projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
[NET]: Fix warnings after LSM-IPSEC changes.
[linux-2.6-block.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 *
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License version 2,
18 * as published by the Free Software Foundation.
19 */
20
21#include <linux/config.h>
22#include <linux/module.h>
23#include <linux/init.h>
24#include <linux/kernel.h>
25#include <linux/ptrace.h>
26#include <linux/errno.h>
27#include <linux/sched.h>
28#include <linux/security.h>
29#include <linux/xattr.h>
30#include <linux/capability.h>
31#include <linux/unistd.h>
32#include <linux/mm.h>
33#include <linux/mman.h>
34#include <linux/slab.h>
35#include <linux/pagemap.h>
36#include <linux/swap.h>
37#include <linux/smp_lock.h>
38#include <linux/spinlock.h>
39#include <linux/syscalls.h>
40#include <linux/file.h>
41#include <linux/namei.h>
42#include <linux/mount.h>
43#include <linux/ext2_fs.h>
44#include <linux/proc_fs.h>
45#include <linux/kd.h>
46#include <linux/netfilter_ipv4.h>
47#include <linux/netfilter_ipv6.h>
48#include <linux/tty.h>
49#include <net/icmp.h>
50#include <net/ip.h> /* for sysctl_local_port_range[] */
51#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
52#include <asm/uaccess.h>
53#include <asm/semaphore.h>
54#include <asm/ioctls.h>
55#include <linux/bitops.h>
56#include <linux/interrupt.h>
57#include <linux/netdevice.h> /* for network interface checks */
58#include <linux/netlink.h>
59#include <linux/tcp.h>
60#include <linux/udp.h>
61#include <linux/quota.h>
62#include <linux/un.h> /* for Unix socket types */
63#include <net/af_unix.h> /* for Unix socket types */
64#include <linux/parser.h>
65#include <linux/nfs_mount.h>
66#include <net/ipv6.h>
67#include <linux/hugetlb.h>
68#include <linux/personality.h>
69#include <linux/sysctl.h>
70#include <linux/audit.h>
6931dfc9 71#include <linux/string.h>
1da177e4
LT		 72
73#include "avc.h"
74#include "objsec.h"
75#include "netif.h"
d28d1e08 76#include "xfrm.h"
1da177e4
LT		 77
78#define XATTR_SELINUX_SUFFIX "selinux"
79#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
80
81extern unsigned int policydb_loaded_version;
82extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
83
84#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
85int selinux_enforcing = 0;
86
87static int __init enforcing_setup(char *str)
88{
89 selinux_enforcing = simple_strtol(str,NULL,0);
90 return 1;
91}
92__setup("enforcing=", enforcing_setup);
93#endif
94
95#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
96int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
97
98static int __init selinux_enabled_setup(char *str)
99{
100 selinux_enabled = simple_strtol(str, NULL, 0);
101 return 1;
102}
103__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 104#else
105int selinux_enabled = 1;
1da177e4
LT		 106#endif
107
108/* Original (dummy) security module. */
109static struct security_operations *original_ops = NULL;
110
111/* Minimal support for a secondary security module,
112 just to allow the use of the dummy or capability modules.
113 The owlsm module can alternatively be used as a secondary
114 module as long as CONFIG_OWLSM_FD is not enabled. */
115static struct security_operations *secondary_ops = NULL;
116
117/* Lists of inode and superblock security structures initialized
118 before the policy was loaded. */
119static LIST_HEAD(superblock_security_head);
120static DEFINE_SPINLOCK(sb_security_lock);
121
7cae7e26
JM		 122static kmem_cache_t *sel_inode_cache;
123
8c8570fb
DK		 124/* Return security context for a given sid or just the context
125 length if the buffer is null or length is 0 */
126static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
127{
128 char *context;
129 unsigned len;
130 int rc;
131
132 rc = security_sid_to_context(sid, &context, &len);
133 if (rc)
134 return rc;
135
136 if (!buffer || !size)
137 goto getsecurity_exit;
138
139 if (size < len) {
140 len = -ERANGE;
141 goto getsecurity_exit;
142 }
143 memcpy(buffer, context, len);
144
145getsecurity_exit:
146 kfree(context);
147 return len;
148}
149
1da177e4
LT		 150/* Allocate and free functions for each kind of security blob. */
151
152static int task_alloc_security(struct task_struct *task)
153{
154 struct task_security_struct *tsec;
155
89d155ef 156 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4
LT		 157 if (!tsec)
158 return -ENOMEM;
159
1da177e4
LT		 160 tsec->task = task;
161 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
162 task->security = tsec;
163
164 return 0;
165}
166
167static void task_free_security(struct task_struct *task)
168{
169 struct task_security_struct *tsec = task->security;
1da177e4
LT		 170 task->security = NULL;
171 kfree(tsec);
172}
173
174static int inode_alloc_security(struct inode *inode)
175{
176 struct task_security_struct *tsec = current->security;
177 struct inode_security_struct *isec;
178
7cae7e26 179 isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL);
1da177e4
LT		 180 if (!isec)
181 return -ENOMEM;
182
7cae7e26 183 memset(isec, 0, sizeof(*isec));
1da177e4
LT		 184 init_MUTEX(&isec->sem);
185 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 186 isec->inode = inode;
187 isec->sid = SECINITSID_UNLABELED;
188 isec->sclass = SECCLASS_FILE;
9ac49d22 189 isec->task_sid = tsec->sid;
1da177e4
LT		 190 inode->i_security = isec;
191
192 return 0;
193}
194
195static void inode_free_security(struct inode *inode)
196{
197 struct inode_security_struct *isec = inode->i_security;
198 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
199
1da177e4
LT		 200 spin_lock(&sbsec->isec_lock);
201 if (!list_empty(&isec->list))
202 list_del_init(&isec->list);
203 spin_unlock(&sbsec->isec_lock);
204
205 inode->i_security = NULL;
7cae7e26 206 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 207}
208
209static int file_alloc_security(struct file *file)
210{
211 struct task_security_struct *tsec = current->security;
212 struct file_security_struct *fsec;
213
26d2a4be 214 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 215 if (!fsec)
216 return -ENOMEM;
217
1da177e4 218 fsec->file = file;
9ac49d22
SS		 219 fsec->sid = tsec->sid;
220 fsec->fown_sid = tsec->sid;
1da177e4
LT		 221 file->f_security = fsec;
222
223 return 0;
224}
225
226static void file_free_security(struct file *file)
227{
228 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 229 file->f_security = NULL;
230 kfree(fsec);
231}
232
233static int superblock_alloc_security(struct super_block *sb)
234{
235 struct superblock_security_struct *sbsec;
236
89d155ef 237 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 238 if (!sbsec)
239 return -ENOMEM;
240
1da177e4
LT		 241 init_MUTEX(&sbsec->sem);
242 INIT_LIST_HEAD(&sbsec->list);
243 INIT_LIST_HEAD(&sbsec->isec_head);
244 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 245 sbsec->sb = sb;
246 sbsec->sid = SECINITSID_UNLABELED;
247 sbsec->def_sid = SECINITSID_FILE;
248 sb->s_security = sbsec;
249
250 return 0;
251}
252
253static void superblock_free_security(struct super_block *sb)
254{
255 struct superblock_security_struct *sbsec = sb->s_security;
256
1da177e4
LT		 257 spin_lock(&sb_security_lock);
258 if (!list_empty(&sbsec->list))
259 list_del_init(&sbsec->list);
260 spin_unlock(&sb_security_lock);
261
262 sb->s_security = NULL;
263 kfree(sbsec);
264}
265
7d877f3b 266static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4
LT		 267{
268 struct sk_security_struct *ssec;
269
270 if (family != PF_UNIX)
271 return 0;
272
89d155ef 273 ssec = kzalloc(sizeof(*ssec), priority);
1da177e4
LT		 274 if (!ssec)
275 return -ENOMEM;
276
1da177e4
LT		 277 ssec->sk = sk;
278 ssec->peer_sid = SECINITSID_UNLABELED;
279 sk->sk_security = ssec;
280
281 return 0;
282}
283
284static void sk_free_security(struct sock *sk)
285{
286 struct sk_security_struct *ssec = sk->sk_security;
287
9ac49d22 288 if (sk->sk_family != PF_UNIX)
1da177e4
LT		 289 return;
290
291 sk->sk_security = NULL;
292 kfree(ssec);
293}
1da177e4
LT		 294
295/* The security server must be initialized before
296 any labeling or access decisions can be provided. */
297extern int ss_initialized;
298
299/* The file system's label must be initialized prior to use. */
300
301static char *labeling_behaviors[6] = {
302 "uses xattr",
303 "uses transition SIDs",
304 "uses task SIDs",
305 "uses genfs_contexts",
306 "not configured for labeling",
307 "uses mountpoint labeling",
308};
309
310static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
311
312static inline int inode_doinit(struct inode *inode)
313{
314 return inode_doinit_with_dentry(inode, NULL);
315}
316
317enum {
318 Opt_context = 1,
319 Opt_fscontext = 2,
320 Opt_defcontext = 4,
321};
322
323static match_table_t tokens = {
324 {Opt_context, "context=%s"},
325 {Opt_fscontext, "fscontext=%s"},
326 {Opt_defcontext, "defcontext=%s"},
327};
328
329#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
330
331static int try_context_mount(struct super_block *sb, void *data)
332{
333 char *context = NULL, *defcontext = NULL;
334 const char *name;
335 u32 sid;
336 int alloc = 0, rc = 0, seen = 0;
337 struct task_security_struct *tsec = current->security;
338 struct superblock_security_struct *sbsec = sb->s_security;
339
340 if (!data)
341 goto out;
342
343 name = sb->s_type->name;
344
345 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
346
347 /* NFS we understand. */
348 if (!strcmp(name, "nfs")) {
349 struct nfs_mount_data *d = data;
350
351 if (d->version < NFS_MOUNT_VERSION)
352 goto out;
353
354 if (d->context[0]) {
355 context = d->context;
356 seen |= Opt_context;
357 }
358 } else
359 goto out;
360
361 } else {
362 /* Standard string-based options. */
363 char *p, *options = data;
364
365 while ((p = strsep(&options, ",")) != NULL) {
366 int token;
367 substring_t args[MAX_OPT_ARGS];
368
369 if (!*p)
370 continue;
371
372 token = match_token(p, tokens, args);
373
374 switch (token) {
375 case Opt_context:
376 if (seen) {
377 rc = -EINVAL;
378 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
379 goto out_free;
380 }
381 context = match_strdup(&args[0]);
382 if (!context) {
383 rc = -ENOMEM;
384 goto out_free;
385 }
386 if (!alloc)
387 alloc = 1;
388 seen |= Opt_context;
389 break;
390
391 case Opt_fscontext:
392 if (seen & (Opt_context|Opt_fscontext)) {
393 rc = -EINVAL;
394 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
395 goto out_free;
396 }
397 context = match_strdup(&args[0]);
398 if (!context) {
399 rc = -ENOMEM;
400 goto out_free;
401 }
402 if (!alloc)
403 alloc = 1;
404 seen |= Opt_fscontext;
405 break;
406
407 case Opt_defcontext:
408 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
409 rc = -EINVAL;
410 printk(KERN_WARNING "SELinux: "
411 "defcontext option is invalid "
412 "for this filesystem type\n");
413 goto out_free;
414 }
415 if (seen & (Opt_context|Opt_defcontext)) {
416 rc = -EINVAL;
417 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
418 goto out_free;
419 }
420 defcontext = match_strdup(&args[0]);
421 if (!defcontext) {
422 rc = -ENOMEM;
423 goto out_free;
424 }
425 if (!alloc)
426 alloc = 1;
427 seen |= Opt_defcontext;
428 break;
429
430 default:
431 rc = -EINVAL;
432 printk(KERN_WARNING "SELinux: unknown mount "
433 "option\n");
434 goto out_free;
435
436 }
437 }
438 }
439
440 if (!seen)
441 goto out;
442
443 if (context) {
444 rc = security_context_to_sid(context, strlen(context), &sid);
445 if (rc) {
446 printk(KERN_WARNING "SELinux: security_context_to_sid"
447 "(%s) failed for (dev %s, type %s) errno=%d\n",
448 context, sb->s_id, name, rc);
449 goto out_free;
450 }
451
452 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
453 FILESYSTEM__RELABELFROM, NULL);
454 if (rc)
455 goto out_free;
456
457 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
458 FILESYSTEM__RELABELTO, NULL);
459 if (rc)
460 goto out_free;
461
462 sbsec->sid = sid;
463
464 if (seen & Opt_context)
465 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
466 }
467
468 if (defcontext) {
469 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
470 if (rc) {
471 printk(KERN_WARNING "SELinux: security_context_to_sid"
472 "(%s) failed for (dev %s, type %s) errno=%d\n",
473 defcontext, sb->s_id, name, rc);
474 goto out_free;
475 }
476
477 if (sid == sbsec->def_sid)
478 goto out_free;
479
480 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
481 FILESYSTEM__RELABELFROM, NULL);
482 if (rc)
483 goto out_free;
484
485 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
486 FILESYSTEM__ASSOCIATE, NULL);
487 if (rc)
488 goto out_free;
489
490 sbsec->def_sid = sid;
491 }
492
493out_free:
494 if (alloc) {
495 kfree(context);
496 kfree(defcontext);
497 }
498out:
499 return rc;
500}
501
502static int superblock_doinit(struct super_block *sb, void *data)
503{
504 struct superblock_security_struct *sbsec = sb->s_security;
505 struct dentry *root = sb->s_root;
506 struct inode *inode = root->d_inode;
507 int rc = 0;
508
509 down(&sbsec->sem);
510 if (sbsec->initialized)
511 goto out;
512
513 if (!ss_initialized) {
514 /* Defer initialization until selinux_complete_init,
515 after the initial policy is loaded and the security
516 server is ready to handle calls. */
517 spin_lock(&sb_security_lock);
518 if (list_empty(&sbsec->list))
519 list_add(&sbsec->list, &superblock_security_head);
520 spin_unlock(&sb_security_lock);
521 goto out;
522 }
523
524 /* Determine the labeling behavior to use for this filesystem type. */
525 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
526 if (rc) {
527 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
528 __FUNCTION__, sb->s_type->name, rc);
529 goto out;
530 }
531
532 rc = try_context_mount(sb, data);
533 if (rc)
534 goto out;
535
536 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
537 /* Make sure that the xattr handler exists and that no
538 error other than -ENODATA is returned by getxattr on
539 the root directory. -ENODATA is ok, as this may be
540 the first boot of the SELinux kernel before we have
541 assigned xattr values to the filesystem. */
542 if (!inode->i_op->getxattr) {
543 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
544 "xattr support\n", sb->s_id, sb->s_type->name);
545 rc = -EOPNOTSUPP;
546 goto out;
547 }
548 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
549 if (rc < 0 && rc != -ENODATA) {
550 if (rc == -EOPNOTSUPP)
551 printk(KERN_WARNING "SELinux: (dev %s, type "
552 "%s) has no security xattr handler\n",
553 sb->s_id, sb->s_type->name);
554 else
555 printk(KERN_WARNING "SELinux: (dev %s, type "
556 "%s) getxattr errno %d\n", sb->s_id,
557 sb->s_type->name, -rc);
558 goto out;
559 }
560 }
561
562 if (strcmp(sb->s_type->name, "proc") == 0)
563 sbsec->proc = 1;
564
565 sbsec->initialized = 1;
566
567 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
568 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
569 sb->s_id, sb->s_type->name);
570 }
571 else {
572 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
573 sb->s_id, sb->s_type->name,
574 labeling_behaviors[sbsec->behavior-1]);
575 }
576
577 /* Initialize the root inode. */
578 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
579
580 /* Initialize any other inodes associated with the superblock, e.g.
581 inodes created prior to initial policy load or inodes created
582 during get_sb by a pseudo filesystem that directly
583 populates itself. */
584 spin_lock(&sbsec->isec_lock);
585next_inode:
586 if (!list_empty(&sbsec->isec_head)) {
587 struct inode_security_struct *isec =
588 list_entry(sbsec->isec_head.next,
589 struct inode_security_struct, list);
590 struct inode *inode = isec->inode;
591 spin_unlock(&sbsec->isec_lock);
592 inode = igrab(inode);
593 if (inode) {
594 if (!IS_PRIVATE (inode))
595 inode_doinit(inode);
596 iput(inode);
597 }
598 spin_lock(&sbsec->isec_lock);
599 list_del_init(&isec->list);
600 goto next_inode;
601 }
602 spin_unlock(&sbsec->isec_lock);
603out:
604 up(&sbsec->sem);
605 return rc;
606}
607
608static inline u16 inode_mode_to_security_class(umode_t mode)
609{
610 switch (mode & S_IFMT) {
611 case S_IFSOCK:
612 return SECCLASS_SOCK_FILE;
613 case S_IFLNK:
614 return SECCLASS_LNK_FILE;
615 case S_IFREG:
616 return SECCLASS_FILE;
617 case S_IFBLK:
618 return SECCLASS_BLK_FILE;
619 case S_IFDIR:
620 return SECCLASS_DIR;
621 case S_IFCHR:
622 return SECCLASS_CHR_FILE;
623 case S_IFIFO:
624 return SECCLASS_FIFO_FILE;
625
626 }
627
628 return SECCLASS_FILE;
629}
630
13402580
JM		 631static inline int default_protocol_stream(int protocol)
632{
633 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
634}
635
636static inline int default_protocol_dgram(int protocol)
637{
638 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
639}
640
1da177e4
LT		 641static inline u16 socket_type_to_security_class(int family, int type, int protocol)
642{
643 switch (family) {
644 case PF_UNIX:
645 switch (type) {
646 case SOCK_STREAM:
647 case SOCK_SEQPACKET:
648 return SECCLASS_UNIX_STREAM_SOCKET;
649 case SOCK_DGRAM:
650 return SECCLASS_UNIX_DGRAM_SOCKET;
651 }
652 break;
653 case PF_INET:
654 case PF_INET6:
655 switch (type) {
656 case SOCK_STREAM:
13402580
JM		 657 if (default_protocol_stream(protocol))
658 return SECCLASS_TCP_SOCKET;
659 else
660 return SECCLASS_RAWIP_SOCKET;
1da177e4 661 case SOCK_DGRAM:
13402580
JM		 662 if (default_protocol_dgram(protocol))
663 return SECCLASS_UDP_SOCKET;
664 else
665 return SECCLASS_RAWIP_SOCKET;
666 default:
1da177e4
LT		 667 return SECCLASS_RAWIP_SOCKET;
668 }
669 break;
670 case PF_NETLINK:
671 switch (protocol) {
672 case NETLINK_ROUTE:
673 return SECCLASS_NETLINK_ROUTE_SOCKET;
674 case NETLINK_FIREWALL:
675 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 676 case NETLINK_INET_DIAG:
1da177e4
LT		 677 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
678 case NETLINK_NFLOG:
679 return SECCLASS_NETLINK_NFLOG_SOCKET;
680 case NETLINK_XFRM:
681 return SECCLASS_NETLINK_XFRM_SOCKET;
682 case NETLINK_SELINUX:
683 return SECCLASS_NETLINK_SELINUX_SOCKET;
684 case NETLINK_AUDIT:
685 return SECCLASS_NETLINK_AUDIT_SOCKET;
686 case NETLINK_IP6_FW:
687 return SECCLASS_NETLINK_IP6FW_SOCKET;
688 case NETLINK_DNRTMSG:
689 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 690 case NETLINK_KOBJECT_UEVENT:
691 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 692 default:
693 return SECCLASS_NETLINK_SOCKET;
694 }
695 case PF_PACKET:
696 return SECCLASS_PACKET_SOCKET;
697 case PF_KEY:
698 return SECCLASS_KEY_SOCKET;
699 }
700
701 return SECCLASS_SOCKET;
702}
703
704#ifdef CONFIG_PROC_FS
705static int selinux_proc_get_sid(struct proc_dir_entry *de,
706 u16 tclass,
707 u32 *sid)
708{
709 int buflen, rc;
710 char *buffer, *path, *end;
711
712 buffer = (char*)__get_free_page(GFP_KERNEL);
713 if (!buffer)
714 return -ENOMEM;
715
716 buflen = PAGE_SIZE;
717 end = buffer+buflen;
718 *--end = '\0';
719 buflen--;
720 path = end-1;
721 *path = '/';
722 while (de && de != de->parent) {
723 buflen -= de->namelen + 1;
724 if (buflen < 0)
725 break;
726 end -= de->namelen;
727 memcpy(end, de->name, de->namelen);
728 *--end = '/';
729 path = end;
730 de = de->parent;
731 }
732 rc = security_genfs_sid("proc", path, tclass, sid);
733 free_page((unsigned long)buffer);
734 return rc;
735}
736#else
737static int selinux_proc_get_sid(struct proc_dir_entry *de,
738 u16 tclass,
739 u32 *sid)
740{
741 return -EINVAL;
742}
743#endif
744
745/* The inode's security attributes must be initialized before first use. */
746static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
747{
748 struct superblock_security_struct *sbsec = NULL;
749 struct inode_security_struct *isec = inode->i_security;
750 u32 sid;
751 struct dentry *dentry;
752#define INITCONTEXTLEN 255
753 char *context = NULL;
754 unsigned len = 0;
755 int rc = 0;
756 int hold_sem = 0;
757
758 if (isec->initialized)
759 goto out;
760
761 down(&isec->sem);
762 hold_sem = 1;
763 if (isec->initialized)
764 goto out;
765
766 sbsec = inode->i_sb->s_security;
767 if (!sbsec->initialized) {
768 /* Defer initialization until selinux_complete_init,
769 after the initial policy is loaded and the security
770 server is ready to handle calls. */
771 spin_lock(&sbsec->isec_lock);
772 if (list_empty(&isec->list))
773 list_add(&isec->list, &sbsec->isec_head);
774 spin_unlock(&sbsec->isec_lock);
775 goto out;
776 }
777
778 switch (sbsec->behavior) {
779 case SECURITY_FS_USE_XATTR:
780 if (!inode->i_op->getxattr) {
781 isec->sid = sbsec->def_sid;
782 break;
783 }
784
785 /* Need a dentry, since the xattr API requires one.
786 Life would be simpler if we could just pass the inode. */
787 if (opt_dentry) {
788 /* Called from d_instantiate or d_splice_alias. */
789 dentry = dget(opt_dentry);
790 } else {
791 /* Called from selinux_complete_init, try to find a dentry. */
792 dentry = d_find_alias(inode);
793 }
794 if (!dentry) {
795 printk(KERN_WARNING "%s: no dentry for dev=%s "
796 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
797 inode->i_ino);
798 goto out;
799 }
800
801 len = INITCONTEXTLEN;
802 context = kmalloc(len, GFP_KERNEL);
803 if (!context) {
804 rc = -ENOMEM;
805 dput(dentry);
806 goto out;
807 }
808 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
809 context, len);
810 if (rc == -ERANGE) {
811 /* Need a larger buffer. Query for the right size. */
812 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
813 NULL, 0);
814 if (rc < 0) {
815 dput(dentry);
816 goto out;
817 }
818 kfree(context);
819 len = rc;
820 context = kmalloc(len, GFP_KERNEL);
821 if (!context) {
822 rc = -ENOMEM;
823 dput(dentry);
824 goto out;
825 }
826 rc = inode->i_op->getxattr(dentry,
827 XATTR_NAME_SELINUX,
828 context, len);
829 }
830 dput(dentry);
831 if (rc < 0) {
832 if (rc != -ENODATA) {
833 printk(KERN_WARNING "%s: getxattr returned "
834 "%d for dev=%s ino=%ld\n", __FUNCTION__,
835 -rc, inode->i_sb->s_id, inode->i_ino);
836 kfree(context);
837 goto out;
838 }
839 /* Map ENODATA to the default file SID */
840 sid = sbsec->def_sid;
841 rc = 0;
842 } else {
f5c1d5b2
JM		 843 rc = security_context_to_sid_default(context, rc, &sid,
844 sbsec->def_sid);
1da177e4
LT		 845 if (rc) {
846 printk(KERN_WARNING "%s: context_to_sid(%s) "
847 "returned %d for dev=%s ino=%ld\n",
848 __FUNCTION__, context, -rc,
849 inode->i_sb->s_id, inode->i_ino);
850 kfree(context);
851 /* Leave with the unlabeled SID */
852 rc = 0;
853 break;
854 }
855 }
856 kfree(context);
857 isec->sid = sid;
858 break;
859 case SECURITY_FS_USE_TASK:
860 isec->sid = isec->task_sid;
861 break;
862 case SECURITY_FS_USE_TRANS:
863 /* Default to the fs SID. */
864 isec->sid = sbsec->sid;
865
866 /* Try to obtain a transition SID. */
867 isec->sclass = inode_mode_to_security_class(inode->i_mode);
868 rc = security_transition_sid(isec->task_sid,
869 sbsec->sid,
870 isec->sclass,
871 &sid);
872 if (rc)
873 goto out;
874 isec->sid = sid;
875 break;
876 default:
877 /* Default to the fs SID. */
878 isec->sid = sbsec->sid;
879
880 if (sbsec->proc) {
881 struct proc_inode *proci = PROC_I(inode);
882 if (proci->pde) {
883 isec->sclass = inode_mode_to_security_class(inode->i_mode);
884 rc = selinux_proc_get_sid(proci->pde,
885 isec->sclass,
886 &sid);
887 if (rc)
888 goto out;
889 isec->sid = sid;
890 }
891 }
892 break;
893 }
894
895 isec->initialized = 1;
896
897out:
898 if (isec->sclass == SECCLASS_FILE)
899 isec->sclass = inode_mode_to_security_class(inode->i_mode);
900
901 if (hold_sem)
902 up(&isec->sem);
903 return rc;
904}
905
906/* Convert a Linux signal to an access vector. */
907static inline u32 signal_to_av(int sig)
908{
909 u32 perm = 0;
910
911 switch (sig) {
912 case SIGCHLD:
913 /* Commonly granted from child to parent. */
914 perm = PROCESS__SIGCHLD;
915 break;
916 case SIGKILL:
917 /* Cannot be caught or ignored */
918 perm = PROCESS__SIGKILL;
919 break;
920 case SIGSTOP:
921 /* Cannot be caught or ignored */
922 perm = PROCESS__SIGSTOP;
923 break;
924 default:
925 /* All other signals. */
926 perm = PROCESS__SIGNAL;
927 break;
928 }
929
930 return perm;
931}
932
933/* Check permission betweeen a pair of tasks, e.g. signal checks,
934 fork check, ptrace check, etc. */
935static int task_has_perm(struct task_struct *tsk1,
936 struct task_struct *tsk2,
937 u32 perms)
938{
939 struct task_security_struct *tsec1, *tsec2;
940
941 tsec1 = tsk1->security;
942 tsec2 = tsk2->security;
943 return avc_has_perm(tsec1->sid, tsec2->sid,
944 SECCLASS_PROCESS, perms, NULL);
945}
946
947/* Check whether a task is allowed to use a capability. */
948static int task_has_capability(struct task_struct *tsk,
949 int cap)
950{
951 struct task_security_struct *tsec;
952 struct avc_audit_data ad;
953
954 tsec = tsk->security;
955
956 AVC_AUDIT_DATA_INIT(&ad,CAP);
957 ad.tsk = tsk;
958 ad.u.cap = cap;
959
960 return avc_has_perm(tsec->sid, tsec->sid,
961 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
962}
963
964/* Check whether a task is allowed to use a system operation. */
965static int task_has_system(struct task_struct *tsk,
966 u32 perms)
967{
968 struct task_security_struct *tsec;
969
970 tsec = tsk->security;
971
972 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
973 SECCLASS_SYSTEM, perms, NULL);
974}
975
976/* Check whether a task has a particular permission to an inode.
977 The 'adp' parameter is optional and allows other audit
978 data to be passed (e.g. the dentry). */
979static int inode_has_perm(struct task_struct *tsk,
980 struct inode *inode,
981 u32 perms,
982 struct avc_audit_data *adp)
983{
984 struct task_security_struct *tsec;
985 struct inode_security_struct *isec;
986 struct avc_audit_data ad;
987
988 tsec = tsk->security;
989 isec = inode->i_security;
990
991 if (!adp) {
992 adp = &ad;
993 AVC_AUDIT_DATA_INIT(&ad, FS);
994 ad.u.fs.inode = inode;
995 }
996
997 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
998}
999
1000/* Same as inode_has_perm, but pass explicit audit data containing
1001 the dentry to help the auditing code to more easily generate the
1002 pathname if needed. */
1003static inline int dentry_has_perm(struct task_struct *tsk,
1004 struct vfsmount *mnt,
1005 struct dentry *dentry,
1006 u32 av)
1007{
1008 struct inode *inode = dentry->d_inode;
1009 struct avc_audit_data ad;
1010 AVC_AUDIT_DATA_INIT(&ad,FS);
1011 ad.u.fs.mnt = mnt;
1012 ad.u.fs.dentry = dentry;
1013 return inode_has_perm(tsk, inode, av, &ad);
1014}
1015
1016/* Check whether a task can use an open file descriptor to
1017 access an inode in a given way. Check access to the
1018 descriptor itself, and then use dentry_has_perm to
1019 check a particular permission to the file.
1020 Access to the descriptor is implicitly granted if it
1021 has the same SID as the process. If av is zero, then
1022 access to the file is not checked, e.g. for cases
1023 where only the descriptor is affected like seek. */
858119e1 1024static int file_has_perm(struct task_struct *tsk,
1da177e4
LT		 1025 struct file *file,
1026 u32 av)
1027{
1028 struct task_security_struct *tsec = tsk->security;
1029 struct file_security_struct *fsec = file->f_security;
1030 struct vfsmount *mnt = file->f_vfsmnt;
1031 struct dentry *dentry = file->f_dentry;
1032 struct inode *inode = dentry->d_inode;
1033 struct avc_audit_data ad;
1034 int rc;
1035
1036 AVC_AUDIT_DATA_INIT(&ad, FS);
1037 ad.u.fs.mnt = mnt;
1038 ad.u.fs.dentry = dentry;
1039
1040 if (tsec->sid != fsec->sid) {
1041 rc = avc_has_perm(tsec->sid, fsec->sid,
1042 SECCLASS_FD,
1043 FD__USE,
1044 &ad);
1045 if (rc)
1046 return rc;
1047 }
1048
1049 /* av is zero if only checking access to the descriptor. */
1050 if (av)
1051 return inode_has_perm(tsk, inode, av, &ad);
1052
1053 return 0;
1054}
1055
1056/* Check whether a task can create a file. */
1057static int may_create(struct inode *dir,
1058 struct dentry *dentry,
1059 u16 tclass)
1060{
1061 struct task_security_struct *tsec;
1062 struct inode_security_struct *dsec;
1063 struct superblock_security_struct *sbsec;
1064 u32 newsid;
1065 struct avc_audit_data ad;
1066 int rc;
1067
1068 tsec = current->security;
1069 dsec = dir->i_security;
1070 sbsec = dir->i_sb->s_security;
1071
1072 AVC_AUDIT_DATA_INIT(&ad, FS);
1073 ad.u.fs.dentry = dentry;
1074
1075 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1076 DIR__ADD_NAME | DIR__SEARCH,
1077 &ad);
1078 if (rc)
1079 return rc;
1080
1081 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1082 newsid = tsec->create_sid;
1083 } else {
1084 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1085 &newsid);
1086 if (rc)
1087 return rc;
1088 }
1089
1090 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1091 if (rc)
1092 return rc;
1093
1094 return avc_has_perm(newsid, sbsec->sid,
1095 SECCLASS_FILESYSTEM,
1096 FILESYSTEM__ASSOCIATE, &ad);
1097}
1098
1099#define MAY_LINK 0
1100#define MAY_UNLINK 1
1101#define MAY_RMDIR 2
1102
1103/* Check whether a task can link, unlink, or rmdir a file/directory. */
1104static int may_link(struct inode *dir,
1105 struct dentry *dentry,
1106 int kind)
1107
1108{
1109 struct task_security_struct *tsec;
1110 struct inode_security_struct *dsec, *isec;
1111 struct avc_audit_data ad;
1112 u32 av;
1113 int rc;
1114
1115 tsec = current->security;
1116 dsec = dir->i_security;
1117 isec = dentry->d_inode->i_security;
1118
1119 AVC_AUDIT_DATA_INIT(&ad, FS);
1120 ad.u.fs.dentry = dentry;
1121
1122 av = DIR__SEARCH;
1123 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1124 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1125 if (rc)
1126 return rc;
1127
1128 switch (kind) {
1129 case MAY_LINK:
1130 av = FILE__LINK;
1131 break;
1132 case MAY_UNLINK:
1133 av = FILE__UNLINK;
1134 break;
1135 case MAY_RMDIR:
1136 av = DIR__RMDIR;
1137 break;
1138 default:
1139 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1140 return 0;
1141 }
1142
1143 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1144 return rc;
1145}
1146
1147static inline int may_rename(struct inode *old_dir,
1148 struct dentry *old_dentry,
1149 struct inode *new_dir,
1150 struct dentry *new_dentry)
1151{
1152 struct task_security_struct *tsec;
1153 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1154 struct avc_audit_data ad;
1155 u32 av;
1156 int old_is_dir, new_is_dir;
1157 int rc;
1158
1159 tsec = current->security;
1160 old_dsec = old_dir->i_security;
1161 old_isec = old_dentry->d_inode->i_security;
1162 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1163 new_dsec = new_dir->i_security;
1164
1165 AVC_AUDIT_DATA_INIT(&ad, FS);
1166
1167 ad.u.fs.dentry = old_dentry;
1168 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1169 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1170 if (rc)
1171 return rc;
1172 rc = avc_has_perm(tsec->sid, old_isec->sid,
1173 old_isec->sclass, FILE__RENAME, &ad);
1174 if (rc)
1175 return rc;
1176 if (old_is_dir && new_dir != old_dir) {
1177 rc = avc_has_perm(tsec->sid, old_isec->sid,
1178 old_isec->sclass, DIR__REPARENT, &ad);
1179 if (rc)
1180 return rc;
1181 }
1182
1183 ad.u.fs.dentry = new_dentry;
1184 av = DIR__ADD_NAME | DIR__SEARCH;
1185 if (new_dentry->d_inode)
1186 av |= DIR__REMOVE_NAME;
1187 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1188 if (rc)
1189 return rc;
1190 if (new_dentry->d_inode) {
1191 new_isec = new_dentry->d_inode->i_security;
1192 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1193 rc = avc_has_perm(tsec->sid, new_isec->sid,
1194 new_isec->sclass,
1195 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1196 if (rc)
1197 return rc;
1198 }
1199
1200 return 0;
1201}
1202
1203/* Check whether a task can perform a filesystem operation. */
1204static int superblock_has_perm(struct task_struct *tsk,
1205 struct super_block *sb,
1206 u32 perms,
1207 struct avc_audit_data *ad)
1208{
1209 struct task_security_struct *tsec;
1210 struct superblock_security_struct *sbsec;
1211
1212 tsec = tsk->security;
1213 sbsec = sb->s_security;
1214 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1215 perms, ad);
1216}
1217
1218/* Convert a Linux mode and permission mask to an access vector. */
1219static inline u32 file_mask_to_av(int mode, int mask)
1220{
1221 u32 av = 0;
1222
1223 if ((mode & S_IFMT) != S_IFDIR) {
1224 if (mask & MAY_EXEC)
1225 av |= FILE__EXECUTE;
1226 if (mask & MAY_READ)
1227 av |= FILE__READ;
1228
1229 if (mask & MAY_APPEND)
1230 av |= FILE__APPEND;
1231 else if (mask & MAY_WRITE)
1232 av |= FILE__WRITE;
1233
1234 } else {
1235 if (mask & MAY_EXEC)
1236 av |= DIR__SEARCH;
1237 if (mask & MAY_WRITE)
1238 av |= DIR__WRITE;
1239 if (mask & MAY_READ)
1240 av |= DIR__READ;
1241 }
1242
1243 return av;
1244}
1245
1246/* Convert a Linux file to an access vector. */
1247static inline u32 file_to_av(struct file *file)
1248{
1249 u32 av = 0;
1250
1251 if (file->f_mode & FMODE_READ)
1252 av |= FILE__READ;
1253 if (file->f_mode & FMODE_WRITE) {
1254 if (file->f_flags & O_APPEND)
1255 av |= FILE__APPEND;
1256 else
1257 av |= FILE__WRITE;
1258 }
1259
1260 return av;
1261}
1262
1263/* Set an inode's SID to a specified value. */
1264static int inode_security_set_sid(struct inode *inode, u32 sid)
1265{
1266 struct inode_security_struct *isec = inode->i_security;
1267 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1268
1269 if (!sbsec->initialized) {
1270 /* Defer initialization to selinux_complete_init. */
1271 return 0;
1272 }
1273
1274 down(&isec->sem);
1275 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1276 isec->sid = sid;
1277 isec->initialized = 1;
1278 up(&isec->sem);
1279 return 0;
1280}
1281
1da177e4
LT		 1282/* Hook functions begin here. */
1283
1284static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1285{
1286 struct task_security_struct *psec = parent->security;
1287 struct task_security_struct *csec = child->security;
1288 int rc;
1289
1290 rc = secondary_ops->ptrace(parent,child);
1291 if (rc)
1292 return rc;
1293
1294 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1295 /* Save the SID of the tracing process for later use in apply_creds. */
341c2d80 1296 if (!(child->ptrace & PT_PTRACED) && !rc)
1da177e4
LT		 1297 csec->ptrace_sid = psec->sid;
1298 return rc;
1299}
1300
1301static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1302 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1303{
1304 int error;
1305
1306 error = task_has_perm(current, target, PROCESS__GETCAP);
1307 if (error)
1308 return error;
1309
1310 return secondary_ops->capget(target, effective, inheritable, permitted);
1311}
1312
1313static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1314 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1315{
1316 int error;
1317
1318 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1319 if (error)
1320 return error;
1321
1322 return task_has_perm(current, target, PROCESS__SETCAP);
1323}
1324
1325static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1326 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1327{
1328 secondary_ops->capset_set(target, effective, inheritable, permitted);
1329}
1330
1331static int selinux_capable(struct task_struct *tsk, int cap)
1332{
1333 int rc;
1334
1335 rc = secondary_ops->capable(tsk, cap);
1336 if (rc)
1337 return rc;
1338
1339 return task_has_capability(tsk,cap);
1340}
1341
1342static int selinux_sysctl(ctl_table *table, int op)
1343{
1344 int error = 0;
1345 u32 av;
1346 struct task_security_struct *tsec;
1347 u32 tsid;
1348 int rc;
1349
1350 rc = secondary_ops->sysctl(table, op);
1351 if (rc)
1352 return rc;
1353
1354 tsec = current->security;
1355
1356 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1357 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1358 if (rc) {
1359 /* Default to the well-defined sysctl SID. */
1360 tsid = SECINITSID_SYSCTL;
1361 }
1362
1363 /* The op values are "defined" in sysctl.c, thereby creating
1364 * a bad coupling between this module and sysctl.c */
1365 if(op == 001) {
1366 error = avc_has_perm(tsec->sid, tsid,
1367 SECCLASS_DIR, DIR__SEARCH, NULL);
1368 } else {
1369 av = 0;
1370 if (op & 004)
1371 av |= FILE__READ;
1372 if (op & 002)
1373 av |= FILE__WRITE;
1374 if (av)
1375 error = avc_has_perm(tsec->sid, tsid,
1376 SECCLASS_FILE, av, NULL);
1377 }
1378
1379 return error;
1380}
1381
1382static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1383{
1384 int rc = 0;
1385
1386 if (!sb)
1387 return 0;
1388
1389 switch (cmds) {
1390 case Q_SYNC:
1391 case Q_QUOTAON:
1392 case Q_QUOTAOFF:
1393 case Q_SETINFO:
1394 case Q_SETQUOTA:
1395 rc = superblock_has_perm(current,
1396 sb,
1397 FILESYSTEM__QUOTAMOD, NULL);
1398 break;
1399 case Q_GETFMT:
1400 case Q_GETINFO:
1401 case Q_GETQUOTA:
1402 rc = superblock_has_perm(current,
1403 sb,
1404 FILESYSTEM__QUOTAGET, NULL);
1405 break;
1406 default:
1407 rc = 0; /* let the kernel handle invalid cmds */
1408 break;
1409 }
1410 return rc;
1411}
1412
1413static int selinux_quota_on(struct dentry *dentry)
1414{
1415 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1416}
1417
1418static int selinux_syslog(int type)
1419{
1420 int rc;
1421
1422 rc = secondary_ops->syslog(type);
1423 if (rc)
1424 return rc;
1425
1426 switch (type) {
1427 case 3: /* Read last kernel messages */
1428 case 10: /* Return size of the log buffer */
1429 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1430 break;
1431 case 6: /* Disable logging to console */
1432 case 7: /* Enable logging to console */
1433 case 8: /* Set level of messages printed to console */
1434 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1435 break;
1436 case 0: /* Close log */
1437 case 1: /* Open log */
1438 case 2: /* Read from log */
1439 case 4: /* Read/clear last kernel messages */
1440 case 5: /* Clear ring buffer */
1441 default:
1442 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1443 break;
1444 }
1445 return rc;
1446}
1447
1448/*
1449 * Check that a process has enough memory to allocate a new virtual
1450 * mapping. 0 means there is enough memory for the allocation to
1451 * succeed and -ENOMEM implies there is not.
1452 *
1453 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1454 * if the capability is granted, but __vm_enough_memory requires 1 if
1455 * the capability is granted.
1456 *
1457 * Do not audit the selinux permission check, as this is applied to all
1458 * processes that allocate mappings.
1459 */
1460static int selinux_vm_enough_memory(long pages)
1461{
1462 int rc, cap_sys_admin = 0;
1463 struct task_security_struct *tsec = current->security;
1464
1465 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1466 if (rc == 0)
1467 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1468 SECCLASS_CAPABILITY,
1469 CAP_TO_MASK(CAP_SYS_ADMIN),
1470 NULL);
1471
1472 if (rc == 0)
1473 cap_sys_admin = 1;
1474
1475 return __vm_enough_memory(pages, cap_sys_admin);
1476}
1477
1478/* binprm security operations */
1479
1480static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1481{
1482 struct bprm_security_struct *bsec;
1483
89d155ef 1484 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1da177e4
LT		 1485 if (!bsec)
1486 return -ENOMEM;
1487
1da177e4
LT		 1488 bsec->bprm = bprm;
1489 bsec->sid = SECINITSID_UNLABELED;
1490 bsec->set = 0;
1491
1492 bprm->security = bsec;
1493 return 0;
1494}
1495
1496static int selinux_bprm_set_security(struct linux_binprm *bprm)
1497{
1498 struct task_security_struct *tsec;
1499 struct inode *inode = bprm->file->f_dentry->d_inode;
1500 struct inode_security_struct *isec;
1501 struct bprm_security_struct *bsec;
1502 u32 newsid;
1503 struct avc_audit_data ad;
1504 int rc;
1505
1506 rc = secondary_ops->bprm_set_security(bprm);
1507 if (rc)
1508 return rc;
1509
1510 bsec = bprm->security;
1511
1512 if (bsec->set)
1513 return 0;
1514
1515 tsec = current->security;
1516 isec = inode->i_security;
1517
1518 /* Default to the current task SID. */
1519 bsec->sid = tsec->sid;
1520
1521 /* Reset create SID on execve. */
1522 tsec->create_sid = 0;
1523
1524 if (tsec->exec_sid) {
1525 newsid = tsec->exec_sid;
1526 /* Reset exec SID on execve. */
1527 tsec->exec_sid = 0;
1528 } else {
1529 /* Check for a default transition on this program. */
1530 rc = security_transition_sid(tsec->sid, isec->sid,
1531 SECCLASS_PROCESS, &newsid);
1532 if (rc)
1533 return rc;
1534 }
1535
1536 AVC_AUDIT_DATA_INIT(&ad, FS);
1537 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1538 ad.u.fs.dentry = bprm->file->f_dentry;
1539
1540 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1541 newsid = tsec->sid;
1542
1543 if (tsec->sid == newsid) {
1544 rc = avc_has_perm(tsec->sid, isec->sid,
1545 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1546 if (rc)
1547 return rc;
1548 } else {
1549 /* Check permissions for the transition. */
1550 rc = avc_has_perm(tsec->sid, newsid,
1551 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1552 if (rc)
1553 return rc;
1554
1555 rc = avc_has_perm(newsid, isec->sid,
1556 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1557 if (rc)
1558 return rc;
1559
1560 /* Clear any possibly unsafe personality bits on exec: */
1561 current->personality &= ~PER_CLEAR_ON_SETID;
1562
1563 /* Set the security field to the new SID. */
1564 bsec->sid = newsid;
1565 }
1566
1567 bsec->set = 1;
1568 return 0;
1569}
1570
1571static int selinux_bprm_check_security (struct linux_binprm *bprm)
1572{
1573 return secondary_ops->bprm_check_security(bprm);
1574}
1575
1576
1577static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1578{
1579 struct task_security_struct *tsec = current->security;
1580 int atsecure = 0;
1581
1582 if (tsec->osid != tsec->sid) {
1583 /* Enable secure mode for SIDs transitions unless
1584 the noatsecure permission is granted between
1585 the two SIDs, i.e. ahp returns 0. */
1586 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1587 SECCLASS_PROCESS,
1588 PROCESS__NOATSECURE, NULL);
1589 }
1590
1591 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1592}
1593
1594static void selinux_bprm_free_security(struct linux_binprm *bprm)
1595{
9a5f04bf 1596 kfree(bprm->security);
1da177e4 1597 bprm->security = NULL;
1da177e4
LT		 1598}
1599
1600extern struct vfsmount *selinuxfs_mount;
1601extern struct dentry *selinux_null;
1602
1603/* Derived from fs/exec.c:flush_old_files. */
1604static inline void flush_unauthorized_files(struct files_struct * files)
1605{
1606 struct avc_audit_data ad;
1607 struct file *file, *devnull = NULL;
1608 struct tty_struct *tty = current->signal->tty;
badf1662 1609 struct fdtable *fdt;
1da177e4
LT		 1610 long j = -1;
1611
1612 if (tty) {
1613 file_list_lock();
2f512016 1614 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1da177e4
LT		 1615 if (file) {
1616 /* Revalidate access to controlling tty.
1617 Use inode_has_perm on the tty inode directly rather
1618 than using file_has_perm, as this particular open
1619 file may belong to another process and we are only
1620 interested in the inode-based check here. */
1621 struct inode *inode = file->f_dentry->d_inode;
1622 if (inode_has_perm(current, inode,
1623 FILE__READ | FILE__WRITE, NULL)) {
1624 /* Reset controlling tty. */
1625 current->signal->tty = NULL;
1626 current->signal->tty_old_pgrp = 0;
1627 }
1628 }
1629 file_list_unlock();
1630 }
1631
1632 /* Revalidate access to inherited open files. */
1633
1634 AVC_AUDIT_DATA_INIT(&ad,FS);
1635
1636 spin_lock(&files->file_lock);
1637 for (;;) {
1638 unsigned long set, i;
1639 int fd;
1640
1641 j++;
1642 i = j * __NFDBITS;
badf1662
DS		 1643 fdt = files_fdtable(files);
1644 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1da177e4 1645 break;
badf1662 1646 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 1647 if (!set)
1648 continue;
1649 spin_unlock(&files->file_lock);
1650 for ( ; set ; i++,set >>= 1) {
1651 if (set & 1) {
1652 file = fget(i);
1653 if (!file)
1654 continue;
1655 if (file_has_perm(current,
1656 file,
1657 file_to_av(file))) {
1658 sys_close(i);
1659 fd = get_unused_fd();
1660 if (fd != i) {
1661 if (fd >= 0)
1662 put_unused_fd(fd);
1663 fput(file);
1664 continue;
1665 }
1666 if (devnull) {
095975da 1667 get_file(devnull);
1da177e4
LT		 1668 } else {
1669 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1670 if (!devnull) {
1671 put_unused_fd(fd);
1672 fput(file);
1673 continue;
1674 }
1675 }
1676 fd_install(fd, devnull);
1677 }
1678 fput(file);
1679 }
1680 }
1681 spin_lock(&files->file_lock);
1682
1683 }
1684 spin_unlock(&files->file_lock);
1685}
1686
1687static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1688{
1689 struct task_security_struct *tsec;
1690 struct bprm_security_struct *bsec;
1691 u32 sid;
1692 int rc;
1693
1694 secondary_ops->bprm_apply_creds(bprm, unsafe);
1695
1696 tsec = current->security;
1697
1698 bsec = bprm->security;
1699 sid = bsec->sid;
1700
1701 tsec->osid = tsec->sid;
1702 bsec->unsafe = 0;
1703 if (tsec->sid != sid) {
1704 /* Check for shared state. If not ok, leave SID
1705 unchanged and kill. */
1706 if (unsafe & LSM_UNSAFE_SHARE) {
1707 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1708 PROCESS__SHARE, NULL);
1709 if (rc) {
1710 bsec->unsafe = 1;
1711 return;
1712 }
1713 }
1714
1715 /* Check for ptracing, and update the task SID if ok.
1716 Otherwise, leave SID unchanged and kill. */
1717 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1718 rc = avc_has_perm(tsec->ptrace_sid, sid,
1719 SECCLASS_PROCESS, PROCESS__PTRACE,
1720 NULL);
1721 if (rc) {
1722 bsec->unsafe = 1;
1723 return;
1724 }
1725 }
1726 tsec->sid = sid;
1727 }
1728}
1729
1730/*
1731 * called after apply_creds without the task lock held
1732 */
1733static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1734{
1735 struct task_security_struct *tsec;
1736 struct rlimit *rlim, *initrlim;
1737 struct itimerval itimer;
1738 struct bprm_security_struct *bsec;
1739 int rc, i;
1740
1741 tsec = current->security;
1742 bsec = bprm->security;
1743
1744 if (bsec->unsafe) {
1745 force_sig_specific(SIGKILL, current);
1746 return;
1747 }
1748 if (tsec->osid == tsec->sid)
1749 return;
1750
1751 /* Close files for which the new task SID is not authorized. */
1752 flush_unauthorized_files(current->files);
1753
1754 /* Check whether the new SID can inherit signal state
1755 from the old SID. If not, clear itimers to avoid
1756 subsequent signal generation and flush and unblock
1757 signals. This must occur _after_ the task SID has
1758 been updated so that any kill done after the flush
1759 will be checked against the new SID. */
1760 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1761 PROCESS__SIGINH, NULL);
1762 if (rc) {
1763 memset(&itimer, 0, sizeof itimer);
1764 for (i = 0; i < 3; i++)
1765 do_setitimer(i, &itimer, NULL);
1766 flush_signals(current);
1767 spin_lock_irq(&current->sighand->siglock);
1768 flush_signal_handlers(current, 1);
1769 sigemptyset(&current->blocked);
1770 recalc_sigpending();
1771 spin_unlock_irq(&current->sighand->siglock);
1772 }
1773
1774 /* Check whether the new SID can inherit resource limits
1775 from the old SID. If not, reset all soft limits to
1776 the lower of the current task's hard limit and the init
1777 task's soft limit. Note that the setting of hard limits
1778 (even to lower them) can be controlled by the setrlimit
1779 check. The inclusion of the init task's soft limit into
1780 the computation is to avoid resetting soft limits higher
1781 than the default soft limit for cases where the default
1782 is lower than the hard limit, e.g. RLIMIT_CORE or
1783 RLIMIT_STACK.*/
1784 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1785 PROCESS__RLIMITINH, NULL);
1786 if (rc) {
1787 for (i = 0; i < RLIM_NLIMITS; i++) {
1788 rlim = current->signal->rlim + i;
1789 initrlim = init_task.signal->rlim+i;
1790 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1791 }
1792 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1793 /*
1794 * This will cause RLIMIT_CPU calculations
1795 * to be refigured.
1796 */
1797 current->it_prof_expires = jiffies_to_cputime(1);
1798 }
1799 }
1800
1801 /* Wake up the parent if it is waiting so that it can
1802 recheck wait permission to the new task SID. */
1803 wake_up_interruptible(&current->parent->signal->wait_chldexit);
1804}
1805
1806/* superblock security operations */
1807
1808static int selinux_sb_alloc_security(struct super_block *sb)
1809{
1810 return superblock_alloc_security(sb);
1811}
1812
1813static void selinux_sb_free_security(struct super_block *sb)
1814{
1815 superblock_free_security(sb);
1816}
1817
1818static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1819{
1820 if (plen > olen)
1821 return 0;
1822
1823 return !memcmp(prefix, option, plen);
1824}
1825
1826static inline int selinux_option(char *option, int len)
1827{
1828 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1829 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1830 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1831}
1832
1833static inline void take_option(char **to, char *from, int *first, int len)
1834{
1835 if (!*first) {
1836 **to = ',';
1837 *to += 1;
1838 }
1839 else
1840 *first = 0;
1841 memcpy(*to, from, len);
1842 *to += len;
1843}
1844
1845static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1846{
1847 int fnosec, fsec, rc = 0;
1848 char *in_save, *in_curr, *in_end;
1849 char *sec_curr, *nosec_save, *nosec;
1850
1851 in_curr = orig;
1852 sec_curr = copy;
1853
1854 /* Binary mount data: just copy */
1855 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1856 copy_page(sec_curr, in_curr);
1857 goto out;
1858 }
1859
1860 nosec = (char *)get_zeroed_page(GFP_KERNEL);
1861 if (!nosec) {
1862 rc = -ENOMEM;
1863 goto out;
1864 }
1865
1866 nosec_save = nosec;
1867 fnosec = fsec = 1;
1868 in_save = in_end = orig;
1869
1870 do {
1871 if (*in_end == ',' || *in_end == '\0') {
1872 int len = in_end - in_curr;
1873
1874 if (selinux_option(in_curr, len))
1875 take_option(&sec_curr, in_curr, &fsec, len);
1876 else
1877 take_option(&nosec, in_curr, &fnosec, len);
1878
1879 in_curr = in_end + 1;
1880 }
1881 } while (*in_end++);
1882
6931dfc9 1883 strcpy(in_save, nosec_save);
da3caa20 1884 free_page((unsigned long)nosec_save);
1da177e4
LT		 1885out:
1886 return rc;
1887}
1888
1889static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1890{
1891 struct avc_audit_data ad;
1892 int rc;
1893
1894 rc = superblock_doinit(sb, data);
1895 if (rc)
1896 return rc;
1897
1898 AVC_AUDIT_DATA_INIT(&ad,FS);
1899 ad.u.fs.dentry = sb->s_root;
1900 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1901}
1902
1903static int selinux_sb_statfs(struct super_block *sb)
1904{
1905 struct avc_audit_data ad;
1906
1907 AVC_AUDIT_DATA_INIT(&ad,FS);
1908 ad.u.fs.dentry = sb->s_root;
1909 return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1910}
1911
1912static int selinux_mount(char * dev_name,
1913 struct nameidata *nd,
1914 char * type,
1915 unsigned long flags,
1916 void * data)
1917{
1918 int rc;
1919
1920 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1921 if (rc)
1922 return rc;
1923
1924 if (flags & MS_REMOUNT)
1925 return superblock_has_perm(current, nd->mnt->mnt_sb,
1926 FILESYSTEM__REMOUNT, NULL);
1927 else
1928 return dentry_has_perm(current, nd->mnt, nd->dentry,
1929 FILE__MOUNTON);
1930}
1931
1932static int selinux_umount(struct vfsmount *mnt, int flags)
1933{
1934 int rc;
1935
1936 rc = secondary_ops->sb_umount(mnt, flags);
1937 if (rc)
1938 return rc;
1939
1940 return superblock_has_perm(current,mnt->mnt_sb,
1941 FILESYSTEM__UNMOUNT,NULL);
1942}
1943
1944/* inode security operations */
1945
1946static int selinux_inode_alloc_security(struct inode *inode)
1947{
1948 return inode_alloc_security(inode);
1949}
1950
1951static void selinux_inode_free_security(struct inode *inode)
1952{
1953 inode_free_security(inode);
1954}
1955
5e41ff9e
SS		 1956static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1957 char **name, void **value,
1958 size_t *len)
1959{
1960 struct task_security_struct *tsec;
1961 struct inode_security_struct *dsec;
1962 struct superblock_security_struct *sbsec;
570bc1c2 1963 u32 newsid, clen;
5e41ff9e 1964 int rc;
570bc1c2 1965 char *namep = NULL, *context;
5e41ff9e
SS		 1966
1967 tsec = current->security;
1968 dsec = dir->i_security;
1969 sbsec = dir->i_sb->s_security;
5e41ff9e
SS		 1970
1971 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1972 newsid = tsec->create_sid;
1973 } else {
1974 rc = security_transition_sid(tsec->sid, dsec->sid,
1975 inode_mode_to_security_class(inode->i_mode),
1976 &newsid);
1977 if (rc) {
1978 printk(KERN_WARNING "%s: "
1979 "security_transition_sid failed, rc=%d (dev=%s "
1980 "ino=%ld)\n",
1981 __FUNCTION__,
1982 -rc, inode->i_sb->s_id, inode->i_ino);
1983 return rc;
1984 }
1985 }
1986
1987 inode_security_set_sid(inode, newsid);
1988
8aad3875 1989 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
25a74f3b
SS		 1990 return -EOPNOTSUPP;
1991
570bc1c2
SS		 1992 if (name) {
1993 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
1994 if (!namep)
1995 return -ENOMEM;
1996 *name = namep;
1997 }
5e41ff9e 1998
570bc1c2
SS		 1999 if (value && len) {
2000 rc = security_sid_to_context(newsid, &context, &clen);
2001 if (rc) {
2002 kfree(namep);
2003 return rc;
2004 }
2005 *value = context;
2006 *len = clen;
5e41ff9e 2007 }
5e41ff9e 2008
5e41ff9e
SS		 2009 return 0;
2010}
2011
1da177e4
LT		 2012static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2013{
2014 return may_create(dir, dentry, SECCLASS_FILE);
2015}
2016
1da177e4
LT		 2017static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2018{
2019 int rc;
2020
2021 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2022 if (rc)
2023 return rc;
2024 return may_link(dir, old_dentry, MAY_LINK);
2025}
2026
1da177e4
LT		 2027static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2028{
2029 int rc;
2030
2031 rc = secondary_ops->inode_unlink(dir, dentry);
2032 if (rc)
2033 return rc;
2034 return may_link(dir, dentry, MAY_UNLINK);
2035}
2036
2037static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2038{
2039 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2040}
2041
1da177e4
LT		 2042static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2043{
2044 return may_create(dir, dentry, SECCLASS_DIR);
2045}
2046
1da177e4
LT		 2047static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2048{
2049 return may_link(dir, dentry, MAY_RMDIR);
2050}
2051
2052static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2053{
2054 int rc;
2055
2056 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2057 if (rc)
2058 return rc;
2059
2060 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2061}
2062
1da177e4
LT		 2063static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2064 struct inode *new_inode, struct dentry *new_dentry)
2065{
2066 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2067}
2068
1da177e4
LT		 2069static int selinux_inode_readlink(struct dentry *dentry)
2070{
2071 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2072}
2073
2074static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2075{
2076 int rc;
2077
2078 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2079 if (rc)
2080 return rc;
2081 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2082}
2083
2084static int selinux_inode_permission(struct inode *inode, int mask,
2085 struct nameidata *nd)
2086{
2087 int rc;
2088
2089 rc = secondary_ops->inode_permission(inode, mask, nd);
2090 if (rc)
2091 return rc;
2092
2093 if (!mask) {
2094 /* No permission to check. Existence test. */
2095 return 0;
2096 }
2097
2098 return inode_has_perm(current, inode,
2099 file_mask_to_av(inode->i_mode, mask), NULL);
2100}
2101
2102static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2103{
2104 int rc;
2105
2106 rc = secondary_ops->inode_setattr(dentry, iattr);
2107 if (rc)
2108 return rc;
2109
2110 if (iattr->ia_valid & ATTR_FORCE)
2111 return 0;
2112
2113 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2114 ATTR_ATIME_SET | ATTR_MTIME_SET))
2115 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2116
2117 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2118}
2119
2120static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2121{
2122 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2123}
2124
2125static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2126{
2127 struct task_security_struct *tsec = current->security;
2128 struct inode *inode = dentry->d_inode;
2129 struct inode_security_struct *isec = inode->i_security;
2130 struct superblock_security_struct *sbsec;
2131 struct avc_audit_data ad;
2132 u32 newsid;
2133 int rc = 0;
2134
2135 if (strcmp(name, XATTR_NAME_SELINUX)) {
2136 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2137 sizeof XATTR_SECURITY_PREFIX - 1) &&
2138 !capable(CAP_SYS_ADMIN)) {
2139 /* A different attribute in the security namespace.
2140 Restrict to administrator. */
2141 return -EPERM;
2142 }
2143
2144 /* Not an attribute we recognize, so just check the
2145 ordinary setattr permission. */
2146 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2147 }
2148
2149 sbsec = inode->i_sb->s_security;
2150 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2151 return -EOPNOTSUPP;
2152
2153 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2154 return -EPERM;
2155
2156 AVC_AUDIT_DATA_INIT(&ad,FS);
2157 ad.u.fs.dentry = dentry;
2158
2159 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2160 FILE__RELABELFROM, &ad);
2161 if (rc)
2162 return rc;
2163
2164 rc = security_context_to_sid(value, size, &newsid);
2165 if (rc)
2166 return rc;
2167
2168 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2169 FILE__RELABELTO, &ad);
2170 if (rc)
2171 return rc;
2172
2173 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2174 isec->sclass);
2175 if (rc)
2176 return rc;
2177
2178 return avc_has_perm(newsid,
2179 sbsec->sid,
2180 SECCLASS_FILESYSTEM,
2181 FILESYSTEM__ASSOCIATE,
2182 &ad);
2183}
2184
2185static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2186 void *value, size_t size, int flags)
2187{
2188 struct inode *inode = dentry->d_inode;
2189 struct inode_security_struct *isec = inode->i_security;
2190 u32 newsid;
2191 int rc;
2192
2193 if (strcmp(name, XATTR_NAME_SELINUX)) {
2194 /* Not an attribute we recognize, so nothing to do. */
2195 return;
2196 }
2197
2198 rc = security_context_to_sid(value, size, &newsid);
2199 if (rc) {
2200 printk(KERN_WARNING "%s: unable to obtain SID for context "
2201 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2202 return;
2203 }
2204
2205 isec->sid = newsid;
2206 return;
2207}
2208
2209static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2210{
1da177e4
LT		 2211 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2212}
2213
2214static int selinux_inode_listxattr (struct dentry *dentry)
2215{
2216 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2217}
2218
2219static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2220{
2221 if (strcmp(name, XATTR_NAME_SELINUX)) {
2222 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2223 sizeof XATTR_SECURITY_PREFIX - 1) &&
2224 !capable(CAP_SYS_ADMIN)) {
2225 /* A different attribute in the security namespace.
2226 Restrict to administrator. */
2227 return -EPERM;
2228 }
2229
2230 /* Not an attribute we recognize, so just check the
2231 ordinary setattr permission. Might want a separate
2232 permission for removexattr. */
2233 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2234 }
2235
2236 /* No one is allowed to remove a SELinux security label.
2237 You can change the label, but all data must be labeled. */
2238 return -EACCES;
2239}
2240
8c8570fb
DK		 2241static const char *selinux_inode_xattr_getsuffix(void)
2242{
2243 return XATTR_SELINUX_SUFFIX;
2244}
2245
d381d8a9
JM		 2246/*
2247 * Copy the in-core inode security context value to the user. If the
2248 * getxattr() prior to this succeeded, check to see if we need to
2249 * canonicalize the value to be finally returned to the user.
2250 *
2251 * Permission check is handled by selinux_inode_getxattr hook.
2252 */
7306a0b9 2253static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
1da177e4
LT		 2254{
2255 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2256
8c8570fb
DK		 2257 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2258 return -EOPNOTSUPP;
d381d8a9 2259
8c8570fb 2260 return selinux_getsecurity(isec->sid, buffer, size);
1da177e4
LT		 2261}
2262
2263static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2264 const void *value, size_t size, int flags)
2265{
2266 struct inode_security_struct *isec = inode->i_security;
2267 u32 newsid;
2268 int rc;
2269
2270 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2271 return -EOPNOTSUPP;
2272
2273 if (!value || !size)
2274 return -EACCES;
2275
2276 rc = security_context_to_sid((void*)value, size, &newsid);
2277 if (rc)
2278 return rc;
2279
2280 isec->sid = newsid;
2281 return 0;
2282}
2283
2284static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2285{
2286 const int len = sizeof(XATTR_NAME_SELINUX);
2287 if (buffer && len <= buffer_size)
2288 memcpy(buffer, XATTR_NAME_SELINUX, len);
2289 return len;
2290}
2291
2292/* file security operations */
2293
2294static int selinux_file_permission(struct file *file, int mask)
2295{
2296 struct inode *inode = file->f_dentry->d_inode;
2297
2298 if (!mask) {
2299 /* No permission to check. Existence test. */
2300 return 0;
2301 }
2302
2303 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2304 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2305 mask |= MAY_APPEND;
2306
2307 return file_has_perm(current, file,
2308 file_mask_to_av(inode->i_mode, mask));
2309}
2310
2311static int selinux_file_alloc_security(struct file *file)
2312{
2313 return file_alloc_security(file);
2314}
2315
2316static void selinux_file_free_security(struct file *file)
2317{
2318 file_free_security(file);
2319}
2320
2321static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2322 unsigned long arg)
2323{
2324 int error = 0;
2325
2326 switch (cmd) {
2327 case FIONREAD:
2328 /* fall through */
2329 case FIBMAP:
2330 /* fall through */
2331 case FIGETBSZ:
2332 /* fall through */
2333 case EXT2_IOC_GETFLAGS:
2334 /* fall through */
2335 case EXT2_IOC_GETVERSION:
2336 error = file_has_perm(current, file, FILE__GETATTR);
2337 break;
2338
2339 case EXT2_IOC_SETFLAGS:
2340 /* fall through */
2341 case EXT2_IOC_SETVERSION:
2342 error = file_has_perm(current, file, FILE__SETATTR);
2343 break;
2344
2345 /* sys_ioctl() checks */
2346 case FIONBIO:
2347 /* fall through */
2348 case FIOASYNC:
2349 error = file_has_perm(current, file, 0);
2350 break;
2351
2352 case KDSKBENT:
2353 case KDSKBSENT:
2354 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2355 break;
2356
2357 /* default case assumes that the command will go
2358 * to the file's ioctl() function.
2359 */
2360 default:
2361 error = file_has_perm(current, file, FILE__IOCTL);
2362
2363 }
2364 return error;
2365}
2366
2367static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2368{
2369#ifndef CONFIG_PPC32
2370 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2371 /*
2372 * We are making executable an anonymous mapping or a
2373 * private file mapping that will also be writable.
2374 * This has an additional check.
2375 */
2376 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2377 if (rc)
2378 return rc;
2379 }
2380#endif
2381
2382 if (file) {
2383 /* read access is always possible with a mapping */
2384 u32 av = FILE__READ;
2385
2386 /* write access only matters if the mapping is shared */
2387 if (shared && (prot & PROT_WRITE))
2388 av |= FILE__WRITE;
2389
2390 if (prot & PROT_EXEC)
2391 av |= FILE__EXECUTE;
2392
2393 return file_has_perm(current, file, av);
2394 }
2395 return 0;
2396}
2397
2398static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2399 unsigned long prot, unsigned long flags)
2400{
2401 int rc;
2402
2403 rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2404 if (rc)
2405 return rc;
2406
2407 if (selinux_checkreqprot)
2408 prot = reqprot;
2409
2410 return file_map_prot_check(file, prot,
2411 (flags & MAP_TYPE) == MAP_SHARED);
2412}
2413
2414static int selinux_file_mprotect(struct vm_area_struct *vma,
2415 unsigned long reqprot,
2416 unsigned long prot)
2417{
2418 int rc;
2419
2420 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2421 if (rc)
2422 return rc;
2423
2424 if (selinux_checkreqprot)
2425 prot = reqprot;
2426
2427#ifndef CONFIG_PPC32
db4c9641
SS		 2428 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2429 rc = 0;
2430 if (vma->vm_start >= vma->vm_mm->start_brk &&
2431 vma->vm_end <= vma->vm_mm->brk) {
2432 rc = task_has_perm(current, current,
2433 PROCESS__EXECHEAP);
2434 } else if (!vma->vm_file &&
2435 vma->vm_start <= vma->vm_mm->start_stack &&
2436 vma->vm_end >= vma->vm_mm->start_stack) {
2437 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2438 } else if (vma->vm_file && vma->anon_vma) {
2439 /*
2440 * We are making executable a file mapping that has
2441 * had some COW done. Since pages might have been
2442 * written, check ability to execute the possibly
2443 * modified content. This typically should only
2444 * occur for text relocations.
2445 */
2446 rc = file_has_perm(current, vma->vm_file,
2447 FILE__EXECMOD);
2448 }