]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blame - security/selinux/hooks.c
projects / mirror_ubuntu-artful-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
->permission() sanitizing: don't pass flags to ->inode_permission()
[mirror_ubuntu-artful-kernel.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4
PM		 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul.moore@hp.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4 26#include <linux/init.h>
0b24dcb7 27#include <linux/kd.h>
1da177e4 28#include <linux/kernel.h>
0d094efe 29#include <linux/tracehook.h>
1da177e4 30#include <linux/errno.h>
0b24dcb7 31#include <linux/ext2_fs.h>
1da177e4
LT		 32#include <linux/sched.h>
33#include <linux/security.h>
34#include <linux/xattr.h>
35#include <linux/capability.h>
36#include <linux/unistd.h>
37#include <linux/mm.h>
38#include <linux/mman.h>
39#include <linux/slab.h>
40#include <linux/pagemap.h>
0b24dcb7 41#include <linux/proc_fs.h>
1da177e4 42#include <linux/swap.h>
1da177e4
LT		 43#include <linux/spinlock.h>
44#include <linux/syscalls.h>
2a7dba39 45#include <linux/dcache.h>
1da177e4 46#include <linux/file.h>
9f3acc31 47#include <linux/fdtable.h>
1da177e4
LT		 48#include <linux/namei.h>
49#include <linux/mount.h>
1da177e4
LT		 50#include <linux/netfilter_ipv4.h>
51#include <linux/netfilter_ipv6.h>
52#include <linux/tty.h>
53#include <net/icmp.h>
227b60f5 54#include <net/ip.h> /* for local_port_range[] */
1da177e4 55#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
220deb96 56#include <net/net_namespace.h>
d621d35e 57#include <net/netlabel.h>
f5269710 58#include <linux/uaccess.h>
1da177e4 59#include <asm/ioctls.h>
d621d35e 60#include <asm/atomic.h>
1da177e4
LT		 61#include <linux/bitops.h>
62#include <linux/interrupt.h>
63#include <linux/netdevice.h> /* for network interface checks */
64#include <linux/netlink.h>
65#include <linux/tcp.h>
66#include <linux/udp.h>
2ee92d46 67#include <linux/dccp.h>
1da177e4
LT		 68#include <linux/quota.h>
69#include <linux/un.h> /* for Unix socket types */
70#include <net/af_unix.h> /* for Unix socket types */
71#include <linux/parser.h>
72#include <linux/nfs_mount.h>
73#include <net/ipv6.h>
74#include <linux/hugetlb.h>
75#include <linux/personality.h>
1da177e4 76#include <linux/audit.h>
6931dfc9 77#include <linux/string.h>
877ce7c1 78#include <linux/selinux.h>
23970741 79#include <linux/mutex.h>
f06febc9 80#include <linux/posix-timers.h>
00234592 81#include <linux/syslog.h>
3486740a 82#include <linux/user_namespace.h>
1da177e4
LT		 83
84#include "avc.h"
85#include "objsec.h"
86#include "netif.h"
224dfbd8 87#include "netnode.h"
3e112172 88#include "netport.h"
d28d1e08 89#include "xfrm.h"
c60475bf 90#include "netlabel.h"
9d57a7f9 91#include "audit.h"
1da177e4 92
11689d47 93#define NUM_SEL_MNT_OPTS 5
c9180a57 94
1da177e4 95extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
20510f2f 96extern struct security_operations *security_ops;
1da177e4 97
d621d35e
PM		 98/* SECMARK reference count */
99atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100
1da177e4 101#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 102int selinux_enforcing;
1da177e4
LT		 103
104static int __init enforcing_setup(char *str)
105{
f5269710
EP		 106 unsigned long enforcing;
107 if (!strict_strtoul(str, 0, &enforcing))
108 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 109 return 1;
110}
111__setup("enforcing=", enforcing_setup);
112#endif
113
114#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116
117static int __init selinux_enabled_setup(char *str)
118{
f5269710
EP		 119 unsigned long enabled;
120 if (!strict_strtoul(str, 0, &enabled))
121 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 122 return 1;
123}
124__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 125#else
126int selinux_enabled = 1;
1da177e4
LT		 127#endif
128
e18b890b 129static struct kmem_cache *sel_inode_cache;
7cae7e26 130
d621d35e
PM		 131/**
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133 *
134 * Description:
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
138 * enabled, false (0) if SECMARK is disabled.
139 *
140 */
141static int selinux_secmark_enabled(void)
142{
143 return (atomic_read(&selinux_secmark_refcount) > 0);
144}
145
d84f4f99
DH		 146/*
147 * initialise the security for the init task
148 */
149static void cred_init_security(void)
1da177e4 150{
3b11a1de 151 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 152 struct task_security_struct *tsec;
153
89d155ef 154 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 155 if (!tsec)
d84f4f99 156 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 157
d84f4f99 158 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 159 cred->security = tsec;
1da177e4
LT		 160}
161
88e67f3b
DH		 162/*
163 * get the security ID of a set of credentials
164 */
165static inline u32 cred_sid(const struct cred *cred)
166{
167 const struct task_security_struct *tsec;
168
169 tsec = cred->security;
170 return tsec->sid;
171}
172
275bb41e 173/*
3b11a1de 174 * get the objective security ID of a task
275bb41e
DH		 175 */
176static inline u32 task_sid(const struct task_struct *task)
177{
275bb41e
DH		 178 u32 sid;
179
180 rcu_read_lock();
88e67f3b 181 sid = cred_sid(__task_cred(task));
275bb41e
DH		 182 rcu_read_unlock();
183 return sid;
184}
185
186/*
3b11a1de 187 * get the subjective security ID of the current task
275bb41e
DH		 188 */
189static inline u32 current_sid(void)
190{
5fb49870 191 const struct task_security_struct *tsec = current_security();
275bb41e
DH		 192
193 return tsec->sid;
194}
195
88e67f3b
DH		 196/* Allocate and free functions for each kind of security blob. */
197
1da177e4
LT		 198static int inode_alloc_security(struct inode *inode)
199{
1da177e4 200 struct inode_security_struct *isec;
275bb41e 201 u32 sid = current_sid();
1da177e4 202
a02fe132 203 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 204 if (!isec)
205 return -ENOMEM;
206
23970741 207 mutex_init(&isec->lock);
1da177e4 208 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 209 isec->inode = inode;
210 isec->sid = SECINITSID_UNLABELED;
211 isec->sclass = SECCLASS_FILE;
275bb41e 212 isec->task_sid = sid;
1da177e4
LT		 213 inode->i_security = isec;
214
215 return 0;
216}
217
218static void inode_free_security(struct inode *inode)
219{
220 struct inode_security_struct *isec = inode->i_security;
221 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
222
1da177e4
LT		 223 spin_lock(&sbsec->isec_lock);
224 if (!list_empty(&isec->list))
225 list_del_init(&isec->list);
226 spin_unlock(&sbsec->isec_lock);
227
228 inode->i_security = NULL;
7cae7e26 229 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 230}
231
232static int file_alloc_security(struct file *file)
233{
1da177e4 234 struct file_security_struct *fsec;
275bb41e 235 u32 sid = current_sid();
1da177e4 236
26d2a4be 237 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 238 if (!fsec)
239 return -ENOMEM;
240
275bb41e
DH		 241 fsec->sid = sid;
242 fsec->fown_sid = sid;
1da177e4
LT		 243 file->f_security = fsec;
244
245 return 0;
246}
247
248static void file_free_security(struct file *file)
249{
250 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 251 file->f_security = NULL;
252 kfree(fsec);
253}
254
255static int superblock_alloc_security(struct super_block *sb)
256{
257 struct superblock_security_struct *sbsec;
258
89d155ef 259 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 260 if (!sbsec)
261 return -ENOMEM;
262
bc7e982b 263 mutex_init(&sbsec->lock);
1da177e4
LT		 264 INIT_LIST_HEAD(&sbsec->isec_head);
265 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 266 sbsec->sb = sb;
267 sbsec->sid = SECINITSID_UNLABELED;
268 sbsec->def_sid = SECINITSID_FILE;
c312feb2 269 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 270 sb->s_security = sbsec;
271
272 return 0;
273}
274
275static void superblock_free_security(struct super_block *sb)
276{
277 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 278 sb->s_security = NULL;
279 kfree(sbsec);
280}
281
1da177e4
LT		 282/* The security server must be initialized before
283 any labeling or access decisions can be provided. */
284extern int ss_initialized;
285
286/* The file system's label must be initialized prior to use. */
287
634a539e 288static const char *labeling_behaviors[6] = {
1da177e4
LT		 289 "uses xattr",
290 "uses transition SIDs",
291 "uses task SIDs",
292 "uses genfs_contexts",
293 "not configured for labeling",
294 "uses mountpoint labeling",
295};
296
297static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
298
299static inline int inode_doinit(struct inode *inode)
300{
301 return inode_doinit_with_dentry(inode, NULL);
302}
303
304enum {
31e87930 305 Opt_error = -1,
1da177e4
LT		 306 Opt_context = 1,
307 Opt_fscontext = 2,
c9180a57
EP		 308 Opt_defcontext = 3,
309 Opt_rootcontext = 4,
11689d47 310 Opt_labelsupport = 5,
1da177e4
LT		 311};
312
a447c093 313static const match_table_t tokens = {
832cbd9a
EP		 314 {Opt_context, CONTEXT_STR "%s"},
315 {Opt_fscontext, FSCONTEXT_STR "%s"},
316 {Opt_defcontext, DEFCONTEXT_STR "%s"},
317 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 318 {Opt_labelsupport, LABELSUPP_STR},
31e87930 319 {Opt_error, NULL},
1da177e4
LT		 320};
321
322#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
323
c312feb2
EP		 324static int may_context_mount_sb_relabel(u32 sid,
325 struct superblock_security_struct *sbsec,
275bb41e 326 const struct cred *cred)
c312feb2 327{
275bb41e 328 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 329 int rc;
330
331 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
332 FILESYSTEM__RELABELFROM, NULL);
333 if (rc)
334 return rc;
335
336 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
337 FILESYSTEM__RELABELTO, NULL);
338 return rc;
339}
340
0808925e
EP		 341static int may_context_mount_inode_relabel(u32 sid,
342 struct superblock_security_struct *sbsec,
275bb41e 343 const struct cred *cred)
0808925e 344{
275bb41e 345 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 346 int rc;
347 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
348 FILESYSTEM__RELABELFROM, NULL);
349 if (rc)
350 return rc;
351
352 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
353 FILESYSTEM__ASSOCIATE, NULL);
354 return rc;
355}
356
c9180a57 357static int sb_finish_set_opts(struct super_block *sb)
1da177e4 358{
1da177e4 359 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 360 struct dentry *root = sb->s_root;
361 struct inode *root_inode = root->d_inode;
362 int rc = 0;
1da177e4 363
c9180a57
EP		 364 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
365 /* Make sure that the xattr handler exists and that no
366 error other than -ENODATA is returned by getxattr on
367 the root directory. -ENODATA is ok, as this may be
368 the first boot of the SELinux kernel before we have
369 assigned xattr values to the filesystem. */
370 if (!root_inode->i_op->getxattr) {
371 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
372 "xattr support\n", sb->s_id, sb->s_type->name);
373 rc = -EOPNOTSUPP;
374 goto out;
375 }
376 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
377 if (rc < 0 && rc != -ENODATA) {
378 if (rc == -EOPNOTSUPP)
379 printk(KERN_WARNING "SELinux: (dev %s, type "
380 "%s) has no security xattr handler\n",
381 sb->s_id, sb->s_type->name);
382 else
383 printk(KERN_WARNING "SELinux: (dev %s, type "
384 "%s) getxattr errno %d\n", sb->s_id,
385 sb->s_type->name, -rc);
386 goto out;
387 }
388 }
1da177e4 389
11689d47 390 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
1da177e4 391
c9180a57
EP		 392 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
393 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
394 sb->s_id, sb->s_type->name);
395 else
396 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
397 sb->s_id, sb->s_type->name,
398 labeling_behaviors[sbsec->behavior-1]);
1da177e4 399
11689d47
DQ		 400 if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
401 sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
402 sbsec->behavior == SECURITY_FS_USE_NONE ||
403 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
404 sbsec->flags &= ~SE_SBLABELSUPP;
405
ddd29ec6
DQ		 406 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
407 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
408 sbsec->flags |= SE_SBLABELSUPP;
409
c9180a57
EP		 410 /* Initialize the root inode. */
411 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 412
c9180a57
EP		 413 /* Initialize any other inodes associated with the superblock, e.g.
414 inodes created prior to initial policy load or inodes created
415 during get_sb by a pseudo filesystem that directly
416 populates itself. */
417 spin_lock(&sbsec->isec_lock);
418next_inode:
419 if (!list_empty(&sbsec->isec_head)) {
420 struct inode_security_struct *isec =
421 list_entry(sbsec->isec_head.next,
422 struct inode_security_struct, list);
423 struct inode *inode = isec->inode;
424 spin_unlock(&sbsec->isec_lock);
425 inode = igrab(inode);
426 if (inode) {
427 if (!IS_PRIVATE(inode))
428 inode_doinit(inode);
429 iput(inode);
430 }
431 spin_lock(&sbsec->isec_lock);
432 list_del_init(&isec->list);
433 goto next_inode;
434 }
435 spin_unlock(&sbsec->isec_lock);
436out:
437 return rc;
438}
1da177e4 439
c9180a57
EP		 440/*
441 * This function should allow an FS to ask what it's mount security
442 * options were so it can use those later for submounts, displaying
443 * mount options, or whatever.
444 */
445static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 446 struct security_mnt_opts *opts)
c9180a57
EP		 447{
448 int rc = 0, i;
449 struct superblock_security_struct *sbsec = sb->s_security;
450 char *context = NULL;
451 u32 len;
452 char tmp;
1da177e4 453
e0007529 454 security_init_mnt_opts(opts);
1da177e4 455
0d90a7ec 456 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 457 return -EINVAL;
1da177e4 458
c9180a57
EP		 459 if (!ss_initialized)
460 return -EINVAL;
1da177e4 461
0d90a7ec 462 tmp = sbsec->flags & SE_MNTMASK;
c9180a57
EP		 463 /* count the number of mount options for this sb */
464 for (i = 0; i < 8; i++) {
465 if (tmp & 0x01)
e0007529 466 opts->num_mnt_opts++;
c9180a57
EP		 467 tmp >>= 1;
468 }
11689d47
DQ		 469 /* Check if the Label support flag is set */
470 if (sbsec->flags & SE_SBLABELSUPP)
471 opts->num_mnt_opts++;
1da177e4 472
e0007529
EP		 473 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
474 if (!opts->mnt_opts) {
c9180a57
EP		 475 rc = -ENOMEM;
476 goto out_free;
477 }
1da177e4 478
e0007529
EP		 479 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
480 if (!opts->mnt_opts_flags) {
c9180a57
EP		 481 rc = -ENOMEM;
482 goto out_free;
483 }
1da177e4 484
c9180a57
EP		 485 i = 0;
486 if (sbsec->flags & FSCONTEXT_MNT) {
487 rc = security_sid_to_context(sbsec->sid, &context, &len);
488 if (rc)
489 goto out_free;
e0007529
EP		 490 opts->mnt_opts[i] = context;
491 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 492 }
493 if (sbsec->flags & CONTEXT_MNT) {
494 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
495 if (rc)
496 goto out_free;
e0007529
EP		 497 opts->mnt_opts[i] = context;
498 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 499 }
500 if (sbsec->flags & DEFCONTEXT_MNT) {
501 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
502 if (rc)
503 goto out_free;
e0007529
EP		 504 opts->mnt_opts[i] = context;
505 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 506 }
507 if (sbsec->flags & ROOTCONTEXT_MNT) {
508 struct inode *root = sbsec->sb->s_root->d_inode;
509 struct inode_security_struct *isec = root->i_security;
0808925e 510
c9180a57
EP		 511 rc = security_sid_to_context(isec->sid, &context, &len);
512 if (rc)
513 goto out_free;
e0007529
EP		 514 opts->mnt_opts[i] = context;
515 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 516 }
11689d47
DQ		 517 if (sbsec->flags & SE_SBLABELSUPP) {
518 opts->mnt_opts[i] = NULL;
519 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
520 }
1da177e4 521
e0007529 522 BUG_ON(i != opts->num_mnt_opts);
1da177e4 523
c9180a57
EP		 524 return 0;
525
526out_free:
e0007529 527 security_free_mnt_opts(opts);
c9180a57
EP		 528 return rc;
529}
1da177e4 530
c9180a57
EP		 531static int bad_option(struct superblock_security_struct *sbsec, char flag,
532 u32 old_sid, u32 new_sid)
533{
0d90a7ec
DQ		 534 char mnt_flags = sbsec->flags & SE_MNTMASK;
535
c9180a57 536 /* check if the old mount command had the same options */
0d90a7ec 537 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 538 if (!(sbsec->flags & flag) ||
539 (old_sid != new_sid))
540 return 1;
541
542 /* check if we were passed the same options twice,
543 * aka someone passed context=a,context=b
544 */
0d90a7ec
DQ		 545 if (!(sbsec->flags & SE_SBINITIALIZED))
546 if (mnt_flags & flag)
c9180a57
EP		 547 return 1;
548 return 0;
549}
e0007529 550
c9180a57
EP		 551/*
552 * Allow filesystems with binary mount data to explicitly set mount point
553 * labeling information.
554 */
e0007529
EP		 555static int selinux_set_mnt_opts(struct super_block *sb,
556 struct security_mnt_opts *opts)
c9180a57 557{
275bb41e 558 const struct cred *cred = current_cred();
c9180a57 559 int rc = 0, i;
c9180a57
EP		 560 struct superblock_security_struct *sbsec = sb->s_security;
561 const char *name = sb->s_type->name;
089be43e
JM		 562 struct inode *inode = sbsec->sb->s_root->d_inode;
563 struct inode_security_struct *root_isec = inode->i_security;
c9180a57
EP		 564 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
565 u32 defcontext_sid = 0;
e0007529
EP		 566 char **mount_options = opts->mnt_opts;
567 int *flags = opts->mnt_opts_flags;
568 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 569
570 mutex_lock(&sbsec->lock);
571
572 if (!ss_initialized) {
573 if (!num_opts) {
574 /* Defer initialization until selinux_complete_init,
575 after the initial policy is loaded and the security
576 server is ready to handle calls. */
c9180a57
EP		 577 goto out;
578 }
579 rc = -EINVAL;
744ba35e
EP		 580 printk(KERN_WARNING "SELinux: Unable to set superblock options "
581 "before the security server is initialized\n");
1da177e4 582 goto out;
c9180a57 583 }
1da177e4 584
e0007529
EP		 585 /*
586 * Binary mount data FS will come through this function twice. Once
587 * from an explicit call and once from the generic calls from the vfs.
588 * Since the generic VFS calls will not contain any security mount data
589 * we need to skip the double mount verification.
590 *
591 * This does open a hole in which we will not notice if the first
592 * mount using this sb set explict options and a second mount using
593 * this sb does not set any security options. (The first options
594 * will be used for both mounts)
595 */
0d90a7ec 596 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 597 && (num_opts == 0))
f5269710 598 goto out;
e0007529 599
c9180a57
EP		 600 /*
601 * parse the mount options, check if they are valid sids.
602 * also check if someone is trying to mount the same sb more
603 * than once with different security options.
604 */
605 for (i = 0; i < num_opts; i++) {
606 u32 sid;
11689d47
DQ		 607
608 if (flags[i] == SE_SBLABELSUPP)
609 continue;
c9180a57
EP		 610 rc = security_context_to_sid(mount_options[i],
611 strlen(mount_options[i]), &sid);
1da177e4
LT		 612 if (rc) {
613 printk(KERN_WARNING "SELinux: security_context_to_sid"
614 "(%s) failed for (dev %s, type %s) errno=%d\n",
c9180a57
EP		 615 mount_options[i], sb->s_id, name, rc);
616 goto out;
617 }
618 switch (flags[i]) {
619 case FSCONTEXT_MNT:
620 fscontext_sid = sid;
621
622 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
623 fscontext_sid))
624 goto out_double_mount;
625
626 sbsec->flags |= FSCONTEXT_MNT;
627 break;
628 case CONTEXT_MNT:
629 context_sid = sid;
630
631 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
632 context_sid))
633 goto out_double_mount;
634
635 sbsec->flags |= CONTEXT_MNT;
636 break;
637 case ROOTCONTEXT_MNT:
638 rootcontext_sid = sid;
639
640 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
641 rootcontext_sid))
642 goto out_double_mount;
643
644 sbsec->flags |= ROOTCONTEXT_MNT;
645
646 break;
647 case DEFCONTEXT_MNT:
648 defcontext_sid = sid;
649
650 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
651 defcontext_sid))
652 goto out_double_mount;
653
654 sbsec->flags |= DEFCONTEXT_MNT;
655
656 break;
657 default:
658 rc = -EINVAL;
659 goto out;
1da177e4 660 }
c9180a57
EP		 661 }
662
0d90a7ec 663 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 664 /* previously mounted with options, but not on this attempt? */
0d90a7ec 665 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 666 goto out_double_mount;
667 rc = 0;
668 goto out;
669 }
670
089be43e 671 if (strcmp(sb->s_type->name, "proc") == 0)
0d90a7ec 672 sbsec->flags |= SE_SBPROC;
c9180a57
EP		 673
674 /* Determine the labeling behavior to use for this filesystem type. */
0d90a7ec 675 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
c9180a57
EP		 676 if (rc) {
677 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
089be43e 678 __func__, sb->s_type->name, rc);
c9180a57
EP		 679 goto out;
680 }
1da177e4 681
c9180a57
EP		 682 /* sets the context of the superblock for the fs being mounted. */
683 if (fscontext_sid) {
275bb41e 684 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 685 if (rc)
c9180a57 686 goto out;
1da177e4 687
c9180a57 688 sbsec->sid = fscontext_sid;
c312feb2
EP		 689 }
690
691 /*
692 * Switch to using mount point labeling behavior.
693 * sets the label used on all file below the mountpoint, and will set
694 * the superblock context if not already set.
695 */
c9180a57
EP		 696 if (context_sid) {
697 if (!fscontext_sid) {
275bb41e
DH		 698 rc = may_context_mount_sb_relabel(context_sid, sbsec,
699 cred);
b04ea3ce 700 if (rc)
c9180a57
EP		 701 goto out;
702 sbsec->sid = context_sid;
b04ea3ce 703 } else {
275bb41e
DH		 704 rc = may_context_mount_inode_relabel(context_sid, sbsec,
705 cred);
b04ea3ce 706 if (rc)
c9180a57 707 goto out;
b04ea3ce 708 }
c9180a57
EP		 709 if (!rootcontext_sid)
710 rootcontext_sid = context_sid;
1da177e4 711
c9180a57 712 sbsec->mntpoint_sid = context_sid;
c312feb2 713 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 714 }
715
c9180a57 716 if (rootcontext_sid) {
275bb41e
DH		 717 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
718 cred);
0808925e 719 if (rc)
c9180a57 720 goto out;
0808925e 721
c9180a57
EP		 722 root_isec->sid = rootcontext_sid;
723 root_isec->initialized = 1;
0808925e
EP		 724 }
725
c9180a57
EP		 726 if (defcontext_sid) {
727 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
728 rc = -EINVAL;
729 printk(KERN_WARNING "SELinux: defcontext option is "
730 "invalid for this filesystem type\n");
731 goto out;
1da177e4
LT		 732 }
733
c9180a57
EP		 734 if (defcontext_sid != sbsec->def_sid) {
735 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 736 sbsec, cred);
c9180a57
EP		 737 if (rc)
738 goto out;
739 }
1da177e4 740
c9180a57 741 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 742 }
743
c9180a57 744 rc = sb_finish_set_opts(sb);
1da177e4 745out:
c9180a57 746 mutex_unlock(&sbsec->lock);
1da177e4 747 return rc;
c9180a57
EP		 748out_double_mount:
749 rc = -EINVAL;
750 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
751 "security settings for (dev %s, type %s)\n", sb->s_id, name);
752 goto out;
1da177e4
LT		 753}
754
c9180a57
EP		 755static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
756 struct super_block *newsb)
1da177e4 757{
c9180a57
EP		 758 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
759 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 760
c9180a57
EP		 761 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
762 int set_context = (oldsbsec->flags & CONTEXT_MNT);
763 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 764
0f5e6420
EP		 765 /*
766 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 767 * mount options. thus we can safely deal with this superblock later
0f5e6420 768 */
e8c26255 769 if (!ss_initialized)
0f5e6420 770 return;
c9180a57 771
c9180a57 772 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 773 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 774
5a552617 775 /* if fs is reusing a sb, just let its options stand... */
0d90a7ec 776 if (newsbsec->flags & SE_SBINITIALIZED)
5a552617
EP		 777 return;
778
c9180a57
EP		 779 mutex_lock(&newsbsec->lock);
780
781 newsbsec->flags = oldsbsec->flags;
782
783 newsbsec->sid = oldsbsec->sid;
784 newsbsec->def_sid = oldsbsec->def_sid;
785 newsbsec->behavior = oldsbsec->behavior;
786
787 if (set_context) {
788 u32 sid = oldsbsec->mntpoint_sid;
789
790 if (!set_fscontext)
791 newsbsec->sid = sid;
792 if (!set_rootcontext) {
793 struct inode *newinode = newsb->s_root->d_inode;
794 struct inode_security_struct *newisec = newinode->i_security;
795 newisec->sid = sid;
796 }
797 newsbsec->mntpoint_sid = sid;
1da177e4 798 }
c9180a57
EP		 799 if (set_rootcontext) {
800 const struct inode *oldinode = oldsb->s_root->d_inode;
801 const struct inode_security_struct *oldisec = oldinode->i_security;
802 struct inode *newinode = newsb->s_root->d_inode;
803 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 804
c9180a57 805 newisec->sid = oldisec->sid;
1da177e4
LT		 806 }
807
c9180a57
EP		 808 sb_finish_set_opts(newsb);
809 mutex_unlock(&newsbsec->lock);
810}
811
2e1479d9
AB		 812static int selinux_parse_opts_str(char *options,
813 struct security_mnt_opts *opts)
c9180a57 814{
e0007529 815 char *p;
c9180a57
EP		 816 char *context = NULL, *defcontext = NULL;
817 char *fscontext = NULL, *rootcontext = NULL;
e0007529 818 int rc, num_mnt_opts = 0;
1da177e4 819
e0007529 820 opts->num_mnt_opts = 0;
1da177e4 821
c9180a57
EP		 822 /* Standard string-based options. */
823 while ((p = strsep(&options, "|")) != NULL) {
824 int token;
825 substring_t args[MAX_OPT_ARGS];
1da177e4 826
c9180a57
EP		 827 if (!*p)
828 continue;
1da177e4 829
c9180a57 830 token = match_token(p, tokens, args);
1da177e4 831
c9180a57
EP		 832 switch (token) {
833 case Opt_context:
834 if (context || defcontext) {
835 rc = -EINVAL;
836 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
837 goto out_err;
838 }
839 context = match_strdup(&args[0]);
840 if (!context) {
841 rc = -ENOMEM;
842 goto out_err;
843 }
844 break;
845
846 case Opt_fscontext:
847 if (fscontext) {
848 rc = -EINVAL;
849 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
850 goto out_err;
851 }
852 fscontext = match_strdup(&args[0]);
853 if (!fscontext) {
854 rc = -ENOMEM;
855 goto out_err;
856 }
857 break;
858
859 case Opt_rootcontext:
860 if (rootcontext) {
861 rc = -EINVAL;
862 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
863 goto out_err;
864 }
865 rootcontext = match_strdup(&args[0]);
866 if (!rootcontext) {
867 rc = -ENOMEM;
868 goto out_err;
869 }
870 break;
871
872 case Opt_defcontext:
873 if (context || defcontext) {
874 rc = -EINVAL;
875 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
876 goto out_err;
877 }
878 defcontext = match_strdup(&args[0]);
879 if (!defcontext) {
880 rc = -ENOMEM;
881 goto out_err;
882 }
883 break;
11689d47
DQ		 884 case Opt_labelsupport:
885 break;
c9180a57
EP		 886 default:
887 rc = -EINVAL;
888 printk(KERN_WARNING "SELinux: unknown mount option\n");
889 goto out_err;
1da177e4 890
1da177e4 891 }
1da177e4 892 }
c9180a57 893
e0007529
EP		 894 rc = -ENOMEM;
895 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
896 if (!opts->mnt_opts)
897 goto out_err;
898
899 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
900 if (!opts->mnt_opts_flags) {
901 kfree(opts->mnt_opts);
902 goto out_err;
903 }
904
c9180a57 905 if (fscontext) {
e0007529
EP		 906 opts->mnt_opts[num_mnt_opts] = fscontext;
907 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 908 }
909 if (context) {
e0007529
EP		 910 opts->mnt_opts[num_mnt_opts] = context;
911 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 912 }
913 if (rootcontext) {
e0007529
EP		 914 opts->mnt_opts[num_mnt_opts] = rootcontext;
915 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 916 }
917 if (defcontext) {
e0007529
EP		 918 opts->mnt_opts[num_mnt_opts] = defcontext;
919 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 920 }
921
e0007529
EP		 922 opts->num_mnt_opts = num_mnt_opts;
923 return 0;
924
c9180a57
EP		 925out_err:
926 kfree(context);
927 kfree(defcontext);
928 kfree(fscontext);
929 kfree(rootcontext);
1da177e4
LT		 930 return rc;
931}
e0007529
EP		 932/*
933 * string mount options parsing and call set the sbsec
934 */
935static int superblock_doinit(struct super_block *sb, void *data)
936{
937 int rc = 0;
938 char *options = data;
939 struct security_mnt_opts opts;
940
941 security_init_mnt_opts(&opts);
942
943 if (!data)
944 goto out;
945
946 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
947
948 rc = selinux_parse_opts_str(options, &opts);
949 if (rc)
950 goto out_err;
951
952out:
953 rc = selinux_set_mnt_opts(sb, &opts);
954
955out_err:
956 security_free_mnt_opts(&opts);
957 return rc;
958}
1da177e4 959
3583a711
AB		 960static void selinux_write_opts(struct seq_file *m,
961 struct security_mnt_opts *opts)
2069f457
EP		 962{
963 int i;
964 char *prefix;
965
966 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 967 char *has_comma;
968
969 if (opts->mnt_opts[i])
970 has_comma = strchr(opts->mnt_opts[i], ',');
971 else
972 has_comma = NULL;
2069f457
EP		 973
974 switch (opts->mnt_opts_flags[i]) {
975 case CONTEXT_MNT:
976 prefix = CONTEXT_STR;
977 break;
978 case FSCONTEXT_MNT:
979 prefix = FSCONTEXT_STR;
980 break;
981 case ROOTCONTEXT_MNT:
982 prefix = ROOTCONTEXT_STR;
983 break;
984 case DEFCONTEXT_MNT:
985 prefix = DEFCONTEXT_STR;
986 break;
11689d47
DQ		 987 case SE_SBLABELSUPP:
988 seq_putc(m, ',');
989 seq_puts(m, LABELSUPP_STR);
990 continue;
2069f457
EP		 991 default:
992 BUG();
a35c6c83 993 return;
2069f457
EP		 994 };
995 /* we need a comma before each option */
996 seq_putc(m, ',');
997 seq_puts(m, prefix);
998 if (has_comma)
999 seq_putc(m, '\"');
1000 seq_puts(m, opts->mnt_opts[i]);
1001 if (has_comma)
1002 seq_putc(m, '\"');
1003 }
1004}
1005
1006static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1007{
1008 struct security_mnt_opts opts;
1009 int rc;
1010
1011 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1012 if (rc) {
1013 /* before policy load we may get EINVAL, don't show anything */
1014 if (rc == -EINVAL)
1015 rc = 0;
2069f457 1016 return rc;
383795c2 1017 }
2069f457
EP		 1018
1019 selinux_write_opts(m, &opts);
1020
1021 security_free_mnt_opts(&opts);
1022
1023 return rc;
1024}
1025
1da177e4
LT		 1026static inline u16 inode_mode_to_security_class(umode_t mode)
1027{
1028 switch (mode & S_IFMT) {
1029 case S_IFSOCK:
1030 return SECCLASS_SOCK_FILE;
1031 case S_IFLNK:
1032 return SECCLASS_LNK_FILE;
1033 case S_IFREG:
1034 return SECCLASS_FILE;
1035 case S_IFBLK:
1036 return SECCLASS_BLK_FILE;
1037 case S_IFDIR:
1038 return SECCLASS_DIR;
1039 case S_IFCHR:
1040 return SECCLASS_CHR_FILE;
1041 case S_IFIFO:
1042 return SECCLASS_FIFO_FILE;
1043
1044 }
1045
1046 return SECCLASS_FILE;
1047}
1048
13402580
JM		 1049static inline int default_protocol_stream(int protocol)
1050{
1051 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1052}
1053
1054static inline int default_protocol_dgram(int protocol)
1055{
1056 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1057}
1058
1da177e4
LT		 1059static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1060{
1061 switch (family) {
1062 case PF_UNIX:
1063 switch (type) {
1064 case SOCK_STREAM:
1065 case SOCK_SEQPACKET:
1066 return SECCLASS_UNIX_STREAM_SOCKET;
1067 case SOCK_DGRAM:
1068 return SECCLASS_UNIX_DGRAM_SOCKET;
1069 }
1070 break;
1071 case PF_INET:
1072 case PF_INET6:
1073 switch (type) {
1074 case SOCK_STREAM:
13402580
JM		 1075 if (default_protocol_stream(protocol))
1076 return SECCLASS_TCP_SOCKET;
1077 else
1078 return SECCLASS_RAWIP_SOCKET;
1da177e4 1079 case SOCK_DGRAM:
13402580
JM		 1080 if (default_protocol_dgram(protocol))
1081 return SECCLASS_UDP_SOCKET;
1082 else
1083 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1084 case SOCK_DCCP:
1085 return SECCLASS_DCCP_SOCKET;
13402580 1086 default:
1da177e4
LT		 1087 return SECCLASS_RAWIP_SOCKET;
1088 }
1089 break;
1090 case PF_NETLINK:
1091 switch (protocol) {
1092 case NETLINK_ROUTE:
1093 return SECCLASS_NETLINK_ROUTE_SOCKET;
1094 case NETLINK_FIREWALL:
1095 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 1096 case NETLINK_INET_DIAG:
1da177e4
LT		 1097 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1098 case NETLINK_NFLOG:
1099 return SECCLASS_NETLINK_NFLOG_SOCKET;
1100 case NETLINK_XFRM:
1101 return SECCLASS_NETLINK_XFRM_SOCKET;
1102 case NETLINK_SELINUX:
1103 return SECCLASS_NETLINK_SELINUX_SOCKET;
1104 case NETLINK_AUDIT:
1105 return SECCLASS_NETLINK_AUDIT_SOCKET;
1106 case NETLINK_IP6_FW:
1107 return SECCLASS_NETLINK_IP6FW_SOCKET;
1108 case NETLINK_DNRTMSG:
1109 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1110 case NETLINK_KOBJECT_UEVENT:
1111 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1112 default:
1113 return SECCLASS_NETLINK_SOCKET;
1114 }
1115 case PF_PACKET:
1116 return SECCLASS_PACKET_SOCKET;
1117 case PF_KEY:
1118 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1119 case PF_APPLETALK:
1120 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1121 }
1122
1123 return SECCLASS_SOCKET;
1124}
1125
1126#ifdef CONFIG_PROC_FS
8e6c9693 1127static int selinux_proc_get_sid(struct dentry *dentry,
1da177e4
LT		 1128 u16 tclass,
1129 u32 *sid)
1130{
8e6c9693
LAG		 1131 int rc;
1132 char *buffer, *path;
1da177e4 1133
828dfe1d 1134 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1135 if (!buffer)
1136 return -ENOMEM;
1137
8e6c9693
LAG		 1138 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1139 if (IS_ERR(path))
1140 rc = PTR_ERR(path);
1141 else {
1142 /* each process gets a /proc/PID/ entry. Strip off the
1143 * PID part to get a valid selinux labeling.
1144 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1145 while (path[1] >= '0' && path[1] <= '9') {
1146 path[1] = '/';
1147 path++;
1148 }
1149 rc = security_genfs_sid("proc", path, tclass, sid);
1da177e4 1150 }
1da177e4
LT		 1151 free_page((unsigned long)buffer);
1152 return rc;
1153}
1154#else
8e6c9693 1155static int selinux_proc_get_sid(struct dentry *dentry,
1da177e4
LT		 1156 u16 tclass,
1157 u32 *sid)
1158{
1159 return -EINVAL;
1160}
1161#endif
1162
1163/* The inode's security attributes must be initialized before first use. */
1164static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1165{
1166 struct superblock_security_struct *sbsec = NULL;
1167 struct inode_security_struct *isec = inode->i_security;
1168 u32 sid;
1169 struct dentry *dentry;
1170#define INITCONTEXTLEN 255
1171 char *context = NULL;
1172 unsigned len = 0;
1173 int rc = 0;
1da177e4
LT		 1174
1175 if (isec->initialized)
1176 goto out;
1177
23970741 1178 mutex_lock(&isec->lock);
1da177e4 1179 if (isec->initialized)
23970741 1180 goto out_unlock;
1da177e4
LT		 1181
1182 sbsec = inode->i_sb->s_security;
0d90a7ec 1183 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1184 /* Defer initialization until selinux_complete_init,
1185 after the initial policy is loaded and the security
1186 server is ready to handle calls. */
1187 spin_lock(&sbsec->isec_lock);
1188 if (list_empty(&isec->list))
1189 list_add(&isec->list, &sbsec->isec_head);
1190 spin_unlock(&sbsec->isec_lock);
23970741 1191 goto out_unlock;
1da177e4
LT		 1192 }
1193
1194 switch (sbsec->behavior) {
1195 case SECURITY_FS_USE_XATTR:
1196 if (!inode->i_op->getxattr) {
1197 isec->sid = sbsec->def_sid;
1198 break;
1199 }
1200
1201 /* Need a dentry, since the xattr API requires one.
1202 Life would be simpler if we could just pass the inode. */
1203 if (opt_dentry) {
1204 /* Called from d_instantiate or d_splice_alias. */
1205 dentry = dget(opt_dentry);
1206 } else {
1207 /* Called from selinux_complete_init, try to find a dentry. */
1208 dentry = d_find_alias(inode);
1209 }
1210 if (!dentry) {
df7f54c0
EP		 1211 /*
1212 * this is can be hit on boot when a file is accessed
1213 * before the policy is loaded. When we load policy we
1214 * may find inodes that have no dentry on the
1215 * sbsec->isec_head list. No reason to complain as these
1216 * will get fixed up the next time we go through
1217 * inode_doinit with a dentry, before these inodes could
1218 * be used again by userspace.
1219 */
23970741 1220 goto out_unlock;
1da177e4
LT		 1221 }
1222
1223 len = INITCONTEXTLEN;
4cb912f1 1224 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1225 if (!context) {
1226 rc = -ENOMEM;
1227 dput(dentry);
23970741 1228 goto out_unlock;
1da177e4 1229 }
4cb912f1 1230 context[len] = '\0';
1da177e4
LT		 1231 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1232 context, len);
1233 if (rc == -ERANGE) {
314dabb8
JM		 1234 kfree(context);
1235
1da177e4
LT		 1236 /* Need a larger buffer. Query for the right size. */
1237 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1238 NULL, 0);
1239 if (rc < 0) {
1240 dput(dentry);
23970741 1241 goto out_unlock;
1da177e4 1242 }
1da177e4 1243 len = rc;
4cb912f1 1244 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1245 if (!context) {
1246 rc = -ENOMEM;
1247 dput(dentry);
23970741 1248 goto out_unlock;
1da177e4 1249 }
4cb912f1 1250 context[len] = '\0';
1da177e4
LT		 1251 rc = inode->i_op->getxattr(dentry,
1252 XATTR_NAME_SELINUX,
1253 context, len);
1254 }
1255 dput(dentry);
1256 if (rc < 0) {
1257 if (rc != -ENODATA) {
744ba35e 1258 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1259 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1260 -rc, inode->i_sb->s_id, inode->i_ino);
1261 kfree(context);
23970741 1262 goto out_unlock;
1da177e4
LT		 1263 }
1264 /* Map ENODATA to the default file SID */
1265 sid = sbsec->def_sid;
1266 rc = 0;
1267 } else {
f5c1d5b2 1268 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1269 sbsec->def_sid,
1270 GFP_NOFS);
1da177e4 1271 if (rc) {
4ba0a8ad
EP		 1272 char *dev = inode->i_sb->s_id;
1273 unsigned long ino = inode->i_ino;
1274
1275 if (rc == -EINVAL) {
1276 if (printk_ratelimit())
1277 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1278 "context=%s. This indicates you may need to relabel the inode or the "
1279 "filesystem in question.\n", ino, dev, context);
1280 } else {
1281 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1282 "returned %d for dev=%s ino=%ld\n",
1283 __func__, context, -rc, dev, ino);
1284 }
1da177e4
LT		 1285 kfree(context);
1286 /* Leave with the unlabeled SID */
1287 rc = 0;
1288 break;
1289 }
1290 }
1291 kfree(context);
1292 isec->sid = sid;
1293 break;
1294 case SECURITY_FS_USE_TASK:
1295 isec->sid = isec->task_sid;
1296 break;
1297 case SECURITY_FS_USE_TRANS:
1298 /* Default to the fs SID. */
1299 isec->sid = sbsec->sid;
1300
1301 /* Try to obtain a transition SID. */
1302 isec->sclass = inode_mode_to_security_class(inode->i_mode);
652bb9b0
EP		 1303 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1304 isec->sclass, NULL, &sid);
1da177e4 1305 if (rc)
23970741 1306 goto out_unlock;
1da177e4
LT		 1307 isec->sid = sid;
1308 break;
c312feb2
EP		 1309 case SECURITY_FS_USE_MNTPOINT:
1310 isec->sid = sbsec->mntpoint_sid;
1311 break;
1da177e4 1312 default:
c312feb2 1313 /* Default to the fs superblock SID. */
1da177e4
LT		 1314 isec->sid = sbsec->sid;
1315
0d90a7ec 1316 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
8e6c9693 1317 if (opt_dentry) {
1da177e4 1318 isec->sclass = inode_mode_to_security_class(inode->i_mode);
8e6c9693 1319 rc = selinux_proc_get_sid(opt_dentry,
1da177e4
LT		 1320 isec->sclass,
1321 &sid);
1322 if (rc)
23970741 1323 goto out_unlock;
1da177e4
LT		 1324 isec->sid = sid;
1325 }
1326 }
1327 break;
1328 }
1329
1330 isec->initialized = 1;
1331
23970741
EP		 1332out_unlock:
1333 mutex_unlock(&isec->lock);
1da177e4
LT		 1334out:
1335 if (isec->sclass == SECCLASS_FILE)
1336 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1337 return rc;
1338}
1339
1340/* Convert a Linux signal to an access vector. */
1341static inline u32 signal_to_av(int sig)
1342{
1343 u32 perm = 0;
1344
1345 switch (sig) {
1346 case SIGCHLD:
1347 /* Commonly granted from child to parent. */
1348 perm = PROCESS__SIGCHLD;
1349 break;
1350 case SIGKILL:
1351 /* Cannot be caught or ignored */
1352 perm = PROCESS__SIGKILL;
1353 break;
1354 case SIGSTOP:
1355 /* Cannot be caught or ignored */
1356 perm = PROCESS__SIGSTOP;
1357 break;
1358 default:
1359 /* All other signals. */
1360 perm = PROCESS__SIGNAL;
1361 break;
1362 }
1363
1364 return perm;
1365}
1366
d84f4f99
DH		 1367/*
1368 * Check permission between a pair of credentials
1369 * fork check, ptrace check, etc.
1370 */
1371static int cred_has_perm(const struct cred *actor,
1372 const struct cred *target,
1373 u32 perms)
1374{
1375 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1376
1377 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1378}
1379
275bb41e 1380/*
88e67f3b 1381 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1382 * fork check, ptrace check, etc.
1383 * tsk1 is the actor and tsk2 is the target
3b11a1de 1384 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1385 */
1386static int task_has_perm(const struct task_struct *tsk1,
1387 const struct task_struct *tsk2,
1da177e4
LT		 1388 u32 perms)
1389{
275bb41e
DH		 1390 const struct task_security_struct *__tsec1, *__tsec2;
1391 u32 sid1, sid2;
1da177e4 1392
275bb41e
DH		 1393 rcu_read_lock();
1394 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1395 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1396 rcu_read_unlock();
1397 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1398}
1399
3b11a1de
DH		 1400/*
1401 * Check permission between current and another task, e.g. signal checks,
1402 * fork check, ptrace check, etc.
1403 * current is the actor and tsk2 is the target
1404 * - this uses current's subjective creds
1405 */
1406static int current_has_perm(const struct task_struct *tsk,
1407 u32 perms)
1408{
1409 u32 sid, tsid;
1410
1411 sid = current_sid();
1412 tsid = task_sid(tsk);
1413 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1414}
1415
b68e418c
SS		 1416#if CAP_LAST_CAP > 63
1417#error Fix SELinux to handle capabilities > 63.
1418#endif
1419
1da177e4
LT		 1420/* Check whether a task is allowed to use a capability. */
1421static int task_has_capability(struct task_struct *tsk,
3699c53c 1422 const struct cred *cred,
06112163 1423 int cap, int audit)
1da177e4 1424{
2bf49690 1425 struct common_audit_data ad;
06112163 1426 struct av_decision avd;
b68e418c 1427 u16 sclass;
3699c53c 1428 u32 sid = cred_sid(cred);
b68e418c 1429 u32 av = CAP_TO_MASK(cap);
06112163 1430 int rc;
1da177e4 1431
2bf49690 1432 COMMON_AUDIT_DATA_INIT(&ad, CAP);
1da177e4
LT		 1433 ad.tsk = tsk;
1434 ad.u.cap = cap;
1435
b68e418c
SS		 1436 switch (CAP_TO_INDEX(cap)) {
1437 case 0:
1438 sclass = SECCLASS_CAPABILITY;
1439 break;
1440 case 1:
1441 sclass = SECCLASS_CAPABILITY2;
1442 break;
1443 default:
1444 printk(KERN_ERR
1445 "SELinux: out of range capability %d\n", cap);
1446 BUG();
a35c6c83 1447 return -EINVAL;
b68e418c 1448 }
06112163 1449
275bb41e 1450 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4
EP		 1451 if (audit == SECURITY_CAP_AUDIT) {
1452 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1453 if (rc2)
1454 return rc2;
1455 }
06112163 1456 return rc;
1da177e4
LT		 1457}
1458
1459/* Check whether a task is allowed to use a system operation. */
1460static int task_has_system(struct task_struct *tsk,
1461 u32 perms)
1462{
275bb41e 1463 u32 sid = task_sid(tsk);
1da177e4 1464
275bb41e 1465 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1466 SECCLASS_SYSTEM, perms, NULL);
1467}
1468
1469/* Check whether a task has a particular permission to an inode.
1470 The 'adp' parameter is optional and allows other audit
1471 data to be passed (e.g. the dentry). */
88e67f3b 1472static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1473 struct inode *inode,
1474 u32 perms,
9ade0cf4
EP		 1475 struct common_audit_data *adp,
1476 unsigned flags)
1da177e4 1477{
1da177e4 1478 struct inode_security_struct *isec;
275bb41e 1479 u32 sid;
1da177e4 1480
e0e81739
DH		 1481 validate_creds(cred);
1482
828dfe1d 1483 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1484 return 0;
1485
88e67f3b 1486 sid = cred_sid(cred);
1da177e4
LT		 1487 isec = inode->i_security;
1488
9ade0cf4 1489 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1da177e4
LT		 1490}
1491
95f4efb2
LT		 1492static int inode_has_perm_noadp(const struct cred *cred,
1493 struct inode *inode,
1494 u32 perms,
1495 unsigned flags)
1496{
1497 struct common_audit_data ad;
1498
1499 COMMON_AUDIT_DATA_INIT(&ad, INODE);
1500 ad.u.inode = inode;
1501 return inode_has_perm(cred, inode, perms, &ad, flags);
1502}
1503
1da177e4
LT		 1504/* Same as inode_has_perm, but pass explicit audit data containing
1505 the dentry to help the auditing code to more easily generate the
1506 pathname if needed. */
88e67f3b 1507static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1508 struct dentry *dentry,
1509 u32 av)
1510{
1511 struct inode *inode = dentry->d_inode;
2bf49690 1512 struct common_audit_data ad;
88e67f3b 1513
2875fa00
EP		 1514 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1515 ad.u.dentry = dentry;
1516 return inode_has_perm(cred, inode, av, &ad, 0);
1517}
1518
1519/* Same as inode_has_perm, but pass explicit audit data containing
1520 the path to help the auditing code to more easily generate the
1521 pathname if needed. */
1522static inline int path_has_perm(const struct cred *cred,
1523 struct path *path,
1524 u32 av)
1525{
1526 struct inode *inode = path->dentry->d_inode;
1527 struct common_audit_data ad;
1528
f48b7399 1529 COMMON_AUDIT_DATA_INIT(&ad, PATH);
2875fa00 1530 ad.u.path = *path;
9ade0cf4 1531 return inode_has_perm(cred, inode, av, &ad, 0);
1da177e4
LT		 1532}
1533
1534/* Check whether a task can use an open file descriptor to
1535 access an inode in a given way. Check access to the
1536 descriptor itself, and then use dentry_has_perm to
1537 check a particular permission to the file.
1538 Access to the descriptor is implicitly granted if it
1539 has the same SID as the process. If av is zero, then
1540 access to the file is not checked, e.g. for cases
1541 where only the descriptor is affected like seek. */
88e67f3b
DH		 1542static int file_has_perm(const struct cred *cred,
1543 struct file *file,
1544 u32 av)
1da177e4 1545{
1da177e4 1546 struct file_security_struct *fsec = file->f_security;
44707fdf 1547 struct inode *inode = file->f_path.dentry->d_inode;
2bf49690 1548 struct common_audit_data ad;
88e67f3b 1549 u32 sid = cred_sid(cred);
1da177e4
LT		 1550 int rc;
1551
f48b7399
EP		 1552 COMMON_AUDIT_DATA_INIT(&ad, PATH);
1553 ad.u.path = file->f_path;
1da177e4 1554
275bb41e
DH		 1555 if (sid != fsec->sid) {
1556 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1557 SECCLASS_FD,
1558 FD__USE,
1559 &ad);
1560 if (rc)
88e67f3b 1561 goto out;
1da177e4
LT		 1562 }
1563
1564 /* av is zero if only checking access to the descriptor. */
88e67f3b 1565 rc = 0;
1da177e4 1566 if (av)
9ade0cf4 1567 rc = inode_has_perm(cred, inode, av, &ad, 0);
1da177e4 1568
88e67f3b
DH		 1569out:
1570 return rc;
1da177e4
LT		 1571}
1572
1573/* Check whether a task can create a file. */
1574static int may_create(struct inode *dir,
1575 struct dentry *dentry,
1576 u16 tclass)
1577{
5fb49870 1578 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1579 struct inode_security_struct *dsec;
1580 struct superblock_security_struct *sbsec;
275bb41e 1581 u32 sid, newsid;
2bf49690 1582 struct common_audit_data ad;
1da177e4
LT		 1583 int rc;
1584
1da177e4
LT		 1585 dsec = dir->i_security;
1586 sbsec = dir->i_sb->s_security;
1587
275bb41e
DH		 1588 sid = tsec->sid;
1589 newsid = tsec->create_sid;
1590
a269434d
EP		 1591 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1592 ad.u.dentry = dentry;
1da177e4 1593
275bb41e 1594 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1595 DIR__ADD_NAME | DIR__SEARCH,
1596 &ad);
1597 if (rc)
1598 return rc;
1599
cd89596f 1600 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
cb1e922f
EP		 1601 rc = security_transition_sid(sid, dsec->sid, tclass,
1602 &dentry->d_name, &newsid);
1da177e4
LT		 1603 if (rc)
1604 return rc;
1605 }
1606
275bb41e 1607 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1608 if (rc)
1609 return rc;
1610
1611 return avc_has_perm(newsid, sbsec->sid,
1612 SECCLASS_FILESYSTEM,
1613 FILESYSTEM__ASSOCIATE, &ad);
1614}
1615
4eb582cf
ML		 1616/* Check whether a task can create a key. */
1617static int may_create_key(u32 ksid,
1618 struct task_struct *ctx)
1619{
275bb41e 1620 u32 sid = task_sid(ctx);
4eb582cf 1621
275bb41e 1622 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1623}
1624
828dfe1d
EP		 1625#define MAY_LINK 0
1626#define MAY_UNLINK 1
1627#define MAY_RMDIR 2
1da177e4
LT		 1628
1629/* Check whether a task can link, unlink, or rmdir a file/directory. */
1630static int may_link(struct inode *dir,
1631 struct dentry *dentry,
1632 int kind)
1633
1634{
1da177e4 1635 struct inode_security_struct *dsec, *isec;
2bf49690 1636 struct common_audit_data ad;
275bb41e 1637 u32 sid = current_sid();
1da177e4
LT		 1638 u32 av;
1639 int rc;
1640
1da177e4
LT		 1641 dsec = dir->i_security;
1642 isec = dentry->d_inode->i_security;
1643
a269434d
EP		 1644 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1645 ad.u.dentry = dentry;
1da177e4
LT		 1646
1647 av = DIR__SEARCH;
1648 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1649 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1650 if (rc)
1651 return rc;
1652
1653 switch (kind) {
1654 case MAY_LINK:
1655 av = FILE__LINK;
1656 break;
1657 case MAY_UNLINK:
1658 av = FILE__UNLINK;
1659 break;
1660 case MAY_RMDIR:
1661 av = DIR__RMDIR;
1662 break;
1663 default:
744ba35e
EP		 1664 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1665 __func__, kind);
1da177e4
LT		 1666 return 0;
1667 }
1668
275bb41e 1669 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1670 return rc;
1671}
1672
1673static inline int may_rename(struct inode *old_dir,
1674 struct dentry *old_dentry,
1675 struct inode *new_dir,
1676 struct dentry *new_dentry)
1677{
1da177e4 1678 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1679 struct common_audit_data ad;
275bb41e 1680 u32 sid = current_sid();
1da177e4
LT		 1681 u32 av;
1682 int old_is_dir, new_is_dir;
1683 int rc;
1684
1da177e4
LT		 1685 old_dsec = old_dir->i_security;
1686 old_isec = old_dentry->d_inode->i_security;
1687 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1688 new_dsec = new_dir->i_security;
1689
a269434d 1690 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1da177e4 1691
a269434d 1692 ad.u.dentry = old_dentry;
275bb41e 1693 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1694 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1695 if (rc)
1696 return rc;
275bb41e 1697 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1698 old_isec->sclass, FILE__RENAME, &ad);
1699 if (rc)
1700 return rc;
1701 if (old_is_dir && new_dir != old_dir) {
275bb41e 1702 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1703 old_isec->sclass, DIR__REPARENT, &ad);
1704 if (rc)
1705 return rc;
1706 }
1707
a269434d 1708 ad.u.dentry = new_dentry;
1da177e4
LT		 1709 av = DIR__ADD_NAME | DIR__SEARCH;
1710 if (new_dentry->d_inode)
1711 av |= DIR__REMOVE_NAME;
275bb41e 1712 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1713 if (rc)
1714 return rc;
1715 if (new_dentry->d_inode) {
1716 new_isec = new_dentry->d_inode->i_security;
1717 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
275bb41e 1718 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1719 new_isec->sclass,
1720 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1721 if (rc)
1722 return rc;
1723 }
1724
1725 return 0;
1726}
1727
1728/* Check whether a task can perform a filesystem operation. */
88e67f3b 1729static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1730 struct super_block *sb,
1731 u32 perms,
2bf49690 1732 struct common_audit_data *ad)
1da177e4 1733{
1da177e4 1734 struct superblock_security_struct *sbsec;
88e67f3b 1735 u32 sid = cred_sid(cred);
1da177e4 1736
1da177e4 1737 sbsec = sb->s_security;
275bb41e 1738 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1739}
1740
1741/* Convert a Linux mode and permission mask to an access vector. */
1742static inline u32 file_mask_to_av(int mode, int mask)
1743{
1744 u32 av = 0;
1745
1746 if ((mode & S_IFMT) != S_IFDIR) {
1747 if (mask & MAY_EXEC)
1748 av |= FILE__EXECUTE;
1749 if (mask & MAY_READ)
1750 av |= FILE__READ;
1751
1752 if (mask & MAY_APPEND)
1753 av |= FILE__APPEND;
1754 else if (mask & MAY_WRITE)
1755 av |= FILE__WRITE;
1756
1757 } else {
1758 if (mask & MAY_EXEC)
1759 av |= DIR__SEARCH;
1760 if (mask & MAY_WRITE)
1761 av |= DIR__WRITE;
1762 if (mask & MAY_READ)
1763 av |= DIR__READ;
1764 }
1765
1766 return av;
1767}
1768
8b6a5a37
EP		 1769/* Convert a Linux file to an access vector. */
1770static inline u32 file_to_av(struct file *file)
1771{
1772 u32 av = 0;
1773
1774 if (file->f_mode & FMODE_READ)
1775 av |= FILE__READ;
1776 if (file->f_mode & FMODE_WRITE) {
1777 if (file->f_flags & O_APPEND)
1778 av |= FILE__APPEND;
1779 else
1780 av |= FILE__WRITE;
1781 }
1782 if (!av) {
1783 /*
1784 * Special file opened with flags 3 for ioctl-only use.
1785 */
1786 av = FILE__IOCTL;
1787 }
1788
1789 return av;
1790}
1791
b0c636b9 1792/*
8b6a5a37 1793 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 1794 * open permission.
1795 */
8b6a5a37 1796static inline u32 open_file_to_av(struct file *file)
b0c636b9 1797{
8b6a5a37 1798 u32 av = file_to_av(file);
b0c636b9 1799
49b7b8de
EP		 1800 if (selinux_policycap_openperm)
1801 av |= FILE__OPEN;
1802
b0c636b9
EP		 1803 return av;
1804}
1805
1da177e4
LT		 1806/* Hook functions begin here. */
1807
9e48858f 1808static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 1809 unsigned int mode)
1da177e4 1810{
1da177e4
LT		 1811 int rc;
1812
9e48858f 1813 rc = cap_ptrace_access_check(child, mode);
1da177e4
LT		 1814 if (rc)
1815 return rc;
1816
006ebb40 1817 if (mode == PTRACE_MODE_READ) {
275bb41e
DH		 1818 u32 sid = current_sid();
1819 u32 csid = task_sid(child);
1820 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 1821 }
1822
3b11a1de 1823 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 1824}
1825
1826static int selinux_ptrace_traceme(struct task_struct *parent)
1827{
1828 int rc;
1829
200ac532 1830 rc = cap_ptrace_traceme(parent);
5cd9c58f
DH		 1831 if (rc)
1832 return rc;
1833
1834 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 1835}
1836
1837static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 1838 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4
LT		 1839{
1840 int error;
1841
3b11a1de 1842 error = current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 1843 if (error)
1844 return error;
1845
200ac532 1846 return cap_capget(target, effective, inheritable, permitted);
1da177e4
LT		 1847}
1848
d84f4f99
DH		 1849static int selinux_capset(struct cred *new, const struct cred *old,
1850 const kernel_cap_t *effective,
1851 const kernel_cap_t *inheritable,
1852 const kernel_cap_t *permitted)
1da177e4
LT		 1853{
1854 int error;
1855
200ac532 1856 error = cap_capset(new, old,
d84f4f99 1857 effective, inheritable, permitted);
1da177e4
LT		 1858 if (error)
1859 return error;
1860
d84f4f99 1861 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 1862}
1863
5626d3e8
JM		 1864/*
1865 * (This comment used to live with the selinux_task_setuid hook,
1866 * which was removed).
1867 *
1868 * Since setuid only affects the current process, and since the SELinux
1869 * controls are not based on the Linux identity attributes, SELinux does not
1870 * need to control this operation. However, SELinux does control the use of
1871 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1872 */
1873
3699c53c 1874static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
3486740a 1875 struct user_namespace *ns, int cap, int audit)
1da177e4
LT		 1876{
1877 int rc;
1878
3486740a 1879 rc = cap_capable(tsk, cred, ns, cap, audit);
1da177e4
LT		 1880 if (rc)
1881 return rc;
1882
3699c53c 1883 return task_has_capability(tsk, cred, cap, audit);
1da177e4
LT		 1884}
1885
1da177e4
LT		 1886static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1887{
88e67f3b 1888 const struct cred *cred = current_cred();
1da177e4
LT		 1889 int rc = 0;
1890
1891 if (!sb)
1892 return 0;
1893
1894 switch (cmds) {
828dfe1d
EP		 1895 case Q_SYNC:
1896 case Q_QUOTAON:
1897 case Q_QUOTAOFF:
1898 case Q_SETINFO:
1899 case Q_SETQUOTA:
88e67f3b 1900 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 1901 break;
1902 case Q_GETFMT:
1903 case Q_GETINFO:
1904 case Q_GETQUOTA:
88e67f3b 1905 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 1906 break;
1907 default:
1908 rc = 0; /* let the kernel handle invalid cmds */
1909 break;
1da177e4
LT		 1910 }
1911 return rc;
1912}
1913
1914static int selinux_quota_on(struct dentry *dentry)
1915{
88e67f3b
DH		 1916 const struct cred *cred = current_cred();
1917
2875fa00 1918 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 1919}
1920
12b3052c 1921static int selinux_syslog(int type)
1da177e4
LT		 1922{
1923 int rc;
1924
1da177e4 1925 switch (type) {
d78ca3cd
KC		 1926 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
1927 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
828dfe1d
EP		 1928 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1929 break;
d78ca3cd
KC		 1930 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1931 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
1932 /* Set level of messages printed to console */
1933 case SYSLOG_ACTION_CONSOLE_LEVEL:
828dfe1d
EP		 1934 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1935 break;
d78ca3cd
KC		 1936 case SYSLOG_ACTION_CLOSE: /* Close log */
1937 case SYSLOG_ACTION_OPEN: /* Open log */
1938 case SYSLOG_ACTION_READ: /* Read from log */
1939 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
1940 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
828dfe1d
EP		 1941 default:
1942 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1943 break;
1da177e4
LT		 1944 }
1945 return rc;
1946}
1947
1948/*
1949 * Check that a process has enough memory to allocate a new virtual
1950 * mapping. 0 means there is enough memory for the allocation to
1951 * succeed and -ENOMEM implies there is not.
1952 *
1da177e4
LT		 1953 * Do not audit the selinux permission check, as this is applied to all
1954 * processes that allocate mappings.
1955 */
34b4e4aa 1956static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 1957{
1958 int rc, cap_sys_admin = 0;
1da177e4 1959
3486740a
SH		 1960 rc = selinux_capable(current, current_cred(),
1961 &init_user_ns, CAP_SYS_ADMIN,
3699c53c 1962 SECURITY_CAP_NOAUDIT);
1da177e4
LT		 1963 if (rc == 0)
1964 cap_sys_admin = 1;
1965
34b4e4aa 1966 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 1967}
1968
1969/* binprm security operations */
1970
a6f76f23 1971static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 1972{
a6f76f23
DH		 1973 const struct task_security_struct *old_tsec;
1974 struct task_security_struct *new_tsec;
1da177e4 1975 struct inode_security_struct *isec;
2bf49690 1976 struct common_audit_data ad;
a6f76f23 1977 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1da177e4
LT		 1978 int rc;
1979
200ac532 1980 rc = cap_bprm_set_creds(bprm);
1da177e4
LT		 1981 if (rc)
1982 return rc;
1983
a6f76f23
DH		 1984 /* SELinux context only depends on initial program or script and not
1985 * the script interpreter */
1986 if (bprm->cred_prepared)
1da177e4
LT		 1987 return 0;
1988
a6f76f23
DH		 1989 old_tsec = current_security();
1990 new_tsec = bprm->cred->security;
1da177e4
LT		 1991 isec = inode->i_security;
1992
1993 /* Default to the current task SID. */
a6f76f23
DH		 1994 new_tsec->sid = old_tsec->sid;
1995 new_tsec->osid = old_tsec->sid;
1da177e4 1996
28eba5bf 1997 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 1998 new_tsec->create_sid = 0;
1999 new_tsec->keycreate_sid = 0;
2000 new_tsec->sockcreate_sid = 0;
1da177e4 2001
a6f76f23
DH		 2002 if (old_tsec->exec_sid) {
2003 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2004 /* Reset exec SID on execve. */
a6f76f23 2005 new_tsec->exec_sid = 0;
1da177e4
LT		 2006 } else {
2007 /* Check for a default transition on this program. */
a6f76f23 2008 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2009 SECCLASS_PROCESS, NULL,
2010 &new_tsec->sid);
1da177e4
LT		 2011 if (rc)
2012 return rc;
2013 }
2014
f48b7399
EP		 2015 COMMON_AUDIT_DATA_INIT(&ad, PATH);
2016 ad.u.path = bprm->file->f_path;
1da177e4 2017
3d5ff529 2018 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
a6f76f23 2019 new_tsec->sid = old_tsec->sid;
1da177e4 2020
a6f76f23
DH		 2021 if (new_tsec->sid == old_tsec->sid) {
2022 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2023 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2024 if (rc)
2025 return rc;
2026 } else {
2027 /* Check permissions for the transition. */
a6f76f23 2028 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2029 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2030 if (rc)
2031 return rc;
2032
a6f76f23 2033 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2034 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2035 if (rc)
2036 return rc;
2037
a6f76f23
DH		 2038 /* Check for shared state */
2039 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2040 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2041 SECCLASS_PROCESS, PROCESS__SHARE,
2042 NULL);
2043 if (rc)
2044 return -EPERM;
2045 }
2046
2047 /* Make sure that anyone attempting to ptrace over a task that
2048 * changes its SID has the appropriate permit */
2049 if (bprm->unsafe &
2050 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2051 struct task_struct *tracer;
2052 struct task_security_struct *sec;
2053 u32 ptsid = 0;
2054
2055 rcu_read_lock();
2056 tracer = tracehook_tracer_task(current);
2057 if (likely(tracer != NULL)) {
2058 sec = __task_cred(tracer)->security;
2059 ptsid = sec->sid;
2060 }
2061 rcu_read_unlock();
2062
2063 if (ptsid != 0) {
2064 rc = avc_has_perm(ptsid, new_tsec->sid,
2065 SECCLASS_PROCESS,
2066 PROCESS__PTRACE, NULL);
2067 if (rc)
2068 return -EPERM;
2069 }
2070 }
1da177e4 2071
a6f76f23
DH		 2072 /* Clear any possibly unsafe personality bits on exec: */
2073 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2074 }
2075
1da177e4
LT		 2076 return 0;
2077}
2078
828dfe1d 2079static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2080{
5fb49870 2081 const struct task_security_struct *tsec = current_security();
275bb41e 2082 u32 sid, osid;
1da177e4
LT		 2083 int atsecure = 0;
2084
275bb41e
DH		 2085 sid = tsec->sid;
2086 osid = tsec->osid;
2087
2088 if (osid != sid) {
1da177e4
LT		 2089 /* Enable secure mode for SIDs transitions unless
2090 the noatsecure permission is granted between
2091 the two SIDs, i.e. ahp returns 0. */
275bb41e 2092 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2093 SECCLASS_PROCESS,
2094 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2095 }
2096
200ac532 2097 return (atsecure || cap_bprm_secureexec(bprm));
1da177e4
LT		 2098}
2099
1da177e4
LT		 2100extern struct vfsmount *selinuxfs_mount;
2101extern struct dentry *selinux_null;
2102
2103/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2104static inline void flush_unauthorized_files(const struct cred *cred,
2105 struct files_struct *files)
1da177e4 2106{
2bf49690 2107 struct common_audit_data ad;
1da177e4 2108 struct file *file, *devnull = NULL;
b20c8122 2109 struct tty_struct *tty;
badf1662 2110 struct fdtable *fdt;
1da177e4 2111 long j = -1;
24ec839c 2112 int drop_tty = 0;
1da177e4 2113
24ec839c 2114 tty = get_current_tty();
1da177e4 2115 if (tty) {
ee2ffa0d 2116 spin_lock(&tty_files_lock);
37dd0bd0 2117 if (!list_empty(&tty->tty_files)) {
d996b62a 2118 struct tty_file_private *file_priv;
37dd0bd0
EP		 2119 struct inode *inode;
2120
1da177e4
LT		 2121 /* Revalidate access to controlling tty.
2122 Use inode_has_perm on the tty inode directly rather
2123 than using file_has_perm, as this particular open
2124 file may belong to another process and we are only
2125 interested in the inode-based check here. */
d996b62a
NP		 2126 file_priv = list_first_entry(&tty->tty_files,
2127 struct tty_file_private, list);
2128 file = file_priv->file;
37dd0bd0 2129 inode = file->f_path.dentry->d_inode;
95f4efb2
LT		 2130 if (inode_has_perm_noadp(cred, inode,
2131 FILE__READ | FILE__WRITE, 0)) {
24ec839c 2132 drop_tty = 1;
1da177e4
LT		 2133 }
2134 }
ee2ffa0d 2135 spin_unlock(&tty_files_lock);
452a00d2 2136 tty_kref_put(tty);
1da177e4 2137 }
98a27ba4
EB		 2138 /* Reset controlling tty. */
2139 if (drop_tty)
2140 no_tty();
1da177e4
LT		 2141
2142 /* Revalidate access to inherited open files. */
2143
f48b7399 2144 COMMON_AUDIT_DATA_INIT(&ad, INODE);
1da177e4
LT		 2145
2146 spin_lock(&files->file_lock);
2147 for (;;) {
2148 unsigned long set, i;
2149 int fd;
2150
2151 j++;
2152 i = j * __NFDBITS;
badf1662 2153 fdt = files_fdtable(files);
bbea9f69 2154 if (i >= fdt->max_fds)
1da177e4 2155 break;
badf1662 2156 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 2157 if (!set)
2158 continue;
2159 spin_unlock(&files->file_lock);
828dfe1d 2160 for ( ; set ; i++, set >>= 1) {
1da177e4
LT		 2161 if (set & 1) {
2162 file = fget(i);
2163 if (!file)
2164 continue;
88e67f3b 2165 if (file_has_perm(cred,
1da177e4
LT		 2166 file,
2167 file_to_av(file))) {
2168 sys_close(i);
2169 fd = get_unused_fd();
2170 if (fd != i) {
2171 if (fd >= 0)
2172 put_unused_fd(fd);
2173 fput(file);
2174 continue;
2175 }
2176 if (devnull) {
095975da 2177 get_file(devnull);
1da177e4 2178 } else {
745ca247
DH		 2179 devnull = dentry_open(
2180 dget(selinux_null),
2181 mntget(selinuxfs_mount),
2182 O_RDWR, cred);
fc5d81e6
AM		 2183 if (IS_ERR(devnull)) {
2184 devnull = NULL;
1da177e4
LT		 2185 put_unused_fd(fd);
2186 fput(file);
2187 continue;
2188 }
2189 }
2190 fd_install(fd, devnull);
2191 }
2192 fput(file);
2193 }
2194 }
2195 spin_lock(&files->file_lock);
2196
2197 }
2198 spin_unlock(&files->file_lock);
2199}
2200
a6f76f23
DH		 2201/*
2202 * Prepare a process for imminent new credential changes due to exec
2203 */
2204static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2205{
a6f76f23
DH		 2206 struct task_security_struct *new_tsec;
2207 struct rlimit *rlim, *initrlim;
2208 int rc, i;
d84f4f99 2209
a6f76f23
DH		 2210 new_tsec = bprm->cred->security;
2211 if (new_tsec->sid == new_tsec->osid)
2212 return;
1da177e4 2213
a6f76f23
DH		 2214 /* Close files for which the new task SID is not authorized. */
2215 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2216
a6f76f23
DH		 2217 /* Always clear parent death signal on SID transitions. */
2218 current->pdeath_signal = 0;
0356357c 2219
a6f76f23
DH		 2220 /* Check whether the new SID can inherit resource limits from the old
2221 * SID. If not, reset all soft limits to the lower of the current
2222 * task's hard limit and the init task's soft limit.
2223 *
2224 * Note that the setting of hard limits (even to lower them) can be
2225 * controlled by the setrlimit check. The inclusion of the init task's
2226 * soft limit into the computation is to avoid resetting soft limits
2227 * higher than the default soft limit for cases where the default is
2228 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2229 */
2230 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2231 PROCESS__RLIMITINH, NULL);
2232 if (rc) {
eb2d55a3
ON		 2233 /* protect against do_prlimit() */
2234 task_lock(current);
a6f76f23
DH		 2235 for (i = 0; i < RLIM_NLIMITS; i++) {
2236 rlim = current->signal->rlim + i;
2237 initrlim = init_task.signal->rlim + i;
2238 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2239 }
eb2d55a3
ON		 2240 task_unlock(current);
2241 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2242 }
2243}
2244
2245/*
a6f76f23
DH		 2246 * Clean up the process immediately after the installation of new credentials
2247 * due to exec
1da177e4 2248 */
a6f76f23 2249static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2250{
a6f76f23 2251 const struct task_security_struct *tsec = current_security();
1da177e4 2252 struct itimerval itimer;
a6f76f23 2253 u32 osid, sid;
1da177e4
LT		 2254 int rc, i;
2255
a6f76f23
DH		 2256 osid = tsec->osid;
2257 sid = tsec->sid;
2258
2259 if (sid == osid)
1da177e4
LT		 2260 return;
2261
a6f76f23
DH		 2262 /* Check whether the new SID can inherit signal state from the old SID.
2263 * If not, clear itimers to avoid subsequent signal generation and
2264 * flush and unblock signals.
2265 *
2266 * This must occur _after_ the task SID has been updated so that any
2267 * kill done after the flush will be checked against the new SID.
2268 */
2269 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4
LT		 2270 if (rc) {
2271 memset(&itimer, 0, sizeof itimer);
2272 for (i = 0; i < 3; i++)
2273 do_setitimer(i, &itimer, NULL);
1da177e4 2274 spin_lock_irq(&current->sighand->siglock);
3bcac026
DH		 2275 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2276 __flush_signals(current);
2277 flush_signal_handlers(current, 1);
2278 sigemptyset(&current->blocked);
2279 }
1da177e4
LT		 2280 spin_unlock_irq(&current->sighand->siglock);
2281 }
2282
a6f76f23
DH		 2283 /* Wake up the parent if it is waiting so that it can recheck
2284 * wait permission to the new task SID. */
ecd6de3c 2285 read_lock(&tasklist_lock);
0b7570e7 2286 __wake_up_parent(current, current->real_parent);
ecd6de3c 2287 read_unlock(&tasklist_lock);
1da177e4
LT		 2288}
2289
2290/* superblock security operations */
2291
2292static int selinux_sb_alloc_security(struct super_block *sb)
2293{
2294 return superblock_alloc_security(sb);
2295}
2296
2297static void selinux_sb_free_security(struct super_block *sb)
2298{
2299 superblock_free_security(sb);
2300}
2301
2302static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2303{
2304 if (plen > olen)
2305 return 0;
2306
2307 return !memcmp(prefix, option, plen);
2308}
2309
2310static inline int selinux_option(char *option, int len)
2311{
832cbd9a
EP		 2312 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2313 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2314 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2315 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2316 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2317}
2318
2319static inline void take_option(char **to, char *from, int *first, int len)
2320{
2321 if (!*first) {
2322 **to = ',';
2323 *to += 1;
3528a953 2324 } else
1da177e4
LT		 2325 *first = 0;
2326 memcpy(*to, from, len);
2327 *to += len;
2328}
2329
828dfe1d
EP		 2330static inline void take_selinux_option(char **to, char *from, int *first,
2331 int len)
3528a953
CO		 2332{
2333 int current_size = 0;
2334
2335 if (!*first) {
2336 **to = '|';
2337 *to += 1;
828dfe1d 2338 } else
3528a953
CO		 2339 *first = 0;
2340
2341 while (current_size < len) {
2342 if (*from != '"') {
2343 **to = *from;
2344 *to += 1;
2345 }
2346 from += 1;
2347 current_size += 1;
2348 }
2349}
2350
e0007529 2351static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2352{
2353 int fnosec, fsec, rc = 0;
2354 char *in_save, *in_curr, *in_end;
2355 char *sec_curr, *nosec_save, *nosec;
3528a953 2356 int open_quote = 0;
1da177e4
LT		 2357
2358 in_curr = orig;
2359 sec_curr = copy;
2360
1da177e4
LT		 2361 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2362 if (!nosec) {
2363 rc = -ENOMEM;
2364 goto out;
2365 }
2366
2367 nosec_save = nosec;
2368 fnosec = fsec = 1;
2369 in_save = in_end = orig;
2370
2371 do {
3528a953
CO		 2372 if (*in_end == '"')
2373 open_quote = !open_quote;
2374 if ((*in_end == ',' && open_quote == 0) ||
2375 *in_end == '\0') {
1da177e4
LT		 2376 int len = in_end - in_curr;
2377
2378 if (selinux_option(in_curr, len))
3528a953 2379 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2380 else
2381 take_option(&nosec, in_curr, &fnosec, len);
2382
2383 in_curr = in_end + 1;
2384 }
2385 } while (*in_end++);
2386
6931dfc9 2387 strcpy(in_save, nosec_save);
da3caa20 2388 free_page((unsigned long)nosec_save);
1da177e4
LT		 2389out:
2390 return rc;
2391}
2392
026eb167
EP		 2393static int selinux_sb_remount(struct super_block *sb, void *data)
2394{
2395 int rc, i, *flags;
2396 struct security_mnt_opts opts;
2397 char *secdata, **mount_options;
2398 struct superblock_security_struct *sbsec = sb->s_security;
2399
2400 if (!(sbsec->flags & SE_SBINITIALIZED))
2401 return 0;
2402
2403 if (!data)
2404 return 0;
2405
2406 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2407 return 0;
2408
2409 security_init_mnt_opts(&opts);
2410 secdata = alloc_secdata();
2411 if (!secdata)
2412 return -ENOMEM;
2413 rc = selinux_sb_copy_data(data, secdata);
2414 if (rc)
2415 goto out_free_secdata;
2416
2417 rc = selinux_parse_opts_str(secdata, &opts);
2418 if (rc)
2419 goto out_free_secdata;
2420
2421 mount_options = opts.mnt_opts;
2422 flags = opts.mnt_opts_flags;
2423
2424 for (i = 0; i < opts.num_mnt_opts; i++) {
2425 u32 sid;
2426 size_t len;
2427
2428 if (flags[i] == SE_SBLABELSUPP)
2429 continue;
2430 len = strlen(mount_options[i]);
2431 rc = security_context_to_sid(mount_options[i], len, &sid);
2432 if (rc) {
2433 printk(KERN_WARNING "SELinux: security_context_to_sid"
2434 "(%s) failed for (dev %s, type %s) errno=%d\n",
2435 mount_options[i], sb->s_id, sb->s_type->name, rc);
2436 goto out_free_opts;
2437 }
2438 rc = -EINVAL;
2439 switch (flags[i]) {
2440 case FSCONTEXT_MNT:
2441 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2442 goto out_bad_option;
2443 break;
2444 case CONTEXT_MNT:
2445 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2446 goto out_bad_option;
2447 break;
2448 case ROOTCONTEXT_MNT: {
2449 struct inode_security_struct *root_isec;
2450 root_isec = sb->s_root->d_inode->i_security;
2451
2452 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2453 goto out_bad_option;
2454 break;
2455 }
2456 case DEFCONTEXT_MNT:
2457 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2458 goto out_bad_option;
2459 break;
2460 default:
2461 goto out_free_opts;
2462 }
2463 }
2464
2465 rc = 0;
2466out_free_opts:
2467 security_free_mnt_opts(&opts);
2468out_free_secdata:
2469 free_secdata(secdata);
2470 return rc;
2471out_bad_option:
2472 printk(KERN_WARNING "SELinux: unable to change security options "
2473 "during remount (dev %s, type=%s)\n", sb->s_id,
2474 sb->s_type->name);
2475 goto out_free_opts;
2476}
2477
12204e24 2478static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2479{
88e67f3b 2480 const struct cred *cred = current_cred();
2bf49690 2481 struct common_audit_data ad;
1da177e4
LT		 2482 int rc;
2483
2484 rc = superblock_doinit(sb, data);
2485 if (rc)
2486 return rc;
2487
74192246
JM		 2488 /* Allow all mounts performed by the kernel */
2489 if (flags & MS_KERNMOUNT)
2490 return 0;
2491
a269434d
EP		 2492 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2493 ad.u.dentry = sb->s_root;
88e67f3b 2494 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2495}
2496
726c3342 2497static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2498{
88e67f3b 2499 const struct cred *cred = current_cred();
2bf49690 2500 struct common_audit_data ad;
1da177e4 2501
a269434d
EP		 2502 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2503 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2504 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2505}
2506
828dfe1d 2507static int selinux_mount(char *dev_name,
b5266eb4 2508 struct path *path,
828dfe1d
EP		 2509 char *type,
2510 unsigned long flags,
2511 void *data)
1da177e4 2512{
88e67f3b 2513 const struct cred *cred = current_cred();
1da177e4
LT		 2514
2515 if (flags & MS_REMOUNT)
88e67f3b 2516 return superblock_has_perm(cred, path->mnt->mnt_sb,
828dfe1d 2517 FILESYSTEM__REMOUNT, NULL);
1da177e4 2518 else
2875fa00 2519 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2520}
2521
2522static int selinux_umount(struct vfsmount *mnt, int flags)
2523{
88e67f3b 2524 const struct cred *cred = current_cred();
1da177e4 2525
88e67f3b 2526 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2527 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2528}
2529
2530/* inode security operations */
2531
2532static int selinux_inode_alloc_security(struct inode *inode)
2533{
2534 return inode_alloc_security(inode);
2535}
2536
2537static void selinux_inode_free_security(struct inode *inode)
2538{
2539 inode_free_security(inode);
2540}
2541
5e41ff9e 2542static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2a7dba39
EP		 2543 const struct qstr *qstr, char **name,
2544 void **value, size_t *len)
5e41ff9e 2545{
5fb49870 2546 const struct task_security_struct *tsec = current_security();
5e41ff9e
SS		 2547 struct inode_security_struct *dsec;
2548 struct superblock_security_struct *sbsec;
275bb41e 2549 u32 sid, newsid, clen;
5e41ff9e 2550 int rc;
570bc1c2 2551 char *namep = NULL, *context;
5e41ff9e 2552
5e41ff9e
SS		 2553 dsec = dir->i_security;
2554 sbsec = dir->i_sb->s_security;
5e41ff9e 2555
275bb41e
DH		 2556 sid = tsec->sid;
2557 newsid = tsec->create_sid;
2558
415103f9
EP		 2559 if ((sbsec->flags & SE_SBINITIALIZED) &&
2560 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2561 newsid = sbsec->mntpoint_sid;
2562 else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
275bb41e 2563 rc = security_transition_sid(sid, dsec->sid,
5e41ff9e 2564 inode_mode_to_security_class(inode->i_mode),
652bb9b0 2565 qstr, &newsid);
5e41ff9e
SS		 2566 if (rc) {
2567 printk(KERN_WARNING "%s: "
2568 "security_transition_sid failed, rc=%d (dev=%s "
2569 "ino=%ld)\n",
dd6f953a 2570 __func__,
5e41ff9e
SS		 2571 -rc, inode->i_sb->s_id, inode->i_ino);
2572 return rc;
2573 }
2574 }
2575
296fddf7 2576 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2577 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2578 struct inode_security_struct *isec = inode->i_security;
2579 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2580 isec->sid = newsid;
2581 isec->initialized = 1;
2582 }
5e41ff9e 2583
cd89596f 2584 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
25a74f3b
SS		 2585 return -EOPNOTSUPP;
2586
570bc1c2 2587 if (name) {
a02fe132 2588 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
570bc1c2
SS		 2589 if (!namep)
2590 return -ENOMEM;
2591 *name = namep;
2592 }
5e41ff9e 2593
570bc1c2 2594 if (value && len) {
12b29f34 2595 rc = security_sid_to_context_force(newsid, &context, &clen);
570bc1c2
SS		 2596 if (rc) {
2597 kfree(namep);
2598 return rc;
2599 }
2600 *value = context;
2601 *len = clen;
5e41ff9e 2602 }
5e41ff9e 2603
5e41ff9e
SS		 2604 return 0;
2605}
2606
1da177e4
LT		 2607static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2608{
2609 return may_create(dir, dentry, SECCLASS_FILE);
2610}
2611
1da177e4
LT		 2612static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2613{
1da177e4
LT		 2614 return may_link(dir, old_dentry, MAY_LINK);
2615}
2616
1da177e4
LT		 2617static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2618{
1da177e4
LT		 2619 return may_link(dir, dentry, MAY_UNLINK);
2620}
2621
2622static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2623{
2624 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2625}
2626
1da177e4
LT		 2627static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2628{
2629 return may_create(dir, dentry, SECCLASS_DIR);
2630}
2631
1da177e4
LT		 2632static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2633{
2634 return may_link(dir, dentry, MAY_RMDIR);
2635}
2636
2637static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2638{
1da177e4
LT		 2639 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2640}
2641
1da177e4 2642static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2643 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2644{
2645 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2646}
2647
1da177e4
LT		 2648static int selinux_inode_readlink(struct dentry *dentry)
2649{
88e67f3b
DH		 2650 const struct cred *cred = current_cred();
2651
2875fa00 2652 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2653}
2654
2655static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2656{
88e67f3b 2657 const struct cred *cred = current_cred();
1da177e4 2658
2875fa00 2659 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2660}
2661
e74f71eb 2662static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2663{
88e67f3b 2664 const struct cred *cred = current_cred();
b782e0a6
EP		 2665 struct common_audit_data ad;
2666 u32 perms;
2667 bool from_access;
e74f71eb 2668 unsigned __flags = mask & MAY_NOT_BLOCK ? IPERM_FLAG_RCU : 0;
1da177e4 2669
b782e0a6 2670 from_access = mask & MAY_ACCESS;
d09ca739
EP		 2671 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2672
b782e0a6
EP		 2673 /* No permission to check. Existence test. */
2674 if (!mask)
1da177e4 2675 return 0;
1da177e4 2676
f48b7399
EP		 2677 COMMON_AUDIT_DATA_INIT(&ad, INODE);
2678 ad.u.inode = inode;
b782e0a6
EP		 2679
2680 if (from_access)
2681 ad.selinux_audit_data.auditdeny |= FILE__AUDIT_ACCESS;
2682
2683 perms = file_mask_to_av(inode->i_mode, mask);
2684
e74f71eb 2685 return inode_has_perm(cred, inode, perms, &ad, __flags);
1da177e4
LT		 2686}
2687
2688static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2689{
88e67f3b 2690 const struct cred *cred = current_cred();
bc6a6008 2691 unsigned int ia_valid = iattr->ia_valid;
1da177e4 2692
bc6a6008
AW		 2693 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2694 if (ia_valid & ATTR_FORCE) {
2695 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2696 ATTR_FORCE);
2697 if (!ia_valid)
2698 return 0;
2699 }
1da177e4 2700
bc6a6008
AW		 2701 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2702 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 2703 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 2704
2875fa00 2705 return dentry_has_perm(cred, dentry, FILE__WRITE);
1da177e4
LT		 2706}
2707
2708static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2709{
88e67f3b 2710 const struct cred *cred = current_cred();
2875fa00
EP		 2711 struct path path;
2712
2713 path.dentry = dentry;
2714 path.mnt = mnt;
88e67f3b 2715
2875fa00 2716 return path_has_perm(cred, &path, FILE__GETATTR);
1da177e4
LT		 2717}
2718
8f0cfa52 2719static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 2720{
88e67f3b
DH		 2721 const struct cred *cred = current_cred();
2722
b5376771
SH		 2723 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2724 sizeof XATTR_SECURITY_PREFIX - 1)) {
2725 if (!strcmp(name, XATTR_NAME_CAPS)) {
2726 if (!capable(CAP_SETFCAP))
2727 return -EPERM;
2728 } else if (!capable(CAP_SYS_ADMIN)) {
2729 /* A different attribute in the security namespace.
2730 Restrict to administrator. */
2731 return -EPERM;
2732 }
2733 }
2734
2735 /* Not an attribute we recognize, so just check the
2736 ordinary setattr permission. */
2875fa00 2737 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 2738}
2739
8f0cfa52
DH		 2740static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2741 const void *value, size_t size, int flags)
1da177e4 2742{
1da177e4
LT		 2743 struct inode *inode = dentry->d_inode;
2744 struct inode_security_struct *isec = inode->i_security;
2745 struct superblock_security_struct *sbsec;
2bf49690 2746 struct common_audit_data ad;
275bb41e 2747 u32 newsid, sid = current_sid();
1da177e4
LT		 2748 int rc = 0;
2749
b5376771
SH		 2750 if (strcmp(name, XATTR_NAME_SELINUX))
2751 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2752
2753 sbsec = inode->i_sb->s_security;
cd89596f 2754 if (!(sbsec->flags & SE_SBLABELSUPP))
1da177e4
LT		 2755 return -EOPNOTSUPP;
2756
2e149670 2757 if (!inode_owner_or_capable(inode))
1da177e4
LT		 2758 return -EPERM;
2759
a269434d
EP		 2760 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2761 ad.u.dentry = dentry;
1da177e4 2762
275bb41e 2763 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 2764 FILE__RELABELFROM, &ad);
2765 if (rc)
2766 return rc;
2767
2768 rc = security_context_to_sid(value, size, &newsid);
12b29f34
SS		 2769 if (rc == -EINVAL) {
2770 if (!capable(CAP_MAC_ADMIN))
2771 return rc;
2772 rc = security_context_to_sid_force(value, size, &newsid);
2773 }
1da177e4
LT		 2774 if (rc)
2775 return rc;
2776
275bb41e 2777 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 2778 FILE__RELABELTO, &ad);
2779 if (rc)
2780 return rc;
2781
275bb41e 2782 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 2783 isec->sclass);
1da177e4
LT		 2784 if (rc)
2785 return rc;
2786
2787 return avc_has_perm(newsid,
2788 sbsec->sid,
2789 SECCLASS_FILESYSTEM,
2790 FILESYSTEM__ASSOCIATE,
2791 &ad);
2792}
2793
8f0cfa52 2794static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 2795 const void *value, size_t size,
8f0cfa52 2796 int flags)
1da177e4
LT		 2797{
2798 struct inode *inode = dentry->d_inode;
2799 struct inode_security_struct *isec = inode->i_security;
2800 u32 newsid;
2801 int rc;
2802
2803 if (strcmp(name, XATTR_NAME_SELINUX)) {
2804 /* Not an attribute we recognize, so nothing to do. */
2805 return;
2806 }
2807
12b29f34 2808 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 2809 if (rc) {
12b29f34
SS		 2810 printk(KERN_ERR "SELinux: unable to map context to SID"
2811 "for (%s, %lu), rc=%d\n",
2812 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 2813 return;
2814 }
2815
2816 isec->sid = newsid;
2817 return;
2818}
2819
8f0cfa52 2820static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 2821{
88e67f3b
DH		 2822 const struct cred *cred = current_cred();
2823
2875fa00 2824 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 2825}
2826
828dfe1d 2827static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 2828{
88e67f3b
DH		 2829 const struct cred *cred = current_cred();
2830
2875fa00 2831 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 2832}
2833
8f0cfa52 2834static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 2835{
b5376771
SH		 2836 if (strcmp(name, XATTR_NAME_SELINUX))
2837 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2838
2839 /* No one is allowed to remove a SELinux security label.
2840 You can change the label, but all data must be labeled. */
2841 return -EACCES;
2842}
2843
d381d8a9 2844/*
abc69bb6 2845 * Copy the inode security context value to the user.
d381d8a9
JM		 2846 *
2847 * Permission check is handled by selinux_inode_getxattr hook.
2848 */
42492594 2849static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 2850{
42492594
DQ		 2851 u32 size;
2852 int error;
2853 char *context = NULL;
1da177e4 2854 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2855
8c8570fb
DK		 2856 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2857 return -EOPNOTSUPP;
d381d8a9 2858
abc69bb6
SS		 2859 /*
2860 * If the caller has CAP_MAC_ADMIN, then get the raw context
2861 * value even if it is not defined by current policy; otherwise,
2862 * use the in-core value under current policy.
2863 * Use the non-auditing forms of the permission checks since
2864 * getxattr may be called by unprivileged processes commonly
2865 * and lack of permission just means that we fall back to the
2866 * in-core context value, not a denial.
2867 */
3486740a
SH		 2868 error = selinux_capable(current, current_cred(),
2869 &init_user_ns, CAP_MAC_ADMIN,
3699c53c 2870 SECURITY_CAP_NOAUDIT);
abc69bb6
SS		 2871 if (!error)
2872 error = security_sid_to_context_force(isec->sid, &context,
2873 &size);
2874 else
2875 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 2876 if (error)
2877 return error;
2878 error = size;
2879 if (alloc) {
2880 *buffer = context;
2881 goto out_nofree;
2882 }
2883 kfree(context);
2884out_nofree:
2885 return error;
1da177e4
LT		 2886}
2887
2888static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 2889 const void *value, size_t size, int flags)
1da177e4
LT		 2890{
2891 struct inode_security_struct *isec = inode->i_security;
2892 u32 newsid;
2893 int rc;
2894
2895 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2896 return -EOPNOTSUPP;
2897
2898 if (!value || !size)
2899 return -EACCES;
2900
828dfe1d 2901 rc = security_context_to_sid((void *)value, size, &newsid);
1da177e4
LT		 2902 if (rc)
2903 return rc;
2904
2905 isec->sid = newsid;
ddd29ec6 2906 isec->initialized = 1;
1da177e4
LT		 2907 return 0;
2908}
2909
2910static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2911{
2912 const int len = sizeof(XATTR_NAME_SELINUX);
2913 if (buffer && len <= buffer_size)
2914 memcpy(buffer, XATTR_NAME_SELINUX, len);
2915 return len;
2916}
2917
713a04ae
AD		 2918static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2919{
2920 struct inode_security_struct *isec = inode->i_security;
2921 *secid = isec->sid;
2922}
2923
1da177e4
LT		 2924/* file security operations */
2925
788e7dd4 2926static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 2927{
88e67f3b 2928 const struct cred *cred = current_cred();
3d5ff529 2929 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4 2930
1da177e4
LT		 2931 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2932 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2933 mask |= MAY_APPEND;
2934
389fb800
PM		 2935 return file_has_perm(cred, file,
2936 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 2937}
2938
788e7dd4
YN		 2939static int selinux_file_permission(struct file *file, int mask)
2940{
20dda18b
SS		 2941 struct inode *inode = file->f_path.dentry->d_inode;
2942 struct file_security_struct *fsec = file->f_security;
2943 struct inode_security_struct *isec = inode->i_security;
2944 u32 sid = current_sid();
2945
389fb800 2946 if (!mask)
788e7dd4
YN		 2947 /* No permission to check. Existence test. */
2948 return 0;
788e7dd4 2949
20dda18b
SS		 2950 if (sid == fsec->sid && fsec->isid == isec->sid &&
2951 fsec->pseqno == avc_policy_seqno())
2952 /* No change since dentry_open check. */
2953 return 0;
2954
788e7dd4
YN		 2955 return selinux_revalidate_file_permission(file, mask);
2956}
2957
1da177e4
LT		 2958static int selinux_file_alloc_security(struct file *file)
2959{
2960 return file_alloc_security(file);
2961}
2962
2963static void selinux_file_free_security(struct file *file)
2964{
2965 file_free_security(file);
2966}
2967
2968static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2969 unsigned long arg)
2970{
88e67f3b 2971 const struct cred *cred = current_cred();
0b24dcb7 2972 int error = 0;
1da177e4 2973
0b24dcb7
EP		 2974 switch (cmd) {
2975 case FIONREAD:
2976 /* fall through */
2977 case FIBMAP:
2978 /* fall through */
2979 case FIGETBSZ:
2980 /* fall through */
2981 case EXT2_IOC_GETFLAGS:
2982 /* fall through */
2983 case EXT2_IOC_GETVERSION:
2984 error = file_has_perm(cred, file, FILE__GETATTR);
2985 break;
1da177e4 2986
0b24dcb7
EP		 2987 case EXT2_IOC_SETFLAGS:
2988 /* fall through */
2989 case EXT2_IOC_SETVERSION:
2990 error = file_has_perm(cred, file, FILE__SETATTR);
2991 break;
2992
2993 /* sys_ioctl() checks */
2994 case FIONBIO:
2995 /* fall through */
2996 case FIOASYNC:
2997 error = file_has_perm(cred, file, 0);
2998 break;
1da177e4 2999
0b24dcb7
EP		 3000 case KDSKBENT:
3001 case KDSKBSENT:
3002 error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG,
3486740a 3003 SECURITY_CAP_AUDIT);
0b24dcb7
EP		 3004 break;
3005
3006 /* default case assumes that the command will go
3007 * to the file's ioctl() function.
3008 */
3009 default:
3010 error = file_has_perm(cred, file, FILE__IOCTL);
3011 }
3012 return error;
1da177e4
LT		 3013}
3014
fcaaade1
SS		 3015static int default_noexec;
3016
1da177e4
LT		 3017static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3018{
88e67f3b 3019 const struct cred *cred = current_cred();
d84f4f99 3020 int rc = 0;
88e67f3b 3021
fcaaade1
SS		 3022 if (default_noexec &&
3023 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3024 /*
3025 * We are making executable an anonymous mapping or a
3026 * private file mapping that will also be writable.
3027 * This has an additional check.
3028 */
d84f4f99 3029 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 3030 if (rc)
d84f4f99 3031 goto error;
1da177e4 3032 }
1da177e4
LT		 3033
3034 if (file) {
3035 /* read access is always possible with a mapping */
3036 u32 av = FILE__READ;
3037
3038 /* write access only matters if the mapping is shared */
3039 if (shared && (prot & PROT_WRITE))
3040 av |= FILE__WRITE;
3041
3042 if (prot & PROT_EXEC)
3043 av |= FILE__EXECUTE;
3044
88e67f3b 3045 return file_has_perm(cred, file, av);
1da177e4 3046 }
d84f4f99
DH		 3047
3048error:
3049 return rc;
1da177e4
LT		 3050}
3051
3052static int selinux_file_mmap(struct file *file, unsigned long reqprot,
ed032189
EP		 3053 unsigned long prot, unsigned long flags,
3054 unsigned long addr, unsigned long addr_only)
1da177e4 3055{
ed032189 3056 int rc = 0;
275bb41e 3057 u32 sid = current_sid();
1da177e4 3058
84336d1a
EP		 3059 /*
3060 * notice that we are intentionally putting the SELinux check before
3061 * the secondary cap_file_mmap check. This is such a likely attempt
3062 * at bad behaviour/exploit that we always want to get the AVC, even
3063 * if DAC would have also denied the operation.
3064 */
a2551df7 3065 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
ed032189
EP		 3066 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3067 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3068 if (rc)
3069 return rc;
3070 }
3071
3072 /* do DAC check on address space usage */
3073 rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
ed032189 3074 if (rc || addr_only)
1da177e4
LT		 3075 return rc;
3076
3077 if (selinux_checkreqprot)
3078 prot = reqprot;
3079
3080 return file_map_prot_check(file, prot,
3081 (flags & MAP_TYPE) == MAP_SHARED);
3082}
3083
3084static int selinux_file_mprotect(struct vm_area_struct *vma,
3085 unsigned long reqprot,
3086 unsigned long prot)
3087{
88e67f3b 3088 const struct cred *cred = current_cred();
1da177e4
LT		 3089
3090 if (selinux_checkreqprot)
3091 prot = reqprot;
3092
fcaaade1
SS		 3093 if (default_noexec &&
3094 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3095 int rc = 0;
db4c9641
SS		 3096 if (vma->vm_start >= vma->vm_mm->start_brk &&
3097 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3098 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641
SS		 3099 } else if (!vma->vm_file &&
3100 vma->vm_start <= vma->vm_mm->start_stack &&
3101 vma->vm_end >= vma->vm_mm->start_stack) {
3b11a1de 3102 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3103 } else if (vma->vm_file && vma->anon_vma) {
3104 /*
3105 * We are making executable a file mapping that has
3106 * had some COW done. Since pages might have been
3107 * written, check ability to execute the possibly
3108 * modified content. This typically should only
3109 * occur for text relocations.
3110 */
d84f4f99 3111 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3112 }