if (!context) {
887 rc = -ENOMEM;
888 goto out_err;
889 }
890 break;
891
892 case Opt_fscontext:
893 if (fscontext) {
894 rc = -EINVAL;
895 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
896 goto out_err;
897 }
898 fscontext = match_strdup(&args[0]);
899 if (!fscontext) {
900 rc = -ENOMEM;
901 goto out_err;
902 }
903 break;
904
905 case Opt_rootcontext:
906 if (rootcontext) {
907 rc = -EINVAL;
908 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
909 goto out_err;
910 }
911 rootcontext = match_strdup(&args[0]);
912 if (!rootcontext) {
913 rc = -ENOMEM;
914 goto out_err;
915 }
916 break;
917
918 case Opt_defcontext:
919 if (context || defcontext) {
920 rc = -EINVAL;
921 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
922 goto out_err;
923 }
924 defcontext = match_strdup(&args[0]);
925 if (!defcontext) {
926 rc = -ENOMEM;
927 goto out_err;
928 }
929 break;
11689d47
DQ		 930 case Opt_labelsupport:
931 break;
c9180a57
EP		 932 default:
933 rc = -EINVAL;
934 printk(KERN_WARNING "SELinux: unknown mount option\n");
935 goto out_err;
1da177e4 936
1da177e4 937 }
1da177e4 938 }
c9180a57 939
e0007529
EP		 940 rc = -ENOMEM;
941 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
942 if (!opts->mnt_opts)
943 goto out_err;
944
945 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
946 if (!opts->mnt_opts_flags) {
947 kfree(opts->mnt_opts);
948 goto out_err;
949 }
950
c9180a57 951 if (fscontext) {
e0007529
EP		 952 opts->mnt_opts[num_mnt_opts] = fscontext;
953 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 954 }
955 if (context) {
e0007529
EP		 956 opts->mnt_opts[num_mnt_opts] = context;
957 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 958 }
959 if (rootcontext) {
e0007529
EP		 960 opts->mnt_opts[num_mnt_opts] = rootcontext;
961 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 962 }
963 if (defcontext) {
e0007529
EP		 964 opts->mnt_opts[num_mnt_opts] = defcontext;
965 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 966 }
967
e0007529
EP		 968 opts->num_mnt_opts = num_mnt_opts;
969 return 0;
970
c9180a57
EP		 971out_err:
972 kfree(context);
973 kfree(defcontext);
974 kfree(fscontext);
975 kfree(rootcontext);
1da177e4
LT		 976 return rc;
977}
e0007529
EP		 978/*
979 * string mount options parsing and call set the sbsec
980 */
981static int superblock_doinit(struct super_block *sb, void *data)
982{
983 int rc = 0;
984 char *options = data;
985 struct security_mnt_opts opts;
986
987 security_init_mnt_opts(&opts);
988
989 if (!data)
990 goto out;
991
992 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
993
994 rc = selinux_parse_opts_str(options, &opts);
995 if (rc)
996 goto out_err;
997
998out:
999 rc = selinux_set_mnt_opts(sb, &opts);
1000
1001out_err:
1002 security_free_mnt_opts(&opts);
1003 return rc;
1004}
1da177e4 1005
3583a711
AB		 1006static void selinux_write_opts(struct seq_file *m,
1007 struct security_mnt_opts *opts)
2069f457
EP		 1008{
1009 int i;
1010 char *prefix;
1011
1012 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1013 char *has_comma;
1014
1015 if (opts->mnt_opts[i])
1016 has_comma = strchr(opts->mnt_opts[i], ',');
1017 else
1018 has_comma = NULL;
2069f457
EP		 1019
1020 switch (opts->mnt_opts_flags[i]) {
1021 case CONTEXT_MNT:
1022 prefix = CONTEXT_STR;
1023 break;
1024 case FSCONTEXT_MNT:
1025 prefix = FSCONTEXT_STR;
1026 break;
1027 case ROOTCONTEXT_MNT:
1028 prefix = ROOTCONTEXT_STR;
1029 break;
1030 case DEFCONTEXT_MNT:
1031 prefix = DEFCONTEXT_STR;
1032 break;
12f348b9 1033 case SBLABEL_MNT:
11689d47
DQ		 1034 seq_putc(m, ',');
1035 seq_puts(m, LABELSUPP_STR);
1036 continue;
2069f457
EP		 1037 default:
1038 BUG();
a35c6c83 1039 return;
2069f457
EP		 1040 };
1041 /* we need a comma before each option */
1042 seq_putc(m, ',');
1043 seq_puts(m, prefix);
1044 if (has_comma)
1045 seq_putc(m, '\"');
1046 seq_puts(m, opts->mnt_opts[i]);
1047 if (has_comma)
1048 seq_putc(m, '\"');
1049 }
1050}
1051
1052static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1053{
1054 struct security_mnt_opts opts;
1055 int rc;
1056
1057 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1058 if (rc) {
1059 /* before policy load we may get EINVAL, don't show anything */
1060 if (rc == -EINVAL)
1061 rc = 0;
2069f457 1062 return rc;
383795c2 1063 }
2069f457
EP		 1064
1065 selinux_write_opts(m, &opts);
1066
1067 security_free_mnt_opts(&opts);
1068
1069 return rc;
1070}
1071
1da177e4
LT		 1072static inline u16 inode_mode_to_security_class(umode_t mode)
1073{
1074 switch (mode & S_IFMT) {
1075 case S_IFSOCK:
1076 return SECCLASS_SOCK_FILE;
1077 case S_IFLNK:
1078 return SECCLASS_LNK_FILE;
1079 case S_IFREG:
1080 return SECCLASS_FILE;
1081 case S_IFBLK:
1082 return SECCLASS_BLK_FILE;
1083 case S_IFDIR:
1084 return SECCLASS_DIR;
1085 case S_IFCHR:
1086 return SECCLASS_CHR_FILE;
1087 case S_IFIFO:
1088 return SECCLASS_FIFO_FILE;
1089
1090 }
1091
1092 return SECCLASS_FILE;
1093}
1094
13402580
JM		 1095static inline int default_protocol_stream(int protocol)
1096{
1097 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1098}
1099
1100static inline int default_protocol_dgram(int protocol)
1101{
1102 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1103}
1104
1da177e4
LT		 1105static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1106{
1107 switch (family) {
1108 case PF_UNIX:
1109 switch (type) {
1110 case SOCK_STREAM:
1111 case SOCK_SEQPACKET:
1112 return SECCLASS_UNIX_STREAM_SOCKET;
1113 case SOCK_DGRAM:
1114 return SECCLASS_UNIX_DGRAM_SOCKET;
1115 }
1116 break;
1117 case PF_INET:
1118 case PF_INET6:
1119 switch (type) {
1120 case SOCK_STREAM:
13402580
JM		 1121 if (default_protocol_stream(protocol))
1122 return SECCLASS_TCP_SOCKET;
1123 else
1124 return SECCLASS_RAWIP_SOCKET;
1da177e4 1125 case SOCK_DGRAM:
13402580
JM		 1126 if (default_protocol_dgram(protocol))
1127 return SECCLASS_UDP_SOCKET;
1128 else
1129 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1130 case SOCK_DCCP:
1131 return SECCLASS_DCCP_SOCKET;
13402580 1132 default:
1da177e4
LT		 1133 return SECCLASS_RAWIP_SOCKET;
1134 }
1135 break;
1136 case PF_NETLINK:
1137 switch (protocol) {
1138 case NETLINK_ROUTE:
1139 return SECCLASS_NETLINK_ROUTE_SOCKET;
1140 case NETLINK_FIREWALL:
1141 return SECCLASS_NETLINK_FIREWALL_SOCKET;
7f1fb60c 1142 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1143 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1144 case NETLINK_NFLOG:
1145 return SECCLASS_NETLINK_NFLOG_SOCKET;
1146 case NETLINK_XFRM:
1147 return SECCLASS_NETLINK_XFRM_SOCKET;
1148 case NETLINK_SELINUX:
1149 return SECCLASS_NETLINK_SELINUX_SOCKET;
1150 case NETLINK_AUDIT:
1151 return SECCLASS_NETLINK_AUDIT_SOCKET;
1152 case NETLINK_IP6_FW:
1153 return SECCLASS_NETLINK_IP6FW_SOCKET;
1154 case NETLINK_DNRTMSG:
1155 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1156 case NETLINK_KOBJECT_UEVENT:
1157 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1158 default:
1159 return SECCLASS_NETLINK_SOCKET;
1160 }
1161 case PF_PACKET:
1162 return SECCLASS_PACKET_SOCKET;
1163 case PF_KEY:
1164 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1165 case PF_APPLETALK:
1166 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1167 }
1168
1169 return SECCLASS_SOCKET;
1170}
1171
1172#ifdef CONFIG_PROC_FS
8e6c9693 1173static int selinux_proc_get_sid(struct dentry *dentry,
1da177e4
LT		 1174 u16 tclass,
1175 u32 *sid)
1176{
8e6c9693
LAG		 1177 int rc;
1178 char *buffer, *path;
1da177e4 1179
828dfe1d 1180 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1181 if (!buffer)
1182 return -ENOMEM;
1183
8e6c9693
LAG		 1184 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1185 if (IS_ERR(path))
1186 rc = PTR_ERR(path);
1187 else {
1188 /* each process gets a /proc/PID/ entry. Strip off the
1189 * PID part to get a valid selinux labeling.
1190 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1191 while (path[1] >= '0' && path[1] <= '9') {
1192 path[1] = '/';
1193 path++;
1194 }
1195 rc = security_genfs_sid("proc", path, tclass, sid);
1da177e4 1196 }
1da177e4
LT		 1197 free_page((unsigned long)buffer);
1198 return rc;
1199}
1200#else
8e6c9693 1201static int selinux_proc_get_sid(struct dentry *dentry,
1da177e4
LT		 1202 u16 tclass,
1203 u32 *sid)
1204{
1205 return -EINVAL;
1206}
1207#endif
1208
1209/* The inode's security attributes must be initialized before first use. */
1210static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1211{
1212 struct superblock_security_struct *sbsec = NULL;
1213 struct inode_security_struct *isec = inode->i_security;
1214 u32 sid;
1215 struct dentry *dentry;
1216#define INITCONTEXTLEN 255
1217 char *context = NULL;
1218 unsigned len = 0;
1219 int rc = 0;
1da177e4
LT		 1220
1221 if (isec->initialized)
1222 goto out;
1223
23970741 1224 mutex_lock(&isec->lock);
1da177e4 1225 if (isec->initialized)
23970741 1226 goto out_unlock;
1da177e4
LT		 1227
1228 sbsec = inode->i_sb->s_security;
0d90a7ec 1229 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1230 /* Defer initialization until selinux_complete_init,
1231 after the initial policy is loaded and the security
1232 server is ready to handle calls. */
1233 spin_lock(&sbsec->isec_lock);
1234 if (list_empty(&isec->list))
1235 list_add(&isec->list, &sbsec->isec_head);
1236 spin_unlock(&sbsec->isec_lock);
23970741 1237 goto out_unlock;
1da177e4
LT		 1238 }
1239
1240 switch (sbsec->behavior) {
1241 case SECURITY_FS_USE_XATTR:
1242 if (!inode->i_op->getxattr) {
1243 isec->sid = sbsec->def_sid;
1244 break;
1245 }
1246
1247 /* Need a dentry, since the xattr API requires one.
1248 Life would be simpler if we could just pass the inode. */
1249 if (opt_dentry) {
1250 /* Called from d_instantiate or d_splice_alias. */
1251 dentry = dget(opt_dentry);
1252 } else {
1253 /* Called from selinux_complete_init, try to find a dentry. */
1254 dentry = d_find_alias(inode);
1255 }
1256 if (!dentry) {
df7f54c0
EP		 1257 /*
1258 * this is can be hit on boot when a file is accessed
1259 * before the policy is loaded. When we load policy we
1260 * may find inodes that have no dentry on the
1261 * sbsec->isec_head list. No reason to complain as these
1262 * will get fixed up the next time we go through
1263 * inode_doinit with a dentry, before these inodes could
1264 * be used again by userspace.
1265 */
23970741 1266 goto out_unlock;
1da177e4
LT		 1267 }
1268
1269 len = INITCONTEXTLEN;
4cb912f1 1270 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1271 if (!context) {
1272 rc = -ENOMEM;
1273 dput(dentry);
23970741 1274 goto out_unlock;
1da177e4 1275 }
4cb912f1 1276 context[len] = '\0';
1da177e4
LT		 1277 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1278 context, len);
1279 if (rc == -ERANGE) {
314dabb8
JM		 1280 kfree(context);
1281
1da177e4
LT		 1282 /* Need a larger buffer. Query for the right size. */
1283 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1284 NULL, 0);
1285 if (rc < 0) {
1286 dput(dentry);
23970741 1287 goto out_unlock;
1da177e4 1288 }
1da177e4 1289 len = rc;
4cb912f1 1290 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1291 if (!context) {
1292 rc = -ENOMEM;
1293 dput(dentry);
23970741 1294 goto out_unlock;
1da177e4 1295 }
4cb912f1 1296 context[len] = '\0';
1da177e4
LT		 1297 rc = inode->i_op->getxattr(dentry,
1298 XATTR_NAME_SELINUX,
1299 context, len);
1300 }
1301 dput(dentry);
1302 if (rc < 0) {
1303 if (rc != -ENODATA) {
744ba35e 1304 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1305 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1306 -rc, inode->i_sb->s_id, inode->i_ino);
1307 kfree(context);
23970741 1308 goto out_unlock;
1da177e4
LT		 1309 }
1310 /* Map ENODATA to the default file SID */
1311 sid = sbsec->def_sid;
1312 rc = 0;
1313 } else {
f5c1d5b2 1314 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1315 sbsec->def_sid,
1316 GFP_NOFS);
1da177e4 1317 if (rc) {
4ba0a8ad
EP		 1318 char *dev = inode->i_sb->s_id;
1319 unsigned long ino = inode->i_ino;
1320
1321 if (rc == -EINVAL) {
1322 if (printk_ratelimit())
1323 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1324 "context=%s. This indicates you may need to relabel the inode or the "
1325 "filesystem in question.\n", ino, dev, context);
1326 } else {
1327 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1328 "returned %d for dev=%s ino=%ld\n",
1329 __func__, context, -rc, dev, ino);
1330 }
1da177e4
LT		 1331 kfree(context);
1332 /* Leave with the unlabeled SID */
1333 rc = 0;
1334 break;
1335 }
1336 }
1337 kfree(context);
1338 isec->sid = sid;
1339 break;
1340 case SECURITY_FS_USE_TASK:
1341 isec->sid = isec->task_sid;
1342 break;
1343 case SECURITY_FS_USE_TRANS:
1344 /* Default to the fs SID. */
1345 isec->sid = sbsec->sid;
1346
1347 /* Try to obtain a transition SID. */
1348 isec->sclass = inode_mode_to_security_class(inode->i_mode);
652bb9b0
EP		 1349 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1350 isec->sclass, NULL, &sid);
1da177e4 1351 if (rc)
23970741 1352 goto out_unlock;
1da177e4
LT		 1353 isec->sid = sid;
1354 break;
c312feb2
EP		 1355 case SECURITY_FS_USE_MNTPOINT:
1356 isec->sid = sbsec->mntpoint_sid;
1357 break;
1da177e4 1358 default:
c312feb2 1359 /* Default to the fs superblock SID. */
1da177e4
LT		 1360 isec->sid = sbsec->sid;
1361
0d90a7ec 1362 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
8e6c9693 1363 if (opt_dentry) {
1da177e4 1364 isec->sclass = inode_mode_to_security_class(inode->i_mode);
8e6c9693 1365 rc = selinux_proc_get_sid(opt_dentry,
1da177e4
LT		 1366 isec->sclass,
1367 &sid);
1368 if (rc)
23970741 1369 goto out_unlock;
1da177e4
LT		 1370 isec->sid = sid;
1371 }
1372 }
1373 break;
1374 }
1375
1376 isec->initialized = 1;
1377
23970741
EP		 1378out_unlock:
1379 mutex_unlock(&isec->lock);
1da177e4
LT		 1380out:
1381 if (isec->sclass == SECCLASS_FILE)
1382 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1383 return rc;
1384}
1385
1386/* Convert a Linux signal to an access vector. */
1387static inline u32 signal_to_av(int sig)
1388{
1389 u32 perm = 0;
1390
1391 switch (sig) {
1392 case SIGCHLD:
1393 /* Commonly granted from child to parent. */
1394 perm = PROCESS__SIGCHLD;
1395 break;
1396 case SIGKILL:
1397 /* Cannot be caught or ignored */
1398 perm = PROCESS__SIGKILL;
1399 break;
1400 case SIGSTOP:
1401 /* Cannot be caught or ignored */
1402 perm = PROCESS__SIGSTOP;
1403 break;
1404 default:
1405 /* All other signals. */
1406 perm = PROCESS__SIGNAL;
1407 break;
1408 }
1409
1410 return perm;
1411}
1412
d84f4f99
DH		 1413/*
1414 * Check permission between a pair of credentials
1415 * fork check, ptrace check, etc.
1416 */
1417static int cred_has_perm(const struct cred *actor,
1418 const struct cred *target,
1419 u32 perms)
1420{
1421 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1422
1423 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1424}
1425
275bb41e 1426/*
88e67f3b 1427 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1428 * fork check, ptrace check, etc.
1429 * tsk1 is the actor and tsk2 is the target
3b11a1de 1430 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1431 */
1432static int task_has_perm(const struct task_struct *tsk1,
1433 const struct task_struct *tsk2,
1da177e4
LT		 1434 u32 perms)
1435{
275bb41e
DH		 1436 const struct task_security_struct *__tsec1, *__tsec2;
1437 u32 sid1, sid2;
1da177e4 1438
275bb41e
DH		 1439 rcu_read_lock();
1440 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1441 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1442 rcu_read_unlock();
1443 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1444}
1445
3b11a1de
DH		 1446/*
1447 * Check permission between current and another task, e.g. signal checks,
1448 * fork check, ptrace check, etc.
1449 * current is the actor and tsk2 is the target
1450 * - this uses current's subjective creds
1451 */
1452static int current_has_perm(const struct task_struct *tsk,
1453 u32 perms)
1454{
1455 u32 sid, tsid;
1456
1457 sid = current_sid();
1458 tsid = task_sid(tsk);
1459 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1460}
1461
b68e418c
SS		 1462#if CAP_LAST_CAP > 63
1463#error Fix SELinux to handle capabilities > 63.
1464#endif
1465
1da177e4 1466/* Check whether a task is allowed to use a capability. */
6a9de491 1467static int cred_has_capability(const struct cred *cred,
06112163 1468 int cap, int audit)
1da177e4 1469{
2bf49690 1470 struct common_audit_data ad;
06112163 1471 struct av_decision avd;
b68e418c 1472 u16 sclass;
3699c53c 1473 u32 sid = cred_sid(cred);
b68e418c 1474 u32 av = CAP_TO_MASK(cap);
06112163 1475 int rc;
1da177e4 1476
50c205f5 1477 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1478 ad.u.cap = cap;
1479
b68e418c
SS		 1480 switch (CAP_TO_INDEX(cap)) {
1481 case 0:
1482 sclass = SECCLASS_CAPABILITY;
1483 break;
1484 case 1:
1485 sclass = SECCLASS_CAPABILITY2;
1486 break;
1487 default:
1488 printk(KERN_ERR
1489 "SELinux: out of range capability %d\n", cap);
1490 BUG();
a35c6c83 1491 return -EINVAL;
b68e418c 1492 }
06112163 1493
275bb41e 1494 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4
EP		 1495 if (audit == SECURITY_CAP_AUDIT) {
1496 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1497 if (rc2)
1498 return rc2;
1499 }
06112163 1500 return rc;
1da177e4
LT		 1501}
1502
1503/* Check whether a task is allowed to use a system operation. */
1504static int task_has_system(struct task_struct *tsk,
1505 u32 perms)
1506{
275bb41e 1507 u32 sid = task_sid(tsk);
1da177e4 1508
275bb41e 1509 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1510 SECCLASS_SYSTEM, perms, NULL);
1511}
1512
1513/* Check whether a task has a particular permission to an inode.
1514 The 'adp' parameter is optional and allows other audit
1515 data to be passed (e.g. the dentry). */
88e67f3b 1516static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1517 struct inode *inode,
1518 u32 perms,
9ade0cf4
EP		 1519 struct common_audit_data *adp,
1520 unsigned flags)
1da177e4 1521{
1da177e4 1522 struct inode_security_struct *isec;
275bb41e 1523 u32 sid;
1da177e4 1524
e0e81739
DH		 1525 validate_creds(cred);
1526
828dfe1d 1527 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1528 return 0;
1529
88e67f3b 1530 sid = cred_sid(cred);
1da177e4
LT		 1531 isec = inode->i_security;
1532
9ade0cf4 1533 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1da177e4
LT		 1534}
1535
1536/* Same as inode_has_perm, but pass explicit audit data containing
1537 the dentry to help the auditing code to more easily generate the
1538 pathname if needed. */
88e67f3b 1539static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1540 struct dentry *dentry,
1541 u32 av)
1542{
1543 struct inode *inode = dentry->d_inode;
2bf49690 1544 struct common_audit_data ad;
88e67f3b 1545
50c205f5 1546 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00
EP		 1547 ad.u.dentry = dentry;
1548 return inode_has_perm(cred, inode, av, &ad, 0);
1549}
1550
1551/* Same as inode_has_perm, but pass explicit audit data containing
1552 the path to help the auditing code to more easily generate the
1553 pathname if needed. */
1554static inline int path_has_perm(const struct cred *cred,
1555 struct path *path,
1556 u32 av)
1557{
1558 struct inode *inode = path->dentry->d_inode;
1559 struct common_audit_data ad;
1560
50c205f5 1561 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1562 ad.u.path = *path;
9ade0cf4 1563 return inode_has_perm(cred, inode, av, &ad, 0);
1da177e4
LT		 1564}
1565
1566/* Check whether a task can use an open file descriptor to
1567 access an inode in a given way. Check access to the
1568 descriptor itself, and then use dentry_has_perm to
1569 check a particular permission to the file.
1570 Access to the descriptor is implicitly granted if it
1571 has the same SID as the process. If av is zero, then
1572 access to the file is not checked, e.g. for cases
1573 where only the descriptor is affected like seek. */
88e67f3b
DH		 1574static int file_has_perm(const struct cred *cred,
1575 struct file *file,
1576 u32 av)
1da177e4 1577{
1da177e4 1578 struct file_security_struct *fsec = file->f_security;
496ad9aa 1579 struct inode *inode = file_inode(file);
2bf49690 1580 struct common_audit_data ad;
88e67f3b 1581 u32 sid = cred_sid(cred);
1da177e4
LT		 1582 int rc;
1583
50c205f5 1584 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 1585 ad.u.path = file->f_path;
1da177e4 1586
275bb41e
DH		 1587 if (sid != fsec->sid) {
1588 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1589 SECCLASS_FD,
1590 FD__USE,
1591 &ad);
1592 if (rc)
88e67f3b 1593 goto out;
1da177e4
LT		 1594 }
1595
1596 /* av is zero if only checking access to the descriptor. */
88e67f3b 1597 rc = 0;
1da177e4 1598 if (av)
9ade0cf4 1599 rc = inode_has_perm(cred, inode, av, &ad, 0);
1da177e4 1600
88e67f3b
DH		 1601out:
1602 return rc;
1da177e4
LT		 1603}
1604
1605/* Check whether a task can create a file. */
1606static int may_create(struct inode *dir,
1607 struct dentry *dentry,
1608 u16 tclass)
1609{
5fb49870 1610 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1611 struct inode_security_struct *dsec;
1612 struct superblock_security_struct *sbsec;
275bb41e 1613 u32 sid, newsid;
2bf49690 1614 struct common_audit_data ad;
1da177e4
LT		 1615 int rc;
1616
1da177e4
LT		 1617 dsec = dir->i_security;
1618 sbsec = dir->i_sb->s_security;
1619
275bb41e
DH		 1620 sid = tsec->sid;
1621 newsid = tsec->create_sid;
1622
50c205f5 1623 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1624 ad.u.dentry = dentry;
1da177e4 1625
275bb41e 1626 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1627 DIR__ADD_NAME | DIR__SEARCH,
1628 &ad);
1629 if (rc)
1630 return rc;
1631
12f348b9 1632 if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
cb1e922f
EP		 1633 rc = security_transition_sid(sid, dsec->sid, tclass,
1634 &dentry->d_name, &newsid);
1da177e4
LT		 1635 if (rc)
1636 return rc;
1637 }
1638
275bb41e 1639 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1640 if (rc)
1641 return rc;
1642
1643 return avc_has_perm(newsid, sbsec->sid,
1644 SECCLASS_FILESYSTEM,
1645 FILESYSTEM__ASSOCIATE, &ad);
1646}
1647
4eb582cf
ML		 1648/* Check whether a task can create a key. */
1649static int may_create_key(u32 ksid,
1650 struct task_struct *ctx)
1651{
275bb41e 1652 u32 sid = task_sid(ctx);
4eb582cf 1653
275bb41e 1654 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1655}
1656
828dfe1d
EP		 1657#define MAY_LINK 0
1658#define MAY_UNLINK 1
1659#define MAY_RMDIR 2
1da177e4
LT		 1660
1661/* Check whether a task can link, unlink, or rmdir a file/directory. */
1662static int may_link(struct inode *dir,
1663 struct dentry *dentry,
1664 int kind)
1665
1666{
1da177e4 1667 struct inode_security_struct *dsec, *isec;
2bf49690 1668 struct common_audit_data ad;
275bb41e 1669 u32 sid = current_sid();
1da177e4
LT		 1670 u32 av;
1671 int rc;
1672
1da177e4
LT		 1673 dsec = dir->i_security;
1674 isec = dentry->d_inode->i_security;
1675
50c205f5 1676 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1677 ad.u.dentry = dentry;
1da177e4
LT		 1678
1679 av = DIR__SEARCH;
1680 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1681 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1682 if (rc)
1683 return rc;
1684
1685 switch (kind) {
1686 case MAY_LINK:
1687 av = FILE__LINK;
1688 break;
1689 case MAY_UNLINK:
1690 av = FILE__UNLINK;
1691 break;
1692 case MAY_RMDIR:
1693 av = DIR__RMDIR;
1694 break;
1695 default:
744ba35e
EP		 1696 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1697 __func__, kind);
1da177e4
LT		 1698 return 0;
1699 }
1700
275bb41e 1701 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1702 return rc;
1703}
1704
1705static inline int may_rename(struct inode *old_dir,
1706 struct dentry *old_dentry,
1707 struct inode *new_dir,
1708 struct dentry *new_dentry)
1709{
1da177e4 1710 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1711 struct common_audit_data ad;
275bb41e 1712 u32 sid = current_sid();
1da177e4
LT		 1713 u32 av;
1714 int old_is_dir, new_is_dir;
1715 int rc;
1716
1da177e4
LT		 1717 old_dsec = old_dir->i_security;
1718 old_isec = old_dentry->d_inode->i_security;
1719 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1720 new_dsec = new_dir->i_security;
1721
50c205f5 1722 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1723
a269434d 1724 ad.u.dentry = old_dentry;
275bb41e 1725 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1726 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1727 if (rc)
1728 return rc;
275bb41e 1729 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1730 old_isec->sclass, FILE__RENAME, &ad);
1731 if (rc)
1732 return rc;
1733 if (old_is_dir && new_dir != old_dir) {
275bb41e 1734 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1735 old_isec->sclass, DIR__REPARENT, &ad);
1736 if (rc)
1737 return rc;
1738 }
1739
a269434d 1740 ad.u.dentry = new_dentry;
1da177e4
LT		 1741 av = DIR__ADD_NAME | DIR__SEARCH;
1742 if (new_dentry->d_inode)
1743 av |= DIR__REMOVE_NAME;
275bb41e 1744 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1745 if (rc)
1746 return rc;
1747 if (new_dentry->d_inode) {
1748 new_isec = new_dentry->d_inode->i_security;
1749 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
275bb41e 1750 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1751 new_isec->sclass,
1752 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1753 if (rc)
1754 return rc;
1755 }
1756
1757 return 0;
1758}
1759
1760/* Check whether a task can perform a filesystem operation. */
88e67f3b 1761static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1762 struct super_block *sb,
1763 u32 perms,
2bf49690 1764 struct common_audit_data *ad)
1da177e4 1765{
1da177e4 1766 struct superblock_security_struct *sbsec;
88e67f3b 1767 u32 sid = cred_sid(cred);
1da177e4 1768
1da177e4 1769 sbsec = sb->s_security;
275bb41e 1770 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1771}
1772
1773/* Convert a Linux mode and permission mask to an access vector. */
1774static inline u32 file_mask_to_av(int mode, int mask)
1775{
1776 u32 av = 0;
1777
dba19c60 1778 if (!S_ISDIR(mode)) {
1da177e4
LT		 1779 if (mask & MAY_EXEC)
1780 av |= FILE__EXECUTE;
1781 if (mask & MAY_READ)
1782 av |= FILE__READ;
1783
1784 if (mask & MAY_APPEND)
1785 av |= FILE__APPEND;
1786 else if (mask & MAY_WRITE)
1787 av |= FILE__WRITE;
1788
1789 } else {
1790 if (mask & MAY_EXEC)
1791 av |= DIR__SEARCH;
1792 if (mask & MAY_WRITE)
1793 av |= DIR__WRITE;
1794 if (mask & MAY_READ)
1795 av |= DIR__READ;
1796 }
1797
1798 return av;
1799}
1800
8b6a5a37
EP		 1801/* Convert a Linux file to an access vector. */
1802static inline u32 file_to_av(struct file *file)
1803{
1804 u32 av = 0;
1805
1806 if (file->f_mode & FMODE_READ)
1807 av |= FILE__READ;
1808 if (file->f_mode & FMODE_WRITE) {
1809 if (file->f_flags & O_APPEND)
1810 av |= FILE__APPEND;
1811 else
1812 av |= FILE__WRITE;
1813 }
1814 if (!av) {
1815 /*
1816 * Special file opened with flags 3 for ioctl-only use.
1817 */
1818 av = FILE__IOCTL;
1819 }
1820
1821 return av;
1822}
1823
b0c636b9 1824/*
8b6a5a37 1825 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 1826 * open permission.
1827 */
8b6a5a37 1828static inline u32 open_file_to_av(struct file *file)
b0c636b9 1829{
8b6a5a37 1830 u32 av = file_to_av(file);
b0c636b9 1831
49b7b8de
EP		 1832 if (selinux_policycap_openperm)
1833 av |= FILE__OPEN;
1834
b0c636b9
EP		 1835 return av;
1836}
1837
1da177e4
LT		 1838/* Hook functions begin here. */
1839
9e48858f 1840static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 1841 unsigned int mode)
1da177e4 1842{
1da177e4
LT		 1843 int rc;
1844
9e48858f 1845 rc = cap_ptrace_access_check(child, mode);
1da177e4
LT		 1846 if (rc)
1847 return rc;
1848
69f594a3 1849 if (mode & PTRACE_MODE_READ) {
275bb41e
DH		 1850 u32 sid = current_sid();
1851 u32 csid = task_sid(child);
1852 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 1853 }
1854
3b11a1de 1855 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 1856}
1857
1858static int selinux_ptrace_traceme(struct task_struct *parent)
1859{
1860 int rc;
1861
200ac532 1862 rc = cap_ptrace_traceme(parent);
5cd9c58f
DH		 1863 if (rc)
1864 return rc;
1865
1866 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 1867}
1868
1869static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 1870 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4
LT		 1871{
1872 int error;
1873
3b11a1de 1874 error = current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 1875 if (error)
1876 return error;
1877
200ac532 1878 return cap_capget(target, effective, inheritable, permitted);
1da177e4
LT		 1879}
1880
d84f4f99
DH		 1881static int selinux_capset(struct cred *new, const struct cred *old,
1882 const kernel_cap_t *effective,
1883 const kernel_cap_t *inheritable,
1884 const kernel_cap_t *permitted)
1da177e4
LT		 1885{
1886 int error;
1887
200ac532 1888 error = cap_capset(new, old,
d84f4f99 1889 effective, inheritable, permitted);
1da177e4
LT		 1890 if (error)
1891 return error;
1892
d84f4f99 1893 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 1894}
1895
5626d3e8
JM		 1896/*
1897 * (This comment used to live with the selinux_task_setuid hook,
1898 * which was removed).
1899 *
1900 * Since setuid only affects the current process, and since the SELinux
1901 * controls are not based on the Linux identity attributes, SELinux does not
1902 * need to control this operation. However, SELinux does control the use of
1903 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1904 */
1905
6a9de491
EP		 1906static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1907 int cap, int audit)
1da177e4
LT		 1908{
1909 int rc;
1910
6a9de491 1911 rc = cap_capable(cred, ns, cap, audit);
1da177e4
LT		 1912 if (rc)
1913 return rc;
1914
6a9de491 1915 return cred_has_capability(cred, cap, audit);
1da177e4
LT		 1916}
1917
1da177e4
LT		 1918static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1919{
88e67f3b 1920 const struct cred *cred = current_cred();
1da177e4
LT		 1921 int rc = 0;
1922
1923 if (!sb)
1924 return 0;
1925
1926 switch (cmds) {
828dfe1d
EP		 1927 case Q_SYNC:
1928 case Q_QUOTAON:
1929 case Q_QUOTAOFF:
1930 case Q_SETINFO:
1931 case Q_SETQUOTA:
88e67f3b 1932 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 1933 break;
1934 case Q_GETFMT:
1935 case Q_GETINFO:
1936 case Q_GETQUOTA:
88e67f3b 1937 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 1938 break;
1939 default:
1940 rc = 0; /* let the kernel handle invalid cmds */
1941 break;
1da177e4
LT		 1942 }
1943 return rc;
1944}
1945
1946static int selinux_quota_on(struct dentry *dentry)
1947{
88e67f3b
DH		 1948 const struct cred *cred = current_cred();
1949
2875fa00 1950 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 1951}
1952
12b3052c 1953static int selinux_syslog(int type)
1da177e4
LT		 1954{
1955 int rc;
1956
1da177e4 1957 switch (type) {
d78ca3cd
KC		 1958 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
1959 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
828dfe1d
EP		 1960 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1961 break;
d78ca3cd
KC		 1962 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1963 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
1964 /* Set level of messages printed to console */
1965 case SYSLOG_ACTION_CONSOLE_LEVEL:
828dfe1d
EP		 1966 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1967 break;
d78ca3cd
KC		 1968 case SYSLOG_ACTION_CLOSE: /* Close log */
1969 case SYSLOG_ACTION_OPEN: /* Open log */
1970 case SYSLOG_ACTION_READ: /* Read from log */
1971 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
1972 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
828dfe1d
EP		 1973 default:
1974 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1975 break;
1da177e4
LT		 1976 }
1977 return rc;
1978}
1979
1980/*
1981 * Check that a process has enough memory to allocate a new virtual
1982 * mapping. 0 means there is enough memory for the allocation to
1983 * succeed and -ENOMEM implies there is not.
1984 *
1da177e4
LT		 1985 * Do not audit the selinux permission check, as this is applied to all
1986 * processes that allocate mappings.
1987 */
34b4e4aa 1988static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 1989{
1990 int rc, cap_sys_admin = 0;
1da177e4 1991
6a9de491 1992 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
3699c53c 1993 SECURITY_CAP_NOAUDIT);
1da177e4
LT		 1994 if (rc == 0)
1995 cap_sys_admin = 1;
1996
34b4e4aa 1997 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 1998}
1999
2000/* binprm security operations */
2001
a6f76f23 2002static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2003{
a6f76f23
DH		 2004 const struct task_security_struct *old_tsec;
2005 struct task_security_struct *new_tsec;
1da177e4 2006 struct inode_security_struct *isec;
2bf49690 2007 struct common_audit_data ad;
496ad9aa 2008 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2009 int rc;
2010
200ac532 2011 rc = cap_bprm_set_creds(bprm);
1da177e4
LT		 2012 if (rc)
2013 return rc;
2014
a6f76f23
DH		 2015 /* SELinux context only depends on initial program or script and not
2016 * the script interpreter */
2017 if (bprm->cred_prepared)
1da177e4
LT		 2018 return 0;
2019
a6f76f23
DH		 2020 old_tsec = current_security();
2021 new_tsec = bprm->cred->security;
1da177e4
LT		 2022 isec = inode->i_security;
2023
2024 /* Default to the current task SID. */
a6f76f23
DH		 2025 new_tsec->sid = old_tsec->sid;
2026 new_tsec->osid = old_tsec->sid;
1da177e4 2027
28eba5bf 2028 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2029 new_tsec->create_sid = 0;
2030 new_tsec->keycreate_sid = 0;
2031 new_tsec->sockcreate_sid = 0;
1da177e4 2032
a6f76f23
DH		 2033 if (old_tsec->exec_sid) {
2034 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2035 /* Reset exec SID on execve. */
a6f76f23 2036 new_tsec->exec_sid = 0;
259e5e6c
AL		 2037
2038 /*
2039 * Minimize confusion: if no_new_privs and a transition is
2040 * explicitly requested, then fail the exec.
2041 */
2042 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
2043 return -EPERM;
1da177e4
LT		 2044 } else {
2045 /* Check for a default transition on this program. */
a6f76f23 2046 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2047 SECCLASS_PROCESS, NULL,
2048 &new_tsec->sid);
1da177e4
LT		 2049 if (rc)
2050 return rc;
2051 }
2052
50c205f5 2053 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 2054 ad.u.path = bprm->file->f_path;
1da177e4 2055
259e5e6c
AL		 2056 if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
2057 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
a6f76f23 2058 new_tsec->sid = old_tsec->sid;
1da177e4 2059
a6f76f23
DH		 2060 if (new_tsec->sid == old_tsec->sid) {
2061 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2062 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2063 if (rc)
2064 return rc;
2065 } else {
2066 /* Check permissions for the transition. */
a6f76f23 2067 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2068 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2069 if (rc)
2070 return rc;
2071
a6f76f23 2072 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2073 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2074 if (rc)
2075 return rc;
2076
a6f76f23
DH		 2077 /* Check for shared state */
2078 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2079 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2080 SECCLASS_PROCESS, PROCESS__SHARE,
2081 NULL);
2082 if (rc)
2083 return -EPERM;
2084 }
2085
2086 /* Make sure that anyone attempting to ptrace over a task that
2087 * changes its SID has the appropriate permit */
2088 if (bprm->unsafe &
2089 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2090 struct task_struct *tracer;
2091 struct task_security_struct *sec;
2092 u32 ptsid = 0;
2093
2094 rcu_read_lock();
06d98473 2095 tracer = ptrace_parent(current);
a6f76f23
DH		 2096 if (likely(tracer != NULL)) {
2097 sec = __task_cred(tracer)->security;
2098 ptsid = sec->sid;
2099 }
2100 rcu_read_unlock();
2101
2102 if (ptsid != 0) {
2103 rc = avc_has_perm(ptsid, new_tsec->sid,
2104 SECCLASS_PROCESS,
2105 PROCESS__PTRACE, NULL);
2106 if (rc)
2107 return -EPERM;
2108 }
2109 }
1da177e4 2110
a6f76f23
DH		 2111 /* Clear any possibly unsafe personality bits on exec: */
2112 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2113 }
2114
1da177e4
LT		 2115 return 0;
2116}
2117
828dfe1d 2118static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2119{
5fb49870 2120 const struct task_security_struct *tsec = current_security();
275bb41e 2121 u32 sid, osid;
1da177e4
LT		 2122 int atsecure = 0;
2123
275bb41e
DH		 2124 sid = tsec->sid;
2125 osid = tsec->osid;
2126
2127 if (osid != sid) {
1da177e4
LT		 2128 /* Enable secure mode for SIDs transitions unless
2129 the noatsecure permission is granted between
2130 the two SIDs, i.e. ahp returns 0. */
275bb41e 2131 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2132 SECCLASS_PROCESS,
2133 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2134 }
2135
200ac532 2136 return (atsecure || cap_bprm_secureexec(bprm));
1da177e4
LT		 2137}
2138
c3c073f8
AV		 2139static int match_file(const void *p, struct file *file, unsigned fd)
2140{
2141 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2142}
2143
1da177e4 2144/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2145static inline void flush_unauthorized_files(const struct cred *cred,
2146 struct files_struct *files)
1da177e4 2147{
1da177e4 2148 struct file *file, *devnull = NULL;
b20c8122 2149 struct tty_struct *tty;
24ec839c 2150 int drop_tty = 0;
c3c073f8 2151 unsigned n;
1da177e4 2152
24ec839c 2153 tty = get_current_tty();
1da177e4 2154 if (tty) {
ee2ffa0d 2155 spin_lock(&tty_files_lock);
37dd0bd0 2156 if (!list_empty(&tty->tty_files)) {
d996b62a 2157 struct tty_file_private *file_priv;
37dd0bd0 2158
1da177e4 2159 /* Revalidate access to controlling tty.
602a8dd6 2160 Use path_has_perm on the tty path directly rather
1da177e4
LT		 2161 than using file_has_perm, as this particular open
2162 file may belong to another process and we are only
2163 interested in the inode-based check here. */
d996b62a
NP		 2164 file_priv = list_first_entry(&tty->tty_files,
2165 struct tty_file_private, list);
2166 file = file_priv->file;
602a8dd6 2167 if (path_has_perm(cred, &file->f_path, FILE__READ | FILE__WRITE))
24ec839c 2168 drop_tty = 1;
1da177e4 2169 }
ee2ffa0d 2170 spin_unlock(&tty_files_lock);
452a00d2 2171 tty_kref_put(tty);
1da177e4 2172 }
98a27ba4
EB		 2173 /* Reset controlling tty. */
2174 if (drop_tty)
2175 no_tty();
1da177e4
LT		 2176
2177 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2178 n = iterate_fd(files, 0, match_file, cred);
2179 if (!n) /* none found? */
2180 return;
1da177e4 2181
c3c073f8 2182 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2183 if (IS_ERR(devnull))
2184 devnull = NULL;
2185 /* replace all the matching ones with this */
2186 do {
2187 replace_fd(n - 1, devnull, 0);
2188 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2189 if (devnull)
c3c073f8 2190 fput(devnull);
1da177e4
LT		 2191}
2192
a6f76f23
DH		 2193/*
2194 * Prepare a process for imminent new credential changes due to exec
2195 */
2196static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2197{
a6f76f23
DH		 2198 struct task_security_struct *new_tsec;
2199 struct rlimit *rlim, *initrlim;
2200 int rc, i;
d84f4f99 2201
a6f76f23
DH		 2202 new_tsec = bprm->cred->security;
2203 if (new_tsec->sid == new_tsec->osid)
2204 return;
1da177e4 2205
a6f76f23
DH		 2206 /* Close files for which the new task SID is not authorized. */
2207 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2208
a6f76f23
DH		 2209 /* Always clear parent death signal on SID transitions. */
2210 current->pdeath_signal = 0;
0356357c 2211
a6f76f23
DH		 2212 /* Check whether the new SID can inherit resource limits from the old
2213 * SID. If not, reset all soft limits to the lower of the current
2214 * task's hard limit and the init task's soft limit.
2215 *
2216 * Note that the setting of hard limits (even to lower them) can be
2217 * controlled by the setrlimit check. The inclusion of the init task's
2218 * soft limit into the computation is to avoid resetting soft limits
2219 * higher than the default soft limit for cases where the default is
2220 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2221 */
2222 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2223 PROCESS__RLIMITINH, NULL);
2224 if (rc) {
eb2d55a3
ON		 2225 /* protect against do_prlimit() */
2226 task_lock(current);
a6f76f23
DH		 2227 for (i = 0; i < RLIM_NLIMITS; i++) {
2228 rlim = current->signal->rlim + i;
2229 initrlim = init_task.signal->rlim + i;
2230 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2231 }
eb2d55a3
ON		 2232 task_unlock(current);
2233 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2234 }
2235}
2236
2237/*
a6f76f23
DH		 2238 * Clean up the process immediately after the installation of new credentials
2239 * due to exec
1da177e4 2240 */
a6f76f23 2241static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2242{
a6f76f23 2243 const struct task_security_struct *tsec = current_security();
1da177e4 2244 struct itimerval itimer;
a6f76f23 2245 u32 osid, sid;
1da177e4
LT		 2246 int rc, i;
2247
a6f76f23
DH		 2248 osid = tsec->osid;
2249 sid = tsec->sid;
2250
2251 if (sid == osid)
1da177e4
LT		 2252 return;
2253
a6f76f23
DH		 2254 /* Check whether the new SID can inherit signal state from the old SID.
2255 * If not, clear itimers to avoid subsequent signal generation and
2256 * flush and unblock signals.
2257 *
2258 * This must occur _after_ the task SID has been updated so that any
2259 * kill done after the flush will be checked against the new SID.
2260 */
2261 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4
LT		 2262 if (rc) {
2263 memset(&itimer, 0, sizeof itimer);
2264 for (i = 0; i < 3; i++)
2265 do_setitimer(i, &itimer, NULL);
1da177e4 2266 spin_lock_irq(&current->sighand->siglock);
3bcac026
DH		 2267 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2268 __flush_signals(current);
2269 flush_signal_handlers(current, 1);
2270 sigemptyset(&current->blocked);
2271 }
1da177e4
LT		 2272 spin_unlock_irq(&current->sighand->siglock);
2273 }
2274
a6f76f23
DH		 2275 /* Wake up the parent if it is waiting so that it can recheck
2276 * wait permission to the new task SID. */
ecd6de3c 2277 read_lock(&tasklist_lock);
0b7570e7 2278 __wake_up_parent(current, current->real_parent);
ecd6de3c 2279 read_unlock(&tasklist_lock);
1da177e4
LT		 2280}
2281
2282/* superblock security operations */
2283
2284static int selinux_sb_alloc_security(struct super_block *sb)
2285{
2286 return superblock_alloc_security(sb);
2287}
2288
2289static void selinux_sb_free_security(struct super_block *sb)
2290{
2291 superblock_free_security(sb);
2292}
2293
2294static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2295{
2296 if (plen > olen)
2297 return 0;
2298
2299 return !memcmp(prefix, option, plen);
2300}
2301
2302static inline int selinux_option(char *option, int len)
2303{
832cbd9a
EP		 2304 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2305 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2306 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2307 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2308 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2309}
2310
2311static inline void take_option(char **to, char *from, int *first, int len)
2312{
2313 if (!*first) {
2314 **to = ',';
2315 *to += 1;
3528a953 2316 } else
1da177e4
LT		 2317 *first = 0;
2318 memcpy(*to, from, len);
2319 *to += len;
2320}
2321
828dfe1d
EP		 2322static inline void take_selinux_option(char **to, char *from, int *first,
2323 int len)
3528a953
CO		 2324{
2325 int current_size = 0;
2326
2327 if (!*first) {
2328 **to = '|';
2329 *to += 1;
828dfe1d 2330 } else
3528a953
CO		 2331 *first = 0;
2332
2333 while (current_size < len) {
2334 if (*from != '"') {
2335 **to = *from;
2336 *to += 1;
2337 }
2338 from += 1;
2339 current_size += 1;
2340 }
2341}
2342
e0007529 2343static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2344{
2345 int fnosec, fsec, rc = 0;
2346 char *in_save, *in_curr, *in_end;
2347 char *sec_curr, *nosec_save, *nosec;
3528a953 2348 int open_quote = 0;
1da177e4
LT		 2349
2350 in_curr = orig;
2351 sec_curr = copy;
2352
1da177e4
LT		 2353 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2354 if (!nosec) {
2355 rc = -ENOMEM;
2356 goto out;
2357 }
2358
2359 nosec_save = nosec;
2360 fnosec = fsec = 1;
2361 in_save = in_end = orig;
2362
2363 do {
3528a953
CO		 2364 if (*in_end == '"')
2365 open_quote = !open_quote;
2366 if ((*in_end == ',' && open_quote == 0) ||
2367 *in_end == '\0') {
1da177e4
LT		 2368 int len = in_end - in_curr;
2369
2370 if (selinux_option(in_curr, len))
3528a953 2371 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2372 else
2373 take_option(&nosec, in_curr, &fnosec, len);
2374
2375 in_curr = in_end + 1;
2376 }
2377 } while (*in_end++);
2378
6931dfc9 2379 strcpy(in_save, nosec_save);
da3caa20 2380 free_page((unsigned long)nosec_save);
1da177e4
LT		 2381out:
2382 return rc;
2383}
2384
026eb167
EP		 2385static int selinux_sb_remount(struct super_block *sb, void *data)
2386{
2387 int rc, i, *flags;
2388 struct security_mnt_opts opts;
2389 char *secdata, **mount_options;
2390 struct superblock_security_struct *sbsec = sb->s_security;
2391
2392 if (!(sbsec->flags & SE_SBINITIALIZED))
2393 return 0;
2394
2395 if (!data)
2396 return 0;
2397
2398 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2399 return 0;
2400
2401 security_init_mnt_opts(&opts);
2402 secdata = alloc_secdata();
2403 if (!secdata)
2404 return -ENOMEM;
2405 rc = selinux_sb_copy_data(data, secdata);
2406 if (rc)
2407 goto out_free_secdata;
2408
2409 rc = selinux_parse_opts_str(secdata, &opts);
2410 if (rc)
2411 goto out_free_secdata;
2412
2413 mount_options = opts.mnt_opts;
2414 flags = opts.mnt_opts_flags;
2415
2416 for (i = 0; i < opts.num_mnt_opts; i++) {
2417 u32 sid;
2418 size_t len;
2419
12f348b9 2420 if (flags[i] == SBLABEL_MNT)
026eb167
EP		 2421 continue;
2422 len = strlen(mount_options[i]);
2423 rc = security_context_to_sid(mount_options[i], len, &sid);
2424 if (rc) {
2425 printk(KERN_WARNING "SELinux: security_context_to_sid"
2426 "(%s) failed for (dev %s, type %s) errno=%d\n",
2427 mount_options[i], sb->s_id, sb->s_type->name, rc);
2428 goto out_free_opts;
2429 }
2430 rc = -EINVAL;
2431 switch (flags[i]) {
2432 case FSCONTEXT_MNT:
2433 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2434 goto out_bad_option;
2435 break;
2436 case CONTEXT_MNT:
2437 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2438 goto out_bad_option;
2439 break;
2440 case ROOTCONTEXT_MNT: {
2441 struct inode_security_struct *root_isec;
2442 root_isec = sb->s_root->d_inode->i_security;
2443
2444 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2445 goto out_bad_option;
2446 break;
2447 }
2448 case DEFCONTEXT_MNT:
2449 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2450 goto out_bad_option;
2451 break;
2452 default:
2453 goto out_free_opts;
2454 }
2455 }
2456
2457 rc = 0;
2458out_free_opts:
2459 security_free_mnt_opts(&opts);
2460out_free_secdata:
2461 free_secdata(secdata);
2462 return rc;
2463out_bad_option:
2464 printk(KERN_WARNING "SELinux: unable to change security options "
2465 "during remount (dev %s, type=%s)\n", sb->s_id,
2466 sb->s_type->name);
2467 goto out_free_opts;
2468}
2469
12204e24 2470static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2471{
88e67f3b 2472 const struct cred *cred = current_cred();
2bf49690 2473 struct common_audit_data ad;
1da177e4
LT		 2474 int rc;
2475
2476 rc = superblock_doinit(sb, data);
2477 if (rc)
2478 return rc;
2479
74192246
JM		 2480 /* Allow all mounts performed by the kernel */
2481 if (flags & MS_KERNMOUNT)
2482 return 0;
2483
50c205f5 2484 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2485 ad.u.dentry = sb->s_root;
88e67f3b 2486 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2487}
2488
726c3342 2489static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2490{
88e67f3b 2491 const struct cred *cred = current_cred();
2bf49690 2492 struct common_audit_data ad;
1da177e4 2493
50c205f5 2494 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2495 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2496 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2497}
2498
808d4e3c 2499static int selinux_mount(const char *dev_name,
b5266eb4 2500 struct path *path,
808d4e3c 2501 const char *type,
828dfe1d
EP		 2502 unsigned long flags,
2503 void *data)
1da177e4 2504{
88e67f3b 2505 const struct cred *cred = current_cred();
1da177e4
LT		 2506
2507 if (flags & MS_REMOUNT)
d8c9584e 2508 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2509 FILESYSTEM__REMOUNT, NULL);
1da177e4 2510 else
2875fa00 2511 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2512}
2513
2514static int selinux_umount(struct vfsmount *mnt, int flags)
2515{
88e67f3b 2516 const struct cred *cred = current_cred();
1da177e4 2517
88e67f3b 2518 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2519 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2520}
2521
2522/* inode security operations */
2523
2524static int selinux_inode_alloc_security(struct inode *inode)
2525{
2526 return inode_alloc_security(inode);
2527}
2528
2529static void selinux_inode_free_security(struct inode *inode)
2530{
2531 inode_free_security(inode);
2532}
2533
5e41ff9e 2534static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2a7dba39
EP		 2535 const struct qstr *qstr, char **name,
2536 void **value, size_t *len)
5e41ff9e 2537{
5fb49870 2538 const struct task_security_struct *tsec = current_security();
5e41ff9e
SS		 2539 struct inode_security_struct *dsec;
2540 struct superblock_security_struct *sbsec;
275bb41e 2541 u32 sid, newsid, clen;
5e41ff9e 2542 int rc;
570bc1c2 2543 char *namep = NULL, *context;
5e41ff9e 2544
5e41ff9e
SS		 2545 dsec = dir->i_security;
2546 sbsec = dir->i_sb->s_security;
5e41ff9e 2547
275bb41e
DH		 2548 sid = tsec->sid;
2549 newsid = tsec->create_sid;
2550
415103f9
EP		 2551 if ((sbsec->flags & SE_SBINITIALIZED) &&
2552 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2553 newsid = sbsec->mntpoint_sid;
12f348b9 2554 else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
275bb41e 2555 rc = security_transition_sid(sid, dsec->sid,
5e41ff9e 2556 inode_mode_to_security_class(inode->i_mode),
652bb9b0 2557 qstr, &newsid);
5e41ff9e
SS		 2558 if (rc) {
2559 printk(KERN_WARNING "%s: "
2560 "security_transition_sid failed, rc=%d (dev=%s "
2561 "ino=%ld)\n",
dd6f953a 2562 __func__,
5e41ff9e
SS		 2563 -rc, inode->i_sb->s_id, inode->i_ino);
2564 return rc;
2565 }
2566 }
2567
296fddf7 2568 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2569 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2570 struct inode_security_struct *isec = inode->i_security;
2571 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2572 isec->sid = newsid;
2573 isec->initialized = 1;
2574 }
5e41ff9e 2575
12f348b9 2576 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2577 return -EOPNOTSUPP;
2578
570bc1c2 2579 if (name) {
a02fe132 2580 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
570bc1c2
SS		 2581 if (!namep)
2582 return -ENOMEM;
2583 *name = namep;
2584 }
5e41ff9e 2585
570bc1c2 2586 if (value && len) {
12b29f34 2587 rc = security_sid_to_context_force(newsid, &context, &clen);
570bc1c2
SS		 2588 if (rc) {
2589 kfree(namep);
2590 return rc;
2591 }
2592 *value = context;
2593 *len = clen;
5e41ff9e 2594 }
5e41ff9e 2595
5e41ff9e
SS		 2596 return 0;
2597}
2598
4acdaf27 2599static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2600{
2601 return may_create(dir, dentry, SECCLASS_FILE);
2602}
2603
1da177e4
LT		 2604static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2605{
1da177e4
LT		 2606 return may_link(dir, old_dentry, MAY_LINK);
2607}
2608
1da177e4
LT		 2609static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2610{
1da177e4
LT		 2611 return may_link(dir, dentry, MAY_UNLINK);
2612}
2613
2614static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2615{
2616 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2617}
2618
18bb1db3 2619static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2620{
2621 return may_create(dir, dentry, SECCLASS_DIR);
2622}
2623
1da177e4
LT		 2624static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2625{
2626 return may_link(dir, dentry, MAY_RMDIR);
2627}
2628
1a67aafb 2629static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2630{
1da177e4
LT		 2631 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2632}
2633
1da177e4 2634static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2635 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2636{
2637 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2638}
2639
1da177e4
LT		 2640static int selinux_inode_readlink(struct dentry *dentry)
2641{
88e67f3b
DH		 2642 const struct cred *cred = current_cred();
2643
2875fa00 2644 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2645}
2646
2647static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2648{
88e67f3b 2649 const struct cred *cred = current_cred();
1da177e4 2650
2875fa00 2651 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2652}
2653
d4cf970d
EP		 2654static noinline int audit_inode_permission(struct inode *inode,
2655 u32 perms, u32 audited, u32 denied,
2656 unsigned flags)
1da177e4 2657{
b782e0a6 2658 struct common_audit_data ad;
d4cf970d
EP		 2659 struct inode_security_struct *isec = inode->i_security;
2660 int rc;
2661
50c205f5 2662 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 2663 ad.u.inode = inode;
2664
2665 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2666 audited, denied, &ad, flags);
2667 if (rc)
2668 return rc;
2669 return 0;
2670}
2671
e74f71eb 2672static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2673{
88e67f3b 2674 const struct cred *cred = current_cred();
b782e0a6
EP		 2675 u32 perms;
2676 bool from_access;
cf1dd1da 2677 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 2678 struct inode_security_struct *isec;
2679 u32 sid;
2680 struct av_decision avd;
2681 int rc, rc2;
2682 u32 audited, denied;
1da177e4 2683
b782e0a6 2684 from_access = mask & MAY_ACCESS;
d09ca739
EP		 2685 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2686
b782e0a6
EP		 2687 /* No permission to check. Existence test. */
2688 if (!mask)
1da177e4 2689 return 0;
1da177e4 2690
2e334057 2691 validate_creds(cred);
b782e0a6 2692
2e334057
EP		 2693 if (unlikely(IS_PRIVATE(inode)))
2694 return 0;
b782e0a6
EP		 2695
2696 perms = file_mask_to_av(inode->i_mode, mask);
2697
2e334057
EP		 2698 sid = cred_sid(cred);
2699 isec = inode->i_security;
2700
2701 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2702 audited = avc_audit_required(perms, &avd, rc,
2703 from_access ? FILE__AUDIT_ACCESS : 0,
2704 &denied);
2705 if (likely(!audited))
2706 return rc;
2707
d4cf970d 2708 rc2 = audit_inode_permission(inode, perms, audited, denied, flags);
2e334057
EP		 2709 if (rc2)
2710 return rc2;
2711 return rc;
1da177e4
LT		 2712}
2713
2714static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2715{
88e67f3b 2716 const struct cred *cred = current_cred();
bc6a6008 2717 unsigned int ia_valid = iattr->ia_valid;
95dbf739 2718 __u32 av = FILE__WRITE;
1da177e4 2719
bc6a6008
AW		 2720 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2721 if (ia_valid & ATTR_FORCE) {
2722 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2723 ATTR_FORCE);
2724 if (!ia_valid)
2725 return 0;
2726 }
1da177e4 2727
bc6a6008
AW		 2728 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2729 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 2730 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 2731
3d2195c3 2732 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
95dbf739
EP		 2733 av |= FILE__OPEN;
2734
2735 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 2736}
2737
2738static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2739{
88e67f3b 2740 const struct cred *cred = current_cred();
2875fa00
EP		 2741 struct path path;
2742
2743 path.dentry = dentry;
2744 path.mnt = mnt;
88e67f3b 2745
2875fa00 2746 return path_has_perm(cred, &path, FILE__GETATTR);
1da177e4
LT		 2747}
2748
8f0cfa52 2749static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 2750{
88e67f3b
DH		 2751 const struct cred *cred = current_cred();
2752
b5376771
SH		 2753 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2754 sizeof XATTR_SECURITY_PREFIX - 1)) {
2755 if (!strcmp(name, XATTR_NAME_CAPS)) {
2756 if (!capable(CAP_SETFCAP))
2757 return -EPERM;
2758 } else if (!capable(CAP_SYS_ADMIN)) {
2759 /* A different attribute in the security namespace.
2760 Restrict to administrator. */
2761 return -EPERM;
2762 }
2763 }
2764
2765 /* Not an attribute we recognize, so just check the
2766 ordinary setattr permission. */
2875fa00 2767 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 2768}
2769
8f0cfa52
DH		 2770static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2771 const void *value, size_t size, int flags)
1da177e4 2772{
1da177e4
LT		 2773 struct inode *inode = dentry->d_inode;
2774 struct inode_security_struct *isec = inode->i_security;
2775 struct superblock_security_struct *sbsec;
2bf49690 2776 struct common_audit_data ad;
275bb41e 2777 u32 newsid, sid = current_sid();
1da177e4
LT		 2778 int rc = 0;
2779
b5376771
SH		 2780 if (strcmp(name, XATTR_NAME_SELINUX))
2781 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2782
2783 sbsec = inode->i_sb->s_security;
12f348b9 2784 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 2785 return -EOPNOTSUPP;
2786
2e149670 2787 if (!inode_owner_or_capable(inode))
1da177e4
LT		 2788 return -EPERM;
2789
50c205f5 2790 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2791 ad.u.dentry = dentry;
1da177e4 2792
275bb41e 2793 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 2794 FILE__RELABELFROM, &ad);
2795 if (rc)
2796 return rc;
2797
2798 rc = security_context_to_sid(value, size, &newsid);
12b29f34 2799 if (rc == -EINVAL) {
d6ea83ec
EP		 2800 if (!capable(CAP_MAC_ADMIN)) {
2801 struct audit_buffer *ab;
2802 size_t audit_size;
2803 const char *str;
2804
2805 /* We strip a nul only if it is at the end, otherwise the
2806 * context contains a nul and we should audit that */
e3fea3f7
AV		 2807 if (value) {
2808 str = value;
2809 if (str[size - 1] == '\0')
2810 audit_size = size - 1;
2811 else
2812 audit_size = size;
2813 } else {
2814 str = "";
2815 audit_size = 0;
2816 }
d6ea83ec
EP		 2817 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2818 audit_log_format(ab, "op=setxattr invalid_context=");
2819 audit_log_n_untrustedstring(ab, value, audit_size);
2820 audit_log_end(ab);
2821
12b29f34 2822 return rc;
d6ea83ec 2823 }
12b29f34
SS		 2824 rc = security_context_to_sid_force(value, size, &newsid);
2825 }
1da177e4
LT		 2826 if (rc)
2827 return rc;
2828
275bb41e 2829 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 2830 FILE__RELABELTO, &ad);
2831 if (rc)
2832 return rc;
2833
275bb41e 2834 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 2835 isec->sclass);
1da177e4
LT		 2836 if (rc)
2837 return rc;
2838
2839 return avc_has_perm(newsid,
2840 sbsec->sid,
2841 SECCLASS_FILESYSTEM,
2842 FILESYSTEM__ASSOCIATE,
2843 &ad);
2844}
2845
8f0cfa52 2846static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 2847 const void *value, size_t size,
8f0cfa52 2848 int flags)
1da177e4
LT		 2849{
2850 struct inode *inode = dentry->d_inode;
2851 struct inode_security_struct *isec = inode->i_security;
2852 u32 newsid;
2853 int rc;
2854
2855 if (strcmp(name, XATTR_NAME_SELINUX)) {
2856 /* Not an attribute we recognize, so nothing to do. */
2857 return;
2858 }
2859
12b29f34 2860 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 2861 if (rc) {
12b29f34
SS		 2862 printk(KERN_ERR "SELinux: unable to map context to SID"
2863 "for (%s, %lu), rc=%d\n",
2864 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 2865 return;
2866 }
2867
2868 isec->sid = newsid;
2869 return;
2870}
2871
8f0cfa52 2872static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 2873{
88e67f3b
DH		 2874 const struct cred *cred = current_cred();
2875
2875fa00 2876 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 2877}
2878
828dfe1d 2879static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 2880{
88e67f3b
DH		 2881 const struct cred *cred = current_cred();
2882
2875fa00 2883 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 2884}
2885
8f0cfa52 2886static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 2887{
b5376771
SH		 2888 if (strcmp(name, XATTR_NAME_SELINUX))
2889 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2890
2891 /* No one is allowed to remove a SELinux security label.
2892 You can change the label, but all data must be labeled. */
2893 return -EACCES;
2894}
2895
d381d8a9 2896/*
abc69bb6 2897 * Copy the inode security context value to the user.
d381d8a9
JM		 2898 *
2899 * Permission check is handled by selinux_inode_getxattr hook.
2900 */
42492594 2901static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 2902{
42492594
DQ		 2903 u32 size;
2904 int error;
2905 char *context = NULL;
1da177e4 2906 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2907
8c8570fb
DK		 2908 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2909 return -EOPNOTSUPP;
d381d8a9 2910
abc69bb6
SS		 2911 /*
2912 * If the caller has CAP_MAC_ADMIN, then get the raw context
2913 * value even if it is not defined by current policy; otherwise,
2914 * use the in-core value under current policy.
2915 * Use the non-auditing forms of the permission checks since
2916 * getxattr may be called by unprivileged processes commonly
2917 * and lack of permission just means that we fall back to the
2918 * in-core context value, not a denial.
2919 */
6a9de491 2920 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3699c53c 2921 SECURITY_CAP_NOAUDIT);
abc69bb6
SS		 2922 if (!error)
2923 error = security_sid_to_context_force(isec->sid, &context,
2924 &size);
2925 else
2926 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 2927 if (error)
2928 return error;
2929 error = size;
2930 if (alloc) {
2931 *buffer = context;
2932 goto out_nofree;
2933 }
2934 kfree(context);
2935out_nofree:
2936 return error;
1da177e4
LT		 2937}
2938
2939static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 2940 const void *value, size_t size, int flags)
1da177e4
LT		 2941{
2942 struct inode_security_struct *isec = inode->i_security;
2943 u32 newsid;
2944 int rc;
2945
2946 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2947 return -EOPNOTSUPP;
2948
2949 if (!value || !size)
2950 return -EACCES;
2951
828dfe1d 2952 rc = security_context_to_sid((void *)value, size, &newsid);
1da177e4
LT		 2953 if (rc)
2954 return rc;
2955
2956 isec->sid = newsid;
ddd29ec6 2957 isec->initialized = 1;
1da177e4
LT		 2958 return 0;
2959}
2960
2961static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2962{
2963 const int len = sizeof(XATTR_NAME_SELINUX);
2964 if (buffer && len <= buffer_size)
2965 memcpy(buffer, XATTR_NAME_SELINUX, len);
2966 return len;
2967}
2968
713a04ae
AD		 2969static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2970{
2971 struct inode_security_struct *isec = inode->i_security;
2972 *secid = isec->sid;
2973}
2974
1da177e4
LT		 2975/* file security operations */
2976
788e7dd4 2977static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 2978{
88e67f3b 2979 const struct cred *cred = current_cred();
496ad9aa 2980 struct inode *inode = file_inode(file);
1da177e4 2981
1da177e4
LT		 2982 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2983 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2984 mask |= MAY_APPEND;
2985
389fb800
PM		 2986 return file_has_perm(cred, file,
2987 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 2988}
2989
788e7dd4
YN		 2990static int selinux_file_permission(struct file *file, int mask)
2991{
496ad9aa 2992 struct inode *inode = file_inode(file);
20dda18b
SS		 2993 struct file_security_struct *fsec = file->f_security;
2994 struct inode_security_struct *isec = inode->i_security;
2995 u32 sid = current_sid();
2996
389fb800 2997 if (!mask)
788e7dd4
YN		 2998 /* No permission to check. Existence test. */
2999 return 0;
788e7dd4 3000
20dda18b
SS		 3001 if (sid == fsec->sid && fsec->isid == isec->sid &&
3002 fsec->pseqno == avc_policy_seqno())
83d49856 3003 /* No change since file_open check. */
20dda18b
SS		 3004 return 0;
3005
788e7dd4
YN		 3006 return selinux_revalidate_file_permission(file, mask);
3007}
3008
1da177e4
LT		 3009static int selinux_file_alloc_security(struct file *file)
3010{
3011 return file_alloc_security(file);
3012}
3013
3014static void selinux_file_free_security(struct file *file)
3015{
3016 file_free_security(file);
3017}
3018
3019static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3020 unsigned long arg)
3021{
88e67f3b 3022 const struct cred *cred = current_cred();
0b24dcb7 3023 int error = 0;
1da177e4 3024
0b24dcb7
EP		 3025 switch (cmd) {
3026 case FIONREAD:
3027 /* fall through */
3028 case FIBMAP:
3029 /* fall through */
3030 case FIGETBSZ:
3031 /* fall through */
2f99c369 3032 case FS_IOC_GETFLAGS:
0b24dcb7 3033 /* fall through */
2f99c369 3034 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3035 error = file_has_perm(cred, file, FILE__GETATTR);
3036 break;
1da177e4 3037
2f99c369 3038 case FS_IOC_SETFLAGS:
0b24dcb7 3039 /* fall through */
2f99c369 3040 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3041 error = file_has_perm(cred, file, FILE__SETATTR);
3042 break;
3043
3044 /* sys_ioctl() checks */
3045 case FIONBIO:
3046 /* fall through */
3047 case FIOASYNC:
3048 error = file_has_perm(cred, file, 0);
3049 break;
1da177e4 3050
0b24dcb7
EP		 3051 case KDSKBENT:
3052 case KDSKBSENT:
6a9de491
EP		 3053 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3054 SECURITY_CAP_AUDIT);
0b24dcb7
EP		 3055 break;
3056
3057 /* default case assumes that the command will go
3058 * to the file's ioctl() function.
3059 */
3060 default:
3061 error = file_has_perm(cred, file, FILE__IOCTL);
3062 }
3063 return error;
1da177e4
LT		 3064}
3065
fcaaade1
SS		 3066static int default_noexec;
3067
1da177e4
LT		 3068static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3069{
88e67f3b 3070 const struct cred *cred = current_cred();
d84f4f99 3071 int rc = 0;
88e67f3b 3072
fcaaade1
SS		 3073 if (default_noexec &&
3074 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3075 /*
3076 * We are making executable an anonymous mapping or a
3077 * private file mapping that will also be writable.
3078 * This has an additional check.
3079 */
d84f4f99 3080 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 3081 if (rc)
d84f4f99 3082 goto error;
1da177e4 3083 }
1da177e4
LT		 3084
3085 if (file) {
3086 /* read access is always possible with a mapping */
3087 u32 av = FILE__READ;
3088
3089 /* write access only matters if the mapping is shared */
3090 if (shared && (prot & PROT_WRITE))
3091 av |= FILE__WRITE;
3092
3093 if (prot & PROT_EXEC)
3094 av |= FILE__EXECUTE;
3095
88e67f3b 3096 return file_has_perm(cred, file, av);
1da177e4 3097 }
d84f4f99
DH		 3098
3099error:
3100 return rc;
1da177e4
LT		 3101}
3102
e5467859 3103static int selinux_mmap_addr(unsigned long addr)
1da177e4 3104{
ed032189 3105 int rc = 0;
275bb41e 3106 u32 sid = current_sid();
1da177e4 3107
84336d1a
EP		 3108 /*
3109 * notice that we are intentionally putting the SELinux check before
3110 * the secondary cap_file_mmap check. This is such a likely attempt
3111 * at bad behaviour/exploit that we always want to get the AVC, even
3112 * if DAC would have also denied the operation.
3113 */
a2551df7 3114 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
ed032189
EP		 3115 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3116 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3117 if (rc)
3118 return rc;
3119 }
3120
3121 /* do DAC check on address space usage */
e5467859
AV		 3122 return cap_mmap_addr(addr);
3123}
1da177e4 3124
e5467859
AV		 3125static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3126 unsigned long prot, unsigned long flags)
3127{
1da177e4
LT		 3128 if (selinux_checkreqprot)
3129 prot = reqprot;
3130
3131 return file_map_prot_check(file, prot,
3132 (flags & MAP_TYPE) == MAP_SHARED);
3133}
3134
3135static int selinux_file_mprotect(struct vm_area_struct *vma,
3136 unsigned long reqprot,
3137 unsigned long prot)
3138{
88e67f3b 3139 const struct cred *cred = current_cred();
1da177e4
LT		 3140
3141 if (selinux_checkreqprot)
3142 prot = reqprot;
3143
fcaaade1
SS		 3144 if (default_noexec &&
3145 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3146 int rc = 0;
db4c9641
SS		 3147 if (vma->vm_start >= vma->vm_mm->start_brk &&
3148 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3149 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641
SS		 3150 } else if (!vma->vm_file &&
3151 vma->vm_start <= vma->vm_mm->start_stack &&
3152 vma->vm_end >= vma->vm_mm->start_stack) {
3b11a1de 3153 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3154 } else if (vma->vm_file && vma->anon_vma) {
3155 /*
3156 * We are making executable a file mapping that has
3157 * had some COW done. Since pages might have been
3158 * written, check ability to execute the possibly
3159 * modified content. This typically should only
3160 * occur for text relocations.
3161 */
d84f4f99 3162 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3163 }