]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blame - security/selinux/hooks.c
projects / mirror_ubuntu-artful-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
rlimits: selinux, do rlimits changes under task_lock
[mirror_ubuntu-artful-kernel.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4
PM		 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul.moore@hp.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4
LT		 26#include <linux/init.h>
27#include <linux/kernel.h>
0d094efe 28#include <linux/tracehook.h>
1da177e4
LT		 29#include <linux/errno.h>
30#include <linux/sched.h>
31#include <linux/security.h>
32#include <linux/xattr.h>
33#include <linux/capability.h>
34#include <linux/unistd.h>
35#include <linux/mm.h>
36#include <linux/mman.h>
37#include <linux/slab.h>
38#include <linux/pagemap.h>
39#include <linux/swap.h>
1da177e4
LT		 40#include <linux/spinlock.h>
41#include <linux/syscalls.h>
42#include <linux/file.h>
9f3acc31 43#include <linux/fdtable.h>
1da177e4
LT		 44#include <linux/namei.h>
45#include <linux/mount.h>
1da177e4 46#include <linux/proc_fs.h>
1da177e4
LT		 47#include <linux/netfilter_ipv4.h>
48#include <linux/netfilter_ipv6.h>
49#include <linux/tty.h>
50#include <net/icmp.h>
227b60f5 51#include <net/ip.h> /* for local_port_range[] */
1da177e4 52#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
220deb96 53#include <net/net_namespace.h>
d621d35e 54#include <net/netlabel.h>
f5269710 55#include <linux/uaccess.h>
1da177e4 56#include <asm/ioctls.h>
d621d35e 57#include <asm/atomic.h>
1da177e4
LT		 58#include <linux/bitops.h>
59#include <linux/interrupt.h>
60#include <linux/netdevice.h> /* for network interface checks */
61#include <linux/netlink.h>
62#include <linux/tcp.h>
63#include <linux/udp.h>
2ee92d46 64#include <linux/dccp.h>
1da177e4
LT		 65#include <linux/quota.h>
66#include <linux/un.h> /* for Unix socket types */
67#include <net/af_unix.h> /* for Unix socket types */
68#include <linux/parser.h>
69#include <linux/nfs_mount.h>
70#include <net/ipv6.h>
71#include <linux/hugetlb.h>
72#include <linux/personality.h>
73#include <linux/sysctl.h>
74#include <linux/audit.h>
6931dfc9 75#include <linux/string.h>
877ce7c1 76#include <linux/selinux.h>
23970741 77#include <linux/mutex.h>
f06febc9 78#include <linux/posix-timers.h>
00234592 79#include <linux/syslog.h>
1da177e4
LT		 80
81#include "avc.h"
82#include "objsec.h"
83#include "netif.h"
224dfbd8 84#include "netnode.h"
3e112172 85#include "netport.h"
d28d1e08 86#include "xfrm.h"
c60475bf 87#include "netlabel.h"
9d57a7f9 88#include "audit.h"
1da177e4
LT		 89
90#define XATTR_SELINUX_SUFFIX "selinux"
91#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
92
11689d47 93#define NUM_SEL_MNT_OPTS 5
c9180a57 94
1da177e4 95extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
20510f2f 96extern struct security_operations *security_ops;
1da177e4 97
d621d35e
PM		 98/* SECMARK reference count */
99atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100
1da177e4 101#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 102int selinux_enforcing;
1da177e4
LT		 103
104static int __init enforcing_setup(char *str)
105{
f5269710
EP		 106 unsigned long enforcing;
107 if (!strict_strtoul(str, 0, &enforcing))
108 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 109 return 1;
110}
111__setup("enforcing=", enforcing_setup);
112#endif
113
114#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116
117static int __init selinux_enabled_setup(char *str)
118{
f5269710
EP		 119 unsigned long enabled;
120 if (!strict_strtoul(str, 0, &enabled))
121 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 122 return 1;
123}
124__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 125#else
126int selinux_enabled = 1;
1da177e4
LT		 127#endif
128
e18b890b 129static struct kmem_cache *sel_inode_cache;
7cae7e26 130
d621d35e
PM		 131/**
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133 *
134 * Description:
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
138 * enabled, false (0) if SECMARK is disabled.
139 *
140 */
141static int selinux_secmark_enabled(void)
142{
143 return (atomic_read(&selinux_secmark_refcount) > 0);
144}
145
d84f4f99
DH		 146/*
147 * initialise the security for the init task
148 */
149static void cred_init_security(void)
1da177e4 150{
3b11a1de 151 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 152 struct task_security_struct *tsec;
153
89d155ef 154 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 155 if (!tsec)
d84f4f99 156 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 157
d84f4f99 158 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 159 cred->security = tsec;
1da177e4
LT		 160}
161
88e67f3b
DH		 162/*
163 * get the security ID of a set of credentials
164 */
165static inline u32 cred_sid(const struct cred *cred)
166{
167 const struct task_security_struct *tsec;
168
169 tsec = cred->security;
170 return tsec->sid;
171}
172
275bb41e 173/*
3b11a1de 174 * get the objective security ID of a task
275bb41e
DH		 175 */
176static inline u32 task_sid(const struct task_struct *task)
177{
275bb41e
DH		 178 u32 sid;
179
180 rcu_read_lock();
88e67f3b 181 sid = cred_sid(__task_cred(task));
275bb41e
DH		 182 rcu_read_unlock();
183 return sid;
184}
185
186/*
3b11a1de 187 * get the subjective security ID of the current task
275bb41e
DH		 188 */
189static inline u32 current_sid(void)
190{
191 const struct task_security_struct *tsec = current_cred()->security;
192
193 return tsec->sid;
194}
195
88e67f3b
DH		 196/* Allocate and free functions for each kind of security blob. */
197
1da177e4
LT		 198static int inode_alloc_security(struct inode *inode)
199{
1da177e4 200 struct inode_security_struct *isec;
275bb41e 201 u32 sid = current_sid();
1da177e4 202
a02fe132 203 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 204 if (!isec)
205 return -ENOMEM;
206
23970741 207 mutex_init(&isec->lock);
1da177e4 208 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 209 isec->inode = inode;
210 isec->sid = SECINITSID_UNLABELED;
211 isec->sclass = SECCLASS_FILE;
275bb41e 212 isec->task_sid = sid;
1da177e4
LT		 213 inode->i_security = isec;
214
215 return 0;
216}
217
218static void inode_free_security(struct inode *inode)
219{
220 struct inode_security_struct *isec = inode->i_security;
221 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
222
1da177e4
LT		 223 spin_lock(&sbsec->isec_lock);
224 if (!list_empty(&isec->list))
225 list_del_init(&isec->list);
226 spin_unlock(&sbsec->isec_lock);
227
228 inode->i_security = NULL;
7cae7e26 229 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 230}
231
232static int file_alloc_security(struct file *file)
233{
1da177e4 234 struct file_security_struct *fsec;
275bb41e 235 u32 sid = current_sid();
1da177e4 236
26d2a4be 237 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 238 if (!fsec)
239 return -ENOMEM;
240
275bb41e
DH		 241 fsec->sid = sid;
242 fsec->fown_sid = sid;
1da177e4
LT		 243 file->f_security = fsec;
244
245 return 0;
246}
247
248static void file_free_security(struct file *file)
249{
250 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 251 file->f_security = NULL;
252 kfree(fsec);
253}
254
255static int superblock_alloc_security(struct super_block *sb)
256{
257 struct superblock_security_struct *sbsec;
258
89d155ef 259 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 260 if (!sbsec)
261 return -ENOMEM;
262
bc7e982b 263 mutex_init(&sbsec->lock);
1da177e4
LT		 264 INIT_LIST_HEAD(&sbsec->isec_head);
265 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 266 sbsec->sb = sb;
267 sbsec->sid = SECINITSID_UNLABELED;
268 sbsec->def_sid = SECINITSID_FILE;
c312feb2 269 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 270 sb->s_security = sbsec;
271
272 return 0;
273}
274
275static void superblock_free_security(struct super_block *sb)
276{
277 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 278 sb->s_security = NULL;
279 kfree(sbsec);
280}
281
7d877f3b 282static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4 283{
dd3e7836 284 struct sk_security_struct *sksec;
1da177e4 285
dd3e7836
EP		 286 sksec = kzalloc(sizeof(*sksec), priority);
287 if (!sksec)
1da177e4
LT		 288 return -ENOMEM;
289
dd3e7836
EP		 290 sksec->peer_sid = SECINITSID_UNLABELED;
291 sksec->sid = SECINITSID_UNLABELED;
292 sk->sk_security = sksec;
1da177e4 293
dd3e7836 294 selinux_netlbl_sk_security_reset(sksec);
99f59ed0 295
1da177e4
LT		 296 return 0;
297}
298
299static void sk_free_security(struct sock *sk)
300{
dd3e7836 301 struct sk_security_struct *sksec = sk->sk_security;
1da177e4 302
1da177e4 303 sk->sk_security = NULL;
dd3e7836
EP		 304 selinux_netlbl_sk_security_free(sksec);
305 kfree(sksec);
1da177e4 306}
1da177e4
LT		 307
308/* The security server must be initialized before
309 any labeling or access decisions can be provided. */
310extern int ss_initialized;
311
312/* The file system's label must be initialized prior to use. */
313
634a539e 314static const char *labeling_behaviors[6] = {
1da177e4
LT		 315 "uses xattr",
316 "uses transition SIDs",
317 "uses task SIDs",
318 "uses genfs_contexts",
319 "not configured for labeling",
320 "uses mountpoint labeling",
321};
322
323static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
324
325static inline int inode_doinit(struct inode *inode)
326{
327 return inode_doinit_with_dentry(inode, NULL);
328}
329
330enum {
31e87930 331 Opt_error = -1,
1da177e4
LT		 332 Opt_context = 1,
333 Opt_fscontext = 2,
c9180a57
EP		 334 Opt_defcontext = 3,
335 Opt_rootcontext = 4,
11689d47 336 Opt_labelsupport = 5,
1da177e4
LT		 337};
338
a447c093 339static const match_table_t tokens = {
832cbd9a
EP		 340 {Opt_context, CONTEXT_STR "%s"},
341 {Opt_fscontext, FSCONTEXT_STR "%s"},
342 {Opt_defcontext, DEFCONTEXT_STR "%s"},
343 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 344 {Opt_labelsupport, LABELSUPP_STR},
31e87930 345 {Opt_error, NULL},
1da177e4
LT		 346};
347
348#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
349
c312feb2
EP		 350static int may_context_mount_sb_relabel(u32 sid,
351 struct superblock_security_struct *sbsec,
275bb41e 352 const struct cred *cred)
c312feb2 353{
275bb41e 354 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 355 int rc;
356
357 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358 FILESYSTEM__RELABELFROM, NULL);
359 if (rc)
360 return rc;
361
362 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
363 FILESYSTEM__RELABELTO, NULL);
364 return rc;
365}
366
0808925e
EP		 367static int may_context_mount_inode_relabel(u32 sid,
368 struct superblock_security_struct *sbsec,
275bb41e 369 const struct cred *cred)
0808925e 370{
275bb41e 371 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 372 int rc;
373 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
374 FILESYSTEM__RELABELFROM, NULL);
375 if (rc)
376 return rc;
377
378 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
379 FILESYSTEM__ASSOCIATE, NULL);
380 return rc;
381}
382
c9180a57 383static int sb_finish_set_opts(struct super_block *sb)
1da177e4 384{
1da177e4 385 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 386 struct dentry *root = sb->s_root;
387 struct inode *root_inode = root->d_inode;
388 int rc = 0;
1da177e4 389
c9180a57
EP		 390 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
391 /* Make sure that the xattr handler exists and that no
392 error other than -ENODATA is returned by getxattr on
393 the root directory. -ENODATA is ok, as this may be
394 the first boot of the SELinux kernel before we have
395 assigned xattr values to the filesystem. */
396 if (!root_inode->i_op->getxattr) {
397 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
398 "xattr support\n", sb->s_id, sb->s_type->name);
399 rc = -EOPNOTSUPP;
400 goto out;
401 }
402 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
403 if (rc < 0 && rc != -ENODATA) {
404 if (rc == -EOPNOTSUPP)
405 printk(KERN_WARNING "SELinux: (dev %s, type "
406 "%s) has no security xattr handler\n",
407 sb->s_id, sb->s_type->name);
408 else
409 printk(KERN_WARNING "SELinux: (dev %s, type "
410 "%s) getxattr errno %d\n", sb->s_id,
411 sb->s_type->name, -rc);
412 goto out;
413 }
414 }
1da177e4 415
11689d47 416 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
1da177e4 417
c9180a57
EP		 418 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
419 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
420 sb->s_id, sb->s_type->name);
421 else
422 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
423 sb->s_id, sb->s_type->name,
424 labeling_behaviors[sbsec->behavior-1]);
1da177e4 425
11689d47
DQ		 426 if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
427 sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
428 sbsec->behavior == SECURITY_FS_USE_NONE ||
429 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
430 sbsec->flags &= ~SE_SBLABELSUPP;
431
ddd29ec6
DQ		 432 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
433 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
434 sbsec->flags |= SE_SBLABELSUPP;
435
c9180a57
EP		 436 /* Initialize the root inode. */
437 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 438
c9180a57
EP		 439 /* Initialize any other inodes associated with the superblock, e.g.
440 inodes created prior to initial policy load or inodes created
441 during get_sb by a pseudo filesystem that directly
442 populates itself. */
443 spin_lock(&sbsec->isec_lock);
444next_inode:
445 if (!list_empty(&sbsec->isec_head)) {
446 struct inode_security_struct *isec =
447 list_entry(sbsec->isec_head.next,
448 struct inode_security_struct, list);
449 struct inode *inode = isec->inode;
450 spin_unlock(&sbsec->isec_lock);
451 inode = igrab(inode);
452 if (inode) {
453 if (!IS_PRIVATE(inode))
454 inode_doinit(inode);
455 iput(inode);
456 }
457 spin_lock(&sbsec->isec_lock);
458 list_del_init(&isec->list);
459 goto next_inode;
460 }
461 spin_unlock(&sbsec->isec_lock);
462out:
463 return rc;
464}
1da177e4 465
c9180a57
EP		 466/*
467 * This function should allow an FS to ask what it's mount security
468 * options were so it can use those later for submounts, displaying
469 * mount options, or whatever.
470 */
471static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 472 struct security_mnt_opts *opts)
c9180a57
EP		 473{
474 int rc = 0, i;
475 struct superblock_security_struct *sbsec = sb->s_security;
476 char *context = NULL;
477 u32 len;
478 char tmp;
1da177e4 479
e0007529 480 security_init_mnt_opts(opts);
1da177e4 481
0d90a7ec 482 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 483 return -EINVAL;
1da177e4 484
c9180a57
EP		 485 if (!ss_initialized)
486 return -EINVAL;
1da177e4 487
0d90a7ec 488 tmp = sbsec->flags & SE_MNTMASK;
c9180a57
EP		 489 /* count the number of mount options for this sb */
490 for (i = 0; i < 8; i++) {
491 if (tmp & 0x01)
e0007529 492 opts->num_mnt_opts++;
c9180a57
EP		 493 tmp >>= 1;
494 }
11689d47
DQ		 495 /* Check if the Label support flag is set */
496 if (sbsec->flags & SE_SBLABELSUPP)
497 opts->num_mnt_opts++;
1da177e4 498
e0007529
EP		 499 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
500 if (!opts->mnt_opts) {
c9180a57
EP		 501 rc = -ENOMEM;
502 goto out_free;
503 }
1da177e4 504
e0007529
EP		 505 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
506 if (!opts->mnt_opts_flags) {
c9180a57
EP		 507 rc = -ENOMEM;
508 goto out_free;
509 }
1da177e4 510
c9180a57
EP		 511 i = 0;
512 if (sbsec->flags & FSCONTEXT_MNT) {
513 rc = security_sid_to_context(sbsec->sid, &context, &len);
514 if (rc)
515 goto out_free;
e0007529
EP		 516 opts->mnt_opts[i] = context;
517 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 518 }
519 if (sbsec->flags & CONTEXT_MNT) {
520 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
521 if (rc)
522 goto out_free;
e0007529
EP		 523 opts->mnt_opts[i] = context;
524 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 525 }
526 if (sbsec->flags & DEFCONTEXT_MNT) {
527 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
528 if (rc)
529 goto out_free;
e0007529
EP		 530 opts->mnt_opts[i] = context;
531 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 532 }
533 if (sbsec->flags & ROOTCONTEXT_MNT) {
534 struct inode *root = sbsec->sb->s_root->d_inode;
535 struct inode_security_struct *isec = root->i_security;
0808925e 536
c9180a57
EP		 537 rc = security_sid_to_context(isec->sid, &context, &len);
538 if (rc)
539 goto out_free;
e0007529
EP		 540 opts->mnt_opts[i] = context;
541 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 542 }
11689d47
DQ		 543 if (sbsec->flags & SE_SBLABELSUPP) {
544 opts->mnt_opts[i] = NULL;
545 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
546 }
1da177e4 547
e0007529 548 BUG_ON(i != opts->num_mnt_opts);
1da177e4 549
c9180a57
EP		 550 return 0;
551
552out_free:
e0007529 553 security_free_mnt_opts(opts);
c9180a57
EP		 554 return rc;
555}
1da177e4 556
c9180a57
EP		 557static int bad_option(struct superblock_security_struct *sbsec, char flag,
558 u32 old_sid, u32 new_sid)
559{
0d90a7ec
DQ		 560 char mnt_flags = sbsec->flags & SE_MNTMASK;
561
c9180a57 562 /* check if the old mount command had the same options */
0d90a7ec 563 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 564 if (!(sbsec->flags & flag) ||
565 (old_sid != new_sid))
566 return 1;
567
568 /* check if we were passed the same options twice,
569 * aka someone passed context=a,context=b
570 */
0d90a7ec
DQ		 571 if (!(sbsec->flags & SE_SBINITIALIZED))
572 if (mnt_flags & flag)
c9180a57
EP		 573 return 1;
574 return 0;
575}
e0007529 576
c9180a57
EP		 577/*
578 * Allow filesystems with binary mount data to explicitly set mount point
579 * labeling information.
580 */
e0007529
EP		 581static int selinux_set_mnt_opts(struct super_block *sb,
582 struct security_mnt_opts *opts)
c9180a57 583{
275bb41e 584 const struct cred *cred = current_cred();
c9180a57 585 int rc = 0, i;
c9180a57
EP		 586 struct superblock_security_struct *sbsec = sb->s_security;
587 const char *name = sb->s_type->name;
089be43e
JM		 588 struct inode *inode = sbsec->sb->s_root->d_inode;
589 struct inode_security_struct *root_isec = inode->i_security;
c9180a57
EP		 590 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
591 u32 defcontext_sid = 0;
e0007529
EP		 592 char **mount_options = opts->mnt_opts;
593 int *flags = opts->mnt_opts_flags;
594 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 595
596 mutex_lock(&sbsec->lock);
597
598 if (!ss_initialized) {
599 if (!num_opts) {
600 /* Defer initialization until selinux_complete_init,
601 after the initial policy is loaded and the security
602 server is ready to handle calls. */
c9180a57
EP		 603 goto out;
604 }
605 rc = -EINVAL;
744ba35e
EP		 606 printk(KERN_WARNING "SELinux: Unable to set superblock options "
607 "before the security server is initialized\n");
1da177e4 608 goto out;
c9180a57 609 }
1da177e4 610
e0007529
EP		 611 /*
612 * Binary mount data FS will come through this function twice. Once
613 * from an explicit call and once from the generic calls from the vfs.
614 * Since the generic VFS calls will not contain any security mount data
615 * we need to skip the double mount verification.
616 *
617 * This does open a hole in which we will not notice if the first
618 * mount using this sb set explict options and a second mount using
619 * this sb does not set any security options. (The first options
620 * will be used for both mounts)
621 */
0d90a7ec 622 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 623 && (num_opts == 0))
f5269710 624 goto out;
e0007529 625
c9180a57
EP		 626 /*
627 * parse the mount options, check if they are valid sids.
628 * also check if someone is trying to mount the same sb more
629 * than once with different security options.
630 */
631 for (i = 0; i < num_opts; i++) {
632 u32 sid;
11689d47
DQ		 633
634 if (flags[i] == SE_SBLABELSUPP)
635 continue;
c9180a57
EP		 636 rc = security_context_to_sid(mount_options[i],
637 strlen(mount_options[i]), &sid);
1da177e4
LT		 638 if (rc) {
639 printk(KERN_WARNING "SELinux: security_context_to_sid"
640 "(%s) failed for (dev %s, type %s) errno=%d\n",
c9180a57
EP		 641 mount_options[i], sb->s_id, name, rc);
642 goto out;
643 }
644 switch (flags[i]) {
645 case FSCONTEXT_MNT:
646 fscontext_sid = sid;
647
648 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
649 fscontext_sid))
650 goto out_double_mount;
651
652 sbsec->flags |= FSCONTEXT_MNT;
653 break;
654 case CONTEXT_MNT:
655 context_sid = sid;
656
657 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
658 context_sid))
659 goto out_double_mount;
660
661 sbsec->flags |= CONTEXT_MNT;
662 break;
663 case ROOTCONTEXT_MNT:
664 rootcontext_sid = sid;
665
666 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
667 rootcontext_sid))
668 goto out_double_mount;
669
670 sbsec->flags |= ROOTCONTEXT_MNT;
671
672 break;
673 case DEFCONTEXT_MNT:
674 defcontext_sid = sid;
675
676 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
677 defcontext_sid))
678 goto out_double_mount;
679
680 sbsec->flags |= DEFCONTEXT_MNT;
681
682 break;
683 default:
684 rc = -EINVAL;
685 goto out;
1da177e4 686 }
c9180a57
EP		 687 }
688
0d90a7ec 689 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 690 /* previously mounted with options, but not on this attempt? */
0d90a7ec 691 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 692 goto out_double_mount;
693 rc = 0;
694 goto out;
695 }
696
089be43e 697 if (strcmp(sb->s_type->name, "proc") == 0)
0d90a7ec 698 sbsec->flags |= SE_SBPROC;
c9180a57
EP		 699
700 /* Determine the labeling behavior to use for this filesystem type. */
0d90a7ec 701 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
c9180a57
EP		 702 if (rc) {
703 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
089be43e 704 __func__, sb->s_type->name, rc);
c9180a57
EP		 705 goto out;
706 }
1da177e4 707
c9180a57
EP		 708 /* sets the context of the superblock for the fs being mounted. */
709 if (fscontext_sid) {
275bb41e 710 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 711 if (rc)
c9180a57 712 goto out;
1da177e4 713
c9180a57 714 sbsec->sid = fscontext_sid;
c312feb2
EP		 715 }
716
717 /*
718 * Switch to using mount point labeling behavior.
719 * sets the label used on all file below the mountpoint, and will set
720 * the superblock context if not already set.
721 */
c9180a57
EP		 722 if (context_sid) {
723 if (!fscontext_sid) {
275bb41e
DH		 724 rc = may_context_mount_sb_relabel(context_sid, sbsec,
725 cred);
b04ea3ce 726 if (rc)
c9180a57
EP		 727 goto out;
728 sbsec->sid = context_sid;
b04ea3ce 729 } else {
275bb41e
DH		 730 rc = may_context_mount_inode_relabel(context_sid, sbsec,
731 cred);
b04ea3ce 732 if (rc)
c9180a57 733 goto out;
b04ea3ce 734 }
c9180a57
EP		 735 if (!rootcontext_sid)
736 rootcontext_sid = context_sid;
1da177e4 737
c9180a57 738 sbsec->mntpoint_sid = context_sid;
c312feb2 739 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 740 }
741
c9180a57 742 if (rootcontext_sid) {
275bb41e
DH		 743 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
744 cred);
0808925e 745 if (rc)
c9180a57 746 goto out;
0808925e 747
c9180a57
EP		 748 root_isec->sid = rootcontext_sid;
749 root_isec->initialized = 1;
0808925e
EP		 750 }
751
c9180a57
EP		 752 if (defcontext_sid) {
753 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
754 rc = -EINVAL;
755 printk(KERN_WARNING "SELinux: defcontext option is "
756 "invalid for this filesystem type\n");
757 goto out;
1da177e4
LT		 758 }
759
c9180a57
EP		 760 if (defcontext_sid != sbsec->def_sid) {
761 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 762 sbsec, cred);
c9180a57
EP		 763 if (rc)
764 goto out;
765 }
1da177e4 766
c9180a57 767 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 768 }
769
c9180a57 770 rc = sb_finish_set_opts(sb);
1da177e4 771out:
c9180a57 772 mutex_unlock(&sbsec->lock);
1da177e4 773 return rc;
c9180a57
EP		 774out_double_mount:
775 rc = -EINVAL;
776 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
777 "security settings for (dev %s, type %s)\n", sb->s_id, name);
778 goto out;
1da177e4
LT		 779}
780
c9180a57
EP		 781static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
782 struct super_block *newsb)
1da177e4 783{
c9180a57
EP		 784 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
785 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 786
c9180a57
EP		 787 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
788 int set_context = (oldsbsec->flags & CONTEXT_MNT);
789 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 790
0f5e6420
EP		 791 /*
792 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 793 * mount options. thus we can safely deal with this superblock later
0f5e6420 794 */
e8c26255 795 if (!ss_initialized)
0f5e6420 796 return;
c9180a57 797
c9180a57 798 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 799 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 800
5a552617 801 /* if fs is reusing a sb, just let its options stand... */
0d90a7ec 802 if (newsbsec->flags & SE_SBINITIALIZED)
5a552617
EP		 803 return;
804
c9180a57
EP		 805 mutex_lock(&newsbsec->lock);
806
807 newsbsec->flags = oldsbsec->flags;
808
809 newsbsec->sid = oldsbsec->sid;
810 newsbsec->def_sid = oldsbsec->def_sid;
811 newsbsec->behavior = oldsbsec->behavior;
812
813 if (set_context) {
814 u32 sid = oldsbsec->mntpoint_sid;
815
816 if (!set_fscontext)
817 newsbsec->sid = sid;
818 if (!set_rootcontext) {
819 struct inode *newinode = newsb->s_root->d_inode;
820 struct inode_security_struct *newisec = newinode->i_security;
821 newisec->sid = sid;
822 }
823 newsbsec->mntpoint_sid = sid;
1da177e4 824 }
c9180a57
EP		 825 if (set_rootcontext) {
826 const struct inode *oldinode = oldsb->s_root->d_inode;
827 const struct inode_security_struct *oldisec = oldinode->i_security;
828 struct inode *newinode = newsb->s_root->d_inode;
829 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 830
c9180a57 831 newisec->sid = oldisec->sid;
1da177e4
LT		 832 }
833
c9180a57
EP		 834 sb_finish_set_opts(newsb);
835 mutex_unlock(&newsbsec->lock);
836}
837
2e1479d9
AB		 838static int selinux_parse_opts_str(char *options,
839 struct security_mnt_opts *opts)
c9180a57 840{
e0007529 841 char *p;
c9180a57
EP		 842 char *context = NULL, *defcontext = NULL;
843 char *fscontext = NULL, *rootcontext = NULL;
e0007529 844 int rc, num_mnt_opts = 0;
1da177e4 845
e0007529 846 opts->num_mnt_opts = 0;
1da177e4 847
c9180a57
EP		 848 /* Standard string-based options. */
849 while ((p = strsep(&options, "|")) != NULL) {
850 int token;
851 substring_t args[MAX_OPT_ARGS];
1da177e4 852
c9180a57
EP		 853 if (!*p)
854 continue;
1da177e4 855
c9180a57 856 token = match_token(p, tokens, args);
1da177e4 857
c9180a57
EP		 858 switch (token) {
859 case Opt_context:
860 if (context || defcontext) {
861 rc = -EINVAL;
862 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
863 goto out_err;
864 }
865 context = match_strdup(&args[0]);
866 if (!context) {
867 rc = -ENOMEM;
868 goto out_err;
869 }
870 break;
871
872 case Opt_fscontext:
873 if (fscontext) {
874 rc = -EINVAL;
875 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
876 goto out_err;
877 }
878 fscontext = match_strdup(&args[0]);
879 if (!fscontext) {
880 rc = -ENOMEM;
881 goto out_err;
882 }
883 break;
884
885 case Opt_rootcontext:
886 if (rootcontext) {
887 rc = -EINVAL;
888 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
889 goto out_err;
890 }
891 rootcontext = match_strdup(&args[0]);
892 if (!rootcontext) {
893 rc = -ENOMEM;
894 goto out_err;
895 }
896 break;
897
898 case Opt_defcontext:
899 if (context || defcontext) {
900 rc = -EINVAL;
901 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
902 goto out_err;
903 }
904 defcontext = match_strdup(&args[0]);
905 if (!defcontext) {
906 rc = -ENOMEM;
907 goto out_err;
908 }
909 break;
11689d47
DQ		 910 case Opt_labelsupport:
911 break;
c9180a57
EP		 912 default:
913 rc = -EINVAL;
914 printk(KERN_WARNING "SELinux: unknown mount option\n");
915 goto out_err;
1da177e4 916
1da177e4 917 }
1da177e4 918 }
c9180a57 919
e0007529
EP		 920 rc = -ENOMEM;
921 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
922 if (!opts->mnt_opts)
923 goto out_err;
924
925 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
926 if (!opts->mnt_opts_flags) {
927 kfree(opts->mnt_opts);
928 goto out_err;
929 }
930
c9180a57 931 if (fscontext) {
e0007529
EP		 932 opts->mnt_opts[num_mnt_opts] = fscontext;
933 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 934 }
935 if (context) {
e0007529
EP		 936 opts->mnt_opts[num_mnt_opts] = context;
937 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 938 }
939 if (rootcontext) {
e0007529
EP		 940 opts->mnt_opts[num_mnt_opts] = rootcontext;
941 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 942 }
943 if (defcontext) {
e0007529
EP		 944 opts->mnt_opts[num_mnt_opts] = defcontext;
945 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 946 }
947
e0007529
EP		 948 opts->num_mnt_opts = num_mnt_opts;
949 return 0;
950
c9180a57
EP		 951out_err:
952 kfree(context);
953 kfree(defcontext);
954 kfree(fscontext);
955 kfree(rootcontext);
1da177e4
LT		 956 return rc;
957}
e0007529
EP		 958/*
959 * string mount options parsing and call set the sbsec
960 */
961static int superblock_doinit(struct super_block *sb, void *data)
962{
963 int rc = 0;
964 char *options = data;
965 struct security_mnt_opts opts;
966
967 security_init_mnt_opts(&opts);
968
969 if (!data)
970 goto out;
971
972 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
973
974 rc = selinux_parse_opts_str(options, &opts);
975 if (rc)
976 goto out_err;
977
978out:
979 rc = selinux_set_mnt_opts(sb, &opts);
980
981out_err:
982 security_free_mnt_opts(&opts);
983 return rc;
984}
1da177e4 985
3583a711
AB		 986static void selinux_write_opts(struct seq_file *m,
987 struct security_mnt_opts *opts)
2069f457
EP		 988{
989 int i;
990 char *prefix;
991
992 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 993 char *has_comma;
994
995 if (opts->mnt_opts[i])
996 has_comma = strchr(opts->mnt_opts[i], ',');
997 else
998 has_comma = NULL;
2069f457
EP		 999
1000 switch (opts->mnt_opts_flags[i]) {
1001 case CONTEXT_MNT:
1002 prefix = CONTEXT_STR;
1003 break;
1004 case FSCONTEXT_MNT:
1005 prefix = FSCONTEXT_STR;
1006 break;
1007 case ROOTCONTEXT_MNT:
1008 prefix = ROOTCONTEXT_STR;
1009 break;
1010 case DEFCONTEXT_MNT:
1011 prefix = DEFCONTEXT_STR;
1012 break;
11689d47
DQ		 1013 case SE_SBLABELSUPP:
1014 seq_putc(m, ',');
1015 seq_puts(m, LABELSUPP_STR);
1016 continue;
2069f457
EP		 1017 default:
1018 BUG();
1019 };
1020 /* we need a comma before each option */
1021 seq_putc(m, ',');
1022 seq_puts(m, prefix);
1023 if (has_comma)
1024 seq_putc(m, '\"');
1025 seq_puts(m, opts->mnt_opts[i]);
1026 if (has_comma)
1027 seq_putc(m, '\"');
1028 }
1029}
1030
1031static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1032{
1033 struct security_mnt_opts opts;
1034 int rc;
1035
1036 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1037 if (rc) {
1038 /* before policy load we may get EINVAL, don't show anything */
1039 if (rc == -EINVAL)
1040 rc = 0;
2069f457 1041 return rc;
383795c2 1042 }
2069f457
EP		 1043
1044 selinux_write_opts(m, &opts);
1045
1046 security_free_mnt_opts(&opts);
1047
1048 return rc;
1049}
1050
1da177e4
LT		 1051static inline u16 inode_mode_to_security_class(umode_t mode)
1052{
1053 switch (mode & S_IFMT) {
1054 case S_IFSOCK:
1055 return SECCLASS_SOCK_FILE;
1056 case S_IFLNK:
1057 return SECCLASS_LNK_FILE;
1058 case S_IFREG:
1059 return SECCLASS_FILE;
1060 case S_IFBLK:
1061 return SECCLASS_BLK_FILE;
1062 case S_IFDIR:
1063 return SECCLASS_DIR;
1064 case S_IFCHR:
1065 return SECCLASS_CHR_FILE;
1066 case S_IFIFO:
1067 return SECCLASS_FIFO_FILE;
1068
1069 }
1070
1071 return SECCLASS_FILE;
1072}
1073
13402580
JM		 1074static inline int default_protocol_stream(int protocol)
1075{
1076 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1077}
1078
1079static inline int default_protocol_dgram(int protocol)
1080{
1081 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1082}
1083
1da177e4
LT		 1084static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1085{
1086 switch (family) {
1087 case PF_UNIX:
1088 switch (type) {
1089 case SOCK_STREAM:
1090 case SOCK_SEQPACKET:
1091 return SECCLASS_UNIX_STREAM_SOCKET;
1092 case SOCK_DGRAM:
1093 return SECCLASS_UNIX_DGRAM_SOCKET;
1094 }
1095 break;
1096 case PF_INET:
1097 case PF_INET6:
1098 switch (type) {
1099 case SOCK_STREAM:
13402580
JM		 1100 if (default_protocol_stream(protocol))
1101 return SECCLASS_TCP_SOCKET;
1102 else
1103 return SECCLASS_RAWIP_SOCKET;
1da177e4 1104 case SOCK_DGRAM:
13402580
JM		 1105 if (default_protocol_dgram(protocol))
1106 return SECCLASS_UDP_SOCKET;
1107 else
1108 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1109 case SOCK_DCCP:
1110 return SECCLASS_DCCP_SOCKET;
13402580 1111 default:
1da177e4
LT		 1112 return SECCLASS_RAWIP_SOCKET;
1113 }
1114 break;
1115 case PF_NETLINK:
1116 switch (protocol) {
1117 case NETLINK_ROUTE:
1118 return SECCLASS_NETLINK_ROUTE_SOCKET;
1119 case NETLINK_FIREWALL:
1120 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 1121 case NETLINK_INET_DIAG:
1da177e4
LT		 1122 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1123 case NETLINK_NFLOG:
1124 return SECCLASS_NETLINK_NFLOG_SOCKET;
1125 case NETLINK_XFRM:
1126 return SECCLASS_NETLINK_XFRM_SOCKET;
1127 case NETLINK_SELINUX:
1128 return SECCLASS_NETLINK_SELINUX_SOCKET;
1129 case NETLINK_AUDIT:
1130 return SECCLASS_NETLINK_AUDIT_SOCKET;
1131 case NETLINK_IP6_FW:
1132 return SECCLASS_NETLINK_IP6FW_SOCKET;
1133 case NETLINK_DNRTMSG:
1134 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1135 case NETLINK_KOBJECT_UEVENT:
1136 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1137 default:
1138 return SECCLASS_NETLINK_SOCKET;
1139 }
1140 case PF_PACKET:
1141 return SECCLASS_PACKET_SOCKET;
1142 case PF_KEY:
1143 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1144 case PF_APPLETALK:
1145 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1146 }
1147
1148 return SECCLASS_SOCKET;
1149}
1150
1151#ifdef CONFIG_PROC_FS
1152static int selinux_proc_get_sid(struct proc_dir_entry *de,
1153 u16 tclass,
1154 u32 *sid)
1155{
1156 int buflen, rc;
1157 char *buffer, *path, *end;
1158
828dfe1d 1159 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1160 if (!buffer)
1161 return -ENOMEM;
1162
1163 buflen = PAGE_SIZE;
1164 end = buffer+buflen;
1165 *--end = '\0';
1166 buflen--;
1167 path = end-1;
1168 *path = '/';
1169 while (de && de != de->parent) {
1170 buflen -= de->namelen + 1;
1171 if (buflen < 0)
1172 break;
1173 end -= de->namelen;
1174 memcpy(end, de->name, de->namelen);
1175 *--end = '/';
1176 path = end;
1177 de = de->parent;
1178 }
1179 rc = security_genfs_sid("proc", path, tclass, sid);
1180 free_page((unsigned long)buffer);
1181 return rc;
1182}
1183#else
1184static int selinux_proc_get_sid(struct proc_dir_entry *de,
1185 u16 tclass,
1186 u32 *sid)
1187{
1188 return -EINVAL;
1189}
1190#endif
1191
1192/* The inode's security attributes must be initialized before first use. */
1193static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1194{
1195 struct superblock_security_struct *sbsec = NULL;
1196 struct inode_security_struct *isec = inode->i_security;
1197 u32 sid;
1198 struct dentry *dentry;
1199#define INITCONTEXTLEN 255
1200 char *context = NULL;
1201 unsigned len = 0;
1202 int rc = 0;
1da177e4
LT		 1203
1204 if (isec->initialized)
1205 goto out;
1206
23970741 1207 mutex_lock(&isec->lock);
1da177e4 1208 if (isec->initialized)
23970741 1209 goto out_unlock;
1da177e4
LT		 1210
1211 sbsec = inode->i_sb->s_security;
0d90a7ec 1212 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1213 /* Defer initialization until selinux_complete_init,
1214 after the initial policy is loaded and the security
1215 server is ready to handle calls. */
1216 spin_lock(&sbsec->isec_lock);
1217 if (list_empty(&isec->list))
1218 list_add(&isec->list, &sbsec->isec_head);
1219 spin_unlock(&sbsec->isec_lock);
23970741 1220 goto out_unlock;
1da177e4
LT		 1221 }
1222
1223 switch (sbsec->behavior) {
1224 case SECURITY_FS_USE_XATTR:
1225 if (!inode->i_op->getxattr) {
1226 isec->sid = sbsec->def_sid;
1227 break;
1228 }
1229
1230 /* Need a dentry, since the xattr API requires one.
1231 Life would be simpler if we could just pass the inode. */
1232 if (opt_dentry) {
1233 /* Called from d_instantiate or d_splice_alias. */
1234 dentry = dget(opt_dentry);
1235 } else {
1236 /* Called from selinux_complete_init, try to find a dentry. */
1237 dentry = d_find_alias(inode);
1238 }
1239 if (!dentry) {
df7f54c0
EP		 1240 /*
1241 * this is can be hit on boot when a file is accessed
1242 * before the policy is loaded. When we load policy we
1243 * may find inodes that have no dentry on the
1244 * sbsec->isec_head list. No reason to complain as these
1245 * will get fixed up the next time we go through
1246 * inode_doinit with a dentry, before these inodes could
1247 * be used again by userspace.
1248 */
23970741 1249 goto out_unlock;
1da177e4
LT		 1250 }
1251
1252 len = INITCONTEXTLEN;
4cb912f1 1253 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1254 if (!context) {
1255 rc = -ENOMEM;
1256 dput(dentry);
23970741 1257 goto out_unlock;
1da177e4 1258 }
4cb912f1 1259 context[len] = '\0';
1da177e4
LT		 1260 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1261 context, len);
1262 if (rc == -ERANGE) {
314dabb8
JM		 1263 kfree(context);
1264
1da177e4
LT		 1265 /* Need a larger buffer. Query for the right size. */
1266 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1267 NULL, 0);
1268 if (rc < 0) {
1269 dput(dentry);
23970741 1270 goto out_unlock;
1da177e4 1271 }
1da177e4 1272 len = rc;
4cb912f1 1273 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1274 if (!context) {
1275 rc = -ENOMEM;
1276 dput(dentry);
23970741 1277 goto out_unlock;
1da177e4 1278 }
4cb912f1 1279 context[len] = '\0';
1da177e4
LT		 1280 rc = inode->i_op->getxattr(dentry,
1281 XATTR_NAME_SELINUX,
1282 context, len);
1283 }
1284 dput(dentry);
1285 if (rc < 0) {
1286 if (rc != -ENODATA) {
744ba35e 1287 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1288 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1289 -rc, inode->i_sb->s_id, inode->i_ino);
1290 kfree(context);
23970741 1291 goto out_unlock;
1da177e4
LT		 1292 }
1293 /* Map ENODATA to the default file SID */
1294 sid = sbsec->def_sid;
1295 rc = 0;
1296 } else {
f5c1d5b2 1297 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1298 sbsec->def_sid,
1299 GFP_NOFS);
1da177e4 1300 if (rc) {
4ba0a8ad
EP		 1301 char *dev = inode->i_sb->s_id;
1302 unsigned long ino = inode->i_ino;
1303
1304 if (rc == -EINVAL) {
1305 if (printk_ratelimit())
1306 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1307 "context=%s. This indicates you may need to relabel the inode or the "
1308 "filesystem in question.\n", ino, dev, context);
1309 } else {
1310 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1311 "returned %d for dev=%s ino=%ld\n",
1312 __func__, context, -rc, dev, ino);
1313 }
1da177e4
LT		 1314 kfree(context);
1315 /* Leave with the unlabeled SID */
1316 rc = 0;
1317 break;
1318 }
1319 }
1320 kfree(context);
1321 isec->sid = sid;
1322 break;
1323 case SECURITY_FS_USE_TASK:
1324 isec->sid = isec->task_sid;
1325 break;
1326 case SECURITY_FS_USE_TRANS:
1327 /* Default to the fs SID. */
1328 isec->sid = sbsec->sid;
1329
1330 /* Try to obtain a transition SID. */
1331 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1332 rc = security_transition_sid(isec->task_sid,
1333 sbsec->sid,
1334 isec->sclass,
1335 &sid);
1336 if (rc)
23970741 1337 goto out_unlock;
1da177e4
LT		 1338 isec->sid = sid;
1339 break;
c312feb2
EP		 1340 case SECURITY_FS_USE_MNTPOINT:
1341 isec->sid = sbsec->mntpoint_sid;
1342 break;
1da177e4 1343 default:
c312feb2 1344 /* Default to the fs superblock SID. */
1da177e4
LT		 1345 isec->sid = sbsec->sid;
1346
0d90a7ec 1347 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1da177e4
LT		 1348 struct proc_inode *proci = PROC_I(inode);
1349 if (proci->pde) {
1350 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1351 rc = selinux_proc_get_sid(proci->pde,
1352 isec->sclass,
1353 &sid);
1354 if (rc)
23970741 1355 goto out_unlock;
1da177e4
LT		 1356 isec->sid = sid;
1357 }
1358 }
1359 break;
1360 }
1361
1362 isec->initialized = 1;
1363
23970741
EP		 1364out_unlock:
1365 mutex_unlock(&isec->lock);
1da177e4
LT		 1366out:
1367 if (isec->sclass == SECCLASS_FILE)
1368 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1369 return rc;
1370}
1371
1372/* Convert a Linux signal to an access vector. */
1373static inline u32 signal_to_av(int sig)
1374{
1375 u32 perm = 0;
1376
1377 switch (sig) {
1378 case SIGCHLD:
1379 /* Commonly granted from child to parent. */
1380 perm = PROCESS__SIGCHLD;
1381 break;
1382 case SIGKILL:
1383 /* Cannot be caught or ignored */
1384 perm = PROCESS__SIGKILL;
1385 break;
1386 case SIGSTOP:
1387 /* Cannot be caught or ignored */
1388 perm = PROCESS__SIGSTOP;
1389 break;
1390 default:
1391 /* All other signals. */
1392 perm = PROCESS__SIGNAL;
1393 break;
1394 }
1395
1396 return perm;
1397}
1398
d84f4f99
DH		 1399/*
1400 * Check permission between a pair of credentials
1401 * fork check, ptrace check, etc.
1402 */
1403static int cred_has_perm(const struct cred *actor,
1404 const struct cred *target,
1405 u32 perms)
1406{
1407 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1408
1409 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1410}
1411
275bb41e 1412/*
88e67f3b 1413 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1414 * fork check, ptrace check, etc.
1415 * tsk1 is the actor and tsk2 is the target
3b11a1de 1416 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1417 */
1418static int task_has_perm(const struct task_struct *tsk1,
1419 const struct task_struct *tsk2,
1da177e4
LT		 1420 u32 perms)
1421{
275bb41e
DH		 1422 const struct task_security_struct *__tsec1, *__tsec2;
1423 u32 sid1, sid2;
1da177e4 1424
275bb41e
DH		 1425 rcu_read_lock();
1426 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1427 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1428 rcu_read_unlock();
1429 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1430}
1431
3b11a1de
DH		 1432/*
1433 * Check permission between current and another task, e.g. signal checks,
1434 * fork check, ptrace check, etc.
1435 * current is the actor and tsk2 is the target
1436 * - this uses current's subjective creds
1437 */
1438static int current_has_perm(const struct task_struct *tsk,
1439 u32 perms)
1440{
1441 u32 sid, tsid;
1442
1443 sid = current_sid();
1444 tsid = task_sid(tsk);
1445 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1446}
1447
b68e418c
SS		 1448#if CAP_LAST_CAP > 63
1449#error Fix SELinux to handle capabilities > 63.
1450#endif
1451
1da177e4
LT		 1452/* Check whether a task is allowed to use a capability. */
1453static int task_has_capability(struct task_struct *tsk,
3699c53c 1454 const struct cred *cred,
06112163 1455 int cap, int audit)
1da177e4 1456{
2bf49690 1457 struct common_audit_data ad;
06112163 1458 struct av_decision avd;
b68e418c 1459 u16 sclass;
3699c53c 1460 u32 sid = cred_sid(cred);
b68e418c 1461 u32 av = CAP_TO_MASK(cap);
06112163 1462 int rc;
1da177e4 1463
2bf49690 1464 COMMON_AUDIT_DATA_INIT(&ad, CAP);
1da177e4
LT		 1465 ad.tsk = tsk;
1466 ad.u.cap = cap;
1467
b68e418c
SS		 1468 switch (CAP_TO_INDEX(cap)) {
1469 case 0:
1470 sclass = SECCLASS_CAPABILITY;
1471 break;
1472 case 1:
1473 sclass = SECCLASS_CAPABILITY2;
1474 break;
1475 default:
1476 printk(KERN_ERR
1477 "SELinux: out of range capability %d\n", cap);
1478 BUG();
1479 }
06112163 1480
275bb41e 1481 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
06112163 1482 if (audit == SECURITY_CAP_AUDIT)
275bb41e 1483 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
06112163 1484 return rc;
1da177e4
LT		 1485}
1486
1487/* Check whether a task is allowed to use a system operation. */
1488static int task_has_system(struct task_struct *tsk,
1489 u32 perms)
1490{
275bb41e 1491 u32 sid = task_sid(tsk);
1da177e4 1492
275bb41e 1493 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1494 SECCLASS_SYSTEM, perms, NULL);
1495}
1496
1497/* Check whether a task has a particular permission to an inode.
1498 The 'adp' parameter is optional and allows other audit
1499 data to be passed (e.g. the dentry). */
88e67f3b 1500static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1501 struct inode *inode,
1502 u32 perms,
2bf49690 1503 struct common_audit_data *adp)
1da177e4 1504{
1da177e4 1505 struct inode_security_struct *isec;
2bf49690 1506 struct common_audit_data ad;
275bb41e 1507 u32 sid;
1da177e4 1508
e0e81739
DH		 1509 validate_creds(cred);
1510
828dfe1d 1511 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1512 return 0;
1513
88e67f3b 1514 sid = cred_sid(cred);
1da177e4
LT		 1515 isec = inode->i_security;
1516
1517 if (!adp) {
1518 adp = &ad;
2bf49690 1519 COMMON_AUDIT_DATA_INIT(&ad, FS);
1da177e4
LT		 1520 ad.u.fs.inode = inode;
1521 }
1522
275bb41e 1523 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1524}
1525
1526/* Same as inode_has_perm, but pass explicit audit data containing
1527 the dentry to help the auditing code to more easily generate the
1528 pathname if needed. */
88e67f3b 1529static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1530 struct vfsmount *mnt,
1531 struct dentry *dentry,
1532 u32 av)
1533{
1534 struct inode *inode = dentry->d_inode;
2bf49690 1535 struct common_audit_data ad;
88e67f3b 1536
2bf49690 1537 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf
JB		 1538 ad.u.fs.path.mnt = mnt;
1539 ad.u.fs.path.dentry = dentry;
88e67f3b 1540 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1541}
1542
1543/* Check whether a task can use an open file descriptor to
1544 access an inode in a given way. Check access to the
1545 descriptor itself, and then use dentry_has_perm to
1546 check a particular permission to the file.
1547 Access to the descriptor is implicitly granted if it
1548 has the same SID as the process. If av is zero, then
1549 access to the file is not checked, e.g. for cases
1550 where only the descriptor is affected like seek. */
88e67f3b
DH		 1551static int file_has_perm(const struct cred *cred,
1552 struct file *file,
1553 u32 av)
1da177e4 1554{
1da177e4 1555 struct file_security_struct *fsec = file->f_security;
44707fdf 1556 struct inode *inode = file->f_path.dentry->d_inode;
2bf49690 1557 struct common_audit_data ad;
88e67f3b 1558 u32 sid = cred_sid(cred);
1da177e4
LT		 1559 int rc;
1560
2bf49690 1561 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1562 ad.u.fs.path = file->f_path;
1da177e4 1563
275bb41e
DH		 1564 if (sid != fsec->sid) {
1565 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1566 SECCLASS_FD,
1567 FD__USE,
1568 &ad);
1569 if (rc)
88e67f3b 1570 goto out;
1da177e4
LT		 1571 }
1572
1573 /* av is zero if only checking access to the descriptor. */
88e67f3b 1574 rc = 0;
1da177e4 1575 if (av)
88e67f3b 1576 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1577
88e67f3b
DH		 1578out:
1579 return rc;
1da177e4
LT		 1580}
1581
1582/* Check whether a task can create a file. */
1583static int may_create(struct inode *dir,
1584 struct dentry *dentry,
1585 u16 tclass)
1586{
275bb41e
DH		 1587 const struct cred *cred = current_cred();
1588 const struct task_security_struct *tsec = cred->security;
1da177e4
LT		 1589 struct inode_security_struct *dsec;
1590 struct superblock_security_struct *sbsec;
275bb41e 1591 u32 sid, newsid;
2bf49690 1592 struct common_audit_data ad;
1da177e4
LT		 1593 int rc;
1594
1da177e4
LT		 1595 dsec = dir->i_security;
1596 sbsec = dir->i_sb->s_security;
1597
275bb41e
DH		 1598 sid = tsec->sid;
1599 newsid = tsec->create_sid;
1600
2bf49690 1601 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1602 ad.u.fs.path.dentry = dentry;
1da177e4 1603
275bb41e 1604 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1605 DIR__ADD_NAME | DIR__SEARCH,
1606 &ad);
1607 if (rc)
1608 return rc;
1609
cd89596f 1610 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
275bb41e 1611 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
1da177e4
LT		 1612 if (rc)
1613 return rc;
1614 }
1615
275bb41e 1616 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1617 if (rc)
1618 return rc;
1619
1620 return avc_has_perm(newsid, sbsec->sid,
1621 SECCLASS_FILESYSTEM,
1622 FILESYSTEM__ASSOCIATE, &ad);
1623}
1624
4eb582cf
ML		 1625/* Check whether a task can create a key. */
1626static int may_create_key(u32 ksid,
1627 struct task_struct *ctx)
1628{
275bb41e 1629 u32 sid = task_sid(ctx);
4eb582cf 1630
275bb41e 1631 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1632}
1633
828dfe1d
EP		 1634#define MAY_LINK 0
1635#define MAY_UNLINK 1
1636#define MAY_RMDIR 2
1da177e4
LT		 1637
1638/* Check whether a task can link, unlink, or rmdir a file/directory. */
1639static int may_link(struct inode *dir,
1640 struct dentry *dentry,
1641 int kind)
1642
1643{
1da177e4 1644 struct inode_security_struct *dsec, *isec;
2bf49690 1645 struct common_audit_data ad;
275bb41e 1646 u32 sid = current_sid();
1da177e4
LT		 1647 u32 av;
1648 int rc;
1649
1da177e4
LT		 1650 dsec = dir->i_security;
1651 isec = dentry->d_inode->i_security;
1652
2bf49690 1653 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1654 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1655
1656 av = DIR__SEARCH;
1657 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1658 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1659 if (rc)
1660 return rc;
1661
1662 switch (kind) {
1663 case MAY_LINK:
1664 av = FILE__LINK;
1665 break;
1666 case MAY_UNLINK:
1667 av = FILE__UNLINK;
1668 break;
1669 case MAY_RMDIR:
1670 av = DIR__RMDIR;
1671 break;
1672 default:
744ba35e
EP		 1673 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1674 __func__, kind);
1da177e4
LT		 1675 return 0;
1676 }
1677
275bb41e 1678 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1679 return rc;
1680}
1681
1682static inline int may_rename(struct inode *old_dir,
1683 struct dentry *old_dentry,
1684 struct inode *new_dir,
1685 struct dentry *new_dentry)
1686{
1da177e4 1687 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1688 struct common_audit_data ad;
275bb41e 1689 u32 sid = current_sid();
1da177e4
LT		 1690 u32 av;
1691 int old_is_dir, new_is_dir;
1692 int rc;
1693
1da177e4
LT		 1694 old_dsec = old_dir->i_security;
1695 old_isec = old_dentry->d_inode->i_security;
1696 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1697 new_dsec = new_dir->i_security;
1698
2bf49690 1699 COMMON_AUDIT_DATA_INIT(&ad, FS);
1da177e4 1700
44707fdf 1701 ad.u.fs.path.dentry = old_dentry;
275bb41e 1702 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1703 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1704 if (rc)
1705 return rc;
275bb41e 1706 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1707 old_isec->sclass, FILE__RENAME, &ad);
1708 if (rc)
1709 return rc;
1710 if (old_is_dir && new_dir != old_dir) {
275bb41e 1711 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1712 old_isec->sclass, DIR__REPARENT, &ad);
1713 if (rc)
1714 return rc;
1715 }
1716
44707fdf 1717 ad.u.fs.path.dentry = new_dentry;
1da177e4
LT		 1718 av = DIR__ADD_NAME | DIR__SEARCH;
1719 if (new_dentry->d_inode)
1720 av |= DIR__REMOVE_NAME;
275bb41e 1721 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1722 if (rc)
1723 return rc;
1724 if (new_dentry->d_inode) {
1725 new_isec = new_dentry->d_inode->i_security;
1726 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
275bb41e 1727 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1728 new_isec->sclass,
1729 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1730 if (rc)
1731 return rc;
1732 }
1733
1734 return 0;
1735}
1736
1737/* Check whether a task can perform a filesystem operation. */
88e67f3b 1738static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1739 struct super_block *sb,
1740 u32 perms,
2bf49690 1741 struct common_audit_data *ad)
1da177e4 1742{
1da177e4 1743 struct superblock_security_struct *sbsec;
88e67f3b 1744 u32 sid = cred_sid(cred);
1da177e4 1745
1da177e4 1746 sbsec = sb->s_security;
275bb41e 1747 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1748}
1749
1750/* Convert a Linux mode and permission mask to an access vector. */
1751static inline u32 file_mask_to_av(int mode, int mask)
1752{
1753 u32 av = 0;
1754
1755 if ((mode & S_IFMT) != S_IFDIR) {
1756 if (mask & MAY_EXEC)
1757 av |= FILE__EXECUTE;
1758 if (mask & MAY_READ)
1759 av |= FILE__READ;
1760
1761 if (mask & MAY_APPEND)
1762 av |= FILE__APPEND;
1763 else if (mask & MAY_WRITE)
1764 av |= FILE__WRITE;
1765
1766 } else {
1767 if (mask & MAY_EXEC)
1768 av |= DIR__SEARCH;
1769 if (mask & MAY_WRITE)
1770 av |= DIR__WRITE;
1771 if (mask & MAY_READ)
1772 av |= DIR__READ;
1773 }
1774
1775 return av;
1776}
1777
8b6a5a37
EP		 1778/* Convert a Linux file to an access vector. */
1779static inline u32 file_to_av(struct file *file)
1780{
1781 u32 av = 0;
1782
1783 if (file->f_mode & FMODE_READ)
1784 av |= FILE__READ;
1785 if (file->f_mode & FMODE_WRITE) {
1786 if (file->f_flags & O_APPEND)
1787 av |= FILE__APPEND;
1788 else
1789 av |= FILE__WRITE;
1790 }
1791 if (!av) {
1792 /*
1793 * Special file opened with flags 3 for ioctl-only use.
1794 */
1795 av = FILE__IOCTL;
1796 }
1797
1798 return av;
1799}
1800
b0c636b9 1801/*
8b6a5a37 1802 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 1803 * open permission.
1804 */
8b6a5a37 1805static inline u32 open_file_to_av(struct file *file)
b0c636b9 1806{
8b6a5a37 1807 u32 av = file_to_av(file);
b0c636b9
EP		 1808
1809 if (selinux_policycap_openperm) {
8b6a5a37 1810 mode_t mode = file->f_path.dentry->d_inode->i_mode;
b0c636b9
EP		 1811 /*
1812 * lnk files and socks do not really have an 'open'
1813 */
1814 if (S_ISREG(mode))
1815 av |= FILE__OPEN;
1816 else if (S_ISCHR(mode))
1817 av |= CHR_FILE__OPEN;
1818 else if (S_ISBLK(mode))
1819 av |= BLK_FILE__OPEN;
1820 else if (S_ISFIFO(mode))
1821 av |= FIFO_FILE__OPEN;
1822 else if (S_ISDIR(mode))
1823 av |= DIR__OPEN;
6a25b27d
EP		 1824 else if (S_ISSOCK(mode))
1825 av |= SOCK_FILE__OPEN;
b0c636b9 1826 else
744ba35e 1827 printk(KERN_ERR "SELinux: WARNING: inside %s with "
8b6a5a37 1828 "unknown mode:%o\n", __func__, mode);
b0c636b9
EP		 1829 }
1830 return av;
1831}
1832
1da177e4
LT		 1833/* Hook functions begin here. */
1834
9e48858f 1835static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 1836 unsigned int mode)
1da177e4 1837{
1da177e4
LT		 1838 int rc;
1839
9e48858f 1840 rc = cap_ptrace_access_check(child, mode);
1da177e4
LT		 1841 if (rc)
1842 return rc;
1843
006ebb40 1844 if (mode == PTRACE_MODE_READ) {
275bb41e
DH		 1845 u32 sid = current_sid();
1846 u32 csid = task_sid(child);
1847 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 1848 }
1849
3b11a1de 1850 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 1851}
1852
1853static int selinux_ptrace_traceme(struct task_struct *parent)
1854{
1855 int rc;
1856
200ac532 1857 rc = cap_ptrace_traceme(parent);
5cd9c58f
DH		 1858 if (rc)
1859 return rc;
1860
1861 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 1862}
1863
1864static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 1865 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4
LT		 1866{
1867 int error;
1868
3b11a1de 1869 error = current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 1870 if (error)
1871 return error;
1872
200ac532 1873 return cap_capget(target, effective, inheritable, permitted);
1da177e4
LT		 1874}
1875
d84f4f99
DH		 1876static int selinux_capset(struct cred *new, const struct cred *old,
1877 const kernel_cap_t *effective,
1878 const kernel_cap_t *inheritable,
1879 const kernel_cap_t *permitted)
1da177e4
LT		 1880{
1881 int error;
1882
200ac532 1883 error = cap_capset(new, old,
d84f4f99 1884 effective, inheritable, permitted);
1da177e4
LT		 1885 if (error)
1886 return error;
1887
d84f4f99 1888 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 1889}
1890
5626d3e8
JM		 1891/*
1892 * (This comment used to live with the selinux_task_setuid hook,
1893 * which was removed).
1894 *
1895 * Since setuid only affects the current process, and since the SELinux
1896 * controls are not based on the Linux identity attributes, SELinux does not
1897 * need to control this operation. However, SELinux does control the use of
1898 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1899 */
1900
3699c53c
DH		 1901static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1902 int cap, int audit)
1da177e4
LT		 1903{
1904 int rc;
1905
200ac532 1906 rc = cap_capable(tsk, cred, cap, audit);
1da177e4
LT		 1907 if (rc)
1908 return rc;
1909
3699c53c 1910 return task_has_capability(tsk, cred, cap, audit);
1da177e4
LT		 1911}
1912
3fbfa981
EB		 1913static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1914{
1915 int buflen, rc;
1916 char *buffer, *path, *end;
1917
1918 rc = -ENOMEM;
828dfe1d 1919 buffer = (char *)__get_free_page(GFP_KERNEL);
3fbfa981
EB		 1920 if (!buffer)
1921 goto out;
1922
1923 buflen = PAGE_SIZE;
1924 end = buffer+buflen;
1925 *--end = '\0';
1926 buflen--;
1927 path = end-1;
1928 *path = '/';
1929 while (table) {
1930 const char *name = table->procname;
1931 size_t namelen = strlen(name);
1932 buflen -= namelen + 1;
1933 if (buflen < 0)
1934 goto out_free;
1935 end -= namelen;
1936 memcpy(end, name, namelen);
1937 *--end = '/';
1938 path = end;
1939 table = table->parent;
1940 }
b599fdfd
EB		 1941 buflen -= 4;
1942 if (buflen < 0)
1943 goto out_free;
1944 end -= 4;
1945 memcpy(end, "/sys", 4);
1946 path = end;
3fbfa981
EB		 1947 rc = security_genfs_sid("proc", path, tclass, sid);
1948out_free:
1949 free_page((unsigned long)buffer);
1950out:
1951 return rc;
1952}
1953
1da177e4
LT		 1954static int selinux_sysctl(ctl_table *table, int op)
1955{
1956 int error = 0;
1957 u32 av;
275bb41e 1958 u32 tsid, sid;
1da177e4
LT		 1959 int rc;
1960
275bb41e 1961 sid = current_sid();
1da177e4 1962
3fbfa981
EB		 1963 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1964 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1da177e4
LT		 1965 if (rc) {
1966 /* Default to the well-defined sysctl SID. */
1967 tsid = SECINITSID_SYSCTL;
1968 }
1969
1970 /* The op values are "defined" in sysctl.c, thereby creating
1971 * a bad coupling between this module and sysctl.c */
828dfe1d 1972 if (op == 001) {
275bb41e 1973 error = avc_has_perm(sid, tsid,
1da177e4
LT		 1974 SECCLASS_DIR, DIR__SEARCH, NULL);
1975 } else {
1976 av = 0;
1977 if (op & 004)
1978 av |= FILE__READ;
1979 if (op & 002)
1980 av |= FILE__WRITE;
1981 if (av)
275bb41e 1982 error = avc_has_perm(sid, tsid,
1da177e4 1983 SECCLASS_FILE, av, NULL);
828dfe1d 1984 }
1da177e4
LT		 1985
1986 return error;
1987}
1988
1989static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1990{
88e67f3b 1991 const struct cred *cred = current_cred();
1da177e4
LT		 1992 int rc = 0;
1993
1994 if (!sb)
1995 return 0;
1996
1997 switch (cmds) {
828dfe1d
EP		 1998 case Q_SYNC:
1999 case Q_QUOTAON:
2000 case Q_QUOTAOFF:
2001 case Q_SETINFO:
2002 case Q_SETQUOTA:
88e67f3b 2003 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2004 break;
2005 case Q_GETFMT:
2006 case Q_GETINFO:
2007 case Q_GETQUOTA:
88e67f3b 2008 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2009 break;
2010 default:
2011 rc = 0; /* let the kernel handle invalid cmds */
2012 break;
1da177e4
LT		 2013 }
2014 return rc;
2015}
2016
2017static int selinux_quota_on(struct dentry *dentry)
2018{
88e67f3b
DH		 2019 const struct cred *cred = current_cred();
2020
2021 return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1da177e4
LT		 2022}
2023
00234592 2024static int selinux_syslog(int type, bool from_file)
1da177e4
LT		 2025{
2026 int rc;
2027
00234592 2028 rc = cap_syslog(type, from_file);
1da177e4
LT		 2029 if (rc)
2030 return rc;
2031
2032 switch (type) {
d78ca3cd
KC		 2033 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2034 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
828dfe1d
EP		 2035 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2036 break;
d78ca3cd
KC		 2037 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2038 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2039 /* Set level of messages printed to console */
2040 case SYSLOG_ACTION_CONSOLE_LEVEL:
828dfe1d
EP		 2041 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2042 break;
d78ca3cd
KC		 2043 case SYSLOG_ACTION_CLOSE: /* Close log */
2044 case SYSLOG_ACTION_OPEN: /* Open log */
2045 case SYSLOG_ACTION_READ: /* Read from log */
2046 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2047 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
828dfe1d
EP		 2048 default:
2049 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2050 break;
1da177e4
LT		 2051 }
2052 return rc;
2053}
2054
2055/*
2056 * Check that a process has enough memory to allocate a new virtual
2057 * mapping. 0 means there is enough memory for the allocation to
2058 * succeed and -ENOMEM implies there is not.
2059 *
1da177e4
LT		 2060 * Do not audit the selinux permission check, as this is applied to all
2061 * processes that allocate mappings.
2062 */
34b4e4aa 2063static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2064{
2065 int rc, cap_sys_admin = 0;
1da177e4 2066
3699c53c
DH		 2067 rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
2068 SECURITY_CAP_NOAUDIT);
1da177e4
LT		 2069 if (rc == 0)
2070 cap_sys_admin = 1;
2071
34b4e4aa 2072 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 2073}
2074
2075/* binprm security operations */
2076
a6f76f23 2077static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2078{
a6f76f23
DH		 2079 const struct task_security_struct *old_tsec;
2080 struct task_security_struct *new_tsec;
1da177e4 2081 struct inode_security_struct *isec;
2bf49690 2082 struct common_audit_data ad;
a6f76f23 2083 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1da177e4
LT		 2084 int rc;
2085
200ac532 2086 rc = cap_bprm_set_creds(bprm);
1da177e4
LT		 2087 if (rc)
2088 return rc;
2089
a6f76f23
DH		 2090 /* SELinux context only depends on initial program or script and not
2091 * the script interpreter */
2092 if (bprm->cred_prepared)
1da177e4
LT		 2093 return 0;
2094
a6f76f23
DH		 2095 old_tsec = current_security();
2096 new_tsec = bprm->cred->security;
1da177e4
LT		 2097 isec = inode->i_security;
2098
2099 /* Default to the current task SID. */
a6f76f23
DH		 2100 new_tsec->sid = old_tsec->sid;
2101 new_tsec->osid = old_tsec->sid;
1da177e4 2102
28eba5bf 2103 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2104 new_tsec->create_sid = 0;
2105 new_tsec->keycreate_sid = 0;
2106 new_tsec->sockcreate_sid = 0;
1da177e4 2107
a6f76f23
DH		 2108 if (old_tsec->exec_sid) {
2109 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2110 /* Reset exec SID on execve. */
a6f76f23 2111 new_tsec->exec_sid = 0;
1da177e4
LT		 2112 } else {
2113 /* Check for a default transition on this program. */
a6f76f23
DH		 2114 rc = security_transition_sid(old_tsec->sid, isec->sid,
2115 SECCLASS_PROCESS, &new_tsec->sid);
1da177e4
LT		 2116 if (rc)
2117 return rc;
2118 }
2119
2bf49690 2120 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2121 ad.u.fs.path = bprm->file->f_path;
1da177e4 2122
3d5ff529 2123 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
a6f76f23 2124 new_tsec->sid = old_tsec->sid;
1da177e4 2125
a6f76f23
DH		 2126 if (new_tsec->sid == old_tsec->sid) {
2127 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2128 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2129 if (rc)
2130 return rc;
2131 } else {
2132 /* Check permissions for the transition. */
a6f76f23 2133 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2134 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2135 if (rc)
2136 return rc;
2137
a6f76f23 2138 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2139 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2140 if (rc)
2141 return rc;
2142
a6f76f23
DH		 2143 /* Check for shared state */
2144 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2145 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2146 SECCLASS_PROCESS, PROCESS__SHARE,
2147 NULL);
2148 if (rc)
2149 return -EPERM;
2150 }
2151
2152 /* Make sure that anyone attempting to ptrace over a task that
2153 * changes its SID has the appropriate permit */
2154 if (bprm->unsafe &
2155 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2156 struct task_struct *tracer;
2157 struct task_security_struct *sec;
2158 u32 ptsid = 0;
2159
2160 rcu_read_lock();
2161 tracer = tracehook_tracer_task(current);
2162 if (likely(tracer != NULL)) {
2163 sec = __task_cred(tracer)->security;
2164 ptsid = sec->sid;
2165 }
2166 rcu_read_unlock();
2167
2168 if (ptsid != 0) {
2169 rc = avc_has_perm(ptsid, new_tsec->sid,
2170 SECCLASS_PROCESS,
2171 PROCESS__PTRACE, NULL);
2172 if (rc)
2173 return -EPERM;
2174 }
2175 }
1da177e4 2176
a6f76f23
DH		 2177 /* Clear any possibly unsafe personality bits on exec: */
2178 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2179 }
2180
1da177e4
LT		 2181 return 0;
2182}
2183
828dfe1d 2184static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2185{
275bb41e
DH		 2186 const struct cred *cred = current_cred();
2187 const struct task_security_struct *tsec = cred->security;
2188 u32 sid, osid;
1da177e4
LT		 2189 int atsecure = 0;
2190
275bb41e
DH		 2191 sid = tsec->sid;
2192 osid = tsec->osid;
2193
2194 if (osid != sid) {
1da177e4
LT		 2195 /* Enable secure mode for SIDs transitions unless
2196 the noatsecure permission is granted between
2197 the two SIDs, i.e. ahp returns 0. */
275bb41e 2198 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2199 SECCLASS_PROCESS,
2200 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2201 }
2202
200ac532 2203 return (atsecure || cap_bprm_secureexec(bprm));
1da177e4
LT		 2204}
2205
1da177e4
LT		 2206extern struct vfsmount *selinuxfs_mount;
2207extern struct dentry *selinux_null;
2208
2209/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2210static inline void flush_unauthorized_files(const struct cred *cred,
2211 struct files_struct *files)
1da177e4 2212{
2bf49690 2213 struct common_audit_data ad;
1da177e4 2214 struct file *file, *devnull = NULL;
b20c8122 2215 struct tty_struct *tty;
badf1662 2216 struct fdtable *fdt;
1da177e4 2217 long j = -1;
24ec839c 2218 int drop_tty = 0;
1da177e4 2219
24ec839c 2220 tty = get_current_tty();
1da177e4
LT		 2221 if (tty) {
2222 file_list_lock();
37dd0bd0
EP		 2223 if (!list_empty(&tty->tty_files)) {
2224 struct inode *inode;
2225
1da177e4
LT		 2226 /* Revalidate access to controlling tty.
2227 Use inode_has_perm on the tty inode directly rather
2228 than using file_has_perm, as this particular open
2229 file may belong to another process and we are only
2230 interested in the inode-based check here. */
37dd0bd0
EP		 2231 file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list);
2232 inode = file->f_path.dentry->d_inode;
88e67f3b 2233 if (inode_has_perm(cred, inode,
1da177e4 2234 FILE__READ | FILE__WRITE, NULL)) {
24ec839c 2235 drop_tty = 1;
1da177e4
LT		 2236 }
2237 }
2238 file_list_unlock();
452a00d2 2239 tty_kref_put(tty);
1da177e4 2240 }
98a27ba4
EB		 2241 /* Reset controlling tty. */
2242 if (drop_tty)
2243 no_tty();
1da177e4
LT		 2244
2245 /* Revalidate access to inherited open files. */
2246
2bf49690 2247 COMMON_AUDIT_DATA_INIT(&ad, FS);
1da177e4
LT		 2248
2249 spin_lock(&files->file_lock);
2250 for (;;) {
2251 unsigned long set, i;
2252 int fd;
2253
2254 j++;
2255 i = j * __NFDBITS;
badf1662 2256 fdt = files_fdtable(files);
bbea9f69 2257 if (i >= fdt->max_fds)
1da177e4 2258 break;
badf1662 2259 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 2260 if (!set)
2261 continue;
2262 spin_unlock(&files->file_lock);
828dfe1d 2263 for ( ; set ; i++, set >>= 1) {
1da177e4
LT		 2264 if (set & 1) {
2265 file = fget(i);
2266 if (!file)
2267 continue;
88e67f3b 2268 if (file_has_perm(cred,
1da177e4
LT		 2269 file,
2270 file_to_av(file))) {
2271 sys_close(i);
2272 fd = get_unused_fd();
2273 if (fd != i) {
2274 if (fd >= 0)
2275 put_unused_fd(fd);
2276 fput(file);
2277 continue;
2278 }
2279 if (devnull) {
095975da 2280 get_file(devnull);
1da177e4 2281 } else {
745ca247
DH		 2282 devnull = dentry_open(
2283 dget(selinux_null),
2284 mntget(selinuxfs_mount),
2285 O_RDWR, cred);
fc5d81e6
AM		 2286 if (IS_ERR(devnull)) {
2287 devnull = NULL;
1da177e4
LT		 2288 put_unused_fd(fd);
2289 fput(file);
2290 continue;
2291 }
2292 }
2293 fd_install(fd, devnull);
2294 }
2295 fput(file);
2296 }
2297 }
2298 spin_lock(&files->file_lock);
2299
2300 }
2301 spin_unlock(&files->file_lock);
2302}
2303
a6f76f23
DH		 2304/*
2305 * Prepare a process for imminent new credential changes due to exec
2306 */
2307static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2308{
a6f76f23
DH		 2309 struct task_security_struct *new_tsec;
2310 struct rlimit *rlim, *initrlim;
2311 int rc, i;
d84f4f99 2312
a6f76f23
DH		 2313 new_tsec = bprm->cred->security;
2314 if (new_tsec->sid == new_tsec->osid)
2315 return;
1da177e4 2316
a6f76f23
DH		 2317 /* Close files for which the new task SID is not authorized. */
2318 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2319
a6f76f23
DH		 2320 /* Always clear parent death signal on SID transitions. */
2321 current->pdeath_signal = 0;
0356357c 2322
a6f76f23
DH		 2323 /* Check whether the new SID can inherit resource limits from the old
2324 * SID. If not, reset all soft limits to the lower of the current
2325 * task's hard limit and the init task's soft limit.
2326 *
2327 * Note that the setting of hard limits (even to lower them) can be
2328 * controlled by the setrlimit check. The inclusion of the init task's
2329 * soft limit into the computation is to avoid resetting soft limits
2330 * higher than the default soft limit for cases where the default is
2331 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2332 */
2333 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2334 PROCESS__RLIMITINH, NULL);
2335 if (rc) {
eb2d55a3
ON		 2336 /* protect against do_prlimit() */
2337 task_lock(current);
a6f76f23
DH		 2338 for (i = 0; i < RLIM_NLIMITS; i++) {
2339 rlim = current->signal->rlim + i;
2340 initrlim = init_task.signal->rlim + i;
2341 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2342 }
eb2d55a3
ON		 2343 task_unlock(current);
2344 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2345 }
2346}
2347
2348/*
a6f76f23
DH		 2349 * Clean up the process immediately after the installation of new credentials
2350 * due to exec
1da177e4 2351 */
a6f76f23 2352static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2353{
a6f76f23 2354 const struct task_security_struct *tsec = current_security();
1da177e4 2355 struct itimerval itimer;
a6f76f23 2356 u32 osid, sid;
1da177e4
LT		 2357 int rc, i;
2358
a6f76f23
DH		 2359 osid = tsec->osid;
2360 sid = tsec->sid;
2361
2362 if (sid == osid)
1da177e4
LT		 2363 return;
2364
a6f76f23
DH		 2365 /* Check whether the new SID can inherit signal state from the old SID.
2366 * If not, clear itimers to avoid subsequent signal generation and
2367 * flush and unblock signals.
2368 *
2369 * This must occur _after_ the task SID has been updated so that any
2370 * kill done after the flush will be checked against the new SID.
2371 */
2372 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4
LT		 2373 if (rc) {
2374 memset(&itimer, 0, sizeof itimer);
2375 for (i = 0; i < 3; i++)
2376 do_setitimer(i, &itimer, NULL);
1da177e4 2377 spin_lock_irq(&current->sighand->siglock);
3bcac026
DH		 2378 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2379 __flush_signals(current);
2380 flush_signal_handlers(current, 1);
2381 sigemptyset(&current->blocked);
2382 }
1da177e4
LT		 2383 spin_unlock_irq(&current->sighand->siglock);
2384 }
2385
a6f76f23
DH		 2386 /* Wake up the parent if it is waiting so that it can recheck
2387 * wait permission to the new task SID. */
ecd6de3c 2388 read_lock(&tasklist_lock);
0b7570e7 2389 __wake_up_parent(current, current->real_parent);
ecd6de3c 2390 read_unlock(&tasklist_lock);
1da177e4
LT		 2391}
2392
2393/* superblock security operations */
2394
2395static int selinux_sb_alloc_security(struct super_block *sb)
2396{
2397 return superblock_alloc_security(sb);
2398}
2399
2400static void selinux_sb_free_security(struct super_block *sb)
2401{
2402 superblock_free_security(sb);
2403}
2404
2405static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2406{
2407 if (plen > olen)
2408 return 0;
2409
2410 return !memcmp(prefix, option, plen);
2411}
2412
2413static inline int selinux_option(char *option, int len)
2414{
832cbd9a
EP		 2415 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2416 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2417 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2418 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2419 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2420}
2421
2422static inline void take_option(char **to, char *from, int *first, int len)
2423{
2424 if (!*first) {
2425 **to = ',';
2426 *to += 1;
3528a953 2427 } else
1da177e4
LT		 2428 *first = 0;
2429 memcpy(*to, from, len);
2430 *to += len;
2431}
2432
828dfe1d
EP		 2433static inline void take_selinux_option(char **to, char *from, int *first,
2434 int len)
3528a953
CO		 2435{
2436 int current_size = 0;
2437
2438 if (!*first) {
2439 **to = '|';
2440 *to += 1;
828dfe1d 2441 } else
3528a953
CO		 2442 *first = 0;
2443
2444 while (current_size < len) {
2445 if (*from != '"') {
2446 **to = *from;
2447 *to += 1;
2448 }
2449 from += 1;
2450 current_size += 1;
2451 }
2452}
2453
e0007529 2454static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2455{
2456 int fnosec, fsec, rc = 0;
2457 char *in_save, *in_curr, *in_end;
2458 char *sec_curr, *nosec_save, *nosec;
3528a953 2459 int open_quote = 0;
1da177e4
LT		 2460
2461 in_curr = orig;
2462 sec_curr = copy;
2463
1da177e4
LT		 2464 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2465 if (!nosec) {
2466 rc = -ENOMEM;
2467 goto out;
2468 }
2469
2470 nosec_save = nosec;
2471 fnosec = fsec = 1;
2472 in_save = in_end = orig;
2473
2474 do {
3528a953
CO		 2475 if (*in_end == '"')
2476 open_quote = !open_quote;
2477 if ((*in_end == ',' && open_quote == 0) ||
2478 *in_end == '\0') {
1da177e4
LT		 2479 int len = in_end - in_curr;
2480
2481 if (selinux_option(in_curr, len))
3528a953 2482 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2483 else
2484 take_option(&nosec, in_curr, &fnosec, len);
2485
2486 in_curr = in_end + 1;
2487 }
2488 } while (*in_end++);
2489
6931dfc9 2490 strcpy(in_save, nosec_save);
da3caa20 2491 free_page((unsigned long)nosec_save);
1da177e4
LT		 2492out:
2493 return rc;
2494}
2495
12204e24 2496static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2497{
88e67f3b 2498 const struct cred *cred = current_cred();
2bf49690 2499 struct common_audit_data ad;
1da177e4
LT		 2500 int rc;
2501
2502 rc = superblock_doinit(sb, data);
2503 if (rc)
2504 return rc;
2505
74192246
JM		 2506 /* Allow all mounts performed by the kernel */
2507 if (flags & MS_KERNMOUNT)
2508 return 0;
2509
2bf49690 2510 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2511 ad.u.fs.path.dentry = sb->s_root;
88e67f3b 2512 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2513}
2514
726c3342 2515static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2516{
88e67f3b 2517 const struct cred *cred = current_cred();
2bf49690 2518 struct common_audit_data ad;
1da177e4 2519
2bf49690 2520 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2521 ad.u.fs.path.dentry = dentry->d_sb->s_root;
88e67f3b 2522 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2523}
2524
828dfe1d 2525static int selinux_mount(char *dev_name,
b5266eb4 2526 struct path *path,
828dfe1d
EP		 2527 char *type,
2528 unsigned long flags,
2529 void *data)
1da177e4 2530{
88e67f3b 2531 const struct cred *cred = current_cred();
1da177e4
LT		 2532
2533 if (flags & MS_REMOUNT)
88e67f3b 2534 return superblock_has_perm(cred, path->mnt->mnt_sb,
828dfe1d 2535 FILESYSTEM__REMOUNT, NULL);
1da177e4 2536 else
88e67f3b 2537 return dentry_has_perm(cred, path->mnt, path->dentry,
828dfe1d 2538 FILE__MOUNTON);
1da177e4
LT		 2539}
2540
2541static int selinux_umount(struct vfsmount *mnt, int flags)
2542{
88e67f3b 2543 const struct cred *cred = current_cred();
1da177e4 2544
88e67f3b 2545 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2546 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2547}
2548
2549/* inode security operations */
2550
2551static int selinux_inode_alloc_security(struct inode *inode)
2552{
2553 return inode_alloc_security(inode);
2554}
2555
2556static void selinux_inode_free_security(struct inode *inode)
2557{
2558 inode_free_security(inode);
2559}
2560
5e41ff9e
SS		 2561static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2562 char **name, void **value,
2563 size_t *len)
2564{
275bb41e
DH		 2565 const struct cred *cred = current_cred();
2566 const struct task_security_struct *tsec = cred->security;
5e41ff9e
SS		 2567 struct inode_security_struct *dsec;
2568 struct superblock_security_struct *sbsec;
275bb41e 2569 u32 sid, newsid, clen;
5e41ff9e 2570 int rc;
570bc1c2 2571 char *namep = NULL, *context;
5e41ff9e 2572
5e41ff9e
SS		 2573 dsec = dir->i_security;
2574 sbsec = dir->i_sb->s_security;
5e41ff9e 2575
275bb41e
DH		 2576 sid = tsec->sid;
2577 newsid = tsec->create_sid;
2578
cd89596f 2579 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
275bb41e 2580 rc = security_transition_sid(sid, dsec->sid,
5e41ff9e
SS		 2581 inode_mode_to_security_class(inode->i_mode),
2582 &newsid);
2583 if (rc) {
2584 printk(KERN_WARNING "%s: "
2585 "security_transition_sid failed, rc=%d (dev=%s "
2586 "ino=%ld)\n",
dd6f953a 2587 __func__,
5e41ff9e
SS		 2588 -rc, inode->i_sb->s_id, inode->i_ino);
2589 return rc;
2590 }
2591 }
2592
296fddf7 2593 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2594 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2595 struct inode_security_struct *isec = inode->i_security;
2596 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2597 isec->sid = newsid;
2598 isec->initialized = 1;
2599 }
5e41ff9e 2600
cd89596f 2601 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
25a74f3b
SS		 2602 return -EOPNOTSUPP;
2603
570bc1c2 2604 if (name) {
a02fe132 2605 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
570bc1c2
SS		 2606 if (!namep)
2607 return -ENOMEM;
2608 *name = namep;
2609 }
5e41ff9e 2610
570bc1c2 2611 if (value && len) {
12b29f34 2612 rc = security_sid_to_context_force(newsid, &context, &clen);
570bc1c2
SS		 2613 if (rc) {
2614 kfree(namep);
2615 return rc;
2616 }
2617 *value = context;
2618 *len = clen;
5e41ff9e 2619 }
5e41ff9e 2620
5e41ff9e
SS		 2621 return 0;
2622}
2623
1da177e4
LT		 2624static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2625{
2626 return may_create(dir, dentry, SECCLASS_FILE);
2627}
2628
1da177e4
LT		 2629static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2630{
1da177e4
LT		 2631 return may_link(dir, old_dentry, MAY_LINK);
2632}
2633
1da177e4
LT		 2634static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2635{
1da177e4
LT		 2636 return may_link(dir, dentry, MAY_UNLINK);
2637}
2638
2639static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2640{
2641 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2642}
2643
1da177e4
LT		 2644static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2645{
2646 return may_create(dir, dentry, SECCLASS_DIR);
2647}
2648
1da177e4
LT		 2649static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2650{
2651 return may_link(dir, dentry, MAY_RMDIR);
2652}
2653
2654static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2655{
1da177e4
LT		 2656 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2657}
2658
1da177e4 2659static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2660 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2661{
2662 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2663}
2664
1da177e4
LT		 2665static int selinux_inode_readlink(struct dentry *dentry)
2666{
88e67f3b
DH		 2667 const struct cred *cred = current_cred();
2668
2669 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
1da177e4
LT		 2670}
2671
2672static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2673{
88e67f3b 2674 const struct cred *cred = current_cred();
1da177e4 2675
88e67f3b 2676 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
1da177e4
LT		 2677}
2678
b77b0646 2679static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2680{
88e67f3b 2681 const struct cred *cred = current_cred();
1da177e4
LT		 2682
2683 if (!mask) {
2684 /* No permission to check. Existence test. */
2685 return 0;
2686 }
2687
88e67f3b 2688 return inode_has_perm(cred, inode,
8b6a5a37 2689 file_mask_to_av(inode->i_mode, mask), NULL);
1da177e4
LT		 2690}
2691
2692static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2693{
88e67f3b 2694 const struct cred *cred = current_cred();
bc6a6008 2695 unsigned int ia_valid = iattr->ia_valid;
1da177e4 2696
bc6a6008
AW		 2697 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2698 if (ia_valid & ATTR_FORCE) {
2699 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2700 ATTR_FORCE);
2701 if (!ia_valid)
2702 return 0;
2703 }
1da177e4 2704
bc6a6008
AW		 2705 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2706 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
88e67f3b 2707 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
1da177e4 2708
88e67f3b 2709 return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
1da177e4
LT		 2710}
2711
2712static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2713{
88e67f3b
DH		 2714 const struct cred *cred = current_cred();
2715
2716 return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
1da177e4
LT		 2717}
2718
8f0cfa52 2719static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 2720{
88e67f3b
DH		 2721 const struct cred *cred = current_cred();
2722
b5376771
SH		 2723 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2724 sizeof XATTR_SECURITY_PREFIX - 1)) {
2725 if (!strcmp(name, XATTR_NAME_CAPS)) {
2726 if (!capable(CAP_SETFCAP))
2727 return -EPERM;
2728 } else if (!capable(CAP_SYS_ADMIN)) {
2729 /* A different attribute in the security namespace.
2730 Restrict to administrator. */
2731 return -EPERM;
2732 }
2733 }
2734
2735 /* Not an attribute we recognize, so just check the
2736 ordinary setattr permission. */
88e67f3b 2737 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
b5376771
SH		 2738}
2739
8f0cfa52
DH		 2740static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2741 const void *value, size_t size, int flags)
1da177e4 2742{
1da177e4
LT		 2743 struct inode *inode = dentry->d_inode;
2744 struct inode_security_struct *isec = inode->i_security;
2745 struct superblock_security_struct *sbsec;
2bf49690 2746 struct common_audit_data ad;
275bb41e 2747 u32 newsid, sid = current_sid();
1da177e4
LT		 2748 int rc = 0;
2749
b5376771
SH		 2750 if (strcmp(name, XATTR_NAME_SELINUX))
2751 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2752
2753 sbsec = inode->i_sb->s_security;
cd89596f 2754 if (!(sbsec->flags & SE_SBLABELSUPP))
1da177e4
LT		 2755 return -EOPNOTSUPP;
2756
3bd858ab 2757 if (!is_owner_or_cap(inode))
1da177e4
LT		 2758 return -EPERM;
2759
2bf49690 2760 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2761 ad.u.fs.path.dentry = dentry;
1da177e4 2762
275bb41e 2763 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 2764 FILE__RELABELFROM, &ad);
2765 if (rc)
2766 return rc;
2767
2768 rc = security_context_to_sid(value, size, &newsid);
12b29f34
SS		 2769 if (rc == -EINVAL) {
2770 if (!capable(CAP_MAC_ADMIN))
2771 return rc;
2772 rc = security_context_to_sid_force(value, size, &newsid);
2773 }
1da177e4
LT		 2774 if (rc)
2775 return rc;
2776
275bb41e 2777 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 2778 FILE__RELABELTO, &ad);
2779 if (rc)
2780 return rc;
2781
275bb41e 2782 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 2783 isec->sclass);
1da177e4
LT		 2784 if (rc)
2785 return rc;
2786
2787 return avc_has_perm(newsid,
2788 sbsec->sid,
2789 SECCLASS_FILESYSTEM,
2790 FILESYSTEM__ASSOCIATE,
2791 &ad);
2792}
2793
8f0cfa52 2794static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 2795 const void *value, size_t size,
8f0cfa52 2796 int flags)
1da177e4
LT		 2797{
2798 struct inode *inode = dentry->d_inode;
2799 struct inode_security_struct *isec = inode->i_security;
2800 u32 newsid;
2801 int rc;
2802
2803 if (strcmp(name, XATTR_NAME_SELINUX)) {
2804 /* Not an attribute we recognize, so nothing to do. */
2805 return;
2806 }
2807
12b29f34 2808 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 2809 if (rc) {
12b29f34
SS		 2810 printk(KERN_ERR "SELinux: unable to map context to SID"
2811 "for (%s, %lu), rc=%d\n",
2812 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 2813 return;
2814 }
2815
2816 isec->sid = newsid;
2817 return;
2818}
2819
8f0cfa52 2820static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 2821{
88e67f3b
DH		 2822 const struct cred *cred = current_cred();
2823
2824 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
1da177e4
LT		 2825}
2826
828dfe1d 2827static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 2828{
88e67f3b
DH		 2829 const struct cred *cred = current_cred();
2830
2831 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
1da177e4
LT		 2832}
2833
8f0cfa52 2834static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 2835{
b5376771
SH		 2836 if (strcmp(name, XATTR_NAME_SELINUX))
2837 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2838
2839 /* No one is allowed to remove a SELinux security label.
2840 You can change the label, but all data must be labeled. */
2841 return -EACCES;
2842}
2843
d381d8a9 2844/*
abc69bb6 2845 * Copy the inode security context value to the user.
d381d8a9
JM		 2846 *
2847 * Permission check is handled by selinux_inode_getxattr hook.
2848 */
42492594 2849static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 2850{
42492594
DQ		 2851 u32 size;
2852 int error;
2853 char *context = NULL;
1da177e4 2854 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2855
8c8570fb
DK		 2856 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2857 return -EOPNOTSUPP;
d381d8a9 2858
abc69bb6
SS		 2859 /*
2860 * If the caller has CAP_MAC_ADMIN, then get the raw context
2861 * value even if it is not defined by current policy; otherwise,
2862 * use the in-core value under current policy.
2863 * Use the non-auditing forms of the permission checks since
2864 * getxattr may be called by unprivileged processes commonly
2865 * and lack of permission just means that we fall back to the
2866 * in-core context value, not a denial.
2867 */
3699c53c
DH		 2868 error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
2869 SECURITY_CAP_NOAUDIT);
abc69bb6
SS		 2870 if (!error)
2871 error = security_sid_to_context_force(isec->sid, &context,
2872 &size);
2873 else
2874 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 2875 if (error)
2876 return error;
2877 error = size;
2878 if (alloc) {
2879 *buffer = context;
2880 goto out_nofree;
2881 }
2882 kfree(context);
2883out_nofree:
2884 return error;
1da177e4
LT		 2885}
2886
2887static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 2888 const void *value, size_t size, int flags)
1da177e4
LT		 2889{
2890 struct inode_security_struct *isec = inode->i_security;
2891 u32 newsid;
2892 int rc;
2893
2894 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2895 return -EOPNOTSUPP;
2896
2897 if (!value || !size)
2898 return -EACCES;
2899
828dfe1d 2900 rc = security_context_to_sid((void *)value, size, &newsid);
1da177e4
LT		 2901 if (rc)
2902 return rc;
2903
2904 isec->sid = newsid;
ddd29ec6 2905 isec->initialized = 1;
1da177e4
LT		 2906 return 0;
2907}
2908
2909static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2910{
2911 const int len = sizeof(XATTR_NAME_SELINUX);
2912 if (buffer && len <= buffer_size)
2913 memcpy(buffer, XATTR_NAME_SELINUX, len);
2914 return len;
2915}
2916
713a04ae
AD		 2917static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2918{
2919 struct inode_security_struct *isec = inode->i_security;
2920 *secid = isec->sid;
2921}
2922
1da177e4
LT		 2923/* file security operations */
2924
788e7dd4 2925static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 2926{
88e67f3b 2927 const struct cred *cred = current_cred();
3d5ff529 2928 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4 2929
1da177e4
LT		 2930 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2931 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2932 mask |= MAY_APPEND;
2933
389fb800
PM		 2934 return file_has_perm(cred, file,
2935 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 2936}
2937
788e7dd4
YN		 2938static int selinux_file_permission(struct file *file, int mask)
2939{
20dda18b
SS		 2940 struct inode *inode = file->f_path.dentry->d_inode;
2941 struct file_security_struct *fsec = file->f_security;
2942 struct inode_security_struct *isec = inode->i_security;
2943 u32 sid = current_sid();
2944
389fb800 2945 if (!mask)
788e7dd4
YN		 2946 /* No permission to check. Existence test. */
2947 return 0;
788e7dd4 2948
20dda18b
SS		 2949 if (sid == fsec->sid && fsec->isid == isec->sid &&
2950 fsec->pseqno == avc_policy_seqno())
2951 /* No change since dentry_open check. */
2952 return 0;
2953
788e7dd4
YN		 2954 return selinux_revalidate_file_permission(file, mask);
2955}
2956
1da177e4
LT		 2957static int selinux_file_alloc_security(struct file *file)
2958{
2959 return file_alloc_security(file);
2960}
2961
2962static void selinux_file_free_security(struct file *file)
2963{
2964 file_free_security(file);
2965}
2966
2967static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2968 unsigned long arg)
2969{
88e67f3b 2970 const struct cred *cred = current_cred();
242631c4 2971 u32 av = 0;
1da177e4 2972
242631c4
SS		 2973 if (_IOC_DIR(cmd) & _IOC_WRITE)
2974 av |= FILE__WRITE;
2975 if (_IOC_DIR(cmd) & _IOC_READ)
2976 av |= FILE__READ;
2977 if (!av)
2978 av = FILE__IOCTL;
1da177e4 2979
88e67f3b 2980 return file_has_perm(cred, file, av);
1da177e4
LT		 2981}
2982
fcaaade1
SS		 2983static int default_noexec;
2984
1da177e4
LT		 2985static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2986{
88e67f3b 2987 const struct cred *cred = current_cred();
d84f4f99 2988 int rc = 0;
88e67f3b 2989
fcaaade1
SS		 2990 if (default_noexec &&
2991 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 2992 /*
2993 * We are making executable an anonymous mapping or a
2994 * private file mapping that will also be writable.
2995 * This has an additional check.
2996 */
d84f4f99 2997 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 2998 if (rc)
d84f4f99 2999 goto error;
1da177e4 3000 }
1da177e4
LT		 3001
3002 if (file) {
3003 /* read access is always possible with a mapping */
3004 u32 av = FILE__READ;
3005
3006 /* write access only matters if the mapping is shared */
3007 if (shared && (prot & PROT_WRITE))
3008 av |= FILE__WRITE;
3009
3010 if (prot & PROT_EXEC)
3011 av |= FILE__EXECUTE;
3012
88e67f3b 3013 return file_has_perm(cred, file, av);
1da177e4 3014 }
d84f4f99
DH		 3015
3016error:
3017 return rc;
1da177e4
LT		 3018}
3019
3020static int selinux_file_mmap(struct file *file, unsigned long reqprot,
ed032189
EP		 3021 unsigned long prot, unsigned long flags,
3022 unsigned long addr, unsigned long addr_only)
1da177e4 3023{
ed032189 3024 int rc = 0;
275bb41e 3025 u32 sid = current_sid();
1da177e4 3026
84336d1a
EP		 3027 /*
3028 * notice that we are intentionally putting the SELinux check before
3029 * the secondary cap_file_mmap check. This is such a likely attempt
3030 * at bad behaviour/exploit that we always want to get the AVC, even
3031 * if DAC would have also denied the operation.
3032 */
a2551df7 3033 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
ed032189
EP		 3034 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3035 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3036 if (rc)
3037 return rc;
3038 }
3039
3040 /* do DAC check on address space usage */
3041 rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
ed032189 3042 if (rc || addr_only)
1da177e4
LT		 3043 return rc;
3044
3045 if (selinux_checkreqprot)
3046 prot = reqprot;
3047
3048 return file_map_prot_check(file, prot,
3049 (flags & MAP_TYPE) == MAP_SHARED);
3050}
3051
3052static int selinux_file_mprotect(struct vm_area_struct *vma,
3053 unsigned long reqprot,
3054 unsigned long prot)
3055{
88e67f3b 3056 const struct cred *cred = current_cred();
1da177e4
LT		 3057
3058 if (selinux_checkreqprot)
3059 prot = reqprot;
3060
fcaaade1
SS		 3061 if (default_noexec &&
3062 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3063 int rc = 0;
db4c9641
SS		 3064 if (vma->vm_start >= vma->vm_mm->start_brk &&
3065 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3066 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641
SS		 3067 } else if (!vma->vm_file &&
3068 vma->vm_start <= vma->vm_mm->start_stack &&
3069 vma->vm_end >= vma->vm_mm->start_stack) {
3b11a1de 3070 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3071 } else if (vma->vm_file && vma->anon_vma) {
3072 /*
3073 * We are making executable a file mapping that has
3074 * had some COW done. Since pages might have been
3075 * written, check ability to execute the possibly
3076 * modified content. This typically should only
3077 * occur for text relocations.
3078 */
d84f4f99 3079 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3080 }