projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/djbw/async_tx
[deliverable/linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
effad8df 16 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
828dfe1d 17 * Paul Moore <paul.moore@hp.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4
LT		 26#include <linux/init.h>
27#include <linux/kernel.h>
0d094efe 28#include <linux/tracehook.h>
1da177e4
LT		 29#include <linux/errno.h>
30#include <linux/sched.h>
31#include <linux/security.h>
32#include <linux/xattr.h>
33#include <linux/capability.h>
34#include <linux/unistd.h>
35#include <linux/mm.h>
36#include <linux/mman.h>
37#include <linux/slab.h>
38#include <linux/pagemap.h>
39#include <linux/swap.h>
1da177e4
LT		 40#include <linux/spinlock.h>
41#include <linux/syscalls.h>
42#include <linux/file.h>
9f3acc31 43#include <linux/fdtable.h>
1da177e4
LT		 44#include <linux/namei.h>
45#include <linux/mount.h>
1da177e4 46#include <linux/proc_fs.h>
1da177e4
LT		 47#include <linux/netfilter_ipv4.h>
48#include <linux/netfilter_ipv6.h>
49#include <linux/tty.h>
50#include <net/icmp.h>
227b60f5 51#include <net/ip.h> /* for local_port_range[] */
1da177e4 52#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
220deb96 53#include <net/net_namespace.h>
d621d35e 54#include <net/netlabel.h>
f5269710 55#include <linux/uaccess.h>
1da177e4 56#include <asm/ioctls.h>
d621d35e 57#include <asm/atomic.h>
1da177e4
LT		 58#include <linux/bitops.h>
59#include <linux/interrupt.h>
60#include <linux/netdevice.h> /* for network interface checks */
61#include <linux/netlink.h>
62#include <linux/tcp.h>
63#include <linux/udp.h>
2ee92d46 64#include <linux/dccp.h>
1da177e4
LT		 65#include <linux/quota.h>
66#include <linux/un.h> /* for Unix socket types */
67#include <net/af_unix.h> /* for Unix socket types */
68#include <linux/parser.h>
69#include <linux/nfs_mount.h>
70#include <net/ipv6.h>
71#include <linux/hugetlb.h>
72#include <linux/personality.h>
73#include <linux/sysctl.h>
74#include <linux/audit.h>
6931dfc9 75#include <linux/string.h>
877ce7c1 76#include <linux/selinux.h>
23970741 77#include <linux/mutex.h>
f06febc9 78#include <linux/posix-timers.h>
1da177e4
LT		 79
80#include "avc.h"
81#include "objsec.h"
82#include "netif.h"
224dfbd8 83#include "netnode.h"
3e112172 84#include "netport.h"
d28d1e08 85#include "xfrm.h"
c60475bf 86#include "netlabel.h"
9d57a7f9 87#include "audit.h"
1da177e4
LT		 88
89#define XATTR_SELINUX_SUFFIX "selinux"
90#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
91
c9180a57
EP		 92#define NUM_SEL_MNT_OPTS 4
93
1da177e4
LT		 94extern unsigned int policydb_loaded_version;
95extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
4e5ab4cb 96extern int selinux_compat_net;
20510f2f 97extern struct security_operations *security_ops;
1da177e4 98
d621d35e
PM		 99/* SECMARK reference count */
100atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
101
1da177e4 102#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 103int selinux_enforcing;
1da177e4
LT		 104
105static int __init enforcing_setup(char *str)
106{
f5269710
EP		 107 unsigned long enforcing;
108 if (!strict_strtoul(str, 0, &enforcing))
109 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 110 return 1;
111}
112__setup("enforcing=", enforcing_setup);
113#endif
114
115#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
116int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
117
118static int __init selinux_enabled_setup(char *str)
119{
f5269710
EP		 120 unsigned long enabled;
121 if (!strict_strtoul(str, 0, &enabled))
122 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 123 return 1;
124}
125__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 126#else
127int selinux_enabled = 1;
1da177e4
LT		 128#endif
129
1da177e4 130
6f0f0fd4
JM		 131/*
132 * Minimal support for a secondary security module,
133 * just to allow the use of the capability module.
134 */
828dfe1d 135static struct security_operations *secondary_ops;
1da177e4
LT		 136
137/* Lists of inode and superblock security structures initialized
138 before the policy was loaded. */
139static LIST_HEAD(superblock_security_head);
140static DEFINE_SPINLOCK(sb_security_lock);
141
e18b890b 142static struct kmem_cache *sel_inode_cache;
7cae7e26 143
d621d35e
PM		 144/**
145 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
146 *
147 * Description:
148 * This function checks the SECMARK reference counter to see if any SECMARK
149 * targets are currently configured, if the reference counter is greater than
150 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
151 * enabled, false (0) if SECMARK is disabled.
152 *
153 */
154static int selinux_secmark_enabled(void)
155{
156 return (atomic_read(&selinux_secmark_refcount) > 0);
157}
158
d84f4f99
DH		 159/*
160 * initialise the security for the init task
161 */
162static void cred_init_security(void)
1da177e4 163{
3b11a1de 164 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 165 struct task_security_struct *tsec;
166
89d155ef 167 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 168 if (!tsec)
d84f4f99 169 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 170
d84f4f99 171 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 172 cred->security = tsec;
1da177e4
LT		 173}
174
88e67f3b
DH		 175/*
176 * get the security ID of a set of credentials
177 */
178static inline u32 cred_sid(const struct cred *cred)
179{
180 const struct task_security_struct *tsec;
181
182 tsec = cred->security;
183 return tsec->sid;
184}
185
275bb41e 186/*
3b11a1de 187 * get the objective security ID of a task
275bb41e
DH		 188 */
189static inline u32 task_sid(const struct task_struct *task)
190{
275bb41e
DH		 191 u32 sid;
192
193 rcu_read_lock();
88e67f3b 194 sid = cred_sid(__task_cred(task));
275bb41e
DH		 195 rcu_read_unlock();
196 return sid;
197}
198
199/*
3b11a1de 200 * get the subjective security ID of the current task
275bb41e
DH		 201 */
202static inline u32 current_sid(void)
203{
204 const struct task_security_struct *tsec = current_cred()->security;
205
206 return tsec->sid;
207}
208
88e67f3b
DH		 209/* Allocate and free functions for each kind of security blob. */
210
1da177e4
LT		 211static int inode_alloc_security(struct inode *inode)
212{
1da177e4 213 struct inode_security_struct *isec;
275bb41e 214 u32 sid = current_sid();
1da177e4 215
a02fe132 216 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 217 if (!isec)
218 return -ENOMEM;
219
23970741 220 mutex_init(&isec->lock);
1da177e4 221 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 222 isec->inode = inode;
223 isec->sid = SECINITSID_UNLABELED;
224 isec->sclass = SECCLASS_FILE;
275bb41e 225 isec->task_sid = sid;
1da177e4
LT		 226 inode->i_security = isec;
227
228 return 0;
229}
230
231static void inode_free_security(struct inode *inode)
232{
233 struct inode_security_struct *isec = inode->i_security;
234 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
235
1da177e4
LT		 236 spin_lock(&sbsec->isec_lock);
237 if (!list_empty(&isec->list))
238 list_del_init(&isec->list);
239 spin_unlock(&sbsec->isec_lock);
240
241 inode->i_security = NULL;
7cae7e26 242 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 243}
244
245static int file_alloc_security(struct file *file)
246{
1da177e4 247 struct file_security_struct *fsec;
275bb41e 248 u32 sid = current_sid();
1da177e4 249
26d2a4be 250 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 251 if (!fsec)
252 return -ENOMEM;
253
275bb41e
DH		 254 fsec->sid = sid;
255 fsec->fown_sid = sid;
1da177e4
LT		 256 file->f_security = fsec;
257
258 return 0;
259}
260
261static void file_free_security(struct file *file)
262{
263 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 264 file->f_security = NULL;
265 kfree(fsec);
266}
267
268static int superblock_alloc_security(struct super_block *sb)
269{
270 struct superblock_security_struct *sbsec;
271
89d155ef 272 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 273 if (!sbsec)
274 return -ENOMEM;
275
bc7e982b 276 mutex_init(&sbsec->lock);
1da177e4
LT		 277 INIT_LIST_HEAD(&sbsec->list);
278 INIT_LIST_HEAD(&sbsec->isec_head);
279 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 280 sbsec->sb = sb;
281 sbsec->sid = SECINITSID_UNLABELED;
282 sbsec->def_sid = SECINITSID_FILE;
c312feb2 283 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 284 sb->s_security = sbsec;
285
286 return 0;
287}
288
289static void superblock_free_security(struct super_block *sb)
290{
291 struct superblock_security_struct *sbsec = sb->s_security;
292
1da177e4
LT		 293 spin_lock(&sb_security_lock);
294 if (!list_empty(&sbsec->list))
295 list_del_init(&sbsec->list);
296 spin_unlock(&sb_security_lock);
297
298 sb->s_security = NULL;
299 kfree(sbsec);
300}
301
7d877f3b 302static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4
LT		 303{
304 struct sk_security_struct *ssec;
305
89d155ef 306 ssec = kzalloc(sizeof(*ssec), priority);
1da177e4
LT		 307 if (!ssec)
308 return -ENOMEM;
309
1da177e4 310 ssec->peer_sid = SECINITSID_UNLABELED;
892c141e 311 ssec->sid = SECINITSID_UNLABELED;
1da177e4
LT		 312 sk->sk_security = ssec;
313
f74af6e8 314 selinux_netlbl_sk_security_reset(ssec, family);
99f59ed0 315
1da177e4
LT		 316 return 0;
317}
318
319static void sk_free_security(struct sock *sk)
320{
321 struct sk_security_struct *ssec = sk->sk_security;
322
1da177e4 323 sk->sk_security = NULL;
6c5b3fc0 324 selinux_netlbl_sk_security_free(ssec);
1da177e4
LT		 325 kfree(ssec);
326}
1da177e4
LT		 327
328/* The security server must be initialized before
329 any labeling or access decisions can be provided. */
330extern int ss_initialized;
331
332/* The file system's label must be initialized prior to use. */
333
334static char *labeling_behaviors[6] = {
335 "uses xattr",
336 "uses transition SIDs",
337 "uses task SIDs",
338 "uses genfs_contexts",
339 "not configured for labeling",
340 "uses mountpoint labeling",
341};
342
343static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
344
345static inline int inode_doinit(struct inode *inode)
346{
347 return inode_doinit_with_dentry(inode, NULL);
348}
349
350enum {
31e87930 351 Opt_error = -1,
1da177e4
LT		 352 Opt_context = 1,
353 Opt_fscontext = 2,
c9180a57
EP		 354 Opt_defcontext = 3,
355 Opt_rootcontext = 4,
1da177e4
LT		 356};
357
a447c093 358static const match_table_t tokens = {
832cbd9a
EP		 359 {Opt_context, CONTEXT_STR "%s"},
360 {Opt_fscontext, FSCONTEXT_STR "%s"},
361 {Opt_defcontext, DEFCONTEXT_STR "%s"},
362 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
31e87930 363 {Opt_error, NULL},
1da177e4
LT		 364};
365
366#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
367
c312feb2
EP		 368static int may_context_mount_sb_relabel(u32 sid,
369 struct superblock_security_struct *sbsec,
275bb41e 370 const struct cred *cred)
c312feb2 371{
275bb41e 372 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 373 int rc;
374
375 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
376 FILESYSTEM__RELABELFROM, NULL);
377 if (rc)
378 return rc;
379
380 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
381 FILESYSTEM__RELABELTO, NULL);
382 return rc;
383}
384
0808925e
EP		 385static int may_context_mount_inode_relabel(u32 sid,
386 struct superblock_security_struct *sbsec,
275bb41e 387 const struct cred *cred)
0808925e 388{
275bb41e 389 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 390 int rc;
391 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
392 FILESYSTEM__RELABELFROM, NULL);
393 if (rc)
394 return rc;
395
396 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
397 FILESYSTEM__ASSOCIATE, NULL);
398 return rc;
399}
400
c9180a57 401static int sb_finish_set_opts(struct super_block *sb)
1da177e4 402{
1da177e4 403 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 404 struct dentry *root = sb->s_root;
405 struct inode *root_inode = root->d_inode;
406 int rc = 0;
1da177e4 407
c9180a57
EP		 408 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
409 /* Make sure that the xattr handler exists and that no
410 error other than -ENODATA is returned by getxattr on
411 the root directory. -ENODATA is ok, as this may be
412 the first boot of the SELinux kernel before we have
413 assigned xattr values to the filesystem. */
414 if (!root_inode->i_op->getxattr) {
415 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
416 "xattr support\n", sb->s_id, sb->s_type->name);
417 rc = -EOPNOTSUPP;
418 goto out;
419 }
420 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
421 if (rc < 0 && rc != -ENODATA) {
422 if (rc == -EOPNOTSUPP)
423 printk(KERN_WARNING "SELinux: (dev %s, type "
424 "%s) has no security xattr handler\n",
425 sb->s_id, sb->s_type->name);
426 else
427 printk(KERN_WARNING "SELinux: (dev %s, type "
428 "%s) getxattr errno %d\n", sb->s_id,
429 sb->s_type->name, -rc);
430 goto out;
431 }
432 }
1da177e4 433
c9180a57 434 sbsec->initialized = 1;
1da177e4 435
c9180a57
EP		 436 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
437 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
438 sb->s_id, sb->s_type->name);
439 else
440 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
441 sb->s_id, sb->s_type->name,
442 labeling_behaviors[sbsec->behavior-1]);
1da177e4 443
c9180a57
EP		 444 /* Initialize the root inode. */
445 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 446
c9180a57
EP		 447 /* Initialize any other inodes associated with the superblock, e.g.
448 inodes created prior to initial policy load or inodes created
449 during get_sb by a pseudo filesystem that directly
450 populates itself. */
451 spin_lock(&sbsec->isec_lock);
452next_inode:
453 if (!list_empty(&sbsec->isec_head)) {
454 struct inode_security_struct *isec =
455 list_entry(sbsec->isec_head.next,
456 struct inode_security_struct, list);
457 struct inode *inode = isec->inode;
458 spin_unlock(&sbsec->isec_lock);
459 inode = igrab(inode);
460 if (inode) {
461 if (!IS_PRIVATE(inode))
462 inode_doinit(inode);
463 iput(inode);
464 }
465 spin_lock(&sbsec->isec_lock);
466 list_del_init(&isec->list);
467 goto next_inode;
468 }
469 spin_unlock(&sbsec->isec_lock);
470out:
471 return rc;
472}
1da177e4 473
c9180a57
EP		 474/*
475 * This function should allow an FS to ask what it's mount security
476 * options were so it can use those later for submounts, displaying
477 * mount options, or whatever.
478 */
479static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 480 struct security_mnt_opts *opts)
c9180a57
EP		 481{
482 int rc = 0, i;
483 struct superblock_security_struct *sbsec = sb->s_security;
484 char *context = NULL;
485 u32 len;
486 char tmp;
1da177e4 487
e0007529 488 security_init_mnt_opts(opts);
1da177e4 489
c9180a57
EP		 490 if (!sbsec->initialized)
491 return -EINVAL;
1da177e4 492
c9180a57
EP		 493 if (!ss_initialized)
494 return -EINVAL;
1da177e4 495
c9180a57
EP		 496 /*
497 * if we ever use sbsec flags for anything other than tracking mount
498 * settings this is going to need a mask
499 */
500 tmp = sbsec->flags;
501 /* count the number of mount options for this sb */
502 for (i = 0; i < 8; i++) {
503 if (tmp & 0x01)
e0007529 504 opts->num_mnt_opts++;
c9180a57
EP		 505 tmp >>= 1;
506 }
1da177e4 507
e0007529
EP		 508 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
509 if (!opts->mnt_opts) {
c9180a57
EP		 510 rc = -ENOMEM;
511 goto out_free;
512 }
1da177e4 513
e0007529
EP		 514 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
515 if (!opts->mnt_opts_flags) {
c9180a57
EP		 516 rc = -ENOMEM;
517 goto out_free;
518 }
1da177e4 519
c9180a57
EP		 520 i = 0;
521 if (sbsec->flags & FSCONTEXT_MNT) {
522 rc = security_sid_to_context(sbsec->sid, &context, &len);
523 if (rc)
524 goto out_free;
e0007529
EP		 525 opts->mnt_opts[i] = context;
526 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 527 }
528 if (sbsec->flags & CONTEXT_MNT) {
529 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
530 if (rc)
531 goto out_free;
e0007529
EP		 532 opts->mnt_opts[i] = context;
533 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 534 }
535 if (sbsec->flags & DEFCONTEXT_MNT) {
536 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
537 if (rc)
538 goto out_free;
e0007529
EP		 539 opts->mnt_opts[i] = context;
540 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 541 }
542 if (sbsec->flags & ROOTCONTEXT_MNT) {
543 struct inode *root = sbsec->sb->s_root->d_inode;
544 struct inode_security_struct *isec = root->i_security;
0808925e 545
c9180a57
EP		 546 rc = security_sid_to_context(isec->sid, &context, &len);
547 if (rc)
548 goto out_free;
e0007529
EP		 549 opts->mnt_opts[i] = context;
550 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 551 }
1da177e4 552
e0007529 553 BUG_ON(i != opts->num_mnt_opts);
1da177e4 554
c9180a57
EP		 555 return 0;
556
557out_free:
e0007529 558 security_free_mnt_opts(opts);
c9180a57
EP		 559 return rc;
560}
1da177e4 561
c9180a57
EP		 562static int bad_option(struct superblock_security_struct *sbsec, char flag,
563 u32 old_sid, u32 new_sid)
564{
565 /* check if the old mount command had the same options */
566 if (sbsec->initialized)
567 if (!(sbsec->flags & flag) ||
568 (old_sid != new_sid))
569 return 1;
570
571 /* check if we were passed the same options twice,
572 * aka someone passed context=a,context=b
573 */
574 if (!sbsec->initialized)
575 if (sbsec->flags & flag)
576 return 1;
577 return 0;
578}
e0007529 579
c9180a57
EP		 580/*
581 * Allow filesystems with binary mount data to explicitly set mount point
582 * labeling information.
583 */
e0007529
EP		 584static int selinux_set_mnt_opts(struct super_block *sb,
585 struct security_mnt_opts *opts)
c9180a57 586{
275bb41e 587 const struct cred *cred = current_cred();
c9180a57 588 int rc = 0, i;
c9180a57
EP		 589 struct superblock_security_struct *sbsec = sb->s_security;
590 const char *name = sb->s_type->name;
089be43e
JM		 591 struct inode *inode = sbsec->sb->s_root->d_inode;
592 struct inode_security_struct *root_isec = inode->i_security;
c9180a57
EP		 593 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
594 u32 defcontext_sid = 0;
e0007529
EP		 595 char **mount_options = opts->mnt_opts;
596 int *flags = opts->mnt_opts_flags;
597 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 598
599 mutex_lock(&sbsec->lock);
600
601 if (!ss_initialized) {
602 if (!num_opts) {
603 /* Defer initialization until selinux_complete_init,
604 after the initial policy is loaded and the security
605 server is ready to handle calls. */
606 spin_lock(&sb_security_lock);
607 if (list_empty(&sbsec->list))
608 list_add(&sbsec->list, &superblock_security_head);
609 spin_unlock(&sb_security_lock);
610 goto out;
611 }
612 rc = -EINVAL;
744ba35e
EP		 613 printk(KERN_WARNING "SELinux: Unable to set superblock options "
614 "before the security server is initialized\n");
1da177e4 615 goto out;
c9180a57 616 }
1da177e4 617
e0007529
EP		 618 /*
619 * Binary mount data FS will come through this function twice. Once
620 * from an explicit call and once from the generic calls from the vfs.
621 * Since the generic VFS calls will not contain any security mount data
622 * we need to skip the double mount verification.
623 *
624 * This does open a hole in which we will not notice if the first
625 * mount using this sb set explict options and a second mount using
626 * this sb does not set any security options. (The first options
627 * will be used for both mounts)
628 */
629 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
630 && (num_opts == 0))
f5269710 631 goto out;
e0007529 632
c9180a57
EP		 633 /*
634 * parse the mount options, check if they are valid sids.
635 * also check if someone is trying to mount the same sb more
636 * than once with different security options.
637 */
638 for (i = 0; i < num_opts; i++) {
639 u32 sid;
640 rc = security_context_to_sid(mount_options[i],
641 strlen(mount_options[i]), &sid);
1da177e4
LT		 642 if (rc) {
643 printk(KERN_WARNING "SELinux: security_context_to_sid"
644 "(%s) failed for (dev %s, type %s) errno=%d\n",
c9180a57
EP		 645 mount_options[i], sb->s_id, name, rc);
646 goto out;
647 }
648 switch (flags[i]) {
649 case FSCONTEXT_MNT:
650 fscontext_sid = sid;
651
652 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
653 fscontext_sid))
654 goto out_double_mount;
655
656 sbsec->flags |= FSCONTEXT_MNT;
657 break;
658 case CONTEXT_MNT:
659 context_sid = sid;
660
661 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
662 context_sid))
663 goto out_double_mount;
664
665 sbsec->flags |= CONTEXT_MNT;
666 break;
667 case ROOTCONTEXT_MNT:
668 rootcontext_sid = sid;
669
670 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
671 rootcontext_sid))
672 goto out_double_mount;
673
674 sbsec->flags |= ROOTCONTEXT_MNT;
675
676 break;
677 case DEFCONTEXT_MNT:
678 defcontext_sid = sid;
679
680 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
681 defcontext_sid))
682 goto out_double_mount;
683
684 sbsec->flags |= DEFCONTEXT_MNT;
685
686 break;
687 default:
688 rc = -EINVAL;
689 goto out;
1da177e4 690 }
c9180a57
EP		 691 }
692
693 if (sbsec->initialized) {
694 /* previously mounted with options, but not on this attempt? */
695 if (sbsec->flags && !num_opts)
696 goto out_double_mount;
697 rc = 0;
698 goto out;
699 }
700
089be43e 701 if (strcmp(sb->s_type->name, "proc") == 0)
c9180a57
EP		 702 sbsec->proc = 1;
703
704 /* Determine the labeling behavior to use for this filesystem type. */
459c19f5 705 rc = security_fs_use(sbsec->proc ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
c9180a57
EP		 706 if (rc) {
707 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
089be43e 708 __func__, sb->s_type->name, rc);
c9180a57
EP		 709 goto out;
710 }
1da177e4 711
c9180a57
EP		 712 /* sets the context of the superblock for the fs being mounted. */
713 if (fscontext_sid) {
275bb41e 714 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 715 if (rc)
c9180a57 716 goto out;
1da177e4 717
c9180a57 718 sbsec->sid = fscontext_sid;
c312feb2
EP		 719 }
720
721 /*
722 * Switch to using mount point labeling behavior.
723 * sets the label used on all file below the mountpoint, and will set
724 * the superblock context if not already set.
725 */
c9180a57
EP		 726 if (context_sid) {
727 if (!fscontext_sid) {
275bb41e
DH		 728 rc = may_context_mount_sb_relabel(context_sid, sbsec,
729 cred);
b04ea3ce 730 if (rc)
c9180a57
EP		 731 goto out;
732 sbsec->sid = context_sid;
b04ea3ce 733 } else {
275bb41e
DH		 734 rc = may_context_mount_inode_relabel(context_sid, sbsec,
735 cred);
b04ea3ce 736 if (rc)
c9180a57 737 goto out;
b04ea3ce 738 }
c9180a57
EP		 739 if (!rootcontext_sid)
740 rootcontext_sid = context_sid;
1da177e4 741
c9180a57 742 sbsec->mntpoint_sid = context_sid;
c312feb2 743 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 744 }
745
c9180a57 746 if (rootcontext_sid) {
275bb41e
DH		 747 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
748 cred);
0808925e 749 if (rc)
c9180a57 750 goto out;
0808925e 751
c9180a57
EP		 752 root_isec->sid = rootcontext_sid;
753 root_isec->initialized = 1;
0808925e
EP		 754 }
755
c9180a57
EP		 756 if (defcontext_sid) {
757 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
758 rc = -EINVAL;
759 printk(KERN_WARNING "SELinux: defcontext option is "
760 "invalid for this filesystem type\n");
761 goto out;
1da177e4
LT		 762 }
763
c9180a57
EP		 764 if (defcontext_sid != sbsec->def_sid) {
765 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 766 sbsec, cred);
c9180a57
EP		 767 if (rc)
768 goto out;
769 }
1da177e4 770
c9180a57 771 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 772 }
773
c9180a57 774 rc = sb_finish_set_opts(sb);
1da177e4 775out:
c9180a57 776 mutex_unlock(&sbsec->lock);
1da177e4 777 return rc;
c9180a57
EP		 778out_double_mount:
779 rc = -EINVAL;
780 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
781 "security settings for (dev %s, type %s)\n", sb->s_id, name);
782 goto out;
1da177e4
LT		 783}
784
c9180a57
EP		 785static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
786 struct super_block *newsb)
1da177e4 787{
c9180a57
EP		 788 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
789 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 790
c9180a57
EP		 791 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
792 int set_context = (oldsbsec->flags & CONTEXT_MNT);
793 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 794
0f5e6420
EP		 795 /*
796 * if the parent was able to be mounted it clearly had no special lsm
797 * mount options. thus we can safely put this sb on the list and deal
798 * with it later
799 */
800 if (!ss_initialized) {
801 spin_lock(&sb_security_lock);
802 if (list_empty(&newsbsec->list))
803 list_add(&newsbsec->list, &superblock_security_head);
804 spin_unlock(&sb_security_lock);
805 return;
806 }
c9180a57 807
c9180a57
EP		 808 /* how can we clone if the old one wasn't set up?? */
809 BUG_ON(!oldsbsec->initialized);
810
5a552617
EP		 811 /* if fs is reusing a sb, just let its options stand... */
812 if (newsbsec->initialized)
813 return;
814
c9180a57
EP		 815 mutex_lock(&newsbsec->lock);
816
817 newsbsec->flags = oldsbsec->flags;
818
819 newsbsec->sid = oldsbsec->sid;
820 newsbsec->def_sid = oldsbsec->def_sid;
821 newsbsec->behavior = oldsbsec->behavior;
822
823 if (set_context) {
824 u32 sid = oldsbsec->mntpoint_sid;
825
826 if (!set_fscontext)
827 newsbsec->sid = sid;
828 if (!set_rootcontext) {
829 struct inode *newinode = newsb->s_root->d_inode;
830 struct inode_security_struct *newisec = newinode->i_security;
831 newisec->sid = sid;
832 }
833 newsbsec->mntpoint_sid = sid;
1da177e4 834 }
c9180a57
EP		 835 if (set_rootcontext) {
836 const struct inode *oldinode = oldsb->s_root->d_inode;
837 const struct inode_security_struct *oldisec = oldinode->i_security;
838 struct inode *newinode = newsb->s_root->d_inode;
839 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 840
c9180a57 841 newisec->sid = oldisec->sid;
1da177e4
LT		 842 }
843
c9180a57
EP		 844 sb_finish_set_opts(newsb);
845 mutex_unlock(&newsbsec->lock);
846}
847
2e1479d9
AB		 848static int selinux_parse_opts_str(char *options,
849 struct security_mnt_opts *opts)
c9180a57 850{
e0007529 851 char *p;
c9180a57
EP		 852 char *context = NULL, *defcontext = NULL;
853 char *fscontext = NULL, *rootcontext = NULL;
e0007529 854 int rc, num_mnt_opts = 0;
1da177e4 855
e0007529 856 opts->num_mnt_opts = 0;
1da177e4 857
c9180a57
EP		 858 /* Standard string-based options. */
859 while ((p = strsep(&options, "|")) != NULL) {
860 int token;
861 substring_t args[MAX_OPT_ARGS];
1da177e4 862
c9180a57
EP		 863 if (!*p)
864 continue;
1da177e4 865
c9180a57 866 token = match_token(p, tokens, args);
1da177e4 867
c9180a57
EP		 868 switch (token) {
869 case Opt_context:
870 if (context || defcontext) {
871 rc = -EINVAL;
872 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
873 goto out_err;
874 }
875 context = match_strdup(&args[0]);
876 if (!context) {
877 rc = -ENOMEM;
878 goto out_err;
879 }
880 break;
881
882 case Opt_fscontext:
883 if (fscontext) {
884 rc = -EINVAL;
885 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
886 goto out_err;
887 }
888 fscontext = match_strdup(&args[0]);
889 if (!fscontext) {
890 rc = -ENOMEM;
891 goto out_err;
892 }
893 break;
894
895 case Opt_rootcontext:
896 if (rootcontext) {
897 rc = -EINVAL;
898 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
899 goto out_err;
900 }
901 rootcontext = match_strdup(&args[0]);
902 if (!rootcontext) {
903 rc = -ENOMEM;
904 goto out_err;
905 }
906 break;
907
908 case Opt_defcontext:
909 if (context || defcontext) {
910 rc = -EINVAL;
911 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
912 goto out_err;
913 }
914 defcontext = match_strdup(&args[0]);
915 if (!defcontext) {
916 rc = -ENOMEM;
917 goto out_err;
918 }
919 break;
920
921 default:
922 rc = -EINVAL;
923 printk(KERN_WARNING "SELinux: unknown mount option\n");
924 goto out_err;
1da177e4 925
1da177e4 926 }
1da177e4 927 }
c9180a57 928
e0007529
EP		 929 rc = -ENOMEM;
930 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
931 if (!opts->mnt_opts)
932 goto out_err;
933
934 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
935 if (!opts->mnt_opts_flags) {
936 kfree(opts->mnt_opts);
937 goto out_err;
938 }
939
c9180a57 940 if (fscontext) {
e0007529
EP		 941 opts->mnt_opts[num_mnt_opts] = fscontext;
942 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 943 }
944 if (context) {
e0007529
EP		 945 opts->mnt_opts[num_mnt_opts] = context;
946 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 947 }
948 if (rootcontext) {
e0007529
EP		 949 opts->mnt_opts[num_mnt_opts] = rootcontext;
950 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 951 }
952 if (defcontext) {
e0007529
EP		 953 opts->mnt_opts[num_mnt_opts] = defcontext;
954 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 955 }
956
e0007529
EP		 957 opts->num_mnt_opts = num_mnt_opts;
958 return 0;
959
c9180a57
EP		 960out_err:
961 kfree(context);
962 kfree(defcontext);
963 kfree(fscontext);
964 kfree(rootcontext);
1da177e4
LT		 965 return rc;
966}
e0007529
EP		 967/*
968 * string mount options parsing and call set the sbsec
969 */
970static int superblock_doinit(struct super_block *sb, void *data)
971{
972 int rc = 0;
973 char *options = data;
974 struct security_mnt_opts opts;
975
976 security_init_mnt_opts(&opts);
977
978 if (!data)
979 goto out;
980
981 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
982
983 rc = selinux_parse_opts_str(options, &opts);
984 if (rc)
985 goto out_err;
986
987out:
988 rc = selinux_set_mnt_opts(sb, &opts);
989
990out_err:
991 security_free_mnt_opts(&opts);
992 return rc;
993}
1da177e4 994
3583a711
AB		 995static void selinux_write_opts(struct seq_file *m,
996 struct security_mnt_opts *opts)
2069f457
EP		 997{
998 int i;
999 char *prefix;
1000
1001 for (i = 0; i < opts->num_mnt_opts; i++) {
1002 char *has_comma = strchr(opts->mnt_opts[i], ',');
1003
1004 switch (opts->mnt_opts_flags[i]) {
1005 case CONTEXT_MNT:
1006 prefix = CONTEXT_STR;
1007 break;
1008 case FSCONTEXT_MNT:
1009 prefix = FSCONTEXT_STR;
1010 break;
1011 case ROOTCONTEXT_MNT:
1012 prefix = ROOTCONTEXT_STR;
1013 break;
1014 case DEFCONTEXT_MNT:
1015 prefix = DEFCONTEXT_STR;
1016 break;
1017 default:
1018 BUG();
1019 };
1020 /* we need a comma before each option */
1021 seq_putc(m, ',');
1022 seq_puts(m, prefix);
1023 if (has_comma)
1024 seq_putc(m, '\"');
1025 seq_puts(m, opts->mnt_opts[i]);
1026 if (has_comma)
1027 seq_putc(m, '\"');
1028 }
1029}
1030
1031static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1032{
1033 struct security_mnt_opts opts;
1034 int rc;
1035
1036 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1037 if (rc) {
1038 /* before policy load we may get EINVAL, don't show anything */
1039 if (rc == -EINVAL)
1040 rc = 0;
2069f457 1041 return rc;
383795c2 1042 }
2069f457
EP		 1043
1044 selinux_write_opts(m, &opts);
1045
1046 security_free_mnt_opts(&opts);
1047
1048 return rc;
1049}
1050
1da177e4
LT		 1051static inline u16 inode_mode_to_security_class(umode_t mode)
1052{
1053 switch (mode & S_IFMT) {
1054 case S_IFSOCK:
1055 return SECCLASS_SOCK_FILE;
1056 case S_IFLNK:
1057 return SECCLASS_LNK_FILE;
1058 case S_IFREG:
1059 return SECCLASS_FILE;
1060 case S_IFBLK:
1061 return SECCLASS_BLK_FILE;
1062 case S_IFDIR:
1063 return SECCLASS_DIR;
1064 case S_IFCHR:
1065 return SECCLASS_CHR_FILE;
1066 case S_IFIFO:
1067 return SECCLASS_FIFO_FILE;
1068
1069 }
1070
1071 return SECCLASS_FILE;
1072}
1073
13402580
JM		 1074static inline int default_protocol_stream(int protocol)
1075{
1076 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1077}
1078
1079static inline int default_protocol_dgram(int protocol)
1080{
1081 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1082}
1083
1da177e4
LT		 1084static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1085{
1086 switch (family) {
1087 case PF_UNIX:
1088 switch (type) {
1089 case SOCK_STREAM:
1090 case SOCK_SEQPACKET:
1091 return SECCLASS_UNIX_STREAM_SOCKET;
1092 case SOCK_DGRAM:
1093 return SECCLASS_UNIX_DGRAM_SOCKET;
1094 }
1095 break;
1096 case PF_INET:
1097 case PF_INET6:
1098 switch (type) {
1099 case SOCK_STREAM:
13402580
JM		 1100 if (default_protocol_stream(protocol))
1101 return SECCLASS_TCP_SOCKET;
1102 else
1103 return SECCLASS_RAWIP_SOCKET;
1da177e4 1104 case SOCK_DGRAM:
13402580
JM		 1105 if (default_protocol_dgram(protocol))
1106 return SECCLASS_UDP_SOCKET;
1107 else
1108 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1109 case SOCK_DCCP:
1110 return SECCLASS_DCCP_SOCKET;
13402580 1111 default:
1da177e4
LT		 1112 return SECCLASS_RAWIP_SOCKET;
1113 }
1114 break;
1115 case PF_NETLINK:
1116 switch (protocol) {
1117 case NETLINK_ROUTE:
1118 return SECCLASS_NETLINK_ROUTE_SOCKET;
1119 case NETLINK_FIREWALL:
1120 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 1121 case NETLINK_INET_DIAG:
1da177e4
LT		 1122 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1123 case NETLINK_NFLOG:
1124 return SECCLASS_NETLINK_NFLOG_SOCKET;
1125 case NETLINK_XFRM:
1126 return SECCLASS_NETLINK_XFRM_SOCKET;
1127 case NETLINK_SELINUX:
1128 return SECCLASS_NETLINK_SELINUX_SOCKET;
1129 case NETLINK_AUDIT:
1130 return SECCLASS_NETLINK_AUDIT_SOCKET;
1131 case NETLINK_IP6_FW:
1132 return SECCLASS_NETLINK_IP6FW_SOCKET;
1133 case NETLINK_DNRTMSG:
1134 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1135 case NETLINK_KOBJECT_UEVENT:
1136 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1137 default:
1138 return SECCLASS_NETLINK_SOCKET;
1139 }
1140 case PF_PACKET:
1141 return SECCLASS_PACKET_SOCKET;
1142 case PF_KEY:
1143 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1144 case PF_APPLETALK:
1145 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1146 }
1147
1148 return SECCLASS_SOCKET;
1149}
1150
1151#ifdef CONFIG_PROC_FS
1152static int selinux_proc_get_sid(struct proc_dir_entry *de,
1153 u16 tclass,
1154 u32 *sid)
1155{
1156 int buflen, rc;
1157 char *buffer, *path, *end;
1158
828dfe1d 1159 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1160 if (!buffer)
1161 return -ENOMEM;
1162
1163 buflen = PAGE_SIZE;
1164 end = buffer+buflen;
1165 *--end = '\0';
1166 buflen--;
1167 path = end-1;
1168 *path = '/';
1169 while (de && de != de->parent) {
1170 buflen -= de->namelen + 1;
1171 if (buflen < 0)
1172 break;
1173 end -= de->namelen;
1174 memcpy(end, de->name, de->namelen);
1175 *--end = '/';
1176 path = end;
1177 de = de->parent;
1178 }
1179 rc = security_genfs_sid("proc", path, tclass, sid);
1180 free_page((unsigned long)buffer);
1181 return rc;
1182}
1183#else
1184static int selinux_proc_get_sid(struct proc_dir_entry *de,
1185 u16 tclass,
1186 u32 *sid)
1187{
1188 return -EINVAL;
1189}
1190#endif
1191
1192/* The inode's security attributes must be initialized before first use. */
1193static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1194{
1195 struct superblock_security_struct *sbsec = NULL;
1196 struct inode_security_struct *isec = inode->i_security;
1197 u32 sid;
1198 struct dentry *dentry;
1199#define INITCONTEXTLEN 255
1200 char *context = NULL;
1201 unsigned len = 0;
1202 int rc = 0;
1da177e4
LT		 1203
1204 if (isec->initialized)
1205 goto out;
1206
23970741 1207 mutex_lock(&isec->lock);
1da177e4 1208 if (isec->initialized)
23970741 1209 goto out_unlock;
1da177e4
LT		 1210
1211 sbsec = inode->i_sb->s_security;
1212 if (!sbsec->initialized) {
1213 /* Defer initialization until selinux_complete_init,
1214 after the initial policy is loaded and the security
1215 server is ready to handle calls. */
1216 spin_lock(&sbsec->isec_lock);
1217 if (list_empty(&isec->list))
1218 list_add(&isec->list, &sbsec->isec_head);
1219 spin_unlock(&sbsec->isec_lock);
23970741 1220 goto out_unlock;
1da177e4
LT		 1221 }
1222
1223 switch (sbsec->behavior) {
1224 case SECURITY_FS_USE_XATTR:
1225 if (!inode->i_op->getxattr) {
1226 isec->sid = sbsec->def_sid;
1227 break;
1228 }
1229
1230 /* Need a dentry, since the xattr API requires one.
1231 Life would be simpler if we could just pass the inode. */
1232 if (opt_dentry) {
1233 /* Called from d_instantiate or d_splice_alias. */
1234 dentry = dget(opt_dentry);
1235 } else {
1236 /* Called from selinux_complete_init, try to find a dentry. */
1237 dentry = d_find_alias(inode);
1238 }
1239 if (!dentry) {
744ba35e 1240 printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s "
dd6f953a 1241 "ino=%ld\n", __func__, inode->i_sb->s_id,
1da177e4 1242 inode->i_ino);
23970741 1243 goto out_unlock;
1da177e4
LT		 1244 }
1245
1246 len = INITCONTEXTLEN;
869ab514 1247 context = kmalloc(len, GFP_NOFS);
1da177e4
LT		 1248 if (!context) {
1249 rc = -ENOMEM;
1250 dput(dentry);
23970741 1251 goto out_unlock;
1da177e4
LT		 1252 }
1253 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1254 context, len);
1255 if (rc == -ERANGE) {
1256 /* Need a larger buffer. Query for the right size. */
1257 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1258 NULL, 0);
1259 if (rc < 0) {
1260 dput(dentry);
23970741 1261 goto out_unlock;
1da177e4
LT		 1262 }
1263 kfree(context);
1264 len = rc;
869ab514 1265 context = kmalloc(len, GFP_NOFS);
1da177e4
LT		 1266 if (!context) {
1267 rc = -ENOMEM;
1268 dput(dentry);
23970741 1269 goto out_unlock;
1da177e4
LT		 1270 }
1271 rc = inode->i_op->getxattr(dentry,
1272 XATTR_NAME_SELINUX,
1273 context, len);
1274 }
1275 dput(dentry);
1276 if (rc < 0) {
1277 if (rc != -ENODATA) {
744ba35e 1278 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1279 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1280 -rc, inode->i_sb->s_id, inode->i_ino);
1281 kfree(context);
23970741 1282 goto out_unlock;
1da177e4
LT		 1283 }
1284 /* Map ENODATA to the default file SID */
1285 sid = sbsec->def_sid;
1286 rc = 0;
1287 } else {
f5c1d5b2 1288 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1289 sbsec->def_sid,
1290 GFP_NOFS);
1da177e4 1291 if (rc) {
744ba35e 1292 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1da177e4 1293 "returned %d for dev=%s ino=%ld\n",
dd6f953a 1294 __func__, context, -rc,
1da177e4
LT		 1295 inode->i_sb->s_id, inode->i_ino);
1296 kfree(context);
1297 /* Leave with the unlabeled SID */
1298 rc = 0;
1299 break;
1300 }
1301 }
1302 kfree(context);
1303 isec->sid = sid;
1304 break;
1305 case SECURITY_FS_USE_TASK:
1306 isec->sid = isec->task_sid;
1307 break;
1308 case SECURITY_FS_USE_TRANS:
1309 /* Default to the fs SID. */
1310 isec->sid = sbsec->sid;
1311
1312 /* Try to obtain a transition SID. */
1313 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1314 rc = security_transition_sid(isec->task_sid,
1315 sbsec->sid,
1316 isec->sclass,
1317 &sid);
1318 if (rc)
23970741 1319 goto out_unlock;
1da177e4
LT		 1320 isec->sid = sid;
1321 break;
c312feb2
EP		 1322 case SECURITY_FS_USE_MNTPOINT:
1323 isec->sid = sbsec->mntpoint_sid;
1324 break;
1da177e4 1325 default:
c312feb2 1326 /* Default to the fs superblock SID. */
1da177e4
LT		 1327 isec->sid = sbsec->sid;
1328
ea6b184f 1329 if (sbsec->proc && !S_ISLNK(inode->i_mode)) {
1da177e4
LT		 1330 struct proc_inode *proci = PROC_I(inode);
1331 if (proci->pde) {
1332 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1333 rc = selinux_proc_get_sid(proci->pde,
1334 isec->sclass,
1335 &sid);
1336 if (rc)
23970741 1337 goto out_unlock;
1da177e4
LT		 1338 isec->sid = sid;
1339 }
1340 }
1341 break;
1342 }
1343
1344 isec->initialized = 1;
1345
23970741
EP		 1346out_unlock:
1347 mutex_unlock(&isec->lock);
1da177e4
LT		 1348out:
1349 if (isec->sclass == SECCLASS_FILE)
1350 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1351 return rc;
1352}
1353
1354/* Convert a Linux signal to an access vector. */
1355static inline u32 signal_to_av(int sig)
1356{
1357 u32 perm = 0;
1358
1359 switch (sig) {
1360 case SIGCHLD:
1361 /* Commonly granted from child to parent. */
1362 perm = PROCESS__SIGCHLD;
1363 break;
1364 case SIGKILL:
1365 /* Cannot be caught or ignored */
1366 perm = PROCESS__SIGKILL;
1367 break;
1368 case SIGSTOP:
1369 /* Cannot be caught or ignored */
1370 perm = PROCESS__SIGSTOP;
1371 break;
1372 default:
1373 /* All other signals. */
1374 perm = PROCESS__SIGNAL;
1375 break;
1376 }
1377
1378 return perm;
1379}
1380
d84f4f99
DH		 1381/*
1382 * Check permission between a pair of credentials
1383 * fork check, ptrace check, etc.
1384 */
1385static int cred_has_perm(const struct cred *actor,
1386 const struct cred *target,
1387 u32 perms)
1388{
1389 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1390
1391 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1392}
1393
275bb41e 1394/*
88e67f3b 1395 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1396 * fork check, ptrace check, etc.
1397 * tsk1 is the actor and tsk2 is the target
3b11a1de 1398 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1399 */
1400static int task_has_perm(const struct task_struct *tsk1,
1401 const struct task_struct *tsk2,
1da177e4
LT		 1402 u32 perms)
1403{
275bb41e
DH		 1404 const struct task_security_struct *__tsec1, *__tsec2;
1405 u32 sid1, sid2;
1da177e4 1406
275bb41e
DH		 1407 rcu_read_lock();
1408 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1409 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1410 rcu_read_unlock();
1411 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1412}
1413
3b11a1de
DH		 1414/*
1415 * Check permission between current and another task, e.g. signal checks,
1416 * fork check, ptrace check, etc.
1417 * current is the actor and tsk2 is the target
1418 * - this uses current's subjective creds
1419 */
1420static int current_has_perm(const struct task_struct *tsk,
1421 u32 perms)
1422{
1423 u32 sid, tsid;
1424
1425 sid = current_sid();
1426 tsid = task_sid(tsk);
1427 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1428}
1429
b68e418c
SS		 1430#if CAP_LAST_CAP > 63
1431#error Fix SELinux to handle capabilities > 63.
1432#endif
1433
1da177e4
LT		 1434/* Check whether a task is allowed to use a capability. */
1435static int task_has_capability(struct task_struct *tsk,
3699c53c 1436 const struct cred *cred,
06112163 1437 int cap, int audit)
1da177e4 1438{
1da177e4 1439 struct avc_audit_data ad;
06112163 1440 struct av_decision avd;
b68e418c 1441 u16 sclass;
3699c53c 1442 u32 sid = cred_sid(cred);
b68e418c 1443 u32 av = CAP_TO_MASK(cap);
06112163 1444 int rc;
1da177e4 1445
828dfe1d 1446 AVC_AUDIT_DATA_INIT(&ad, CAP);
1da177e4
LT		 1447 ad.tsk = tsk;
1448 ad.u.cap = cap;
1449
b68e418c
SS		 1450 switch (CAP_TO_INDEX(cap)) {
1451 case 0:
1452 sclass = SECCLASS_CAPABILITY;
1453 break;
1454 case 1:
1455 sclass = SECCLASS_CAPABILITY2;
1456 break;
1457 default:
1458 printk(KERN_ERR
1459 "SELinux: out of range capability %d\n", cap);
1460 BUG();
1461 }
06112163 1462
275bb41e 1463 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
06112163 1464 if (audit == SECURITY_CAP_AUDIT)
275bb41e 1465 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
06112163 1466 return rc;
1da177e4
LT		 1467}
1468
1469/* Check whether a task is allowed to use a system operation. */
1470static int task_has_system(struct task_struct *tsk,
1471 u32 perms)
1472{
275bb41e 1473 u32 sid = task_sid(tsk);
1da177e4 1474
275bb41e 1475 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1476 SECCLASS_SYSTEM, perms, NULL);
1477}
1478
1479/* Check whether a task has a particular permission to an inode.
1480 The 'adp' parameter is optional and allows other audit
1481 data to be passed (e.g. the dentry). */
88e67f3b 1482static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1483 struct inode *inode,
1484 u32 perms,
1485 struct avc_audit_data *adp)
1486{
1da177e4
LT		 1487 struct inode_security_struct *isec;
1488 struct avc_audit_data ad;
275bb41e 1489 u32 sid;
1da177e4 1490
828dfe1d 1491 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1492 return 0;
1493
88e67f3b 1494 sid = cred_sid(cred);
1da177e4
LT		 1495 isec = inode->i_security;
1496
1497 if (!adp) {
1498 adp = &ad;
1499 AVC_AUDIT_DATA_INIT(&ad, FS);
1500 ad.u.fs.inode = inode;
1501 }
1502
275bb41e 1503 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1504}
1505
1506/* Same as inode_has_perm, but pass explicit audit data containing
1507 the dentry to help the auditing code to more easily generate the
1508 pathname if needed. */
88e67f3b 1509static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1510 struct vfsmount *mnt,
1511 struct dentry *dentry,
1512 u32 av)
1513{
1514 struct inode *inode = dentry->d_inode;
1515 struct avc_audit_data ad;
88e67f3b 1516
828dfe1d 1517 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf
JB		 1518 ad.u.fs.path.mnt = mnt;
1519 ad.u.fs.path.dentry = dentry;
88e67f3b 1520 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1521}
1522
1523/* Check whether a task can use an open file descriptor to
1524 access an inode in a given way. Check access to the
1525 descriptor itself, and then use dentry_has_perm to
1526 check a particular permission to the file.
1527 Access to the descriptor is implicitly granted if it
1528 has the same SID as the process. If av is zero, then
1529 access to the file is not checked, e.g. for cases
1530 where only the descriptor is affected like seek. */
88e67f3b
DH		 1531static int file_has_perm(const struct cred *cred,
1532 struct file *file,
1533 u32 av)
1da177e4 1534{
1da177e4 1535 struct file_security_struct *fsec = file->f_security;
44707fdf 1536 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4 1537 struct avc_audit_data ad;
88e67f3b 1538 u32 sid = cred_sid(cred);
1da177e4
LT		 1539 int rc;
1540
1541 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1542 ad.u.fs.path = file->f_path;
1da177e4 1543
275bb41e
DH		 1544 if (sid != fsec->sid) {
1545 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1546 SECCLASS_FD,
1547 FD__USE,
1548 &ad);
1549 if (rc)
88e67f3b 1550 goto out;
1da177e4
LT		 1551 }
1552
1553 /* av is zero if only checking access to the descriptor. */
88e67f3b 1554 rc = 0;
1da177e4 1555 if (av)
88e67f3b 1556 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1557
88e67f3b
DH		 1558out:
1559 return rc;
1da177e4
LT		 1560}
1561
1562/* Check whether a task can create a file. */
1563static int may_create(struct inode *dir,
1564 struct dentry *dentry,
1565 u16 tclass)
1566{
275bb41e
DH		 1567 const struct cred *cred = current_cred();
1568 const struct task_security_struct *tsec = cred->security;
1da177e4
LT		 1569 struct inode_security_struct *dsec;
1570 struct superblock_security_struct *sbsec;
275bb41e 1571 u32 sid, newsid;
1da177e4
LT		 1572 struct avc_audit_data ad;
1573 int rc;
1574
1da177e4
LT		 1575 dsec = dir->i_security;
1576 sbsec = dir->i_sb->s_security;
1577
275bb41e
DH		 1578 sid = tsec->sid;
1579 newsid = tsec->create_sid;
1580
1da177e4 1581 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1582 ad.u.fs.path.dentry = dentry;
1da177e4 1583
275bb41e 1584 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1585 DIR__ADD_NAME | DIR__SEARCH,
1586 &ad);
1587 if (rc)
1588 return rc;
1589
275bb41e
DH		 1590 if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
1591 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
1da177e4
LT		 1592 if (rc)
1593 return rc;
1594 }
1595
275bb41e 1596 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1597 if (rc)
1598 return rc;
1599
1600 return avc_has_perm(newsid, sbsec->sid,
1601 SECCLASS_FILESYSTEM,
1602 FILESYSTEM__ASSOCIATE, &ad);
1603}
1604
4eb582cf
ML		 1605/* Check whether a task can create a key. */
1606static int may_create_key(u32 ksid,
1607 struct task_struct *ctx)
1608{
275bb41e 1609 u32 sid = task_sid(ctx);
4eb582cf 1610
275bb41e 1611 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1612}
1613
828dfe1d
EP		 1614#define MAY_LINK 0
1615#define MAY_UNLINK 1
1616#define MAY_RMDIR 2
1da177e4
LT		 1617
1618/* Check whether a task can link, unlink, or rmdir a file/directory. */
1619static int may_link(struct inode *dir,
1620 struct dentry *dentry,
1621 int kind)
1622
1623{
1da177e4
LT		 1624 struct inode_security_struct *dsec, *isec;
1625 struct avc_audit_data ad;
275bb41e 1626 u32 sid = current_sid();
1da177e4
LT		 1627 u32 av;
1628 int rc;
1629
1da177e4
LT		 1630 dsec = dir->i_security;
1631 isec = dentry->d_inode->i_security;
1632
1633 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1634 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1635
1636 av = DIR__SEARCH;
1637 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1638 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1639 if (rc)
1640 return rc;
1641
1642 switch (kind) {
1643 case MAY_LINK:
1644 av = FILE__LINK;
1645 break;
1646 case MAY_UNLINK:
1647 av = FILE__UNLINK;
1648 break;
1649 case MAY_RMDIR:
1650 av = DIR__RMDIR;
1651 break;
1652 default:
744ba35e
EP		 1653 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1654 __func__, kind);
1da177e4
LT		 1655 return 0;
1656 }
1657
275bb41e 1658 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1659 return rc;
1660}
1661
1662static inline int may_rename(struct inode *old_dir,
1663 struct dentry *old_dentry,
1664 struct inode *new_dir,
1665 struct dentry *new_dentry)
1666{
1da177e4
LT		 1667 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1668 struct avc_audit_data ad;
275bb41e 1669 u32 sid = current_sid();
1da177e4
LT		 1670 u32 av;
1671 int old_is_dir, new_is_dir;
1672 int rc;
1673
1da177e4
LT		 1674 old_dsec = old_dir->i_security;
1675 old_isec = old_dentry->d_inode->i_security;
1676 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1677 new_dsec = new_dir->i_security;
1678
1679 AVC_AUDIT_DATA_INIT(&ad, FS);
1680
44707fdf 1681 ad.u.fs.path.dentry = old_dentry;
275bb41e 1682 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1683 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1684 if (rc)
1685 return rc;
275bb41e 1686 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1687 old_isec->sclass, FILE__RENAME, &ad);
1688 if (rc)
1689 return rc;
1690 if (old_is_dir && new_dir != old_dir) {
275bb41e 1691 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1692 old_isec->sclass, DIR__REPARENT, &ad);
1693 if (rc)
1694 return rc;
1695 }
1696
44707fdf 1697 ad.u.fs.path.dentry = new_dentry;
1da177e4
LT		 1698 av = DIR__ADD_NAME | DIR__SEARCH;
1699 if (new_dentry->d_inode)
1700 av |= DIR__REMOVE_NAME;
275bb41e 1701 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1702 if (rc)
1703 return rc;
1704 if (new_dentry->d_inode) {
1705 new_isec = new_dentry->d_inode->i_security;
1706 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
275bb41e 1707 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1708 new_isec->sclass,
1709 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1710 if (rc)
1711 return rc;
1712 }
1713
1714 return 0;
1715}
1716
1717/* Check whether a task can perform a filesystem operation. */
88e67f3b 1718static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1719 struct super_block *sb,
1720 u32 perms,
1721 struct avc_audit_data *ad)
1722{
1da177e4 1723 struct superblock_security_struct *sbsec;
88e67f3b 1724 u32 sid = cred_sid(cred);
1da177e4 1725
1da177e4 1726 sbsec = sb->s_security;
275bb41e 1727 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1728}
1729
1730/* Convert a Linux mode and permission mask to an access vector. */
1731static inline u32 file_mask_to_av(int mode, int mask)
1732{
1733 u32 av = 0;
1734
1735 if ((mode & S_IFMT) != S_IFDIR) {
1736 if (mask & MAY_EXEC)
1737 av |= FILE__EXECUTE;
1738 if (mask & MAY_READ)
1739 av |= FILE__READ;
1740
1741 if (mask & MAY_APPEND)
1742 av |= FILE__APPEND;
1743 else if (mask & MAY_WRITE)
1744 av |= FILE__WRITE;
1745
1746 } else {
1747 if (mask & MAY_EXEC)
1748 av |= DIR__SEARCH;
1749 if (mask & MAY_WRITE)
1750 av |= DIR__WRITE;
1751 if (mask & MAY_READ)
1752 av |= DIR__READ;
1753 }
1754
1755 return av;
1756}
1757
8b6a5a37
EP		 1758/* Convert a Linux file to an access vector. */
1759static inline u32 file_to_av(struct file *file)
1760{
1761 u32 av = 0;
1762
1763 if (file->f_mode & FMODE_READ)
1764 av |= FILE__READ;
1765 if (file->f_mode & FMODE_WRITE) {
1766 if (file->f_flags & O_APPEND)
1767 av |= FILE__APPEND;
1768 else
1769 av |= FILE__WRITE;
1770 }
1771 if (!av) {
1772 /*
1773 * Special file opened with flags 3 for ioctl-only use.
1774 */
1775 av = FILE__IOCTL;
1776 }
1777
1778 return av;
1779}
1780
b0c636b9 1781/*
8b6a5a37 1782 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 1783 * open permission.
1784 */
8b6a5a37 1785static inline u32 open_file_to_av(struct file *file)
b0c636b9 1786{
8b6a5a37 1787 u32 av = file_to_av(file);
b0c636b9
EP		 1788
1789 if (selinux_policycap_openperm) {
8b6a5a37 1790 mode_t mode = file->f_path.dentry->d_inode->i_mode;
b0c636b9
EP		 1791 /*
1792 * lnk files and socks do not really have an 'open'
1793 */
1794 if (S_ISREG(mode))
1795 av |= FILE__OPEN;
1796 else if (S_ISCHR(mode))
1797 av |= CHR_FILE__OPEN;
1798 else if (S_ISBLK(mode))
1799 av |= BLK_FILE__OPEN;
1800 else if (S_ISFIFO(mode))
1801 av |= FIFO_FILE__OPEN;
1802 else if (S_ISDIR(mode))
1803 av |= DIR__OPEN;
1804 else
744ba35e 1805 printk(KERN_ERR "SELinux: WARNING: inside %s with "
8b6a5a37 1806 "unknown mode:%o\n", __func__, mode);
b0c636b9
EP		 1807 }
1808 return av;
1809}
1810
1da177e4
LT		 1811/* Hook functions begin here. */
1812
5cd9c58f
DH		 1813static int selinux_ptrace_may_access(struct task_struct *child,
1814 unsigned int mode)
1da177e4 1815{
1da177e4
LT		 1816 int rc;
1817
5cd9c58f 1818 rc = secondary_ops->ptrace_may_access(child, mode);
1da177e4
LT		 1819 if (rc)
1820 return rc;
1821
006ebb40 1822 if (mode == PTRACE_MODE_READ) {
275bb41e
DH		 1823 u32 sid = current_sid();
1824 u32 csid = task_sid(child);
1825 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 1826 }
1827
3b11a1de 1828 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 1829}
1830
1831static int selinux_ptrace_traceme(struct task_struct *parent)
1832{
1833 int rc;
1834
1835 rc = secondary_ops->ptrace_traceme(parent);
1836 if (rc)
1837 return rc;
1838
1839 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 1840}
1841
1842static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 1843 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4
LT		 1844{
1845 int error;
1846
3b11a1de 1847 error = current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 1848 if (error)
1849 return error;
1850
1851 return secondary_ops->capget(target, effective, inheritable, permitted);
1852}
1853
d84f4f99
DH		 1854static int selinux_capset(struct cred *new, const struct cred *old,
1855 const kernel_cap_t *effective,
1856 const kernel_cap_t *inheritable,
1857 const kernel_cap_t *permitted)
1da177e4
LT		 1858{
1859 int error;
1860
d84f4f99
DH		 1861 error = secondary_ops->capset(new, old,
1862 effective, inheritable, permitted);
1da177e4
LT		 1863 if (error)
1864 return error;
1865
d84f4f99 1866 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 1867}
1868
3699c53c
DH		 1869static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1870 int cap, int audit)
1da177e4
LT		 1871{
1872 int rc;
1873
3699c53c 1874 rc = secondary_ops->capable(tsk, cred, cap, audit);
1da177e4
LT		 1875 if (rc)
1876 return rc;
1877
3699c53c 1878 return task_has_capability(tsk, cred, cap, audit);
1da177e4
LT		 1879}
1880
3fbfa981
EB		 1881static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1882{
1883 int buflen, rc;
1884 char *buffer, *path, *end;
1885
1886 rc = -ENOMEM;
828dfe1d 1887 buffer = (char *)__get_free_page(GFP_KERNEL);
3fbfa981
EB		 1888 if (!buffer)
1889 goto out;
1890
1891 buflen = PAGE_SIZE;
1892 end = buffer+buflen;
1893 *--end = '\0';
1894 buflen--;
1895 path = end-1;
1896 *path = '/';
1897 while (table) {
1898 const char *name = table->procname;
1899 size_t namelen = strlen(name);
1900 buflen -= namelen + 1;
1901 if (buflen < 0)
1902 goto out_free;
1903 end -= namelen;
1904 memcpy(end, name, namelen);
1905 *--end = '/';
1906 path = end;
1907 table = table->parent;
1908 }
b599fdfd
EB		 1909 buflen -= 4;
1910 if (buflen < 0)
1911 goto out_free;
1912 end -= 4;
1913 memcpy(end, "/sys", 4);
1914 path = end;
3fbfa981
EB		 1915 rc = security_genfs_sid("proc", path, tclass, sid);
1916out_free:
1917 free_page((unsigned long)buffer);
1918out:
1919 return rc;
1920}
1921
1da177e4
LT		 1922static int selinux_sysctl(ctl_table *table, int op)
1923{
1924 int error = 0;
1925 u32 av;
275bb41e 1926 u32 tsid, sid;
1da177e4
LT		 1927 int rc;
1928
1929 rc = secondary_ops->sysctl(table, op);
1930 if (rc)
1931 return rc;
1932
275bb41e 1933 sid = current_sid();
1da177e4 1934
3fbfa981
EB		 1935 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1936 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1da177e4
LT		 1937 if (rc) {
1938 /* Default to the well-defined sysctl SID. */
1939 tsid = SECINITSID_SYSCTL;
1940 }
1941
1942 /* The op values are "defined" in sysctl.c, thereby creating
1943 * a bad coupling between this module and sysctl.c */
828dfe1d 1944 if (op == 001) {
275bb41e 1945 error = avc_has_perm(sid, tsid,
1da177e4
LT		 1946 SECCLASS_DIR, DIR__SEARCH, NULL);
1947 } else {
1948 av = 0;
1949 if (op & 004)
1950 av |= FILE__READ;
1951 if (op & 002)
1952 av |= FILE__WRITE;
1953 if (av)
275bb41e 1954 error = avc_has_perm(sid, tsid,
1da177e4 1955 SECCLASS_FILE, av, NULL);
828dfe1d 1956 }
1da177e4
LT		 1957
1958 return error;
1959}
1960
1961static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1962{
88e67f3b 1963 const struct cred *cred = current_cred();
1da177e4
LT		 1964 int rc = 0;
1965
1966 if (!sb)
1967 return 0;
1968
1969 switch (cmds) {
828dfe1d
EP		 1970 case Q_SYNC:
1971 case Q_QUOTAON:
1972 case Q_QUOTAOFF:
1973 case Q_SETINFO:
1974 case Q_SETQUOTA:
88e67f3b 1975 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 1976 break;
1977 case Q_GETFMT:
1978 case Q_GETINFO:
1979 case Q_GETQUOTA:
88e67f3b 1980 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 1981 break;
1982 default:
1983 rc = 0; /* let the kernel handle invalid cmds */
1984 break;
1da177e4
LT		 1985 }
1986 return rc;
1987}
1988
1989static int selinux_quota_on(struct dentry *dentry)
1990{
88e67f3b
DH		 1991 const struct cred *cred = current_cred();
1992
1993 return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1da177e4
LT		 1994}
1995
1996static int selinux_syslog(int type)
1997{
1998 int rc;
1999
2000 rc = secondary_ops->syslog(type);
2001 if (rc)
2002 return rc;
2003
2004 switch (type) {
828dfe1d
EP		 2005 case 3: /* Read last kernel messages */
2006 case 10: /* Return size of the log buffer */
2007 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2008 break;
2009 case 6: /* Disable logging to console */
2010 case 7: /* Enable logging to console */
2011 case 8: /* Set level of messages printed to console */
2012 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2013 break;
2014 case 0: /* Close log */
2015 case 1: /* Open log */
2016 case 2: /* Read from log */
2017 case 4: /* Read/clear last kernel messages */
2018 case 5: /* Clear ring buffer */
2019 default:
2020 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2021 break;
1da177e4
LT		 2022 }
2023 return rc;
2024}
2025
2026/*
2027 * Check that a process has enough memory to allocate a new virtual
2028 * mapping. 0 means there is enough memory for the allocation to
2029 * succeed and -ENOMEM implies there is not.
2030 *
2031 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
2032 * if the capability is granted, but __vm_enough_memory requires 1 if
2033 * the capability is granted.
2034 *
2035 * Do not audit the selinux permission check, as this is applied to all
2036 * processes that allocate mappings.
2037 */
34b4e4aa 2038static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2039{
2040 int rc, cap_sys_admin = 0;
1da177e4 2041
3699c53c
DH		 2042 rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
2043 SECURITY_CAP_NOAUDIT);
1da177e4
LT		 2044 if (rc == 0)
2045 cap_sys_admin = 1;
2046
34b4e4aa 2047 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 2048}
2049
2050/* binprm security operations */
2051
a6f76f23 2052static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2053{
a6f76f23
DH		 2054 const struct task_security_struct *old_tsec;
2055 struct task_security_struct *new_tsec;
1da177e4 2056 struct inode_security_struct *isec;
1da177e4 2057 struct avc_audit_data ad;
a6f76f23 2058 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1da177e4
LT		 2059 int rc;
2060
a6f76f23 2061 rc = secondary_ops->bprm_set_creds(bprm);
1da177e4
LT		 2062 if (rc)
2063 return rc;
2064
a6f76f23
DH		 2065 /* SELinux context only depends on initial program or script and not
2066 * the script interpreter */
2067 if (bprm->cred_prepared)
1da177e4
LT		 2068 return 0;
2069
a6f76f23
DH		 2070 old_tsec = current_security();
2071 new_tsec = bprm->cred->security;
1da177e4
LT		 2072 isec = inode->i_security;
2073
2074 /* Default to the current task SID. */
a6f76f23
DH		 2075 new_tsec->sid = old_tsec->sid;
2076 new_tsec->osid = old_tsec->sid;
1da177e4 2077
28eba5bf 2078 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2079 new_tsec->create_sid = 0;
2080 new_tsec->keycreate_sid = 0;
2081 new_tsec->sockcreate_sid = 0;
1da177e4 2082
a6f76f23
DH		 2083 if (old_tsec->exec_sid) {
2084 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2085 /* Reset exec SID on execve. */
a6f76f23 2086 new_tsec->exec_sid = 0;
1da177e4
LT		 2087 } else {
2088 /* Check for a default transition on this program. */
a6f76f23
DH		 2089 rc = security_transition_sid(old_tsec->sid, isec->sid,
2090 SECCLASS_PROCESS, &new_tsec->sid);
1da177e4
LT		 2091 if (rc)
2092 return rc;
2093 }
2094
2095 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2096 ad.u.fs.path = bprm->file->f_path;
1da177e4 2097
3d5ff529 2098 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
a6f76f23 2099 new_tsec->sid = old_tsec->sid;
1da177e4 2100
a6f76f23
DH		 2101 if (new_tsec->sid == old_tsec->sid) {
2102 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2103 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2104 if (rc)
2105 return rc;
2106 } else {
2107 /* Check permissions for the transition. */
a6f76f23 2108 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2109 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2110 if (rc)
2111 return rc;
2112
a6f76f23 2113 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2114 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2115 if (rc)
2116 return rc;
2117
a6f76f23
DH		 2118 /* Check for shared state */
2119 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2120 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2121 SECCLASS_PROCESS, PROCESS__SHARE,
2122 NULL);
2123 if (rc)
2124 return -EPERM;
2125 }
2126
2127 /* Make sure that anyone attempting to ptrace over a task that
2128 * changes its SID has the appropriate permit */
2129 if (bprm->unsafe &
2130 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2131 struct task_struct *tracer;
2132 struct task_security_struct *sec;
2133 u32 ptsid = 0;
2134
2135 rcu_read_lock();
2136 tracer = tracehook_tracer_task(current);
2137 if (likely(tracer != NULL)) {
2138 sec = __task_cred(tracer)->security;
2139 ptsid = sec->sid;
2140 }
2141 rcu_read_unlock();
2142
2143 if (ptsid != 0) {
2144 rc = avc_has_perm(ptsid, new_tsec->sid,
2145 SECCLASS_PROCESS,
2146 PROCESS__PTRACE, NULL);
2147 if (rc)
2148 return -EPERM;
2149 }
2150 }
1da177e4 2151
a6f76f23
DH		 2152 /* Clear any possibly unsafe personality bits on exec: */
2153 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2154 }
2155
1da177e4
LT		 2156 return 0;
2157}
2158
828dfe1d 2159static int selinux_bprm_check_security(struct linux_binprm *bprm)
1da177e4
LT		 2160{
2161 return secondary_ops->bprm_check_security(bprm);
2162}
2163
828dfe1d 2164static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2165{
275bb41e
DH		 2166 const struct cred *cred = current_cred();
2167 const struct task_security_struct *tsec = cred->security;
2168 u32 sid, osid;
1da177e4
LT		 2169 int atsecure = 0;
2170
275bb41e
DH		 2171 sid = tsec->sid;
2172 osid = tsec->osid;
2173
2174 if (osid != sid) {
1da177e4
LT		 2175 /* Enable secure mode for SIDs transitions unless
2176 the noatsecure permission is granted between
2177 the two SIDs, i.e. ahp returns 0. */
275bb41e 2178 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2179 SECCLASS_PROCESS,
2180 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2181 }
2182
2183 return (atsecure || secondary_ops->bprm_secureexec(bprm));
2184}
2185
1da177e4
LT		 2186extern struct vfsmount *selinuxfs_mount;
2187extern struct dentry *selinux_null;
2188
2189/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2190static inline void flush_unauthorized_files(const struct cred *cred,
2191 struct files_struct *files)
1da177e4
LT		 2192{
2193 struct avc_audit_data ad;
2194 struct file *file, *devnull = NULL;
b20c8122 2195 struct tty_struct *tty;
badf1662 2196 struct fdtable *fdt;
1da177e4 2197 long j = -1;
24ec839c 2198 int drop_tty = 0;
1da177e4 2199
24ec839c 2200 tty = get_current_tty();
1da177e4
LT		 2201 if (tty) {
2202 file_list_lock();
37dd0bd0
EP		 2203 if (!list_empty(&tty->tty_files)) {
2204 struct inode *inode;
2205
1da177e4
LT		 2206 /* Revalidate access to controlling tty.
2207 Use inode_has_perm on the tty inode directly rather
2208 than using file_has_perm, as this particular open
2209 file may belong to another process and we are only
2210 interested in the inode-based check here. */
37dd0bd0
EP		 2211 file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list);
2212 inode = file->f_path.dentry->d_inode;
88e67f3b 2213 if (inode_has_perm(cred, inode,
1da177e4 2214 FILE__READ | FILE__WRITE, NULL)) {
24ec839c 2215 drop_tty = 1;
1da177e4
LT		 2216 }
2217 }
2218 file_list_unlock();
452a00d2 2219 tty_kref_put(tty);
1da177e4 2220 }
98a27ba4
EB		 2221 /* Reset controlling tty. */
2222 if (drop_tty)
2223 no_tty();
1da177e4
LT		 2224
2225 /* Revalidate access to inherited open files. */
2226
828dfe1d 2227 AVC_AUDIT_DATA_INIT(&ad, FS);
1da177e4
LT		 2228
2229 spin_lock(&files->file_lock);
2230 for (;;) {
2231 unsigned long set, i;
2232 int fd;
2233
2234 j++;
2235 i = j * __NFDBITS;
badf1662 2236 fdt = files_fdtable(files);
bbea9f69 2237 if (i >= fdt->max_fds)
1da177e4 2238 break;
badf1662 2239 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 2240 if (!set)
2241 continue;
2242 spin_unlock(&files->file_lock);
828dfe1d 2243 for ( ; set ; i++, set >>= 1) {
1da177e4
LT		 2244 if (set & 1) {
2245 file = fget(i);
2246 if (!file)
2247 continue;
88e67f3b 2248 if (file_has_perm(cred,
1da177e4
LT		 2249 file,
2250 file_to_av(file))) {
2251 sys_close(i);
2252 fd = get_unused_fd();
2253 if (fd != i) {
2254 if (fd >= 0)
2255 put_unused_fd(fd);
2256 fput(file);
2257 continue;
2258 }
2259 if (devnull) {
095975da 2260 get_file(devnull);
1da177e4 2261 } else {
745ca247
DH		 2262 devnull = dentry_open(
2263 dget(selinux_null),
2264 mntget(selinuxfs_mount),
2265 O_RDWR, cred);
fc5d81e6
AM		 2266 if (IS_ERR(devnull)) {
2267 devnull = NULL;
1da177e4
LT		 2268 put_unused_fd(fd);
2269 fput(file);
2270 continue;
2271 }
2272 }
2273 fd_install(fd, devnull);
2274 }
2275 fput(file);
2276 }
2277 }
2278 spin_lock(&files->file_lock);
2279
2280 }
2281 spin_unlock(&files->file_lock);
2282}
2283
a6f76f23
DH		 2284/*
2285 * Prepare a process for imminent new credential changes due to exec
2286 */
2287static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2288{
a6f76f23
DH		 2289 struct task_security_struct *new_tsec;
2290 struct rlimit *rlim, *initrlim;
2291 int rc, i;
d84f4f99 2292
a6f76f23 2293 secondary_ops->bprm_committing_creds(bprm);
1da177e4 2294
a6f76f23
DH		 2295 new_tsec = bprm->cred->security;
2296 if (new_tsec->sid == new_tsec->osid)
2297 return;
1da177e4 2298
a6f76f23
DH		 2299 /* Close files for which the new task SID is not authorized. */
2300 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2301
a6f76f23
DH		 2302 /* Always clear parent death signal on SID transitions. */
2303 current->pdeath_signal = 0;
0356357c 2304
a6f76f23
DH		 2305 /* Check whether the new SID can inherit resource limits from the old
2306 * SID. If not, reset all soft limits to the lower of the current
2307 * task's hard limit and the init task's soft limit.
2308 *
2309 * Note that the setting of hard limits (even to lower them) can be
2310 * controlled by the setrlimit check. The inclusion of the init task's
2311 * soft limit into the computation is to avoid resetting soft limits
2312 * higher than the default soft limit for cases where the default is
2313 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2314 */
2315 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2316 PROCESS__RLIMITINH, NULL);
2317 if (rc) {
2318 for (i = 0; i < RLIM_NLIMITS; i++) {
2319 rlim = current->signal->rlim + i;
2320 initrlim = init_task.signal->rlim + i;
2321 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2322 }
a6f76f23 2323 update_rlimit_cpu(rlim->rlim_cur);
1da177e4
LT		 2324 }
2325}
2326
2327/*
a6f76f23
DH		 2328 * Clean up the process immediately after the installation of new credentials
2329 * due to exec
1da177e4 2330 */
a6f76f23 2331static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2332{
a6f76f23 2333 const struct task_security_struct *tsec = current_security();
1da177e4 2334 struct itimerval itimer;
41d9f9c5 2335 struct sighand_struct *psig;
a6f76f23 2336 u32 osid, sid;
1da177e4 2337 int rc, i;
41d9f9c5 2338 unsigned long flags;
1da177e4 2339
a6f76f23 2340 secondary_ops->bprm_committed_creds(bprm);
1da177e4 2341
a6f76f23
DH		 2342 osid = tsec->osid;
2343 sid = tsec->sid;
2344
2345 if (sid == osid)
1da177e4
LT		 2346 return;
2347
a6f76f23
DH		 2348 /* Check whether the new SID can inherit signal state from the old SID.
2349 * If not, clear itimers to avoid subsequent signal generation and
2350 * flush and unblock signals.
2351 *
2352 * This must occur _after_ the task SID has been updated so that any
2353 * kill done after the flush will be checked against the new SID.
2354 */
2355 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4
LT		 2356 if (rc) {
2357 memset(&itimer, 0, sizeof itimer);
2358 for (i = 0; i < 3; i++)
2359 do_setitimer(i, &itimer, NULL);
2360 flush_signals(current);
2361 spin_lock_irq(&current->sighand->siglock);
2362 flush_signal_handlers(current, 1);
2363 sigemptyset(&current->blocked);
2364 recalc_sigpending();
2365 spin_unlock_irq(&current->sighand->siglock);
2366 }
2367
a6f76f23
DH		 2368 /* Wake up the parent if it is waiting so that it can recheck
2369 * wait permission to the new task SID. */
41d9f9c5
EP		 2370 read_lock_irq(&tasklist_lock);
2371 psig = current->parent->sighand;
2372 spin_lock_irqsave(&psig->siglock, flags);
1da177e4 2373 wake_up_interruptible(&current->parent->signal->wait_chldexit);
41d9f9c5
EP		 2374 spin_unlock_irqrestore(&psig->siglock, flags);
2375 read_unlock_irq(&tasklist_lock);
1da177e4
LT		 2376}
2377
2378/* superblock security operations */
2379
2380static int selinux_sb_alloc_security(struct super_block *sb)
2381{
2382 return superblock_alloc_security(sb);
2383}
2384
2385static void selinux_sb_free_security(struct super_block *sb)
2386{
2387 superblock_free_security(sb);
2388}
2389
2390static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2391{
2392 if (plen > olen)
2393 return 0;
2394
2395 return !memcmp(prefix, option, plen);
2396}
2397
2398static inline int selinux_option(char *option, int len)
2399{
832cbd9a
EP		 2400 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2401 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2402 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2403 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
1da177e4
LT		 2404}
2405
2406static inline void take_option(char **to, char *from, int *first, int len)
2407{
2408 if (!*first) {
2409 **to = ',';
2410 *to += 1;
3528a953 2411 } else
1da177e4
LT		 2412 *first = 0;
2413 memcpy(*to, from, len);
2414 *to += len;
2415}
2416
828dfe1d
EP		 2417static inline void take_selinux_option(char **to, char *from, int *first,
2418 int len)
3528a953
CO		 2419{
2420 int current_size = 0;
2421
2422 if (!*first) {
2423 **to = '|';
2424 *to += 1;
828dfe1d 2425 } else
3528a953
CO		 2426 *first = 0;
2427
2428 while (current_size < len) {
2429 if (*from != '"') {
2430 **to = *from;
2431 *to += 1;
2432 }
2433 from += 1;
2434 current_size += 1;
2435 }
2436}
2437
e0007529 2438static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2439{
2440 int fnosec, fsec, rc = 0;
2441 char *in_save, *in_curr, *in_end;
2442 char *sec_curr, *nosec_save, *nosec;
3528a953 2443 int open_quote = 0;
1da177e4
LT		 2444
2445 in_curr = orig;
2446 sec_curr = copy;
2447
1da177e4
LT		 2448 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2449 if (!nosec) {
2450 rc = -ENOMEM;
2451 goto out;
2452 }
2453
2454 nosec_save = nosec;
2455 fnosec = fsec = 1;
2456 in_save = in_end = orig;
2457
2458 do {
3528a953
CO		 2459 if (*in_end == '"')
2460 open_quote = !open_quote;
2461 if ((*in_end == ',' && open_quote == 0) ||
2462 *in_end == '\0') {
1da177e4
LT		 2463 int len = in_end - in_curr;
2464
2465 if (selinux_option(in_curr, len))
3528a953 2466 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2467 else
2468 take_option(&nosec, in_curr, &fnosec, len);
2469
2470 in_curr = in_end + 1;
2471 }
2472 } while (*in_end++);
2473
6931dfc9 2474 strcpy(in_save, nosec_save);
da3caa20 2475 free_page((unsigned long)nosec_save);
1da177e4
LT		 2476out:
2477 return rc;
2478}
2479
12204e24 2480static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2481{
88e67f3b 2482 const struct cred *cred = current_cred();
1da177e4
LT		 2483 struct avc_audit_data ad;
2484 int rc;
2485
2486 rc = superblock_doinit(sb, data);
2487 if (rc)
2488 return rc;
2489
74192246
JM		 2490 /* Allow all mounts performed by the kernel */
2491 if (flags & MS_KERNMOUNT)
2492 return 0;
2493
828dfe1d 2494 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2495 ad.u.fs.path.dentry = sb->s_root;
88e67f3b 2496 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2497}
2498
726c3342 2499static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2500{
88e67f3b 2501 const struct cred *cred = current_cred();
1da177e4
LT		 2502 struct avc_audit_data ad;
2503
828dfe1d 2504 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2505 ad.u.fs.path.dentry = dentry->d_sb->s_root;
88e67f3b 2506 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2507}
2508
828dfe1d 2509static int selinux_mount(char *dev_name,
b5266eb4 2510 struct path *path,
828dfe1d
EP		 2511 char *type,
2512 unsigned long flags,
2513 void *data)
1da177e4 2514{
88e67f3b 2515 const struct cred *cred = current_cred();
1da177e4
LT		 2516 int rc;
2517
b5266eb4 2518 rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
1da177e4
LT		 2519 if (rc)
2520 return rc;
2521
2522 if (flags & MS_REMOUNT)
88e67f3b 2523 return superblock_has_perm(cred, path->mnt->mnt_sb,
828dfe1d 2524 FILESYSTEM__REMOUNT, NULL);
1da177e4 2525 else
88e67f3b 2526 return dentry_has_perm(cred, path->mnt, path->dentry,
828dfe1d 2527 FILE__MOUNTON);
1da177e4
LT		 2528}
2529
2530static int selinux_umount(struct vfsmount *mnt, int flags)
2531{
88e67f3b 2532 const struct cred *cred = current_cred();
1da177e4
LT		 2533 int rc;
2534
2535 rc = secondary_ops->sb_umount(mnt, flags);
2536 if (rc)
2537 return rc;
2538
88e67f3b 2539 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2540 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2541}
2542
2543/* inode security operations */
2544
2545static int selinux_inode_alloc_security(struct inode *inode)
2546{
2547 return inode_alloc_security(inode);
2548}
2549
2550static void selinux_inode_free_security(struct inode *inode)
2551{
2552 inode_free_security(inode);
2553}
2554
5e41ff9e
SS		 2555static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2556 char **name, void **value,
2557 size_t *len)
2558{
275bb41e
DH		 2559 const struct cred *cred = current_cred();
2560 const struct task_security_struct *tsec = cred->security;
5e41ff9e
SS		 2561 struct inode_security_struct *dsec;
2562 struct superblock_security_struct *sbsec;
275bb41e 2563 u32 sid, newsid, clen;
5e41ff9e 2564 int rc;
570bc1c2 2565 char *namep = NULL, *context;
5e41ff9e 2566
5e41ff9e
SS		 2567 dsec = dir->i_security;
2568 sbsec = dir->i_sb->s_security;
5e41ff9e 2569
275bb41e
DH		 2570 sid = tsec->sid;
2571 newsid = tsec->create_sid;
2572
2573 if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
2574 rc = security_transition_sid(sid, dsec->sid,
5e41ff9e
SS		 2575 inode_mode_to_security_class(inode->i_mode),
2576 &newsid);
2577 if (rc) {
2578 printk(KERN_WARNING "%s: "
2579 "security_transition_sid failed, rc=%d (dev=%s "
2580 "ino=%ld)\n",
dd6f953a 2581 __func__,
5e41ff9e
SS		 2582 -rc, inode->i_sb->s_id, inode->i_ino);
2583 return rc;
2584 }
2585 }
2586
296fddf7
EP		 2587 /* Possibly defer initialization to selinux_complete_init. */
2588 if (sbsec->initialized) {
2589 struct inode_security_struct *isec = inode->i_security;
2590 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2591 isec->sid = newsid;
2592 isec->initialized = 1;
2593 }
5e41ff9e 2594
8aad3875 2595 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
25a74f3b
SS		 2596 return -EOPNOTSUPP;
2597
570bc1c2 2598 if (name) {
a02fe132 2599 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
570bc1c2
SS		 2600 if (!namep)
2601 return -ENOMEM;
2602 *name = namep;
2603 }
5e41ff9e 2604
570bc1c2 2605 if (value && len) {
12b29f34 2606 rc = security_sid_to_context_force(newsid, &context, &clen);
570bc1c2
SS		 2607 if (rc) {
2608 kfree(namep);
2609 return rc;
2610 }
2611 *value = context;
2612 *len = clen;
5e41ff9e 2613 }
5e41ff9e 2614
5e41ff9e
SS		 2615 return 0;
2616}
2617
1da177e4
LT		 2618static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2619{
2620 return may_create(dir, dentry, SECCLASS_FILE);
2621}
2622
1da177e4
LT		 2623static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2624{
2625 int rc;
2626
828dfe1d 2627 rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
1da177e4
LT		 2628 if (rc)
2629 return rc;
2630 return may_link(dir, old_dentry, MAY_LINK);
2631}
2632
1da177e4
LT		 2633static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2634{
2635 int rc;
2636
2637 rc = secondary_ops->inode_unlink(dir, dentry);
2638 if (rc)
2639 return rc;
2640 return may_link(dir, dentry, MAY_UNLINK);
2641}
2642
2643static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2644{
2645 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2646}
2647
1da177e4
LT		 2648static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2649{
2650 return may_create(dir, dentry, SECCLASS_DIR);
2651}
2652
1da177e4
LT		 2653static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2654{
2655 return may_link(dir, dentry, MAY_RMDIR);
2656}
2657
2658static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2659{
2660 int rc;
2661
2662 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2663 if (rc)
2664 return rc;
2665
2666 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2667}
2668
1da177e4 2669static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2670 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2671{
2672 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2673}
2674
1da177e4
LT		 2675static int selinux_inode_readlink(struct dentry *dentry)
2676{
88e67f3b
DH		 2677 const struct cred *cred = current_cred();
2678
2679 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
1da177e4
LT		 2680}
2681
2682static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2683{
88e67f3b 2684 const struct cred *cred = current_cred();
1da177e4
LT		 2685 int rc;
2686
828dfe1d 2687 rc = secondary_ops->inode_follow_link(dentry, nameidata);
1da177e4
LT		 2688 if (rc)
2689 return rc;
88e67f3b 2690 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
1da177e4
LT		 2691}
2692
b77b0646 2693static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2694{
88e67f3b 2695 const struct cred *cred = current_cred();
1da177e4
LT		 2696 int rc;
2697
b77b0646 2698 rc = secondary_ops->inode_permission(inode, mask);
1da177e4
LT		 2699 if (rc)
2700 return rc;
2701
2702 if (!mask) {
2703 /* No permission to check. Existence test. */
2704 return 0;
2705 }
2706
88e67f3b 2707 return inode_has_perm(cred, inode,
8b6a5a37 2708 file_mask_to_av(inode->i_mode, mask), NULL);
1da177e4
LT		 2709}
2710
2711static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2712{
88e67f3b 2713 const struct cred *cred = current_cred();
1da177e4
LT		 2714 int rc;
2715
2716 rc = secondary_ops->inode_setattr(dentry, iattr);
2717 if (rc)
2718 return rc;
2719
2720 if (iattr->ia_valid & ATTR_FORCE)
2721 return 0;
2722
2723 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2724 ATTR_ATIME_SET | ATTR_MTIME_SET))
88e67f3b 2725 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
1da177e4 2726
88e67f3b 2727 return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
1da177e4
LT		 2728}
2729
2730static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2731{
88e67f3b
DH		 2732 const struct cred *cred = current_cred();
2733
2734 return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
1da177e4
LT		 2735}
2736
8f0cfa52 2737static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 2738{
88e67f3b
DH		 2739 const struct cred *cred = current_cred();
2740
b5376771
SH		 2741 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2742 sizeof XATTR_SECURITY_PREFIX - 1)) {
2743 if (!strcmp(name, XATTR_NAME_CAPS)) {
2744 if (!capable(CAP_SETFCAP))
2745 return -EPERM;
2746 } else if (!capable(CAP_SYS_ADMIN)) {
2747 /* A different attribute in the security namespace.
2748 Restrict to administrator. */
2749 return -EPERM;
2750 }
2751 }
2752
2753 /* Not an attribute we recognize, so just check the
2754 ordinary setattr permission. */
88e67f3b 2755 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
b5376771
SH		 2756}
2757
8f0cfa52
DH		 2758static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2759 const void *value, size_t size, int flags)
1da177e4 2760{
1da177e4
LT		 2761 struct inode *inode = dentry->d_inode;
2762 struct inode_security_struct *isec = inode->i_security;
2763 struct superblock_security_struct *sbsec;
2764 struct avc_audit_data ad;
275bb41e 2765 u32 newsid, sid = current_sid();
1da177e4
LT		 2766 int rc = 0;
2767
b5376771
SH		 2768 if (strcmp(name, XATTR_NAME_SELINUX))
2769 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2770
2771 sbsec = inode->i_sb->s_security;
2772 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2773 return -EOPNOTSUPP;
2774
3bd858ab 2775 if (!is_owner_or_cap(inode))
1da177e4
LT		 2776 return -EPERM;
2777
828dfe1d 2778 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2779 ad.u.fs.path.dentry = dentry;
1da177e4 2780
275bb41e 2781 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 2782 FILE__RELABELFROM, &ad);
2783 if (rc)
2784 return rc;
2785
2786 rc = security_context_to_sid(value, size, &newsid);
12b29f34
SS		 2787 if (rc == -EINVAL) {
2788 if (!capable(CAP_MAC_ADMIN))
2789 return rc;
2790 rc = security_context_to_sid_force(value, size, &newsid);
2791 }
1da177e4
LT		 2792 if (rc)
2793 return rc;
2794
275bb41e 2795 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 2796 FILE__RELABELTO, &ad);
2797 if (rc)
2798 return rc;
2799
275bb41e 2800 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 2801 isec->sclass);
1da177e4
LT		 2802 if (rc)
2803 return rc;
2804
2805 return avc_has_perm(newsid,
2806 sbsec->sid,
2807 SECCLASS_FILESYSTEM,
2808 FILESYSTEM__ASSOCIATE,
2809 &ad);
2810}
2811
8f0cfa52 2812static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 2813 const void *value, size_t size,
8f0cfa52 2814 int flags)
1da177e4
LT		 2815{
2816 struct inode *inode = dentry->d_inode;
2817 struct inode_security_struct *isec = inode->i_security;
2818 u32 newsid;
2819 int rc;
2820
2821 if (strcmp(name, XATTR_NAME_SELINUX)) {
2822 /* Not an attribute we recognize, so nothing to do. */
2823 return;
2824 }
2825
12b29f34 2826 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 2827 if (rc) {
12b29f34
SS		 2828 printk(KERN_ERR "SELinux: unable to map context to SID"
2829 "for (%s, %lu), rc=%d\n",
2830 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 2831 return;
2832 }
2833
2834 isec->sid = newsid;
2835 return;
2836}
2837
8f0cfa52 2838static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 2839{
88e67f3b
DH		 2840 const struct cred *cred = current_cred();
2841
2842 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
1da177e4
LT		 2843}
2844
828dfe1d 2845static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 2846{
88e67f3b
DH		 2847 const struct cred *cred = current_cred();
2848
2849 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
1da177e4
LT		 2850}
2851
8f0cfa52 2852static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 2853{
b5376771
SH		 2854 if (strcmp(name, XATTR_NAME_SELINUX))
2855 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2856
2857 /* No one is allowed to remove a SELinux security label.
2858 You can change the label, but all data must be labeled. */
2859 return -EACCES;
2860}
2861
d381d8a9 2862/*
abc69bb6 2863 * Copy the inode security context value to the user.
d381d8a9
JM		 2864 *
2865 * Permission check is handled by selinux_inode_getxattr hook.
2866 */
42492594 2867static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 2868{
42492594
DQ		 2869 u32 size;
2870 int error;
2871 char *context = NULL;
1da177e4 2872 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2873
8c8570fb
DK		 2874 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2875 return -EOPNOTSUPP;
d381d8a9 2876
abc69bb6
SS		 2877 /*
2878 * If the caller has CAP_MAC_ADMIN, then get the raw context
2879 * value even if it is not defined by current policy; otherwise,
2880 * use the in-core value under current policy.
2881 * Use the non-auditing forms of the permission checks since
2882 * getxattr may be called by unprivileged processes commonly
2883 * and lack of permission just means that we fall back to the
2884 * in-core context value, not a denial.
2885 */
3699c53c
DH		 2886 error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
2887 SECURITY_CAP_NOAUDIT);
abc69bb6
SS		 2888 if (!error)
2889 error = security_sid_to_context_force(isec->sid, &context,
2890 &size);
2891 else
2892 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 2893 if (error)
2894 return error;
2895 error = size;
2896 if (alloc) {
2897 *buffer = context;
2898 goto out_nofree;
2899 }
2900 kfree(context);
2901out_nofree:
2902 return error;
1da177e4
LT		 2903}
2904
2905static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 2906 const void *value, size_t size, int flags)
1da177e4
LT		 2907{
2908 struct inode_security_struct *isec = inode->i_security;
2909 u32 newsid;
2910 int rc;
2911
2912 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2913 return -EOPNOTSUPP;
2914
2915 if (!value || !size)
2916 return -EACCES;
2917
828dfe1d 2918 rc = security_context_to_sid((void *)value, size, &newsid);
1da177e4
LT		 2919 if (rc)
2920 return rc;
2921
2922 isec->sid = newsid;
2923 return 0;
2924}
2925
2926static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2927{
2928 const int len = sizeof(XATTR_NAME_SELINUX);
2929 if (buffer && len <= buffer_size)
2930 memcpy(buffer, XATTR_NAME_SELINUX, len);
2931 return len;
2932}
2933
b5376771
SH		 2934static int selinux_inode_need_killpriv(struct dentry *dentry)
2935{
2936 return secondary_ops->inode_need_killpriv(dentry);
2937}
2938
2939static int selinux_inode_killpriv(struct dentry *dentry)
2940{
2941 return secondary_ops->inode_killpriv(dentry);
2942}
2943
713a04ae
AD		 2944static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2945{
2946 struct inode_security_struct *isec = inode->i_security;
2947 *secid = isec->sid;
2948}
2949
1da177e4
LT		 2950/* file security operations */
2951
788e7dd4 2952static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 2953{
88e67f3b 2954 const struct cred *cred = current_cred();
7420ed23 2955 int rc;
3d5ff529 2956 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2957
2958 if (!mask) {
2959 /* No permission to check. Existence test. */
2960 return 0;
2961 }
2962
2963 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2964 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2965 mask |= MAY_APPEND;
2966
88e67f3b 2967 rc = file_has_perm(cred, file,
7420ed23
VY		 2968 file_mask_to_av(inode->i_mode, mask));
2969 if (rc)
2970 return rc;
2971
2972 return selinux_netlbl_inode_permission(inode, mask);
1da177e4
LT		 2973}
2974
788e7dd4
YN		 2975static int selinux_file_permission(struct file *file, int mask)
2976{
2977 struct inode *inode = file->f_path.dentry->d_inode;
788e7dd4
YN		 2978 struct file_security_struct *fsec = file->f_security;
2979 struct inode_security_struct *isec = inode->i_security;
275bb41e 2980 u32 sid = current_sid();
788e7dd4
YN		 2981
2982 if (!mask) {
2983 /* No permission to check. Existence test. */
2984 return 0;
2985 }
2986
275bb41e 2987 if (sid == fsec->sid && fsec->isid == isec->sid
788e7dd4
YN		 2988 && fsec->pseqno == avc_policy_seqno())
2989 return selinux_netlbl_inode_permission(inode, mask);
2990
2991 return selinux_revalidate_file_permission(file, mask);
2992}
2993
1da177e4
LT		 2994static int selinux_file_alloc_security(struct file *file)
2995{
2996 return file_alloc_security(file);
2997}
2998
2999static void selinux_file_free_security(struct file *file)
3000{
3001 file_free_security(file);
3002}
3003
3004static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3005 unsigned long arg)
3006{
88e67f3b 3007 const struct cred *cred = current_cred();
242631c4 3008 u32 av = 0;
1da177e4 3009
242631c4
SS		 3010 if (_IOC_DIR(cmd) & _IOC_WRITE)
3011 av |= FILE__WRITE;
3012 if (_IOC_DIR(cmd) & _IOC_READ)
3013 av |= FILE__READ;
3014 if (!av)
3015 av = FILE__IOCTL;
1da177e4 3016
88e67f3b 3017 return file_has_perm(cred, file, av);
1da177e4
LT		 3018}
3019
3020static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3021{
88e67f3b 3022 const struct cred *cred = current_cred();
d84f4f99 3023 int rc = 0;
88e67f3b 3024
1da177e4
LT		 3025#ifndef CONFIG_PPC32
3026 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3027 /*
3028 * We are making executable an anonymous mapping or a
3029 * private file mapping that will also be writable.
3030 * This has an additional check.
3031 */
d84f4f99 3032 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 3033 if (rc)
d84f4f99 3034 goto error;
1da177e4
LT		 3035 }
3036#endif
3037
3038 if (file) {
3039 /* read access is always possible with a mapping */
3040 u32 av = FILE__READ;
3041
3042 /* write access only matters if the mapping is shared */
3043 if (shared && (prot & PROT_WRITE))
3044 av |= FILE__WRITE;
3045
3046 if (prot & PROT_EXEC)
3047 av |= FILE__EXECUTE;
3048
88e67f3b 3049 return file_has_perm(cred, file, av);
1da177e4 3050 }
d84f4f99
DH		 3051
3052error:
3053 return rc;
1da177e4
LT		 3054}
3055
3056static int selinux_file_mmap(struct file *file, unsigned long reqprot,
ed032189
EP		 3057 unsigned long prot, unsigned long flags,
3058 unsigned long addr, unsigned long addr_only)
1da177e4 3059{
ed032189 3060 int rc = 0;
275bb41e 3061 u32 sid = current_sid();
1da177e4 3062
ed032189
EP		 3063 if (addr < mmap_min_addr)
3064 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3065 MEMPROTECT__MMAP_ZERO, NULL);
3066 if (rc || addr_only)
1da177e4
LT		 3067 return rc;
3068
3069 if (selinux_checkreqprot)
3070 prot = reqprot;
3071
3072 return file_map_prot_check(file, prot,
3073 (flags & MAP_TYPE) == MAP_SHARED);
3074}
3075
3076static int selinux_file_mprotect(struct vm_area_struct *vma,
3077 unsigned long reqprot,
3078 unsigned long prot)
3079{
88e67f3b 3080 const struct cred *cred = current_cred();
1da177e4
LT		 3081 int rc;
3082
3083 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
3084 if (rc)
3085 return rc;
3086
3087 if (selinux_checkreqprot)
3088 prot = reqprot;
3089
3090#ifndef CONFIG_PPC32
db4c9641
SS		 3091 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3092 rc = 0;
3093 if (vma->vm_start >= vma->vm_mm->start_brk &&
3094 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3095 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641
SS		 3096 } else if (!vma->vm_file &&
3097 vma->vm_start <= vma->vm_mm->start_stack &&
3098 vma->vm_end >= vma->vm_mm->start_stack) {
3b11a1de 3099 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3100 } else if (vma->vm_file && vma->anon_vma) {
3101 /*
3102 * We are making executable a file mapping that has
3103 * had some COW done. Since pages might have been
3104 * written, check ability to execute the possibly
3105 * modified content. This typically should only
3106 * occur for text relocations.
3107 */
d84f4f99 3108 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3109 }