projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
VFS/Security: Rework inode_getsecurity and callers to return resulting buffer
[deliverable/linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
effad8df
PM		 15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com>
788e7dd4
YN		 17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 19 *
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
23 */
24
1da177e4
LT		 25#include <linux/init.h>
26#include <linux/kernel.h>
27#include <linux/ptrace.h>
28#include <linux/errno.h>
29#include <linux/sched.h>
30#include <linux/security.h>
31#include <linux/xattr.h>
32#include <linux/capability.h>
33#include <linux/unistd.h>
34#include <linux/mm.h>
35#include <linux/mman.h>
36#include <linux/slab.h>
37#include <linux/pagemap.h>
38#include <linux/swap.h>
1da177e4
LT		 39#include <linux/spinlock.h>
40#include <linux/syscalls.h>
41#include <linux/file.h>
42#include <linux/namei.h>
43#include <linux/mount.h>
44#include <linux/ext2_fs.h>
45#include <linux/proc_fs.h>
46#include <linux/kd.h>
47#include <linux/netfilter_ipv4.h>
48#include <linux/netfilter_ipv6.h>
49#include <linux/tty.h>
50#include <net/icmp.h>
227b60f5 51#include <net/ip.h> /* for local_port_range[] */
1da177e4 52#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
220deb96 53#include <net/net_namespace.h>
d621d35e 54#include <net/netlabel.h>
1da177e4 55#include <asm/uaccess.h>
1da177e4 56#include <asm/ioctls.h>
d621d35e 57#include <asm/atomic.h>
1da177e4
LT		 58#include <linux/bitops.h>
59#include <linux/interrupt.h>
60#include <linux/netdevice.h> /* for network interface checks */
61#include <linux/netlink.h>
62#include <linux/tcp.h>
63#include <linux/udp.h>
2ee92d46 64#include <linux/dccp.h>
1da177e4
LT		 65#include <linux/quota.h>
66#include <linux/un.h> /* for Unix socket types */
67#include <net/af_unix.h> /* for Unix socket types */
68#include <linux/parser.h>
69#include <linux/nfs_mount.h>
70#include <net/ipv6.h>
71#include <linux/hugetlb.h>
72#include <linux/personality.h>
73#include <linux/sysctl.h>
74#include <linux/audit.h>
6931dfc9 75#include <linux/string.h>
877ce7c1 76#include <linux/selinux.h>
23970741 77#include <linux/mutex.h>
1da177e4
LT		 78
79#include "avc.h"
80#include "objsec.h"
81#include "netif.h"
224dfbd8 82#include "netnode.h"
d28d1e08 83#include "xfrm.h"
c60475bf 84#include "netlabel.h"
1da177e4
LT		 85
86#define XATTR_SELINUX_SUFFIX "selinux"
87#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
88
c9180a57
EP		 89#define NUM_SEL_MNT_OPTS 4
90
1da177e4
LT		 91extern unsigned int policydb_loaded_version;
92extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
4e5ab4cb 93extern int selinux_compat_net;
20510f2f 94extern struct security_operations *security_ops;
1da177e4 95
d621d35e
PM		 96/* SECMARK reference count */
97atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
98
1da177e4
LT		 99#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100int selinux_enforcing = 0;
101
102static int __init enforcing_setup(char *str)
103{
104 selinux_enforcing = simple_strtol(str,NULL,0);
105 return 1;
106}
107__setup("enforcing=", enforcing_setup);
108#endif
109
110#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
112
113static int __init selinux_enabled_setup(char *str)
114{
115 selinux_enabled = simple_strtol(str, NULL, 0);
116 return 1;
117}
118__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 119#else
120int selinux_enabled = 1;
1da177e4
LT		 121#endif
122
123/* Original (dummy) security module. */
124static struct security_operations *original_ops = NULL;
125
126/* Minimal support for a secondary security module,
127 just to allow the use of the dummy or capability modules.
128 The owlsm module can alternatively be used as a secondary
129 module as long as CONFIG_OWLSM_FD is not enabled. */
130static struct security_operations *secondary_ops = NULL;
131
132/* Lists of inode and superblock security structures initialized
133 before the policy was loaded. */
134static LIST_HEAD(superblock_security_head);
135static DEFINE_SPINLOCK(sb_security_lock);
136
e18b890b 137static struct kmem_cache *sel_inode_cache;
7cae7e26 138
d621d35e
PM		 139/**
140 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
141 *
142 * Description:
143 * This function checks the SECMARK reference counter to see if any SECMARK
144 * targets are currently configured, if the reference counter is greater than
145 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
146 * enabled, false (0) if SECMARK is disabled.
147 *
148 */
149static int selinux_secmark_enabled(void)
150{
151 return (atomic_read(&selinux_secmark_refcount) > 0);
152}
153
1da177e4
LT		 154/* Allocate and free functions for each kind of security blob. */
155
156static int task_alloc_security(struct task_struct *task)
157{
158 struct task_security_struct *tsec;
159
89d155ef 160 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4
LT		 161 if (!tsec)
162 return -ENOMEM;
163
1da177e4
LT		 164 tsec->task = task;
165 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
166 task->security = tsec;
167
168 return 0;
169}
170
171static void task_free_security(struct task_struct *task)
172{
173 struct task_security_struct *tsec = task->security;
1da177e4
LT		 174 task->security = NULL;
175 kfree(tsec);
176}
177
178static int inode_alloc_security(struct inode *inode)
179{
180 struct task_security_struct *tsec = current->security;
181 struct inode_security_struct *isec;
182
c3762229 183 isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
1da177e4
LT		 184 if (!isec)
185 return -ENOMEM;
186
23970741 187 mutex_init(&isec->lock);
1da177e4 188 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 189 isec->inode = inode;
190 isec->sid = SECINITSID_UNLABELED;
191 isec->sclass = SECCLASS_FILE;
9ac49d22 192 isec->task_sid = tsec->sid;
1da177e4
LT		 193 inode->i_security = isec;
194
195 return 0;
196}
197
198static void inode_free_security(struct inode *inode)
199{
200 struct inode_security_struct *isec = inode->i_security;
201 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
202
1da177e4
LT		 203 spin_lock(&sbsec->isec_lock);
204 if (!list_empty(&isec->list))
205 list_del_init(&isec->list);
206 spin_unlock(&sbsec->isec_lock);
207
208 inode->i_security = NULL;
7cae7e26 209 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 210}
211
212static int file_alloc_security(struct file *file)
213{
214 struct task_security_struct *tsec = current->security;
215 struct file_security_struct *fsec;
216
26d2a4be 217 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 218 if (!fsec)
219 return -ENOMEM;
220
1da177e4 221 fsec->file = file;
9ac49d22
SS		 222 fsec->sid = tsec->sid;
223 fsec->fown_sid = tsec->sid;
1da177e4
LT		 224 file->f_security = fsec;
225
226 return 0;
227}
228
229static void file_free_security(struct file *file)
230{
231 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 232 file->f_security = NULL;
233 kfree(fsec);
234}
235
236static int superblock_alloc_security(struct super_block *sb)
237{
238 struct superblock_security_struct *sbsec;
239
89d155ef 240 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 241 if (!sbsec)
242 return -ENOMEM;
243
bc7e982b 244 mutex_init(&sbsec->lock);
1da177e4
LT		 245 INIT_LIST_HEAD(&sbsec->list);
246 INIT_LIST_HEAD(&sbsec->isec_head);
247 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 248 sbsec->sb = sb;
249 sbsec->sid = SECINITSID_UNLABELED;
250 sbsec->def_sid = SECINITSID_FILE;
c312feb2 251 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 252 sb->s_security = sbsec;
253
254 return 0;
255}
256
257static void superblock_free_security(struct super_block *sb)
258{
259 struct superblock_security_struct *sbsec = sb->s_security;
260
1da177e4
LT		 261 spin_lock(&sb_security_lock);
262 if (!list_empty(&sbsec->list))
263 list_del_init(&sbsec->list);
264 spin_unlock(&sb_security_lock);
265
266 sb->s_security = NULL;
267 kfree(sbsec);
268}
269
7d877f3b 270static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4
LT		 271{
272 struct sk_security_struct *ssec;
273
89d155ef 274 ssec = kzalloc(sizeof(*ssec), priority);
1da177e4
LT		 275 if (!ssec)
276 return -ENOMEM;
277
1da177e4
LT		 278 ssec->sk = sk;
279 ssec->peer_sid = SECINITSID_UNLABELED;
892c141e 280 ssec->sid = SECINITSID_UNLABELED;
1da177e4
LT		 281 sk->sk_security = ssec;
282
99f59ed0
PM		 283 selinux_netlbl_sk_security_init(ssec, family);
284
1da177e4
LT		 285 return 0;
286}
287
288static void sk_free_security(struct sock *sk)
289{
290 struct sk_security_struct *ssec = sk->sk_security;
291
1da177e4
LT		 292 sk->sk_security = NULL;
293 kfree(ssec);
294}
1da177e4
LT		 295
296/* The security server must be initialized before
297 any labeling or access decisions can be provided. */
298extern int ss_initialized;
299
300/* The file system's label must be initialized prior to use. */
301
302static char *labeling_behaviors[6] = {
303 "uses xattr",
304 "uses transition SIDs",
305 "uses task SIDs",
306 "uses genfs_contexts",
307 "not configured for labeling",
308 "uses mountpoint labeling",
309};
310
311static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
312
313static inline int inode_doinit(struct inode *inode)
314{
315 return inode_doinit_with_dentry(inode, NULL);
316}
317
318enum {
31e87930 319 Opt_error = -1,
1da177e4
LT		 320 Opt_context = 1,
321 Opt_fscontext = 2,
c9180a57
EP		 322 Opt_defcontext = 3,
323 Opt_rootcontext = 4,
1da177e4
LT		 324};
325
326static match_table_t tokens = {
327 {Opt_context, "context=%s"},
328 {Opt_fscontext, "fscontext=%s"},
329 {Opt_defcontext, "defcontext=%s"},
0808925e 330 {Opt_rootcontext, "rootcontext=%s"},
31e87930 331 {Opt_error, NULL},
1da177e4
LT		 332};
333
334#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
335
c312feb2
EP		 336static int may_context_mount_sb_relabel(u32 sid,
337 struct superblock_security_struct *sbsec,
338 struct task_security_struct *tsec)
339{
340 int rc;
341
342 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
343 FILESYSTEM__RELABELFROM, NULL);
344 if (rc)
345 return rc;
346
347 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
348 FILESYSTEM__RELABELTO, NULL);
349 return rc;
350}
351
0808925e
EP		 352static int may_context_mount_inode_relabel(u32 sid,
353 struct superblock_security_struct *sbsec,
354 struct task_security_struct *tsec)
355{
356 int rc;
357 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358 FILESYSTEM__RELABELFROM, NULL);
359 if (rc)
360 return rc;
361
362 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
363 FILESYSTEM__ASSOCIATE, NULL);
364 return rc;
365}
366
c9180a57 367static int sb_finish_set_opts(struct super_block *sb)
1da177e4 368{
1da177e4 369 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 370 struct dentry *root = sb->s_root;
371 struct inode *root_inode = root->d_inode;
372 int rc = 0;
1da177e4 373
c9180a57
EP		 374 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
375 /* Make sure that the xattr handler exists and that no
376 error other than -ENODATA is returned by getxattr on
377 the root directory. -ENODATA is ok, as this may be
378 the first boot of the SELinux kernel before we have
379 assigned xattr values to the filesystem. */
380 if (!root_inode->i_op->getxattr) {
381 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
382 "xattr support\n", sb->s_id, sb->s_type->name);
383 rc = -EOPNOTSUPP;
384 goto out;
385 }
386 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
387 if (rc < 0 && rc != -ENODATA) {
388 if (rc == -EOPNOTSUPP)
389 printk(KERN_WARNING "SELinux: (dev %s, type "
390 "%s) has no security xattr handler\n",
391 sb->s_id, sb->s_type->name);
392 else
393 printk(KERN_WARNING "SELinux: (dev %s, type "
394 "%s) getxattr errno %d\n", sb->s_id,
395 sb->s_type->name, -rc);
396 goto out;
397 }
398 }
1da177e4 399
c9180a57 400 sbsec->initialized = 1;
1da177e4 401
c9180a57
EP		 402 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
404 sb->s_id, sb->s_type->name);
405 else
406 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
407 sb->s_id, sb->s_type->name,
408 labeling_behaviors[sbsec->behavior-1]);
1da177e4 409
c9180a57
EP		 410 /* Initialize the root inode. */
411 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 412
c9180a57
EP		 413 /* Initialize any other inodes associated with the superblock, e.g.
414 inodes created prior to initial policy load or inodes created
415 during get_sb by a pseudo filesystem that directly
416 populates itself. */
417 spin_lock(&sbsec->isec_lock);
418next_inode:
419 if (!list_empty(&sbsec->isec_head)) {
420 struct inode_security_struct *isec =
421 list_entry(sbsec->isec_head.next,
422 struct inode_security_struct, list);
423 struct inode *inode = isec->inode;
424 spin_unlock(&sbsec->isec_lock);
425 inode = igrab(inode);
426 if (inode) {
427 if (!IS_PRIVATE(inode))
428 inode_doinit(inode);
429 iput(inode);
430 }
431 spin_lock(&sbsec->isec_lock);
432 list_del_init(&isec->list);
433 goto next_inode;
434 }
435 spin_unlock(&sbsec->isec_lock);
436out:
437 return rc;
438}
1da177e4 439
c9180a57
EP		 440/*
441 * This function should allow an FS to ask what it's mount security
442 * options were so it can use those later for submounts, displaying
443 * mount options, or whatever.
444 */
445static int selinux_get_mnt_opts(const struct super_block *sb,
446 char ***mount_options, int **mnt_opts_flags,
447 int *num_opts)
448{
449 int rc = 0, i;
450 struct superblock_security_struct *sbsec = sb->s_security;
451 char *context = NULL;
452 u32 len;
453 char tmp;
1da177e4 454
c9180a57
EP		 455 *num_opts = 0;
456 *mount_options = NULL;
457 *mnt_opts_flags = NULL;
1da177e4 458
c9180a57
EP		 459 if (!sbsec->initialized)
460 return -EINVAL;
1da177e4 461
c9180a57
EP		 462 if (!ss_initialized)
463 return -EINVAL;
1da177e4 464
c9180a57
EP		 465 /*
466 * if we ever use sbsec flags for anything other than tracking mount
467 * settings this is going to need a mask
468 */
469 tmp = sbsec->flags;
470 /* count the number of mount options for this sb */
471 for (i = 0; i < 8; i++) {
472 if (tmp & 0x01)
473 (*num_opts)++;
474 tmp >>= 1;
475 }
1da177e4 476
c9180a57
EP		 477 *mount_options = kcalloc(*num_opts, sizeof(char *), GFP_ATOMIC);
478 if (!*mount_options) {
479 rc = -ENOMEM;
480 goto out_free;
481 }
1da177e4 482
c9180a57
EP		 483 *mnt_opts_flags = kcalloc(*num_opts, sizeof(int), GFP_ATOMIC);
484 if (!*mnt_opts_flags) {
485 rc = -ENOMEM;
486 goto out_free;
487 }
1da177e4 488
c9180a57
EP		 489 i = 0;
490 if (sbsec->flags & FSCONTEXT_MNT) {
491 rc = security_sid_to_context(sbsec->sid, &context, &len);
492 if (rc)
493 goto out_free;
494 (*mount_options)[i] = context;
495 (*mnt_opts_flags)[i++] = FSCONTEXT_MNT;
496 }
497 if (sbsec->flags & CONTEXT_MNT) {
498 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
499 if (rc)
500 goto out_free;
501 (*mount_options)[i] = context;
502 (*mnt_opts_flags)[i++] = CONTEXT_MNT;
503 }
504 if (sbsec->flags & DEFCONTEXT_MNT) {
505 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
506 if (rc)
507 goto out_free;
508 (*mount_options)[i] = context;
509 (*mnt_opts_flags)[i++] = DEFCONTEXT_MNT;
510 }
511 if (sbsec->flags & ROOTCONTEXT_MNT) {
512 struct inode *root = sbsec->sb->s_root->d_inode;
513 struct inode_security_struct *isec = root->i_security;
0808925e 514
c9180a57
EP		 515 rc = security_sid_to_context(isec->sid, &context, &len);
516 if (rc)
517 goto out_free;
518 (*mount_options)[i] = context;
519 (*mnt_opts_flags)[i++] = ROOTCONTEXT_MNT;
520 }
1da177e4 521
c9180a57 522 BUG_ON(i != *num_opts);
1da177e4 523
c9180a57
EP		 524 return 0;
525
526out_free:
527 /* don't leak context string if security_sid_to_context had an error */
528 if (*mount_options && i)
529 for (; i > 0; i--)
530 kfree((*mount_options)[i-1]);
531 kfree(*mount_options);
532 *mount_options = NULL;
533 kfree(*mnt_opts_flags);
534 *mnt_opts_flags = NULL;
535 *num_opts = 0;
536 return rc;
537}
1da177e4 538
c9180a57
EP		 539static int bad_option(struct superblock_security_struct *sbsec, char flag,
540 u32 old_sid, u32 new_sid)
541{
542 /* check if the old mount command had the same options */
543 if (sbsec->initialized)
544 if (!(sbsec->flags & flag) ||
545 (old_sid != new_sid))
546 return 1;
547
548 /* check if we were passed the same options twice,
549 * aka someone passed context=a,context=b
550 */
551 if (!sbsec->initialized)
552 if (sbsec->flags & flag)
553 return 1;
554 return 0;
555}
556/*
557 * Allow filesystems with binary mount data to explicitly set mount point
558 * labeling information.
559 */
374ea019
AB		 560static int selinux_set_mnt_opts(struct super_block *sb, char **mount_options,
561 int *flags, int num_opts)
c9180a57
EP		 562{
563 int rc = 0, i;
564 struct task_security_struct *tsec = current->security;
565 struct superblock_security_struct *sbsec = sb->s_security;
566 const char *name = sb->s_type->name;
567 struct inode *inode = sbsec->sb->s_root->d_inode;
568 struct inode_security_struct *root_isec = inode->i_security;
569 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
570 u32 defcontext_sid = 0;
571
572 mutex_lock(&sbsec->lock);
573
574 if (!ss_initialized) {
575 if (!num_opts) {
576 /* Defer initialization until selinux_complete_init,
577 after the initial policy is loaded and the security
578 server is ready to handle calls. */
579 spin_lock(&sb_security_lock);
580 if (list_empty(&sbsec->list))
581 list_add(&sbsec->list, &superblock_security_head);
582 spin_unlock(&sb_security_lock);
583 goto out;
584 }
585 rc = -EINVAL;
586 printk(KERN_WARNING "Unable to set superblock options before "
587 "the security server is initialized\n");
1da177e4 588 goto out;
c9180a57 589 }
1da177e4 590
c9180a57
EP		 591 /*
592 * parse the mount options, check if they are valid sids.
593 * also check if someone is trying to mount the same sb more
594 * than once with different security options.
595 */
596 for (i = 0; i < num_opts; i++) {
597 u32 sid;
598 rc = security_context_to_sid(mount_options[i],
599 strlen(mount_options[i]), &sid);
1da177e4
LT		 600 if (rc) {
601 printk(KERN_WARNING "SELinux: security_context_to_sid"
602 "(%s) failed for (dev %s, type %s) errno=%d\n",
c9180a57
EP		 603 mount_options[i], sb->s_id, name, rc);
604 goto out;
605 }
606 switch (flags[i]) {
607 case FSCONTEXT_MNT:
608 fscontext_sid = sid;
609
610 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
611 fscontext_sid))
612 goto out_double_mount;
613
614 sbsec->flags |= FSCONTEXT_MNT;
615 break;
616 case CONTEXT_MNT:
617 context_sid = sid;
618
619 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
620 context_sid))
621 goto out_double_mount;
622
623 sbsec->flags |= CONTEXT_MNT;
624 break;
625 case ROOTCONTEXT_MNT:
626 rootcontext_sid = sid;
627
628 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
629 rootcontext_sid))
630 goto out_double_mount;
631
632 sbsec->flags |= ROOTCONTEXT_MNT;
633
634 break;
635 case DEFCONTEXT_MNT:
636 defcontext_sid = sid;
637
638 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
639 defcontext_sid))
640 goto out_double_mount;
641
642 sbsec->flags |= DEFCONTEXT_MNT;
643
644 break;
645 default:
646 rc = -EINVAL;
647 goto out;
1da177e4 648 }
c9180a57
EP		 649 }
650
651 if (sbsec->initialized) {
652 /* previously mounted with options, but not on this attempt? */
653 if (sbsec->flags && !num_opts)
654 goto out_double_mount;
655 rc = 0;
656 goto out;
657 }
658
659 if (strcmp(sb->s_type->name, "proc") == 0)
660 sbsec->proc = 1;
661
662 /* Determine the labeling behavior to use for this filesystem type. */
663 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
664 if (rc) {
665 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
666 __FUNCTION__, sb->s_type->name, rc);
667 goto out;
668 }
1da177e4 669
c9180a57
EP		 670 /* sets the context of the superblock for the fs being mounted. */
671 if (fscontext_sid) {
672
673 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
1da177e4 674 if (rc)
c9180a57 675 goto out;
1da177e4 676
c9180a57 677 sbsec->sid = fscontext_sid;
c312feb2
EP		 678 }
679
680 /*
681 * Switch to using mount point labeling behavior.
682 * sets the label used on all file below the mountpoint, and will set
683 * the superblock context if not already set.
684 */
c9180a57
EP		 685 if (context_sid) {
686 if (!fscontext_sid) {
687 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
b04ea3ce 688 if (rc)
c9180a57
EP		 689 goto out;
690 sbsec->sid = context_sid;
b04ea3ce 691 } else {
c9180a57 692 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
b04ea3ce 693 if (rc)
c9180a57 694 goto out;
b04ea3ce 695 }
c9180a57
EP		 696 if (!rootcontext_sid)
697 rootcontext_sid = context_sid;
1da177e4 698
c9180a57 699 sbsec->mntpoint_sid = context_sid;
c312feb2 700 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 701 }
702
c9180a57
EP		 703 if (rootcontext_sid) {
704 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
0808925e 705 if (rc)
c9180a57 706 goto out;
0808925e 707
c9180a57
EP		 708 root_isec->sid = rootcontext_sid;
709 root_isec->initialized = 1;
0808925e
EP		 710 }
711
c9180a57
EP		 712 if (defcontext_sid) {
713 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
714 rc = -EINVAL;
715 printk(KERN_WARNING "SELinux: defcontext option is "
716 "invalid for this filesystem type\n");
717 goto out;
1da177e4
LT		 718 }
719
c9180a57
EP		 720 if (defcontext_sid != sbsec->def_sid) {
721 rc = may_context_mount_inode_relabel(defcontext_sid,
722 sbsec, tsec);
723 if (rc)
724 goto out;
725 }
1da177e4 726
c9180a57 727 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 728 }
729
c9180a57 730 rc = sb_finish_set_opts(sb);
1da177e4 731out:
c9180a57 732 mutex_unlock(&sbsec->lock);
1da177e4 733 return rc;
c9180a57
EP		 734out_double_mount:
735 rc = -EINVAL;
736 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
737 "security settings for (dev %s, type %s)\n", sb->s_id, name);
738 goto out;
1da177e4
LT		 739}
740
c9180a57
EP		 741static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
742 struct super_block *newsb)
1da177e4 743{
c9180a57
EP		 744 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
745 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 746
c9180a57
EP		 747 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
748 int set_context = (oldsbsec->flags & CONTEXT_MNT);
749 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 750
c9180a57
EP		 751 /* we can't error, we can't save the info, this shouldn't get called
752 * this early in the boot process. */
753 BUG_ON(!ss_initialized);
754
755 /* this might go away sometime down the line if there is a new user
756 * of clone, but for now, nfs better not get here... */
757 BUG_ON(newsbsec->initialized);
758
759 /* how can we clone if the old one wasn't set up?? */
760 BUG_ON(!oldsbsec->initialized);
761
762 mutex_lock(&newsbsec->lock);
763
764 newsbsec->flags = oldsbsec->flags;
765
766 newsbsec->sid = oldsbsec->sid;
767 newsbsec->def_sid = oldsbsec->def_sid;
768 newsbsec->behavior = oldsbsec->behavior;
769
770 if (set_context) {
771 u32 sid = oldsbsec->mntpoint_sid;
772
773 if (!set_fscontext)
774 newsbsec->sid = sid;
775 if (!set_rootcontext) {
776 struct inode *newinode = newsb->s_root->d_inode;
777 struct inode_security_struct *newisec = newinode->i_security;
778 newisec->sid = sid;
779 }
780 newsbsec->mntpoint_sid = sid;
1da177e4 781 }
c9180a57
EP		 782 if (set_rootcontext) {
783 const struct inode *oldinode = oldsb->s_root->d_inode;
784 const struct inode_security_struct *oldisec = oldinode->i_security;
785 struct inode *newinode = newsb->s_root->d_inode;
786 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 787
c9180a57 788 newisec->sid = oldisec->sid;
1da177e4
LT		 789 }
790
c9180a57
EP		 791 sb_finish_set_opts(newsb);
792 mutex_unlock(&newsbsec->lock);
793}
794
795/*
796 * string mount options parsing and call set the sbsec
797 */
798static int superblock_doinit(struct super_block *sb, void *data)
799{
800 char *context = NULL, *defcontext = NULL;
801 char *fscontext = NULL, *rootcontext = NULL;
802 int rc = 0;
803 char *p, *options = data;
804 /* selinux only know about a fixed number of mount options */
805 char *mnt_opts[NUM_SEL_MNT_OPTS];
806 int mnt_opts_flags[NUM_SEL_MNT_OPTS], num_mnt_opts = 0;
807
808 if (!data)
1da177e4
LT		 809 goto out;
810
c9180a57
EP		 811 /* with the nfs patch this will become a goto out; */
812 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
813 const char *name = sb->s_type->name;
814 /* NFS we understand. */
815 if (!strcmp(name, "nfs")) {
816 struct nfs_mount_data *d = data;
817
818 if (d->version != NFS_MOUNT_VERSION)
819 goto out;
820
821 if (d->context[0]) {
822 context = kstrdup(d->context, GFP_KERNEL);
823 if (!context) {
824 rc = -ENOMEM;
825 goto out;
826 }
827 }
828 goto build_flags;
829 } else
1da177e4 830 goto out;
1da177e4
LT		 831 }
832
c9180a57
EP		 833 /* Standard string-based options. */
834 while ((p = strsep(&options, "|")) != NULL) {
835 int token;
836 substring_t args[MAX_OPT_ARGS];
1da177e4 837
c9180a57
EP		 838 if (!*p)
839 continue;
1da177e4 840
c9180a57 841 token = match_token(p, tokens, args);
1da177e4 842
c9180a57
EP		 843 switch (token) {
844 case Opt_context:
845 if (context || defcontext) {
846 rc = -EINVAL;
847 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
848 goto out_err;
849 }
850 context = match_strdup(&args[0]);
851 if (!context) {
852 rc = -ENOMEM;
853 goto out_err;
854 }
855 break;
856
857 case Opt_fscontext:
858 if (fscontext) {
859 rc = -EINVAL;
860 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
861 goto out_err;
862 }
863 fscontext = match_strdup(&args[0]);
864 if (!fscontext) {
865 rc = -ENOMEM;
866 goto out_err;
867 }
868 break;
869
870 case Opt_rootcontext:
871 if (rootcontext) {
872 rc = -EINVAL;
873 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
874 goto out_err;
875 }
876 rootcontext = match_strdup(&args[0]);
877 if (!rootcontext) {
878 rc = -ENOMEM;
879 goto out_err;
880 }
881 break;
882
883 case Opt_defcontext:
884 if (context || defcontext) {
885 rc = -EINVAL;
886 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
887 goto out_err;
888 }
889 defcontext = match_strdup(&args[0]);
890 if (!defcontext) {
891 rc = -ENOMEM;
892 goto out_err;
893 }
894 break;
895
896 default:
897 rc = -EINVAL;
898 printk(KERN_WARNING "SELinux: unknown mount option\n");
899 goto out_err;
1da177e4 900
1da177e4 901 }
1da177e4 902 }
c9180a57
EP		 903
904build_flags:
905 if (fscontext) {
906 mnt_opts[num_mnt_opts] = fscontext;
907 mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
908 }
909 if (context) {
910 mnt_opts[num_mnt_opts] = context;
911 mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
912 }
913 if (rootcontext) {
914 mnt_opts[num_mnt_opts] = rootcontext;
915 mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
916 }
917 if (defcontext) {
918 mnt_opts[num_mnt_opts] = defcontext;
919 mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
920 }
921
1da177e4 922out:
c9180a57
EP		 923 rc = selinux_set_mnt_opts(sb, mnt_opts, mnt_opts_flags, num_mnt_opts);
924out_err:
925 kfree(context);
926 kfree(defcontext);
927 kfree(fscontext);
928 kfree(rootcontext);
1da177e4
LT		 929 return rc;
930}
931
932static inline u16 inode_mode_to_security_class(umode_t mode)
933{
934 switch (mode & S_IFMT) {
935 case S_IFSOCK:
936 return SECCLASS_SOCK_FILE;
937 case S_IFLNK:
938 return SECCLASS_LNK_FILE;
939 case S_IFREG:
940 return SECCLASS_FILE;
941 case S_IFBLK:
942 return SECCLASS_BLK_FILE;
943 case S_IFDIR:
944 return SECCLASS_DIR;
945 case S_IFCHR:
946 return SECCLASS_CHR_FILE;
947 case S_IFIFO:
948 return SECCLASS_FIFO_FILE;
949
950 }
951
952 return SECCLASS_FILE;
953}
954
13402580
JM		 955static inline int default_protocol_stream(int protocol)
956{
957 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
958}
959
960static inline int default_protocol_dgram(int protocol)
961{
962 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
963}
964
1da177e4
LT		 965static inline u16 socket_type_to_security_class(int family, int type, int protocol)
966{
967 switch (family) {
968 case PF_UNIX:
969 switch (type) {
970 case SOCK_STREAM:
971 case SOCK_SEQPACKET:
972 return SECCLASS_UNIX_STREAM_SOCKET;
973 case SOCK_DGRAM:
974 return SECCLASS_UNIX_DGRAM_SOCKET;
975 }
976 break;
977 case PF_INET:
978 case PF_INET6:
979 switch (type) {
980 case SOCK_STREAM:
13402580
JM		 981 if (default_protocol_stream(protocol))
982 return SECCLASS_TCP_SOCKET;
983 else
984 return SECCLASS_RAWIP_SOCKET;
1da177e4 985 case SOCK_DGRAM:
13402580
JM		 986 if (default_protocol_dgram(protocol))
987 return SECCLASS_UDP_SOCKET;
988 else
989 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 990 case SOCK_DCCP:
991 return SECCLASS_DCCP_SOCKET;
13402580 992 default:
1da177e4
LT		 993 return SECCLASS_RAWIP_SOCKET;
994 }
995 break;
996 case PF_NETLINK:
997 switch (protocol) {
998 case NETLINK_ROUTE:
999 return SECCLASS_NETLINK_ROUTE_SOCKET;
1000 case NETLINK_FIREWALL:
1001 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 1002 case NETLINK_INET_DIAG:
1da177e4
LT		 1003 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1004 case NETLINK_NFLOG:
1005 return SECCLASS_NETLINK_NFLOG_SOCKET;
1006 case NETLINK_XFRM:
1007 return SECCLASS_NETLINK_XFRM_SOCKET;
1008 case NETLINK_SELINUX:
1009 return SECCLASS_NETLINK_SELINUX_SOCKET;
1010 case NETLINK_AUDIT:
1011 return SECCLASS_NETLINK_AUDIT_SOCKET;
1012 case NETLINK_IP6_FW:
1013 return SECCLASS_NETLINK_IP6FW_SOCKET;
1014 case NETLINK_DNRTMSG:
1015 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1016 case NETLINK_KOBJECT_UEVENT:
1017 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1018 default:
1019 return SECCLASS_NETLINK_SOCKET;
1020 }
1021 case PF_PACKET:
1022 return SECCLASS_PACKET_SOCKET;
1023 case PF_KEY:
1024 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1025 case PF_APPLETALK:
1026 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1027 }
1028
1029 return SECCLASS_SOCKET;
1030}
1031
1032#ifdef CONFIG_PROC_FS
1033static int selinux_proc_get_sid(struct proc_dir_entry *de,
1034 u16 tclass,
1035 u32 *sid)
1036{
1037 int buflen, rc;
1038 char *buffer, *path, *end;
1039
1040 buffer = (char*)__get_free_page(GFP_KERNEL);
1041 if (!buffer)
1042 return -ENOMEM;
1043
1044 buflen = PAGE_SIZE;
1045 end = buffer+buflen;
1046 *--end = '\0';
1047 buflen--;
1048 path = end-1;
1049 *path = '/';
1050 while (de && de != de->parent) {
1051 buflen -= de->namelen + 1;
1052 if (buflen < 0)
1053 break;
1054 end -= de->namelen;
1055 memcpy(end, de->name, de->namelen);
1056 *--end = '/';
1057 path = end;
1058 de = de->parent;
1059 }
1060 rc = security_genfs_sid("proc", path, tclass, sid);
1061 free_page((unsigned long)buffer);
1062 return rc;
1063}
1064#else
1065static int selinux_proc_get_sid(struct proc_dir_entry *de,
1066 u16 tclass,
1067 u32 *sid)
1068{
1069 return -EINVAL;
1070}
1071#endif
1072
1073/* The inode's security attributes must be initialized before first use. */
1074static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1075{
1076 struct superblock_security_struct *sbsec = NULL;
1077 struct inode_security_struct *isec = inode->i_security;
1078 u32 sid;
1079 struct dentry *dentry;
1080#define INITCONTEXTLEN 255
1081 char *context = NULL;
1082 unsigned len = 0;
1083 int rc = 0;
1da177e4
LT		 1084
1085 if (isec->initialized)
1086 goto out;
1087
23970741 1088 mutex_lock(&isec->lock);
1da177e4 1089 if (isec->initialized)
23970741 1090 goto out_unlock;
1da177e4
LT		 1091
1092 sbsec = inode->i_sb->s_security;
1093 if (!sbsec->initialized) {
1094 /* Defer initialization until selinux_complete_init,
1095 after the initial policy is loaded and the security
1096 server is ready to handle calls. */
1097 spin_lock(&sbsec->isec_lock);
1098 if (list_empty(&isec->list))
1099 list_add(&isec->list, &sbsec->isec_head);
1100 spin_unlock(&sbsec->isec_lock);
23970741 1101 goto out_unlock;
1da177e4
LT		 1102 }
1103
1104 switch (sbsec->behavior) {
1105 case SECURITY_FS_USE_XATTR:
1106 if (!inode->i_op->getxattr) {
1107 isec->sid = sbsec->def_sid;
1108 break;
1109 }
1110
1111 /* Need a dentry, since the xattr API requires one.
1112 Life would be simpler if we could just pass the inode. */
1113 if (opt_dentry) {
1114 /* Called from d_instantiate or d_splice_alias. */
1115 dentry = dget(opt_dentry);
1116 } else {
1117 /* Called from selinux_complete_init, try to find a dentry. */
1118 dentry = d_find_alias(inode);
1119 }
1120 if (!dentry) {
1121 printk(KERN_WARNING "%s: no dentry for dev=%s "
1122 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1123 inode->i_ino);
23970741 1124 goto out_unlock;
1da177e4
LT		 1125 }
1126
1127 len = INITCONTEXTLEN;
1128 context = kmalloc(len, GFP_KERNEL);
1129 if (!context) {
1130 rc = -ENOMEM;
1131 dput(dentry);
23970741 1132 goto out_unlock;
1da177e4
LT		 1133 }
1134 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1135 context, len);
1136 if (rc == -ERANGE) {
1137 /* Need a larger buffer. Query for the right size. */
1138 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1139 NULL, 0);
1140 if (rc < 0) {
1141 dput(dentry);
23970741 1142 goto out_unlock;
1da177e4
LT		 1143 }
1144 kfree(context);
1145 len = rc;
1146 context = kmalloc(len, GFP_KERNEL);
1147 if (!context) {
1148 rc = -ENOMEM;
1149 dput(dentry);
23970741 1150 goto out_unlock;
1da177e4
LT		 1151 }
1152 rc = inode->i_op->getxattr(dentry,
1153 XATTR_NAME_SELINUX,
1154 context, len);
1155 }
1156 dput(dentry);
1157 if (rc < 0) {
1158 if (rc != -ENODATA) {
1159 printk(KERN_WARNING "%s: getxattr returned "
1160 "%d for dev=%s ino=%ld\n", __FUNCTION__,
1161 -rc, inode->i_sb->s_id, inode->i_ino);
1162 kfree(context);
23970741 1163 goto out_unlock;
1da177e4
LT		 1164 }
1165 /* Map ENODATA to the default file SID */
1166 sid = sbsec->def_sid;
1167 rc = 0;
1168 } else {
f5c1d5b2
JM		 1169 rc = security_context_to_sid_default(context, rc, &sid,
1170 sbsec->def_sid);
1da177e4
LT		 1171 if (rc) {
1172 printk(KERN_WARNING "%s: context_to_sid(%s) "
1173 "returned %d for dev=%s ino=%ld\n",
1174 __FUNCTION__, context, -rc,
1175 inode->i_sb->s_id, inode->i_ino);
1176 kfree(context);
1177 /* Leave with the unlabeled SID */
1178 rc = 0;
1179 break;
1180 }
1181 }
1182 kfree(context);
1183 isec->sid = sid;
1184 break;
1185 case SECURITY_FS_USE_TASK:
1186 isec->sid = isec->task_sid;
1187 break;
1188 case SECURITY_FS_USE_TRANS:
1189 /* Default to the fs SID. */
1190 isec->sid = sbsec->sid;
1191
1192 /* Try to obtain a transition SID. */
1193 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1194 rc = security_transition_sid(isec->task_sid,
1195 sbsec->sid,
1196 isec->sclass,
1197 &sid);
1198 if (rc)
23970741 1199 goto out_unlock;
1da177e4
LT		 1200 isec->sid = sid;
1201 break;
c312feb2
EP		 1202 case SECURITY_FS_USE_MNTPOINT:
1203 isec->sid = sbsec->mntpoint_sid;
1204 break;
1da177e4 1205 default:
c312feb2 1206 /* Default to the fs superblock SID. */
1da177e4
LT		 1207 isec->sid = sbsec->sid;
1208
1209 if (sbsec->proc) {
1210 struct proc_inode *proci = PROC_I(inode);
1211 if (proci->pde) {
1212 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1213 rc = selinux_proc_get_sid(proci->pde,
1214 isec->sclass,
1215 &sid);
1216 if (rc)
23970741 1217 goto out_unlock;
1da177e4
LT		 1218 isec->sid = sid;
1219 }
1220 }
1221 break;
1222 }
1223
1224 isec->initialized = 1;
1225
23970741
EP		 1226out_unlock:
1227 mutex_unlock(&isec->lock);
1da177e4
LT		 1228out:
1229 if (isec->sclass == SECCLASS_FILE)
1230 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1231 return rc;
1232}
1233
1234/* Convert a Linux signal to an access vector. */
1235static inline u32 signal_to_av(int sig)
1236{
1237 u32 perm = 0;
1238
1239 switch (sig) {
1240 case SIGCHLD:
1241 /* Commonly granted from child to parent. */
1242 perm = PROCESS__SIGCHLD;
1243 break;
1244 case SIGKILL:
1245 /* Cannot be caught or ignored */
1246 perm = PROCESS__SIGKILL;
1247 break;
1248 case SIGSTOP:
1249 /* Cannot be caught or ignored */
1250 perm = PROCESS__SIGSTOP;
1251 break;
1252 default:
1253 /* All other signals. */
1254 perm = PROCESS__SIGNAL;
1255 break;
1256 }
1257
1258 return perm;
1259}
1260
1261/* Check permission betweeen a pair of tasks, e.g. signal checks,
1262 fork check, ptrace check, etc. */
1263static int task_has_perm(struct task_struct *tsk1,
1264 struct task_struct *tsk2,
1265 u32 perms)
1266{
1267 struct task_security_struct *tsec1, *tsec2;
1268
1269 tsec1 = tsk1->security;
1270 tsec2 = tsk2->security;
1271 return avc_has_perm(tsec1->sid, tsec2->sid,
1272 SECCLASS_PROCESS, perms, NULL);
1273}
1274
1275/* Check whether a task is allowed to use a capability. */
1276static int task_has_capability(struct task_struct *tsk,
1277 int cap)
1278{
1279 struct task_security_struct *tsec;
1280 struct avc_audit_data ad;
1281
1282 tsec = tsk->security;
1283
1284 AVC_AUDIT_DATA_INIT(&ad,CAP);
1285 ad.tsk = tsk;
1286 ad.u.cap = cap;
1287
1288 return avc_has_perm(tsec->sid, tsec->sid,
1289 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1290}
1291
1292/* Check whether a task is allowed to use a system operation. */
1293static int task_has_system(struct task_struct *tsk,
1294 u32 perms)
1295{
1296 struct task_security_struct *tsec;
1297
1298 tsec = tsk->security;
1299
1300 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1301 SECCLASS_SYSTEM, perms, NULL);
1302}
1303
1304/* Check whether a task has a particular permission to an inode.
1305 The 'adp' parameter is optional and allows other audit
1306 data to be passed (e.g. the dentry). */
1307static int inode_has_perm(struct task_struct *tsk,
1308 struct inode *inode,
1309 u32 perms,
1310 struct avc_audit_data *adp)
1311{
1312 struct task_security_struct *tsec;
1313 struct inode_security_struct *isec;
1314 struct avc_audit_data ad;
1315
bbaca6c2
SS		 1316 if (unlikely (IS_PRIVATE (inode)))
1317 return 0;
1318
1da177e4
LT		 1319 tsec = tsk->security;
1320 isec = inode->i_security;
1321
1322 if (!adp) {
1323 adp = &ad;
1324 AVC_AUDIT_DATA_INIT(&ad, FS);
1325 ad.u.fs.inode = inode;
1326 }
1327
1328 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1329}
1330
1331/* Same as inode_has_perm, but pass explicit audit data containing
1332 the dentry to help the auditing code to more easily generate the
1333 pathname if needed. */
1334static inline int dentry_has_perm(struct task_struct *tsk,
1335 struct vfsmount *mnt,
1336 struct dentry *dentry,
1337 u32 av)
1338{
1339 struct inode *inode = dentry->d_inode;
1340 struct avc_audit_data ad;
1341 AVC_AUDIT_DATA_INIT(&ad,FS);
1342 ad.u.fs.mnt = mnt;
1343 ad.u.fs.dentry = dentry;
1344 return inode_has_perm(tsk, inode, av, &ad);
1345}
1346
1347/* Check whether a task can use an open file descriptor to
1348 access an inode in a given way. Check access to the
1349 descriptor itself, and then use dentry_has_perm to
1350 check a particular permission to the file.
1351 Access to the descriptor is implicitly granted if it
1352 has the same SID as the process. If av is zero, then
1353 access to the file is not checked, e.g. for cases
1354 where only the descriptor is affected like seek. */
858119e1 1355static int file_has_perm(struct task_struct *tsk,
1da177e4
LT		 1356 struct file *file,
1357 u32 av)
1358{
1359 struct task_security_struct *tsec = tsk->security;
1360 struct file_security_struct *fsec = file->f_security;
3d5ff529
JS		 1361 struct vfsmount *mnt = file->f_path.mnt;
1362 struct dentry *dentry = file->f_path.dentry;
1da177e4
LT		 1363 struct inode *inode = dentry->d_inode;
1364 struct avc_audit_data ad;
1365 int rc;
1366
1367 AVC_AUDIT_DATA_INIT(&ad, FS);
1368 ad.u.fs.mnt = mnt;
1369 ad.u.fs.dentry = dentry;
1370
1371 if (tsec->sid != fsec->sid) {
1372 rc = avc_has_perm(tsec->sid, fsec->sid,
1373 SECCLASS_FD,
1374 FD__USE,
1375 &ad);
1376 if (rc)
1377 return rc;
1378 }
1379
1380 /* av is zero if only checking access to the descriptor. */
1381 if (av)
1382 return inode_has_perm(tsk, inode, av, &ad);
1383
1384 return 0;
1385}
1386
1387/* Check whether a task can create a file. */
1388static int may_create(struct inode *dir,
1389 struct dentry *dentry,
1390 u16 tclass)
1391{
1392 struct task_security_struct *tsec;
1393 struct inode_security_struct *dsec;
1394 struct superblock_security_struct *sbsec;
1395 u32 newsid;
1396 struct avc_audit_data ad;
1397 int rc;
1398
1399 tsec = current->security;
1400 dsec = dir->i_security;
1401 sbsec = dir->i_sb->s_security;
1402
1403 AVC_AUDIT_DATA_INIT(&ad, FS);
1404 ad.u.fs.dentry = dentry;
1405
1406 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1407 DIR__ADD_NAME | DIR__SEARCH,
1408 &ad);
1409 if (rc)
1410 return rc;
1411
1412 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1413 newsid = tsec->create_sid;
1414 } else {
1415 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1416 &newsid);
1417 if (rc)
1418 return rc;
1419 }
1420
1421 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1422 if (rc)
1423 return rc;
1424
1425 return avc_has_perm(newsid, sbsec->sid,
1426 SECCLASS_FILESYSTEM,
1427 FILESYSTEM__ASSOCIATE, &ad);
1428}
1429
4eb582cf
ML		 1430/* Check whether a task can create a key. */
1431static int may_create_key(u32 ksid,
1432 struct task_struct *ctx)
1433{
1434 struct task_security_struct *tsec;
1435
1436 tsec = ctx->security;
1437
1438 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1439}
1440
1da177e4
LT		 1441#define MAY_LINK 0
1442#define MAY_UNLINK 1
1443#define MAY_RMDIR 2
1444
1445/* Check whether a task can link, unlink, or rmdir a file/directory. */
1446static int may_link(struct inode *dir,
1447 struct dentry *dentry,
1448 int kind)
1449
1450{
1451 struct task_security_struct *tsec;
1452 struct inode_security_struct *dsec, *isec;
1453 struct avc_audit_data ad;
1454 u32 av;
1455 int rc;
1456
1457 tsec = current->security;
1458 dsec = dir->i_security;
1459 isec = dentry->d_inode->i_security;
1460
1461 AVC_AUDIT_DATA_INIT(&ad, FS);
1462 ad.u.fs.dentry = dentry;
1463
1464 av = DIR__SEARCH;
1465 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1466 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1467 if (rc)
1468 return rc;
1469
1470 switch (kind) {
1471 case MAY_LINK:
1472 av = FILE__LINK;
1473 break;
1474 case MAY_UNLINK:
1475 av = FILE__UNLINK;
1476 break;
1477 case MAY_RMDIR:
1478 av = DIR__RMDIR;
1479 break;
1480 default:
1481 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1482 return 0;
1483 }
1484
1485 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1486 return rc;
1487}
1488
1489static inline int may_rename(struct inode *old_dir,
1490 struct dentry *old_dentry,
1491 struct inode *new_dir,
1492 struct dentry *new_dentry)
1493{
1494 struct task_security_struct *tsec;
1495 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1496 struct avc_audit_data ad;
1497 u32 av;
1498 int old_is_dir, new_is_dir;
1499 int rc;
1500
1501 tsec = current->security;
1502 old_dsec = old_dir->i_security;
1503 old_isec = old_dentry->d_inode->i_security;
1504 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1505 new_dsec = new_dir->i_security;
1506
1507 AVC_AUDIT_DATA_INIT(&ad, FS);
1508
1509 ad.u.fs.dentry = old_dentry;
1510 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1511 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1512 if (rc)
1513 return rc;
1514 rc = avc_has_perm(tsec->sid, old_isec->sid,
1515 old_isec->sclass, FILE__RENAME, &ad);
1516 if (rc)
1517 return rc;
1518 if (old_is_dir && new_dir != old_dir) {
1519 rc = avc_has_perm(tsec->sid, old_isec->sid,
1520 old_isec->sclass, DIR__REPARENT, &ad);
1521 if (rc)
1522 return rc;
1523 }
1524
1525 ad.u.fs.dentry = new_dentry;
1526 av = DIR__ADD_NAME | DIR__SEARCH;
1527 if (new_dentry->d_inode)
1528 av |= DIR__REMOVE_NAME;
1529 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1530 if (rc)
1531 return rc;
1532 if (new_dentry->d_inode) {
1533 new_isec = new_dentry->d_inode->i_security;
1534 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1535 rc = avc_has_perm(tsec->sid, new_isec->sid,
1536 new_isec->sclass,
1537 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1538 if (rc)
1539 return rc;
1540 }
1541
1542 return 0;
1543}
1544
1545/* Check whether a task can perform a filesystem operation. */
1546static int superblock_has_perm(struct task_struct *tsk,
1547 struct super_block *sb,
1548 u32 perms,
1549 struct avc_audit_data *ad)
1550{
1551 struct task_security_struct *tsec;
1552 struct superblock_security_struct *sbsec;
1553
1554 tsec = tsk->security;
1555 sbsec = sb->s_security;
1556 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1557 perms, ad);
1558}
1559
1560/* Convert a Linux mode and permission mask to an access vector. */
1561static inline u32 file_mask_to_av(int mode, int mask)
1562{
1563 u32 av = 0;
1564
1565 if ((mode & S_IFMT) != S_IFDIR) {
1566 if (mask & MAY_EXEC)
1567 av |= FILE__EXECUTE;
1568 if (mask & MAY_READ)
1569 av |= FILE__READ;
1570
1571 if (mask & MAY_APPEND)
1572 av |= FILE__APPEND;
1573 else if (mask & MAY_WRITE)
1574 av |= FILE__WRITE;
1575
1576 } else {
1577 if (mask & MAY_EXEC)
1578 av |= DIR__SEARCH;
1579 if (mask & MAY_WRITE)
1580 av |= DIR__WRITE;
1581 if (mask & MAY_READ)
1582 av |= DIR__READ;
1583 }
1584
1585 return av;
1586}
1587
1588/* Convert a Linux file to an access vector. */
1589static inline u32 file_to_av(struct file *file)
1590{
1591 u32 av = 0;
1592
1593 if (file->f_mode & FMODE_READ)
1594 av |= FILE__READ;
1595 if (file->f_mode & FMODE_WRITE) {
1596 if (file->f_flags & O_APPEND)
1597 av |= FILE__APPEND;
1598 else
1599 av |= FILE__WRITE;
1600 }
1601
1602 return av;
1603}
1604
1da177e4
LT		 1605/* Hook functions begin here. */
1606
1607static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1608{
1609 struct task_security_struct *psec = parent->security;
1610 struct task_security_struct *csec = child->security;
1611 int rc;
1612
1613 rc = secondary_ops->ptrace(parent,child);
1614 if (rc)
1615 return rc;
1616
1617 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1618 /* Save the SID of the tracing process for later use in apply_creds. */
341c2d80 1619 if (!(child->ptrace & PT_PTRACED) && !rc)
1da177e4
LT		 1620 csec->ptrace_sid = psec->sid;
1621 return rc;
1622}
1623
1624static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1625 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1626{
1627 int error;
1628
1629 error = task_has_perm(current, target, PROCESS__GETCAP);
1630 if (error)
1631 return error;
1632
1633 return secondary_ops->capget(target, effective, inheritable, permitted);
1634}
1635
1636static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1637 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1638{
1639 int error;
1640
1641 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1642 if (error)
1643 return error;
1644
1645 return task_has_perm(current, target, PROCESS__SETCAP);
1646}
1647
1648static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1649 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1650{
1651 secondary_ops->capset_set(target, effective, inheritable, permitted);
1652}
1653
1654static int selinux_capable(struct task_struct *tsk, int cap)
1655{
1656 int rc;
1657
1658 rc = secondary_ops->capable(tsk, cap);
1659 if (rc)
1660 return rc;
1661
1662 return task_has_capability(tsk,cap);
1663}
1664
3fbfa981
EB		 1665static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1666{
1667 int buflen, rc;
1668 char *buffer, *path, *end;
1669
1670 rc = -ENOMEM;
1671 buffer = (char*)__get_free_page(GFP_KERNEL);
1672 if (!buffer)
1673 goto out;
1674
1675 buflen = PAGE_SIZE;
1676 end = buffer+buflen;
1677 *--end = '\0';
1678 buflen--;
1679 path = end-1;
1680 *path = '/';
1681 while (table) {
1682 const char *name = table->procname;
1683 size_t namelen = strlen(name);
1684 buflen -= namelen + 1;
1685 if (buflen < 0)
1686 goto out_free;
1687 end -= namelen;
1688 memcpy(end, name, namelen);
1689 *--end = '/';
1690 path = end;
1691 table = table->parent;
1692 }
b599fdfd
EB		 1693 buflen -= 4;
1694 if (buflen < 0)
1695 goto out_free;
1696 end -= 4;
1697 memcpy(end, "/sys", 4);
1698 path = end;
3fbfa981
EB		 1699 rc = security_genfs_sid("proc", path, tclass, sid);
1700out_free:
1701 free_page((unsigned long)buffer);
1702out:
1703 return rc;
1704}
1705
1da177e4
LT		 1706static int selinux_sysctl(ctl_table *table, int op)
1707{
1708 int error = 0;
1709 u32 av;
1710 struct task_security_struct *tsec;
1711 u32 tsid;
1712 int rc;
1713
1714 rc = secondary_ops->sysctl(table, op);
1715 if (rc)
1716 return rc;
1717
1718 tsec = current->security;
1719
3fbfa981
EB		 1720 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1721 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1da177e4
LT		 1722 if (rc) {
1723 /* Default to the well-defined sysctl SID. */
1724 tsid = SECINITSID_SYSCTL;
1725 }
1726
1727 /* The op values are "defined" in sysctl.c, thereby creating
1728 * a bad coupling between this module and sysctl.c */
1729 if(op == 001) {
1730 error = avc_has_perm(tsec->sid, tsid,
1731 SECCLASS_DIR, DIR__SEARCH, NULL);
1732 } else {
1733 av = 0;
1734 if (op & 004)
1735 av |= FILE__READ;
1736 if (op & 002)
1737 av |= FILE__WRITE;
1738 if (av)
1739 error = avc_has_perm(tsec->sid, tsid,
1740 SECCLASS_FILE, av, NULL);
1741 }
1742
1743 return error;
1744}
1745
1746static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1747{
1748 int rc = 0;
1749
1750 if (!sb)
1751 return 0;
1752
1753 switch (cmds) {
1754 case Q_SYNC:
1755 case Q_QUOTAON:
1756 case Q_QUOTAOFF:
1757 case Q_SETINFO:
1758 case Q_SETQUOTA:
1759 rc = superblock_has_perm(current,
1760 sb,
1761 FILESYSTEM__QUOTAMOD, NULL);
1762 break;
1763 case Q_GETFMT:
1764 case Q_GETINFO:
1765 case Q_GETQUOTA:
1766 rc = superblock_has_perm(current,
1767 sb,
1768 FILESYSTEM__QUOTAGET, NULL);
1769 break;
1770 default:
1771 rc = 0; /* let the kernel handle invalid cmds */
1772 break;
1773 }
1774 return rc;
1775}
1776
1777static int selinux_quota_on(struct dentry *dentry)
1778{
1779 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1780}
1781
1782static int selinux_syslog(int type)
1783{
1784 int rc;
1785
1786 rc = secondary_ops->syslog(type);
1787 if (rc)
1788 return rc;
1789
1790 switch (type) {
1791 case 3: /* Read last kernel messages */
1792 case 10: /* Return size of the log buffer */
1793 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1794 break;
1795 case 6: /* Disable logging to console */
1796 case 7: /* Enable logging to console */
1797 case 8: /* Set level of messages printed to console */
1798 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1799 break;
1800 case 0: /* Close log */
1801 case 1: /* Open log */
1802 case 2: /* Read from log */
1803 case 4: /* Read/clear last kernel messages */
1804 case 5: /* Clear ring buffer */
1805 default:
1806 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1807 break;
1808 }
1809 return rc;
1810}
1811
1812/*
1813 * Check that a process has enough memory to allocate a new virtual
1814 * mapping. 0 means there is enough memory for the allocation to
1815 * succeed and -ENOMEM implies there is not.
1816 *
1817 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1818 * if the capability is granted, but __vm_enough_memory requires 1 if
1819 * the capability is granted.
1820 *
1821 * Do not audit the selinux permission check, as this is applied to all
1822 * processes that allocate mappings.
1823 */
34b4e4aa 1824static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 1825{
1826 int rc, cap_sys_admin = 0;
1827 struct task_security_struct *tsec = current->security;
1828
1829 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1830 if (rc == 0)
1831 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2c3c05db
SS		 1832 SECCLASS_CAPABILITY,
1833 CAP_TO_MASK(CAP_SYS_ADMIN),
1834 0,
1835 NULL);
1da177e4
LT		 1836
1837 if (rc == 0)
1838 cap_sys_admin = 1;
1839
34b4e4aa 1840 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 1841}
1842
1843/* binprm security operations */
1844
1845static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1846{
1847 struct bprm_security_struct *bsec;
1848
89d155ef 1849 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1da177e4
LT		 1850 if (!bsec)
1851 return -ENOMEM;
1852
1da177e4
LT		 1853 bsec->bprm = bprm;
1854 bsec->sid = SECINITSID_UNLABELED;
1855 bsec->set = 0;
1856
1857 bprm->security = bsec;
1858 return 0;
1859}
1860
1861static int selinux_bprm_set_security(struct linux_binprm *bprm)
1862{
1863 struct task_security_struct *tsec;
3d5ff529 1864 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1da177e4
LT		 1865 struct inode_security_struct *isec;
1866 struct bprm_security_struct *bsec;
1867 u32 newsid;
1868 struct avc_audit_data ad;
1869 int rc;
1870
1871 rc = secondary_ops->bprm_set_security(bprm);
1872 if (rc)
1873 return rc;
1874
1875 bsec = bprm->security;
1876
1877 if (bsec->set)
1878 return 0;
1879
1880 tsec = current->security;
1881 isec = inode->i_security;
1882
1883 /* Default to the current task SID. */
1884 bsec->sid = tsec->sid;
1885
28eba5bf 1886 /* Reset fs, key, and sock SIDs on execve. */
1da177e4 1887 tsec->create_sid = 0;
28eba5bf 1888 tsec->keycreate_sid = 0;
42c3e03e 1889 tsec->sockcreate_sid = 0;
1da177e4
LT		 1890
1891 if (tsec->exec_sid) {
1892 newsid = tsec->exec_sid;
1893 /* Reset exec SID on execve. */
1894 tsec->exec_sid = 0;
1895 } else {
1896 /* Check for a default transition on this program. */
1897 rc = security_transition_sid(tsec->sid, isec->sid,
1898 SECCLASS_PROCESS, &newsid);
1899 if (rc)
1900 return rc;
1901 }
1902
1903 AVC_AUDIT_DATA_INIT(&ad, FS);
3d5ff529
JS		 1904 ad.u.fs.mnt = bprm->file->f_path.mnt;
1905 ad.u.fs.dentry = bprm->file->f_path.dentry;
1da177e4 1906
3d5ff529 1907 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1da177e4
LT		 1908 newsid = tsec->sid;
1909
1910 if (tsec->sid == newsid) {
1911 rc = avc_has_perm(tsec->sid, isec->sid,
1912 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1913 if (rc)
1914 return rc;
1915 } else {
1916 /* Check permissions for the transition. */
1917 rc = avc_has_perm(tsec->sid, newsid,
1918 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1919 if (rc)
1920 return rc;
1921
1922 rc = avc_has_perm(newsid, isec->sid,
1923 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1924 if (rc)
1925 return rc;
1926
1927 /* Clear any possibly unsafe personality bits on exec: */
1928 current->personality &= ~PER_CLEAR_ON_SETID;
1929
1930 /* Set the security field to the new SID. */
1931 bsec->sid = newsid;
1932 }
1933
1934 bsec->set = 1;
1935 return 0;
1936}
1937
1938static int selinux_bprm_check_security (struct linux_binprm *bprm)
1939{
1940 return secondary_ops->bprm_check_security(bprm);
1941}
1942
1943
1944static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1945{
1946 struct task_security_struct *tsec = current->security;
1947 int atsecure = 0;
1948
1949 if (tsec->osid != tsec->sid) {
1950 /* Enable secure mode for SIDs transitions unless
1951 the noatsecure permission is granted between
1952 the two SIDs, i.e. ahp returns 0. */
1953 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1954 SECCLASS_PROCESS,
1955 PROCESS__NOATSECURE, NULL);
1956 }
1957
1958 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1959}
1960
1961static void selinux_bprm_free_security(struct linux_binprm *bprm)
1962{
9a5f04bf 1963 kfree(bprm->security);
1da177e4 1964 bprm->security = NULL;
1da177e4
LT		 1965}
1966
1967extern struct vfsmount *selinuxfs_mount;
1968extern struct dentry *selinux_null;
1969
1970/* Derived from fs/exec.c:flush_old_files. */
1971static inline void flush_unauthorized_files(struct files_struct * files)
1972{
1973 struct avc_audit_data ad;
1974 struct file *file, *devnull = NULL;
b20c8122 1975 struct tty_struct *tty;
badf1662 1976 struct fdtable *fdt;
1da177e4 1977 long j = -1;
24ec839c 1978 int drop_tty = 0;
1da177e4 1979
b20c8122 1980 mutex_lock(&tty_mutex);
24ec839c 1981 tty = get_current_tty();
1da177e4
LT		 1982 if (tty) {
1983 file_list_lock();
2f512016 1984 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1da177e4
LT		 1985 if (file) {
1986 /* Revalidate access to controlling tty.
1987 Use inode_has_perm on the tty inode directly rather
1988 than using file_has_perm, as this particular open
1989 file may belong to another process and we are only
1990 interested in the inode-based check here. */
3d5ff529 1991 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 1992 if (inode_has_perm(current, inode,
1993 FILE__READ | FILE__WRITE, NULL)) {
24ec839c 1994 drop_tty = 1;
1da177e4
LT		 1995 }
1996 }
1997 file_list_unlock();
1998 }
b20c8122 1999 mutex_unlock(&tty_mutex);
98a27ba4
EB		 2000 /* Reset controlling tty. */
2001 if (drop_tty)
2002 no_tty();
1da177e4
LT		 2003
2004 /* Revalidate access to inherited open files. */
2005
2006 AVC_AUDIT_DATA_INIT(&ad,FS);
2007
2008 spin_lock(&files->file_lock);
2009 for (;;) {
2010 unsigned long set, i;
2011 int fd;
2012
2013 j++;
2014 i = j * __NFDBITS;
badf1662 2015 fdt = files_fdtable(files);
bbea9f69 2016 if (i >= fdt->max_fds)
1da177e4 2017 break;
badf1662 2018 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 2019 if (!set)
2020 continue;
2021 spin_unlock(&files->file_lock);
2022 for ( ; set ; i++,set >>= 1) {
2023 if (set & 1) {
2024 file = fget(i);
2025 if (!file)
2026 continue;
2027 if (file_has_perm(current,
2028 file,
2029 file_to_av(file))) {
2030 sys_close(i);
2031 fd = get_unused_fd();
2032 if (fd != i) {
2033 if (fd >= 0)
2034 put_unused_fd(fd);
2035 fput(file);
2036 continue;
2037 }
2038 if (devnull) {
095975da 2039 get_file(devnull);
1da177e4
LT		 2040 } else {
2041 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
fc5d81e6
AM		 2042 if (IS_ERR(devnull)) {
2043 devnull = NULL;
1da177e4
LT		 2044 put_unused_fd(fd);
2045 fput(file);
2046 continue;
2047 }
2048 }
2049 fd_install(fd, devnull);
2050 }
2051 fput(file);
2052 }
2053 }
2054 spin_lock(&files->file_lock);
2055
2056 }
2057 spin_unlock(&files->file_lock);
2058}
2059
2060static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2061{
2062 struct task_security_struct *tsec;
2063 struct bprm_security_struct *bsec;
2064 u32 sid;
2065 int rc;
2066
2067 secondary_ops->bprm_apply_creds(bprm, unsafe);
2068
2069 tsec = current->security;
2070
2071 bsec = bprm->security;
2072 sid = bsec->sid;
2073
2074 tsec->osid = tsec->sid;
2075 bsec->unsafe = 0;
2076 if (tsec->sid != sid) {
2077 /* Check for shared state. If not ok, leave SID
2078 unchanged and kill. */
2079 if (unsafe & LSM_UNSAFE_SHARE) {
2080 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2081 PROCESS__SHARE, NULL);
2082 if (rc) {
2083 bsec->unsafe = 1;
2084 return;
2085 }
2086 }
2087
2088 /* Check for ptracing, and update the task SID if ok.
2089 Otherwise, leave SID unchanged and kill. */
2090 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2091 rc = avc_has_perm(tsec->ptrace_sid, sid,
2092 SECCLASS_PROCESS, PROCESS__PTRACE,
2093 NULL);
2094 if (rc) {
2095 bsec->unsafe = 1;
2096 return;
2097 }
2098 }
2099 tsec->sid = sid;
2100 }
2101}
2102
2103/*
2104 * called after apply_creds without the task lock held
2105 */
2106static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2107{
2108 struct task_security_struct *tsec;
2109 struct rlimit *rlim, *initrlim;
2110 struct itimerval itimer;
2111 struct bprm_security_struct *bsec;
2112 int rc, i;
2113
2114 tsec = current->security;
2115 bsec = bprm->security;
2116
2117 if (bsec->unsafe) {
2118 force_sig_specific(SIGKILL, current);
2119 return;
2120 }
2121 if (tsec->osid == tsec->sid)
2122 return;
2123
2124 /* Close files for which the new task SID is not authorized. */
2125 flush_unauthorized_files(current->files);
2126
2127 /* Check whether the new SID can inherit signal state
2128 from the old SID. If not, clear itimers to avoid
2129 subsequent signal generation and flush and unblock
2130 signals. This must occur _after_ the task SID has
2131 been updated so that any kill done after the flush
2132 will be checked against the new SID. */
2133 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2134 PROCESS__SIGINH, NULL);
2135 if (rc) {
2136 memset(&itimer, 0, sizeof itimer);
2137 for (i = 0; i < 3; i++)
2138 do_setitimer(i, &itimer, NULL);
2139 flush_signals(current);
2140 spin_lock_irq(&current->sighand->siglock);
2141 flush_signal_handlers(current, 1);
2142 sigemptyset(&current->blocked);
2143 recalc_sigpending();
2144 spin_unlock_irq(&current->sighand->siglock);
2145 }
2146
4ac212ad
SS		 2147 /* Always clear parent death signal on SID transitions. */
2148 current->pdeath_signal = 0;
2149
1da177e4
LT		 2150 /* Check whether the new SID can inherit resource limits
2151 from the old SID. If not, reset all soft limits to
2152 the lower of the current task's hard limit and the init
2153 task's soft limit. Note that the setting of hard limits
2154 (even to lower them) can be controlled by the setrlimit
2155 check. The inclusion of the init task's soft limit into
2156 the computation is to avoid resetting soft limits higher
2157 than the default soft limit for cases where the default
2158 is lower than the hard limit, e.g. RLIMIT_CORE or
2159 RLIMIT_STACK.*/
2160 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2161 PROCESS__RLIMITINH, NULL);
2162 if (rc) {
2163 for (i = 0; i < RLIM_NLIMITS; i++) {
2164 rlim = current->signal->rlim + i;
2165 initrlim = init_task.signal->rlim+i;
2166 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2167 }
2168 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2169 /*
2170 * This will cause RLIMIT_CPU calculations
2171 * to be refigured.
2172 */
2173 current->it_prof_expires = jiffies_to_cputime(1);
2174 }
2175 }
2176
2177 /* Wake up the parent if it is waiting so that it can
2178 recheck wait permission to the new task SID. */
2179 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2180}
2181
2182/* superblock security operations */
2183
2184static int selinux_sb_alloc_security(struct super_block *sb)
2185{
2186 return superblock_alloc_security(sb);
2187}
2188
2189static void selinux_sb_free_security(struct super_block *sb)
2190{
2191 superblock_free_security(sb);
2192}
2193
2194static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2195{
2196 if (plen > olen)
2197 return 0;
2198
2199 return !memcmp(prefix, option, plen);
2200}
2201
2202static inline int selinux_option(char *option, int len)
2203{
2204 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2205 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
0808925e
EP		 2206 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2207 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
1da177e4
LT		 2208}
2209
2210static inline void take_option(char **to, char *from, int *first, int len)
2211{
2212 if (!*first) {
2213 **to = ',';
2214 *to += 1;
3528a953 2215 } else
1da177e4
LT		 2216 *first = 0;
2217 memcpy(*to, from, len);
2218 *to += len;
2219}
2220
3528a953
CO		 2221static inline void take_selinux_option(char **to, char *from, int *first,
2222 int len)
2223{
2224 int current_size = 0;
2225
2226 if (!*first) {
2227 **to = '|';
2228 *to += 1;
2229 }
2230 else
2231 *first = 0;
2232
2233 while (current_size < len) {
2234 if (*from != '"') {
2235 **to = *from;
2236 *to += 1;
2237 }
2238 from += 1;
2239 current_size += 1;
2240 }
2241}
2242
1da177e4
LT		 2243static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
2244{
2245 int fnosec, fsec, rc = 0;
2246 char *in_save, *in_curr, *in_end;
2247 char *sec_curr, *nosec_save, *nosec;
3528a953 2248 int open_quote = 0;
1da177e4
LT		 2249
2250 in_curr = orig;
2251 sec_curr = copy;
2252
2253 /* Binary mount data: just copy */
2254 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
2255 copy_page(sec_curr, in_curr);
2256 goto out;
2257 }
2258
2259 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2260 if (!nosec) {
2261 rc = -ENOMEM;
2262 goto out;
2263 }
2264
2265 nosec_save = nosec;
2266 fnosec = fsec = 1;
2267 in_save = in_end = orig;
2268
2269 do {
3528a953
CO		 2270 if (*in_end == '"')
2271 open_quote = !open_quote;
2272 if ((*in_end == ',' && open_quote == 0) ||
2273 *in_end == '\0') {
1da177e4
LT		 2274 int len = in_end - in_curr;
2275
2276 if (selinux_option(in_curr, len))
3528a953 2277 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2278 else
2279 take_option(&nosec, in_curr, &fnosec, len);
2280
2281 in_curr = in_end + 1;
2282 }
2283 } while (*in_end++);
2284
6931dfc9 2285 strcpy(in_save, nosec_save);
da3caa20 2286 free_page((unsigned long)nosec_save);
1da177e4
LT		 2287out:
2288 return rc;
2289}
2290
2291static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2292{
2293 struct avc_audit_data ad;
2294 int rc;
2295
2296 rc = superblock_doinit(sb, data);
2297 if (rc)
2298 return rc;
2299
2300 AVC_AUDIT_DATA_INIT(&ad,FS);
2301 ad.u.fs.dentry = sb->s_root;
2302 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2303}
2304
726c3342 2305static int selinux_sb_statfs(struct dentry *dentry)
1da177e4
LT		 2306{
2307 struct avc_audit_data ad;
2308
2309 AVC_AUDIT_DATA_INIT(&ad,FS);
726c3342
DH		 2310 ad.u.fs.dentry = dentry->d_sb->s_root;
2311 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2312}
2313
2314static int selinux_mount(char * dev_name,
2315 struct nameidata *nd,
2316 char * type,
2317 unsigned long flags,
2318 void * data)
2319{
2320 int rc;
2321
2322 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2323 if (rc)
2324 return rc;
2325
2326 if (flags & MS_REMOUNT)
2327 return superblock_has_perm(current, nd->mnt->mnt_sb,
2328 FILESYSTEM__REMOUNT, NULL);
2329 else
2330 return dentry_has_perm(current, nd->mnt, nd->dentry,
2331 FILE__MOUNTON);
2332}
2333
2334static int selinux_umount(struct vfsmount *mnt, int flags)
2335{
2336 int rc;
2337
2338 rc = secondary_ops->sb_umount(mnt, flags);
2339 if (rc)
2340 return rc;
2341
2342 return superblock_has_perm(current,mnt->mnt_sb,
2343 FILESYSTEM__UNMOUNT,NULL);
2344}
2345
2346/* inode security operations */
2347
2348static int selinux_inode_alloc_security(struct inode *inode)
2349{
2350 return inode_alloc_security(inode);
2351}
2352
2353static void selinux_inode_free_security(struct inode *inode)
2354{
2355 inode_free_security(inode);
2356}
2357
5e41ff9e
SS		 2358static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2359 char **name, void **value,
2360 size_t *len)
2361{
2362 struct task_security_struct *tsec;
2363 struct inode_security_struct *dsec;
2364 struct superblock_security_struct *sbsec;
570bc1c2 2365 u32 newsid, clen;
5e41ff9e 2366 int rc;
570bc1c2 2367 char *namep = NULL, *context;
5e41ff9e
SS		 2368
2369 tsec = current->security;
2370 dsec = dir->i_security;
2371 sbsec = dir->i_sb->s_security;
5e41ff9e
SS		 2372
2373 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2374 newsid = tsec->create_sid;
2375 } else {
2376 rc = security_transition_sid(tsec->sid, dsec->sid,
2377 inode_mode_to_security_class(inode->i_mode),
2378 &newsid);
2379 if (rc) {
2380 printk(KERN_WARNING "%s: "
2381 "security_transition_sid failed, rc=%d (dev=%s "
2382 "ino=%ld)\n",
2383 __FUNCTION__,
2384 -rc, inode->i_sb->s_id, inode->i_ino);
2385 return rc;
2386 }
2387 }
2388
296fddf7
EP		 2389 /* Possibly defer initialization to selinux_complete_init. */
2390 if (sbsec->initialized) {
2391 struct inode_security_struct *isec = inode->i_security;
2392 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2393 isec->sid = newsid;
2394 isec->initialized = 1;
2395 }
5e41ff9e 2396
8aad3875 2397 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
25a74f3b
SS		 2398 return -EOPNOTSUPP;
2399
570bc1c2
SS		 2400 if (name) {
2401 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2402 if (!namep)
2403 return -ENOMEM;
2404 *name = namep;
2405 }
5e41ff9e 2406
570bc1c2
SS		 2407 if (value && len) {
2408 rc = security_sid_to_context(newsid, &context, &clen);
2409 if (rc) {
2410 kfree(namep);
2411 return rc;
2412 }
2413 *value = context;
2414 *len = clen;
5e41ff9e 2415 }
5e41ff9e 2416
5e41ff9e
SS		 2417 return 0;
2418}
2419
1da177e4
LT		 2420static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2421{
2422 return may_create(dir, dentry, SECCLASS_FILE);
2423}
2424
1da177e4
LT		 2425static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2426{
2427 int rc;
2428
2429 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2430 if (rc)
2431 return rc;
2432 return may_link(dir, old_dentry, MAY_LINK);
2433}
2434
1da177e4
LT		 2435static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2436{
2437 int rc;
2438
2439 rc = secondary_ops->inode_unlink(dir, dentry);
2440 if (rc)
2441 return rc;
2442 return may_link(dir, dentry, MAY_UNLINK);
2443}
2444
2445static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2446{
2447 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2448}
2449
1da177e4
LT		 2450static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2451{
2452 return may_create(dir, dentry, SECCLASS_DIR);
2453}
2454
1da177e4
LT		 2455static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2456{
2457 return may_link(dir, dentry, MAY_RMDIR);
2458}
2459
2460static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2461{
2462 int rc;
2463
2464 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2465 if (rc)
2466 return rc;
2467
2468 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2469}
2470
1da177e4
LT		 2471static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2472 struct inode *new_inode, struct dentry *new_dentry)
2473{
2474 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2475}
2476
1da177e4
LT		 2477static int selinux_inode_readlink(struct dentry *dentry)
2478{
2479 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2480}
2481
2482static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2483{
2484 int rc;
2485
2486 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2487 if (rc)
2488 return rc;
2489 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2490}
2491
2492static int selinux_inode_permission(struct inode *inode, int mask,
2493 struct nameidata *nd)
2494{
2495 int rc;
2496
2497 rc = secondary_ops->inode_permission(inode, mask, nd);
2498 if (rc)
2499 return rc;
2500
2501 if (!mask) {
2502 /* No permission to check. Existence test. */
2503 return 0;
2504 }
2505
2506 return inode_has_perm(current, inode,
2507 file_mask_to_av(inode->i_mode, mask), NULL);
2508}
2509
2510static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2511{
2512 int rc;
2513
2514 rc = secondary_ops->inode_setattr(dentry, iattr);
2515 if (rc)
2516 return rc;
2517
2518 if (iattr->ia_valid & ATTR_FORCE)
2519 return 0;
2520
2521 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2522 ATTR_ATIME_SET | ATTR_MTIME_SET))
2523 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2524
2525 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2526}
2527
2528static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2529{
2530 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2531}
2532
b5376771
SH		 2533static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2534{
2535 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2536 sizeof XATTR_SECURITY_PREFIX - 1)) {
2537 if (!strcmp(name, XATTR_NAME_CAPS)) {
2538 if (!capable(CAP_SETFCAP))
2539 return -EPERM;
2540 } else if (!capable(CAP_SYS_ADMIN)) {
2541 /* A different attribute in the security namespace.
2542 Restrict to administrator. */
2543 return -EPERM;
2544 }
2545 }
2546
2547 /* Not an attribute we recognize, so just check the
2548 ordinary setattr permission. */
2549 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2550}
2551
1da177e4
LT		 2552static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2553{
2554 struct task_security_struct *tsec = current->security;
2555 struct inode *inode = dentry->d_inode;
2556 struct inode_security_struct *isec = inode->i_security;
2557 struct superblock_security_struct *sbsec;
2558 struct avc_audit_data ad;
2559 u32 newsid;
2560 int rc = 0;
2561
b5376771
SH		 2562 if (strcmp(name, XATTR_NAME_SELINUX))
2563 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2564
2565 sbsec = inode->i_sb->s_security;
2566 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2567 return -EOPNOTSUPP;
2568
3bd858ab 2569 if (!is_owner_or_cap(inode))
1da177e4
LT		 2570 return -EPERM;
2571
2572 AVC_AUDIT_DATA_INIT(&ad,FS);
2573 ad.u.fs.dentry = dentry;
2574
2575 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2576 FILE__RELABELFROM, &ad);
2577 if (rc)
2578 return rc;
2579
2580 rc = security_context_to_sid(value, size, &newsid);
2581 if (rc)
2582 return rc;
2583
2584 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2585 FILE__RELABELTO, &ad);
2586 if (rc)
2587 return rc;
2588
2589 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2590 isec->sclass);
2591 if (rc)
2592 return rc;
2593
2594 return avc_has_perm(newsid,
2595 sbsec->sid,
2596 SECCLASS_FILESYSTEM,
2597 FILESYSTEM__ASSOCIATE,
2598 &ad);
2599}
2600
2601static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2602 void *value, size_t size, int flags)
2603{
2604 struct inode *inode = dentry->d_inode;
2605 struct inode_security_struct *isec = inode->i_security;
2606 u32 newsid;
2607 int rc;
2608
2609 if (strcmp(name, XATTR_NAME_SELINUX)) {
2610 /* Not an attribute we recognize, so nothing to do. */
2611 return;
2612 }
2613
2614 rc = security_context_to_sid(value, size, &newsid);
2615 if (rc) {
2616 printk(KERN_WARNING "%s: unable to obtain SID for context "
2617 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2618 return;
2619 }
2620
2621 isec->sid = newsid;
2622 return;
2623}
2624
2625static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2626{
1da177e4
LT		 2627 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2628}
2629
2630static int selinux_inode_listxattr (struct dentry *dentry)
2631{
2632 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2633}
2634
2635static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2636{
b5376771
SH		 2637 if (strcmp(name, XATTR_NAME_SELINUX))
2638 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2639
2640 /* No one is allowed to remove a SELinux security label.
2641 You can change the label, but all data must be labeled. */
2642 return -EACCES;
2643}
2644
d381d8a9
JM		 2645/*
2646 * Copy the in-core inode security context value to the user. If the
2647 * getxattr() prior to this succeeded, check to see if we need to
2648 * canonicalize the value to be finally returned to the user.
2649 *
2650 * Permission check is handled by selinux_inode_getxattr hook.
2651 */
42492594 2652static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 2653{
42492594
DQ		 2654 u32 size;
2655 int error;
2656 char *context = NULL;
1da177e4 2657 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2658
8c8570fb
DK		 2659 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2660 return -EOPNOTSUPP;
d381d8a9 2661
42492594
DQ		 2662 error = security_sid_to_context(isec->sid, &context, &size);
2663 if (error)
2664 return error;
2665 error = size;
2666 if (alloc) {
2667 *buffer = context;
2668 goto out_nofree;
2669 }
2670 kfree(context);
2671out_nofree:
2672 return error;
1da177e4
LT		 2673}
2674
2675static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2676 const void *value, size_t size, int flags)
2677{
2678 struct inode_security_struct *isec = inode->i_security;
2679 u32 newsid;
2680 int rc;
2681
2682 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2683 return -EOPNOTSUPP;
2684
2685 if (!value || !size)
2686 return -EACCES;
2687
2688 rc = security_context_to_sid((void*)value, size, &newsid);
2689 if (rc)
2690 return rc;
2691
2692 isec->sid = newsid;
2693 return 0;
2694}
2695
2696static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2697{
2698 const int len = sizeof(XATTR_NAME_SELINUX);
2699 if (buffer && len <= buffer_size)
2700 memcpy(buffer, XATTR_NAME_SELINUX, len);
2701 return len;
2702}
2703
b5376771
SH		 2704static int selinux_inode_need_killpriv(struct dentry *dentry)
2705{
2706 return secondary_ops->inode_need_killpriv(dentry);
2707}
2708
2709static int selinux_inode_killpriv(struct dentry *dentry)
2710{
2711 return secondary_ops->inode_killpriv(dentry);
2712}
2713
1da177e4
LT		 2714/* file security operations */
2715
788e7dd4 2716static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 2717{
7420ed23 2718 int rc;
3d5ff529 2719 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2720
2721 if (!mask) {
2722 /* No permission to check. Existence test. */
2723 return 0;
2724 }
2725
2726 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2727 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2728 mask |= MAY_APPEND;
2729
7420ed23
VY		 2730 rc = file_has_perm(current, file,
2731 file_mask_to_av(inode->i_mode, mask));
2732 if (rc)
2733 return rc;
2734
2735 return selinux_netlbl_inode_permission(inode, mask);
1da177e4
LT		 2736}
2737
788e7dd4
YN		 2738static int selinux_file_permission(struct file *file, int mask)
2739{
2740 struct inode *inode = file->f_path.dentry->d_inode;
2741 struct task_security_struct *tsec = current->security;
2742 struct file_security_struct *fsec = file->f_security;
2743 struct inode_security_struct *isec = inode->i_security;
2744
2745 if (!mask) {
2746 /* No permission to check. Existence test. */
2747 return 0;
2748 }
2749
2750 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2751 && fsec->pseqno == avc_policy_seqno())
2752 return selinux_netlbl_inode_permission(inode, mask);
2753
2754 return selinux_revalidate_file_permission(file, mask);
2755}
2756
1da177e4
LT		 2757static int selinux_file_alloc_security(struct file *file)
2758{
2759 return file_alloc_security(file);
2760}
2761
2762static void selinux_file_free_security(struct file *file)
2763{
2764 file_free_security(file);
2765}
2766
2767static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2768 unsigned long arg)
2769{
2770 int error = 0;
2771
2772 switch (cmd) {
2773 case FIONREAD:
2774 /* fall through */
2775 case FIBMAP:
2776 /* fall through */
2777 case FIGETBSZ:
2778 /* fall through */
2779 case EXT2_IOC_GETFLAGS:
2780 /* fall through */
2781 case EXT2_IOC_GETVERSION:
2782 error = file_has_perm(current, file, FILE__GETATTR);
2783 break;
2784
2785 case EXT2_IOC_SETFLAGS:
2786 /* fall through */
2787 case EXT2_IOC_SETVERSION:
2788 error = file_has_perm(current, file, FILE__SETATTR);
2789 break;
2790
2791 /* sys_ioctl() checks */
2792 case FIONBIO:
2793 /* fall through */
2794 case FIOASYNC:
2795 error = file_has_perm(current, file, 0);
2796 break;
2797
2798 case KDSKBENT:
2799 case KDSKBSENT:
2800 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2801 break;
2802
2803 /* default case assumes that the command will go
2804 * to the file's ioctl() function.
2805 */
2806 default:
2807 error = file_has_perm(current, file, FILE__IOCTL);
2808
2809 }
2810 return error;
2811}
2812
2813static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2814{
2815#ifndef CONFIG_PPC32
2816 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2817 /*
2818 * We are making executable an anonymous mapping or a
2819 * private file mapping that will also be writable.
2820 * This has an additional check.
2821 */
2822 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2823 if (rc)
2824 return rc;
2825 }
2826#endif
2827
2828 if (file) {
2829 /* read access is always possible with a mapping */
2830 u32 av = FILE__READ;
2831
2832 /* write access only matters if the mapping is shared */
2833 if (shared && (prot & PROT_WRITE))
2834 av |= FILE__WRITE;
2835
2836 if (prot & PROT_EXEC)
2837 av |= FILE__EXECUTE;
2838
2839 return file_has_perm(current, file, av);
2840 }
2841 return 0;
2842}
2843
2844static int selinux_file_mmap(struct file *file, unsigned long reqprot,
ed032189
EP		 2845 unsigned long prot, unsigned long flags,
2846 unsigned long addr, unsigned long addr_only)
1da177e4 2847{
ed032189
EP		 2848 int rc = 0;
2849 u32 sid = ((struct task_security_struct*)(current->security))->sid;
1da177e4 2850
ed032189
EP		 2851 if (addr < mmap_min_addr)
2852 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2853 MEMPROTECT__MMAP_ZERO, NULL);
2854 if (rc || addr_only)
1da177e4
LT		 2855 return rc;
2856
2857 if (selinux_checkreqprot)
2858 prot = reqprot;
2859
2860 return file_map_prot_check(file, prot,
2861 (flags & MAP_TYPE) == MAP_SHARED);
2862}
2863
2864static int selinux_file_mprotect(struct vm_area_struct *vma,
2865 unsigned long reqprot,
2866 unsigned long prot)
2867{
2868 int rc;
2869
2870 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2871 if (rc)
2872 return rc;
2873
2874 if (selinux_checkreqprot)
2875 prot = reqprot;
2876
2877#ifndef CONFIG_PPC32
db4c9641
SS		 2878 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2879 rc = 0;
2880 if (vma->vm_start >= vma->vm_mm->start_brk &&
2881 vma->vm_end <= vma->vm_mm->brk) {
2882 rc = task_has_perm(current, current,
2883 PROCESS__EXECHEAP);
2884 } else if (!vma->vm_file &&
2885 vma->vm_start <= vma->vm_mm->start_stack &&
2886 vma->vm_end >= vma->vm_mm->start_stack) {
2887 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2888 } else if (vma->vm_file && vma->anon_vma) {
2889 /*
2890 * We are making executable a file mapping that has
2891 * had some COW done. Since pages might have been
2892 * written, check ability to execute the possibly
2893 * modified content. This typically should only
2894 * occur for text relocations.
2895 */
2896 rc = file_has_perm(current, vma->vm_file,
2897 FILE__EXECMOD);
2898 }