]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blame - security/selinux/hooks.c
projects / mirror_ubuntu-artful-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
[PATCH] SELinux: decouple fscontext/context mount options
[mirror_ubuntu-artful-kernel.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 *
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License version 2,
18 * as published by the Free Software Foundation.
19 */
20
1da177e4
LT		 21#include <linux/module.h>
22#include <linux/init.h>
23#include <linux/kernel.h>
24#include <linux/ptrace.h>
25#include <linux/errno.h>
26#include <linux/sched.h>
27#include <linux/security.h>
28#include <linux/xattr.h>
29#include <linux/capability.h>
30#include <linux/unistd.h>
31#include <linux/mm.h>
32#include <linux/mman.h>
33#include <linux/slab.h>
34#include <linux/pagemap.h>
35#include <linux/swap.h>
36#include <linux/smp_lock.h>
37#include <linux/spinlock.h>
38#include <linux/syscalls.h>
39#include <linux/file.h>
40#include <linux/namei.h>
41#include <linux/mount.h>
42#include <linux/ext2_fs.h>
43#include <linux/proc_fs.h>
44#include <linux/kd.h>
45#include <linux/netfilter_ipv4.h>
46#include <linux/netfilter_ipv6.h>
47#include <linux/tty.h>
48#include <net/icmp.h>
49#include <net/ip.h> /* for sysctl_local_port_range[] */
50#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
51#include <asm/uaccess.h>
52#include <asm/semaphore.h>
53#include <asm/ioctls.h>
54#include <linux/bitops.h>
55#include <linux/interrupt.h>
56#include <linux/netdevice.h> /* for network interface checks */
57#include <linux/netlink.h>
58#include <linux/tcp.h>
59#include <linux/udp.h>
60#include <linux/quota.h>
61#include <linux/un.h> /* for Unix socket types */
62#include <net/af_unix.h> /* for Unix socket types */
63#include <linux/parser.h>
64#include <linux/nfs_mount.h>
65#include <net/ipv6.h>
66#include <linux/hugetlb.h>
67#include <linux/personality.h>
68#include <linux/sysctl.h>
69#include <linux/audit.h>
6931dfc9 70#include <linux/string.h>
877ce7c1 71#include <linux/selinux.h>
1da177e4
LT		 72
73#include "avc.h"
74#include "objsec.h"
75#include "netif.h"
d28d1e08 76#include "xfrm.h"
1da177e4
LT		 77
78#define XATTR_SELINUX_SUFFIX "selinux"
79#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
80
81extern unsigned int policydb_loaded_version;
82extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
4e5ab4cb 83extern int selinux_compat_net;
1da177e4
LT		 84
85#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
86int selinux_enforcing = 0;
87
88static int __init enforcing_setup(char *str)
89{
90 selinux_enforcing = simple_strtol(str,NULL,0);
91 return 1;
92}
93__setup("enforcing=", enforcing_setup);
94#endif
95
96#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
97int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
98
99static int __init selinux_enabled_setup(char *str)
100{
101 selinux_enabled = simple_strtol(str, NULL, 0);
102 return 1;
103}
104__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 105#else
106int selinux_enabled = 1;
1da177e4
LT		 107#endif
108
109/* Original (dummy) security module. */
110static struct security_operations *original_ops = NULL;
111
112/* Minimal support for a secondary security module,
113 just to allow the use of the dummy or capability modules.
114 The owlsm module can alternatively be used as a secondary
115 module as long as CONFIG_OWLSM_FD is not enabled. */
116static struct security_operations *secondary_ops = NULL;
117
118/* Lists of inode and superblock security structures initialized
119 before the policy was loaded. */
120static LIST_HEAD(superblock_security_head);
121static DEFINE_SPINLOCK(sb_security_lock);
122
7cae7e26
JM		 123static kmem_cache_t *sel_inode_cache;
124
8c8570fb
DK		 125/* Return security context for a given sid or just the context
126 length if the buffer is null or length is 0 */
127static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
128{
129 char *context;
130 unsigned len;
131 int rc;
132
133 rc = security_sid_to_context(sid, &context, &len);
134 if (rc)
135 return rc;
136
137 if (!buffer || !size)
138 goto getsecurity_exit;
139
140 if (size < len) {
141 len = -ERANGE;
142 goto getsecurity_exit;
143 }
144 memcpy(buffer, context, len);
145
146getsecurity_exit:
147 kfree(context);
148 return len;
149}
150
1da177e4
LT		 151/* Allocate and free functions for each kind of security blob. */
152
153static int task_alloc_security(struct task_struct *task)
154{
155 struct task_security_struct *tsec;
156
89d155ef 157 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4
LT		 158 if (!tsec)
159 return -ENOMEM;
160
1da177e4
LT		 161 tsec->task = task;
162 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
163 task->security = tsec;
164
165 return 0;
166}
167
168static void task_free_security(struct task_struct *task)
169{
170 struct task_security_struct *tsec = task->security;
1da177e4
LT		 171 task->security = NULL;
172 kfree(tsec);
173}
174
175static int inode_alloc_security(struct inode *inode)
176{
177 struct task_security_struct *tsec = current->security;
178 struct inode_security_struct *isec;
179
7cae7e26 180 isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL);
1da177e4
LT		 181 if (!isec)
182 return -ENOMEM;
183
7cae7e26 184 memset(isec, 0, sizeof(*isec));
1da177e4
LT		 185 init_MUTEX(&isec->sem);
186 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 187 isec->inode = inode;
188 isec->sid = SECINITSID_UNLABELED;
189 isec->sclass = SECCLASS_FILE;
9ac49d22 190 isec->task_sid = tsec->sid;
1da177e4
LT		 191 inode->i_security = isec;
192
193 return 0;
194}
195
196static void inode_free_security(struct inode *inode)
197{
198 struct inode_security_struct *isec = inode->i_security;
199 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
200
1da177e4
LT		 201 spin_lock(&sbsec->isec_lock);
202 if (!list_empty(&isec->list))
203 list_del_init(&isec->list);
204 spin_unlock(&sbsec->isec_lock);
205
206 inode->i_security = NULL;
7cae7e26 207 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 208}
209
210static int file_alloc_security(struct file *file)
211{
212 struct task_security_struct *tsec = current->security;
213 struct file_security_struct *fsec;
214
26d2a4be 215 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 216 if (!fsec)
217 return -ENOMEM;
218
1da177e4 219 fsec->file = file;
9ac49d22
SS		 220 fsec->sid = tsec->sid;
221 fsec->fown_sid = tsec->sid;
1da177e4
LT		 222 file->f_security = fsec;
223
224 return 0;
225}
226
227static void file_free_security(struct file *file)
228{
229 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 230 file->f_security = NULL;
231 kfree(fsec);
232}
233
234static int superblock_alloc_security(struct super_block *sb)
235{
236 struct superblock_security_struct *sbsec;
237
89d155ef 238 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 239 if (!sbsec)
240 return -ENOMEM;
241
1da177e4
LT		 242 init_MUTEX(&sbsec->sem);
243 INIT_LIST_HEAD(&sbsec->list);
244 INIT_LIST_HEAD(&sbsec->isec_head);
245 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 246 sbsec->sb = sb;
247 sbsec->sid = SECINITSID_UNLABELED;
248 sbsec->def_sid = SECINITSID_FILE;
c312feb2 249 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 250 sb->s_security = sbsec;
251
252 return 0;
253}
254
255static void superblock_free_security(struct super_block *sb)
256{
257 struct superblock_security_struct *sbsec = sb->s_security;
258
1da177e4
LT		 259 spin_lock(&sb_security_lock);
260 if (!list_empty(&sbsec->list))
261 list_del_init(&sbsec->list);
262 spin_unlock(&sb_security_lock);
263
264 sb->s_security = NULL;
265 kfree(sbsec);
266}
267
7d877f3b 268static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4
LT		 269{
270 struct sk_security_struct *ssec;
271
272 if (family != PF_UNIX)
273 return 0;
274
89d155ef 275 ssec = kzalloc(sizeof(*ssec), priority);
1da177e4
LT		 276 if (!ssec)
277 return -ENOMEM;
278
1da177e4
LT		 279 ssec->sk = sk;
280 ssec->peer_sid = SECINITSID_UNLABELED;
281 sk->sk_security = ssec;
282
283 return 0;
284}
285
286static void sk_free_security(struct sock *sk)
287{
288 struct sk_security_struct *ssec = sk->sk_security;
289
9ac49d22 290 if (sk->sk_family != PF_UNIX)
1da177e4
LT		 291 return;
292
293 sk->sk_security = NULL;
294 kfree(ssec);
295}
1da177e4
LT		 296
297/* The security server must be initialized before
298 any labeling or access decisions can be provided. */
299extern int ss_initialized;
300
301/* The file system's label must be initialized prior to use. */
302
303static char *labeling_behaviors[6] = {
304 "uses xattr",
305 "uses transition SIDs",
306 "uses task SIDs",
307 "uses genfs_contexts",
308 "not configured for labeling",
309 "uses mountpoint labeling",
310};
311
312static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313
314static inline int inode_doinit(struct inode *inode)
315{
316 return inode_doinit_with_dentry(inode, NULL);
317}
318
319enum {
320 Opt_context = 1,
321 Opt_fscontext = 2,
322 Opt_defcontext = 4,
323};
324
325static match_table_t tokens = {
326 {Opt_context, "context=%s"},
327 {Opt_fscontext, "fscontext=%s"},
328 {Opt_defcontext, "defcontext=%s"},
329};
330
331#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
332
c312feb2
EP		 333static int may_context_mount_sb_relabel(u32 sid,
334 struct superblock_security_struct *sbsec,
335 struct task_security_struct *tsec)
336{
337 int rc;
338
339 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
340 FILESYSTEM__RELABELFROM, NULL);
341 if (rc)
342 return rc;
343
344 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
345 FILESYSTEM__RELABELTO, NULL);
346 return rc;
347}
348
1da177e4
LT		 349static int try_context_mount(struct super_block *sb, void *data)
350{
351 char *context = NULL, *defcontext = NULL;
c312feb2 352 char *fscontext = NULL;
1da177e4
LT		 353 const char *name;
354 u32 sid;
355 int alloc = 0, rc = 0, seen = 0;
356 struct task_security_struct *tsec = current->security;
357 struct superblock_security_struct *sbsec = sb->s_security;
358
359 if (!data)
360 goto out;
361
362 name = sb->s_type->name;
363
364 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
365
366 /* NFS we understand. */
367 if (!strcmp(name, "nfs")) {
368 struct nfs_mount_data *d = data;
369
370 if (d->version < NFS_MOUNT_VERSION)
371 goto out;
372
373 if (d->context[0]) {
374 context = d->context;
375 seen |= Opt_context;
376 }
377 } else
378 goto out;
379
380 } else {
381 /* Standard string-based options. */
382 char *p, *options = data;
383
384 while ((p = strsep(&options, ",")) != NULL) {
385 int token;
386 substring_t args[MAX_OPT_ARGS];
387
388 if (!*p)
389 continue;
390
391 token = match_token(p, tokens, args);
392
393 switch (token) {
394 case Opt_context:
c312feb2 395 if (seen & (Opt_context|Opt_defcontext)) {
1da177e4
LT		 396 rc = -EINVAL;
397 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
398 goto out_free;
399 }
400 context = match_strdup(&args[0]);
401 if (!context) {
402 rc = -ENOMEM;
403 goto out_free;
404 }
405 if (!alloc)
406 alloc = 1;
407 seen |= Opt_context;
408 break;
409
410 case Opt_fscontext:
c312feb2 411 if (seen & Opt_fscontext) {
1da177e4
LT		 412 rc = -EINVAL;
413 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
414 goto out_free;
415 }
c312feb2
EP		 416 fscontext = match_strdup(&args[0]);
417 if (!fscontext) {
1da177e4
LT		 418 rc = -ENOMEM;
419 goto out_free;
420 }
421 if (!alloc)
422 alloc = 1;
423 seen |= Opt_fscontext;
424 break;
425
426 case Opt_defcontext:
427 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
428 rc = -EINVAL;
429 printk(KERN_WARNING "SELinux: "
430 "defcontext option is invalid "
431 "for this filesystem type\n");
432 goto out_free;
433 }
434 if (seen & (Opt_context|Opt_defcontext)) {
435 rc = -EINVAL;
436 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
437 goto out_free;
438 }
439 defcontext = match_strdup(&args[0]);
440 if (!defcontext) {
441 rc = -ENOMEM;
442 goto out_free;
443 }
444 if (!alloc)
445 alloc = 1;
446 seen |= Opt_defcontext;
447 break;
448
449 default:
450 rc = -EINVAL;
451 printk(KERN_WARNING "SELinux: unknown mount "
452 "option\n");
453 goto out_free;
454
455 }
456 }
457 }
458
459 if (!seen)
460 goto out;
461
c312feb2
EP		 462 /* sets the context of the superblock for the fs being mounted. */
463 if (fscontext) {
464 rc = security_context_to_sid(fscontext, strlen(fscontext), &sid);
1da177e4
LT		 465 if (rc) {
466 printk(KERN_WARNING "SELinux: security_context_to_sid"
467 "(%s) failed for (dev %s, type %s) errno=%d\n",
c312feb2 468 fscontext, sb->s_id, name, rc);
1da177e4
LT		 469 goto out_free;
470 }
471
c312feb2 472 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
1da177e4
LT		 473 if (rc)
474 goto out_free;
475
c312feb2
EP		 476 sbsec->sid = sid;
477 }
478
479 /*
480 * Switch to using mount point labeling behavior.
481 * sets the label used on all file below the mountpoint, and will set
482 * the superblock context if not already set.
483 */
484 if (context) {
485 rc = security_context_to_sid(context, strlen(context), &sid);
486 if (rc) {
487 printk(KERN_WARNING "SELinux: security_context_to_sid"
488 "(%s) failed for (dev %s, type %s) errno=%d\n",
489 context, sb->s_id, name, rc);
490 goto out_free;
491 }
492
493 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
1da177e4
LT		 494 if (rc)
495 goto out_free;
496
c312feb2
EP		 497 if (!fscontext)
498 sbsec->sid = sid;
499 sbsec->mntpoint_sid = sid;
1da177e4 500
c312feb2 501 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 502 }
503
504 if (defcontext) {
505 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
506 if (rc) {
507 printk(KERN_WARNING "SELinux: security_context_to_sid"
508 "(%s) failed for (dev %s, type %s) errno=%d\n",
509 defcontext, sb->s_id, name, rc);
510 goto out_free;
511 }
512
513 if (sid == sbsec->def_sid)
514 goto out_free;
515
516 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
517 FILESYSTEM__RELABELFROM, NULL);
518 if (rc)
519 goto out_free;
520
521 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
522 FILESYSTEM__ASSOCIATE, NULL);
523 if (rc)
524 goto out_free;
525
526 sbsec->def_sid = sid;
527 }
528
529out_free:
530 if (alloc) {
531 kfree(context);
532 kfree(defcontext);
c312feb2 533 kfree(fscontext);
1da177e4
LT		 534 }
535out:
536 return rc;
537}
538
539static int superblock_doinit(struct super_block *sb, void *data)
540{
541 struct superblock_security_struct *sbsec = sb->s_security;
542 struct dentry *root = sb->s_root;
543 struct inode *inode = root->d_inode;
544 int rc = 0;
545
546 down(&sbsec->sem);
547 if (sbsec->initialized)
548 goto out;
549
550 if (!ss_initialized) {
551 /* Defer initialization until selinux_complete_init,
552 after the initial policy is loaded and the security
553 server is ready to handle calls. */
554 spin_lock(&sb_security_lock);
555 if (list_empty(&sbsec->list))
556 list_add(&sbsec->list, &superblock_security_head);
557 spin_unlock(&sb_security_lock);
558 goto out;
559 }
560
561 /* Determine the labeling behavior to use for this filesystem type. */
562 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
563 if (rc) {
564 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
565 __FUNCTION__, sb->s_type->name, rc);
566 goto out;
567 }
568
569 rc = try_context_mount(sb, data);
570 if (rc)
571 goto out;
572
573 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
574 /* Make sure that the xattr handler exists and that no
575 error other than -ENODATA is returned by getxattr on
576 the root directory. -ENODATA is ok, as this may be
577 the first boot of the SELinux kernel before we have
578 assigned xattr values to the filesystem. */
579 if (!inode->i_op->getxattr) {
580 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
581 "xattr support\n", sb->s_id, sb->s_type->name);
582 rc = -EOPNOTSUPP;
583 goto out;
584 }
585 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
586 if (rc < 0 && rc != -ENODATA) {
587 if (rc == -EOPNOTSUPP)
588 printk(KERN_WARNING "SELinux: (dev %s, type "
589 "%s) has no security xattr handler\n",
590 sb->s_id, sb->s_type->name);
591 else
592 printk(KERN_WARNING "SELinux: (dev %s, type "
593 "%s) getxattr errno %d\n", sb->s_id,
594 sb->s_type->name, -rc);
595 goto out;
596 }
597 }
598
599 if (strcmp(sb->s_type->name, "proc") == 0)
600 sbsec->proc = 1;
601
602 sbsec->initialized = 1;
603
604 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
605 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
606 sb->s_id, sb->s_type->name);
607 }
608 else {
609 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
610 sb->s_id, sb->s_type->name,
611 labeling_behaviors[sbsec->behavior-1]);
612 }
613
614 /* Initialize the root inode. */
615 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
616
617 /* Initialize any other inodes associated with the superblock, e.g.
618 inodes created prior to initial policy load or inodes created
619 during get_sb by a pseudo filesystem that directly
620 populates itself. */
621 spin_lock(&sbsec->isec_lock);
622next_inode:
623 if (!list_empty(&sbsec->isec_head)) {
624 struct inode_security_struct *isec =
625 list_entry(sbsec->isec_head.next,
626 struct inode_security_struct, list);
627 struct inode *inode = isec->inode;
628 spin_unlock(&sbsec->isec_lock);
629 inode = igrab(inode);
630 if (inode) {
631 if (!IS_PRIVATE (inode))
632 inode_doinit(inode);
633 iput(inode);
634 }
635 spin_lock(&sbsec->isec_lock);
636 list_del_init(&isec->list);
637 goto next_inode;
638 }
639 spin_unlock(&sbsec->isec_lock);
640out:
641 up(&sbsec->sem);
642 return rc;
643}
644
645static inline u16 inode_mode_to_security_class(umode_t mode)
646{
647 switch (mode & S_IFMT) {
648 case S_IFSOCK:
649 return SECCLASS_SOCK_FILE;
650 case S_IFLNK:
651 return SECCLASS_LNK_FILE;
652 case S_IFREG:
653 return SECCLASS_FILE;
654 case S_IFBLK:
655 return SECCLASS_BLK_FILE;
656 case S_IFDIR:
657 return SECCLASS_DIR;
658 case S_IFCHR:
659 return SECCLASS_CHR_FILE;
660 case S_IFIFO:
661 return SECCLASS_FIFO_FILE;
662
663 }
664
665 return SECCLASS_FILE;
666}
667
13402580
JM		 668static inline int default_protocol_stream(int protocol)
669{
670 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
671}
672
673static inline int default_protocol_dgram(int protocol)
674{
675 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
676}
677
1da177e4
LT		 678static inline u16 socket_type_to_security_class(int family, int type, int protocol)
679{
680 switch (family) {
681 case PF_UNIX:
682 switch (type) {
683 case SOCK_STREAM:
684 case SOCK_SEQPACKET:
685 return SECCLASS_UNIX_STREAM_SOCKET;
686 case SOCK_DGRAM:
687 return SECCLASS_UNIX_DGRAM_SOCKET;
688 }
689 break;
690 case PF_INET:
691 case PF_INET6:
692 switch (type) {
693 case SOCK_STREAM:
13402580
JM		 694 if (default_protocol_stream(protocol))
695 return SECCLASS_TCP_SOCKET;
696 else
697 return SECCLASS_RAWIP_SOCKET;
1da177e4 698 case SOCK_DGRAM:
13402580
JM		 699 if (default_protocol_dgram(protocol))
700 return SECCLASS_UDP_SOCKET;
701 else
702 return SECCLASS_RAWIP_SOCKET;
703 default:
1da177e4
LT		 704 return SECCLASS_RAWIP_SOCKET;
705 }
706 break;
707 case PF_NETLINK:
708 switch (protocol) {
709 case NETLINK_ROUTE:
710 return SECCLASS_NETLINK_ROUTE_SOCKET;
711 case NETLINK_FIREWALL:
712 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 713 case NETLINK_INET_DIAG:
1da177e4
LT		 714 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
715 case NETLINK_NFLOG:
716 return SECCLASS_NETLINK_NFLOG_SOCKET;
717 case NETLINK_XFRM:
718 return SECCLASS_NETLINK_XFRM_SOCKET;
719 case NETLINK_SELINUX:
720 return SECCLASS_NETLINK_SELINUX_SOCKET;
721 case NETLINK_AUDIT:
722 return SECCLASS_NETLINK_AUDIT_SOCKET;
723 case NETLINK_IP6_FW:
724 return SECCLASS_NETLINK_IP6FW_SOCKET;
725 case NETLINK_DNRTMSG:
726 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 727 case NETLINK_KOBJECT_UEVENT:
728 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 729 default:
730 return SECCLASS_NETLINK_SOCKET;
731 }
732 case PF_PACKET:
733 return SECCLASS_PACKET_SOCKET;
734 case PF_KEY:
735 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 736 case PF_APPLETALK:
737 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 738 }
739
740 return SECCLASS_SOCKET;
741}
742
743#ifdef CONFIG_PROC_FS
744static int selinux_proc_get_sid(struct proc_dir_entry *de,
745 u16 tclass,
746 u32 *sid)
747{
748 int buflen, rc;
749 char *buffer, *path, *end;
750
751 buffer = (char*)__get_free_page(GFP_KERNEL);
752 if (!buffer)
753 return -ENOMEM;
754
755 buflen = PAGE_SIZE;
756 end = buffer+buflen;
757 *--end = '\0';
758 buflen--;
759 path = end-1;
760 *path = '/';
761 while (de && de != de->parent) {
762 buflen -= de->namelen + 1;
763 if (buflen < 0)
764 break;
765 end -= de->namelen;
766 memcpy(end, de->name, de->namelen);
767 *--end = '/';
768 path = end;
769 de = de->parent;
770 }
771 rc = security_genfs_sid("proc", path, tclass, sid);
772 free_page((unsigned long)buffer);
773 return rc;
774}
775#else
776static int selinux_proc_get_sid(struct proc_dir_entry *de,
777 u16 tclass,
778 u32 *sid)
779{
780 return -EINVAL;
781}
782#endif
783
784/* The inode's security attributes must be initialized before first use. */
785static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
786{
787 struct superblock_security_struct *sbsec = NULL;
788 struct inode_security_struct *isec = inode->i_security;
789 u32 sid;
790 struct dentry *dentry;
791#define INITCONTEXTLEN 255
792 char *context = NULL;
793 unsigned len = 0;
794 int rc = 0;
795 int hold_sem = 0;
796
797 if (isec->initialized)
798 goto out;
799
800 down(&isec->sem);
801 hold_sem = 1;
802 if (isec->initialized)
803 goto out;
804
805 sbsec = inode->i_sb->s_security;
806 if (!sbsec->initialized) {
807 /* Defer initialization until selinux_complete_init,
808 after the initial policy is loaded and the security
809 server is ready to handle calls. */
810 spin_lock(&sbsec->isec_lock);
811 if (list_empty(&isec->list))
812 list_add(&isec->list, &sbsec->isec_head);
813 spin_unlock(&sbsec->isec_lock);
814 goto out;
815 }
816
817 switch (sbsec->behavior) {
818 case SECURITY_FS_USE_XATTR:
819 if (!inode->i_op->getxattr) {
820 isec->sid = sbsec->def_sid;
821 break;
822 }
823
824 /* Need a dentry, since the xattr API requires one.
825 Life would be simpler if we could just pass the inode. */
826 if (opt_dentry) {
827 /* Called from d_instantiate or d_splice_alias. */
828 dentry = dget(opt_dentry);
829 } else {
830 /* Called from selinux_complete_init, try to find a dentry. */
831 dentry = d_find_alias(inode);
832 }
833 if (!dentry) {
834 printk(KERN_WARNING "%s: no dentry for dev=%s "
835 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
836 inode->i_ino);
837 goto out;
838 }
839
840 len = INITCONTEXTLEN;
841 context = kmalloc(len, GFP_KERNEL);
842 if (!context) {
843 rc = -ENOMEM;
844 dput(dentry);
845 goto out;
846 }
847 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
848 context, len);
849 if (rc == -ERANGE) {
850 /* Need a larger buffer. Query for the right size. */
851 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
852 NULL, 0);
853 if (rc < 0) {
854 dput(dentry);
855 goto out;
856 }
857 kfree(context);
858 len = rc;
859 context = kmalloc(len, GFP_KERNEL);
860 if (!context) {
861 rc = -ENOMEM;
862 dput(dentry);
863 goto out;
864 }
865 rc = inode->i_op->getxattr(dentry,
866 XATTR_NAME_SELINUX,
867 context, len);
868 }
869 dput(dentry);
870 if (rc < 0) {
871 if (rc != -ENODATA) {
872 printk(KERN_WARNING "%s: getxattr returned "
873 "%d for dev=%s ino=%ld\n", __FUNCTION__,
874 -rc, inode->i_sb->s_id, inode->i_ino);
875 kfree(context);
876 goto out;
877 }
878 /* Map ENODATA to the default file SID */
879 sid = sbsec->def_sid;
880 rc = 0;
881 } else {
f5c1d5b2
JM		 882 rc = security_context_to_sid_default(context, rc, &sid,
883 sbsec->def_sid);
1da177e4
LT		 884 if (rc) {
885 printk(KERN_WARNING "%s: context_to_sid(%s) "
886 "returned %d for dev=%s ino=%ld\n",
887 __FUNCTION__, context, -rc,
888 inode->i_sb->s_id, inode->i_ino);
889 kfree(context);
890 /* Leave with the unlabeled SID */
891 rc = 0;
892 break;
893 }
894 }
895 kfree(context);
896 isec->sid = sid;
897 break;
898 case SECURITY_FS_USE_TASK:
899 isec->sid = isec->task_sid;
900 break;
901 case SECURITY_FS_USE_TRANS:
902 /* Default to the fs SID. */
903 isec->sid = sbsec->sid;
904
905 /* Try to obtain a transition SID. */
906 isec->sclass = inode_mode_to_security_class(inode->i_mode);
907 rc = security_transition_sid(isec->task_sid,
908 sbsec->sid,
909 isec->sclass,
910 &sid);
911 if (rc)
912 goto out;
913 isec->sid = sid;
914 break;
c312feb2
EP		 915 case SECURITY_FS_USE_MNTPOINT:
916 isec->sid = sbsec->mntpoint_sid;
917 break;
1da177e4 918 default:
c312feb2 919 /* Default to the fs superblock SID. */
1da177e4
LT		 920 isec->sid = sbsec->sid;
921
922 if (sbsec->proc) {
923 struct proc_inode *proci = PROC_I(inode);
924 if (proci->pde) {
925 isec->sclass = inode_mode_to_security_class(inode->i_mode);
926 rc = selinux_proc_get_sid(proci->pde,
927 isec->sclass,
928 &sid);
929 if (rc)
930 goto out;
931 isec->sid = sid;
932 }
933 }
934 break;
935 }
936
937 isec->initialized = 1;
938
939out:
940 if (isec->sclass == SECCLASS_FILE)
941 isec->sclass = inode_mode_to_security_class(inode->i_mode);
942
943 if (hold_sem)
944 up(&isec->sem);
945 return rc;
946}
947
948/* Convert a Linux signal to an access vector. */
949static inline u32 signal_to_av(int sig)
950{
951 u32 perm = 0;
952
953 switch (sig) {
954 case SIGCHLD:
955 /* Commonly granted from child to parent. */
956 perm = PROCESS__SIGCHLD;
957 break;
958 case SIGKILL:
959 /* Cannot be caught or ignored */
960 perm = PROCESS__SIGKILL;
961 break;
962 case SIGSTOP:
963 /* Cannot be caught or ignored */
964 perm = PROCESS__SIGSTOP;
965 break;
966 default:
967 /* All other signals. */
968 perm = PROCESS__SIGNAL;
969 break;
970 }
971
972 return perm;
973}
974
975/* Check permission betweeen a pair of tasks, e.g. signal checks,
976 fork check, ptrace check, etc. */
977static int task_has_perm(struct task_struct *tsk1,
978 struct task_struct *tsk2,
979 u32 perms)
980{
981 struct task_security_struct *tsec1, *tsec2;
982
983 tsec1 = tsk1->security;
984 tsec2 = tsk2->security;
985 return avc_has_perm(tsec1->sid, tsec2->sid,
986 SECCLASS_PROCESS, perms, NULL);
987}
988
989/* Check whether a task is allowed to use a capability. */
990static int task_has_capability(struct task_struct *tsk,
991 int cap)
992{
993 struct task_security_struct *tsec;
994 struct avc_audit_data ad;
995
996 tsec = tsk->security;
997
998 AVC_AUDIT_DATA_INIT(&ad,CAP);
999 ad.tsk = tsk;
1000 ad.u.cap = cap;
1001
1002 return avc_has_perm(tsec->sid, tsec->sid,
1003 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1004}
1005
1006/* Check whether a task is allowed to use a system operation. */
1007static int task_has_system(struct task_struct *tsk,
1008 u32 perms)
1009{
1010 struct task_security_struct *tsec;
1011
1012 tsec = tsk->security;
1013
1014 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1015 SECCLASS_SYSTEM, perms, NULL);
1016}
1017
1018/* Check whether a task has a particular permission to an inode.
1019 The 'adp' parameter is optional and allows other audit
1020 data to be passed (e.g. the dentry). */
1021static int inode_has_perm(struct task_struct *tsk,
1022 struct inode *inode,
1023 u32 perms,
1024 struct avc_audit_data *adp)
1025{
1026 struct task_security_struct *tsec;
1027 struct inode_security_struct *isec;
1028 struct avc_audit_data ad;
1029
1030 tsec = tsk->security;
1031 isec = inode->i_security;
1032
1033 if (!adp) {
1034 adp = &ad;
1035 AVC_AUDIT_DATA_INIT(&ad, FS);
1036 ad.u.fs.inode = inode;
1037 }
1038
1039 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1040}
1041
1042/* Same as inode_has_perm, but pass explicit audit data containing
1043 the dentry to help the auditing code to more easily generate the
1044 pathname if needed. */
1045static inline int dentry_has_perm(struct task_struct *tsk,
1046 struct vfsmount *mnt,
1047 struct dentry *dentry,
1048 u32 av)
1049{
1050 struct inode *inode = dentry->d_inode;
1051 struct avc_audit_data ad;
1052 AVC_AUDIT_DATA_INIT(&ad,FS);
1053 ad.u.fs.mnt = mnt;
1054 ad.u.fs.dentry = dentry;
1055 return inode_has_perm(tsk, inode, av, &ad);
1056}
1057
1058/* Check whether a task can use an open file descriptor to
1059 access an inode in a given way. Check access to the
1060 descriptor itself, and then use dentry_has_perm to
1061 check a particular permission to the file.
1062 Access to the descriptor is implicitly granted if it
1063 has the same SID as the process. If av is zero, then
1064 access to the file is not checked, e.g. for cases
1065 where only the descriptor is affected like seek. */
858119e1 1066static int file_has_perm(struct task_struct *tsk,
1da177e4
LT		 1067 struct file *file,
1068 u32 av)
1069{
1070 struct task_security_struct *tsec = tsk->security;
1071 struct file_security_struct *fsec = file->f_security;
1072 struct vfsmount *mnt = file->f_vfsmnt;
1073 struct dentry *dentry = file->f_dentry;
1074 struct inode *inode = dentry->d_inode;
1075 struct avc_audit_data ad;
1076 int rc;
1077
1078 AVC_AUDIT_DATA_INIT(&ad, FS);
1079 ad.u.fs.mnt = mnt;
1080 ad.u.fs.dentry = dentry;
1081
1082 if (tsec->sid != fsec->sid) {
1083 rc = avc_has_perm(tsec->sid, fsec->sid,
1084 SECCLASS_FD,
1085 FD__USE,
1086 &ad);
1087 if (rc)
1088 return rc;
1089 }
1090
1091 /* av is zero if only checking access to the descriptor. */
1092 if (av)
1093 return inode_has_perm(tsk, inode, av, &ad);
1094
1095 return 0;
1096}
1097
1098/* Check whether a task can create a file. */
1099static int may_create(struct inode *dir,
1100 struct dentry *dentry,
1101 u16 tclass)
1102{
1103 struct task_security_struct *tsec;
1104 struct inode_security_struct *dsec;
1105 struct superblock_security_struct *sbsec;
1106 u32 newsid;
1107 struct avc_audit_data ad;
1108 int rc;
1109
1110 tsec = current->security;
1111 dsec = dir->i_security;
1112 sbsec = dir->i_sb->s_security;
1113
1114 AVC_AUDIT_DATA_INIT(&ad, FS);
1115 ad.u.fs.dentry = dentry;
1116
1117 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1118 DIR__ADD_NAME | DIR__SEARCH,
1119 &ad);
1120 if (rc)
1121 return rc;
1122
1123 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1124 newsid = tsec->create_sid;
1125 } else {
1126 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1127 &newsid);
1128 if (rc)
1129 return rc;
1130 }
1131
1132 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1133 if (rc)
1134 return rc;
1135
1136 return avc_has_perm(newsid, sbsec->sid,
1137 SECCLASS_FILESYSTEM,
1138 FILESYSTEM__ASSOCIATE, &ad);
1139}
1140
4eb582cf
ML		 1141/* Check whether a task can create a key. */
1142static int may_create_key(u32 ksid,
1143 struct task_struct *ctx)
1144{
1145 struct task_security_struct *tsec;
1146
1147 tsec = ctx->security;
1148
1149 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1150}
1151
1da177e4
LT		 1152#define MAY_LINK 0
1153#define MAY_UNLINK 1
1154#define MAY_RMDIR 2
1155
1156/* Check whether a task can link, unlink, or rmdir a file/directory. */
1157static int may_link(struct inode *dir,
1158 struct dentry *dentry,
1159 int kind)
1160
1161{
1162 struct task_security_struct *tsec;
1163 struct inode_security_struct *dsec, *isec;
1164 struct avc_audit_data ad;
1165 u32 av;
1166 int rc;
1167
1168 tsec = current->security;
1169 dsec = dir->i_security;
1170 isec = dentry->d_inode->i_security;
1171
1172 AVC_AUDIT_DATA_INIT(&ad, FS);
1173 ad.u.fs.dentry = dentry;
1174
1175 av = DIR__SEARCH;
1176 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1177 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1178 if (rc)
1179 return rc;
1180
1181 switch (kind) {
1182 case MAY_LINK:
1183 av = FILE__LINK;
1184 break;
1185 case MAY_UNLINK:
1186 av = FILE__UNLINK;
1187 break;
1188 case MAY_RMDIR:
1189 av = DIR__RMDIR;
1190 break;
1191 default:
1192 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1193 return 0;
1194 }
1195
1196 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1197 return rc;
1198}
1199
1200static inline int may_rename(struct inode *old_dir,
1201 struct dentry *old_dentry,
1202 struct inode *new_dir,
1203 struct dentry *new_dentry)
1204{
1205 struct task_security_struct *tsec;
1206 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1207 struct avc_audit_data ad;
1208 u32 av;
1209 int old_is_dir, new_is_dir;
1210 int rc;
1211
1212 tsec = current->security;
1213 old_dsec = old_dir->i_security;
1214 old_isec = old_dentry->d_inode->i_security;
1215 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1216 new_dsec = new_dir->i_security;
1217
1218 AVC_AUDIT_DATA_INIT(&ad, FS);
1219
1220 ad.u.fs.dentry = old_dentry;
1221 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1222 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1223 if (rc)
1224 return rc;
1225 rc = avc_has_perm(tsec->sid, old_isec->sid,
1226 old_isec->sclass, FILE__RENAME, &ad);
1227 if (rc)
1228 return rc;
1229 if (old_is_dir && new_dir != old_dir) {
1230 rc = avc_has_perm(tsec->sid, old_isec->sid,
1231 old_isec->sclass, DIR__REPARENT, &ad);
1232 if (rc)
1233 return rc;
1234 }
1235
1236 ad.u.fs.dentry = new_dentry;
1237 av = DIR__ADD_NAME | DIR__SEARCH;
1238 if (new_dentry->d_inode)
1239 av |= DIR__REMOVE_NAME;
1240 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1241 if (rc)
1242 return rc;
1243 if (new_dentry->d_inode) {
1244 new_isec = new_dentry->d_inode->i_security;
1245 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1246 rc = avc_has_perm(tsec->sid, new_isec->sid,
1247 new_isec->sclass,
1248 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1249 if (rc)
1250 return rc;
1251 }
1252
1253 return 0;
1254}
1255
1256/* Check whether a task can perform a filesystem operation. */
1257static int superblock_has_perm(struct task_struct *tsk,
1258 struct super_block *sb,
1259 u32 perms,
1260 struct avc_audit_data *ad)
1261{
1262 struct task_security_struct *tsec;
1263 struct superblock_security_struct *sbsec;
1264
1265 tsec = tsk->security;
1266 sbsec = sb->s_security;
1267 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1268 perms, ad);
1269}
1270
1271/* Convert a Linux mode and permission mask to an access vector. */
1272static inline u32 file_mask_to_av(int mode, int mask)
1273{
1274 u32 av = 0;
1275
1276 if ((mode & S_IFMT) != S_IFDIR) {
1277 if (mask & MAY_EXEC)
1278 av |= FILE__EXECUTE;
1279 if (mask & MAY_READ)
1280 av |= FILE__READ;
1281
1282 if (mask & MAY_APPEND)
1283 av |= FILE__APPEND;
1284 else if (mask & MAY_WRITE)
1285 av |= FILE__WRITE;
1286
1287 } else {
1288 if (mask & MAY_EXEC)
1289 av |= DIR__SEARCH;
1290 if (mask & MAY_WRITE)
1291 av |= DIR__WRITE;
1292 if (mask & MAY_READ)
1293 av |= DIR__READ;
1294 }
1295
1296 return av;
1297}
1298
1299/* Convert a Linux file to an access vector. */
1300static inline u32 file_to_av(struct file *file)
1301{
1302 u32 av = 0;
1303
1304 if (file->f_mode & FMODE_READ)
1305 av |= FILE__READ;
1306 if (file->f_mode & FMODE_WRITE) {
1307 if (file->f_flags & O_APPEND)
1308 av |= FILE__APPEND;
1309 else
1310 av |= FILE__WRITE;
1311 }
1312
1313 return av;
1314}
1315
1316/* Set an inode's SID to a specified value. */
1317static int inode_security_set_sid(struct inode *inode, u32 sid)
1318{
1319 struct inode_security_struct *isec = inode->i_security;
1320 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1321
1322 if (!sbsec->initialized) {
1323 /* Defer initialization to selinux_complete_init. */
1324 return 0;
1325 }
1326
1327 down(&isec->sem);
1328 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1329 isec->sid = sid;
1330 isec->initialized = 1;
1331 up(&isec->sem);
1332 return 0;
1333}
1334
1da177e4
LT		 1335/* Hook functions begin here. */
1336
1337static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1338{
1339 struct task_security_struct *psec = parent->security;
1340 struct task_security_struct *csec = child->security;
1341 int rc;
1342
1343 rc = secondary_ops->ptrace(parent,child);
1344 if (rc)
1345 return rc;
1346
1347 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1348 /* Save the SID of the tracing process for later use in apply_creds. */
341c2d80 1349 if (!(child->ptrace & PT_PTRACED) && !rc)
1da177e4
LT		 1350 csec->ptrace_sid = psec->sid;
1351 return rc;
1352}
1353
1354static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1355 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1356{
1357 int error;
1358
1359 error = task_has_perm(current, target, PROCESS__GETCAP);
1360 if (error)
1361 return error;
1362
1363 return secondary_ops->capget(target, effective, inheritable, permitted);
1364}
1365
1366static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1367 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1368{
1369 int error;
1370
1371 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1372 if (error)
1373 return error;
1374
1375 return task_has_perm(current, target, PROCESS__SETCAP);
1376}
1377
1378static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1379 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1380{
1381 secondary_ops->capset_set(target, effective, inheritable, permitted);
1382}
1383
1384static int selinux_capable(struct task_struct *tsk, int cap)
1385{
1386 int rc;
1387
1388 rc = secondary_ops->capable(tsk, cap);
1389 if (rc)
1390 return rc;
1391
1392 return task_has_capability(tsk,cap);
1393}
1394
1395static int selinux_sysctl(ctl_table *table, int op)
1396{
1397 int error = 0;
1398 u32 av;
1399 struct task_security_struct *tsec;
1400 u32 tsid;
1401 int rc;
1402
1403 rc = secondary_ops->sysctl(table, op);
1404 if (rc)
1405 return rc;
1406
1407 tsec = current->security;
1408
1409 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1410 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1411 if (rc) {
1412 /* Default to the well-defined sysctl SID. */
1413 tsid = SECINITSID_SYSCTL;
1414 }
1415
1416 /* The op values are "defined" in sysctl.c, thereby creating
1417 * a bad coupling between this module and sysctl.c */
1418 if(op == 001) {
1419 error = avc_has_perm(tsec->sid, tsid,
1420 SECCLASS_DIR, DIR__SEARCH, NULL);
1421 } else {
1422 av = 0;
1423 if (op & 004)
1424 av |= FILE__READ;
1425 if (op & 002)
1426 av |= FILE__WRITE;
1427 if (av)
1428 error = avc_has_perm(tsec->sid, tsid,
1429 SECCLASS_FILE, av, NULL);
1430 }
1431
1432 return error;
1433}
1434
1435static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1436{
1437 int rc = 0;
1438
1439 if (!sb)
1440 return 0;
1441
1442 switch (cmds) {
1443 case Q_SYNC:
1444 case Q_QUOTAON:
1445 case Q_QUOTAOFF:
1446 case Q_SETINFO:
1447 case Q_SETQUOTA:
1448 rc = superblock_has_perm(current,
1449 sb,
1450 FILESYSTEM__QUOTAMOD, NULL);
1451 break;
1452 case Q_GETFMT:
1453 case Q_GETINFO:
1454 case Q_GETQUOTA:
1455 rc = superblock_has_perm(current,
1456 sb,
1457 FILESYSTEM__QUOTAGET, NULL);
1458 break;
1459 default:
1460 rc = 0; /* let the kernel handle invalid cmds */
1461 break;
1462 }
1463 return rc;
1464}
1465
1466static int selinux_quota_on(struct dentry *dentry)
1467{
1468 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1469}
1470
1471static int selinux_syslog(int type)
1472{
1473 int rc;
1474
1475 rc = secondary_ops->syslog(type);
1476 if (rc)
1477 return rc;
1478
1479 switch (type) {
1480 case 3: /* Read last kernel messages */
1481 case 10: /* Return size of the log buffer */
1482 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1483 break;
1484 case 6: /* Disable logging to console */
1485 case 7: /* Enable logging to console */
1486 case 8: /* Set level of messages printed to console */
1487 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1488 break;
1489 case 0: /* Close log */
1490 case 1: /* Open log */
1491 case 2: /* Read from log */
1492 case 4: /* Read/clear last kernel messages */
1493 case 5: /* Clear ring buffer */
1494 default:
1495 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1496 break;
1497 }
1498 return rc;
1499}
1500
1501/*
1502 * Check that a process has enough memory to allocate a new virtual
1503 * mapping. 0 means there is enough memory for the allocation to
1504 * succeed and -ENOMEM implies there is not.
1505 *
1506 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1507 * if the capability is granted, but __vm_enough_memory requires 1 if
1508 * the capability is granted.
1509 *
1510 * Do not audit the selinux permission check, as this is applied to all
1511 * processes that allocate mappings.
1512 */
1513static int selinux_vm_enough_memory(long pages)
1514{
1515 int rc, cap_sys_admin = 0;
1516 struct task_security_struct *tsec = current->security;
1517
1518 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1519 if (rc == 0)
1520 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1521 SECCLASS_CAPABILITY,
1522 CAP_TO_MASK(CAP_SYS_ADMIN),
1523 NULL);
1524
1525 if (rc == 0)
1526 cap_sys_admin = 1;
1527
1528 return __vm_enough_memory(pages, cap_sys_admin);
1529}
1530
1531/* binprm security operations */
1532
1533static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1534{
1535 struct bprm_security_struct *bsec;
1536
89d155ef 1537 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1da177e4
LT		 1538 if (!bsec)
1539 return -ENOMEM;
1540
1da177e4
LT		 1541 bsec->bprm = bprm;
1542 bsec->sid = SECINITSID_UNLABELED;
1543 bsec->set = 0;
1544
1545 bprm->security = bsec;
1546 return 0;
1547}
1548
1549static int selinux_bprm_set_security(struct linux_binprm *bprm)
1550{
1551 struct task_security_struct *tsec;
1552 struct inode *inode = bprm->file->f_dentry->d_inode;
1553 struct inode_security_struct *isec;
1554 struct bprm_security_struct *bsec;
1555 u32 newsid;
1556 struct avc_audit_data ad;
1557 int rc;
1558
1559 rc = secondary_ops->bprm_set_security(bprm);
1560 if (rc)
1561 return rc;
1562
1563 bsec = bprm->security;
1564
1565 if (bsec->set)
1566 return 0;
1567
1568 tsec = current->security;
1569 isec = inode->i_security;
1570
1571 /* Default to the current task SID. */
1572 bsec->sid = tsec->sid;
1573
28eba5bf 1574 /* Reset fs, key, and sock SIDs on execve. */
1da177e4 1575 tsec->create_sid = 0;
28eba5bf 1576 tsec->keycreate_sid = 0;
42c3e03e 1577 tsec->sockcreate_sid = 0;
1da177e4
LT		 1578
1579 if (tsec->exec_sid) {
1580 newsid = tsec->exec_sid;
1581 /* Reset exec SID on execve. */
1582 tsec->exec_sid = 0;
1583 } else {
1584 /* Check for a default transition on this program. */
1585 rc = security_transition_sid(tsec->sid, isec->sid,
1586 SECCLASS_PROCESS, &newsid);
1587 if (rc)
1588 return rc;
1589 }
1590
1591 AVC_AUDIT_DATA_INIT(&ad, FS);
1592 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1593 ad.u.fs.dentry = bprm->file->f_dentry;
1594
1595 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1596 newsid = tsec->sid;
1597
1598 if (tsec->sid == newsid) {
1599 rc = avc_has_perm(tsec->sid, isec->sid,
1600 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1601 if (rc)
1602 return rc;
1603 } else {
1604 /* Check permissions for the transition. */
1605 rc = avc_has_perm(tsec->sid, newsid,
1606 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1607 if (rc)
1608 return rc;
1609
1610 rc = avc_has_perm(newsid, isec->sid,
1611 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1612 if (rc)
1613 return rc;
1614
1615 /* Clear any possibly unsafe personality bits on exec: */
1616 current->personality &= ~PER_CLEAR_ON_SETID;
1617
1618 /* Set the security field to the new SID. */
1619 bsec->sid = newsid;
1620 }
1621
1622 bsec->set = 1;
1623 return 0;
1624}
1625
1626static int selinux_bprm_check_security (struct linux_binprm *bprm)
1627{
1628 return secondary_ops->bprm_check_security(bprm);
1629}
1630
1631
1632static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1633{
1634 struct task_security_struct *tsec = current->security;
1635 int atsecure = 0;
1636
1637 if (tsec->osid != tsec->sid) {
1638 /* Enable secure mode for SIDs transitions unless
1639 the noatsecure permission is granted between
1640 the two SIDs, i.e. ahp returns 0. */
1641 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1642 SECCLASS_PROCESS,
1643 PROCESS__NOATSECURE, NULL);
1644 }
1645
1646 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1647}
1648
1649static void selinux_bprm_free_security(struct linux_binprm *bprm)
1650{
9a5f04bf 1651 kfree(bprm->security);
1da177e4 1652 bprm->security = NULL;
1da177e4
LT		 1653}
1654
1655extern struct vfsmount *selinuxfs_mount;
1656extern struct dentry *selinux_null;
1657
1658/* Derived from fs/exec.c:flush_old_files. */
1659static inline void flush_unauthorized_files(struct files_struct * files)
1660{
1661 struct avc_audit_data ad;
1662 struct file *file, *devnull = NULL;
1663 struct tty_struct *tty = current->signal->tty;
badf1662 1664 struct fdtable *fdt;
1da177e4
LT		 1665 long j = -1;
1666
1667 if (tty) {
1668 file_list_lock();
2f512016 1669 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1da177e4
LT		 1670 if (file) {
1671 /* Revalidate access to controlling tty.
1672 Use inode_has_perm on the tty inode directly rather
1673 than using file_has_perm, as this particular open
1674 file may belong to another process and we are only
1675 interested in the inode-based check here. */
1676 struct inode *inode = file->f_dentry->d_inode;
1677 if (inode_has_perm(current, inode,
1678 FILE__READ | FILE__WRITE, NULL)) {
1679 /* Reset controlling tty. */
1680 current->signal->tty = NULL;
1681 current->signal->tty_old_pgrp = 0;
1682 }
1683 }
1684 file_list_unlock();
1685 }
1686
1687 /* Revalidate access to inherited open files. */
1688
1689 AVC_AUDIT_DATA_INIT(&ad,FS);
1690
1691 spin_lock(&files->file_lock);
1692 for (;;) {
1693 unsigned long set, i;
1694 int fd;
1695
1696 j++;
1697 i = j * __NFDBITS;
badf1662
DS		 1698 fdt = files_fdtable(files);
1699 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1da177e4 1700 break;
badf1662 1701 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 1702 if (!set)
1703 continue;
1704 spin_unlock(&files->file_lock);
1705 for ( ; set ; i++,set >>= 1) {
1706 if (set & 1) {
1707 file = fget(i);
1708 if (!file)
1709 continue;
1710 if (file_has_perm(current,
1711 file,
1712 file_to_av(file))) {
1713 sys_close(i);
1714 fd = get_unused_fd();
1715 if (fd != i) {
1716 if (fd >= 0)
1717 put_unused_fd(fd);
1718 fput(file);
1719 continue;
1720 }
1721 if (devnull) {
095975da 1722 get_file(devnull);
1da177e4
LT		 1723 } else {
1724 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1725 if (!devnull) {
1726 put_unused_fd(fd);
1727 fput(file);
1728 continue;
1729 }
1730 }
1731 fd_install(fd, devnull);
1732 }
1733 fput(file);
1734 }
1735 }
1736 spin_lock(&files->file_lock);
1737
1738 }
1739 spin_unlock(&files->file_lock);
1740}
1741
1742static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1743{
1744 struct task_security_struct *tsec;
1745 struct bprm_security_struct *bsec;
1746 u32 sid;
1747 int rc;
1748
1749 secondary_ops->bprm_apply_creds(bprm, unsafe);
1750
1751 tsec = current->security;
1752
1753 bsec = bprm->security;
1754 sid = bsec->sid;
1755
1756 tsec->osid = tsec->sid;
1757 bsec->unsafe = 0;
1758 if (tsec->sid != sid) {
1759 /* Check for shared state. If not ok, leave SID
1760 unchanged and kill. */
1761 if (unsafe & LSM_UNSAFE_SHARE) {
1762 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1763 PROCESS__SHARE, NULL);
1764 if (rc) {
1765 bsec->unsafe = 1;
1766 return;
1767 }
1768 }
1769
1770 /* Check for ptracing, and update the task SID if ok.
1771 Otherwise, leave SID unchanged and kill. */
1772 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1773 rc = avc_has_perm(tsec->ptrace_sid, sid,
1774 SECCLASS_PROCESS, PROCESS__PTRACE,
1775 NULL);
1776 if (rc) {
1777 bsec->unsafe = 1;
1778 return;
1779 }
1780 }
1781 tsec->sid = sid;
1782 }
1783}
1784
1785/*
1786 * called after apply_creds without the task lock held
1787 */
1788static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1789{
1790 struct task_security_struct *tsec;
1791 struct rlimit *rlim, *initrlim;
1792 struct itimerval itimer;
1793 struct bprm_security_struct *bsec;
1794 int rc, i;
1795
1796 tsec = current->security;
1797 bsec = bprm->security;
1798
1799 if (bsec->unsafe) {
1800 force_sig_specific(SIGKILL, current);
1801 return;
1802 }
1803 if (tsec->osid == tsec->sid)
1804 return;
1805
1806 /* Close files for which the new task SID is not authorized. */
1807 flush_unauthorized_files(current->files);
1808
1809 /* Check whether the new SID can inherit signal state
1810 from the old SID. If not, clear itimers to avoid
1811 subsequent signal generation and flush and unblock
1812 signals. This must occur _after_ the task SID has
1813 been updated so that any kill done after the flush
1814 will be checked against the new SID. */
1815 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1816 PROCESS__SIGINH, NULL);
1817 if (rc) {
1818 memset(&itimer, 0, sizeof itimer);
1819 for (i = 0; i < 3; i++)
1820 do_setitimer(i, &itimer, NULL);
1821 flush_signals(current);
1822 spin_lock_irq(&current->sighand->siglock);
1823 flush_signal_handlers(current, 1);
1824 sigemptyset(&current->blocked);
1825 recalc_sigpending();
1826 spin_unlock_irq(&current->sighand->siglock);
1827 }
1828
1829 /* Check whether the new SID can inherit resource limits
1830 from the old SID. If not, reset all soft limits to
1831 the lower of the current task's hard limit and the init
1832 task's soft limit. Note that the setting of hard limits
1833 (even to lower them) can be controlled by the setrlimit
1834 check. The inclusion of the init task's soft limit into
1835 the computation is to avoid resetting soft limits higher
1836 than the default soft limit for cases where the default
1837 is lower than the hard limit, e.g. RLIMIT_CORE or
1838 RLIMIT_STACK.*/
1839 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1840 PROCESS__RLIMITINH, NULL);
1841 if (rc) {
1842 for (i = 0; i < RLIM_NLIMITS; i++) {
1843 rlim = current->signal->rlim + i;
1844 initrlim = init_task.signal->rlim+i;
1845 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1846 }
1847 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1848 /*
1849 * This will cause RLIMIT_CPU calculations
1850 * to be refigured.
1851 */
1852 current->it_prof_expires = jiffies_to_cputime(1);
1853 }
1854 }
1855
1856 /* Wake up the parent if it is waiting so that it can
1857 recheck wait permission to the new task SID. */
1858 wake_up_interruptible(&current->parent->signal->wait_chldexit);
1859}
1860
1861/* superblock security operations */
1862
1863static int selinux_sb_alloc_security(struct super_block *sb)
1864{
1865 return superblock_alloc_security(sb);
1866}
1867
1868static void selinux_sb_free_security(struct super_block *sb)
1869{
1870 superblock_free_security(sb);
1871}
1872
1873static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1874{
1875 if (plen > olen)
1876 return 0;
1877
1878 return !memcmp(prefix, option, plen);
1879}
1880
1881static inline int selinux_option(char *option, int len)
1882{
1883 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1884 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1885 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1886}
1887
1888static inline void take_option(char **to, char *from, int *first, int len)
1889{
1890 if (!*first) {
1891 **to = ',';
1892 *to += 1;
1893 }
1894 else
1895 *first = 0;
1896 memcpy(*to, from, len);
1897 *to += len;
1898}
1899
1900static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1901{
1902 int fnosec, fsec, rc = 0;
1903 char *in_save, *in_curr, *in_end;
1904 char *sec_curr, *nosec_save, *nosec;
1905
1906 in_curr = orig;
1907 sec_curr = copy;
1908
1909 /* Binary mount data: just copy */
1910 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1911 copy_page(sec_curr, in_curr);
1912 goto out;
1913 }
1914
1915 nosec = (char *)get_zeroed_page(GFP_KERNEL);
1916 if (!nosec) {
1917 rc = -ENOMEM;
1918 goto out;
1919 }
1920
1921 nosec_save = nosec;
1922 fnosec = fsec = 1;
1923 in_save = in_end = orig;
1924
1925 do {
1926 if (*in_end == ',' || *in_end == '\0') {
1927 int len = in_end - in_curr;
1928
1929 if (selinux_option(in_curr, len))
1930 take_option(&sec_curr, in_curr, &fsec, len);
1931 else
1932 take_option(&nosec, in_curr, &fnosec, len);
1933
1934 in_curr = in_end + 1;
1935 }
1936 } while (*in_end++);
1937
6931dfc9 1938 strcpy(in_save, nosec_save);
da3caa20 1939 free_page((unsigned long)nosec_save);
1da177e4
LT		 1940out:
1941 return rc;
1942}
1943
1944static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1945{
1946 struct avc_audit_data ad;
1947 int rc;
1948
1949 rc = superblock_doinit(sb, data);
1950 if (rc)
1951 return rc;
1952
1953 AVC_AUDIT_DATA_INIT(&ad,FS);
1954 ad.u.fs.dentry = sb->s_root;
1955 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1956}
1957
726c3342 1958static int selinux_sb_statfs(struct dentry *dentry)
1da177e4
LT		 1959{
1960 struct avc_audit_data ad;
1961
1962 AVC_AUDIT_DATA_INIT(&ad,FS);
726c3342
DH		 1963 ad.u.fs.dentry = dentry->d_sb->s_root;
1964 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 1965}
1966
1967static int selinux_mount(char * dev_name,
1968 struct nameidata *nd,
1969 char * type,
1970 unsigned long flags,
1971 void * data)
1972{
1973 int rc;
1974
1975 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1976 if (rc)
1977 return rc;
1978
1979 if (flags & MS_REMOUNT)
1980 return superblock_has_perm(current, nd->mnt->mnt_sb,
1981 FILESYSTEM__REMOUNT, NULL);
1982 else
1983 return dentry_has_perm(current, nd->mnt, nd->dentry,
1984 FILE__MOUNTON);
1985}
1986
1987static int selinux_umount(struct vfsmount *mnt, int flags)
1988{
1989 int rc;
1990
1991 rc = secondary_ops->sb_umount(mnt, flags);
1992 if (rc)
1993 return rc;
1994
1995 return superblock_has_perm(current,mnt->mnt_sb,
1996 FILESYSTEM__UNMOUNT,NULL);
1997}
1998
1999/* inode security operations */
2000
2001static int selinux_inode_alloc_security(struct inode *inode)
2002{
2003 return inode_alloc_security(inode);
2004}
2005
2006static void selinux_inode_free_security(struct inode *inode)
2007{
2008 inode_free_security(inode);
2009}
2010
5e41ff9e
SS		 2011static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2012 char **name, void **value,
2013 size_t *len)
2014{
2015 struct task_security_struct *tsec;
2016 struct inode_security_struct *dsec;
2017 struct superblock_security_struct *sbsec;
570bc1c2 2018 u32 newsid, clen;
5e41ff9e 2019 int rc;
570bc1c2 2020 char *namep = NULL, *context;
5e41ff9e
SS		 2021
2022 tsec = current->security;
2023 dsec = dir->i_security;
2024 sbsec = dir->i_sb->s_security;
5e41ff9e
SS		 2025
2026 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2027 newsid = tsec->create_sid;
2028 } else {
2029 rc = security_transition_sid(tsec->sid, dsec->sid,
2030 inode_mode_to_security_class(inode->i_mode),
2031 &newsid);
2032 if (rc) {
2033 printk(KERN_WARNING "%s: "
2034 "security_transition_sid failed, rc=%d (dev=%s "
2035 "ino=%ld)\n",
2036 __FUNCTION__,
2037 -rc, inode->i_sb->s_id, inode->i_ino);
2038 return rc;
2039 }
2040 }
2041
2042 inode_security_set_sid(inode, newsid);
2043
8aad3875 2044 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
25a74f3b
SS		 2045 return -EOPNOTSUPP;
2046
570bc1c2
SS		 2047 if (name) {
2048 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2049 if (!namep)
2050 return -ENOMEM;
2051 *name = namep;
2052 }
5e41ff9e 2053
570bc1c2
SS		 2054 if (value && len) {
2055 rc = security_sid_to_context(newsid, &context, &clen);
2056 if (rc) {
2057 kfree(namep);
2058 return rc;
2059 }
2060 *value = context;
2061 *len = clen;
5e41ff9e 2062 }
5e41ff9e 2063
5e41ff9e
SS		 2064 return 0;
2065}
2066
1da177e4
LT		 2067static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2068{
2069 return may_create(dir, dentry, SECCLASS_FILE);
2070}
2071
1da177e4
LT		 2072static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2073{
2074 int rc;
2075
2076 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2077 if (rc)
2078 return rc;
2079 return may_link(dir, old_dentry, MAY_LINK);
2080}
2081
1da177e4
LT		 2082static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2083{
2084 int rc;
2085
2086 rc = secondary_ops->inode_unlink(dir, dentry);
2087 if (rc)
2088 return rc;
2089 return may_link(dir, dentry, MAY_UNLINK);
2090}
2091
2092static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2093{
2094 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2095}
2096
1da177e4
LT		 2097static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2098{
2099 return may_create(dir, dentry, SECCLASS_DIR);
2100}
2101
1da177e4
LT		 2102static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2103{
2104 return may_link(dir, dentry, MAY_RMDIR);
2105}
2106
2107static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2108{
2109 int rc;
2110
2111 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2112 if (rc)
2113 return rc;
2114
2115 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2116}
2117
1da177e4
LT		 2118static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2119 struct inode *new_inode, struct dentry *new_dentry)
2120{
2121 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2122}
2123
1da177e4
LT		 2124static int selinux_inode_readlink(struct dentry *dentry)
2125{
2126 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2127}
2128
2129static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2130{
2131 int rc;
2132
2133 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2134 if (rc)
2135 return rc;
2136 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2137}
2138
2139static int selinux_inode_permission(struct inode *inode, int mask,
2140 struct nameidata *nd)
2141{
2142 int rc;
2143
2144 rc = secondary_ops->inode_permission(inode, mask, nd);
2145 if (rc)
2146 return rc;
2147
2148 if (!mask) {
2149 /* No permission to check. Existence test. */
2150 return 0;
2151 }
2152
2153 return inode_has_perm(current, inode,
2154 file_mask_to_av(inode->i_mode, mask), NULL);
2155}
2156
2157static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2158{
2159 int rc;
2160
2161 rc = secondary_ops->inode_setattr(dentry, iattr);
2162 if (rc)
2163 return rc;
2164
2165 if (iattr->ia_valid & ATTR_FORCE)
2166 return 0;
2167
2168 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2169 ATTR_ATIME_SET | ATTR_MTIME_SET))
2170 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2171
2172 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2173}
2174
2175static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2176{
2177 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2178}
2179
2180static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2181{
2182 struct task_security_struct *tsec = current->security;
2183 struct inode *inode = dentry->d_inode;
2184 struct inode_security_struct *isec = inode->i_security;
2185 struct superblock_security_struct *sbsec;
2186 struct avc_audit_data ad;
2187 u32 newsid;
2188 int rc = 0;
2189
2190 if (strcmp(name, XATTR_NAME_SELINUX)) {
2191 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2192 sizeof XATTR_SECURITY_PREFIX - 1) &&
2193 !capable(CAP_SYS_ADMIN)) {
2194 /* A different attribute in the security namespace.
2195 Restrict to administrator. */
2196 return -EPERM;
2197 }
2198
2199 /* Not an attribute we recognize, so just check the
2200 ordinary setattr permission. */
2201 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2202 }
2203
2204 sbsec = inode->i_sb->s_security;
2205 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2206 return -EOPNOTSUPP;
2207
2208 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2209 return -EPERM;
2210
2211 AVC_AUDIT_DATA_INIT(&ad,FS);
2212 ad.u.fs.dentry = dentry;
2213
2214 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2215 FILE__RELABELFROM, &ad);
2216 if (rc)
2217 return rc;
2218
2219 rc = security_context_to_sid(value, size, &newsid);
2220 if (rc)
2221 return rc;
2222
2223 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2224 FILE__RELABELTO, &ad);
2225 if (rc)
2226 return rc;
2227
2228 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2229 isec->sclass);
2230 if (rc)
2231 return rc;
2232
2233 return avc_has_perm(newsid,
2234 sbsec->sid,
2235 SECCLASS_FILESYSTEM,
2236 FILESYSTEM__ASSOCIATE,
2237 &ad);
2238}
2239
2240static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2241 void *value, size_t size, int flags)
2242{
2243 struct inode *inode = dentry->d_inode;
2244 struct inode_security_struct *isec = inode->i_security;
2245 u32 newsid;
2246 int rc;
2247
2248 if (strcmp(name, XATTR_NAME_SELINUX)) {
2249 /* Not an attribute we recognize, so nothing to do. */
2250 return;
2251 }
2252
2253 rc = security_context_to_sid(value, size, &newsid);
2254 if (rc) {
2255 printk(KERN_WARNING "%s: unable to obtain SID for context "
2256 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2257 return;
2258 }
2259
2260 isec->sid = newsid;
2261 return;
2262}
2263
2264static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2265{
1da177e4
LT		 2266 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2267}
2268
2269static int selinux_inode_listxattr (struct dentry *dentry)
2270{
2271 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2272}
2273
2274static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2275{
2276 if (strcmp(name, XATTR_NAME_SELINUX)) {
2277 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2278 sizeof XATTR_SECURITY_PREFIX - 1) &&
2279 !capable(CAP_SYS_ADMIN)) {
2280 /* A different attribute in the security namespace.
2281 Restrict to administrator. */
2282 return -EPERM;
2283 }
2284
2285 /* Not an attribute we recognize, so just check the
2286 ordinary setattr permission. Might want a separate
2287 permission for removexattr. */
2288 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2289 }
2290
2291 /* No one is allowed to remove a SELinux security label.
2292 You can change the label, but all data must be labeled. */
2293 return -EACCES;
2294}
2295
8c8570fb
DK		 2296static const char *selinux_inode_xattr_getsuffix(void)
2297{
2298 return XATTR_SELINUX_SUFFIX;
2299}
2300
d381d8a9
JM		 2301/*
2302 * Copy the in-core inode security context value to the user. If the
2303 * getxattr() prior to this succeeded, check to see if we need to
2304 * canonicalize the value to be finally returned to the user.
2305 *
2306 * Permission check is handled by selinux_inode_getxattr hook.
2307 */
7306a0b9 2308static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
1da177e4
LT		 2309{
2310 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2311
8c8570fb
DK		 2312 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2313 return -EOPNOTSUPP;
d381d8a9 2314
8c8570fb 2315 return selinux_getsecurity(isec->sid, buffer, size);
1da177e4
LT		 2316}
2317
2318static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2319 const void *value, size_t size, int flags)
2320{
2321 struct inode_security_struct *isec = inode->i_security;
2322 u32 newsid;
2323 int rc;
2324
2325 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2326 return -EOPNOTSUPP;
2327
2328 if (!value || !size)
2329 return -EACCES;
2330
2331 rc = security_context_to_sid((void*)value, size, &newsid);
2332 if (rc)
2333 return rc;
2334
2335 isec->sid = newsid;
2336 return 0;
2337}
2338
2339static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2340{
2341 const int len = sizeof(XATTR_NAME_SELINUX);
2342 if (buffer && len <= buffer_size)
2343 memcpy(buffer, XATTR_NAME_SELINUX, len);
2344 return len;
2345}
2346
2347/* file security operations */
2348
2349static int selinux_file_permission(struct file *file, int mask)
2350{
2351 struct inode *inode = file->f_dentry->d_inode;
2352
2353 if (!mask) {
2354 /* No permission to check. Existence test. */
2355 return 0;
2356 }
2357
2358 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2359 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2360 mask |= MAY_APPEND;
2361
2362 return file_has_perm(current, file,
2363 file_mask_to_av(inode->i_mode, mask));
2364}
2365
2366static int selinux_file_alloc_security(struct file *file)
2367{
2368 return file_alloc_security(file);
2369}
2370
2371static void selinux_file_free_security(struct file *file)
2372{
2373 file_free_security(file);
2374}
2375
2376static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2377 unsigned long arg)
2378{
2379 int error = 0;
2380
2381 switch (cmd) {
2382 case FIONREAD:
2383 /* fall through */
2384 case FIBMAP:
2385 /* fall through */
2386 case FIGETBSZ:
2387 /* fall through */
2388 case EXT2_IOC_GETFLAGS:
2389 /* fall through */
2390 case EXT2_IOC_GETVERSION:
2391 error = file_has_perm(current, file, FILE__GETATTR);
2392 break;
2393
2394 case EXT2_IOC_SETFLAGS:
2395 /* fall through */
2396 case EXT2_IOC_SETVERSION:
2397 error = file_has_perm(current, file, FILE__SETATTR);
2398 break;
2399
2400 /* sys_ioctl() checks */
2401 case FIONBIO:
2402 /* fall through */
2403 case FIOASYNC:
2404 error = file_has_perm(current, file, 0);
2405 break;
2406
2407 case KDSKBENT:
2408 case KDSKBSENT:
2409 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2410 break;
2411
2412 /* default case assumes that the command will go
2413 * to the file's ioctl() function.
2414 */
2415 default:
2416 error = file_has_perm(current, file, FILE__IOCTL);
2417
2418 }
2419 return error;
2420}
2421
2422static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2423{
2424#ifndef CONFIG_PPC32
2425 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2426 /*
2427 * We are making executable an anonymous mapping or a
2428 * private file mapping that will also be writable.
2429 * This has an additional check.
2430 */
2431 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2432 if (rc)
2433 return rc;
2434 }
2435#endif
2436
2437 if (file) {
2438 /* read access is always possible with a mapping */
2439 u32 av = FILE__READ;
2440
2441 /* write access only matters if the mapping is shared */
2442 if (shared && (prot & PROT_WRITE))
2443 av |= FILE__WRITE;
2444
2445 if (prot & PROT_EXEC)
2446 av |= FILE__EXECUTE;
2447
2448 return file_has_perm(current, file, av);
2449 }
2450 return 0;
2451}
2452
2453static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2454 unsigned long prot, unsigned long flags)
2455{
2456 int rc;
2457
2458 rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2459 if (rc)
2460 return rc;
2461
2462 if (selinux_checkreqprot)
2463 prot = reqprot;
2464
2465 return file_map_prot_check(file, prot,
2466 (flags & MAP_TYPE) == MAP_SHARED);
2467}
2468
2469static int selinux_file_mprotect(struct vm_area_struct *vma,
2470 unsigned long reqprot,
2471 unsigned long prot)
2472{
2473 int rc;
2474
2475 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2476 if (rc)
2477 return rc;
2478
2479 if (selinux_checkreqprot)
2480 prot = reqprot;
2481
2482#ifndef CONFIG_PPC32
db4c9641
SS		 2483 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2484 rc = 0;
2485 if (vma->vm_start >= vma->vm_mm->start_brk &&
2486 vma->vm_end <= vma->vm_mm->brk) {
2487 rc = task_has_perm(current, current,
2488 PROCESS__EXECHEAP);
2489 } else if (!vma->vm_file &&
2490 vma->vm_start <= vma->vm_mm->start_stack &&
2491 vma->vm_end >= vma->vm_mm->start_stack) {
2492 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2493 } else if (vma->vm_file && vma->anon_vma) {
2494 /*
2495 * We are making executable a file mapping that has
2496 * had some COW done. Since pages might have been
2497 * written, check ability to execute the possibly
2498 * modified content. This typically should only
2499 * occur for text relocations.
2500 */
2501 rc = file_has_perm(current, vma->vm_file,
2502 FILE__EXECMOD);
2503 }