projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
arm/arm64: KVM: Fixup incorrect config symbol in comment
[deliverable/linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4 26#include <linux/init.h>
0b24dcb7 27#include <linux/kd.h>
1da177e4 28#include <linux/kernel.h>
0d094efe 29#include <linux/tracehook.h>
1da177e4
LT		 30#include <linux/errno.h>
31#include <linux/sched.h>
32#include <linux/security.h>
33#include <linux/xattr.h>
34#include <linux/capability.h>
35#include <linux/unistd.h>
36#include <linux/mm.h>
37#include <linux/mman.h>
38#include <linux/slab.h>
39#include <linux/pagemap.h>
0b24dcb7 40#include <linux/proc_fs.h>
1da177e4 41#include <linux/swap.h>
1da177e4
LT		 42#include <linux/spinlock.h>
43#include <linux/syscalls.h>
2a7dba39 44#include <linux/dcache.h>
1da177e4 45#include <linux/file.h>
9f3acc31 46#include <linux/fdtable.h>
1da177e4
LT		 47#include <linux/namei.h>
48#include <linux/mount.h>
1da177e4
LT		 49#include <linux/netfilter_ipv4.h>
50#include <linux/netfilter_ipv6.h>
51#include <linux/tty.h>
52#include <net/icmp.h>
227b60f5 53#include <net/ip.h> /* for local_port_range[] */
ca10b9e9 54#include <net/sock.h>
1da177e4 55#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 56#include <net/inet_connection_sock.h>
220deb96 57#include <net/net_namespace.h>
d621d35e 58#include <net/netlabel.h>
f5269710 59#include <linux/uaccess.h>
1da177e4 60#include <asm/ioctls.h>
60063497 61#include <linux/atomic.h>
1da177e4
LT		 62#include <linux/bitops.h>
63#include <linux/interrupt.h>
64#include <linux/netdevice.h> /* for network interface checks */
77954983 65#include <net/netlink.h>
1da177e4
LT		 66#include <linux/tcp.h>
67#include <linux/udp.h>
2ee92d46 68#include <linux/dccp.h>
1da177e4
LT		 69#include <linux/quota.h>
70#include <linux/un.h> /* for Unix socket types */
71#include <net/af_unix.h> /* for Unix socket types */
72#include <linux/parser.h>
73#include <linux/nfs_mount.h>
74#include <net/ipv6.h>
75#include <linux/hugetlb.h>
76#include <linux/personality.h>
1da177e4 77#include <linux/audit.h>
6931dfc9 78#include <linux/string.h>
877ce7c1 79#include <linux/selinux.h>
23970741 80#include <linux/mutex.h>
f06febc9 81#include <linux/posix-timers.h>
00234592 82#include <linux/syslog.h>
3486740a 83#include <linux/user_namespace.h>
44fc7ea0 84#include <linux/export.h>
40401530
AV		 85#include <linux/msg.h>
86#include <linux/shm.h>
1da177e4
LT		 87
88#include "avc.h"
89#include "objsec.h"
90#include "netif.h"
224dfbd8 91#include "netnode.h"
3e112172 92#include "netport.h"
d28d1e08 93#include "xfrm.h"
c60475bf 94#include "netlabel.h"
9d57a7f9 95#include "audit.h"
7b98a585 96#include "avc_ss.h"
1da177e4 97
d621d35e 98/* SECMARK reference count */
56a4ca99 99static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 100
1da177e4 101#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 102int selinux_enforcing;
1da177e4
LT		 103
104static int __init enforcing_setup(char *str)
105{
f5269710 106 unsigned long enforcing;
29707b20 107 if (!kstrtoul(str, 0, &enforcing))
f5269710 108 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 109 return 1;
110}
111__setup("enforcing=", enforcing_setup);
112#endif
113
114#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116
117static int __init selinux_enabled_setup(char *str)
118{
f5269710 119 unsigned long enabled;
29707b20 120 if (!kstrtoul(str, 0, &enabled))
f5269710 121 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 122 return 1;
123}
124__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 125#else
126int selinux_enabled = 1;
1da177e4
LT		 127#endif
128
e18b890b 129static struct kmem_cache *sel_inode_cache;
7cae7e26 130
d621d35e
PM		 131/**
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133 *
134 * Description:
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 138 * enabled, false (0) if SECMARK is disabled. If the always_check_network
139 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 140 *
141 */
142static int selinux_secmark_enabled(void)
143{
2be4d74f
CP		 144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145}
146
147/**
148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149 *
150 * Description:
151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
152 * (1) if any are enabled or false (0) if neither are enabled. If the
153 * always_check_network policy capability is enabled, peer labeling
154 * is always considered enabled.
155 *
156 */
157static int selinux_peerlbl_enabled(void)
158{
159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 160}
161
615e51fd
PM		 162static int selinux_netcache_avc_callback(u32 event)
163{
164 if (event == AVC_CALLBACK_RESET) {
165 sel_netif_flush();
166 sel_netnode_flush();
167 sel_netport_flush();
168 synchronize_net();
169 }
170 return 0;
171}
172
d84f4f99
DH		 173/*
174 * initialise the security for the init task
175 */
176static void cred_init_security(void)
1da177e4 177{
3b11a1de 178 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 179 struct task_security_struct *tsec;
180
89d155ef 181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 182 if (!tsec)
d84f4f99 183 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 184
d84f4f99 185 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 186 cred->security = tsec;
1da177e4
LT		 187}
188
88e67f3b
DH		 189/*
190 * get the security ID of a set of credentials
191 */
192static inline u32 cred_sid(const struct cred *cred)
193{
194 const struct task_security_struct *tsec;
195
196 tsec = cred->security;
197 return tsec->sid;
198}
199
275bb41e 200/*
3b11a1de 201 * get the objective security ID of a task
275bb41e
DH		 202 */
203static inline u32 task_sid(const struct task_struct *task)
204{
275bb41e
DH		 205 u32 sid;
206
207 rcu_read_lock();
88e67f3b 208 sid = cred_sid(__task_cred(task));
275bb41e
DH		 209 rcu_read_unlock();
210 return sid;
211}
212
213/*
3b11a1de 214 * get the subjective security ID of the current task
275bb41e
DH		 215 */
216static inline u32 current_sid(void)
217{
5fb49870 218 const struct task_security_struct *tsec = current_security();
275bb41e
DH		 219
220 return tsec->sid;
221}
222
88e67f3b
DH		 223/* Allocate and free functions for each kind of security blob. */
224
1da177e4
LT		 225static int inode_alloc_security(struct inode *inode)
226{
1da177e4 227 struct inode_security_struct *isec;
275bb41e 228 u32 sid = current_sid();
1da177e4 229
a02fe132 230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 231 if (!isec)
232 return -ENOMEM;
233
23970741 234 mutex_init(&isec->lock);
1da177e4 235 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 236 isec->inode = inode;
237 isec->sid = SECINITSID_UNLABELED;
238 isec->sclass = SECCLASS_FILE;
275bb41e 239 isec->task_sid = sid;
1da177e4
LT		 240 inode->i_security = isec;
241
242 return 0;
243}
244
3dc91d43
SR		 245static void inode_free_rcu(struct rcu_head *head)
246{
247 struct inode_security_struct *isec;
248
249 isec = container_of(head, struct inode_security_struct, rcu);
250 kmem_cache_free(sel_inode_cache, isec);
251}
252
1da177e4
LT		 253static void inode_free_security(struct inode *inode)
254{
255 struct inode_security_struct *isec = inode->i_security;
256 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
257
1da177e4
LT		 258 spin_lock(&sbsec->isec_lock);
259 if (!list_empty(&isec->list))
260 list_del_init(&isec->list);
261 spin_unlock(&sbsec->isec_lock);
262
3dc91d43
SR		 263 /*
264 * The inode may still be referenced in a path walk and
265 * a call to selinux_inode_permission() can be made
266 * after inode_free_security() is called. Ideally, the VFS
267 * wouldn't do this, but fixing that is a much harder
268 * job. For now, simply free the i_security via RCU, and
269 * leave the current inode->i_security pointer intact.
270 * The inode will be freed after the RCU grace period too.
271 */
272 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 273}
274
275static int file_alloc_security(struct file *file)
276{
1da177e4 277 struct file_security_struct *fsec;
275bb41e 278 u32 sid = current_sid();
1da177e4 279
26d2a4be 280 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 281 if (!fsec)
282 return -ENOMEM;
283
275bb41e
DH		 284 fsec->sid = sid;
285 fsec->fown_sid = sid;
1da177e4
LT		 286 file->f_security = fsec;
287
288 return 0;
289}
290
291static void file_free_security(struct file *file)
292{
293 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 294 file->f_security = NULL;
295 kfree(fsec);
296}
297
298static int superblock_alloc_security(struct super_block *sb)
299{
300 struct superblock_security_struct *sbsec;
301
89d155ef 302 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 303 if (!sbsec)
304 return -ENOMEM;
305
bc7e982b 306 mutex_init(&sbsec->lock);
1da177e4
LT		 307 INIT_LIST_HEAD(&sbsec->isec_head);
308 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 309 sbsec->sb = sb;
310 sbsec->sid = SECINITSID_UNLABELED;
311 sbsec->def_sid = SECINITSID_FILE;
c312feb2 312 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 313 sb->s_security = sbsec;
314
315 return 0;
316}
317
318static void superblock_free_security(struct super_block *sb)
319{
320 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 321 sb->s_security = NULL;
322 kfree(sbsec);
323}
324
1da177e4
LT		 325/* The file system's label must be initialized prior to use. */
326
eb9ae686 327static const char *labeling_behaviors[7] = {
1da177e4
LT		 328 "uses xattr",
329 "uses transition SIDs",
330 "uses task SIDs",
331 "uses genfs_contexts",
332 "not configured for labeling",
333 "uses mountpoint labeling",
eb9ae686 334 "uses native labeling",
1da177e4
LT		 335};
336
337static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
338
339static inline int inode_doinit(struct inode *inode)
340{
341 return inode_doinit_with_dentry(inode, NULL);
342}
343
344enum {
31e87930 345 Opt_error = -1,
1da177e4
LT		 346 Opt_context = 1,
347 Opt_fscontext = 2,
c9180a57
EP		 348 Opt_defcontext = 3,
349 Opt_rootcontext = 4,
11689d47 350 Opt_labelsupport = 5,
d355987f 351 Opt_nextmntopt = 6,
1da177e4
LT		 352};
353
d355987f
EP		 354#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
355
a447c093 356static const match_table_t tokens = {
832cbd9a
EP		 357 {Opt_context, CONTEXT_STR "%s"},
358 {Opt_fscontext, FSCONTEXT_STR "%s"},
359 {Opt_defcontext, DEFCONTEXT_STR "%s"},
360 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 361 {Opt_labelsupport, LABELSUPP_STR},
31e87930 362 {Opt_error, NULL},
1da177e4
LT		 363};
364
365#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
366
c312feb2
EP		 367static int may_context_mount_sb_relabel(u32 sid,
368 struct superblock_security_struct *sbsec,
275bb41e 369 const struct cred *cred)
c312feb2 370{
275bb41e 371 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 372 int rc;
373
374 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
375 FILESYSTEM__RELABELFROM, NULL);
376 if (rc)
377 return rc;
378
379 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
380 FILESYSTEM__RELABELTO, NULL);
381 return rc;
382}
383
0808925e
EP		 384static int may_context_mount_inode_relabel(u32 sid,
385 struct superblock_security_struct *sbsec,
275bb41e 386 const struct cred *cred)
0808925e 387{
275bb41e 388 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 389 int rc;
390 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
391 FILESYSTEM__RELABELFROM, NULL);
392 if (rc)
393 return rc;
394
395 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
396 FILESYSTEM__ASSOCIATE, NULL);
397 return rc;
398}
399
b43e725d
EP		 400static int selinux_is_sblabel_mnt(struct super_block *sb)
401{
402 struct superblock_security_struct *sbsec = sb->s_security;
403
404 if (sbsec->behavior == SECURITY_FS_USE_XATTR ||
405 sbsec->behavior == SECURITY_FS_USE_TRANS ||
406 sbsec->behavior == SECURITY_FS_USE_TASK)
407 return 1;
408
409 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
410 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
411 return 1;
412
413 /*
414 * Special handling for rootfs. Is genfs but supports
415 * setting SELinux context on in-core inodes.
416 */
417 if (strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0)
418 return 1;
419
420 return 0;
421}
422
c9180a57 423static int sb_finish_set_opts(struct super_block *sb)
1da177e4 424{
1da177e4 425 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 426 struct dentry *root = sb->s_root;
427 struct inode *root_inode = root->d_inode;
428 int rc = 0;
1da177e4 429
c9180a57
EP		 430 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
431 /* Make sure that the xattr handler exists and that no
432 error other than -ENODATA is returned by getxattr on
433 the root directory. -ENODATA is ok, as this may be
434 the first boot of the SELinux kernel before we have
435 assigned xattr values to the filesystem. */
436 if (!root_inode->i_op->getxattr) {
29b1deb2
LT		 437 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
438 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 439 rc = -EOPNOTSUPP;
440 goto out;
441 }
442 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
443 if (rc < 0 && rc != -ENODATA) {
444 if (rc == -EOPNOTSUPP)
445 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 446 "%s) has no security xattr handler\n",
447 sb->s_id, sb->s_type->name);
c9180a57
EP		 448 else
449 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 450 "%s) getxattr errno %d\n", sb->s_id,
451 sb->s_type->name, -rc);
c9180a57
EP		 452 goto out;
453 }
454 }
1da177e4 455
c9180a57 456 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
29b1deb2
LT		 457 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
458 sb->s_id, sb->s_type->name);
c9180a57 459 else
29b1deb2
LT		 460 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
461 sb->s_id, sb->s_type->name,
c9180a57 462 labeling_behaviors[sbsec->behavior-1]);
1da177e4 463
eadcabc6 464 sbsec->flags |= SE_SBINITIALIZED;
b43e725d 465 if (selinux_is_sblabel_mnt(sb))
12f348b9 466 sbsec->flags |= SBLABEL_MNT;
ddd29ec6 467
c9180a57
EP		 468 /* Initialize the root inode. */
469 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 470
c9180a57
EP		 471 /* Initialize any other inodes associated with the superblock, e.g.
472 inodes created prior to initial policy load or inodes created
473 during get_sb by a pseudo filesystem that directly
474 populates itself. */
475 spin_lock(&sbsec->isec_lock);
476next_inode:
477 if (!list_empty(&sbsec->isec_head)) {
478 struct inode_security_struct *isec =
479 list_entry(sbsec->isec_head.next,
480 struct inode_security_struct, list);
481 struct inode *inode = isec->inode;
923190d3 482 list_del_init(&isec->list);
c9180a57
EP		 483 spin_unlock(&sbsec->isec_lock);
484 inode = igrab(inode);
485 if (inode) {
486 if (!IS_PRIVATE(inode))
487 inode_doinit(inode);
488 iput(inode);
489 }
490 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 491 goto next_inode;
492 }
493 spin_unlock(&sbsec->isec_lock);
494out:
495 return rc;
496}
1da177e4 497
c9180a57
EP		 498/*
499 * This function should allow an FS to ask what it's mount security
500 * options were so it can use those later for submounts, displaying
501 * mount options, or whatever.
502 */
503static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 504 struct security_mnt_opts *opts)
c9180a57
EP		 505{
506 int rc = 0, i;
507 struct superblock_security_struct *sbsec = sb->s_security;
508 char *context = NULL;
509 u32 len;
510 char tmp;
1da177e4 511
e0007529 512 security_init_mnt_opts(opts);
1da177e4 513
0d90a7ec 514 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 515 return -EINVAL;
1da177e4 516
c9180a57
EP		 517 if (!ss_initialized)
518 return -EINVAL;
1da177e4 519
af8e50cc
EP		 520 /* make sure we always check enough bits to cover the mask */
521 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
522
0d90a7ec 523 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 524 /* count the number of mount options for this sb */
af8e50cc 525 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 526 if (tmp & 0x01)
e0007529 527 opts->num_mnt_opts++;
c9180a57
EP		 528 tmp >>= 1;
529 }
11689d47 530 /* Check if the Label support flag is set */
0b4bdb35 531 if (sbsec->flags & SBLABEL_MNT)
11689d47 532 opts->num_mnt_opts++;
1da177e4 533
e0007529
EP		 534 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
535 if (!opts->mnt_opts) {
c9180a57
EP		 536 rc = -ENOMEM;
537 goto out_free;
538 }
1da177e4 539
e0007529
EP		 540 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
541 if (!opts->mnt_opts_flags) {
c9180a57
EP		 542 rc = -ENOMEM;
543 goto out_free;
544 }
1da177e4 545
c9180a57
EP		 546 i = 0;
547 if (sbsec->flags & FSCONTEXT_MNT) {
548 rc = security_sid_to_context(sbsec->sid, &context, &len);
549 if (rc)
550 goto out_free;
e0007529
EP		 551 opts->mnt_opts[i] = context;
552 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 553 }
554 if (sbsec->flags & CONTEXT_MNT) {
555 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
556 if (rc)
557 goto out_free;
e0007529
EP		 558 opts->mnt_opts[i] = context;
559 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 560 }
561 if (sbsec->flags & DEFCONTEXT_MNT) {
562 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
563 if (rc)
564 goto out_free;
e0007529
EP		 565 opts->mnt_opts[i] = context;
566 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 567 }
568 if (sbsec->flags & ROOTCONTEXT_MNT) {
569 struct inode *root = sbsec->sb->s_root->d_inode;
570 struct inode_security_struct *isec = root->i_security;
0808925e 571
c9180a57
EP		 572 rc = security_sid_to_context(isec->sid, &context, &len);
573 if (rc)
574 goto out_free;
e0007529
EP		 575 opts->mnt_opts[i] = context;
576 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 577 }
12f348b9 578 if (sbsec->flags & SBLABEL_MNT) {
11689d47 579 opts->mnt_opts[i] = NULL;
12f348b9 580 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 581 }
1da177e4 582
e0007529 583 BUG_ON(i != opts->num_mnt_opts);
1da177e4 584
c9180a57
EP		 585 return 0;
586
587out_free:
e0007529 588 security_free_mnt_opts(opts);
c9180a57
EP		 589 return rc;
590}
1da177e4 591
c9180a57
EP		 592static int bad_option(struct superblock_security_struct *sbsec, char flag,
593 u32 old_sid, u32 new_sid)
594{
0d90a7ec
DQ		 595 char mnt_flags = sbsec->flags & SE_MNTMASK;
596
c9180a57 597 /* check if the old mount command had the same options */
0d90a7ec 598 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 599 if (!(sbsec->flags & flag) ||
600 (old_sid != new_sid))
601 return 1;
602
603 /* check if we were passed the same options twice,
604 * aka someone passed context=a,context=b
605 */
0d90a7ec
DQ		 606 if (!(sbsec->flags & SE_SBINITIALIZED))
607 if (mnt_flags & flag)
c9180a57
EP		 608 return 1;
609 return 0;
610}
e0007529 611
c9180a57
EP		 612/*
613 * Allow filesystems with binary mount data to explicitly set mount point
614 * labeling information.
615 */
e0007529 616static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 617 struct security_mnt_opts *opts,
618 unsigned long kern_flags,
619 unsigned long *set_kern_flags)
c9180a57 620{
275bb41e 621 const struct cred *cred = current_cred();
c9180a57 622 int rc = 0, i;
c9180a57 623 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 624 const char *name = sb->s_type->name;
089be43e
JM		 625 struct inode *inode = sbsec->sb->s_root->d_inode;
626 struct inode_security_struct *root_isec = inode->i_security;
c9180a57
EP		 627 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
628 u32 defcontext_sid = 0;
e0007529
EP		 629 char **mount_options = opts->mnt_opts;
630 int *flags = opts->mnt_opts_flags;
631 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 632
633 mutex_lock(&sbsec->lock);
634
635 if (!ss_initialized) {
636 if (!num_opts) {
637 /* Defer initialization until selinux_complete_init,
638 after the initial policy is loaded and the security
639 server is ready to handle calls. */
c9180a57
EP		 640 goto out;
641 }
642 rc = -EINVAL;
744ba35e
EP		 643 printk(KERN_WARNING "SELinux: Unable to set superblock options "
644 "before the security server is initialized\n");
1da177e4 645 goto out;
c9180a57 646 }
649f6e77
DQ		 647 if (kern_flags && !set_kern_flags) {
648 /* Specifying internal flags without providing a place to
649 * place the results is not allowed */
650 rc = -EINVAL;
651 goto out;
652 }
1da177e4 653
e0007529
EP		 654 /*
655 * Binary mount data FS will come through this function twice. Once
656 * from an explicit call and once from the generic calls from the vfs.
657 * Since the generic VFS calls will not contain any security mount data
658 * we need to skip the double mount verification.
659 *
660 * This does open a hole in which we will not notice if the first
661 * mount using this sb set explict options and a second mount using
662 * this sb does not set any security options. (The first options
663 * will be used for both mounts)
664 */
0d90a7ec 665 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 666 && (num_opts == 0))
f5269710 667 goto out;
e0007529 668
c9180a57
EP		 669 /*
670 * parse the mount options, check if they are valid sids.
671 * also check if someone is trying to mount the same sb more
672 * than once with different security options.
673 */
674 for (i = 0; i < num_opts; i++) {
675 u32 sid;
11689d47 676
12f348b9 677 if (flags[i] == SBLABEL_MNT)
11689d47 678 continue;
c9180a57 679 rc = security_context_to_sid(mount_options[i],
52a4c640 680 strlen(mount_options[i]), &sid, GFP_KERNEL);
1da177e4
LT		 681 if (rc) {
682 printk(KERN_WARNING "SELinux: security_context_to_sid"
29b1deb2
LT		 683 "(%s) failed for (dev %s, type %s) errno=%d\n",
684 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 685 goto out;
686 }
687 switch (flags[i]) {
688 case FSCONTEXT_MNT:
689 fscontext_sid = sid;
690
691 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
692 fscontext_sid))
693 goto out_double_mount;
694
695 sbsec->flags |= FSCONTEXT_MNT;
696 break;
697 case CONTEXT_MNT:
698 context_sid = sid;
699
700 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
701 context_sid))
702 goto out_double_mount;
703
704 sbsec->flags |= CONTEXT_MNT;
705 break;
706 case ROOTCONTEXT_MNT:
707 rootcontext_sid = sid;
708
709 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
710 rootcontext_sid))
711 goto out_double_mount;
712
713 sbsec->flags |= ROOTCONTEXT_MNT;
714
715 break;
716 case DEFCONTEXT_MNT:
717 defcontext_sid = sid;
718
719 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
720 defcontext_sid))
721 goto out_double_mount;
722
723 sbsec->flags |= DEFCONTEXT_MNT;
724
725 break;
726 default:
727 rc = -EINVAL;
728 goto out;
1da177e4 729 }
c9180a57
EP		 730 }
731
0d90a7ec 732 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 733 /* previously mounted with options, but not on this attempt? */
0d90a7ec 734 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 735 goto out_double_mount;
736 rc = 0;
737 goto out;
738 }
739
089be43e 740 if (strcmp(sb->s_type->name, "proc") == 0)
0d90a7ec 741 sbsec->flags |= SE_SBPROC;
c9180a57 742
eb9ae686
DQ		 743 if (!sbsec->behavior) {
744 /*
745 * Determine the labeling behavior to use for this
746 * filesystem type.
747 */
98f700f3 748 rc = security_fs_use(sb);
eb9ae686
DQ		 749 if (rc) {
750 printk(KERN_WARNING
751 "%s: security_fs_use(%s) returned %d\n",
752 __func__, sb->s_type->name, rc);
753 goto out;
754 }
c9180a57 755 }
c9180a57
EP		 756 /* sets the context of the superblock for the fs being mounted. */
757 if (fscontext_sid) {
275bb41e 758 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 759 if (rc)
c9180a57 760 goto out;
1da177e4 761
c9180a57 762 sbsec->sid = fscontext_sid;
c312feb2
EP		 763 }
764
765 /*
766 * Switch to using mount point labeling behavior.
767 * sets the label used on all file below the mountpoint, and will set
768 * the superblock context if not already set.
769 */
eb9ae686
DQ		 770 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
771 sbsec->behavior = SECURITY_FS_USE_NATIVE;
772 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
773 }
774
c9180a57
EP		 775 if (context_sid) {
776 if (!fscontext_sid) {
275bb41e
DH		 777 rc = may_context_mount_sb_relabel(context_sid, sbsec,
778 cred);
b04ea3ce 779 if (rc)
c9180a57
EP		 780 goto out;
781 sbsec->sid = context_sid;
b04ea3ce 782 } else {
275bb41e
DH		 783 rc = may_context_mount_inode_relabel(context_sid, sbsec,
784 cred);
b04ea3ce 785 if (rc)
c9180a57 786 goto out;
b04ea3ce 787 }
c9180a57
EP		 788 if (!rootcontext_sid)
789 rootcontext_sid = context_sid;
1da177e4 790
c9180a57 791 sbsec->mntpoint_sid = context_sid;
c312feb2 792 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 793 }
794
c9180a57 795 if (rootcontext_sid) {
275bb41e
DH		 796 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
797 cred);
0808925e 798 if (rc)
c9180a57 799 goto out;
0808925e 800
c9180a57
EP		 801 root_isec->sid = rootcontext_sid;
802 root_isec->initialized = 1;
0808925e
EP		 803 }
804
c9180a57 805 if (defcontext_sid) {
eb9ae686
DQ		 806 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
807 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 808 rc = -EINVAL;
809 printk(KERN_WARNING "SELinux: defcontext option is "
810 "invalid for this filesystem type\n");
811 goto out;
1da177e4
LT		 812 }
813
c9180a57
EP		 814 if (defcontext_sid != sbsec->def_sid) {
815 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 816 sbsec, cred);
c9180a57
EP		 817 if (rc)
818 goto out;
819 }
1da177e4 820
c9180a57 821 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 822 }
823
c9180a57 824 rc = sb_finish_set_opts(sb);
1da177e4 825out:
c9180a57 826 mutex_unlock(&sbsec->lock);
1da177e4 827 return rc;
c9180a57
EP		 828out_double_mount:
829 rc = -EINVAL;
830 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 831 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 832 goto out;
1da177e4
LT		 833}
834
094f7b69
JL		 835static int selinux_cmp_sb_context(const struct super_block *oldsb,
836 const struct super_block *newsb)
837{
838 struct superblock_security_struct *old = oldsb->s_security;
839 struct superblock_security_struct *new = newsb->s_security;
840 char oldflags = old->flags & SE_MNTMASK;
841 char newflags = new->flags & SE_MNTMASK;
842
843 if (oldflags != newflags)
844 goto mismatch;
845 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
846 goto mismatch;
847 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
848 goto mismatch;
849 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
850 goto mismatch;
851 if (oldflags & ROOTCONTEXT_MNT) {
852 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
853 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
854 if (oldroot->sid != newroot->sid)
855 goto mismatch;
856 }
857 return 0;
858mismatch:
859 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
860 "different security settings for (dev %s, "
861 "type %s)\n", newsb->s_id, newsb->s_type->name);
862 return -EBUSY;
863}
864
865static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
c9180a57 866 struct super_block *newsb)
1da177e4 867{
c9180a57
EP		 868 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
869 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 870
c9180a57
EP		 871 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
872 int set_context = (oldsbsec->flags & CONTEXT_MNT);
873 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 874
0f5e6420
EP		 875 /*
876 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 877 * mount options. thus we can safely deal with this superblock later
0f5e6420 878 */
e8c26255 879 if (!ss_initialized)
094f7b69 880 return 0;
c9180a57 881
c9180a57 882 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 883 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 884
094f7b69 885 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 886 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 887 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 888
c9180a57
EP		 889 mutex_lock(&newsbsec->lock);
890
891 newsbsec->flags = oldsbsec->flags;
892
893 newsbsec->sid = oldsbsec->sid;
894 newsbsec->def_sid = oldsbsec->def_sid;
895 newsbsec->behavior = oldsbsec->behavior;
896
897 if (set_context) {
898 u32 sid = oldsbsec->mntpoint_sid;
899
900 if (!set_fscontext)
901 newsbsec->sid = sid;
902 if (!set_rootcontext) {
903 struct inode *newinode = newsb->s_root->d_inode;
904 struct inode_security_struct *newisec = newinode->i_security;
905 newisec->sid = sid;
906 }
907 newsbsec->mntpoint_sid = sid;
1da177e4 908 }
c9180a57
EP		 909 if (set_rootcontext) {
910 const struct inode *oldinode = oldsb->s_root->d_inode;
911 const struct inode_security_struct *oldisec = oldinode->i_security;
912 struct inode *newinode = newsb->s_root->d_inode;
913 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 914
c9180a57 915 newisec->sid = oldisec->sid;
1da177e4
LT		 916 }
917
c9180a57
EP		 918 sb_finish_set_opts(newsb);
919 mutex_unlock(&newsbsec->lock);
094f7b69 920 return 0;
c9180a57
EP		 921}
922
2e1479d9
AB		 923static int selinux_parse_opts_str(char *options,
924 struct security_mnt_opts *opts)
c9180a57 925{
e0007529 926 char *p;
c9180a57
EP		 927 char *context = NULL, *defcontext = NULL;
928 char *fscontext = NULL, *rootcontext = NULL;
e0007529 929 int rc, num_mnt_opts = 0;
1da177e4 930
e0007529 931 opts->num_mnt_opts = 0;
1da177e4 932
c9180a57
EP		 933 /* Standard string-based options. */
934 while ((p = strsep(&options, "|")) != NULL) {
935 int token;
936 substring_t args[MAX_OPT_ARGS];
1da177e4 937
c9180a57
EP		 938 if (!*p)
939 continue;
1da177e4 940
c9180a57 941 token = match_token(p, tokens, args);
1da177e4 942
c9180a57
EP		 943 switch (token) {
944 case Opt_context:
945 if (context || defcontext) {
946 rc = -EINVAL;
947 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
948 goto out_err;
949 }
950 context = match_strdup(&args[0]);
951 if (!context) {
952 rc = -ENOMEM;
953 goto out_err;
954 }
955 break;
956
957 case Opt_fscontext:
958 if (fscontext) {
959 rc = -EINVAL;
960 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
961 goto out_err;
962 }
963 fscontext = match_strdup(&args[0]);
964 if (!fscontext) {
965 rc = -ENOMEM;
966 goto out_err;
967 }
968 break;
969
970 case Opt_rootcontext:
971 if (rootcontext) {
972 rc = -EINVAL;
973 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
974 goto out_err;
975 }
976 rootcontext = match_strdup(&args[0]);
977 if (!rootcontext) {
978 rc = -ENOMEM;
979 goto out_err;
980 }
981 break;
982
983 case Opt_defcontext:
984 if (context || defcontext) {
985 rc = -EINVAL;
986 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
987 goto out_err;
988 }
989 defcontext = match_strdup(&args[0]);
990 if (!defcontext) {
991 rc = -ENOMEM;
992 goto out_err;
993 }
994 break;
11689d47
DQ		 995 case Opt_labelsupport:
996 break;
c9180a57
EP		 997 default:
998 rc = -EINVAL;
999 printk(KERN_WARNING "SELinux: unknown mount option\n");
1000 goto out_err;
1da177e4 1001
1da177e4 1002 }
1da177e4 1003 }
c9180a57 1004
e0007529
EP		 1005 rc = -ENOMEM;
1006 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1007 if (!opts->mnt_opts)
1008 goto out_err;
1009
1010 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1011 if (!opts->mnt_opts_flags) {
1012 kfree(opts->mnt_opts);
1013 goto out_err;
1014 }
1015
c9180a57 1016 if (fscontext) {
e0007529
EP		 1017 opts->mnt_opts[num_mnt_opts] = fscontext;
1018 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1019 }
1020 if (context) {
e0007529
EP		 1021 opts->mnt_opts[num_mnt_opts] = context;
1022 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1023 }
1024 if (rootcontext) {
e0007529
EP		 1025 opts->mnt_opts[num_mnt_opts] = rootcontext;
1026 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1027 }
1028 if (defcontext) {
e0007529
EP		 1029 opts->mnt_opts[num_mnt_opts] = defcontext;
1030 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1031 }
1032
e0007529
EP		 1033 opts->num_mnt_opts = num_mnt_opts;
1034 return 0;
1035
c9180a57
EP		 1036out_err:
1037 kfree(context);
1038 kfree(defcontext);
1039 kfree(fscontext);
1040 kfree(rootcontext);
1da177e4
LT		 1041 return rc;
1042}
e0007529
EP		 1043/*
1044 * string mount options parsing and call set the sbsec
1045 */
1046static int superblock_doinit(struct super_block *sb, void *data)
1047{
1048 int rc = 0;
1049 char *options = data;
1050 struct security_mnt_opts opts;
1051
1052 security_init_mnt_opts(&opts);
1053
1054 if (!data)
1055 goto out;
1056
1057 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1058
1059 rc = selinux_parse_opts_str(options, &opts);
1060 if (rc)
1061 goto out_err;
1062
1063out:
649f6e77 1064 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1065
1066out_err:
1067 security_free_mnt_opts(&opts);
1068 return rc;
1069}
1da177e4 1070
3583a711
AB		 1071static void selinux_write_opts(struct seq_file *m,
1072 struct security_mnt_opts *opts)
2069f457
EP		 1073{
1074 int i;
1075 char *prefix;
1076
1077 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1078 char *has_comma;
1079
1080 if (opts->mnt_opts[i])
1081 has_comma = strchr(opts->mnt_opts[i], ',');
1082 else
1083 has_comma = NULL;
2069f457
EP		 1084
1085 switch (opts->mnt_opts_flags[i]) {
1086 case CONTEXT_MNT:
1087 prefix = CONTEXT_STR;
1088 break;
1089 case FSCONTEXT_MNT:
1090 prefix = FSCONTEXT_STR;
1091 break;
1092 case ROOTCONTEXT_MNT:
1093 prefix = ROOTCONTEXT_STR;
1094 break;
1095 case DEFCONTEXT_MNT:
1096 prefix = DEFCONTEXT_STR;
1097 break;
12f348b9 1098 case SBLABEL_MNT:
11689d47
DQ		 1099 seq_putc(m, ',');
1100 seq_puts(m, LABELSUPP_STR);
1101 continue;
2069f457
EP		 1102 default:
1103 BUG();
a35c6c83 1104 return;
2069f457
EP		 1105 };
1106 /* we need a comma before each option */
1107 seq_putc(m, ',');
1108 seq_puts(m, prefix);
1109 if (has_comma)
1110 seq_putc(m, '\"');
1111 seq_puts(m, opts->mnt_opts[i]);
1112 if (has_comma)
1113 seq_putc(m, '\"');
1114 }
1115}
1116
1117static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1118{
1119 struct security_mnt_opts opts;
1120 int rc;
1121
1122 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1123 if (rc) {
1124 /* before policy load we may get EINVAL, don't show anything */
1125 if (rc == -EINVAL)
1126 rc = 0;
2069f457 1127 return rc;
383795c2 1128 }
2069f457
EP		 1129
1130 selinux_write_opts(m, &opts);
1131
1132 security_free_mnt_opts(&opts);
1133
1134 return rc;
1135}
1136
1da177e4
LT		 1137static inline u16 inode_mode_to_security_class(umode_t mode)
1138{
1139 switch (mode & S_IFMT) {
1140 case S_IFSOCK:
1141 return SECCLASS_SOCK_FILE;
1142 case S_IFLNK:
1143 return SECCLASS_LNK_FILE;
1144 case S_IFREG:
1145 return SECCLASS_FILE;
1146 case S_IFBLK:
1147 return SECCLASS_BLK_FILE;
1148 case S_IFDIR:
1149 return SECCLASS_DIR;
1150 case S_IFCHR:
1151 return SECCLASS_CHR_FILE;
1152 case S_IFIFO:
1153 return SECCLASS_FIFO_FILE;
1154
1155 }
1156
1157 return SECCLASS_FILE;
1158}
1159
13402580
JM		 1160static inline int default_protocol_stream(int protocol)
1161{
1162 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1163}
1164
1165static inline int default_protocol_dgram(int protocol)
1166{
1167 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1168}
1169
1da177e4
LT		 1170static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1171{
1172 switch (family) {
1173 case PF_UNIX:
1174 switch (type) {
1175 case SOCK_STREAM:
1176 case SOCK_SEQPACKET:
1177 return SECCLASS_UNIX_STREAM_SOCKET;
1178 case SOCK_DGRAM:
1179 return SECCLASS_UNIX_DGRAM_SOCKET;
1180 }
1181 break;
1182 case PF_INET:
1183 case PF_INET6:
1184 switch (type) {
1185 case SOCK_STREAM:
13402580
JM		 1186 if (default_protocol_stream(protocol))
1187 return SECCLASS_TCP_SOCKET;
1188 else
1189 return SECCLASS_RAWIP_SOCKET;
1da177e4 1190 case SOCK_DGRAM:
13402580
JM		 1191 if (default_protocol_dgram(protocol))
1192 return SECCLASS_UDP_SOCKET;
1193 else
1194 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1195 case SOCK_DCCP:
1196 return SECCLASS_DCCP_SOCKET;
13402580 1197 default:
1da177e4
LT		 1198 return SECCLASS_RAWIP_SOCKET;
1199 }
1200 break;
1201 case PF_NETLINK:
1202 switch (protocol) {
1203 case NETLINK_ROUTE:
1204 return SECCLASS_NETLINK_ROUTE_SOCKET;
1205 case NETLINK_FIREWALL:
1206 return SECCLASS_NETLINK_FIREWALL_SOCKET;
7f1fb60c 1207 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1208 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1209 case NETLINK_NFLOG:
1210 return SECCLASS_NETLINK_NFLOG_SOCKET;
1211 case NETLINK_XFRM:
1212 return SECCLASS_NETLINK_XFRM_SOCKET;
1213 case NETLINK_SELINUX:
1214 return SECCLASS_NETLINK_SELINUX_SOCKET;
1215 case NETLINK_AUDIT:
1216 return SECCLASS_NETLINK_AUDIT_SOCKET;
1217 case NETLINK_IP6_FW:
1218 return SECCLASS_NETLINK_IP6FW_SOCKET;
1219 case NETLINK_DNRTMSG:
1220 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1221 case NETLINK_KOBJECT_UEVENT:
1222 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1223 default:
1224 return SECCLASS_NETLINK_SOCKET;
1225 }
1226 case PF_PACKET:
1227 return SECCLASS_PACKET_SOCKET;
1228 case PF_KEY:
1229 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1230 case PF_APPLETALK:
1231 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1232 }
1233
1234 return SECCLASS_SOCKET;
1235}
1236
1237#ifdef CONFIG_PROC_FS
8e6c9693 1238static int selinux_proc_get_sid(struct dentry *dentry,
1da177e4
LT		 1239 u16 tclass,
1240 u32 *sid)
1241{
8e6c9693
LAG		 1242 int rc;
1243 char *buffer, *path;
1da177e4 1244
828dfe1d 1245 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1246 if (!buffer)
1247 return -ENOMEM;
1248
8e6c9693
LAG		 1249 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1250 if (IS_ERR(path))
1251 rc = PTR_ERR(path);
1252 else {
1253 /* each process gets a /proc/PID/ entry. Strip off the
1254 * PID part to get a valid selinux labeling.
1255 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1256 while (path[1] >= '0' && path[1] <= '9') {
1257 path[1] = '/';
1258 path++;
1259 }
1260 rc = security_genfs_sid("proc", path, tclass, sid);
1da177e4 1261 }
1da177e4
LT		 1262 free_page((unsigned long)buffer);
1263 return rc;
1264}
1265#else
8e6c9693 1266static int selinux_proc_get_sid(struct dentry *dentry,
1da177e4
LT		 1267 u16 tclass,
1268 u32 *sid)
1269{
1270 return -EINVAL;
1271}
1272#endif
1273
1274/* The inode's security attributes must be initialized before first use. */
1275static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1276{
1277 struct superblock_security_struct *sbsec = NULL;
1278 struct inode_security_struct *isec = inode->i_security;
1279 u32 sid;
1280 struct dentry *dentry;
1281#define INITCONTEXTLEN 255
1282 char *context = NULL;
1283 unsigned len = 0;
1284 int rc = 0;
1da177e4
LT		 1285
1286 if (isec->initialized)
1287 goto out;
1288
23970741 1289 mutex_lock(&isec->lock);
1da177e4 1290 if (isec->initialized)
23970741 1291 goto out_unlock;
1da177e4
LT		 1292
1293 sbsec = inode->i_sb->s_security;
0d90a7ec 1294 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1295 /* Defer initialization until selinux_complete_init,
1296 after the initial policy is loaded and the security
1297 server is ready to handle calls. */
1298 spin_lock(&sbsec->isec_lock);
1299 if (list_empty(&isec->list))
1300 list_add(&isec->list, &sbsec->isec_head);
1301 spin_unlock(&sbsec->isec_lock);
23970741 1302 goto out_unlock;
1da177e4
LT		 1303 }
1304
1305 switch (sbsec->behavior) {
eb9ae686
DQ		 1306 case SECURITY_FS_USE_NATIVE:
1307 break;
1da177e4
LT		 1308 case SECURITY_FS_USE_XATTR:
1309 if (!inode->i_op->getxattr) {
1310 isec->sid = sbsec->def_sid;
1311 break;
1312 }
1313
1314 /* Need a dentry, since the xattr API requires one.
1315 Life would be simpler if we could just pass the inode. */
1316 if (opt_dentry) {
1317 /* Called from d_instantiate or d_splice_alias. */
1318 dentry = dget(opt_dentry);
1319 } else {
1320 /* Called from selinux_complete_init, try to find a dentry. */
1321 dentry = d_find_alias(inode);
1322 }
1323 if (!dentry) {
df7f54c0
EP		 1324 /*
1325 * this is can be hit on boot when a file is accessed
1326 * before the policy is loaded. When we load policy we
1327 * may find inodes that have no dentry on the
1328 * sbsec->isec_head list. No reason to complain as these
1329 * will get fixed up the next time we go through
1330 * inode_doinit with a dentry, before these inodes could
1331 * be used again by userspace.
1332 */
23970741 1333 goto out_unlock;
1da177e4
LT		 1334 }
1335
1336 len = INITCONTEXTLEN;
4cb912f1 1337 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1338 if (!context) {
1339 rc = -ENOMEM;
1340 dput(dentry);
23970741 1341 goto out_unlock;
1da177e4 1342 }
4cb912f1 1343 context[len] = '\0';
1da177e4
LT		 1344 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1345 context, len);
1346 if (rc == -ERANGE) {
314dabb8
JM		 1347 kfree(context);
1348
1da177e4
LT		 1349 /* Need a larger buffer. Query for the right size. */
1350 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1351 NULL, 0);
1352 if (rc < 0) {
1353 dput(dentry);
23970741 1354 goto out_unlock;
1da177e4 1355 }
1da177e4 1356 len = rc;
4cb912f1 1357 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1358 if (!context) {
1359 rc = -ENOMEM;
1360 dput(dentry);
23970741 1361 goto out_unlock;
1da177e4 1362 }
4cb912f1 1363 context[len] = '\0';
1da177e4
LT		 1364 rc = inode->i_op->getxattr(dentry,
1365 XATTR_NAME_SELINUX,
1366 context, len);
1367 }
1368 dput(dentry);
1369 if (rc < 0) {
1370 if (rc != -ENODATA) {
744ba35e 1371 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1372 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1373 -rc, inode->i_sb->s_id, inode->i_ino);
1374 kfree(context);
23970741 1375 goto out_unlock;
1da177e4
LT		 1376 }
1377 /* Map ENODATA to the default file SID */
1378 sid = sbsec->def_sid;
1379 rc = 0;
1380 } else {
f5c1d5b2 1381 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1382 sbsec->def_sid,
1383 GFP_NOFS);
1da177e4 1384 if (rc) {
4ba0a8ad
EP		 1385 char *dev = inode->i_sb->s_id;
1386 unsigned long ino = inode->i_ino;
1387
1388 if (rc == -EINVAL) {
1389 if (printk_ratelimit())
1390 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1391 "context=%s. This indicates you may need to relabel the inode or the "
1392 "filesystem in question.\n", ino, dev, context);
1393 } else {
1394 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1395 "returned %d for dev=%s ino=%ld\n",
1396 __func__, context, -rc, dev, ino);
1397 }
1da177e4
LT		 1398 kfree(context);
1399 /* Leave with the unlabeled SID */
1400 rc = 0;
1401 break;
1402 }
1403 }
1404 kfree(context);
1405 isec->sid = sid;
1406 break;
1407 case SECURITY_FS_USE_TASK:
1408 isec->sid = isec->task_sid;
1409 break;
1410 case SECURITY_FS_USE_TRANS:
1411 /* Default to the fs SID. */
1412 isec->sid = sbsec->sid;
1413
1414 /* Try to obtain a transition SID. */
1415 isec->sclass = inode_mode_to_security_class(inode->i_mode);
652bb9b0
EP		 1416 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1417 isec->sclass, NULL, &sid);
1da177e4 1418 if (rc)
23970741 1419 goto out_unlock;
1da177e4
LT		 1420 isec->sid = sid;
1421 break;
c312feb2
EP		 1422 case SECURITY_FS_USE_MNTPOINT:
1423 isec->sid = sbsec->mntpoint_sid;
1424 break;
1da177e4 1425 default:
c312feb2 1426 /* Default to the fs superblock SID. */
1da177e4
LT		 1427 isec->sid = sbsec->sid;
1428
0d90a7ec 1429 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1430 /* We must have a dentry to determine the label on
1431 * procfs inodes */
1432 if (opt_dentry)
1433 /* Called from d_instantiate or
1434 * d_splice_alias. */
1435 dentry = dget(opt_dentry);
1436 else
1437 /* Called from selinux_complete_init, try to
1438 * find a dentry. */
1439 dentry = d_find_alias(inode);
1440 /*
1441 * This can be hit on boot when a file is accessed
1442 * before the policy is loaded. When we load policy we
1443 * may find inodes that have no dentry on the
1444 * sbsec->isec_head list. No reason to complain as
1445 * these will get fixed up the next time we go through
1446 * inode_doinit() with a dentry, before these inodes
1447 * could be used again by userspace.
1448 */
1449 if (!dentry)
1450 goto out_unlock;
1451 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1452 rc = selinux_proc_get_sid(dentry, isec->sclass, &sid);
1453 dput(dentry);
1454 if (rc)
1455 goto out_unlock;
1456 isec->sid = sid;
1da177e4
LT		 1457 }
1458 break;
1459 }
1460
1461 isec->initialized = 1;
1462
23970741
EP		 1463out_unlock:
1464 mutex_unlock(&isec->lock);
1da177e4
LT		 1465out:
1466 if (isec->sclass == SECCLASS_FILE)
1467 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1468 return rc;
1469}
1470
1471/* Convert a Linux signal to an access vector. */
1472static inline u32 signal_to_av(int sig)
1473{
1474 u32 perm = 0;
1475
1476 switch (sig) {
1477 case SIGCHLD:
1478 /* Commonly granted from child to parent. */
1479 perm = PROCESS__SIGCHLD;
1480 break;
1481 case SIGKILL:
1482 /* Cannot be caught or ignored */
1483 perm = PROCESS__SIGKILL;
1484 break;
1485 case SIGSTOP:
1486 /* Cannot be caught or ignored */
1487 perm = PROCESS__SIGSTOP;
1488 break;
1489 default:
1490 /* All other signals. */
1491 perm = PROCESS__SIGNAL;
1492 break;
1493 }
1494
1495 return perm;
1496}
1497
d84f4f99
DH		 1498/*
1499 * Check permission between a pair of credentials
1500 * fork check, ptrace check, etc.
1501 */
1502static int cred_has_perm(const struct cred *actor,
1503 const struct cred *target,
1504 u32 perms)
1505{
1506 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1507
1508 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1509}
1510
275bb41e 1511/*
88e67f3b 1512 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1513 * fork check, ptrace check, etc.
1514 * tsk1 is the actor and tsk2 is the target
3b11a1de 1515 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1516 */
1517static int task_has_perm(const struct task_struct *tsk1,
1518 const struct task_struct *tsk2,
1da177e4
LT		 1519 u32 perms)
1520{
275bb41e
DH		 1521 const struct task_security_struct *__tsec1, *__tsec2;
1522 u32 sid1, sid2;
1da177e4 1523
275bb41e
DH		 1524 rcu_read_lock();
1525 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1526 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1527 rcu_read_unlock();
1528 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1529}
1530
3b11a1de
DH		 1531/*
1532 * Check permission between current and another task, e.g. signal checks,
1533 * fork check, ptrace check, etc.
1534 * current is the actor and tsk2 is the target
1535 * - this uses current's subjective creds
1536 */
1537static int current_has_perm(const struct task_struct *tsk,
1538 u32 perms)
1539{
1540 u32 sid, tsid;
1541
1542 sid = current_sid();
1543 tsid = task_sid(tsk);
1544 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1545}
1546
b68e418c
SS		 1547#if CAP_LAST_CAP > 63
1548#error Fix SELinux to handle capabilities > 63.
1549#endif
1550
1da177e4 1551/* Check whether a task is allowed to use a capability. */
6a9de491 1552static int cred_has_capability(const struct cred *cred,
06112163 1553 int cap, int audit)
1da177e4 1554{
2bf49690 1555 struct common_audit_data ad;
06112163 1556 struct av_decision avd;
b68e418c 1557 u16 sclass;
3699c53c 1558 u32 sid = cred_sid(cred);
b68e418c 1559 u32 av = CAP_TO_MASK(cap);
06112163 1560 int rc;
1da177e4 1561
50c205f5 1562 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1563 ad.u.cap = cap;
1564
b68e418c
SS		 1565 switch (CAP_TO_INDEX(cap)) {
1566 case 0:
1567 sclass = SECCLASS_CAPABILITY;
1568 break;
1569 case 1:
1570 sclass = SECCLASS_CAPABILITY2;
1571 break;
1572 default:
1573 printk(KERN_ERR
1574 "SELinux: out of range capability %d\n", cap);
1575 BUG();
a35c6c83 1576 return -EINVAL;
b68e418c 1577 }
06112163 1578
275bb41e 1579 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1580 if (audit == SECURITY_CAP_AUDIT) {
ab354062 1581 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
9ade0cf4
EP		 1582 if (rc2)
1583 return rc2;
1584 }
06112163 1585 return rc;
1da177e4
LT		 1586}
1587
1588/* Check whether a task is allowed to use a system operation. */
1589static int task_has_system(struct task_struct *tsk,
1590 u32 perms)
1591{
275bb41e 1592 u32 sid = task_sid(tsk);
1da177e4 1593
275bb41e 1594 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1595 SECCLASS_SYSTEM, perms, NULL);
1596}
1597
1598/* Check whether a task has a particular permission to an inode.
1599 The 'adp' parameter is optional and allows other audit
1600 data to be passed (e.g. the dentry). */
88e67f3b 1601static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1602 struct inode *inode,
1603 u32 perms,
19e49834 1604 struct common_audit_data *adp)
1da177e4 1605{
1da177e4 1606 struct inode_security_struct *isec;
275bb41e 1607 u32 sid;
1da177e4 1608
e0e81739
DH		 1609 validate_creds(cred);
1610
828dfe1d 1611 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1612 return 0;
1613
88e67f3b 1614 sid = cred_sid(cred);
1da177e4
LT		 1615 isec = inode->i_security;
1616
19e49834 1617 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1618}
1619
1620/* Same as inode_has_perm, but pass explicit audit data containing
1621 the dentry to help the auditing code to more easily generate the
1622 pathname if needed. */
88e67f3b 1623static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1624 struct dentry *dentry,
1625 u32 av)
1626{
1627 struct inode *inode = dentry->d_inode;
2bf49690 1628 struct common_audit_data ad;
88e67f3b 1629
50c205f5 1630 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1631 ad.u.dentry = dentry;
19e49834 1632 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1633}
1634
1635/* Same as inode_has_perm, but pass explicit audit data containing
1636 the path to help the auditing code to more easily generate the
1637 pathname if needed. */
1638static inline int path_has_perm(const struct cred *cred,
1639 struct path *path,
1640 u32 av)
1641{
1642 struct inode *inode = path->dentry->d_inode;
1643 struct common_audit_data ad;
1644
50c205f5 1645 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1646 ad.u.path = *path;
19e49834 1647 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1648}
1649
13f8e981
DH		 1650/* Same as path_has_perm, but uses the inode from the file struct. */
1651static inline int file_path_has_perm(const struct cred *cred,
1652 struct file *file,
1653 u32 av)
1654{
1655 struct common_audit_data ad;
1656
1657 ad.type = LSM_AUDIT_DATA_PATH;
1658 ad.u.path = file->f_path;
19e49834 1659 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1660}
1661
1da177e4
LT		 1662/* Check whether a task can use an open file descriptor to
1663 access an inode in a given way. Check access to the
1664 descriptor itself, and then use dentry_has_perm to
1665 check a particular permission to the file.
1666 Access to the descriptor is implicitly granted if it
1667 has the same SID as the process. If av is zero, then
1668 access to the file is not checked, e.g. for cases
1669 where only the descriptor is affected like seek. */
88e67f3b
DH		 1670static int file_has_perm(const struct cred *cred,
1671 struct file *file,
1672 u32 av)
1da177e4 1673{
1da177e4 1674 struct file_security_struct *fsec = file->f_security;
496ad9aa 1675 struct inode *inode = file_inode(file);
2bf49690 1676 struct common_audit_data ad;
88e67f3b 1677 u32 sid = cred_sid(cred);
1da177e4
LT		 1678 int rc;
1679
50c205f5 1680 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 1681 ad.u.path = file->f_path;
1da177e4 1682
275bb41e
DH		 1683 if (sid != fsec->sid) {
1684 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1685 SECCLASS_FD,
1686 FD__USE,
1687 &ad);
1688 if (rc)
88e67f3b 1689 goto out;
1da177e4
LT		 1690 }
1691
1692 /* av is zero if only checking access to the descriptor. */
88e67f3b 1693 rc = 0;
1da177e4 1694 if (av)
19e49834 1695 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1696
88e67f3b
DH		 1697out:
1698 return rc;
1da177e4
LT		 1699}
1700
1701/* Check whether a task can create a file. */
1702static int may_create(struct inode *dir,
1703 struct dentry *dentry,
1704 u16 tclass)
1705{
5fb49870 1706 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1707 struct inode_security_struct *dsec;
1708 struct superblock_security_struct *sbsec;
275bb41e 1709 u32 sid, newsid;
2bf49690 1710 struct common_audit_data ad;
1da177e4
LT		 1711 int rc;
1712
1da177e4
LT		 1713 dsec = dir->i_security;
1714 sbsec = dir->i_sb->s_security;
1715
275bb41e
DH		 1716 sid = tsec->sid;
1717 newsid = tsec->create_sid;
1718
50c205f5 1719 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1720 ad.u.dentry = dentry;
1da177e4 1721
275bb41e 1722 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1723 DIR__ADD_NAME | DIR__SEARCH,
1724 &ad);
1725 if (rc)
1726 return rc;
1727
12f348b9 1728 if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
cb1e922f
EP		 1729 rc = security_transition_sid(sid, dsec->sid, tclass,
1730 &dentry->d_name, &newsid);
1da177e4
LT		 1731 if (rc)
1732 return rc;
1733 }
1734
275bb41e 1735 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1736 if (rc)
1737 return rc;
1738
1739 return avc_has_perm(newsid, sbsec->sid,
1740 SECCLASS_FILESYSTEM,
1741 FILESYSTEM__ASSOCIATE, &ad);
1742}
1743
4eb582cf
ML		 1744/* Check whether a task can create a key. */
1745static int may_create_key(u32 ksid,
1746 struct task_struct *ctx)
1747{
275bb41e 1748 u32 sid = task_sid(ctx);
4eb582cf 1749
275bb41e 1750 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1751}
1752
828dfe1d
EP		 1753#define MAY_LINK 0
1754#define MAY_UNLINK 1
1755#define MAY_RMDIR 2
1da177e4
LT		 1756
1757/* Check whether a task can link, unlink, or rmdir a file/directory. */
1758static int may_link(struct inode *dir,
1759 struct dentry *dentry,
1760 int kind)
1761
1762{
1da177e4 1763 struct inode_security_struct *dsec, *isec;
2bf49690 1764 struct common_audit_data ad;
275bb41e 1765 u32 sid = current_sid();
1da177e4
LT		 1766 u32 av;
1767 int rc;
1768
1da177e4
LT		 1769 dsec = dir->i_security;
1770 isec = dentry->d_inode->i_security;
1771
50c205f5 1772 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1773 ad.u.dentry = dentry;
1da177e4
LT		 1774
1775 av = DIR__SEARCH;
1776 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1777 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1778 if (rc)
1779 return rc;
1780
1781 switch (kind) {
1782 case MAY_LINK:
1783 av = FILE__LINK;
1784 break;
1785 case MAY_UNLINK:
1786 av = FILE__UNLINK;
1787 break;
1788 case MAY_RMDIR:
1789 av = DIR__RMDIR;
1790 break;
1791 default:
744ba35e
EP		 1792 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1793 __func__, kind);
1da177e4
LT		 1794 return 0;
1795 }
1796
275bb41e 1797 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1798 return rc;
1799}
1800
1801static inline int may_rename(struct inode *old_dir,
1802 struct dentry *old_dentry,
1803 struct inode *new_dir,
1804 struct dentry *new_dentry)
1805{
1da177e4 1806 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1807 struct common_audit_data ad;
275bb41e 1808 u32 sid = current_sid();
1da177e4
LT		 1809 u32 av;
1810 int old_is_dir, new_is_dir;
1811 int rc;
1812
1da177e4
LT		 1813 old_dsec = old_dir->i_security;
1814 old_isec = old_dentry->d_inode->i_security;
1815 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1816 new_dsec = new_dir->i_security;
1817
50c205f5 1818 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1819
a269434d 1820 ad.u.dentry = old_dentry;
275bb41e 1821 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1822 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1823 if (rc)
1824 return rc;
275bb41e 1825 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1826 old_isec->sclass, FILE__RENAME, &ad);
1827 if (rc)
1828 return rc;
1829 if (old_is_dir && new_dir != old_dir) {
275bb41e 1830 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1831 old_isec->sclass, DIR__REPARENT, &ad);
1832 if (rc)
1833 return rc;
1834 }
1835
a269434d 1836 ad.u.dentry = new_dentry;
1da177e4
LT		 1837 av = DIR__ADD_NAME | DIR__SEARCH;
1838 if (new_dentry->d_inode)
1839 av |= DIR__REMOVE_NAME;
275bb41e 1840 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1841 if (rc)
1842 return rc;
1843 if (new_dentry->d_inode) {
1844 new_isec = new_dentry->d_inode->i_security;
1845 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
275bb41e 1846 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1847 new_isec->sclass,
1848 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1849 if (rc)
1850 return rc;
1851 }
1852
1853 return 0;
1854}
1855
1856/* Check whether a task can perform a filesystem operation. */
88e67f3b 1857static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1858 struct super_block *sb,
1859 u32 perms,
2bf49690 1860 struct common_audit_data *ad)
1da177e4 1861{
1da177e4 1862 struct superblock_security_struct *sbsec;
88e67f3b 1863 u32 sid = cred_sid(cred);
1da177e4 1864
1da177e4 1865 sbsec = sb->s_security;
275bb41e 1866 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1867}
1868
1869/* Convert a Linux mode and permission mask to an access vector. */
1870static inline u32 file_mask_to_av(int mode, int mask)
1871{
1872 u32 av = 0;
1873
dba19c60 1874 if (!S_ISDIR(mode)) {
1da177e4
LT		 1875 if (mask & MAY_EXEC)
1876 av |= FILE__EXECUTE;
1877 if (mask & MAY_READ)
1878 av |= FILE__READ;
1879
1880 if (mask & MAY_APPEND)
1881 av |= FILE__APPEND;
1882 else if (mask & MAY_WRITE)
1883 av |= FILE__WRITE;
1884
1885 } else {
1886 if (mask & MAY_EXEC)
1887 av |= DIR__SEARCH;
1888 if (mask & MAY_WRITE)
1889 av |= DIR__WRITE;
1890 if (mask & MAY_READ)
1891 av |= DIR__READ;
1892 }
1893
1894 return av;
1895}
1896
8b6a5a37
EP		 1897/* Convert a Linux file to an access vector. */
1898static inline u32 file_to_av(struct file *file)
1899{
1900 u32 av = 0;
1901
1902 if (file->f_mode & FMODE_READ)
1903 av |= FILE__READ;
1904 if (file->f_mode & FMODE_WRITE) {
1905 if (file->f_flags & O_APPEND)
1906 av |= FILE__APPEND;
1907 else
1908 av |= FILE__WRITE;
1909 }
1910 if (!av) {
1911 /*
1912 * Special file opened with flags 3 for ioctl-only use.
1913 */
1914 av = FILE__IOCTL;
1915 }
1916
1917 return av;
1918}
1919
b0c636b9 1920/*
8b6a5a37 1921 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 1922 * open permission.
1923 */
8b6a5a37 1924static inline u32 open_file_to_av(struct file *file)
b0c636b9 1925{
8b6a5a37 1926 u32 av = file_to_av(file);
b0c636b9 1927
49b7b8de
EP		 1928 if (selinux_policycap_openperm)
1929 av |= FILE__OPEN;
1930
b0c636b9
EP		 1931 return av;
1932}
1933
1da177e4
LT		 1934/* Hook functions begin here. */
1935
9e48858f 1936static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 1937 unsigned int mode)
1da177e4 1938{
1da177e4
LT		 1939 int rc;
1940
9e48858f 1941 rc = cap_ptrace_access_check(child, mode);
1da177e4
LT		 1942 if (rc)
1943 return rc;
1944
69f594a3 1945 if (mode & PTRACE_MODE_READ) {
275bb41e
DH		 1946 u32 sid = current_sid();
1947 u32 csid = task_sid(child);
1948 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 1949 }
1950
3b11a1de 1951 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 1952}
1953
1954static int selinux_ptrace_traceme(struct task_struct *parent)
1955{
1956 int rc;
1957
200ac532 1958 rc = cap_ptrace_traceme(parent);
5cd9c58f
DH		 1959 if (rc)
1960 return rc;
1961
1962 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 1963}
1964
1965static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 1966 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4
LT		 1967{
1968 int error;
1969
3b11a1de 1970 error = current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 1971 if (error)
1972 return error;
1973
200ac532 1974 return cap_capget(target, effective, inheritable, permitted);
1da177e4
LT		 1975}
1976
d84f4f99
DH		 1977static int selinux_capset(struct cred *new, const struct cred *old,
1978 const kernel_cap_t *effective,
1979 const kernel_cap_t *inheritable,
1980 const kernel_cap_t *permitted)
1da177e4
LT		 1981{
1982 int error;
1983
200ac532 1984 error = cap_capset(new, old,
d84f4f99 1985 effective, inheritable, permitted);
1da177e4
LT		 1986 if (error)
1987 return error;
1988
d84f4f99 1989 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 1990}
1991
5626d3e8
JM		 1992/*
1993 * (This comment used to live with the selinux_task_setuid hook,
1994 * which was removed).
1995 *
1996 * Since setuid only affects the current process, and since the SELinux
1997 * controls are not based on the Linux identity attributes, SELinux does not
1998 * need to control this operation. However, SELinux does control the use of
1999 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2000 */
2001
6a9de491
EP		 2002static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2003 int cap, int audit)
1da177e4
LT		 2004{
2005 int rc;
2006
6a9de491 2007 rc = cap_capable(cred, ns, cap, audit);
1da177e4
LT		 2008 if (rc)
2009 return rc;
2010
6a9de491 2011 return cred_has_capability(cred, cap, audit);
1da177e4
LT		 2012}
2013
1da177e4
LT		 2014static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2015{
88e67f3b 2016 const struct cred *cred = current_cred();
1da177e4
LT		 2017 int rc = 0;
2018
2019 if (!sb)
2020 return 0;
2021
2022 switch (cmds) {
828dfe1d
EP		 2023 case Q_SYNC:
2024 case Q_QUOTAON:
2025 case Q_QUOTAOFF:
2026 case Q_SETINFO:
2027 case Q_SETQUOTA:
88e67f3b 2028 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2029 break;
2030 case Q_GETFMT:
2031 case Q_GETINFO:
2032 case Q_GETQUOTA:
88e67f3b 2033 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2034 break;
2035 default:
2036 rc = 0; /* let the kernel handle invalid cmds */
2037 break;
1da177e4
LT		 2038 }
2039 return rc;
2040}
2041
2042static int selinux_quota_on(struct dentry *dentry)
2043{
88e67f3b
DH		 2044 const struct cred *cred = current_cred();
2045
2875fa00 2046 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2047}
2048
12b3052c 2049static int selinux_syslog(int type)
1da177e4
LT		 2050{
2051 int rc;
2052
1da177e4 2053 switch (type) {
d78ca3cd
KC		 2054 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2055 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
828dfe1d
EP		 2056 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2057 break;
d78ca3cd
KC		 2058 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2059 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2060 /* Set level of messages printed to console */
2061 case SYSLOG_ACTION_CONSOLE_LEVEL:
828dfe1d
EP		 2062 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2063 break;
d78ca3cd
KC		 2064 case SYSLOG_ACTION_CLOSE: /* Close log */
2065 case SYSLOG_ACTION_OPEN: /* Open log */
2066 case SYSLOG_ACTION_READ: /* Read from log */
2067 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2068 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
828dfe1d
EP		 2069 default:
2070 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2071 break;
1da177e4
LT		 2072 }
2073 return rc;
2074}
2075
2076/*
2077 * Check that a process has enough memory to allocate a new virtual
2078 * mapping. 0 means there is enough memory for the allocation to
2079 * succeed and -ENOMEM implies there is not.
2080 *
1da177e4
LT		 2081 * Do not audit the selinux permission check, as this is applied to all
2082 * processes that allocate mappings.
2083 */
34b4e4aa 2084static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2085{
2086 int rc, cap_sys_admin = 0;
1da177e4 2087
6a9de491 2088 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
3699c53c 2089 SECURITY_CAP_NOAUDIT);
1da177e4
LT		 2090 if (rc == 0)
2091 cap_sys_admin = 1;
2092
34b4e4aa 2093 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 2094}
2095
2096/* binprm security operations */
2097
7b0d0b40
SS		 2098static int check_nnp_nosuid(const struct linux_binprm *bprm,
2099 const struct task_security_struct *old_tsec,
2100 const struct task_security_struct *new_tsec)
2101{
2102 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2103 int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2104 int rc;
2105
2106 if (!nnp && !nosuid)
2107 return 0; /* neither NNP nor nosuid */
2108
2109 if (new_tsec->sid == old_tsec->sid)
2110 return 0; /* No change in credentials */
2111
2112 /*
2113 * The only transitions we permit under NNP or nosuid
2114 * are transitions to bounded SIDs, i.e. SIDs that are
2115 * guaranteed to only be allowed a subset of the permissions
2116 * of the current SID.
2117 */
2118 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2119 if (rc) {
2120 /*
2121 * On failure, preserve the errno values for NNP vs nosuid.
2122 * NNP: Operation not permitted for caller.
2123 * nosuid: Permission denied to file.
2124 */
2125 if (nnp)
2126 return -EPERM;
2127 else
2128 return -EACCES;
2129 }
2130 return 0;
2131}
2132
a6f76f23 2133static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2134{
a6f76f23
DH		 2135 const struct task_security_struct *old_tsec;
2136 struct task_security_struct *new_tsec;
1da177e4 2137 struct inode_security_struct *isec;
2bf49690 2138 struct common_audit_data ad;
496ad9aa 2139 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2140 int rc;
2141
200ac532 2142 rc = cap_bprm_set_creds(bprm);
1da177e4
LT		 2143 if (rc)
2144 return rc;
2145
a6f76f23
DH		 2146 /* SELinux context only depends on initial program or script and not
2147 * the script interpreter */
2148 if (bprm->cred_prepared)
1da177e4
LT		 2149 return 0;
2150
a6f76f23
DH		 2151 old_tsec = current_security();
2152 new_tsec = bprm->cred->security;
1da177e4
LT		 2153 isec = inode->i_security;
2154
2155 /* Default to the current task SID. */
a6f76f23
DH		 2156 new_tsec->sid = old_tsec->sid;
2157 new_tsec->osid = old_tsec->sid;
1da177e4 2158
28eba5bf 2159 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2160 new_tsec->create_sid = 0;
2161 new_tsec->keycreate_sid = 0;
2162 new_tsec->sockcreate_sid = 0;
1da177e4 2163
a6f76f23
DH		 2164 if (old_tsec->exec_sid) {
2165 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2166 /* Reset exec SID on execve. */
a6f76f23 2167 new_tsec->exec_sid = 0;
259e5e6c 2168
7b0d0b40
SS		 2169 /* Fail on NNP or nosuid if not an allowed transition. */
2170 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2171 if (rc)
2172 return rc;
1da177e4
LT		 2173 } else {
2174 /* Check for a default transition on this program. */
a6f76f23 2175 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2176 SECCLASS_PROCESS, NULL,
2177 &new_tsec->sid);
1da177e4
LT		 2178 if (rc)
2179 return rc;
7b0d0b40
SS		 2180
2181 /*
2182 * Fallback to old SID on NNP or nosuid if not an allowed
2183 * transition.
2184 */
2185 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2186 if (rc)
2187 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2188 }
2189
50c205f5 2190 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 2191 ad.u.path = bprm->file->f_path;
1da177e4 2192
a6f76f23
DH		 2193 if (new_tsec->sid == old_tsec->sid) {
2194 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2195 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2196 if (rc)
2197 return rc;
2198 } else {
2199 /* Check permissions for the transition. */
a6f76f23 2200 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2201 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2202 if (rc)
2203 return rc;
2204
a6f76f23 2205 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2206 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2207 if (rc)
2208 return rc;
2209
a6f76f23
DH		 2210 /* Check for shared state */
2211 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2212 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2213 SECCLASS_PROCESS, PROCESS__SHARE,
2214 NULL);
2215 if (rc)
2216 return -EPERM;
2217 }
2218
2219 /* Make sure that anyone attempting to ptrace over a task that
2220 * changes its SID has the appropriate permit */
2221 if (bprm->unsafe &
2222 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2223 struct task_struct *tracer;
2224 struct task_security_struct *sec;
2225 u32 ptsid = 0;
2226
2227 rcu_read_lock();
06d98473 2228 tracer = ptrace_parent(current);
a6f76f23
DH		 2229 if (likely(tracer != NULL)) {
2230 sec = __task_cred(tracer)->security;
2231 ptsid = sec->sid;
2232 }
2233 rcu_read_unlock();
2234
2235 if (ptsid != 0) {
2236 rc = avc_has_perm(ptsid, new_tsec->sid,
2237 SECCLASS_PROCESS,
2238 PROCESS__PTRACE, NULL);
2239 if (rc)
2240 return -EPERM;
2241 }
2242 }
1da177e4 2243
a6f76f23
DH		 2244 /* Clear any possibly unsafe personality bits on exec: */
2245 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2246 }
2247
1da177e4
LT		 2248 return 0;
2249}
2250
828dfe1d 2251static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2252{
5fb49870 2253 const struct task_security_struct *tsec = current_security();
275bb41e 2254 u32 sid, osid;
1da177e4
LT		 2255 int atsecure = 0;
2256
275bb41e
DH		 2257 sid = tsec->sid;
2258 osid = tsec->osid;
2259
2260 if (osid != sid) {
1da177e4
LT		 2261 /* Enable secure mode for SIDs transitions unless
2262 the noatsecure permission is granted between
2263 the two SIDs, i.e. ahp returns 0. */
275bb41e 2264 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2265 SECCLASS_PROCESS,
2266 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2267 }
2268
200ac532 2269 return (atsecure || cap_bprm_secureexec(bprm));
1da177e4
LT		 2270}
2271
c3c073f8
AV		 2272static int match_file(const void *p, struct file *file, unsigned fd)
2273{
2274 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2275}
2276
1da177e4 2277/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2278static inline void flush_unauthorized_files(const struct cred *cred,
2279 struct files_struct *files)
1da177e4 2280{
1da177e4 2281 struct file *file, *devnull = NULL;
b20c8122 2282 struct tty_struct *tty;
24ec839c 2283 int drop_tty = 0;
c3c073f8 2284 unsigned n;
1da177e4 2285
24ec839c 2286 tty = get_current_tty();
1da177e4 2287 if (tty) {
ee2ffa0d 2288 spin_lock(&tty_files_lock);
37dd0bd0 2289 if (!list_empty(&tty->tty_files)) {
d996b62a 2290 struct tty_file_private *file_priv;
37dd0bd0 2291
1da177e4 2292 /* Revalidate access to controlling tty.
13f8e981
DH		 2293 Use file_path_has_perm on the tty path directly
2294 rather than using file_has_perm, as this particular
2295 open file may belong to another process and we are
2296 only interested in the inode-based check here. */
d996b62a
NP		 2297 file_priv = list_first_entry(&tty->tty_files,
2298 struct tty_file_private, list);
2299 file = file_priv->file;
13f8e981 2300 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2301 drop_tty = 1;
1da177e4 2302 }
ee2ffa0d 2303 spin_unlock(&tty_files_lock);
452a00d2 2304 tty_kref_put(tty);
1da177e4 2305 }
98a27ba4
EB		 2306 /* Reset controlling tty. */
2307 if (drop_tty)
2308 no_tty();
1da177e4
LT		 2309
2310 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2311 n = iterate_fd(files, 0, match_file, cred);
2312 if (!n) /* none found? */
2313 return;
1da177e4 2314
c3c073f8 2315 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2316 if (IS_ERR(devnull))
2317 devnull = NULL;
2318 /* replace all the matching ones with this */
2319 do {
2320 replace_fd(n - 1, devnull, 0);
2321 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2322 if (devnull)
c3c073f8 2323 fput(devnull);
1da177e4
LT		 2324}
2325
a6f76f23
DH		 2326/*
2327 * Prepare a process for imminent new credential changes due to exec
2328 */
2329static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2330{
a6f76f23
DH		 2331 struct task_security_struct *new_tsec;
2332 struct rlimit *rlim, *initrlim;
2333 int rc, i;
d84f4f99 2334
a6f76f23
DH		 2335 new_tsec = bprm->cred->security;
2336 if (new_tsec->sid == new_tsec->osid)
2337 return;
1da177e4 2338
a6f76f23
DH		 2339 /* Close files for which the new task SID is not authorized. */
2340 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2341
a6f76f23
DH		 2342 /* Always clear parent death signal on SID transitions. */
2343 current->pdeath_signal = 0;
0356357c 2344
a6f76f23
DH		 2345 /* Check whether the new SID can inherit resource limits from the old
2346 * SID. If not, reset all soft limits to the lower of the current
2347 * task's hard limit and the init task's soft limit.
2348 *
2349 * Note that the setting of hard limits (even to lower them) can be
2350 * controlled by the setrlimit check. The inclusion of the init task's
2351 * soft limit into the computation is to avoid resetting soft limits
2352 * higher than the default soft limit for cases where the default is
2353 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2354 */
2355 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2356 PROCESS__RLIMITINH, NULL);
2357 if (rc) {
eb2d55a3
ON		 2358 /* protect against do_prlimit() */
2359 task_lock(current);
a6f76f23
DH		 2360 for (i = 0; i < RLIM_NLIMITS; i++) {
2361 rlim = current->signal->rlim + i;
2362 initrlim = init_task.signal->rlim + i;
2363 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2364 }
eb2d55a3
ON		 2365 task_unlock(current);
2366 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2367 }
2368}
2369
2370/*
a6f76f23
DH		 2371 * Clean up the process immediately after the installation of new credentials
2372 * due to exec
1da177e4 2373 */
a6f76f23 2374static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2375{
a6f76f23 2376 const struct task_security_struct *tsec = current_security();
1da177e4 2377 struct itimerval itimer;
a6f76f23 2378 u32 osid, sid;
1da177e4
LT		 2379 int rc, i;
2380
a6f76f23
DH		 2381 osid = tsec->osid;
2382 sid = tsec->sid;
2383
2384 if (sid == osid)
1da177e4
LT		 2385 return;
2386
a6f76f23
DH		 2387 /* Check whether the new SID can inherit signal state from the old SID.
2388 * If not, clear itimers to avoid subsequent signal generation and
2389 * flush and unblock signals.
2390 *
2391 * This must occur _after_ the task SID has been updated so that any
2392 * kill done after the flush will be checked against the new SID.
2393 */
2394 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4
LT		 2395 if (rc) {
2396 memset(&itimer, 0, sizeof itimer);
2397 for (i = 0; i < 3; i++)
2398 do_setitimer(i, &itimer, NULL);
1da177e4 2399 spin_lock_irq(&current->sighand->siglock);
3bcac026
DH		 2400 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2401 __flush_signals(current);
2402 flush_signal_handlers(current, 1);
2403 sigemptyset(&current->blocked);
2404 }
1da177e4
LT		 2405 spin_unlock_irq(&current->sighand->siglock);
2406 }
2407
a6f76f23
DH		 2408 /* Wake up the parent if it is waiting so that it can recheck
2409 * wait permission to the new task SID. */
ecd6de3c 2410 read_lock(&tasklist_lock);
0b7570e7 2411 __wake_up_parent(current, current->real_parent);
ecd6de3c 2412 read_unlock(&tasklist_lock);
1da177e4
LT		 2413}
2414
2415/* superblock security operations */
2416
2417static int selinux_sb_alloc_security(struct super_block *sb)
2418{
2419 return superblock_alloc_security(sb);
2420}
2421
2422static void selinux_sb_free_security(struct super_block *sb)
2423{
2424 superblock_free_security(sb);
2425}
2426
2427static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2428{
2429 if (plen > olen)
2430 return 0;
2431
2432 return !memcmp(prefix, option, plen);
2433}
2434
2435static inline int selinux_option(char *option, int len)
2436{
832cbd9a
EP		 2437 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2438 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2439 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2440 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2441 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2442}
2443
2444static inline void take_option(char **to, char *from, int *first, int len)
2445{
2446 if (!*first) {
2447 **to = ',';
2448 *to += 1;
3528a953 2449 } else
1da177e4
LT		 2450 *first = 0;
2451 memcpy(*to, from, len);
2452 *to += len;
2453}
2454
828dfe1d
EP		 2455static inline void take_selinux_option(char **to, char *from, int *first,
2456 int len)
3528a953
CO		 2457{
2458 int current_size = 0;
2459
2460 if (!*first) {
2461 **to = '|';
2462 *to += 1;
828dfe1d 2463 } else
3528a953
CO		 2464 *first = 0;
2465
2466 while (current_size < len) {
2467 if (*from != '"') {
2468 **to = *from;
2469 *to += 1;
2470 }
2471 from += 1;
2472 current_size += 1;
2473 }
2474}
2475
e0007529 2476static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2477{
2478 int fnosec, fsec, rc = 0;
2479 char *in_save, *in_curr, *in_end;
2480 char *sec_curr, *nosec_save, *nosec;
3528a953 2481 int open_quote = 0;
1da177e4
LT		 2482
2483 in_curr = orig;
2484 sec_curr = copy;
2485
1da177e4
LT		 2486 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2487 if (!nosec) {
2488 rc = -ENOMEM;
2489 goto out;
2490 }
2491
2492 nosec_save = nosec;
2493 fnosec = fsec = 1;
2494 in_save = in_end = orig;
2495
2496 do {
3528a953
CO		 2497 if (*in_end == '"')
2498 open_quote = !open_quote;
2499 if ((*in_end == ',' && open_quote == 0) ||
2500 *in_end == '\0') {
1da177e4
LT		 2501 int len = in_end - in_curr;
2502
2503 if (selinux_option(in_curr, len))
3528a953 2504 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2505 else
2506 take_option(&nosec, in_curr, &fnosec, len);
2507
2508 in_curr = in_end + 1;
2509 }
2510 } while (*in_end++);
2511
6931dfc9 2512 strcpy(in_save, nosec_save);
da3caa20 2513 free_page((unsigned long)nosec_save);
1da177e4
LT		 2514out:
2515 return rc;
2516}
2517
026eb167
EP		 2518static int selinux_sb_remount(struct super_block *sb, void *data)
2519{
2520 int rc, i, *flags;
2521 struct security_mnt_opts opts;
2522 char *secdata, **mount_options;
2523 struct superblock_security_struct *sbsec = sb->s_security;
2524
2525 if (!(sbsec->flags & SE_SBINITIALIZED))
2526 return 0;
2527
2528 if (!data)
2529 return 0;
2530
2531 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2532 return 0;
2533
2534 security_init_mnt_opts(&opts);
2535 secdata = alloc_secdata();
2536 if (!secdata)
2537 return -ENOMEM;
2538 rc = selinux_sb_copy_data(data, secdata);
2539 if (rc)
2540 goto out_free_secdata;
2541
2542 rc = selinux_parse_opts_str(secdata, &opts);
2543 if (rc)
2544 goto out_free_secdata;
2545
2546 mount_options = opts.mnt_opts;
2547 flags = opts.mnt_opts_flags;
2548
2549 for (i = 0; i < opts.num_mnt_opts; i++) {
2550 u32 sid;
2551 size_t len;
2552
12f348b9 2553 if (flags[i] == SBLABEL_MNT)
026eb167
EP		 2554 continue;
2555 len = strlen(mount_options[i]);
52a4c640
NA		 2556 rc = security_context_to_sid(mount_options[i], len, &sid,
2557 GFP_KERNEL);
026eb167
EP		 2558 if (rc) {
2559 printk(KERN_WARNING "SELinux: security_context_to_sid"
29b1deb2
LT		 2560 "(%s) failed for (dev %s, type %s) errno=%d\n",
2561 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2562 goto out_free_opts;
2563 }
2564 rc = -EINVAL;
2565 switch (flags[i]) {
2566 case FSCONTEXT_MNT:
2567 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2568 goto out_bad_option;
2569 break;
2570 case CONTEXT_MNT:
2571 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2572 goto out_bad_option;
2573 break;
2574 case ROOTCONTEXT_MNT: {
2575 struct inode_security_struct *root_isec;
2576 root_isec = sb->s_root->d_inode->i_security;
2577
2578 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2579 goto out_bad_option;
2580 break;
2581 }
2582 case DEFCONTEXT_MNT:
2583 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2584 goto out_bad_option;
2585 break;
2586 default:
2587 goto out_free_opts;
2588 }
2589 }
2590
2591 rc = 0;
2592out_free_opts:
2593 security_free_mnt_opts(&opts);
2594out_free_secdata:
2595 free_secdata(secdata);
2596 return rc;
2597out_bad_option:
2598 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2599 "during remount (dev %s, type=%s)\n", sb->s_id,
2600 sb->s_type->name);
026eb167
EP		 2601 goto out_free_opts;
2602}
2603
12204e24 2604static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2605{
88e67f3b 2606 const struct cred *cred = current_cred();
2bf49690 2607 struct common_audit_data ad;
1da177e4
LT		 2608 int rc;
2609
2610 rc = superblock_doinit(sb, data);
2611 if (rc)
2612 return rc;
2613
74192246
JM		 2614 /* Allow all mounts performed by the kernel */
2615 if (flags & MS_KERNMOUNT)
2616 return 0;
2617
50c205f5 2618 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2619 ad.u.dentry = sb->s_root;
88e67f3b 2620 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2621}
2622
726c3342 2623static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2624{
88e67f3b 2625 const struct cred *cred = current_cred();
2bf49690 2626 struct common_audit_data ad;
1da177e4 2627
50c205f5 2628 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2629 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2630 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2631}
2632
808d4e3c 2633static int selinux_mount(const char *dev_name,
b5266eb4 2634 struct path *path,
808d4e3c 2635 const char *type,
828dfe1d
EP		 2636 unsigned long flags,
2637 void *data)
1da177e4 2638{
88e67f3b 2639 const struct cred *cred = current_cred();
1da177e4
LT		 2640
2641 if (flags & MS_REMOUNT)
d8c9584e 2642 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2643 FILESYSTEM__REMOUNT, NULL);
1da177e4 2644 else
2875fa00 2645 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2646}
2647
2648static int selinux_umount(struct vfsmount *mnt, int flags)
2649{
88e67f3b 2650 const struct cred *cred = current_cred();
1da177e4 2651
88e67f3b 2652 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2653 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2654}
2655
2656/* inode security operations */
2657
2658static int selinux_inode_alloc_security(struct inode *inode)
2659{
2660 return inode_alloc_security(inode);
2661}
2662
2663static void selinux_inode_free_security(struct inode *inode)
2664{
2665 inode_free_security(inode);
2666}
2667
d47be3df
DQ		 2668static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2669 struct qstr *name, void **ctx,
2670 u32 *ctxlen)
2671{
2672 const struct cred *cred = current_cred();
2673 struct task_security_struct *tsec;
2674 struct inode_security_struct *dsec;
2675 struct superblock_security_struct *sbsec;
2676 struct inode *dir = dentry->d_parent->d_inode;
2677 u32 newsid;
2678 int rc;
2679
2680 tsec = cred->security;
2681 dsec = dir->i_security;
2682 sbsec = dir->i_sb->s_security;
2683
2684 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2685 newsid = tsec->create_sid;
2686 } else {
2687 rc = security_transition_sid(tsec->sid, dsec->sid,
2688 inode_mode_to_security_class(mode),
2689 name,
2690 &newsid);
2691 if (rc) {
2692 printk(KERN_WARNING
2693 "%s: security_transition_sid failed, rc=%d\n",
2694 __func__, -rc);
2695 return rc;
2696 }
2697 }
2698
2699 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2700}
2701
5e41ff9e 2702static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2703 const struct qstr *qstr,
2704 const char **name,
2a7dba39 2705 void **value, size_t *len)
5e41ff9e 2706{
5fb49870 2707 const struct task_security_struct *tsec = current_security();
5e41ff9e
SS		 2708 struct inode_security_struct *dsec;
2709 struct superblock_security_struct *sbsec;
275bb41e 2710 u32 sid, newsid, clen;
5e41ff9e 2711 int rc;
9548906b 2712 char *context;
5e41ff9e 2713
5e41ff9e
SS		 2714 dsec = dir->i_security;
2715 sbsec = dir->i_sb->s_security;
5e41ff9e 2716
275bb41e
DH		 2717 sid = tsec->sid;
2718 newsid = tsec->create_sid;
2719
415103f9
EP		 2720 if ((sbsec->flags & SE_SBINITIALIZED) &&
2721 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2722 newsid = sbsec->mntpoint_sid;
12f348b9 2723 else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
275bb41e 2724 rc = security_transition_sid(sid, dsec->sid,
5e41ff9e 2725 inode_mode_to_security_class(inode->i_mode),
652bb9b0 2726 qstr, &newsid);
5e41ff9e
SS		 2727 if (rc) {
2728 printk(KERN_WARNING "%s: "
2729 "security_transition_sid failed, rc=%d (dev=%s "
2730 "ino=%ld)\n",
dd6f953a 2731 __func__,
5e41ff9e
SS		 2732 -rc, inode->i_sb->s_id, inode->i_ino);
2733 return rc;
2734 }
2735 }
2736
296fddf7 2737 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2738 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2739 struct inode_security_struct *isec = inode->i_security;
2740 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2741 isec->sid = newsid;
2742 isec->initialized = 1;
2743 }
5e41ff9e 2744
12f348b9 2745 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2746 return -EOPNOTSUPP;
2747
9548906b
TH		 2748 if (name)
2749 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2750
570bc1c2 2751 if (value && len) {
12b29f34 2752 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 2753 if (rc)
570bc1c2 2754 return rc;
570bc1c2
SS		 2755 *value = context;
2756 *len = clen;
5e41ff9e 2757 }
5e41ff9e 2758
5e41ff9e
SS		 2759 return 0;
2760}
2761
4acdaf27 2762static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2763{
2764 return may_create(dir, dentry, SECCLASS_FILE);
2765}
2766
1da177e4
LT		 2767static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2768{
1da177e4
LT		 2769 return may_link(dir, old_dentry, MAY_LINK);
2770}
2771
1da177e4
LT		 2772static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2773{
1da177e4
LT		 2774 return may_link(dir, dentry, MAY_UNLINK);
2775}
2776
2777static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2778{
2779 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2780}
2781
18bb1db3 2782static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2783{
2784 return may_create(dir, dentry, SECCLASS_DIR);
2785}
2786
1da177e4
LT		 2787static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2788{
2789 return may_link(dir, dentry, MAY_RMDIR);
2790}
2791
1a67aafb 2792static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2793{
1da177e4
LT		 2794 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2795}
2796
1da177e4 2797static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2798 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2799{
2800 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2801}
2802
1da177e4
LT		 2803static int selinux_inode_readlink(struct dentry *dentry)
2804{
88e67f3b
DH		 2805 const struct cred *cred = current_cred();
2806
2875fa00 2807 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2808}
2809
2810static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2811{
88e67f3b 2812 const struct cred *cred = current_cred();
1da177e4 2813
2875fa00 2814 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2815}
2816
d4cf970d
EP		 2817static noinline int audit_inode_permission(struct inode *inode,
2818 u32 perms, u32 audited, u32 denied,
626b9740 2819 int result,
d4cf970d 2820 unsigned flags)
1da177e4 2821{
b782e0a6 2822 struct common_audit_data ad;
d4cf970d
EP		 2823 struct inode_security_struct *isec = inode->i_security;
2824 int rc;
2825
50c205f5 2826 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 2827 ad.u.inode = inode;
2828
2829 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
626b9740 2830 audited, denied, result, &ad, flags);
d4cf970d
EP		 2831 if (rc)
2832 return rc;
2833 return 0;
2834}
2835
e74f71eb 2836static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2837{
88e67f3b 2838 const struct cred *cred = current_cred();
b782e0a6
EP		 2839 u32 perms;
2840 bool from_access;
cf1dd1da 2841 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 2842 struct inode_security_struct *isec;
2843 u32 sid;
2844 struct av_decision avd;
2845 int rc, rc2;
2846 u32 audited, denied;
1da177e4 2847
b782e0a6 2848 from_access = mask & MAY_ACCESS;
d09ca739
EP		 2849 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2850
b782e0a6
EP		 2851 /* No permission to check. Existence test. */
2852 if (!mask)
1da177e4 2853 return 0;
1da177e4 2854
2e334057 2855 validate_creds(cred);
b782e0a6 2856
2e334057
EP		 2857 if (unlikely(IS_PRIVATE(inode)))
2858 return 0;
b782e0a6
EP		 2859
2860 perms = file_mask_to_av(inode->i_mode, mask);
2861
2e334057
EP		 2862 sid = cred_sid(cred);
2863 isec = inode->i_security;
2864
2865 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2866 audited = avc_audit_required(perms, &avd, rc,
2867 from_access ? FILE__AUDIT_ACCESS : 0,
2868 &denied);
2869 if (likely(!audited))
2870 return rc;
2871
626b9740 2872 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 2873 if (rc2)
2874 return rc2;
2875 return rc;
1da177e4
LT		 2876}
2877
2878static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2879{
88e67f3b 2880 const struct cred *cred = current_cred();
bc6a6008 2881 unsigned int ia_valid = iattr->ia_valid;
95dbf739 2882 __u32 av = FILE__WRITE;
1da177e4 2883
bc6a6008
AW		 2884 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2885 if (ia_valid & ATTR_FORCE) {
2886 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2887 ATTR_FORCE);
2888 if (!ia_valid)
2889 return 0;
2890 }
1da177e4 2891
bc6a6008
AW		 2892 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2893 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 2894 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 2895
3d2195c3 2896 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
95dbf739
EP		 2897 av |= FILE__OPEN;
2898
2899 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 2900}
2901
2902static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2903{
88e67f3b 2904 const struct cred *cred = current_cred();
2875fa00
EP		 2905 struct path path;
2906
2907 path.dentry = dentry;
2908 path.mnt = mnt;
88e67f3b 2909
2875fa00 2910 return path_has_perm(cred, &path, FILE__GETATTR);
1da177e4
LT		 2911}
2912
8f0cfa52 2913static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 2914{
88e67f3b
DH		 2915 const struct cred *cred = current_cred();
2916
b5376771
SH		 2917 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2918 sizeof XATTR_SECURITY_PREFIX - 1)) {
2919 if (!strcmp(name, XATTR_NAME_CAPS)) {
2920 if (!capable(CAP_SETFCAP))
2921 return -EPERM;
2922 } else if (!capable(CAP_SYS_ADMIN)) {
2923 /* A different attribute in the security namespace.
2924 Restrict to administrator. */
2925 return -EPERM;
2926 }
2927 }
2928
2929 /* Not an attribute we recognize, so just check the
2930 ordinary setattr permission. */
2875fa00 2931 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 2932}
2933
8f0cfa52
DH		 2934static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2935 const void *value, size_t size, int flags)
1da177e4 2936{
1da177e4
LT		 2937 struct inode *inode = dentry->d_inode;
2938 struct inode_security_struct *isec = inode->i_security;
2939 struct superblock_security_struct *sbsec;
2bf49690 2940 struct common_audit_data ad;
275bb41e 2941 u32 newsid, sid = current_sid();
1da177e4
LT		 2942 int rc = 0;
2943
b5376771
SH		 2944 if (strcmp(name, XATTR_NAME_SELINUX))
2945 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2946
2947 sbsec = inode->i_sb->s_security;
12f348b9 2948 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 2949 return -EOPNOTSUPP;
2950
2e149670 2951 if (!inode_owner_or_capable(inode))
1da177e4
LT		 2952 return -EPERM;
2953
50c205f5 2954 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2955 ad.u.dentry = dentry;
1da177e4 2956
275bb41e 2957 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 2958 FILE__RELABELFROM, &ad);
2959 if (rc)
2960 return rc;
2961
52a4c640 2962 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
12b29f34 2963 if (rc == -EINVAL) {
d6ea83ec
EP		 2964 if (!capable(CAP_MAC_ADMIN)) {
2965 struct audit_buffer *ab;
2966 size_t audit_size;
2967 const char *str;
2968
2969 /* We strip a nul only if it is at the end, otherwise the
2970 * context contains a nul and we should audit that */
e3fea3f7
AV		 2971 if (value) {
2972 str = value;
2973 if (str[size - 1] == '\0')
2974 audit_size = size - 1;
2975 else
2976 audit_size = size;
2977 } else {
2978 str = "";
2979 audit_size = 0;
2980 }
d6ea83ec
EP		 2981 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2982 audit_log_format(ab, "op=setxattr invalid_context=");
2983 audit_log_n_untrustedstring(ab, value, audit_size);
2984 audit_log_end(ab);
2985
12b29f34 2986 return rc;
d6ea83ec 2987 }
12b29f34
SS		 2988 rc = security_context_to_sid_force(value, size, &newsid);
2989 }
1da177e4
LT		 2990 if (rc)
2991 return rc;
2992
275bb41e 2993 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 2994 FILE__RELABELTO, &ad);
2995 if (rc)
2996 return rc;
2997
275bb41e 2998 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 2999 isec->sclass);
1da177e4
LT		 3000 if (rc)
3001 return rc;
3002
3003 return avc_has_perm(newsid,
3004 sbsec->sid,
3005 SECCLASS_FILESYSTEM,
3006 FILESYSTEM__ASSOCIATE,
3007 &ad);
3008}
3009
8f0cfa52 3010static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3011 const void *value, size_t size,
8f0cfa52 3012 int flags)
1da177e4
LT		 3013{
3014 struct inode *inode = dentry->d_inode;
3015 struct inode_security_struct *isec = inode->i_security;
3016 u32 newsid;
3017 int rc;
3018
3019 if (strcmp(name, XATTR_NAME_SELINUX)) {
3020 /* Not an attribute we recognize, so nothing to do. */
3021 return;
3022 }
3023
12b29f34 3024 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 3025 if (rc) {
12b29f34
SS		 3026 printk(KERN_ERR "SELinux: unable to map context to SID"
3027 "for (%s, %lu), rc=%d\n",
3028 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3029 return;
3030 }
3031
aa9c2669 3032 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3033 isec->sid = newsid;
aa9c2669
DQ		 3034 isec->initialized = 1;
3035
1da177e4
LT		 3036 return;
3037}
3038
8f0cfa52 3039static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3040{
88e67f3b
DH		 3041 const struct cred *cred = current_cred();
3042
2875fa00 3043 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3044}
3045
828dfe1d 3046static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3047{
88e67f3b
DH		 3048 const struct cred *cred = current_cred();
3049
2875fa00 3050 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3051}
3052
8f0cfa52 3053static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3054{
b5376771
SH		 3055 if (strcmp(name, XATTR_NAME_SELINUX))
3056 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3057
3058 /* No one is allowed to remove a SELinux security label.
3059 You can change the label, but all data must be labeled. */
3060 return -EACCES;
3061}
3062
d381d8a9 3063/*
abc69bb6 3064 * Copy the inode security context value to the user.
d381d8a9
JM		 3065 *
3066 * Permission check is handled by selinux_inode_getxattr hook.
3067 */
42492594 3068static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3069{
42492594
DQ		 3070 u32 size;
3071 int error;
3072 char *context = NULL;
1da177e4 3073 struct inode_security_struct *isec = inode->i_security;
d381d8a9 3074
8c8570fb
DK		 3075 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3076 return -EOPNOTSUPP;
d381d8a9 3077
abc69bb6
SS		 3078 /*
3079 * If the caller has CAP_MAC_ADMIN, then get the raw context
3080 * value even if it is not defined by current policy; otherwise,
3081 * use the in-core value under current policy.
3082 * Use the non-auditing forms of the permission checks since
3083 * getxattr may be called by unprivileged processes commonly
3084 * and lack of permission just means that we fall back to the
3085 * in-core context value, not a denial.
3086 */
6a9de491 3087 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3699c53c 3088 SECURITY_CAP_NOAUDIT);
abc69bb6
SS		 3089 if (!error)
3090 error = security_sid_to_context_force(isec->sid, &context,
3091 &size);
3092 else
3093 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3094 if (error)
3095 return error;
3096 error = size;
3097 if (alloc) {
3098 *buffer = context;
3099 goto out_nofree;
3100 }
3101 kfree(context);
3102out_nofree:
3103 return error;
1da177e4
LT		 3104}
3105
3106static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3107 const void *value, size_t size, int flags)
1da177e4
LT		 3108{
3109 struct inode_security_struct *isec = inode->i_security;
3110 u32 newsid;
3111 int rc;
3112
3113 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3114 return -EOPNOTSUPP;
3115
3116 if (!value || !size)
3117 return -EACCES;
3118
52a4c640 3119 rc = security_context_to_sid((void *)value, size, &newsid, GFP_KERNEL);
1da177e4
LT		 3120 if (rc)
3121 return rc;
3122
aa9c2669 3123 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3124 isec->sid = newsid;
ddd29ec6 3125 isec->initialized = 1;
1da177e4
LT		 3126 return 0;
3127}
3128
3129static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3130{
3131 const int len = sizeof(XATTR_NAME_SELINUX);
3132 if (buffer && len <= buffer_size)
3133 memcpy(buffer, XATTR_NAME_SELINUX, len);
3134 return len;
3135}
3136
713a04ae
AD		 3137static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3138{
3139 struct inode_security_struct *isec = inode->i_security;
3140 *secid = isec->sid;
3141}
3142
1da177e4
LT		 3143/* file security operations */
3144
788e7dd4 3145static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3146{
88e67f3b 3147 const struct cred *cred = current_cred();
496ad9aa 3148 struct inode *inode = file_inode(file);
1da177e4 3149
1da177e4
LT		 3150 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3151 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3152 mask |= MAY_APPEND;
3153
389fb800
PM		 3154 return file_has_perm(cred, file,
3155 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3156}
3157
788e7dd4
YN		 3158static int selinux_file_permission(struct file *file, int mask)
3159{
496ad9aa 3160 struct inode *inode = file_inode(file);
20dda18b
SS		 3161 struct file_security_struct *fsec = file->f_security;
3162 struct inode_security_struct *isec = inode->i_security;
3163 u32 sid = current_sid();
3164
389fb800 3165 if (!mask)
788e7dd4
YN		 3166 /* No permission to check. Existence test. */
3167 return 0;
788e7dd4 3168
20dda18b
SS		 3169 if (sid == fsec->sid && fsec->isid == isec->sid &&
3170 fsec->pseqno == avc_policy_seqno())
83d49856 3171 /* No change since file_open check. */
20dda18b
SS		 3172 return 0;
3173
788e7dd4
YN		 3174 return selinux_revalidate_file_permission(file, mask);
3175}
3176
1da177e4
LT		 3177static int selinux_file_alloc_security(struct file *file)
3178{
3179 return file_alloc_security(file);
3180}
3181
3182static void selinux_file_free_security(struct file *file)
3183{
3184 file_free_security(file);
3185}
3186
3187static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3188 unsigned long arg)
3189{
88e67f3b 3190 const struct cred *cred = current_cred();
0b24dcb7 3191 int error = 0;
1da177e4 3192
0b24dcb7
EP		 3193 switch (cmd) {
3194 case FIONREAD:
3195 /* fall through */
3196 case FIBMAP:
3197 /* fall through */
3198 case FIGETBSZ:
3199 /* fall through */
2f99c369 3200 case FS_IOC_GETFLAGS:
0b24dcb7 3201 /* fall through */
2f99c369 3202 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3203 error = file_has_perm(cred, file, FILE__GETATTR);
3204 break;
1da177e4 3205
2f99c369 3206 case FS_IOC_SETFLAGS:
0b24dcb7 3207 /* fall through */
2f99c369 3208 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3209 error = file_has_perm(cred, file, FILE__SETATTR);
3210 break;
3211
3212 /* sys_ioctl() checks */
3213 case FIONBIO:
3214 /* fall through */
3215 case FIOASYNC:
3216 error = file_has_perm(cred, file, 0);
3217 break;
1da177e4 3218
0b24dcb7
EP		 3219 case KDSKBENT:
3220 case KDSKBSENT:
6a9de491
EP		 3221 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3222 SECURITY_CAP_AUDIT);
0b24dcb7
EP		 3223 break;
3224
3225 /* default case assumes that the command will go
3226 * to the file's ioctl() function.
3227 */
3228 default:
3229 error = file_has_perm(cred, file, FILE__IOCTL);
3230 }
3231 return error;
1da177e4
LT		 3232}
3233
fcaaade1
SS		 3234static int default_noexec;
3235
1da177e4
LT		 3236static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3237{
88e67f3b 3238 const struct cred *cred = current_cred();
d84f4f99 3239 int rc = 0;
88e67f3b 3240
fcaaade1
SS		 3241 if (default_noexec &&
3242 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3243 /*
3244 * We are making executable an anonymous mapping or a
3245 * private file mapping that will also be writable.
3246 * This has an additional check.
3247 */
d84f4f99 3248 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 3249 if (rc)
d84f4f99 3250 goto error;
1da177e4 3251 }
1da177e4
LT		 3252
3253 if (file) {
3254 /* read access is always possible with a mapping */
3255 u32 av = FILE__READ;
3256
3257 /* write access only matters if the mapping is shared */
3258 if (shared && (prot & PROT_WRITE))
3259 av |= FILE__WRITE;
3260
3261 if (prot & PROT_EXEC)
3262 av |= FILE__EXECUTE;
3263
88e67f3b 3264 return file_has_perm(cred, file, av);
1da177e4 3265 }
d84f4f99
DH		 3266
3267error:
3268 return rc;
1da177e4
LT		 3269}
3270
e5467859 3271static int selinux_mmap_addr(unsigned long addr)
1da177e4 3272{
98883bfd
PM		 3273 int rc;
3274
3275 /* do DAC check on address space usage */
3276 rc = cap_mmap_addr(addr);
3277 if (rc)
3278 return rc;
1da177e4 3279
a2551df7 3280 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3281 u32 sid = current_sid();
ed032189
EP		 3282 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3283 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3284 }
3285
98883bfd 3286 return rc;
e5467859 3287}
1da177e4 3288
e5467859
AV		 3289static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3290 unsigned long prot, unsigned long flags)
3291{
1da177e4
LT		 3292 if (selinux_checkreqprot)
3293 prot = reqprot;
3294
3295 return file_map_prot_check(file, prot,
3296 (flags & MAP_TYPE) == MAP_SHARED);
3297}
3298
3299static int selinux_file_mprotect(struct vm_area_struct *vma,
3300 unsigned long reqprot,
3301 unsigned long prot)
3302{
88e67f3b 3303 const struct cred *cred = current_cred();
1da177e4
LT		 3304
3305 if (selinux_checkreqprot)
3306 prot = reqprot;
3307
fcaaade1
SS		 3308 if (default_noexec &&
3309 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3310 int rc = 0;
db4c9641
SS		 3311 if (vma->vm_start >= vma->vm_mm->start_brk &&
3312 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3313 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641
SS		 3314 } else if (!vma->vm_file &&
3315 vma->vm_start <= vma->vm_mm->start_stack &&
3316 vma->vm_end >= vma->vm_mm->start_stack) {
3b11a1de 3317 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3318 } else if (vma->vm_file && vma->anon_vma) {
3319 /*
3320 * We are making executable a file mapping that has
3321 * had some COW done. Since pages might have been
3322 * written, check ability to execute the possibly
3323 * modified content. This typically should only
3324 * occur for text relocations.
3325 */
d84f4f99 3326 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3327 }