projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
vfs: remove extraneous NULL d_inode check from do_filp_open
[linux-2.6-block.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4
PM		 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul.moore@hp.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4
LT		 26#include <linux/init.h>
27#include <linux/kernel.h>
0d094efe 28#include <linux/tracehook.h>
1da177e4
LT		 29#include <linux/errno.h>
30#include <linux/sched.h>
31#include <linux/security.h>
32#include <linux/xattr.h>
33#include <linux/capability.h>
34#include <linux/unistd.h>
35#include <linux/mm.h>
36#include <linux/mman.h>
37#include <linux/slab.h>
38#include <linux/pagemap.h>
39#include <linux/swap.h>
1da177e4
LT		 40#include <linux/spinlock.h>
41#include <linux/syscalls.h>
42#include <linux/file.h>
9f3acc31 43#include <linux/fdtable.h>
1da177e4
LT		 44#include <linux/namei.h>
45#include <linux/mount.h>
1da177e4 46#include <linux/proc_fs.h>
1da177e4
LT		 47#include <linux/netfilter_ipv4.h>
48#include <linux/netfilter_ipv6.h>
49#include <linux/tty.h>
50#include <net/icmp.h>
227b60f5 51#include <net/ip.h> /* for local_port_range[] */
1da177e4 52#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
220deb96 53#include <net/net_namespace.h>
d621d35e 54#include <net/netlabel.h>
f5269710 55#include <linux/uaccess.h>
1da177e4 56#include <asm/ioctls.h>
d621d35e 57#include <asm/atomic.h>
1da177e4
LT		 58#include <linux/bitops.h>
59#include <linux/interrupt.h>
60#include <linux/netdevice.h> /* for network interface checks */
61#include <linux/netlink.h>
62#include <linux/tcp.h>
63#include <linux/udp.h>
2ee92d46 64#include <linux/dccp.h>
1da177e4
LT		 65#include <linux/quota.h>
66#include <linux/un.h> /* for Unix socket types */
67#include <net/af_unix.h> /* for Unix socket types */
68#include <linux/parser.h>
69#include <linux/nfs_mount.h>
70#include <net/ipv6.h>
71#include <linux/hugetlb.h>
72#include <linux/personality.h>
73#include <linux/sysctl.h>
74#include <linux/audit.h>
6931dfc9 75#include <linux/string.h>
877ce7c1 76#include <linux/selinux.h>
23970741 77#include <linux/mutex.h>
f06febc9 78#include <linux/posix-timers.h>
1da177e4
LT		 79
80#include "avc.h"
81#include "objsec.h"
82#include "netif.h"
224dfbd8 83#include "netnode.h"
3e112172 84#include "netport.h"
d28d1e08 85#include "xfrm.h"
c60475bf 86#include "netlabel.h"
9d57a7f9 87#include "audit.h"
1da177e4
LT		 88
89#define XATTR_SELINUX_SUFFIX "selinux"
90#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
91
11689d47 92#define NUM_SEL_MNT_OPTS 5
c9180a57 93
1da177e4 94extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
20510f2f 95extern struct security_operations *security_ops;
1da177e4 96
d621d35e
PM		 97/* SECMARK reference count */
98atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99
1da177e4 100#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 101int selinux_enforcing;
1da177e4
LT		 102
103static int __init enforcing_setup(char *str)
104{
f5269710
EP		 105 unsigned long enforcing;
106 if (!strict_strtoul(str, 0, &enforcing))
107 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 108 return 1;
109}
110__setup("enforcing=", enforcing_setup);
111#endif
112
113#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116static int __init selinux_enabled_setup(char *str)
117{
f5269710
EP		 118 unsigned long enabled;
119 if (!strict_strtoul(str, 0, &enabled))
120 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 121 return 1;
122}
123__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 124#else
125int selinux_enabled = 1;
1da177e4
LT		 126#endif
127
1da177e4 128
6f0f0fd4
JM		 129/*
130 * Minimal support for a secondary security module,
131 * just to allow the use of the capability module.
132 */
828dfe1d 133static struct security_operations *secondary_ops;
1da177e4
LT		 134
135/* Lists of inode and superblock security structures initialized
136 before the policy was loaded. */
137static LIST_HEAD(superblock_security_head);
138static DEFINE_SPINLOCK(sb_security_lock);
139
e18b890b 140static struct kmem_cache *sel_inode_cache;
7cae7e26 141
d621d35e
PM		 142/**
143 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
144 *
145 * Description:
146 * This function checks the SECMARK reference counter to see if any SECMARK
147 * targets are currently configured, if the reference counter is greater than
148 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
149 * enabled, false (0) if SECMARK is disabled.
150 *
151 */
152static int selinux_secmark_enabled(void)
153{
154 return (atomic_read(&selinux_secmark_refcount) > 0);
155}
156
d84f4f99
DH		 157/*
158 * initialise the security for the init task
159 */
160static void cred_init_security(void)
1da177e4 161{
3b11a1de 162 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 163 struct task_security_struct *tsec;
164
89d155ef 165 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 166 if (!tsec)
d84f4f99 167 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 168
d84f4f99 169 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 170 cred->security = tsec;
1da177e4
LT		 171}
172
88e67f3b
DH		 173/*
174 * get the security ID of a set of credentials
175 */
176static inline u32 cred_sid(const struct cred *cred)
177{
178 const struct task_security_struct *tsec;
179
180 tsec = cred->security;
181 return tsec->sid;
182}
183
275bb41e 184/*
3b11a1de 185 * get the objective security ID of a task
275bb41e
DH		 186 */
187static inline u32 task_sid(const struct task_struct *task)
188{
275bb41e
DH		 189 u32 sid;
190
191 rcu_read_lock();
88e67f3b 192 sid = cred_sid(__task_cred(task));
275bb41e
DH		 193 rcu_read_unlock();
194 return sid;
195}
196
197/*
3b11a1de 198 * get the subjective security ID of the current task
275bb41e
DH		 199 */
200static inline u32 current_sid(void)
201{
202 const struct task_security_struct *tsec = current_cred()->security;
203
204 return tsec->sid;
205}
206
88e67f3b
DH		 207/* Allocate and free functions for each kind of security blob. */
208
1da177e4
LT		 209static int inode_alloc_security(struct inode *inode)
210{
1da177e4 211 struct inode_security_struct *isec;
275bb41e 212 u32 sid = current_sid();
1da177e4 213
a02fe132 214 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 215 if (!isec)
216 return -ENOMEM;
217
23970741 218 mutex_init(&isec->lock);
1da177e4 219 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 220 isec->inode = inode;
221 isec->sid = SECINITSID_UNLABELED;
222 isec->sclass = SECCLASS_FILE;
275bb41e 223 isec->task_sid = sid;
1da177e4
LT		 224 inode->i_security = isec;
225
226 return 0;
227}
228
229static void inode_free_security(struct inode *inode)
230{
231 struct inode_security_struct *isec = inode->i_security;
232 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
233
1da177e4
LT		 234 spin_lock(&sbsec->isec_lock);
235 if (!list_empty(&isec->list))
236 list_del_init(&isec->list);
237 spin_unlock(&sbsec->isec_lock);
238
239 inode->i_security = NULL;
7cae7e26 240 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 241}
242
243static int file_alloc_security(struct file *file)
244{
1da177e4 245 struct file_security_struct *fsec;
275bb41e 246 u32 sid = current_sid();
1da177e4 247
26d2a4be 248 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 249 if (!fsec)
250 return -ENOMEM;
251
275bb41e
DH		 252 fsec->sid = sid;
253 fsec->fown_sid = sid;
1da177e4
LT		 254 file->f_security = fsec;
255
256 return 0;
257}
258
259static void file_free_security(struct file *file)
260{
261 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 262 file->f_security = NULL;
263 kfree(fsec);
264}
265
266static int superblock_alloc_security(struct super_block *sb)
267{
268 struct superblock_security_struct *sbsec;
269
89d155ef 270 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 271 if (!sbsec)
272 return -ENOMEM;
273
bc7e982b 274 mutex_init(&sbsec->lock);
1da177e4
LT		 275 INIT_LIST_HEAD(&sbsec->list);
276 INIT_LIST_HEAD(&sbsec->isec_head);
277 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 278 sbsec->sb = sb;
279 sbsec->sid = SECINITSID_UNLABELED;
280 sbsec->def_sid = SECINITSID_FILE;
c312feb2 281 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 282 sb->s_security = sbsec;
283
284 return 0;
285}
286
287static void superblock_free_security(struct super_block *sb)
288{
289 struct superblock_security_struct *sbsec = sb->s_security;
290
1da177e4
LT		 291 spin_lock(&sb_security_lock);
292 if (!list_empty(&sbsec->list))
293 list_del_init(&sbsec->list);
294 spin_unlock(&sb_security_lock);
295
296 sb->s_security = NULL;
297 kfree(sbsec);
298}
299
7d877f3b 300static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4
LT		 301{
302 struct sk_security_struct *ssec;
303
89d155ef 304 ssec = kzalloc(sizeof(*ssec), priority);
1da177e4
LT		 305 if (!ssec)
306 return -ENOMEM;
307
1da177e4 308 ssec->peer_sid = SECINITSID_UNLABELED;
892c141e 309 ssec->sid = SECINITSID_UNLABELED;
1da177e4
LT		 310 sk->sk_security = ssec;
311
389fb800 312 selinux_netlbl_sk_security_reset(ssec);
99f59ed0 313
1da177e4
LT		 314 return 0;
315}
316
317static void sk_free_security(struct sock *sk)
318{
319 struct sk_security_struct *ssec = sk->sk_security;
320
1da177e4 321 sk->sk_security = NULL;
6c5b3fc0 322 selinux_netlbl_sk_security_free(ssec);
1da177e4
LT		 323 kfree(ssec);
324}
1da177e4
LT		 325
326/* The security server must be initialized before
327 any labeling or access decisions can be provided. */
328extern int ss_initialized;
329
330/* The file system's label must be initialized prior to use. */
331
332static char *labeling_behaviors[6] = {
333 "uses xattr",
334 "uses transition SIDs",
335 "uses task SIDs",
336 "uses genfs_contexts",
337 "not configured for labeling",
338 "uses mountpoint labeling",
339};
340
341static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
342
343static inline int inode_doinit(struct inode *inode)
344{
345 return inode_doinit_with_dentry(inode, NULL);
346}
347
348enum {
31e87930 349 Opt_error = -1,
1da177e4
LT		 350 Opt_context = 1,
351 Opt_fscontext = 2,
c9180a57
EP		 352 Opt_defcontext = 3,
353 Opt_rootcontext = 4,
11689d47 354 Opt_labelsupport = 5,
1da177e4
LT		 355};
356
a447c093 357static const match_table_t tokens = {
832cbd9a
EP		 358 {Opt_context, CONTEXT_STR "%s"},
359 {Opt_fscontext, FSCONTEXT_STR "%s"},
360 {Opt_defcontext, DEFCONTEXT_STR "%s"},
361 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 362 {Opt_labelsupport, LABELSUPP_STR},
31e87930 363 {Opt_error, NULL},
1da177e4
LT		 364};
365
366#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
367
c312feb2
EP		 368static int may_context_mount_sb_relabel(u32 sid,
369 struct superblock_security_struct *sbsec,
275bb41e 370 const struct cred *cred)
c312feb2 371{
275bb41e 372 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 373 int rc;
374
375 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
376 FILESYSTEM__RELABELFROM, NULL);
377 if (rc)
378 return rc;
379
380 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
381 FILESYSTEM__RELABELTO, NULL);
382 return rc;
383}
384
0808925e
EP		 385static int may_context_mount_inode_relabel(u32 sid,
386 struct superblock_security_struct *sbsec,
275bb41e 387 const struct cred *cred)
0808925e 388{
275bb41e 389 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 390 int rc;
391 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
392 FILESYSTEM__RELABELFROM, NULL);
393 if (rc)
394 return rc;
395
396 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
397 FILESYSTEM__ASSOCIATE, NULL);
398 return rc;
399}
400
c9180a57 401static int sb_finish_set_opts(struct super_block *sb)
1da177e4 402{
1da177e4 403 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 404 struct dentry *root = sb->s_root;
405 struct inode *root_inode = root->d_inode;
406 int rc = 0;
1da177e4 407
c9180a57
EP		 408 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
409 /* Make sure that the xattr handler exists and that no
410 error other than -ENODATA is returned by getxattr on
411 the root directory. -ENODATA is ok, as this may be
412 the first boot of the SELinux kernel before we have
413 assigned xattr values to the filesystem. */
414 if (!root_inode->i_op->getxattr) {
415 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
416 "xattr support\n", sb->s_id, sb->s_type->name);
417 rc = -EOPNOTSUPP;
418 goto out;
419 }
420 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
421 if (rc < 0 && rc != -ENODATA) {
422 if (rc == -EOPNOTSUPP)
423 printk(KERN_WARNING "SELinux: (dev %s, type "
424 "%s) has no security xattr handler\n",
425 sb->s_id, sb->s_type->name);
426 else
427 printk(KERN_WARNING "SELinux: (dev %s, type "
428 "%s) getxattr errno %d\n", sb->s_id,
429 sb->s_type->name, -rc);
430 goto out;
431 }
432 }
1da177e4 433
11689d47 434 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
1da177e4 435
c9180a57
EP		 436 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
437 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
438 sb->s_id, sb->s_type->name);
439 else
440 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
441 sb->s_id, sb->s_type->name,
442 labeling_behaviors[sbsec->behavior-1]);
1da177e4 443
11689d47
DQ		 444 if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
445 sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
446 sbsec->behavior == SECURITY_FS_USE_NONE ||
447 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
448 sbsec->flags &= ~SE_SBLABELSUPP;
449
ddd29ec6
DQ		 450 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
451 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
452 sbsec->flags |= SE_SBLABELSUPP;
453
c9180a57
EP		 454 /* Initialize the root inode. */
455 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 456
c9180a57
EP		 457 /* Initialize any other inodes associated with the superblock, e.g.
458 inodes created prior to initial policy load or inodes created
459 during get_sb by a pseudo filesystem that directly
460 populates itself. */
461 spin_lock(&sbsec->isec_lock);
462next_inode:
463 if (!list_empty(&sbsec->isec_head)) {
464 struct inode_security_struct *isec =
465 list_entry(sbsec->isec_head.next,
466 struct inode_security_struct, list);
467 struct inode *inode = isec->inode;
468 spin_unlock(&sbsec->isec_lock);
469 inode = igrab(inode);
470 if (inode) {
471 if (!IS_PRIVATE(inode))
472 inode_doinit(inode);
473 iput(inode);
474 }
475 spin_lock(&sbsec->isec_lock);
476 list_del_init(&isec->list);
477 goto next_inode;
478 }
479 spin_unlock(&sbsec->isec_lock);
480out:
481 return rc;
482}
1da177e4 483
c9180a57
EP		 484/*
485 * This function should allow an FS to ask what it's mount security
486 * options were so it can use those later for submounts, displaying
487 * mount options, or whatever.
488 */
489static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 490 struct security_mnt_opts *opts)
c9180a57
EP		 491{
492 int rc = 0, i;
493 struct superblock_security_struct *sbsec = sb->s_security;
494 char *context = NULL;
495 u32 len;
496 char tmp;
1da177e4 497
e0007529 498 security_init_mnt_opts(opts);
1da177e4 499
0d90a7ec 500 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 501 return -EINVAL;
1da177e4 502
c9180a57
EP		 503 if (!ss_initialized)
504 return -EINVAL;
1da177e4 505
0d90a7ec 506 tmp = sbsec->flags & SE_MNTMASK;
c9180a57
EP		 507 /* count the number of mount options for this sb */
508 for (i = 0; i < 8; i++) {
509 if (tmp & 0x01)
e0007529 510 opts->num_mnt_opts++;
c9180a57
EP		 511 tmp >>= 1;
512 }
11689d47
DQ		 513 /* Check if the Label support flag is set */
514 if (sbsec->flags & SE_SBLABELSUPP)
515 opts->num_mnt_opts++;
1da177e4 516
e0007529
EP		 517 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
518 if (!opts->mnt_opts) {
c9180a57
EP		 519 rc = -ENOMEM;
520 goto out_free;
521 }
1da177e4 522
e0007529
EP		 523 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
524 if (!opts->mnt_opts_flags) {
c9180a57
EP		 525 rc = -ENOMEM;
526 goto out_free;
527 }
1da177e4 528
c9180a57
EP		 529 i = 0;
530 if (sbsec->flags & FSCONTEXT_MNT) {
531 rc = security_sid_to_context(sbsec->sid, &context, &len);
532 if (rc)
533 goto out_free;
e0007529
EP		 534 opts->mnt_opts[i] = context;
535 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 536 }
537 if (sbsec->flags & CONTEXT_MNT) {
538 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
539 if (rc)
540 goto out_free;
e0007529
EP		 541 opts->mnt_opts[i] = context;
542 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 543 }
544 if (sbsec->flags & DEFCONTEXT_MNT) {
545 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
546 if (rc)
547 goto out_free;
e0007529
EP		 548 opts->mnt_opts[i] = context;
549 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 550 }
551 if (sbsec->flags & ROOTCONTEXT_MNT) {
552 struct inode *root = sbsec->sb->s_root->d_inode;
553 struct inode_security_struct *isec = root->i_security;
0808925e 554
c9180a57
EP		 555 rc = security_sid_to_context(isec->sid, &context, &len);
556 if (rc)
557 goto out_free;
e0007529
EP		 558 opts->mnt_opts[i] = context;
559 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 560 }
11689d47
DQ		 561 if (sbsec->flags & SE_SBLABELSUPP) {
562 opts->mnt_opts[i] = NULL;
563 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
564 }
1da177e4 565
e0007529 566 BUG_ON(i != opts->num_mnt_opts);
1da177e4 567
c9180a57
EP		 568 return 0;
569
570out_free:
e0007529 571 security_free_mnt_opts(opts);
c9180a57
EP		 572 return rc;
573}
1da177e4 574
c9180a57
EP		 575static int bad_option(struct superblock_security_struct *sbsec, char flag,
576 u32 old_sid, u32 new_sid)
577{
0d90a7ec
DQ		 578 char mnt_flags = sbsec->flags & SE_MNTMASK;
579
c9180a57 580 /* check if the old mount command had the same options */
0d90a7ec 581 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 582 if (!(sbsec->flags & flag) ||
583 (old_sid != new_sid))
584 return 1;
585
586 /* check if we were passed the same options twice,
587 * aka someone passed context=a,context=b
588 */
0d90a7ec
DQ		 589 if (!(sbsec->flags & SE_SBINITIALIZED))
590 if (mnt_flags & flag)
c9180a57
EP		 591 return 1;
592 return 0;
593}
e0007529 594
c9180a57
EP		 595/*
596 * Allow filesystems with binary mount data to explicitly set mount point
597 * labeling information.
598 */
e0007529
EP		 599static int selinux_set_mnt_opts(struct super_block *sb,
600 struct security_mnt_opts *opts)
c9180a57 601{
275bb41e 602 const struct cred *cred = current_cred();
c9180a57 603 int rc = 0, i;
c9180a57
EP		 604 struct superblock_security_struct *sbsec = sb->s_security;
605 const char *name = sb->s_type->name;
089be43e
JM		 606 struct inode *inode = sbsec->sb->s_root->d_inode;
607 struct inode_security_struct *root_isec = inode->i_security;
c9180a57
EP		 608 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
609 u32 defcontext_sid = 0;
e0007529
EP		 610 char **mount_options = opts->mnt_opts;
611 int *flags = opts->mnt_opts_flags;
612 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 613
614 mutex_lock(&sbsec->lock);
615
616 if (!ss_initialized) {
617 if (!num_opts) {
618 /* Defer initialization until selinux_complete_init,
619 after the initial policy is loaded and the security
620 server is ready to handle calls. */
621 spin_lock(&sb_security_lock);
622 if (list_empty(&sbsec->list))
623 list_add(&sbsec->list, &superblock_security_head);
624 spin_unlock(&sb_security_lock);
625 goto out;
626 }
627 rc = -EINVAL;
744ba35e
EP		 628 printk(KERN_WARNING "SELinux: Unable to set superblock options "
629 "before the security server is initialized\n");
1da177e4 630 goto out;
c9180a57 631 }
1da177e4 632
e0007529
EP		 633 /*
634 * Binary mount data FS will come through this function twice. Once
635 * from an explicit call and once from the generic calls from the vfs.
636 * Since the generic VFS calls will not contain any security mount data
637 * we need to skip the double mount verification.
638 *
639 * This does open a hole in which we will not notice if the first
640 * mount using this sb set explict options and a second mount using
641 * this sb does not set any security options. (The first options
642 * will be used for both mounts)
643 */
0d90a7ec 644 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 645 && (num_opts == 0))
f5269710 646 goto out;
e0007529 647
c9180a57
EP		 648 /*
649 * parse the mount options, check if they are valid sids.
650 * also check if someone is trying to mount the same sb more
651 * than once with different security options.
652 */
653 for (i = 0; i < num_opts; i++) {
654 u32 sid;
11689d47
DQ		 655
656 if (flags[i] == SE_SBLABELSUPP)
657 continue;
c9180a57
EP		 658 rc = security_context_to_sid(mount_options[i],
659 strlen(mount_options[i]), &sid);
1da177e4
LT		 660 if (rc) {
661 printk(KERN_WARNING "SELinux: security_context_to_sid"
662 "(%s) failed for (dev %s, type %s) errno=%d\n",
c9180a57
EP		 663 mount_options[i], sb->s_id, name, rc);
664 goto out;
665 }
666 switch (flags[i]) {
667 case FSCONTEXT_MNT:
668 fscontext_sid = sid;
669
670 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
671 fscontext_sid))
672 goto out_double_mount;
673
674 sbsec->flags |= FSCONTEXT_MNT;
675 break;
676 case CONTEXT_MNT:
677 context_sid = sid;
678
679 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
680 context_sid))
681 goto out_double_mount;
682
683 sbsec->flags |= CONTEXT_MNT;
684 break;
685 case ROOTCONTEXT_MNT:
686 rootcontext_sid = sid;
687
688 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
689 rootcontext_sid))
690 goto out_double_mount;
691
692 sbsec->flags |= ROOTCONTEXT_MNT;
693
694 break;
695 case DEFCONTEXT_MNT:
696 defcontext_sid = sid;
697
698 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
699 defcontext_sid))
700 goto out_double_mount;
701
702 sbsec->flags |= DEFCONTEXT_MNT;
703
704 break;
705 default:
706 rc = -EINVAL;
707 goto out;
1da177e4 708 }
c9180a57
EP		 709 }
710
0d90a7ec 711 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 712 /* previously mounted with options, but not on this attempt? */
0d90a7ec 713 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 714 goto out_double_mount;
715 rc = 0;
716 goto out;
717 }
718
089be43e 719 if (strcmp(sb->s_type->name, "proc") == 0)
0d90a7ec 720 sbsec->flags |= SE_SBPROC;
c9180a57
EP		 721
722 /* Determine the labeling behavior to use for this filesystem type. */
0d90a7ec 723 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
c9180a57
EP		 724 if (rc) {
725 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
089be43e 726 __func__, sb->s_type->name, rc);
c9180a57
EP		 727 goto out;
728 }
1da177e4 729
c9180a57
EP		 730 /* sets the context of the superblock for the fs being mounted. */
731 if (fscontext_sid) {
275bb41e 732 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 733 if (rc)
c9180a57 734 goto out;
1da177e4 735
c9180a57 736 sbsec->sid = fscontext_sid;
c312feb2
EP		 737 }
738
739 /*
740 * Switch to using mount point labeling behavior.
741 * sets the label used on all file below the mountpoint, and will set
742 * the superblock context if not already set.
743 */
c9180a57
EP		 744 if (context_sid) {
745 if (!fscontext_sid) {
275bb41e
DH		 746 rc = may_context_mount_sb_relabel(context_sid, sbsec,
747 cred);
b04ea3ce 748 if (rc)
c9180a57
EP		 749 goto out;
750 sbsec->sid = context_sid;
b04ea3ce 751 } else {
275bb41e
DH		 752 rc = may_context_mount_inode_relabel(context_sid, sbsec,
753 cred);
b04ea3ce 754 if (rc)
c9180a57 755 goto out;
b04ea3ce 756 }
c9180a57
EP		 757 if (!rootcontext_sid)
758 rootcontext_sid = context_sid;
1da177e4 759
c9180a57 760 sbsec->mntpoint_sid = context_sid;
c312feb2 761 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 762 }
763
c9180a57 764 if (rootcontext_sid) {
275bb41e
DH		 765 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
766 cred);
0808925e 767 if (rc)
c9180a57 768 goto out;
0808925e 769
c9180a57
EP		 770 root_isec->sid = rootcontext_sid;
771 root_isec->initialized = 1;
0808925e
EP		 772 }
773
c9180a57
EP		 774 if (defcontext_sid) {
775 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
776 rc = -EINVAL;
777 printk(KERN_WARNING "SELinux: defcontext option is "
778 "invalid for this filesystem type\n");
779 goto out;
1da177e4
LT		 780 }
781
c9180a57
EP		 782 if (defcontext_sid != sbsec->def_sid) {
783 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 784 sbsec, cred);
c9180a57
EP		 785 if (rc)
786 goto out;
787 }
1da177e4 788
c9180a57 789 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 790 }
791
c9180a57 792 rc = sb_finish_set_opts(sb);
1da177e4 793out:
c9180a57 794 mutex_unlock(&sbsec->lock);
1da177e4 795 return rc;
c9180a57
EP		 796out_double_mount:
797 rc = -EINVAL;
798 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
799 "security settings for (dev %s, type %s)\n", sb->s_id, name);
800 goto out;
1da177e4
LT		 801}
802
c9180a57
EP		 803static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
804 struct super_block *newsb)
1da177e4 805{
c9180a57
EP		 806 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
807 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 808
c9180a57
EP		 809 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
810 int set_context = (oldsbsec->flags & CONTEXT_MNT);
811 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 812
0f5e6420
EP		 813 /*
814 * if the parent was able to be mounted it clearly had no special lsm
815 * mount options. thus we can safely put this sb on the list and deal
816 * with it later
817 */
818 if (!ss_initialized) {
819 spin_lock(&sb_security_lock);
820 if (list_empty(&newsbsec->list))
821 list_add(&newsbsec->list, &superblock_security_head);
822 spin_unlock(&sb_security_lock);
823 return;
824 }
c9180a57 825
c9180a57 826 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 827 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 828
5a552617 829 /* if fs is reusing a sb, just let its options stand... */
0d90a7ec 830 if (newsbsec->flags & SE_SBINITIALIZED)
5a552617
EP		 831 return;
832
c9180a57
EP		 833 mutex_lock(&newsbsec->lock);
834
835 newsbsec->flags = oldsbsec->flags;
836
837 newsbsec->sid = oldsbsec->sid;
838 newsbsec->def_sid = oldsbsec->def_sid;
839 newsbsec->behavior = oldsbsec->behavior;
840
841 if (set_context) {
842 u32 sid = oldsbsec->mntpoint_sid;
843
844 if (!set_fscontext)
845 newsbsec->sid = sid;
846 if (!set_rootcontext) {
847 struct inode *newinode = newsb->s_root->d_inode;
848 struct inode_security_struct *newisec = newinode->i_security;
849 newisec->sid = sid;
850 }
851 newsbsec->mntpoint_sid = sid;
1da177e4 852 }
c9180a57
EP		 853 if (set_rootcontext) {
854 const struct inode *oldinode = oldsb->s_root->d_inode;
855 const struct inode_security_struct *oldisec = oldinode->i_security;
856 struct inode *newinode = newsb->s_root->d_inode;
857 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 858
c9180a57 859 newisec->sid = oldisec->sid;
1da177e4
LT		 860 }
861
c9180a57
EP		 862 sb_finish_set_opts(newsb);
863 mutex_unlock(&newsbsec->lock);
864}
865
2e1479d9
AB		 866static int selinux_parse_opts_str(char *options,
867 struct security_mnt_opts *opts)
c9180a57 868{
e0007529 869 char *p;
c9180a57
EP		 870 char *context = NULL, *defcontext = NULL;
871 char *fscontext = NULL, *rootcontext = NULL;
e0007529 872 int rc, num_mnt_opts = 0;
1da177e4 873
e0007529 874 opts->num_mnt_opts = 0;
1da177e4 875
c9180a57
EP		 876 /* Standard string-based options. */
877 while ((p = strsep(&options, "|")) != NULL) {
878 int token;
879 substring_t args[MAX_OPT_ARGS];
1da177e4 880
c9180a57
EP		 881 if (!*p)
882 continue;
1da177e4 883
c9180a57 884 token = match_token(p, tokens, args);
1da177e4 885
c9180a57
EP		 886 switch (token) {
887 case Opt_context:
888 if (context || defcontext) {
889 rc = -EINVAL;
890 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
891 goto out_err;
892 }
893 context = match_strdup(&args[0]);
894 if (!context) {
895 rc = -ENOMEM;
896 goto out_err;
897 }
898 break;
899
900 case Opt_fscontext:
901 if (fscontext) {
902 rc = -EINVAL;
903 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
904 goto out_err;
905 }
906 fscontext = match_strdup(&args[0]);
907 if (!fscontext) {
908 rc = -ENOMEM;
909 goto out_err;
910 }
911 break;
912
913 case Opt_rootcontext:
914 if (rootcontext) {
915 rc = -EINVAL;
916 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
917 goto out_err;
918 }
919 rootcontext = match_strdup(&args[0]);
920 if (!rootcontext) {
921 rc = -ENOMEM;
922 goto out_err;
923 }
924 break;
925
926 case Opt_defcontext:
927 if (context || defcontext) {
928 rc = -EINVAL;
929 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
930 goto out_err;
931 }
932 defcontext = match_strdup(&args[0]);
933 if (!defcontext) {
934 rc = -ENOMEM;
935 goto out_err;
936 }
937 break;
11689d47
DQ		 938 case Opt_labelsupport:
939 break;
c9180a57
EP		 940 default:
941 rc = -EINVAL;
942 printk(KERN_WARNING "SELinux: unknown mount option\n");
943 goto out_err;
1da177e4 944
1da177e4 945 }
1da177e4 946 }
c9180a57 947
e0007529
EP		 948 rc = -ENOMEM;
949 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
950 if (!opts->mnt_opts)
951 goto out_err;
952
953 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
954 if (!opts->mnt_opts_flags) {
955 kfree(opts->mnt_opts);
956 goto out_err;
957 }
958
c9180a57 959 if (fscontext) {
e0007529
EP		 960 opts->mnt_opts[num_mnt_opts] = fscontext;
961 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 962 }
963 if (context) {
e0007529
EP		 964 opts->mnt_opts[num_mnt_opts] = context;
965 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 966 }
967 if (rootcontext) {
e0007529
EP		 968 opts->mnt_opts[num_mnt_opts] = rootcontext;
969 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 970 }
971 if (defcontext) {
e0007529
EP		 972 opts->mnt_opts[num_mnt_opts] = defcontext;
973 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 974 }
975
e0007529
EP		 976 opts->num_mnt_opts = num_mnt_opts;
977 return 0;
978
c9180a57
EP		 979out_err:
980 kfree(context);
981 kfree(defcontext);
982 kfree(fscontext);
983 kfree(rootcontext);
1da177e4
LT		 984 return rc;
985}
e0007529
EP		 986/*
987 * string mount options parsing and call set the sbsec
988 */
989static int superblock_doinit(struct super_block *sb, void *data)
990{
991 int rc = 0;
992 char *options = data;
993 struct security_mnt_opts opts;
994
995 security_init_mnt_opts(&opts);
996
997 if (!data)
998 goto out;
999
1000 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1001
1002 rc = selinux_parse_opts_str(options, &opts);
1003 if (rc)
1004 goto out_err;
1005
1006out:
1007 rc = selinux_set_mnt_opts(sb, &opts);
1008
1009out_err:
1010 security_free_mnt_opts(&opts);
1011 return rc;
1012}
1da177e4 1013
3583a711
AB		 1014static void selinux_write_opts(struct seq_file *m,
1015 struct security_mnt_opts *opts)
2069f457
EP		 1016{
1017 int i;
1018 char *prefix;
1019
1020 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1021 char *has_comma;
1022
1023 if (opts->mnt_opts[i])
1024 has_comma = strchr(opts->mnt_opts[i], ',');
1025 else
1026 has_comma = NULL;
2069f457
EP		 1027
1028 switch (opts->mnt_opts_flags[i]) {
1029 case CONTEXT_MNT:
1030 prefix = CONTEXT_STR;
1031 break;
1032 case FSCONTEXT_MNT:
1033 prefix = FSCONTEXT_STR;
1034 break;
1035 case ROOTCONTEXT_MNT:
1036 prefix = ROOTCONTEXT_STR;
1037 break;
1038 case DEFCONTEXT_MNT:
1039 prefix = DEFCONTEXT_STR;
1040 break;
11689d47
DQ		 1041 case SE_SBLABELSUPP:
1042 seq_putc(m, ',');
1043 seq_puts(m, LABELSUPP_STR);
1044 continue;
2069f457
EP		 1045 default:
1046 BUG();
1047 };
1048 /* we need a comma before each option */
1049 seq_putc(m, ',');
1050 seq_puts(m, prefix);
1051 if (has_comma)
1052 seq_putc(m, '\"');
1053 seq_puts(m, opts->mnt_opts[i]);
1054 if (has_comma)
1055 seq_putc(m, '\"');
1056 }
1057}
1058
1059static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1060{
1061 struct security_mnt_opts opts;
1062 int rc;
1063
1064 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1065 if (rc) {
1066 /* before policy load we may get EINVAL, don't show anything */
1067 if (rc == -EINVAL)
1068 rc = 0;
2069f457 1069 return rc;
383795c2 1070 }
2069f457
EP		 1071
1072 selinux_write_opts(m, &opts);
1073
1074 security_free_mnt_opts(&opts);
1075
1076 return rc;
1077}
1078
1da177e4
LT		 1079static inline u16 inode_mode_to_security_class(umode_t mode)
1080{
1081 switch (mode & S_IFMT) {
1082 case S_IFSOCK:
1083 return SECCLASS_SOCK_FILE;
1084 case S_IFLNK:
1085 return SECCLASS_LNK_FILE;
1086 case S_IFREG:
1087 return SECCLASS_FILE;
1088 case S_IFBLK:
1089 return SECCLASS_BLK_FILE;
1090 case S_IFDIR:
1091 return SECCLASS_DIR;
1092 case S_IFCHR:
1093 return SECCLASS_CHR_FILE;
1094 case S_IFIFO:
1095 return SECCLASS_FIFO_FILE;
1096
1097 }
1098
1099 return SECCLASS_FILE;
1100}
1101
13402580
JM		 1102static inline int default_protocol_stream(int protocol)
1103{
1104 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1105}
1106
1107static inline int default_protocol_dgram(int protocol)
1108{
1109 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1110}
1111
1da177e4
LT		 1112static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1113{
1114 switch (family) {
1115 case PF_UNIX:
1116 switch (type) {
1117 case SOCK_STREAM:
1118 case SOCK_SEQPACKET:
1119 return SECCLASS_UNIX_STREAM_SOCKET;
1120 case SOCK_DGRAM:
1121 return SECCLASS_UNIX_DGRAM_SOCKET;
1122 }
1123 break;
1124 case PF_INET:
1125 case PF_INET6:
1126 switch (type) {
1127 case SOCK_STREAM:
13402580
JM		 1128 if (default_protocol_stream(protocol))
1129 return SECCLASS_TCP_SOCKET;
1130 else
1131 return SECCLASS_RAWIP_SOCKET;
1da177e4 1132 case SOCK_DGRAM:
13402580
JM		 1133 if (default_protocol_dgram(protocol))
1134 return SECCLASS_UDP_SOCKET;
1135 else
1136 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1137 case SOCK_DCCP:
1138 return SECCLASS_DCCP_SOCKET;
13402580 1139 default:
1da177e4
LT		 1140 return SECCLASS_RAWIP_SOCKET;
1141 }
1142 break;
1143 case PF_NETLINK:
1144 switch (protocol) {
1145 case NETLINK_ROUTE:
1146 return SECCLASS_NETLINK_ROUTE_SOCKET;
1147 case NETLINK_FIREWALL:
1148 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 1149 case NETLINK_INET_DIAG:
1da177e4
LT		 1150 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1151 case NETLINK_NFLOG:
1152 return SECCLASS_NETLINK_NFLOG_SOCKET;
1153 case NETLINK_XFRM:
1154 return SECCLASS_NETLINK_XFRM_SOCKET;
1155 case NETLINK_SELINUX:
1156 return SECCLASS_NETLINK_SELINUX_SOCKET;
1157 case NETLINK_AUDIT:
1158 return SECCLASS_NETLINK_AUDIT_SOCKET;
1159 case NETLINK_IP6_FW:
1160 return SECCLASS_NETLINK_IP6FW_SOCKET;
1161 case NETLINK_DNRTMSG:
1162 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1163 case NETLINK_KOBJECT_UEVENT:
1164 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1165 default:
1166 return SECCLASS_NETLINK_SOCKET;
1167 }
1168 case PF_PACKET:
1169 return SECCLASS_PACKET_SOCKET;
1170 case PF_KEY:
1171 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1172 case PF_APPLETALK:
1173 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1174 }
1175
1176 return SECCLASS_SOCKET;
1177}
1178
1179#ifdef CONFIG_PROC_FS
1180static int selinux_proc_get_sid(struct proc_dir_entry *de,
1181 u16 tclass,
1182 u32 *sid)
1183{
1184 int buflen, rc;
1185 char *buffer, *path, *end;
1186
828dfe1d 1187 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1188 if (!buffer)
1189 return -ENOMEM;
1190
1191 buflen = PAGE_SIZE;
1192 end = buffer+buflen;
1193 *--end = '\0';
1194 buflen--;
1195 path = end-1;
1196 *path = '/';
1197 while (de && de != de->parent) {
1198 buflen -= de->namelen + 1;
1199 if (buflen < 0)
1200 break;
1201 end -= de->namelen;
1202 memcpy(end, de->name, de->namelen);
1203 *--end = '/';
1204 path = end;
1205 de = de->parent;
1206 }
1207 rc = security_genfs_sid("proc", path, tclass, sid);
1208 free_page((unsigned long)buffer);
1209 return rc;
1210}
1211#else
1212static int selinux_proc_get_sid(struct proc_dir_entry *de,
1213 u16 tclass,
1214 u32 *sid)
1215{
1216 return -EINVAL;
1217}
1218#endif
1219
1220/* The inode's security attributes must be initialized before first use. */
1221static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1222{
1223 struct superblock_security_struct *sbsec = NULL;
1224 struct inode_security_struct *isec = inode->i_security;
1225 u32 sid;
1226 struct dentry *dentry;
1227#define INITCONTEXTLEN 255
1228 char *context = NULL;
1229 unsigned len = 0;
1230 int rc = 0;
1da177e4
LT		 1231
1232 if (isec->initialized)
1233 goto out;
1234
23970741 1235 mutex_lock(&isec->lock);
1da177e4 1236 if (isec->initialized)
23970741 1237 goto out_unlock;
1da177e4
LT		 1238
1239 sbsec = inode->i_sb->s_security;
0d90a7ec 1240 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1241 /* Defer initialization until selinux_complete_init,
1242 after the initial policy is loaded and the security
1243 server is ready to handle calls. */
1244 spin_lock(&sbsec->isec_lock);
1245 if (list_empty(&isec->list))
1246 list_add(&isec->list, &sbsec->isec_head);
1247 spin_unlock(&sbsec->isec_lock);
23970741 1248 goto out_unlock;
1da177e4
LT		 1249 }
1250
1251 switch (sbsec->behavior) {
1252 case SECURITY_FS_USE_XATTR:
1253 if (!inode->i_op->getxattr) {
1254 isec->sid = sbsec->def_sid;
1255 break;
1256 }
1257
1258 /* Need a dentry, since the xattr API requires one.
1259 Life would be simpler if we could just pass the inode. */
1260 if (opt_dentry) {
1261 /* Called from d_instantiate or d_splice_alias. */
1262 dentry = dget(opt_dentry);
1263 } else {
1264 /* Called from selinux_complete_init, try to find a dentry. */
1265 dentry = d_find_alias(inode);
1266 }
1267 if (!dentry) {
df7f54c0
EP		 1268 /*
1269 * this is can be hit on boot when a file is accessed
1270 * before the policy is loaded. When we load policy we
1271 * may find inodes that have no dentry on the
1272 * sbsec->isec_head list. No reason to complain as these
1273 * will get fixed up the next time we go through
1274 * inode_doinit with a dentry, before these inodes could
1275 * be used again by userspace.
1276 */
23970741 1277 goto out_unlock;
1da177e4
LT		 1278 }
1279
1280 len = INITCONTEXTLEN;
4cb912f1 1281 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1282 if (!context) {
1283 rc = -ENOMEM;
1284 dput(dentry);
23970741 1285 goto out_unlock;
1da177e4 1286 }
4cb912f1 1287 context[len] = '\0';
1da177e4
LT		 1288 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1289 context, len);
1290 if (rc == -ERANGE) {
314dabb8
JM		 1291 kfree(context);
1292
1da177e4
LT		 1293 /* Need a larger buffer. Query for the right size. */
1294 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1295 NULL, 0);
1296 if (rc < 0) {
1297 dput(dentry);
23970741 1298 goto out_unlock;
1da177e4 1299 }
1da177e4 1300 len = rc;
4cb912f1 1301 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1302 if (!context) {
1303 rc = -ENOMEM;
1304 dput(dentry);
23970741 1305 goto out_unlock;
1da177e4 1306 }
4cb912f1 1307 context[len] = '\0';
1da177e4
LT		 1308 rc = inode->i_op->getxattr(dentry,
1309 XATTR_NAME_SELINUX,
1310 context, len);
1311 }
1312 dput(dentry);
1313 if (rc < 0) {
1314 if (rc != -ENODATA) {
744ba35e 1315 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1316 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1317 -rc, inode->i_sb->s_id, inode->i_ino);
1318 kfree(context);
23970741 1319 goto out_unlock;
1da177e4
LT		 1320 }
1321 /* Map ENODATA to the default file SID */
1322 sid = sbsec->def_sid;
1323 rc = 0;
1324 } else {
f5c1d5b2 1325 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1326 sbsec->def_sid,
1327 GFP_NOFS);
1da177e4 1328 if (rc) {
4ba0a8ad
EP		 1329 char *dev = inode->i_sb->s_id;
1330 unsigned long ino = inode->i_ino;
1331
1332 if (rc == -EINVAL) {
1333 if (printk_ratelimit())
1334 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1335 "context=%s. This indicates you may need to relabel the inode or the "
1336 "filesystem in question.\n", ino, dev, context);
1337 } else {
1338 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1339 "returned %d for dev=%s ino=%ld\n",
1340 __func__, context, -rc, dev, ino);
1341 }
1da177e4
LT		 1342 kfree(context);
1343 /* Leave with the unlabeled SID */
1344 rc = 0;
1345 break;
1346 }
1347 }
1348 kfree(context);
1349 isec->sid = sid;
1350 break;
1351 case SECURITY_FS_USE_TASK:
1352 isec->sid = isec->task_sid;
1353 break;
1354 case SECURITY_FS_USE_TRANS:
1355 /* Default to the fs SID. */
1356 isec->sid = sbsec->sid;
1357
1358 /* Try to obtain a transition SID. */
1359 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1360 rc = security_transition_sid(isec->task_sid,
1361 sbsec->sid,
1362 isec->sclass,
1363 &sid);
1364 if (rc)
23970741 1365 goto out_unlock;
1da177e4
LT		 1366 isec->sid = sid;
1367 break;
c312feb2
EP		 1368 case SECURITY_FS_USE_MNTPOINT:
1369 isec->sid = sbsec->mntpoint_sid;
1370 break;
1da177e4 1371 default:
c312feb2 1372 /* Default to the fs superblock SID. */
1da177e4
LT		 1373 isec->sid = sbsec->sid;
1374
0d90a7ec 1375 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1da177e4
LT		 1376 struct proc_inode *proci = PROC_I(inode);
1377 if (proci->pde) {
1378 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1379 rc = selinux_proc_get_sid(proci->pde,
1380 isec->sclass,
1381 &sid);
1382 if (rc)
23970741 1383 goto out_unlock;
1da177e4
LT		 1384 isec->sid = sid;
1385 }
1386 }
1387 break;
1388 }
1389
1390 isec->initialized = 1;
1391
23970741
EP		 1392out_unlock:
1393 mutex_unlock(&isec->lock);
1da177e4
LT		 1394out:
1395 if (isec->sclass == SECCLASS_FILE)
1396 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1397 return rc;
1398}
1399
1400/* Convert a Linux signal to an access vector. */
1401static inline u32 signal_to_av(int sig)
1402{
1403 u32 perm = 0;
1404
1405 switch (sig) {
1406 case SIGCHLD:
1407 /* Commonly granted from child to parent. */
1408 perm = PROCESS__SIGCHLD;
1409 break;
1410 case SIGKILL:
1411 /* Cannot be caught or ignored */
1412 perm = PROCESS__SIGKILL;
1413 break;
1414 case SIGSTOP:
1415 /* Cannot be caught or ignored */
1416 perm = PROCESS__SIGSTOP;
1417 break;
1418 default:
1419 /* All other signals. */
1420 perm = PROCESS__SIGNAL;
1421 break;
1422 }
1423
1424 return perm;
1425}
1426
d84f4f99
DH		 1427/*
1428 * Check permission between a pair of credentials
1429 * fork check, ptrace check, etc.
1430 */
1431static int cred_has_perm(const struct cred *actor,
1432 const struct cred *target,
1433 u32 perms)
1434{
1435 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1436
1437 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1438}
1439
275bb41e 1440/*
88e67f3b 1441 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1442 * fork check, ptrace check, etc.
1443 * tsk1 is the actor and tsk2 is the target
3b11a1de 1444 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1445 */
1446static int task_has_perm(const struct task_struct *tsk1,
1447 const struct task_struct *tsk2,
1da177e4
LT		 1448 u32 perms)
1449{
275bb41e
DH		 1450 const struct task_security_struct *__tsec1, *__tsec2;
1451 u32 sid1, sid2;
1da177e4 1452
275bb41e
DH		 1453 rcu_read_lock();
1454 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1455 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1456 rcu_read_unlock();
1457 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1458}
1459
3b11a1de
DH		 1460/*
1461 * Check permission between current and another task, e.g. signal checks,
1462 * fork check, ptrace check, etc.
1463 * current is the actor and tsk2 is the target
1464 * - this uses current's subjective creds
1465 */
1466static int current_has_perm(const struct task_struct *tsk,
1467 u32 perms)
1468{
1469 u32 sid, tsid;
1470
1471 sid = current_sid();
1472 tsid = task_sid(tsk);
1473 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1474}
1475
b68e418c
SS		 1476#if CAP_LAST_CAP > 63
1477#error Fix SELinux to handle capabilities > 63.
1478#endif
1479
1da177e4
LT		 1480/* Check whether a task is allowed to use a capability. */
1481static int task_has_capability(struct task_struct *tsk,
3699c53c 1482 const struct cred *cred,
06112163 1483 int cap, int audit)
1da177e4 1484{
2bf49690 1485 struct common_audit_data ad;
06112163 1486 struct av_decision avd;
b68e418c 1487 u16 sclass;
3699c53c 1488 u32 sid = cred_sid(cred);
b68e418c 1489 u32 av = CAP_TO_MASK(cap);
06112163 1490 int rc;
1da177e4 1491
2bf49690 1492 COMMON_AUDIT_DATA_INIT(&ad, CAP);
1da177e4
LT		 1493 ad.tsk = tsk;
1494 ad.u.cap = cap;
1495
b68e418c
SS		 1496 switch (CAP_TO_INDEX(cap)) {
1497 case 0:
1498 sclass = SECCLASS_CAPABILITY;
1499 break;
1500 case 1:
1501 sclass = SECCLASS_CAPABILITY2;
1502 break;
1503 default:
1504 printk(KERN_ERR
1505 "SELinux: out of range capability %d\n", cap);
1506 BUG();
1507 }
06112163 1508
275bb41e 1509 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
06112163 1510 if (audit == SECURITY_CAP_AUDIT)
275bb41e 1511 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
06112163 1512 return rc;
1da177e4
LT		 1513}
1514
1515/* Check whether a task is allowed to use a system operation. */
1516static int task_has_system(struct task_struct *tsk,
1517 u32 perms)
1518{
275bb41e 1519 u32 sid = task_sid(tsk);
1da177e4 1520
275bb41e 1521 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1522 SECCLASS_SYSTEM, perms, NULL);
1523}
1524
1525/* Check whether a task has a particular permission to an inode.
1526 The 'adp' parameter is optional and allows other audit
1527 data to be passed (e.g. the dentry). */
88e67f3b 1528static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1529 struct inode *inode,
1530 u32 perms,
2bf49690 1531 struct common_audit_data *adp)
1da177e4 1532{
1da177e4 1533 struct inode_security_struct *isec;
2bf49690 1534 struct common_audit_data ad;
275bb41e 1535 u32 sid;
1da177e4 1536
e0e81739
DH		 1537 validate_creds(cred);
1538
828dfe1d 1539 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1540 return 0;
1541
88e67f3b 1542 sid = cred_sid(cred);
1da177e4
LT		 1543 isec = inode->i_security;
1544
1545 if (!adp) {
1546 adp = &ad;
2bf49690 1547 COMMON_AUDIT_DATA_INIT(&ad, FS);
1da177e4
LT		 1548 ad.u.fs.inode = inode;
1549 }
1550
275bb41e 1551 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1552}
1553
1554/* Same as inode_has_perm, but pass explicit audit data containing
1555 the dentry to help the auditing code to more easily generate the
1556 pathname if needed. */
88e67f3b 1557static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1558 struct vfsmount *mnt,
1559 struct dentry *dentry,
1560 u32 av)
1561{
1562 struct inode *inode = dentry->d_inode;
2bf49690 1563 struct common_audit_data ad;
88e67f3b 1564
2bf49690 1565 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf
JB		 1566 ad.u.fs.path.mnt = mnt;
1567 ad.u.fs.path.dentry = dentry;
88e67f3b 1568 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1569}
1570
1571/* Check whether a task can use an open file descriptor to
1572 access an inode in a given way. Check access to the
1573 descriptor itself, and then use dentry_has_perm to
1574 check a particular permission to the file.
1575 Access to the descriptor is implicitly granted if it
1576 has the same SID as the process. If av is zero, then
1577 access to the file is not checked, e.g. for cases
1578 where only the descriptor is affected like seek. */
88e67f3b
DH		 1579static int file_has_perm(const struct cred *cred,
1580 struct file *file,
1581 u32 av)
1da177e4 1582{
1da177e4 1583 struct file_security_struct *fsec = file->f_security;
44707fdf 1584 struct inode *inode = file->f_path.dentry->d_inode;
2bf49690 1585 struct common_audit_data ad;
88e67f3b 1586 u32 sid = cred_sid(cred);
1da177e4
LT		 1587 int rc;
1588
2bf49690 1589 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1590 ad.u.fs.path = file->f_path;
1da177e4 1591
275bb41e
DH		 1592 if (sid != fsec->sid) {
1593 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1594 SECCLASS_FD,
1595 FD__USE,
1596 &ad);
1597 if (rc)
88e67f3b 1598 goto out;
1da177e4
LT		 1599 }
1600
1601 /* av is zero if only checking access to the descriptor. */
88e67f3b 1602 rc = 0;
1da177e4 1603 if (av)
88e67f3b 1604 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1605
88e67f3b
DH		 1606out:
1607 return rc;
1da177e4
LT		 1608}
1609
1610/* Check whether a task can create a file. */
1611static int may_create(struct inode *dir,
1612 struct dentry *dentry,
1613 u16 tclass)
1614{
275bb41e
DH		 1615 const struct cred *cred = current_cred();
1616 const struct task_security_struct *tsec = cred->security;
1da177e4
LT		 1617 struct inode_security_struct *dsec;
1618 struct superblock_security_struct *sbsec;
275bb41e 1619 u32 sid, newsid;
2bf49690 1620 struct common_audit_data ad;
1da177e4
LT		 1621 int rc;
1622
1da177e4
LT		 1623 dsec = dir->i_security;
1624 sbsec = dir->i_sb->s_security;
1625
275bb41e
DH		 1626 sid = tsec->sid;
1627 newsid = tsec->create_sid;
1628
2bf49690 1629 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1630 ad.u.fs.path.dentry = dentry;
1da177e4 1631
275bb41e 1632 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1633 DIR__ADD_NAME | DIR__SEARCH,
1634 &ad);
1635 if (rc)
1636 return rc;
1637
cd89596f 1638 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
275bb41e 1639 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
1da177e4
LT		 1640 if (rc)
1641 return rc;
1642 }
1643
275bb41e 1644 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1645 if (rc)
1646 return rc;
1647
1648 return avc_has_perm(newsid, sbsec->sid,
1649 SECCLASS_FILESYSTEM,
1650 FILESYSTEM__ASSOCIATE, &ad);
1651}
1652
4eb582cf
ML		 1653/* Check whether a task can create a key. */
1654static int may_create_key(u32 ksid,
1655 struct task_struct *ctx)
1656{
275bb41e 1657 u32 sid = task_sid(ctx);
4eb582cf 1658
275bb41e 1659 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1660}
1661
828dfe1d
EP		 1662#define MAY_LINK 0
1663#define MAY_UNLINK 1
1664#define MAY_RMDIR 2
1da177e4
LT		 1665
1666/* Check whether a task can link, unlink, or rmdir a file/directory. */
1667static int may_link(struct inode *dir,
1668 struct dentry *dentry,
1669 int kind)
1670
1671{
1da177e4 1672 struct inode_security_struct *dsec, *isec;
2bf49690 1673 struct common_audit_data ad;
275bb41e 1674 u32 sid = current_sid();
1da177e4
LT		 1675 u32 av;
1676 int rc;
1677
1da177e4
LT		 1678 dsec = dir->i_security;
1679 isec = dentry->d_inode->i_security;
1680
2bf49690 1681 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1682 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1683
1684 av = DIR__SEARCH;
1685 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1686 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1687 if (rc)
1688 return rc;
1689
1690 switch (kind) {
1691 case MAY_LINK:
1692 av = FILE__LINK;
1693 break;
1694 case MAY_UNLINK:
1695 av = FILE__UNLINK;
1696 break;
1697 case MAY_RMDIR:
1698 av = DIR__RMDIR;
1699 break;
1700 default:
744ba35e
EP		 1701 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1702 __func__, kind);
1da177e4
LT		 1703 return 0;
1704 }
1705
275bb41e 1706 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1707 return rc;
1708}
1709
1710static inline int may_rename(struct inode *old_dir,
1711 struct dentry *old_dentry,
1712 struct inode *new_dir,
1713 struct dentry *new_dentry)
1714{
1da177e4 1715 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1716 struct common_audit_data ad;
275bb41e 1717 u32 sid = current_sid();
1da177e4
LT		 1718 u32 av;
1719 int old_is_dir, new_is_dir;
1720 int rc;
1721
1da177e4
LT		 1722 old_dsec = old_dir->i_security;
1723 old_isec = old_dentry->d_inode->i_security;
1724 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1725 new_dsec = new_dir->i_security;
1726
2bf49690 1727 COMMON_AUDIT_DATA_INIT(&ad, FS);
1da177e4 1728
44707fdf 1729 ad.u.fs.path.dentry = old_dentry;
275bb41e 1730 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1731 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1732 if (rc)
1733 return rc;
275bb41e 1734 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1735 old_isec->sclass, FILE__RENAME, &ad);
1736 if (rc)
1737 return rc;
1738 if (old_is_dir && new_dir != old_dir) {
275bb41e 1739 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1740 old_isec->sclass, DIR__REPARENT, &ad);
1741 if (rc)
1742 return rc;
1743 }
1744
44707fdf 1745 ad.u.fs.path.dentry = new_dentry;
1da177e4
LT		 1746 av = DIR__ADD_NAME | DIR__SEARCH;
1747 if (new_dentry->d_inode)
1748 av |= DIR__REMOVE_NAME;
275bb41e 1749 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1750 if (rc)
1751 return rc;
1752 if (new_dentry->d_inode) {
1753 new_isec = new_dentry->d_inode->i_security;
1754 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
275bb41e 1755 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1756 new_isec->sclass,
1757 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1758 if (rc)
1759 return rc;
1760 }
1761
1762 return 0;
1763}
1764
1765/* Check whether a task can perform a filesystem operation. */
88e67f3b 1766static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1767 struct super_block *sb,
1768 u32 perms,
2bf49690 1769 struct common_audit_data *ad)
1da177e4 1770{
1da177e4 1771 struct superblock_security_struct *sbsec;
88e67f3b 1772 u32 sid = cred_sid(cred);
1da177e4 1773
1da177e4 1774 sbsec = sb->s_security;
275bb41e 1775 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1776}
1777
1778/* Convert a Linux mode and permission mask to an access vector. */
1779static inline u32 file_mask_to_av(int mode, int mask)
1780{
1781 u32 av = 0;
1782
1783 if ((mode & S_IFMT) != S_IFDIR) {
1784 if (mask & MAY_EXEC)
1785 av |= FILE__EXECUTE;
1786 if (mask & MAY_READ)
1787 av |= FILE__READ;
1788
1789 if (mask & MAY_APPEND)
1790 av |= FILE__APPEND;
1791 else if (mask & MAY_WRITE)
1792 av |= FILE__WRITE;
1793
1794 } else {
1795 if (mask & MAY_EXEC)
1796 av |= DIR__SEARCH;
1797 if (mask & MAY_WRITE)
1798 av |= DIR__WRITE;
1799 if (mask & MAY_READ)
1800 av |= DIR__READ;
1801 }
1802
1803 return av;
1804}
1805
8b6a5a37
EP		 1806/* Convert a Linux file to an access vector. */
1807static inline u32 file_to_av(struct file *file)
1808{
1809 u32 av = 0;
1810
1811 if (file->f_mode & FMODE_READ)
1812 av |= FILE__READ;
1813 if (file->f_mode & FMODE_WRITE) {
1814 if (file->f_flags & O_APPEND)
1815 av |= FILE__APPEND;
1816 else
1817 av |= FILE__WRITE;
1818 }
1819 if (!av) {
1820 /*
1821 * Special file opened with flags 3 for ioctl-only use.
1822 */
1823 av = FILE__IOCTL;
1824 }
1825
1826 return av;
1827}
1828
b0c636b9 1829/*
8b6a5a37 1830 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 1831 * open permission.
1832 */
8b6a5a37 1833static inline u32 open_file_to_av(struct file *file)
b0c636b9 1834{
8b6a5a37 1835 u32 av = file_to_av(file);
b0c636b9
EP		 1836
1837 if (selinux_policycap_openperm) {
8b6a5a37 1838 mode_t mode = file->f_path.dentry->d_inode->i_mode;
b0c636b9
EP		 1839 /*
1840 * lnk files and socks do not really have an 'open'
1841 */
1842 if (S_ISREG(mode))
1843 av |= FILE__OPEN;
1844 else if (S_ISCHR(mode))
1845 av |= CHR_FILE__OPEN;
1846 else if (S_ISBLK(mode))
1847 av |= BLK_FILE__OPEN;
1848 else if (S_ISFIFO(mode))
1849 av |= FIFO_FILE__OPEN;
1850 else if (S_ISDIR(mode))
1851 av |= DIR__OPEN;
6a25b27d
EP		 1852 else if (S_ISSOCK(mode))
1853 av |= SOCK_FILE__OPEN;
b0c636b9 1854 else
744ba35e 1855 printk(KERN_ERR "SELinux: WARNING: inside %s with "
8b6a5a37 1856 "unknown mode:%o\n", __func__, mode);
b0c636b9
EP		 1857 }
1858 return av;
1859}
1860
1da177e4
LT		 1861/* Hook functions begin here. */
1862
9e48858f 1863static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 1864 unsigned int mode)
1da177e4 1865{
1da177e4
LT		 1866 int rc;
1867
9e48858f 1868 rc = cap_ptrace_access_check(child, mode);
1da177e4
LT		 1869 if (rc)
1870 return rc;
1871
006ebb40 1872 if (mode == PTRACE_MODE_READ) {
275bb41e
DH		 1873 u32 sid = current_sid();
1874 u32 csid = task_sid(child);
1875 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 1876 }
1877
3b11a1de 1878 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 1879}
1880
1881static int selinux_ptrace_traceme(struct task_struct *parent)
1882{
1883 int rc;
1884
200ac532 1885 rc = cap_ptrace_traceme(parent);
5cd9c58f
DH		 1886 if (rc)
1887 return rc;
1888
1889 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 1890}
1891
1892static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 1893 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4
LT		 1894{
1895 int error;
1896
3b11a1de 1897 error = current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 1898 if (error)
1899 return error;
1900
200ac532 1901 return cap_capget(target, effective, inheritable, permitted);
1da177e4
LT		 1902}
1903
d84f4f99
DH		 1904static int selinux_capset(struct cred *new, const struct cred *old,
1905 const kernel_cap_t *effective,
1906 const kernel_cap_t *inheritable,
1907 const kernel_cap_t *permitted)
1da177e4
LT		 1908{
1909 int error;
1910
200ac532 1911 error = cap_capset(new, old,
d84f4f99 1912 effective, inheritable, permitted);
1da177e4
LT		 1913 if (error)
1914 return error;
1915
d84f4f99 1916 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 1917}
1918
5626d3e8
JM		 1919/*
1920 * (This comment used to live with the selinux_task_setuid hook,
1921 * which was removed).
1922 *
1923 * Since setuid only affects the current process, and since the SELinux
1924 * controls are not based on the Linux identity attributes, SELinux does not
1925 * need to control this operation. However, SELinux does control the use of
1926 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1927 */
1928
3699c53c
DH		 1929static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1930 int cap, int audit)
1da177e4
LT		 1931{
1932 int rc;
1933
200ac532 1934 rc = cap_capable(tsk, cred, cap, audit);
1da177e4
LT		 1935 if (rc)
1936 return rc;
1937
3699c53c 1938 return task_has_capability(tsk, cred, cap, audit);
1da177e4
LT		 1939}
1940
3fbfa981
EB		 1941static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1942{
1943 int buflen, rc;
1944 char *buffer, *path, *end;
1945
1946 rc = -ENOMEM;
828dfe1d 1947 buffer = (char *)__get_free_page(GFP_KERNEL);
3fbfa981
EB		 1948 if (!buffer)
1949 goto out;
1950
1951 buflen = PAGE_SIZE;
1952 end = buffer+buflen;
1953 *--end = '\0';
1954 buflen--;
1955 path = end-1;
1956 *path = '/';
1957 while (table) {
1958 const char *name = table->procname;
1959 size_t namelen = strlen(name);
1960 buflen -= namelen + 1;
1961 if (buflen < 0)
1962 goto out_free;
1963 end -= namelen;
1964 memcpy(end, name, namelen);
1965 *--end = '/';
1966 path = end;
1967 table = table->parent;
1968 }
b599fdfd
EB		 1969 buflen -= 4;
1970 if (buflen < 0)
1971 goto out_free;
1972 end -= 4;
1973 memcpy(end, "/sys", 4);
1974 path = end;
3fbfa981
EB		 1975 rc = security_genfs_sid("proc", path, tclass, sid);
1976out_free:
1977 free_page((unsigned long)buffer);
1978out:
1979 return rc;
1980}
1981
1da177e4
LT		 1982static int selinux_sysctl(ctl_table *table, int op)
1983{
1984 int error = 0;
1985 u32 av;
275bb41e 1986 u32 tsid, sid;
1da177e4
LT		 1987 int rc;
1988
275bb41e 1989 sid = current_sid();
1da177e4 1990
3fbfa981
EB		 1991 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1992 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1da177e4
LT		 1993 if (rc) {
1994 /* Default to the well-defined sysctl SID. */
1995 tsid = SECINITSID_SYSCTL;
1996 }
1997
1998 /* The op values are "defined" in sysctl.c, thereby creating
1999 * a bad coupling between this module and sysctl.c */
828dfe1d 2000 if (op == 001) {
275bb41e 2001 error = avc_has_perm(sid, tsid,
1da177e4
LT		 2002 SECCLASS_DIR, DIR__SEARCH, NULL);
2003 } else {
2004 av = 0;
2005 if (op & 004)
2006 av |= FILE__READ;
2007 if (op & 002)
2008 av |= FILE__WRITE;
2009 if (av)
275bb41e 2010 error = avc_has_perm(sid, tsid,
1da177e4 2011 SECCLASS_FILE, av, NULL);
828dfe1d 2012 }
1da177e4
LT		 2013
2014 return error;
2015}
2016
2017static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2018{
88e67f3b 2019 const struct cred *cred = current_cred();
1da177e4
LT		 2020 int rc = 0;
2021
2022 if (!sb)
2023 return 0;
2024
2025 switch (cmds) {
828dfe1d
EP		 2026 case Q_SYNC:
2027 case Q_QUOTAON:
2028 case Q_QUOTAOFF:
2029 case Q_SETINFO:
2030 case Q_SETQUOTA:
88e67f3b 2031 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2032 break;
2033 case Q_GETFMT:
2034 case Q_GETINFO:
2035 case Q_GETQUOTA:
88e67f3b 2036 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2037 break;
2038 default:
2039 rc = 0; /* let the kernel handle invalid cmds */
2040 break;
1da177e4
LT		 2041 }
2042 return rc;
2043}
2044
2045static int selinux_quota_on(struct dentry *dentry)
2046{
88e67f3b
DH		 2047 const struct cred *cred = current_cred();
2048
2049 return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1da177e4
LT		 2050}
2051
2052static int selinux_syslog(int type)
2053{
2054 int rc;
2055
200ac532 2056 rc = cap_syslog(type);
1da177e4
LT		 2057 if (rc)
2058 return rc;
2059
2060 switch (type) {
828dfe1d
EP		 2061 case 3: /* Read last kernel messages */
2062 case 10: /* Return size of the log buffer */
2063 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2064 break;
2065 case 6: /* Disable logging to console */
2066 case 7: /* Enable logging to console */
2067 case 8: /* Set level of messages printed to console */
2068 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2069 break;
2070 case 0: /* Close log */
2071 case 1: /* Open log */
2072 case 2: /* Read from log */
2073 case 4: /* Read/clear last kernel messages */
2074 case 5: /* Clear ring buffer */
2075 default:
2076 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2077 break;
1da177e4
LT		 2078 }
2079 return rc;
2080}
2081
2082/*
2083 * Check that a process has enough memory to allocate a new virtual
2084 * mapping. 0 means there is enough memory for the allocation to
2085 * succeed and -ENOMEM implies there is not.
2086 *
1da177e4
LT		 2087 * Do not audit the selinux permission check, as this is applied to all
2088 * processes that allocate mappings.
2089 */
34b4e4aa 2090static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2091{
2092 int rc, cap_sys_admin = 0;
1da177e4 2093
3699c53c
DH		 2094 rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
2095 SECURITY_CAP_NOAUDIT);
1da177e4
LT		 2096 if (rc == 0)
2097 cap_sys_admin = 1;
2098
34b4e4aa 2099 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 2100}
2101
2102/* binprm security operations */
2103
a6f76f23 2104static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2105{
a6f76f23
DH		 2106 const struct task_security_struct *old_tsec;
2107 struct task_security_struct *new_tsec;
1da177e4 2108 struct inode_security_struct *isec;
2bf49690 2109 struct common_audit_data ad;
a6f76f23 2110 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1da177e4
LT		 2111 int rc;
2112
200ac532 2113 rc = cap_bprm_set_creds(bprm);
1da177e4
LT		 2114 if (rc)
2115 return rc;
2116
a6f76f23
DH		 2117 /* SELinux context only depends on initial program or script and not
2118 * the script interpreter */
2119 if (bprm->cred_prepared)
1da177e4
LT		 2120 return 0;
2121
a6f76f23
DH		 2122 old_tsec = current_security();
2123 new_tsec = bprm->cred->security;
1da177e4
LT		 2124 isec = inode->i_security;
2125
2126 /* Default to the current task SID. */
a6f76f23
DH		 2127 new_tsec->sid = old_tsec->sid;
2128 new_tsec->osid = old_tsec->sid;
1da177e4 2129
28eba5bf 2130 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2131 new_tsec->create_sid = 0;
2132 new_tsec->keycreate_sid = 0;
2133 new_tsec->sockcreate_sid = 0;
1da177e4 2134
a6f76f23
DH		 2135 if (old_tsec->exec_sid) {
2136 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2137 /* Reset exec SID on execve. */
a6f76f23 2138 new_tsec->exec_sid = 0;
1da177e4
LT		 2139 } else {
2140 /* Check for a default transition on this program. */
a6f76f23
DH		 2141 rc = security_transition_sid(old_tsec->sid, isec->sid,
2142 SECCLASS_PROCESS, &new_tsec->sid);
1da177e4
LT		 2143 if (rc)
2144 return rc;
2145 }
2146
2bf49690 2147 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2148 ad.u.fs.path = bprm->file->f_path;
1da177e4 2149
3d5ff529 2150 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
a6f76f23 2151 new_tsec->sid = old_tsec->sid;
1da177e4 2152
a6f76f23
DH		 2153 if (new_tsec->sid == old_tsec->sid) {
2154 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2155 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2156 if (rc)
2157 return rc;
2158 } else {
2159 /* Check permissions for the transition. */
a6f76f23 2160 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2161 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2162 if (rc)
2163 return rc;
2164
a6f76f23 2165 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2166 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2167 if (rc)
2168 return rc;
2169
a6f76f23
DH		 2170 /* Check for shared state */
2171 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2172 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2173 SECCLASS_PROCESS, PROCESS__SHARE,
2174 NULL);
2175 if (rc)
2176 return -EPERM;
2177 }
2178
2179 /* Make sure that anyone attempting to ptrace over a task that
2180 * changes its SID has the appropriate permit */
2181 if (bprm->unsafe &
2182 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2183 struct task_struct *tracer;
2184 struct task_security_struct *sec;
2185 u32 ptsid = 0;
2186
2187 rcu_read_lock();
2188 tracer = tracehook_tracer_task(current);
2189 if (likely(tracer != NULL)) {
2190 sec = __task_cred(tracer)->security;
2191 ptsid = sec->sid;
2192 }
2193 rcu_read_unlock();
2194
2195 if (ptsid != 0) {
2196 rc = avc_has_perm(ptsid, new_tsec->sid,
2197 SECCLASS_PROCESS,
2198 PROCESS__PTRACE, NULL);
2199 if (rc)
2200 return -EPERM;
2201 }
2202 }
1da177e4 2203
a6f76f23
DH		 2204 /* Clear any possibly unsafe personality bits on exec: */
2205 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2206 }
2207
1da177e4
LT		 2208 return 0;
2209}
2210
828dfe1d 2211static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2212{
275bb41e
DH		 2213 const struct cred *cred = current_cred();
2214 const struct task_security_struct *tsec = cred->security;
2215 u32 sid, osid;
1da177e4
LT		 2216 int atsecure = 0;
2217
275bb41e
DH		 2218 sid = tsec->sid;
2219 osid = tsec->osid;
2220
2221 if (osid != sid) {
1da177e4
LT		 2222 /* Enable secure mode for SIDs transitions unless
2223 the noatsecure permission is granted between
2224 the two SIDs, i.e. ahp returns 0. */
275bb41e 2225 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2226 SECCLASS_PROCESS,
2227 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2228 }
2229
200ac532 2230 return (atsecure || cap_bprm_secureexec(bprm));
1da177e4
LT		 2231}
2232
1da177e4
LT		 2233extern struct vfsmount *selinuxfs_mount;
2234extern struct dentry *selinux_null;
2235
2236/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2237static inline void flush_unauthorized_files(const struct cred *cred,
2238 struct files_struct *files)
1da177e4 2239{
2bf49690 2240 struct common_audit_data ad;
1da177e4 2241 struct file *file, *devnull = NULL;
b20c8122 2242 struct tty_struct *tty;
badf1662 2243 struct fdtable *fdt;
1da177e4 2244 long j = -1;
24ec839c 2245 int drop_tty = 0;
1da177e4 2246
24ec839c 2247 tty = get_current_tty();
1da177e4
LT		 2248 if (tty) {
2249 file_list_lock();
37dd0bd0
EP		 2250 if (!list_empty(&tty->tty_files)) {
2251 struct inode *inode;
2252
1da177e4
LT		 2253 /* Revalidate access to controlling tty.
2254 Use inode_has_perm on the tty inode directly rather
2255 than using file_has_perm, as this particular open
2256 file may belong to another process and we are only
2257 interested in the inode-based check here. */
37dd0bd0
EP		 2258 file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list);
2259 inode = file->f_path.dentry->d_inode;
88e67f3b 2260 if (inode_has_perm(cred, inode,
1da177e4 2261 FILE__READ | FILE__WRITE, NULL)) {
24ec839c 2262 drop_tty = 1;
1da177e4
LT		 2263 }
2264 }
2265 file_list_unlock();
452a00d2 2266 tty_kref_put(tty);
1da177e4 2267 }
98a27ba4
EB		 2268 /* Reset controlling tty. */
2269 if (drop_tty)
2270 no_tty();
1da177e4
LT		 2271
2272 /* Revalidate access to inherited open files. */
2273
2bf49690 2274 COMMON_AUDIT_DATA_INIT(&ad, FS);
1da177e4
LT		 2275
2276 spin_lock(&files->file_lock);
2277 for (;;) {
2278 unsigned long set, i;
2279 int fd;
2280
2281 j++;
2282 i = j * __NFDBITS;
badf1662 2283 fdt = files_fdtable(files);
bbea9f69 2284 if (i >= fdt->max_fds)
1da177e4 2285 break;
badf1662 2286 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 2287 if (!set)
2288 continue;
2289 spin_unlock(&files->file_lock);
828dfe1d 2290 for ( ; set ; i++, set >>= 1) {
1da177e4
LT		 2291 if (set & 1) {
2292 file = fget(i);
2293 if (!file)
2294 continue;
88e67f3b 2295 if (file_has_perm(cred,
1da177e4
LT		 2296 file,
2297 file_to_av(file))) {
2298 sys_close(i);
2299 fd = get_unused_fd();
2300 if (fd != i) {
2301 if (fd >= 0)
2302 put_unused_fd(fd);
2303 fput(file);
2304 continue;
2305 }
2306 if (devnull) {
095975da 2307 get_file(devnull);
1da177e4 2308 } else {
745ca247
DH		 2309 devnull = dentry_open(
2310 dget(selinux_null),
2311 mntget(selinuxfs_mount),
2312 O_RDWR, cred);
fc5d81e6
AM		 2313 if (IS_ERR(devnull)) {
2314 devnull = NULL;
1da177e4
LT		 2315 put_unused_fd(fd);
2316 fput(file);
2317 continue;
2318 }
2319 }
2320 fd_install(fd, devnull);
2321 }
2322 fput(file);
2323 }
2324 }
2325 spin_lock(&files->file_lock);
2326
2327 }
2328 spin_unlock(&files->file_lock);
2329}
2330
a6f76f23
DH		 2331/*
2332 * Prepare a process for imminent new credential changes due to exec
2333 */
2334static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2335{
a6f76f23
DH		 2336 struct task_security_struct *new_tsec;
2337 struct rlimit *rlim, *initrlim;
2338 int rc, i;
d84f4f99 2339
a6f76f23
DH		 2340 new_tsec = bprm->cred->security;
2341 if (new_tsec->sid == new_tsec->osid)
2342 return;
1da177e4 2343
a6f76f23
DH		 2344 /* Close files for which the new task SID is not authorized. */
2345 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2346
a6f76f23
DH		 2347 /* Always clear parent death signal on SID transitions. */
2348 current->pdeath_signal = 0;
0356357c 2349
a6f76f23
DH		 2350 /* Check whether the new SID can inherit resource limits from the old
2351 * SID. If not, reset all soft limits to the lower of the current
2352 * task's hard limit and the init task's soft limit.
2353 *
2354 * Note that the setting of hard limits (even to lower them) can be
2355 * controlled by the setrlimit check. The inclusion of the init task's
2356 * soft limit into the computation is to avoid resetting soft limits
2357 * higher than the default soft limit for cases where the default is
2358 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2359 */
2360 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2361 PROCESS__RLIMITINH, NULL);
2362 if (rc) {
2363 for (i = 0; i < RLIM_NLIMITS; i++) {
2364 rlim = current->signal->rlim + i;
2365 initrlim = init_task.signal->rlim + i;
2366 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2367 }
a6f76f23 2368 update_rlimit_cpu(rlim->rlim_cur);
1da177e4
LT		 2369 }
2370}
2371
2372/*
a6f76f23
DH		 2373 * Clean up the process immediately after the installation of new credentials
2374 * due to exec
1da177e4 2375 */
a6f76f23 2376static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2377{
a6f76f23 2378 const struct task_security_struct *tsec = current_security();
1da177e4 2379 struct itimerval itimer;
a6f76f23 2380 u32 osid, sid;
1da177e4
LT		 2381 int rc, i;
2382
a6f76f23
DH		 2383 osid = tsec->osid;
2384 sid = tsec->sid;
2385
2386 if (sid == osid)
1da177e4
LT		 2387 return;
2388
a6f76f23
DH		 2389 /* Check whether the new SID can inherit signal state from the old SID.
2390 * If not, clear itimers to avoid subsequent signal generation and
2391 * flush and unblock signals.
2392 *
2393 * This must occur _after_ the task SID has been updated so that any
2394 * kill done after the flush will be checked against the new SID.
2395 */
2396 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4
LT		 2397 if (rc) {
2398 memset(&itimer, 0, sizeof itimer);
2399 for (i = 0; i < 3; i++)
2400 do_setitimer(i, &itimer, NULL);
1da177e4 2401 spin_lock_irq(&current->sighand->siglock);
3bcac026
DH		 2402 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2403 __flush_signals(current);
2404 flush_signal_handlers(current, 1);
2405 sigemptyset(&current->blocked);
2406 }
1da177e4
LT		 2407 spin_unlock_irq(&current->sighand->siglock);
2408 }
2409
a6f76f23
DH		 2410 /* Wake up the parent if it is waiting so that it can recheck
2411 * wait permission to the new task SID. */
ecd6de3c 2412 read_lock(&tasklist_lock);
0b7570e7 2413 __wake_up_parent(current, current->real_parent);
ecd6de3c 2414 read_unlock(&tasklist_lock);
1da177e4
LT		 2415}
2416
2417/* superblock security operations */
2418
2419static int selinux_sb_alloc_security(struct super_block *sb)
2420{
2421 return superblock_alloc_security(sb);
2422}
2423
2424static void selinux_sb_free_security(struct super_block *sb)
2425{
2426 superblock_free_security(sb);
2427}
2428
2429static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2430{
2431 if (plen > olen)
2432 return 0;
2433
2434 return !memcmp(prefix, option, plen);
2435}
2436
2437static inline int selinux_option(char *option, int len)
2438{
832cbd9a
EP		 2439 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2440 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2441 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2442 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2443 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2444}
2445
2446static inline void take_option(char **to, char *from, int *first, int len)
2447{
2448 if (!*first) {
2449 **to = ',';
2450 *to += 1;
3528a953 2451 } else
1da177e4
LT		 2452 *first = 0;
2453 memcpy(*to, from, len);
2454 *to += len;
2455}
2456
828dfe1d
EP		 2457static inline void take_selinux_option(char **to, char *from, int *first,
2458 int len)
3528a953
CO		 2459{
2460 int current_size = 0;
2461
2462 if (!*first) {
2463 **to = '|';
2464 *to += 1;
828dfe1d 2465 } else
3528a953
CO		 2466 *first = 0;
2467
2468 while (current_size < len) {
2469 if (*from != '"') {
2470 **to = *from;
2471 *to += 1;
2472 }
2473 from += 1;
2474 current_size += 1;
2475 }
2476}
2477
e0007529 2478static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2479{
2480 int fnosec, fsec, rc = 0;
2481 char *in_save, *in_curr, *in_end;
2482 char *sec_curr, *nosec_save, *nosec;
3528a953 2483 int open_quote = 0;
1da177e4
LT		 2484
2485 in_curr = orig;
2486 sec_curr = copy;
2487
1da177e4
LT		 2488 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2489 if (!nosec) {
2490 rc = -ENOMEM;
2491 goto out;
2492 }
2493
2494 nosec_save = nosec;
2495 fnosec = fsec = 1;
2496 in_save = in_end = orig;
2497
2498 do {
3528a953
CO		 2499 if (*in_end == '"')
2500 open_quote = !open_quote;
2501 if ((*in_end == ',' && open_quote == 0) ||
2502 *in_end == '\0') {
1da177e4
LT		 2503 int len = in_end - in_curr;
2504
2505 if (selinux_option(in_curr, len))
3528a953 2506 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2507 else
2508 take_option(&nosec, in_curr, &fnosec, len);
2509
2510 in_curr = in_end + 1;
2511 }
2512 } while (*in_end++);
2513
6931dfc9 2514 strcpy(in_save, nosec_save);
da3caa20 2515 free_page((unsigned long)nosec_save);
1da177e4
LT		 2516out:
2517 return rc;
2518}
2519
12204e24 2520static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2521{
88e67f3b 2522 const struct cred *cred = current_cred();
2bf49690 2523 struct common_audit_data ad;
1da177e4
LT		 2524 int rc;
2525
2526 rc = superblock_doinit(sb, data);
2527 if (rc)
2528 return rc;
2529
74192246
JM		 2530 /* Allow all mounts performed by the kernel */
2531 if (flags & MS_KERNMOUNT)
2532 return 0;
2533
2bf49690 2534 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2535 ad.u.fs.path.dentry = sb->s_root;
88e67f3b 2536 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2537}
2538
726c3342 2539static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2540{
88e67f3b 2541 const struct cred *cred = current_cred();
2bf49690 2542 struct common_audit_data ad;
1da177e4 2543
2bf49690 2544 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2545 ad.u.fs.path.dentry = dentry->d_sb->s_root;
88e67f3b 2546 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2547}
2548
828dfe1d 2549static int selinux_mount(char *dev_name,
b5266eb4 2550 struct path *path,
828dfe1d
EP		 2551 char *type,
2552 unsigned long flags,
2553 void *data)
1da177e4 2554{
88e67f3b 2555 const struct cred *cred = current_cred();
1da177e4
LT		 2556
2557 if (flags & MS_REMOUNT)
88e67f3b 2558 return superblock_has_perm(cred, path->mnt->mnt_sb,
828dfe1d 2559 FILESYSTEM__REMOUNT, NULL);
1da177e4 2560 else
88e67f3b 2561 return dentry_has_perm(cred, path->mnt, path->dentry,
828dfe1d 2562 FILE__MOUNTON);
1da177e4
LT		 2563}
2564
2565static int selinux_umount(struct vfsmount *mnt, int flags)
2566{
88e67f3b 2567 const struct cred *cred = current_cred();
1da177e4 2568
88e67f3b 2569 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2570 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2571}
2572
2573/* inode security operations */
2574
2575static int selinux_inode_alloc_security(struct inode *inode)
2576{
2577 return inode_alloc_security(inode);
2578}
2579
2580static void selinux_inode_free_security(struct inode *inode)
2581{
2582 inode_free_security(inode);
2583}
2584
5e41ff9e
SS		 2585static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2586 char **name, void **value,
2587 size_t *len)
2588{
275bb41e
DH		 2589 const struct cred *cred = current_cred();
2590 const struct task_security_struct *tsec = cred->security;
5e41ff9e
SS		 2591 struct inode_security_struct *dsec;
2592 struct superblock_security_struct *sbsec;
275bb41e 2593 u32 sid, newsid, clen;
5e41ff9e 2594 int rc;
570bc1c2 2595 char *namep = NULL, *context;
5e41ff9e 2596
5e41ff9e
SS		 2597 dsec = dir->i_security;
2598 sbsec = dir->i_sb->s_security;
5e41ff9e 2599
275bb41e
DH		 2600 sid = tsec->sid;
2601 newsid = tsec->create_sid;
2602
cd89596f 2603 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
275bb41e 2604 rc = security_transition_sid(sid, dsec->sid,
5e41ff9e
SS		 2605 inode_mode_to_security_class(inode->i_mode),
2606 &newsid);
2607 if (rc) {
2608 printk(KERN_WARNING "%s: "
2609 "security_transition_sid failed, rc=%d (dev=%s "
2610 "ino=%ld)\n",
dd6f953a 2611 __func__,
5e41ff9e
SS		 2612 -rc, inode->i_sb->s_id, inode->i_ino);
2613 return rc;
2614 }
2615 }
2616
296fddf7 2617 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2618 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2619 struct inode_security_struct *isec = inode->i_security;
2620 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2621 isec->sid = newsid;
2622 isec->initialized = 1;
2623 }
5e41ff9e 2624
cd89596f 2625 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
25a74f3b
SS		 2626 return -EOPNOTSUPP;
2627
570bc1c2 2628 if (name) {
a02fe132 2629 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
570bc1c2
SS		 2630 if (!namep)
2631 return -ENOMEM;
2632 *name = namep;
2633 }
5e41ff9e 2634
570bc1c2 2635 if (value && len) {
12b29f34 2636 rc = security_sid_to_context_force(newsid, &context, &clen);
570bc1c2
SS		 2637 if (rc) {
2638 kfree(namep);
2639 return rc;
2640 }
2641 *value = context;
2642 *len = clen;
5e41ff9e 2643 }
5e41ff9e 2644
5e41ff9e
SS		 2645 return 0;
2646}
2647
1da177e4
LT		 2648static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2649{
2650 return may_create(dir, dentry, SECCLASS_FILE);
2651}
2652
1da177e4
LT		 2653static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2654{
1da177e4
LT		 2655 return may_link(dir, old_dentry, MAY_LINK);
2656}
2657
1da177e4
LT		 2658static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2659{
1da177e4
LT		 2660 return may_link(dir, dentry, MAY_UNLINK);
2661}
2662
2663static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2664{
2665 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2666}
2667
1da177e4
LT		 2668static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2669{
2670 return may_create(dir, dentry, SECCLASS_DIR);
2671}
2672
1da177e4
LT		 2673static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2674{
2675 return may_link(dir, dentry, MAY_RMDIR);
2676}
2677
2678static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2679{
1da177e4
LT		 2680 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2681}
2682
1da177e4 2683static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2684 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2685{
2686 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2687}
2688
1da177e4
LT		 2689static int selinux_inode_readlink(struct dentry *dentry)
2690{
88e67f3b
DH		 2691 const struct cred *cred = current_cred();
2692
2693 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
1da177e4
LT		 2694}
2695
2696static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2697{
88e67f3b 2698 const struct cred *cred = current_cred();
1da177e4 2699
88e67f3b 2700 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
1da177e4
LT		 2701}
2702
b77b0646 2703static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2704{
88e67f3b 2705 const struct cred *cred = current_cred();
1da177e4
LT		 2706
2707 if (!mask) {
2708 /* No permission to check. Existence test. */
2709 return 0;
2710 }
2711
88e67f3b 2712 return inode_has_perm(cred, inode,
8b6a5a37 2713 file_mask_to_av(inode->i_mode, mask), NULL);
1da177e4
LT		 2714}
2715
2716static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2717{
88e67f3b 2718 const struct cred *cred = current_cred();
bc6a6008 2719 unsigned int ia_valid = iattr->ia_valid;
1da177e4 2720
bc6a6008
AW		 2721 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2722 if (ia_valid & ATTR_FORCE) {
2723 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2724 ATTR_FORCE);
2725 if (!ia_valid)
2726 return 0;
2727 }
1da177e4 2728
bc6a6008
AW		 2729 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2730 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
88e67f3b 2731 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
1da177e4 2732
88e67f3b 2733 return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
1da177e4
LT		 2734}
2735
2736static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2737{
88e67f3b
DH		 2738 const struct cred *cred = current_cred();
2739
2740 return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
1da177e4
LT		 2741}
2742
8f0cfa52 2743static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 2744{
88e67f3b
DH		 2745 const struct cred *cred = current_cred();
2746
b5376771
SH		 2747 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2748 sizeof XATTR_SECURITY_PREFIX - 1)) {
2749 if (!strcmp(name, XATTR_NAME_CAPS)) {
2750 if (!capable(CAP_SETFCAP))
2751 return -EPERM;
2752 } else if (!capable(CAP_SYS_ADMIN)) {
2753 /* A different attribute in the security namespace.
2754 Restrict to administrator. */
2755 return -EPERM;
2756 }
2757 }
2758
2759 /* Not an attribute we recognize, so just check the
2760 ordinary setattr permission. */
88e67f3b 2761 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
b5376771
SH		 2762}
2763
8f0cfa52
DH		 2764static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2765 const void *value, size_t size, int flags)
1da177e4 2766{
1da177e4
LT		 2767 struct inode *inode = dentry->d_inode;
2768 struct inode_security_struct *isec = inode->i_security;
2769 struct superblock_security_struct *sbsec;
2bf49690 2770 struct common_audit_data ad;
275bb41e 2771 u32 newsid, sid = current_sid();
1da177e4
LT		 2772 int rc = 0;
2773
b5376771
SH		 2774 if (strcmp(name, XATTR_NAME_SELINUX))
2775 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2776
2777 sbsec = inode->i_sb->s_security;
cd89596f 2778 if (!(sbsec->flags & SE_SBLABELSUPP))
1da177e4
LT		 2779 return -EOPNOTSUPP;
2780
3bd858ab 2781 if (!is_owner_or_cap(inode))
1da177e4
LT		 2782 return -EPERM;
2783
2bf49690 2784 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2785 ad.u.fs.path.dentry = dentry;
1da177e4 2786
275bb41e 2787 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 2788 FILE__RELABELFROM, &ad);
2789 if (rc)
2790 return rc;
2791
2792 rc = security_context_to_sid(value, size, &newsid);
12b29f34
SS		 2793 if (rc == -EINVAL) {
2794 if (!capable(CAP_MAC_ADMIN))
2795 return rc;
2796 rc = security_context_to_sid_force(value, size, &newsid);
2797 }
1da177e4
LT		 2798 if (rc)
2799 return rc;
2800
275bb41e 2801 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 2802 FILE__RELABELTO, &ad);
2803 if (rc)
2804 return rc;
2805
275bb41e 2806 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 2807 isec->sclass);
1da177e4
LT		 2808 if (rc)
2809 return rc;
2810
2811 return avc_has_perm(newsid,
2812 sbsec->sid,
2813 SECCLASS_FILESYSTEM,
2814 FILESYSTEM__ASSOCIATE,
2815 &ad);
2816}
2817
8f0cfa52 2818static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 2819 const void *value, size_t size,
8f0cfa52 2820 int flags)
1da177e4
LT		 2821{
2822 struct inode *inode = dentry->d_inode;
2823 struct inode_security_struct *isec = inode->i_security;
2824 u32 newsid;
2825 int rc;
2826
2827 if (strcmp(name, XATTR_NAME_SELINUX)) {
2828 /* Not an attribute we recognize, so nothing to do. */
2829 return;
2830 }
2831
12b29f34 2832 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 2833 if (rc) {
12b29f34
SS		 2834 printk(KERN_ERR "SELinux: unable to map context to SID"
2835 "for (%s, %lu), rc=%d\n",
2836 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 2837 return;
2838 }
2839
2840 isec->sid = newsid;
2841 return;
2842}
2843
8f0cfa52 2844static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 2845{
88e67f3b
DH		 2846 const struct cred *cred = current_cred();
2847
2848 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
1da177e4
LT		 2849}
2850
828dfe1d 2851static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 2852{
88e67f3b
DH		 2853 const struct cred *cred = current_cred();
2854
2855 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
1da177e4
LT		 2856}
2857
8f0cfa52 2858static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 2859{
b5376771
SH		 2860 if (strcmp(name, XATTR_NAME_SELINUX))
2861 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2862
2863 /* No one is allowed to remove a SELinux security label.
2864 You can change the label, but all data must be labeled. */
2865 return -EACCES;
2866}
2867
d381d8a9 2868/*
abc69bb6 2869 * Copy the inode security context value to the user.
d381d8a9
JM		 2870 *
2871 * Permission check is handled by selinux_inode_getxattr hook.
2872 */
42492594 2873static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 2874{
42492594
DQ		 2875 u32 size;
2876 int error;
2877 char *context = NULL;
1da177e4 2878 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2879
8c8570fb
DK		 2880 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2881 return -EOPNOTSUPP;
d381d8a9 2882
abc69bb6
SS		 2883 /*
2884 * If the caller has CAP_MAC_ADMIN, then get the raw context
2885 * value even if it is not defined by current policy; otherwise,
2886 * use the in-core value under current policy.
2887 * Use the non-auditing forms of the permission checks since
2888 * getxattr may be called by unprivileged processes commonly
2889 * and lack of permission just means that we fall back to the
2890 * in-core context value, not a denial.
2891 */
3699c53c
DH		 2892 error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
2893 SECURITY_CAP_NOAUDIT);
abc69bb6
SS		 2894 if (!error)
2895 error = security_sid_to_context_force(isec->sid, &context,
2896 &size);
2897 else
2898 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 2899 if (error)
2900 return error;
2901 error = size;
2902 if (alloc) {
2903 *buffer = context;
2904 goto out_nofree;
2905 }
2906 kfree(context);
2907out_nofree:
2908 return error;
1da177e4
LT		 2909}
2910
2911static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 2912 const void *value, size_t size, int flags)
1da177e4
LT		 2913{
2914 struct inode_security_struct *isec = inode->i_security;
2915 u32 newsid;
2916 int rc;
2917
2918 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2919 return -EOPNOTSUPP;
2920
2921 if (!value || !size)
2922 return -EACCES;
2923
828dfe1d 2924 rc = security_context_to_sid((void *)value, size, &newsid);
1da177e4
LT		 2925 if (rc)
2926 return rc;
2927
2928 isec->sid = newsid;
ddd29ec6 2929 isec->initialized = 1;
1da177e4
LT		 2930 return 0;
2931}
2932
2933static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2934{
2935 const int len = sizeof(XATTR_NAME_SELINUX);
2936 if (buffer && len <= buffer_size)
2937 memcpy(buffer, XATTR_NAME_SELINUX, len);
2938 return len;
2939}
2940
713a04ae
AD		 2941static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2942{
2943 struct inode_security_struct *isec = inode->i_security;
2944 *secid = isec->sid;
2945}
2946
1da177e4
LT		 2947/* file security operations */
2948
788e7dd4 2949static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 2950{
88e67f3b 2951 const struct cred *cred = current_cred();
3d5ff529 2952 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4 2953
1da177e4
LT		 2954 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2955 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2956 mask |= MAY_APPEND;
2957
389fb800
PM		 2958 return file_has_perm(cred, file,
2959 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 2960}
2961
788e7dd4
YN		 2962static int selinux_file_permission(struct file *file, int mask)
2963{
20dda18b
SS		 2964 struct inode *inode = file->f_path.dentry->d_inode;
2965 struct file_security_struct *fsec = file->f_security;
2966 struct inode_security_struct *isec = inode->i_security;
2967 u32 sid = current_sid();
2968
389fb800 2969 if (!mask)
788e7dd4
YN		 2970 /* No permission to check. Existence test. */
2971 return 0;
788e7dd4 2972
20dda18b
SS		 2973 if (sid == fsec->sid && fsec->isid == isec->sid &&
2974 fsec->pseqno == avc_policy_seqno())
2975 /* No change since dentry_open check. */
2976 return 0;
2977
788e7dd4
YN		 2978 return selinux_revalidate_file_permission(file, mask);
2979}
2980
1da177e4
LT		 2981static int selinux_file_alloc_security(struct file *file)
2982{
2983 return file_alloc_security(file);
2984}
2985
2986static void selinux_file_free_security(struct file *file)
2987{
2988 file_free_security(file);
2989}
2990
2991static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2992 unsigned long arg)
2993{
88e67f3b 2994 const struct cred *cred = current_cred();
242631c4 2995 u32 av = 0;
1da177e4 2996
242631c4
SS		 2997 if (_IOC_DIR(cmd) & _IOC_WRITE)
2998 av |= FILE__WRITE;
2999 if (_IOC_DIR(cmd) & _IOC_READ)
3000 av |= FILE__READ;
3001 if (!av)
3002 av = FILE__IOCTL;
1da177e4 3003
88e67f3b 3004 return file_has_perm(cred, file, av);
1da177e4
LT		 3005}
3006
3007static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3008{
88e67f3b 3009 const struct cred *cred = current_cred();
d84f4f99 3010 int rc = 0;
88e67f3b 3011
1da177e4
LT		 3012#ifndef CONFIG_PPC32
3013 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3014 /*
3015 * We are making executable an anonymous mapping or a
3016 * private file mapping that will also be writable.
3017 * This has an additional check.
3018 */
d84f4f99 3019 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 3020 if (rc)
d84f4f99 3021 goto error;
1da177e4
LT		 3022 }
3023#endif
3024
3025 if (file) {
3026 /* read access is always possible with a mapping */
3027 u32 av = FILE__READ;
3028
3029 /* write access only matters if the mapping is shared */
3030 if (shared && (prot & PROT_WRITE))
3031 av |= FILE__WRITE;
3032
3033 if (prot & PROT_EXEC)
3034 av |= FILE__EXECUTE;
3035
88e67f3b 3036 return file_has_perm(cred, file, av);
1da177e4 3037 }
d84f4f99
DH		 3038
3039error:
3040 return rc;
1da177e4
LT		 3041}
3042
3043static int selinux_file_mmap(struct file *file, unsigned long reqprot,
ed032189
EP		 3044 unsigned long prot, unsigned long flags,
3045 unsigned long addr, unsigned long addr_only)
1da177e4 3046{
ed032189 3047 int rc = 0;
275bb41e 3048 u32 sid = current_sid();
1da177e4 3049
84336d1a
EP		 3050 /*
3051 * notice that we are intentionally putting the SELinux check before
3052 * the secondary cap_file_mmap check. This is such a likely attempt
3053 * at bad behaviour/exploit that we always want to get the AVC, even
3054 * if DAC would have also denied the operation.
3055 */
a2551df7 3056 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
ed032189
EP		 3057 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3058 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3059 if (rc)
3060 return rc;
3061 }
3062
3063 /* do DAC check on address space usage */
3064 rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
ed032189 3065 if (rc || addr_only)
1da177e4
LT		 3066 return rc;
3067
3068 if (selinux_checkreqprot)
3069 prot = reqprot;
3070
3071 return file_map_prot_check(file, prot,
3072 (flags & MAP_TYPE) == MAP_SHARED);
3073}
3074
3075static int selinux_file_mprotect(struct vm_area_struct *vma,
3076 unsigned long reqprot,
3077 unsigned long prot)
3078{
88e67f3b 3079 const struct cred *cred = current_cred();
1da177e4
LT		 3080
3081 if (selinux_checkreqprot)
3082 prot = reqprot;
3083
3084#ifndef CONFIG_PPC32
db4c9641 3085 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3086 int rc = 0;
db4c9641
SS		 3087 if (vma->vm_start >= vma->vm_mm->start_brk &&
3088 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3089 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641
SS		 3090 } else if (!vma->vm_file &&
3091 vma->vm_start <= vma->vm_mm->start_stack &&
3092 vma->vm_end >= vma->vm_mm->start_stack) {
3b11a1de 3093 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3094 } else if (vma->vm_file && vma->anon_vma) {
3095 /*
3096 * We are making executable a file mapping that has
3097 * had some COW done. Since pages might have been
3098 * written, check ability to execute the possibly
3099 * modified content. This typically should only
3100 * occur for text relocations.
3101 */
d84f4f99 3102 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3103 }