projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
[PATCH] slab: remove SLAB_DMA
[linux-2.6-block.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
7420ed23
VY		 15 * Copyright (C) 2006 Hewlett-Packard Development Company, L.P.
16 * Paul Moore, <paul.moore@hp.com>
1da177e4
LT		 17 *
18 * This program is free software; you can redistribute it and/or modify
19 * it under the terms of the GNU General Public License version 2,
20 * as published by the Free Software Foundation.
21 */
22
1da177e4
LT		 23#include <linux/module.h>
24#include <linux/init.h>
25#include <linux/kernel.h>
26#include <linux/ptrace.h>
27#include <linux/errno.h>
28#include <linux/sched.h>
29#include <linux/security.h>
30#include <linux/xattr.h>
31#include <linux/capability.h>
32#include <linux/unistd.h>
33#include <linux/mm.h>
34#include <linux/mman.h>
35#include <linux/slab.h>
36#include <linux/pagemap.h>
37#include <linux/swap.h>
38#include <linux/smp_lock.h>
39#include <linux/spinlock.h>
40#include <linux/syscalls.h>
41#include <linux/file.h>
42#include <linux/namei.h>
43#include <linux/mount.h>
44#include <linux/ext2_fs.h>
45#include <linux/proc_fs.h>
46#include <linux/kd.h>
47#include <linux/netfilter_ipv4.h>
48#include <linux/netfilter_ipv6.h>
49#include <linux/tty.h>
50#include <net/icmp.h>
51#include <net/ip.h> /* for sysctl_local_port_range[] */
52#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53#include <asm/uaccess.h>
1da177e4
LT		 54#include <asm/ioctls.h>
55#include <linux/bitops.h>
56#include <linux/interrupt.h>
57#include <linux/netdevice.h> /* for network interface checks */
58#include <linux/netlink.h>
59#include <linux/tcp.h>
60#include <linux/udp.h>
2ee92d46 61#include <linux/dccp.h>
1da177e4
LT		 62#include <linux/quota.h>
63#include <linux/un.h> /* for Unix socket types */
64#include <net/af_unix.h> /* for Unix socket types */
65#include <linux/parser.h>
66#include <linux/nfs_mount.h>
67#include <net/ipv6.h>
68#include <linux/hugetlb.h>
69#include <linux/personality.h>
70#include <linux/sysctl.h>
71#include <linux/audit.h>
6931dfc9 72#include <linux/string.h>
877ce7c1 73#include <linux/selinux.h>
23970741 74#include <linux/mutex.h>
1da177e4
LT		 75
76#include "avc.h"
77#include "objsec.h"
78#include "netif.h"
d28d1e08 79#include "xfrm.h"
7420ed23 80#include "selinux_netlabel.h"
1da177e4
LT		 81
82#define XATTR_SELINUX_SUFFIX "selinux"
83#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
84
85extern unsigned int policydb_loaded_version;
86extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
4e5ab4cb 87extern int selinux_compat_net;
1da177e4
LT		 88
89#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
90int selinux_enforcing = 0;
91
92static int __init enforcing_setup(char *str)
93{
94 selinux_enforcing = simple_strtol(str,NULL,0);
95 return 1;
96}
97__setup("enforcing=", enforcing_setup);
98#endif
99
100#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
101int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
102
103static int __init selinux_enabled_setup(char *str)
104{
105 selinux_enabled = simple_strtol(str, NULL, 0);
106 return 1;
107}
108__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 109#else
110int selinux_enabled = 1;
1da177e4
LT		 111#endif
112
113/* Original (dummy) security module. */
114static struct security_operations *original_ops = NULL;
115
116/* Minimal support for a secondary security module,
117 just to allow the use of the dummy or capability modules.
118 The owlsm module can alternatively be used as a secondary
119 module as long as CONFIG_OWLSM_FD is not enabled. */
120static struct security_operations *secondary_ops = NULL;
121
122/* Lists of inode and superblock security structures initialized
123 before the policy was loaded. */
124static LIST_HEAD(superblock_security_head);
125static DEFINE_SPINLOCK(sb_security_lock);
126
7cae7e26
JM		 127static kmem_cache_t *sel_inode_cache;
128
8c8570fb
DK		 129/* Return security context for a given sid or just the context
130 length if the buffer is null or length is 0 */
131static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
132{
133 char *context;
134 unsigned len;
135 int rc;
136
137 rc = security_sid_to_context(sid, &context, &len);
138 if (rc)
139 return rc;
140
141 if (!buffer || !size)
142 goto getsecurity_exit;
143
144 if (size < len) {
145 len = -ERANGE;
146 goto getsecurity_exit;
147 }
148 memcpy(buffer, context, len);
149
150getsecurity_exit:
151 kfree(context);
152 return len;
153}
154
1da177e4
LT		 155/* Allocate and free functions for each kind of security blob. */
156
157static int task_alloc_security(struct task_struct *task)
158{
159 struct task_security_struct *tsec;
160
89d155ef 161 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4
LT		 162 if (!tsec)
163 return -ENOMEM;
164
1da177e4
LT		 165 tsec->task = task;
166 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
167 task->security = tsec;
168
169 return 0;
170}
171
172static void task_free_security(struct task_struct *task)
173{
174 struct task_security_struct *tsec = task->security;
1da177e4
LT		 175 task->security = NULL;
176 kfree(tsec);
177}
178
179static int inode_alloc_security(struct inode *inode)
180{
181 struct task_security_struct *tsec = current->security;
182 struct inode_security_struct *isec;
183
e94b1766 184 isec = kmem_cache_alloc(sel_inode_cache, GFP_KERNEL);
1da177e4
LT		 185 if (!isec)
186 return -ENOMEM;
187
7cae7e26 188 memset(isec, 0, sizeof(*isec));
23970741 189 mutex_init(&isec->lock);
1da177e4 190 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 191 isec->inode = inode;
192 isec->sid = SECINITSID_UNLABELED;
193 isec->sclass = SECCLASS_FILE;
9ac49d22 194 isec->task_sid = tsec->sid;
1da177e4
LT		 195 inode->i_security = isec;
196
197 return 0;
198}
199
200static void inode_free_security(struct inode *inode)
201{
202 struct inode_security_struct *isec = inode->i_security;
203 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
204
1da177e4
LT		 205 spin_lock(&sbsec->isec_lock);
206 if (!list_empty(&isec->list))
207 list_del_init(&isec->list);
208 spin_unlock(&sbsec->isec_lock);
209
210 inode->i_security = NULL;
7cae7e26 211 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 212}
213
214static int file_alloc_security(struct file *file)
215{
216 struct task_security_struct *tsec = current->security;
217 struct file_security_struct *fsec;
218
26d2a4be 219 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 220 if (!fsec)
221 return -ENOMEM;
222
1da177e4 223 fsec->file = file;
9ac49d22
SS		 224 fsec->sid = tsec->sid;
225 fsec->fown_sid = tsec->sid;
1da177e4
LT		 226 file->f_security = fsec;
227
228 return 0;
229}
230
231static void file_free_security(struct file *file)
232{
233 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 234 file->f_security = NULL;
235 kfree(fsec);
236}
237
238static int superblock_alloc_security(struct super_block *sb)
239{
240 struct superblock_security_struct *sbsec;
241
89d155ef 242 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 243 if (!sbsec)
244 return -ENOMEM;
245
bc7e982b 246 mutex_init(&sbsec->lock);
1da177e4
LT		 247 INIT_LIST_HEAD(&sbsec->list);
248 INIT_LIST_HEAD(&sbsec->isec_head);
249 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 250 sbsec->sb = sb;
251 sbsec->sid = SECINITSID_UNLABELED;
252 sbsec->def_sid = SECINITSID_FILE;
c312feb2 253 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 254 sb->s_security = sbsec;
255
256 return 0;
257}
258
259static void superblock_free_security(struct super_block *sb)
260{
261 struct superblock_security_struct *sbsec = sb->s_security;
262
1da177e4
LT		 263 spin_lock(&sb_security_lock);
264 if (!list_empty(&sbsec->list))
265 list_del_init(&sbsec->list);
266 spin_unlock(&sb_security_lock);
267
268 sb->s_security = NULL;
269 kfree(sbsec);
270}
271
7d877f3b 272static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4
LT		 273{
274 struct sk_security_struct *ssec;
275
89d155ef 276 ssec = kzalloc(sizeof(*ssec), priority);
1da177e4
LT		 277 if (!ssec)
278 return -ENOMEM;
279
1da177e4
LT		 280 ssec->sk = sk;
281 ssec->peer_sid = SECINITSID_UNLABELED;
892c141e 282 ssec->sid = SECINITSID_UNLABELED;
1da177e4
LT		 283 sk->sk_security = ssec;
284
99f59ed0
PM		 285 selinux_netlbl_sk_security_init(ssec, family);
286
1da177e4
LT		 287 return 0;
288}
289
290static void sk_free_security(struct sock *sk)
291{
292 struct sk_security_struct *ssec = sk->sk_security;
293
1da177e4
LT		 294 sk->sk_security = NULL;
295 kfree(ssec);
296}
1da177e4
LT		 297
298/* The security server must be initialized before
299 any labeling or access decisions can be provided. */
300extern int ss_initialized;
301
302/* The file system's label must be initialized prior to use. */
303
304static char *labeling_behaviors[6] = {
305 "uses xattr",
306 "uses transition SIDs",
307 "uses task SIDs",
308 "uses genfs_contexts",
309 "not configured for labeling",
310 "uses mountpoint labeling",
311};
312
313static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
314
315static inline int inode_doinit(struct inode *inode)
316{
317 return inode_doinit_with_dentry(inode, NULL);
318}
319
320enum {
321 Opt_context = 1,
322 Opt_fscontext = 2,
323 Opt_defcontext = 4,
0808925e 324 Opt_rootcontext = 8,
1da177e4
LT		 325};
326
327static match_table_t tokens = {
328 {Opt_context, "context=%s"},
329 {Opt_fscontext, "fscontext=%s"},
330 {Opt_defcontext, "defcontext=%s"},
0808925e 331 {Opt_rootcontext, "rootcontext=%s"},
1da177e4
LT		 332};
333
334#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
335
c312feb2
EP		 336static int may_context_mount_sb_relabel(u32 sid,
337 struct superblock_security_struct *sbsec,
338 struct task_security_struct *tsec)
339{
340 int rc;
341
342 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
343 FILESYSTEM__RELABELFROM, NULL);
344 if (rc)
345 return rc;
346
347 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
348 FILESYSTEM__RELABELTO, NULL);
349 return rc;
350}
351
0808925e
EP		 352static int may_context_mount_inode_relabel(u32 sid,
353 struct superblock_security_struct *sbsec,
354 struct task_security_struct *tsec)
355{
356 int rc;
357 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358 FILESYSTEM__RELABELFROM, NULL);
359 if (rc)
360 return rc;
361
362 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
363 FILESYSTEM__ASSOCIATE, NULL);
364 return rc;
365}
366
1da177e4
LT		 367static int try_context_mount(struct super_block *sb, void *data)
368{
369 char *context = NULL, *defcontext = NULL;
0808925e 370 char *fscontext = NULL, *rootcontext = NULL;
1da177e4
LT		 371 const char *name;
372 u32 sid;
373 int alloc = 0, rc = 0, seen = 0;
374 struct task_security_struct *tsec = current->security;
375 struct superblock_security_struct *sbsec = sb->s_security;
376
377 if (!data)
378 goto out;
379
380 name = sb->s_type->name;
381
382 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
383
384 /* NFS we understand. */
385 if (!strcmp(name, "nfs")) {
386 struct nfs_mount_data *d = data;
387
388 if (d->version < NFS_MOUNT_VERSION)
389 goto out;
390
391 if (d->context[0]) {
392 context = d->context;
393 seen |= Opt_context;
394 }
395 } else
396 goto out;
397
398 } else {
399 /* Standard string-based options. */
400 char *p, *options = data;
401
3528a953 402 while ((p = strsep(&options, "|")) != NULL) {
1da177e4
LT		 403 int token;
404 substring_t args[MAX_OPT_ARGS];
405
406 if (!*p)
407 continue;
408
409 token = match_token(p, tokens, args);
410
411 switch (token) {
412 case Opt_context:
c312feb2 413 if (seen & (Opt_context|Opt_defcontext)) {
1da177e4
LT		 414 rc = -EINVAL;
415 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
416 goto out_free;
417 }
418 context = match_strdup(&args[0]);
419 if (!context) {
420 rc = -ENOMEM;
421 goto out_free;
422 }
423 if (!alloc)
424 alloc = 1;
425 seen |= Opt_context;
426 break;
427
428 case Opt_fscontext:
c312feb2 429 if (seen & Opt_fscontext) {
1da177e4
LT		 430 rc = -EINVAL;
431 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
432 goto out_free;
433 }
c312feb2
EP		 434 fscontext = match_strdup(&args[0]);
435 if (!fscontext) {
1da177e4
LT		 436 rc = -ENOMEM;
437 goto out_free;
438 }
439 if (!alloc)
440 alloc = 1;
441 seen |= Opt_fscontext;
442 break;
443
0808925e
EP		 444 case Opt_rootcontext:
445 if (seen & Opt_rootcontext) {
446 rc = -EINVAL;
447 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
448 goto out_free;
449 }
450 rootcontext = match_strdup(&args[0]);
451 if (!rootcontext) {
452 rc = -ENOMEM;
453 goto out_free;
454 }
455 if (!alloc)
456 alloc = 1;
457 seen |= Opt_rootcontext;
458 break;
459
1da177e4
LT		 460 case Opt_defcontext:
461 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
462 rc = -EINVAL;
463 printk(KERN_WARNING "SELinux: "
464 "defcontext option is invalid "
465 "for this filesystem type\n");
466 goto out_free;
467 }
468 if (seen & (Opt_context|Opt_defcontext)) {
469 rc = -EINVAL;
470 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
471 goto out_free;
472 }
473 defcontext = match_strdup(&args[0]);
474 if (!defcontext) {
475 rc = -ENOMEM;
476 goto out_free;
477 }
478 if (!alloc)
479 alloc = 1;
480 seen |= Opt_defcontext;
481 break;
482
483 default:
484 rc = -EINVAL;
485 printk(KERN_WARNING "SELinux: unknown mount "
486 "option\n");
487 goto out_free;
488
489 }
490 }
491 }
492
493 if (!seen)
494 goto out;
495
c312feb2
EP		 496 /* sets the context of the superblock for the fs being mounted. */
497 if (fscontext) {
498 rc = security_context_to_sid(fscontext, strlen(fscontext), &sid);
1da177e4
LT		 499 if (rc) {
500 printk(KERN_WARNING "SELinux: security_context_to_sid"
501 "(%s) failed for (dev %s, type %s) errno=%d\n",
c312feb2 502 fscontext, sb->s_id, name, rc);
1da177e4
LT		 503 goto out_free;
504 }
505
c312feb2 506 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
1da177e4
LT		 507 if (rc)
508 goto out_free;
509
c312feb2
EP		 510 sbsec->sid = sid;
511 }
512
513 /*
514 * Switch to using mount point labeling behavior.
515 * sets the label used on all file below the mountpoint, and will set
516 * the superblock context if not already set.
517 */
518 if (context) {
519 rc = security_context_to_sid(context, strlen(context), &sid);
520 if (rc) {
521 printk(KERN_WARNING "SELinux: security_context_to_sid"
522 "(%s) failed for (dev %s, type %s) errno=%d\n",
523 context, sb->s_id, name, rc);
524 goto out_free;
525 }
526
b04ea3ce
EP		 527 if (!fscontext) {
528 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
529 if (rc)
530 goto out_free;
c312feb2 531 sbsec->sid = sid;
b04ea3ce
EP		 532 } else {
533 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
534 if (rc)
535 goto out_free;
536 }
c312feb2 537 sbsec->mntpoint_sid = sid;
1da177e4 538
c312feb2 539 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 540 }
541
0808925e
EP		 542 if (rootcontext) {
543 struct inode *inode = sb->s_root->d_inode;
544 struct inode_security_struct *isec = inode->i_security;
545 rc = security_context_to_sid(rootcontext, strlen(rootcontext), &sid);
546 if (rc) {
547 printk(KERN_WARNING "SELinux: security_context_to_sid"
548 "(%s) failed for (dev %s, type %s) errno=%d\n",
549 rootcontext, sb->s_id, name, rc);
550 goto out_free;
551 }
552
553 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
554 if (rc)
555 goto out_free;
556
557 isec->sid = sid;
558 isec->initialized = 1;
559 }
560
1da177e4
LT		 561 if (defcontext) {
562 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
563 if (rc) {
564 printk(KERN_WARNING "SELinux: security_context_to_sid"
565 "(%s) failed for (dev %s, type %s) errno=%d\n",
566 defcontext, sb->s_id, name, rc);
567 goto out_free;
568 }
569
570 if (sid == sbsec->def_sid)
571 goto out_free;
572
0808925e 573 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
1da177e4
LT		 574 if (rc)
575 goto out_free;
576
577 sbsec->def_sid = sid;
578 }
579
580out_free:
581 if (alloc) {
582 kfree(context);
583 kfree(defcontext);
c312feb2 584 kfree(fscontext);
0808925e 585 kfree(rootcontext);
1da177e4
LT		 586 }
587out:
588 return rc;
589}
590
591static int superblock_doinit(struct super_block *sb, void *data)
592{
593 struct superblock_security_struct *sbsec = sb->s_security;
594 struct dentry *root = sb->s_root;
595 struct inode *inode = root->d_inode;
596 int rc = 0;
597
bc7e982b 598 mutex_lock(&sbsec->lock);
1da177e4
LT		 599 if (sbsec->initialized)
600 goto out;
601
602 if (!ss_initialized) {
603 /* Defer initialization until selinux_complete_init,
604 after the initial policy is loaded and the security
605 server is ready to handle calls. */
606 spin_lock(&sb_security_lock);
607 if (list_empty(&sbsec->list))
608 list_add(&sbsec->list, &superblock_security_head);
609 spin_unlock(&sb_security_lock);
610 goto out;
611 }
612
613 /* Determine the labeling behavior to use for this filesystem type. */
614 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
615 if (rc) {
616 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
617 __FUNCTION__, sb->s_type->name, rc);
618 goto out;
619 }
620
621 rc = try_context_mount(sb, data);
622 if (rc)
623 goto out;
624
625 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
626 /* Make sure that the xattr handler exists and that no
627 error other than -ENODATA is returned by getxattr on
628 the root directory. -ENODATA is ok, as this may be
629 the first boot of the SELinux kernel before we have
630 assigned xattr values to the filesystem. */
631 if (!inode->i_op->getxattr) {
632 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
633 "xattr support\n", sb->s_id, sb->s_type->name);
634 rc = -EOPNOTSUPP;
635 goto out;
636 }
637 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
638 if (rc < 0 && rc != -ENODATA) {
639 if (rc == -EOPNOTSUPP)
640 printk(KERN_WARNING "SELinux: (dev %s, type "
641 "%s) has no security xattr handler\n",
642 sb->s_id, sb->s_type->name);
643 else
644 printk(KERN_WARNING "SELinux: (dev %s, type "
645 "%s) getxattr errno %d\n", sb->s_id,
646 sb->s_type->name, -rc);
647 goto out;
648 }
649 }
650
651 if (strcmp(sb->s_type->name, "proc") == 0)
652 sbsec->proc = 1;
653
654 sbsec->initialized = 1;
655
656 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
657 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
658 sb->s_id, sb->s_type->name);
659 }
660 else {
661 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
662 sb->s_id, sb->s_type->name,
663 labeling_behaviors[sbsec->behavior-1]);
664 }
665
666 /* Initialize the root inode. */
667 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
668
669 /* Initialize any other inodes associated with the superblock, e.g.
670 inodes created prior to initial policy load or inodes created
671 during get_sb by a pseudo filesystem that directly
672 populates itself. */
673 spin_lock(&sbsec->isec_lock);
674next_inode:
675 if (!list_empty(&sbsec->isec_head)) {
676 struct inode_security_struct *isec =
677 list_entry(sbsec->isec_head.next,
678 struct inode_security_struct, list);
679 struct inode *inode = isec->inode;
680 spin_unlock(&sbsec->isec_lock);
681 inode = igrab(inode);
682 if (inode) {
683 if (!IS_PRIVATE (inode))
684 inode_doinit(inode);
685 iput(inode);
686 }
687 spin_lock(&sbsec->isec_lock);
688 list_del_init(&isec->list);
689 goto next_inode;
690 }
691 spin_unlock(&sbsec->isec_lock);
692out:
bc7e982b 693 mutex_unlock(&sbsec->lock);
1da177e4
LT		 694 return rc;
695}
696
697static inline u16 inode_mode_to_security_class(umode_t mode)
698{
699 switch (mode & S_IFMT) {
700 case S_IFSOCK:
701 return SECCLASS_SOCK_FILE;
702 case S_IFLNK:
703 return SECCLASS_LNK_FILE;
704 case S_IFREG:
705 return SECCLASS_FILE;
706 case S_IFBLK:
707 return SECCLASS_BLK_FILE;
708 case S_IFDIR:
709 return SECCLASS_DIR;
710 case S_IFCHR:
711 return SECCLASS_CHR_FILE;
712 case S_IFIFO:
713 return SECCLASS_FIFO_FILE;
714
715 }
716
717 return SECCLASS_FILE;
718}
719
13402580
JM		 720static inline int default_protocol_stream(int protocol)
721{
722 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
723}
724
725static inline int default_protocol_dgram(int protocol)
726{
727 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
728}
729
1da177e4
LT		 730static inline u16 socket_type_to_security_class(int family, int type, int protocol)
731{
732 switch (family) {
733 case PF_UNIX:
734 switch (type) {
735 case SOCK_STREAM:
736 case SOCK_SEQPACKET:
737 return SECCLASS_UNIX_STREAM_SOCKET;
738 case SOCK_DGRAM:
739 return SECCLASS_UNIX_DGRAM_SOCKET;
740 }
741 break;
742 case PF_INET:
743 case PF_INET6:
744 switch (type) {
745 case SOCK_STREAM:
13402580
JM		 746 if (default_protocol_stream(protocol))
747 return SECCLASS_TCP_SOCKET;
748 else
749 return SECCLASS_RAWIP_SOCKET;
1da177e4 750 case SOCK_DGRAM:
13402580
JM		 751 if (default_protocol_dgram(protocol))
752 return SECCLASS_UDP_SOCKET;
753 else
754 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 755 case SOCK_DCCP:
756 return SECCLASS_DCCP_SOCKET;
13402580 757 default:
1da177e4
LT		 758 return SECCLASS_RAWIP_SOCKET;
759 }
760 break;
761 case PF_NETLINK:
762 switch (protocol) {
763 case NETLINK_ROUTE:
764 return SECCLASS_NETLINK_ROUTE_SOCKET;
765 case NETLINK_FIREWALL:
766 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 767 case NETLINK_INET_DIAG:
1da177e4
LT		 768 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
769 case NETLINK_NFLOG:
770 return SECCLASS_NETLINK_NFLOG_SOCKET;
771 case NETLINK_XFRM:
772 return SECCLASS_NETLINK_XFRM_SOCKET;
773 case NETLINK_SELINUX:
774 return SECCLASS_NETLINK_SELINUX_SOCKET;
775 case NETLINK_AUDIT:
776 return SECCLASS_NETLINK_AUDIT_SOCKET;
777 case NETLINK_IP6_FW:
778 return SECCLASS_NETLINK_IP6FW_SOCKET;
779 case NETLINK_DNRTMSG:
780 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 781 case NETLINK_KOBJECT_UEVENT:
782 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 783 default:
784 return SECCLASS_NETLINK_SOCKET;
785 }
786 case PF_PACKET:
787 return SECCLASS_PACKET_SOCKET;
788 case PF_KEY:
789 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 790 case PF_APPLETALK:
791 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 792 }
793
794 return SECCLASS_SOCKET;
795}
796
797#ifdef CONFIG_PROC_FS
798static int selinux_proc_get_sid(struct proc_dir_entry *de,
799 u16 tclass,
800 u32 *sid)
801{
802 int buflen, rc;
803 char *buffer, *path, *end;
804
805 buffer = (char*)__get_free_page(GFP_KERNEL);
806 if (!buffer)
807 return -ENOMEM;
808
809 buflen = PAGE_SIZE;
810 end = buffer+buflen;
811 *--end = '\0';
812 buflen--;
813 path = end-1;
814 *path = '/';
815 while (de && de != de->parent) {
816 buflen -= de->namelen + 1;
817 if (buflen < 0)
818 break;
819 end -= de->namelen;
820 memcpy(end, de->name, de->namelen);
821 *--end = '/';
822 path = end;
823 de = de->parent;
824 }
825 rc = security_genfs_sid("proc", path, tclass, sid);
826 free_page((unsigned long)buffer);
827 return rc;
828}
829#else
830static int selinux_proc_get_sid(struct proc_dir_entry *de,
831 u16 tclass,
832 u32 *sid)
833{
834 return -EINVAL;
835}
836#endif
837
838/* The inode's security attributes must be initialized before first use. */
839static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
840{
841 struct superblock_security_struct *sbsec = NULL;
842 struct inode_security_struct *isec = inode->i_security;
843 u32 sid;
844 struct dentry *dentry;
845#define INITCONTEXTLEN 255
846 char *context = NULL;
847 unsigned len = 0;
848 int rc = 0;
1da177e4
LT		 849
850 if (isec->initialized)
851 goto out;
852
23970741 853 mutex_lock(&isec->lock);
1da177e4 854 if (isec->initialized)
23970741 855 goto out_unlock;
1da177e4
LT		 856
857 sbsec = inode->i_sb->s_security;
858 if (!sbsec->initialized) {
859 /* Defer initialization until selinux_complete_init,
860 after the initial policy is loaded and the security
861 server is ready to handle calls. */
862 spin_lock(&sbsec->isec_lock);
863 if (list_empty(&isec->list))
864 list_add(&isec->list, &sbsec->isec_head);
865 spin_unlock(&sbsec->isec_lock);
23970741 866 goto out_unlock;
1da177e4
LT		 867 }
868
869 switch (sbsec->behavior) {
870 case SECURITY_FS_USE_XATTR:
871 if (!inode->i_op->getxattr) {
872 isec->sid = sbsec->def_sid;
873 break;
874 }
875
876 /* Need a dentry, since the xattr API requires one.
877 Life would be simpler if we could just pass the inode. */
878 if (opt_dentry) {
879 /* Called from d_instantiate or d_splice_alias. */
880 dentry = dget(opt_dentry);
881 } else {
882 /* Called from selinux_complete_init, try to find a dentry. */
883 dentry = d_find_alias(inode);
884 }
885 if (!dentry) {
886 printk(KERN_WARNING "%s: no dentry for dev=%s "
887 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
888 inode->i_ino);
23970741 889 goto out_unlock;
1da177e4
LT		 890 }
891
892 len = INITCONTEXTLEN;
893 context = kmalloc(len, GFP_KERNEL);
894 if (!context) {
895 rc = -ENOMEM;
896 dput(dentry);
23970741 897 goto out_unlock;
1da177e4
LT		 898 }
899 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
900 context, len);
901 if (rc == -ERANGE) {
902 /* Need a larger buffer. Query for the right size. */
903 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
904 NULL, 0);
905 if (rc < 0) {
906 dput(dentry);
23970741 907 goto out_unlock;
1da177e4
LT		 908 }
909 kfree(context);
910 len = rc;
911 context = kmalloc(len, GFP_KERNEL);
912 if (!context) {
913 rc = -ENOMEM;
914 dput(dentry);
23970741 915 goto out_unlock;
1da177e4
LT		 916 }
917 rc = inode->i_op->getxattr(dentry,
918 XATTR_NAME_SELINUX,
919 context, len);
920 }
921 dput(dentry);
922 if (rc < 0) {
923 if (rc != -ENODATA) {
924 printk(KERN_WARNING "%s: getxattr returned "
925 "%d for dev=%s ino=%ld\n", __FUNCTION__,
926 -rc, inode->i_sb->s_id, inode->i_ino);
927 kfree(context);
23970741 928 goto out_unlock;
1da177e4
LT		 929 }
930 /* Map ENODATA to the default file SID */
931 sid = sbsec->def_sid;
932 rc = 0;
933 } else {
f5c1d5b2
JM		 934 rc = security_context_to_sid_default(context, rc, &sid,
935 sbsec->def_sid);
1da177e4
LT		 936 if (rc) {
937 printk(KERN_WARNING "%s: context_to_sid(%s) "
938 "returned %d for dev=%s ino=%ld\n",
939 __FUNCTION__, context, -rc,
940 inode->i_sb->s_id, inode->i_ino);
941 kfree(context);
942 /* Leave with the unlabeled SID */
943 rc = 0;
944 break;
945 }
946 }
947 kfree(context);
948 isec->sid = sid;
949 break;
950 case SECURITY_FS_USE_TASK:
951 isec->sid = isec->task_sid;
952 break;
953 case SECURITY_FS_USE_TRANS:
954 /* Default to the fs SID. */
955 isec->sid = sbsec->sid;
956
957 /* Try to obtain a transition SID. */
958 isec->sclass = inode_mode_to_security_class(inode->i_mode);
959 rc = security_transition_sid(isec->task_sid,
960 sbsec->sid,
961 isec->sclass,
962 &sid);
963 if (rc)
23970741 964 goto out_unlock;
1da177e4
LT		 965 isec->sid = sid;
966 break;
c312feb2
EP		 967 case SECURITY_FS_USE_MNTPOINT:
968 isec->sid = sbsec->mntpoint_sid;
969 break;
1da177e4 970 default:
c312feb2 971 /* Default to the fs superblock SID. */
1da177e4
LT		 972 isec->sid = sbsec->sid;
973
974 if (sbsec->proc) {
975 struct proc_inode *proci = PROC_I(inode);
976 if (proci->pde) {
977 isec->sclass = inode_mode_to_security_class(inode->i_mode);
978 rc = selinux_proc_get_sid(proci->pde,
979 isec->sclass,
980 &sid);
981 if (rc)
23970741 982 goto out_unlock;
1da177e4
LT		 983 isec->sid = sid;
984 }
985 }
986 break;
987 }
988
989 isec->initialized = 1;
990
23970741
EP		 991out_unlock:
992 mutex_unlock(&isec->lock);
1da177e4
LT		 993out:
994 if (isec->sclass == SECCLASS_FILE)
995 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 996 return rc;
997}
998
999/* Convert a Linux signal to an access vector. */
1000static inline u32 signal_to_av(int sig)
1001{
1002 u32 perm = 0;
1003
1004 switch (sig) {
1005 case SIGCHLD:
1006 /* Commonly granted from child to parent. */
1007 perm = PROCESS__SIGCHLD;
1008 break;
1009 case SIGKILL:
1010 /* Cannot be caught or ignored */
1011 perm = PROCESS__SIGKILL;
1012 break;
1013 case SIGSTOP:
1014 /* Cannot be caught or ignored */
1015 perm = PROCESS__SIGSTOP;
1016 break;
1017 default:
1018 /* All other signals. */
1019 perm = PROCESS__SIGNAL;
1020 break;
1021 }
1022
1023 return perm;
1024}
1025
1026/* Check permission betweeen a pair of tasks, e.g. signal checks,
1027 fork check, ptrace check, etc. */
1028static int task_has_perm(struct task_struct *tsk1,
1029 struct task_struct *tsk2,
1030 u32 perms)
1031{
1032 struct task_security_struct *tsec1, *tsec2;
1033
1034 tsec1 = tsk1->security;
1035 tsec2 = tsk2->security;
1036 return avc_has_perm(tsec1->sid, tsec2->sid,
1037 SECCLASS_PROCESS, perms, NULL);
1038}
1039
1040/* Check whether a task is allowed to use a capability. */
1041static int task_has_capability(struct task_struct *tsk,
1042 int cap)
1043{
1044 struct task_security_struct *tsec;
1045 struct avc_audit_data ad;
1046
1047 tsec = tsk->security;
1048
1049 AVC_AUDIT_DATA_INIT(&ad,CAP);
1050 ad.tsk = tsk;
1051 ad.u.cap = cap;
1052
1053 return avc_has_perm(tsec->sid, tsec->sid,
1054 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1055}
1056
1057/* Check whether a task is allowed to use a system operation. */
1058static int task_has_system(struct task_struct *tsk,
1059 u32 perms)
1060{
1061 struct task_security_struct *tsec;
1062
1063 tsec = tsk->security;
1064
1065 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1066 SECCLASS_SYSTEM, perms, NULL);
1067}
1068
1069/* Check whether a task has a particular permission to an inode.
1070 The 'adp' parameter is optional and allows other audit
1071 data to be passed (e.g. the dentry). */
1072static int inode_has_perm(struct task_struct *tsk,
1073 struct inode *inode,
1074 u32 perms,
1075 struct avc_audit_data *adp)
1076{
1077 struct task_security_struct *tsec;
1078 struct inode_security_struct *isec;
1079 struct avc_audit_data ad;
1080
1081 tsec = tsk->security;
1082 isec = inode->i_security;
1083
1084 if (!adp) {
1085 adp = &ad;
1086 AVC_AUDIT_DATA_INIT(&ad, FS);
1087 ad.u.fs.inode = inode;
1088 }
1089
1090 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1091}
1092
1093/* Same as inode_has_perm, but pass explicit audit data containing
1094 the dentry to help the auditing code to more easily generate the
1095 pathname if needed. */
1096static inline int dentry_has_perm(struct task_struct *tsk,
1097 struct vfsmount *mnt,
1098 struct dentry *dentry,
1099 u32 av)
1100{
1101 struct inode *inode = dentry->d_inode;
1102 struct avc_audit_data ad;
1103 AVC_AUDIT_DATA_INIT(&ad,FS);
1104 ad.u.fs.mnt = mnt;
1105 ad.u.fs.dentry = dentry;
1106 return inode_has_perm(tsk, inode, av, &ad);
1107}
1108
1109/* Check whether a task can use an open file descriptor to
1110 access an inode in a given way. Check access to the
1111 descriptor itself, and then use dentry_has_perm to
1112 check a particular permission to the file.
1113 Access to the descriptor is implicitly granted if it
1114 has the same SID as the process. If av is zero, then
1115 access to the file is not checked, e.g. for cases
1116 where only the descriptor is affected like seek. */
858119e1 1117static int file_has_perm(struct task_struct *tsk,
1da177e4
LT		 1118 struct file *file,
1119 u32 av)
1120{
1121 struct task_security_struct *tsec = tsk->security;
1122 struct file_security_struct *fsec = file->f_security;
1123 struct vfsmount *mnt = file->f_vfsmnt;
1124 struct dentry *dentry = file->f_dentry;
1125 struct inode *inode = dentry->d_inode;
1126 struct avc_audit_data ad;
1127 int rc;
1128
1129 AVC_AUDIT_DATA_INIT(&ad, FS);
1130 ad.u.fs.mnt = mnt;
1131 ad.u.fs.dentry = dentry;
1132
1133 if (tsec->sid != fsec->sid) {
1134 rc = avc_has_perm(tsec->sid, fsec->sid,
1135 SECCLASS_FD,
1136 FD__USE,
1137 &ad);
1138 if (rc)
1139 return rc;
1140 }
1141
1142 /* av is zero if only checking access to the descriptor. */
1143 if (av)
1144 return inode_has_perm(tsk, inode, av, &ad);
1145
1146 return 0;
1147}
1148
1149/* Check whether a task can create a file. */
1150static int may_create(struct inode *dir,
1151 struct dentry *dentry,
1152 u16 tclass)
1153{
1154 struct task_security_struct *tsec;
1155 struct inode_security_struct *dsec;
1156 struct superblock_security_struct *sbsec;
1157 u32 newsid;
1158 struct avc_audit_data ad;
1159 int rc;
1160
1161 tsec = current->security;
1162 dsec = dir->i_security;
1163 sbsec = dir->i_sb->s_security;
1164
1165 AVC_AUDIT_DATA_INIT(&ad, FS);
1166 ad.u.fs.dentry = dentry;
1167
1168 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1169 DIR__ADD_NAME | DIR__SEARCH,
1170 &ad);
1171 if (rc)
1172 return rc;
1173
1174 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1175 newsid = tsec->create_sid;
1176 } else {
1177 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1178 &newsid);
1179 if (rc)
1180 return rc;
1181 }
1182
1183 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1184 if (rc)
1185 return rc;
1186
1187 return avc_has_perm(newsid, sbsec->sid,
1188 SECCLASS_FILESYSTEM,
1189 FILESYSTEM__ASSOCIATE, &ad);
1190}
1191
4eb582cf
ML		 1192/* Check whether a task can create a key. */
1193static int may_create_key(u32 ksid,
1194 struct task_struct *ctx)
1195{
1196 struct task_security_struct *tsec;
1197
1198 tsec = ctx->security;
1199
1200 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1201}
1202
1da177e4
LT		 1203#define MAY_LINK 0
1204#define MAY_UNLINK 1
1205#define MAY_RMDIR 2
1206
1207/* Check whether a task can link, unlink, or rmdir a file/directory. */
1208static int may_link(struct inode *dir,
1209 struct dentry *dentry,
1210 int kind)
1211
1212{
1213 struct task_security_struct *tsec;
1214 struct inode_security_struct *dsec, *isec;
1215 struct avc_audit_data ad;
1216 u32 av;
1217 int rc;
1218
1219 tsec = current->security;
1220 dsec = dir->i_security;
1221 isec = dentry->d_inode->i_security;
1222
1223 AVC_AUDIT_DATA_INIT(&ad, FS);
1224 ad.u.fs.dentry = dentry;
1225
1226 av = DIR__SEARCH;
1227 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1228 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1229 if (rc)
1230 return rc;
1231
1232 switch (kind) {
1233 case MAY_LINK:
1234 av = FILE__LINK;
1235 break;
1236 case MAY_UNLINK:
1237 av = FILE__UNLINK;
1238 break;
1239 case MAY_RMDIR:
1240 av = DIR__RMDIR;
1241 break;
1242 default:
1243 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1244 return 0;
1245 }
1246
1247 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1248 return rc;
1249}
1250
1251static inline int may_rename(struct inode *old_dir,
1252 struct dentry *old_dentry,
1253 struct inode *new_dir,
1254 struct dentry *new_dentry)
1255{
1256 struct task_security_struct *tsec;
1257 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1258 struct avc_audit_data ad;
1259 u32 av;
1260 int old_is_dir, new_is_dir;
1261 int rc;
1262
1263 tsec = current->security;
1264 old_dsec = old_dir->i_security;
1265 old_isec = old_dentry->d_inode->i_security;
1266 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1267 new_dsec = new_dir->i_security;
1268
1269 AVC_AUDIT_DATA_INIT(&ad, FS);
1270
1271 ad.u.fs.dentry = old_dentry;
1272 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1273 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1274 if (rc)
1275 return rc;
1276 rc = avc_has_perm(tsec->sid, old_isec->sid,
1277 old_isec->sclass, FILE__RENAME, &ad);
1278 if (rc)
1279 return rc;
1280 if (old_is_dir && new_dir != old_dir) {
1281 rc = avc_has_perm(tsec->sid, old_isec->sid,
1282 old_isec->sclass, DIR__REPARENT, &ad);
1283 if (rc)
1284 return rc;
1285 }
1286
1287 ad.u.fs.dentry = new_dentry;
1288 av = DIR__ADD_NAME | DIR__SEARCH;
1289 if (new_dentry->d_inode)
1290 av |= DIR__REMOVE_NAME;
1291 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1292 if (rc)
1293 return rc;
1294 if (new_dentry->d_inode) {
1295 new_isec = new_dentry->d_inode->i_security;
1296 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1297 rc = avc_has_perm(tsec->sid, new_isec->sid,
1298 new_isec->sclass,
1299 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1300 if (rc)
1301 return rc;
1302 }
1303
1304 return 0;
1305}
1306
1307/* Check whether a task can perform a filesystem operation. */
1308static int superblock_has_perm(struct task_struct *tsk,
1309 struct super_block *sb,
1310 u32 perms,
1311 struct avc_audit_data *ad)
1312{
1313 struct task_security_struct *tsec;
1314 struct superblock_security_struct *sbsec;
1315
1316 tsec = tsk->security;
1317 sbsec = sb->s_security;
1318 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1319 perms, ad);
1320}
1321
1322/* Convert a Linux mode and permission mask to an access vector. */
1323static inline u32 file_mask_to_av(int mode, int mask)
1324{
1325 u32 av = 0;
1326
1327 if ((mode & S_IFMT) != S_IFDIR) {
1328 if (mask & MAY_EXEC)
1329 av |= FILE__EXECUTE;
1330 if (mask & MAY_READ)
1331 av |= FILE__READ;
1332
1333 if (mask & MAY_APPEND)
1334 av |= FILE__APPEND;
1335 else if (mask & MAY_WRITE)
1336 av |= FILE__WRITE;
1337
1338 } else {
1339 if (mask & MAY_EXEC)
1340 av |= DIR__SEARCH;
1341 if (mask & MAY_WRITE)
1342 av |= DIR__WRITE;
1343 if (mask & MAY_READ)
1344 av |= DIR__READ;
1345 }
1346
1347 return av;
1348}
1349
1350/* Convert a Linux file to an access vector. */
1351static inline u32 file_to_av(struct file *file)
1352{
1353 u32 av = 0;
1354
1355 if (file->f_mode & FMODE_READ)
1356 av |= FILE__READ;
1357 if (file->f_mode & FMODE_WRITE) {
1358 if (file->f_flags & O_APPEND)
1359 av |= FILE__APPEND;
1360 else
1361 av |= FILE__WRITE;
1362 }
1363
1364 return av;
1365}
1366
1da177e4
LT		 1367/* Hook functions begin here. */
1368
1369static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1370{
1371 struct task_security_struct *psec = parent->security;
1372 struct task_security_struct *csec = child->security;
1373 int rc;
1374
1375 rc = secondary_ops->ptrace(parent,child);
1376 if (rc)
1377 return rc;
1378
1379 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1380 /* Save the SID of the tracing process for later use in apply_creds. */
341c2d80 1381 if (!(child->ptrace & PT_PTRACED) && !rc)
1da177e4
LT		 1382 csec->ptrace_sid = psec->sid;
1383 return rc;
1384}
1385
1386static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1387 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1388{
1389 int error;
1390
1391 error = task_has_perm(current, target, PROCESS__GETCAP);
1392 if (error)
1393 return error;
1394
1395 return secondary_ops->capget(target, effective, inheritable, permitted);
1396}
1397
1398static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1399 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1400{
1401 int error;
1402
1403 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1404 if (error)
1405 return error;
1406
1407 return task_has_perm(current, target, PROCESS__SETCAP);
1408}
1409
1410static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1411 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1412{
1413 secondary_ops->capset_set(target, effective, inheritable, permitted);
1414}
1415
1416static int selinux_capable(struct task_struct *tsk, int cap)
1417{
1418 int rc;
1419
1420 rc = secondary_ops->capable(tsk, cap);
1421 if (rc)
1422 return rc;
1423
1424 return task_has_capability(tsk,cap);
1425}
1426
1427static int selinux_sysctl(ctl_table *table, int op)
1428{
1429 int error = 0;
1430 u32 av;
1431 struct task_security_struct *tsec;
1432 u32 tsid;
1433 int rc;
1434
1435 rc = secondary_ops->sysctl(table, op);
1436 if (rc)
1437 return rc;
1438
1439 tsec = current->security;
1440
1441 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1442 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1443 if (rc) {
1444 /* Default to the well-defined sysctl SID. */
1445 tsid = SECINITSID_SYSCTL;
1446 }
1447
1448 /* The op values are "defined" in sysctl.c, thereby creating
1449 * a bad coupling between this module and sysctl.c */
1450 if(op == 001) {
1451 error = avc_has_perm(tsec->sid, tsid,
1452 SECCLASS_DIR, DIR__SEARCH, NULL);
1453 } else {
1454 av = 0;
1455 if (op & 004)
1456 av |= FILE__READ;
1457 if (op & 002)
1458 av |= FILE__WRITE;
1459 if (av)
1460 error = avc_has_perm(tsec->sid, tsid,
1461 SECCLASS_FILE, av, NULL);
1462 }
1463
1464 return error;
1465}
1466
1467static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1468{
1469 int rc = 0;
1470
1471 if (!sb)
1472 return 0;
1473
1474 switch (cmds) {
1475 case Q_SYNC:
1476 case Q_QUOTAON:
1477 case Q_QUOTAOFF:
1478 case Q_SETINFO:
1479 case Q_SETQUOTA:
1480 rc = superblock_has_perm(current,
1481 sb,
1482 FILESYSTEM__QUOTAMOD, NULL);
1483 break;
1484 case Q_GETFMT:
1485 case Q_GETINFO:
1486 case Q_GETQUOTA:
1487 rc = superblock_has_perm(current,
1488 sb,
1489 FILESYSTEM__QUOTAGET, NULL);
1490 break;
1491 default:
1492 rc = 0; /* let the kernel handle invalid cmds */
1493 break;
1494 }
1495 return rc;
1496}
1497
1498static int selinux_quota_on(struct dentry *dentry)
1499{
1500 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1501}
1502
1503static int selinux_syslog(int type)
1504{
1505 int rc;
1506
1507 rc = secondary_ops->syslog(type);
1508 if (rc)
1509 return rc;
1510
1511 switch (type) {
1512 case 3: /* Read last kernel messages */
1513 case 10: /* Return size of the log buffer */
1514 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1515 break;
1516 case 6: /* Disable logging to console */
1517 case 7: /* Enable logging to console */
1518 case 8: /* Set level of messages printed to console */
1519 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1520 break;
1521 case 0: /* Close log */
1522 case 1: /* Open log */
1523 case 2: /* Read from log */
1524 case 4: /* Read/clear last kernel messages */
1525 case 5: /* Clear ring buffer */
1526 default:
1527 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1528 break;
1529 }
1530 return rc;
1531}
1532
1533/*
1534 * Check that a process has enough memory to allocate a new virtual
1535 * mapping. 0 means there is enough memory for the allocation to
1536 * succeed and -ENOMEM implies there is not.
1537 *
1538 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1539 * if the capability is granted, but __vm_enough_memory requires 1 if
1540 * the capability is granted.
1541 *
1542 * Do not audit the selinux permission check, as this is applied to all
1543 * processes that allocate mappings.
1544 */
1545static int selinux_vm_enough_memory(long pages)
1546{
1547 int rc, cap_sys_admin = 0;
1548 struct task_security_struct *tsec = current->security;
1549
1550 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1551 if (rc == 0)
1552 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1553 SECCLASS_CAPABILITY,
1554 CAP_TO_MASK(CAP_SYS_ADMIN),
1555 NULL);
1556
1557 if (rc == 0)
1558 cap_sys_admin = 1;
1559
1560 return __vm_enough_memory(pages, cap_sys_admin);
1561}
1562
1563/* binprm security operations */
1564
1565static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1566{
1567 struct bprm_security_struct *bsec;
1568
89d155ef 1569 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1da177e4
LT		 1570 if (!bsec)
1571 return -ENOMEM;
1572
1da177e4
LT		 1573 bsec->bprm = bprm;
1574 bsec->sid = SECINITSID_UNLABELED;
1575 bsec->set = 0;
1576
1577 bprm->security = bsec;
1578 return 0;
1579}
1580
1581static int selinux_bprm_set_security(struct linux_binprm *bprm)
1582{
1583 struct task_security_struct *tsec;
1584 struct inode *inode = bprm->file->f_dentry->d_inode;
1585 struct inode_security_struct *isec;
1586 struct bprm_security_struct *bsec;
1587 u32 newsid;
1588 struct avc_audit_data ad;
1589 int rc;
1590
1591 rc = secondary_ops->bprm_set_security(bprm);
1592 if (rc)
1593 return rc;
1594
1595 bsec = bprm->security;
1596
1597 if (bsec->set)
1598 return 0;
1599
1600 tsec = current->security;
1601 isec = inode->i_security;
1602
1603 /* Default to the current task SID. */
1604 bsec->sid = tsec->sid;
1605
28eba5bf 1606 /* Reset fs, key, and sock SIDs on execve. */
1da177e4 1607 tsec->create_sid = 0;
28eba5bf 1608 tsec->keycreate_sid = 0;
42c3e03e 1609 tsec->sockcreate_sid = 0;
1da177e4
LT		 1610
1611 if (tsec->exec_sid) {
1612 newsid = tsec->exec_sid;
1613 /* Reset exec SID on execve. */
1614 tsec->exec_sid = 0;
1615 } else {
1616 /* Check for a default transition on this program. */
1617 rc = security_transition_sid(tsec->sid, isec->sid,
1618 SECCLASS_PROCESS, &newsid);
1619 if (rc)
1620 return rc;
1621 }
1622
1623 AVC_AUDIT_DATA_INIT(&ad, FS);
1624 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1625 ad.u.fs.dentry = bprm->file->f_dentry;
1626
1627 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1628 newsid = tsec->sid;
1629
1630 if (tsec->sid == newsid) {
1631 rc = avc_has_perm(tsec->sid, isec->sid,
1632 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1633 if (rc)
1634 return rc;
1635 } else {
1636 /* Check permissions for the transition. */
1637 rc = avc_has_perm(tsec->sid, newsid,
1638 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1639 if (rc)
1640 return rc;
1641
1642 rc = avc_has_perm(newsid, isec->sid,
1643 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1644 if (rc)
1645 return rc;
1646
1647 /* Clear any possibly unsafe personality bits on exec: */
1648 current->personality &= ~PER_CLEAR_ON_SETID;
1649
1650 /* Set the security field to the new SID. */
1651 bsec->sid = newsid;
1652 }
1653
1654 bsec->set = 1;
1655 return 0;
1656}
1657
1658static int selinux_bprm_check_security (struct linux_binprm *bprm)
1659{
1660 return secondary_ops->bprm_check_security(bprm);
1661}
1662
1663
1664static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1665{
1666 struct task_security_struct *tsec = current->security;
1667 int atsecure = 0;
1668
1669 if (tsec->osid != tsec->sid) {
1670 /* Enable secure mode for SIDs transitions unless
1671 the noatsecure permission is granted between
1672 the two SIDs, i.e. ahp returns 0. */
1673 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1674 SECCLASS_PROCESS,
1675 PROCESS__NOATSECURE, NULL);
1676 }
1677
1678 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1679}
1680
1681static void selinux_bprm_free_security(struct linux_binprm *bprm)
1682{
9a5f04bf 1683 kfree(bprm->security);
1da177e4 1684 bprm->security = NULL;
1da177e4
LT		 1685}
1686
1687extern struct vfsmount *selinuxfs_mount;
1688extern struct dentry *selinux_null;
1689
1690/* Derived from fs/exec.c:flush_old_files. */
1691static inline void flush_unauthorized_files(struct files_struct * files)
1692{
1693 struct avc_audit_data ad;
1694 struct file *file, *devnull = NULL;
b20c8122 1695 struct tty_struct *tty;
badf1662 1696 struct fdtable *fdt;
1da177e4
LT		 1697 long j = -1;
1698
b20c8122
SS		 1699 mutex_lock(&tty_mutex);
1700 tty = current->signal->tty;
1da177e4
LT		 1701 if (tty) {
1702 file_list_lock();
2f512016 1703 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1da177e4
LT		 1704 if (file) {
1705 /* Revalidate access to controlling tty.
1706 Use inode_has_perm on the tty inode directly rather
1707 than using file_has_perm, as this particular open
1708 file may belong to another process and we are only
1709 interested in the inode-based check here. */
1710 struct inode *inode = file->f_dentry->d_inode;
1711 if (inode_has_perm(current, inode,
1712 FILE__READ | FILE__WRITE, NULL)) {
1713 /* Reset controlling tty. */
1714 current->signal->tty = NULL;
1715 current->signal->tty_old_pgrp = 0;
1716 }
1717 }
1718 file_list_unlock();
1719 }
b20c8122 1720 mutex_unlock(&tty_mutex);
1da177e4
LT		 1721
1722 /* Revalidate access to inherited open files. */
1723
1724 AVC_AUDIT_DATA_INIT(&ad,FS);
1725
1726 spin_lock(&files->file_lock);
1727 for (;;) {
1728 unsigned long set, i;
1729 int fd;
1730
1731 j++;
1732 i = j * __NFDBITS;
badf1662
DS		 1733 fdt = files_fdtable(files);
1734 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1da177e4 1735 break;
badf1662 1736 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 1737 if (!set)
1738 continue;
1739 spin_unlock(&files->file_lock);
1740 for ( ; set ; i++,set >>= 1) {
1741 if (set & 1) {
1742 file = fget(i);
1743 if (!file)
1744 continue;
1745 if (file_has_perm(current,
1746 file,
1747 file_to_av(file))) {
1748 sys_close(i);
1749 fd = get_unused_fd();
1750 if (fd != i) {
1751 if (fd >= 0)
1752 put_unused_fd(fd);
1753 fput(file);
1754 continue;
1755 }
1756 if (devnull) {
095975da 1757 get_file(devnull);
1da177e4
LT		 1758 } else {
1759 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
fc5d81e6
AM		 1760 if (IS_ERR(devnull)) {
1761 devnull = NULL;
1da177e4
LT		 1762 put_unused_fd(fd);
1763 fput(file);
1764 continue;
1765 }
1766 }
1767 fd_install(fd, devnull);
1768 }
1769 fput(file);
1770 }
1771 }
1772 spin_lock(&files->file_lock);
1773
1774 }
1775 spin_unlock(&files->file_lock);
1776}
1777
1778static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1779{
1780 struct task_security_struct *tsec;
1781 struct bprm_security_struct *bsec;
1782 u32 sid;
1783 int rc;
1784
1785 secondary_ops->bprm_apply_creds(bprm, unsafe);
1786
1787 tsec = current->security;
1788
1789 bsec = bprm->security;
1790 sid = bsec->sid;
1791
1792 tsec->osid = tsec->sid;
1793 bsec->unsafe = 0;
1794 if (tsec->sid != sid) {
1795 /* Check for shared state. If not ok, leave SID
1796 unchanged and kill. */
1797 if (unsafe & LSM_UNSAFE_SHARE) {
1798 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1799 PROCESS__SHARE, NULL);
1800 if (rc) {
1801 bsec->unsafe = 1;
1802 return;
1803 }
1804 }
1805
1806 /* Check for ptracing, and update the task SID if ok.
1807 Otherwise, leave SID unchanged and kill. */
1808 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1809 rc = avc_has_perm(tsec->ptrace_sid, sid,
1810 SECCLASS_PROCESS, PROCESS__PTRACE,
1811 NULL);
1812 if (rc) {
1813 bsec->unsafe = 1;
1814 return;
1815 }
1816 }
1817 tsec->sid = sid;
1818 }
1819}
1820
1821/*
1822 * called after apply_creds without the task lock held
1823 */
1824static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1825{
1826 struct task_security_struct *tsec;
1827 struct rlimit *rlim, *initrlim;
1828 struct itimerval itimer;
1829 struct bprm_security_struct *bsec;
1830 int rc, i;
1831
1832 tsec = current->security;
1833 bsec = bprm->security;
1834
1835 if (bsec->unsafe) {
1836 force_sig_specific(SIGKILL, current);
1837 return;
1838 }
1839 if (tsec->osid == tsec->sid)
1840 return;
1841
1842 /* Close files for which the new task SID is not authorized. */
1843 flush_unauthorized_files(current->files);
1844
1845 /* Check whether the new SID can inherit signal state
1846 from the old SID. If not, clear itimers to avoid
1847 subsequent signal generation and flush and unblock
1848 signals. This must occur _after_ the task SID has
1849 been updated so that any kill done after the flush
1850 will be checked against the new SID. */
1851 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1852 PROCESS__SIGINH, NULL);
1853 if (rc) {
1854 memset(&itimer, 0, sizeof itimer);
1855 for (i = 0; i < 3; i++)
1856 do_setitimer(i, &itimer, NULL);
1857 flush_signals(current);
1858 spin_lock_irq(&current->sighand->siglock);
1859 flush_signal_handlers(current, 1);
1860 sigemptyset(&current->blocked);
1861 recalc_sigpending();
1862 spin_unlock_irq(&current->sighand->siglock);
1863 }
1864
1865 /* Check whether the new SID can inherit resource limits
1866 from the old SID. If not, reset all soft limits to
1867 the lower of the current task's hard limit and the init
1868 task's soft limit. Note that the setting of hard limits
1869 (even to lower them) can be controlled by the setrlimit
1870 check. The inclusion of the init task's soft limit into
1871 the computation is to avoid resetting soft limits higher
1872 than the default soft limit for cases where the default
1873 is lower than the hard limit, e.g. RLIMIT_CORE or
1874 RLIMIT_STACK.*/
1875 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1876 PROCESS__RLIMITINH, NULL);
1877 if (rc) {
1878 for (i = 0; i < RLIM_NLIMITS; i++) {
1879 rlim = current->signal->rlim + i;
1880 initrlim = init_task.signal->rlim+i;
1881 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1882 }
1883 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1884 /*
1885 * This will cause RLIMIT_CPU calculations
1886 * to be refigured.
1887 */
1888 current->it_prof_expires = jiffies_to_cputime(1);
1889 }
1890 }
1891
1892 /* Wake up the parent if it is waiting so that it can
1893 recheck wait permission to the new task SID. */
1894 wake_up_interruptible(&current->parent->signal->wait_chldexit);
1895}
1896
1897/* superblock security operations */
1898
1899static int selinux_sb_alloc_security(struct super_block *sb)
1900{
1901 return superblock_alloc_security(sb);
1902}
1903
1904static void selinux_sb_free_security(struct super_block *sb)
1905{
1906 superblock_free_security(sb);
1907}
1908
1909static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1910{
1911 if (plen > olen)
1912 return 0;
1913
1914 return !memcmp(prefix, option, plen);
1915}
1916
1917static inline int selinux_option(char *option, int len)
1918{
1919 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1920 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
0808925e
EP		 1921 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
1922 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
1da177e4
LT		 1923}
1924
1925static inline void take_option(char **to, char *from, int *first, int len)
1926{
1927 if (!*first) {
1928 **to = ',';
1929 *to += 1;
3528a953 1930 } else
1da177e4
LT		 1931 *first = 0;
1932 memcpy(*to, from, len);
1933 *to += len;
1934}
1935
3528a953
CO		 1936static inline void take_selinux_option(char **to, char *from, int *first,
1937 int len)
1938{
1939 int current_size = 0;
1940
1941 if (!*first) {
1942 **to = '|';
1943 *to += 1;
1944 }
1945 else
1946 *first = 0;
1947
1948 while (current_size < len) {
1949 if (*from != '"') {
1950 **to = *from;
1951 *to += 1;
1952 }
1953 from += 1;
1954 current_size += 1;
1955 }
1956}
1957
1da177e4
LT		 1958static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1959{
1960 int fnosec, fsec, rc = 0;
1961 char *in_save, *in_curr, *in_end;
1962 char *sec_curr, *nosec_save, *nosec;
3528a953 1963 int open_quote = 0;
1da177e4
LT		 1964
1965 in_curr = orig;
1966 sec_curr = copy;
1967
1968 /* Binary mount data: just copy */
1969 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1970 copy_page(sec_curr, in_curr);
1971 goto out;
1972 }
1973
1974 nosec = (char *)get_zeroed_page(GFP_KERNEL);
1975 if (!nosec) {
1976 rc = -ENOMEM;
1977 goto out;
1978 }
1979
1980 nosec_save = nosec;
1981 fnosec = fsec = 1;
1982 in_save = in_end = orig;
1983
1984 do {
3528a953
CO		 1985 if (*in_end == '"')
1986 open_quote = !open_quote;
1987 if ((*in_end == ',' && open_quote == 0) ||
1988 *in_end == '\0') {
1da177e4
LT		 1989 int len = in_end - in_curr;
1990
1991 if (selinux_option(in_curr, len))
3528a953 1992 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 1993 else
1994 take_option(&nosec, in_curr, &fnosec, len);
1995
1996 in_curr = in_end + 1;
1997 }
1998 } while (*in_end++);
1999
6931dfc9 2000 strcpy(in_save, nosec_save);
da3caa20 2001 free_page((unsigned long)nosec_save);
1da177e4
LT		 2002out:
2003 return rc;
2004}
2005
2006static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2007{
2008 struct avc_audit_data ad;
2009 int rc;
2010
2011 rc = superblock_doinit(sb, data);
2012 if (rc)
2013 return rc;
2014
2015 AVC_AUDIT_DATA_INIT(&ad,FS);
2016 ad.u.fs.dentry = sb->s_root;
2017 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2018}
2019
726c3342 2020static int selinux_sb_statfs(struct dentry *dentry)
1da177e4
LT		 2021{
2022 struct avc_audit_data ad;
2023
2024 AVC_AUDIT_DATA_INIT(&ad,FS);
726c3342
DH		 2025 ad.u.fs.dentry = dentry->d_sb->s_root;
2026 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2027}
2028
2029static int selinux_mount(char * dev_name,
2030 struct nameidata *nd,
2031 char * type,
2032 unsigned long flags,
2033 void * data)
2034{
2035 int rc;
2036
2037 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2038 if (rc)
2039 return rc;
2040
2041 if (flags & MS_REMOUNT)
2042 return superblock_has_perm(current, nd->mnt->mnt_sb,
2043 FILESYSTEM__REMOUNT, NULL);
2044 else
2045 return dentry_has_perm(current, nd->mnt, nd->dentry,
2046 FILE__MOUNTON);
2047}
2048
2049static int selinux_umount(struct vfsmount *mnt, int flags)
2050{
2051 int rc;
2052
2053 rc = secondary_ops->sb_umount(mnt, flags);
2054 if (rc)
2055 return rc;
2056
2057 return superblock_has_perm(current,mnt->mnt_sb,
2058 FILESYSTEM__UNMOUNT,NULL);
2059}
2060
2061/* inode security operations */
2062
2063static int selinux_inode_alloc_security(struct inode *inode)
2064{
2065 return inode_alloc_security(inode);
2066}
2067
2068static void selinux_inode_free_security(struct inode *inode)
2069{
2070 inode_free_security(inode);
2071}
2072
5e41ff9e
SS		 2073static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2074 char **name, void **value,
2075 size_t *len)
2076{
2077 struct task_security_struct *tsec;
2078 struct inode_security_struct *dsec;
2079 struct superblock_security_struct *sbsec;
570bc1c2 2080 u32 newsid, clen;
5e41ff9e 2081 int rc;
570bc1c2 2082 char *namep = NULL, *context;
5e41ff9e
SS		 2083
2084 tsec = current->security;
2085 dsec = dir->i_security;
2086 sbsec = dir->i_sb->s_security;
5e41ff9e
SS		 2087
2088 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2089 newsid = tsec->create_sid;
2090 } else {
2091 rc = security_transition_sid(tsec->sid, dsec->sid,
2092 inode_mode_to_security_class(inode->i_mode),
2093 &newsid);
2094 if (rc) {
2095 printk(KERN_WARNING "%s: "
2096 "security_transition_sid failed, rc=%d (dev=%s "
2097 "ino=%ld)\n",
2098 __FUNCTION__,
2099 -rc, inode->i_sb->s_id, inode->i_ino);
2100 return rc;
2101 }
2102 }
2103
296fddf7
EP		 2104 /* Possibly defer initialization to selinux_complete_init. */
2105 if (sbsec->initialized) {
2106 struct inode_security_struct *isec = inode->i_security;
2107 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2108 isec->sid = newsid;
2109 isec->initialized = 1;
2110 }
5e41ff9e 2111
8aad3875 2112 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
25a74f3b
SS		 2113 return -EOPNOTSUPP;
2114
570bc1c2
SS		 2115 if (name) {
2116 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2117 if (!namep)
2118 return -ENOMEM;
2119 *name = namep;
2120 }
5e41ff9e 2121
570bc1c2
SS		 2122 if (value && len) {
2123 rc = security_sid_to_context(newsid, &context, &clen);
2124 if (rc) {
2125 kfree(namep);
2126 return rc;
2127 }
2128 *value = context;
2129 *len = clen;
5e41ff9e 2130 }
5e41ff9e 2131
5e41ff9e
SS		 2132 return 0;
2133}
2134
1da177e4
LT		 2135static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2136{
2137 return may_create(dir, dentry, SECCLASS_FILE);
2138}
2139
1da177e4
LT		 2140static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2141{
2142 int rc;
2143
2144 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2145 if (rc)
2146 return rc;
2147 return may_link(dir, old_dentry, MAY_LINK);
2148}
2149
1da177e4
LT		 2150static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2151{
2152 int rc;
2153
2154 rc = secondary_ops->inode_unlink(dir, dentry);
2155 if (rc)
2156 return rc;
2157 return may_link(dir, dentry, MAY_UNLINK);
2158}
2159
2160static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2161{
2162 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2163}
2164
1da177e4
LT		 2165static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2166{
2167 return may_create(dir, dentry, SECCLASS_DIR);
2168}
2169
1da177e4
LT		 2170static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2171{
2172 return may_link(dir, dentry, MAY_RMDIR);
2173}
2174
2175static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2176{
2177 int rc;
2178
2179 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2180 if (rc)
2181 return rc;
2182
2183 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2184}
2185
1da177e4
LT		 2186static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2187 struct inode *new_inode, struct dentry *new_dentry)
2188{
2189 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2190}
2191
1da177e4
LT		 2192static int selinux_inode_readlink(struct dentry *dentry)
2193{
2194 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2195}
2196
2197static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2198{
2199 int rc;
2200
2201 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2202 if (rc)
2203 return rc;
2204 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2205}
2206
2207static int selinux_inode_permission(struct inode *inode, int mask,
2208 struct nameidata *nd)
2209{
2210 int rc;
2211
2212 rc = secondary_ops->inode_permission(inode, mask, nd);
2213 if (rc)
2214 return rc;
2215
2216 if (!mask) {
2217 /* No permission to check. Existence test. */
2218 return 0;
2219 }
2220
2221 return inode_has_perm(current, inode,
2222 file_mask_to_av(inode->i_mode, mask), NULL);
2223}
2224
2225static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2226{
2227 int rc;
2228
2229 rc = secondary_ops->inode_setattr(dentry, iattr);
2230 if (rc)
2231 return rc;
2232
2233 if (iattr->ia_valid & ATTR_FORCE)
2234 return 0;
2235
2236 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2237 ATTR_ATIME_SET | ATTR_MTIME_SET))
2238 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2239
2240 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2241}
2242
2243static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2244{
2245 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2246}
2247
2248static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2249{
2250 struct task_security_struct *tsec = current->security;
2251 struct inode *inode = dentry->d_inode;
2252 struct inode_security_struct *isec = inode->i_security;
2253 struct superblock_security_struct *sbsec;
2254 struct avc_audit_data ad;
2255 u32 newsid;
2256 int rc = 0;
2257
2258 if (strcmp(name, XATTR_NAME_SELINUX)) {
2259 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2260 sizeof XATTR_SECURITY_PREFIX - 1) &&
2261 !capable(CAP_SYS_ADMIN)) {
2262 /* A different attribute in the security namespace.
2263 Restrict to administrator. */
2264 return -EPERM;
2265 }
2266
2267 /* Not an attribute we recognize, so just check the
2268 ordinary setattr permission. */
2269 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2270 }
2271
2272 sbsec = inode->i_sb->s_security;
2273 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2274 return -EOPNOTSUPP;
2275
2276 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2277 return -EPERM;
2278
2279 AVC_AUDIT_DATA_INIT(&ad,FS);
2280 ad.u.fs.dentry = dentry;
2281
2282 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2283 FILE__RELABELFROM, &ad);
2284 if (rc)
2285 return rc;
2286
2287 rc = security_context_to_sid(value, size, &newsid);
2288 if (rc)
2289 return rc;
2290
2291 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2292 FILE__RELABELTO, &ad);
2293 if (rc)
2294 return rc;
2295
2296 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2297 isec->sclass);
2298 if (rc)
2299 return rc;
2300
2301 return avc_has_perm(newsid,
2302 sbsec->sid,
2303 SECCLASS_FILESYSTEM,
2304 FILESYSTEM__ASSOCIATE,
2305 &ad);
2306}
2307
2308static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2309 void *value, size_t size, int flags)
2310{
2311 struct inode *inode = dentry->d_inode;
2312 struct inode_security_struct *isec = inode->i_security;
2313 u32 newsid;
2314 int rc;
2315
2316 if (strcmp(name, XATTR_NAME_SELINUX)) {
2317 /* Not an attribute we recognize, so nothing to do. */
2318 return;
2319 }
2320
2321 rc = security_context_to_sid(value, size, &newsid);
2322 if (rc) {
2323 printk(KERN_WARNING "%s: unable to obtain SID for context "
2324 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2325 return;
2326 }
2327
2328 isec->sid = newsid;
2329 return;
2330}
2331
2332static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2333{
1da177e4
LT		 2334 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2335}
2336
2337static int selinux_inode_listxattr (struct dentry *dentry)
2338{
2339 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2340}
2341
2342static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2343{
2344 if (strcmp(name, XATTR_NAME_SELINUX)) {
2345 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2346 sizeof XATTR_SECURITY_PREFIX - 1) &&
2347 !capable(CAP_SYS_ADMIN)) {
2348 /* A different attribute in the security namespace.
2349 Restrict to administrator. */
2350 return -EPERM;
2351 }
2352
2353 /* Not an attribute we recognize, so just check the
2354 ordinary setattr permission. Might want a separate
2355 permission for removexattr. */
2356 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2357 }
2358
2359 /* No one is allowed to remove a SELinux security label.
2360 You can change the label, but all data must be labeled. */
2361 return -EACCES;
2362}
2363
8c8570fb
DK		 2364static const char *selinux_inode_xattr_getsuffix(void)
2365{
2366 return XATTR_SELINUX_SUFFIX;
2367}
2368
d381d8a9
JM		 2369/*
2370 * Copy the in-core inode security context value to the user. If the
2371 * getxattr() prior to this succeeded, check to see if we need to
2372 * canonicalize the value to be finally returned to the user.
2373 *
2374 * Permission check is handled by selinux_inode_getxattr hook.
2375 */
7306a0b9 2376static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
1da177e4
LT		 2377{
2378 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2379
8c8570fb
DK		 2380 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2381 return -EOPNOTSUPP;
d381d8a9 2382
8c8570fb 2383 return selinux_getsecurity(isec->sid, buffer, size);
1da177e4
LT		 2384}
2385
2386static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2387 const void *value, size_t size, int flags)
2388{
2389 struct inode_security_struct *isec = inode->i_security;
2390 u32 newsid;
2391 int rc;
2392
2393 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2394 return -EOPNOTSUPP;
2395
2396 if (!value || !size)
2397 return -EACCES;
2398
2399 rc = security_context_to_sid((void*)value, size, &newsid);
2400 if (rc)
2401 return rc;
2402
2403 isec->sid = newsid;
2404 return 0;
2405}
2406
2407static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2408{
2409 const int len = sizeof(XATTR_NAME_SELINUX);
2410 if (buffer && len <= buffer_size)
2411 memcpy(buffer, XATTR_NAME_SELINUX, len);
2412 return len;
2413}
2414
2415/* file security operations */
2416
2417static int selinux_file_permission(struct file *file, int mask)
2418{
7420ed23 2419 int rc;
1da177e4
LT		 2420 struct inode *inode = file->f_dentry->d_inode;
2421
2422 if (!mask) {
2423 /* No permission to check. Existence test. */
2424 return 0;
2425 }
2426
2427 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2428 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2429 mask |= MAY_APPEND;
2430
7420ed23
VY		 2431 rc = file_has_perm(current, file,
2432 file_mask_to_av(inode->i_mode, mask));
2433 if (rc)
2434 return rc;
2435
2436 return selinux_netlbl_inode_permission(inode, mask);
1da177e4
LT		 2437}
2438
2439static int selinux_file_alloc_security(struct file *file)
2440{
2441 return file_alloc_security(file);
2442}
2443
2444static void selinux_file_free_security(struct file *file)
2445{
2446 file_free_security(file);
2447}
2448
2449static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2450 unsigned long arg)
2451{
2452 int error = 0;
2453
2454 switch (cmd) {
2455 case FIONREAD:
2456 /* fall through */
2457 case FIBMAP:
2458 /* fall through */
2459 case FIGETBSZ:
2460 /* fall through */
2461 case EXT2_IOC_GETFLAGS:
2462 /* fall through */
2463 case EXT2_IOC_GETVERSION:
2464 error = file_has_perm(current, file, FILE__GETATTR);
2465 break;
2466
2467 case EXT2_IOC_SETFLAGS:
2468 /* fall through */
2469 case EXT2_IOC_SETVERSION:
2470 error = file_has_perm(current, file, FILE__SETATTR);
2471 break;
2472
2473 /* sys_ioctl() checks */
2474 case FIONBIO:
2475 /* fall through */
2476 case FIOASYNC:
2477 error = file_has_perm(current, file, 0);
2478 break;
2479
2480 case KDSKBENT:
2481 case KDSKBSENT:
2482 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2483 break;
2484
2485 /* default case assumes that the command will go
2486 * to the file's ioctl() function.
2487 */
2488 default:
2489 error = file_has_perm(current, file, FILE__IOCTL);
2490
2491 }
2492 return error;
2493}
2494
2495static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2496{
2497#ifndef CONFIG_PPC32
2498 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2499 /*
2500 * We are making executable an anonymous mapping or a
2501 * private file mapping that will also be writable.
2502 * This has an additional check.
2503 */
2504 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2505 if (rc)
2506 return rc;
2507 }
2508#endif
2509
2510 if (file) {
2511 /* read access is always possible with a mapping */
2512 u32 av = FILE__READ;
2513
2514 /* write access only matters if the mapping is shared */
2515 if (shared && (prot & PROT_WRITE))
2516 av |= FILE__WRITE;
2517
2518 if (prot & PROT_EXEC)
2519 av |= FILE__EXECUTE;
2520
2521 return file_has_perm(current, file, av);
2522 }
2523 return 0;
2524}
2525
2526static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2527 unsigned long prot, unsigned long flags)
2528{
2529 int rc;
2530
2531 rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2532 if (rc)
2533 return rc;
2534
2535 if (selinux_checkreqprot)
2536 prot = reqprot;
2537
2538 return file_map_prot_check(file, prot,
2539 (flags & MAP_TYPE) == MAP_SHARED);
2540}
2541
2542static int selinux_file_mprotect(struct vm_area_struct *vma,
2543 unsigned long reqprot,
2544 unsigned long prot)
2545{
2546 int rc;
2547
2548 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2549 if (rc)
2550 return rc;
2551
2552 if (selinux_checkreqprot)
2553 prot = reqprot;
2554
2555#ifndef CONFIG_PPC32
db4c9641
SS		 2556 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2557 rc = 0;
2558 if (vma->vm_start >= vma->vm_mm->start_brk &&
2559 vma->vm_end <= vma->vm_mm->brk) {
2560 rc = task_has_perm(current, current,
2561 PROCESS__EXECHEAP);
2562 } else if (!vma->vm_file &&
2563 vma->vm_start <= vma->vm_mm->start_stack &&
2564 vma->vm_end >= vma->vm_mm->start_stack) {
2565 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2566 } else if (vma->vm_file && vma->anon_vma) {
2567 /*
2568 * We are making executable a file mapping that has
2569 * had some COW done. Since pages might have been
2570 * written, check ability to execute the possibly
2571 * modified content. This typically should only
2572 * occur for text relocations.
2573 */
2574 rc = file_has_perm(current, vma->vm_file,
2575 FILE__EXECMOD);
2576 }