projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
security: update selinux
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4 26#include <linux/init.h>
0b24dcb7 27#include <linux/kd.h>
1da177e4 28#include <linux/kernel.h>
0d094efe 29#include <linux/tracehook.h>
1da177e4
LT		 30#include <linux/errno.h>
31#include <linux/sched.h>
32#include <linux/security.h>
33#include <linux/xattr.h>
34#include <linux/capability.h>
35#include <linux/unistd.h>
36#include <linux/mm.h>
37#include <linux/mman.h>
38#include <linux/slab.h>
39#include <linux/pagemap.h>
0b24dcb7 40#include <linux/proc_fs.h>
1da177e4 41#include <linux/swap.h>
1da177e4
LT		 42#include <linux/spinlock.h>
43#include <linux/syscalls.h>
2a7dba39 44#include <linux/dcache.h>
1da177e4 45#include <linux/file.h>
9f3acc31 46#include <linux/fdtable.h>
1da177e4
LT		 47#include <linux/namei.h>
48#include <linux/mount.h>
1da177e4
LT		 49#include <linux/netfilter_ipv4.h>
50#include <linux/netfilter_ipv6.h>
51#include <linux/tty.h>
52#include <net/icmp.h>
227b60f5 53#include <net/ip.h> /* for local_port_range[] */
ca10b9e9 54#include <net/sock.h>
1da177e4 55#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
216c4a77 56#include <net/inet_connection_sock.h>
220deb96 57#include <net/net_namespace.h>
d621d35e 58#include <net/netlabel.h>
f5269710 59#include <linux/uaccess.h>
1da177e4 60#include <asm/ioctls.h>
60063497 61#include <linux/atomic.h>
1da177e4
LT		 62#include <linux/bitops.h>
63#include <linux/interrupt.h>
64#include <linux/netdevice.h> /* for network interface checks */
77954983 65#include <net/netlink.h>
1da177e4
LT		 66#include <linux/tcp.h>
67#include <linux/udp.h>
2ee92d46 68#include <linux/dccp.h>
1da177e4
LT		 69#include <linux/quota.h>
70#include <linux/un.h> /* for Unix socket types */
71#include <net/af_unix.h> /* for Unix socket types */
72#include <linux/parser.h>
73#include <linux/nfs_mount.h>
74#include <net/ipv6.h>
75#include <linux/hugetlb.h>
76#include <linux/personality.h>
1da177e4 77#include <linux/audit.h>
6931dfc9 78#include <linux/string.h>
877ce7c1 79#include <linux/selinux.h>
23970741 80#include <linux/mutex.h>
f06febc9 81#include <linux/posix-timers.h>
00234592 82#include <linux/syslog.h>
3486740a 83#include <linux/user_namespace.h>
44fc7ea0 84#include <linux/export.h>
40401530
AV		 85#include <linux/msg.h>
86#include <linux/shm.h>
1da177e4 87
949c2c1d
S		 88// [ SEC_SELINUX_PORTING COMMON
89#include <linux/delay.h>
90// ] SEC_SELINUX_PORTING COMMON
91
1da177e4
LT		 92#include "avc.h"
93#include "objsec.h"
94#include "netif.h"
224dfbd8 95#include "netnode.h"
3e112172 96#include "netport.h"
d28d1e08 97#include "xfrm.h"
c60475bf 98#include "netlabel.h"
9d57a7f9 99#include "audit.h"
7b98a585 100#include "avc_ss.h"
1da177e4 101
11689d47 102#define NUM_SEL_MNT_OPTS 5
c9180a57 103
20510f2f 104extern struct security_operations *security_ops;
1da177e4 105
d621d35e 106/* SECMARK reference count */
56a4ca99 107static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 108
1da177e4 109#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 110int selinux_enforcing;
1da177e4
LT		 111
112static int __init enforcing_setup(char *str)
113{
f5269710
EP		 114 unsigned long enforcing;
115 if (!strict_strtoul(str, 0, &enforcing))
116 selinux_enforcing = enforcing ? 1 : 0;
949c2c1d 117
1da177e4
LT		 118 return 1;
119}
120__setup("enforcing=", enforcing_setup);
121#endif
122
123#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
124int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
125
126static int __init selinux_enabled_setup(char *str)
127{
f5269710
EP		 128 unsigned long enabled;
129 if (!strict_strtoul(str, 0, &enabled))
130 selinux_enabled = enabled ? 1 : 0;
949c2c1d 131
1da177e4
LT		 132 return 1;
133}
134__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 135#else
136int selinux_enabled = 1;
1da177e4
LT		 137#endif
138
e18b890b 139static struct kmem_cache *sel_inode_cache;
7cae7e26 140
d621d35e
PM		 141/**
142 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
143 *
144 * Description:
145 * This function checks the SECMARK reference counter to see if any SECMARK
146 * targets are currently configured, if the reference counter is greater than
147 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
148 * enabled, false (0) if SECMARK is disabled.
149 *
150 */
151static int selinux_secmark_enabled(void)
152{
153 return (atomic_read(&selinux_secmark_refcount) > 0);
154}
155
d84f4f99
DH		 156/*
157 * initialise the security for the init task
158 */
159static void cred_init_security(void)
1da177e4 160{
3b11a1de 161 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 162 struct task_security_struct *tsec;
163
89d155ef 164 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 165 if (!tsec)
d84f4f99 166 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 167
d84f4f99 168 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 169 cred->security = tsec;
1da177e4
LT		 170}
171
88e67f3b
DH		 172/*
173 * get the security ID of a set of credentials
174 */
175static inline u32 cred_sid(const struct cred *cred)
176{
177 const struct task_security_struct *tsec;
178
179 tsec = cred->security;
180 return tsec->sid;
181}
182
275bb41e 183/*
3b11a1de 184 * get the objective security ID of a task
275bb41e
DH		 185 */
186static inline u32 task_sid(const struct task_struct *task)
187{
275bb41e
DH		 188 u32 sid;
189
190 rcu_read_lock();
88e67f3b 191 sid = cred_sid(__task_cred(task));
275bb41e
DH		 192 rcu_read_unlock();
193 return sid;
194}
195
196/*
3b11a1de 197 * get the subjective security ID of the current task
275bb41e
DH		 198 */
199static inline u32 current_sid(void)
200{
5fb49870 201 const struct task_security_struct *tsec = current_security();
275bb41e
DH		 202
203 return tsec->sid;
204}
205
88e67f3b
DH		 206/* Allocate and free functions for each kind of security blob. */
207
1da177e4
LT		 208static int inode_alloc_security(struct inode *inode)
209{
1da177e4 210 struct inode_security_struct *isec;
275bb41e 211 u32 sid = current_sid();
1da177e4 212
a02fe132 213 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 214 if (!isec)
215 return -ENOMEM;
216
23970741 217 mutex_init(&isec->lock);
1da177e4 218 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 219 isec->inode = inode;
220 isec->sid = SECINITSID_UNLABELED;
221 isec->sclass = SECCLASS_FILE;
275bb41e 222 isec->task_sid = sid;
1da177e4
LT		 223 inode->i_security = isec;
224
225 return 0;
226}
227
057f2f7d
SR		 228static void inode_free_rcu(struct rcu_head *head)
229{
230 struct inode_security_struct *isec;
231
232 isec = container_of(head, struct inode_security_struct, rcu);
233 kmem_cache_free(sel_inode_cache, isec);
234}
235
1da177e4
LT		 236static void inode_free_security(struct inode *inode)
237{
238 struct inode_security_struct *isec = inode->i_security;
239 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
240
1da177e4
LT		 241 spin_lock(&sbsec->isec_lock);
242 if (!list_empty(&isec->list))
243 list_del_init(&isec->list);
244 spin_unlock(&sbsec->isec_lock);
245
057f2f7d
SR		 246 /*
247 * The inode may still be referenced in a path walk and
248 * a call to selinux_inode_permission() can be made
249 * after inode_free_security() is called. Ideally, the VFS
250 * wouldn't do this, but fixing that is a much harder
251 * job. For now, simply free the i_security via RCU, and
252 * leave the current inode->i_security pointer intact.
253 * The inode will be freed after the RCU grace period too.
254 */
255 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 256}
257
258static int file_alloc_security(struct file *file)
259{
1da177e4 260 struct file_security_struct *fsec;
275bb41e 261 u32 sid = current_sid();
1da177e4 262
26d2a4be 263 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 264 if (!fsec)
265 return -ENOMEM;
266
275bb41e
DH		 267 fsec->sid = sid;
268 fsec->fown_sid = sid;
1da177e4
LT		 269 file->f_security = fsec;
270
271 return 0;
272}
273
274static void file_free_security(struct file *file)
275{
276 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 277 file->f_security = NULL;
278 kfree(fsec);
279}
280
281static int superblock_alloc_security(struct super_block *sb)
282{
283 struct superblock_security_struct *sbsec;
284
89d155ef 285 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 286 if (!sbsec)
287 return -ENOMEM;
288
bc7e982b 289 mutex_init(&sbsec->lock);
1da177e4
LT		 290 INIT_LIST_HEAD(&sbsec->isec_head);
291 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 292 sbsec->sb = sb;
293 sbsec->sid = SECINITSID_UNLABELED;
294 sbsec->def_sid = SECINITSID_FILE;
c312feb2 295 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 296 sb->s_security = sbsec;
297
298 return 0;
299}
300
301static void superblock_free_security(struct super_block *sb)
302{
303 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 304 sb->s_security = NULL;
305 kfree(sbsec);
306}
307
1da177e4
LT		 308/* The file system's label must be initialized prior to use. */
309
634a539e 310static const char *labeling_behaviors[6] = {
1da177e4
LT		 311 "uses xattr",
312 "uses transition SIDs",
313 "uses task SIDs",
314 "uses genfs_contexts",
315 "not configured for labeling",
316 "uses mountpoint labeling",
317};
318
319static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
320
321static inline int inode_doinit(struct inode *inode)
322{
323 return inode_doinit_with_dentry(inode, NULL);
324}
325
326enum {
31e87930 327 Opt_error = -1,
1da177e4
LT		 328 Opt_context = 1,
329 Opt_fscontext = 2,
c9180a57
EP		 330 Opt_defcontext = 3,
331 Opt_rootcontext = 4,
11689d47 332 Opt_labelsupport = 5,
1da177e4
LT		 333};
334
a447c093 335static const match_table_t tokens = {
832cbd9a
EP		 336 {Opt_context, CONTEXT_STR "%s"},
337 {Opt_fscontext, FSCONTEXT_STR "%s"},
338 {Opt_defcontext, DEFCONTEXT_STR "%s"},
339 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 340 {Opt_labelsupport, LABELSUPP_STR},
31e87930 341 {Opt_error, NULL},
1da177e4
LT		 342};
343
344#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
345
c312feb2
EP		 346static int may_context_mount_sb_relabel(u32 sid,
347 struct superblock_security_struct *sbsec,
275bb41e 348 const struct cred *cred)
c312feb2 349{
275bb41e 350 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 351 int rc;
352
353 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
354 FILESYSTEM__RELABELFROM, NULL);
355 if (rc)
356 return rc;
357
358 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
359 FILESYSTEM__RELABELTO, NULL);
360 return rc;
361}
362
0808925e
EP		 363static int may_context_mount_inode_relabel(u32 sid,
364 struct superblock_security_struct *sbsec,
275bb41e 365 const struct cred *cred)
0808925e 366{
275bb41e 367 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 368 int rc;
369 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
370 FILESYSTEM__RELABELFROM, NULL);
371 if (rc)
372 return rc;
373
374 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
375 FILESYSTEM__ASSOCIATE, NULL);
376 return rc;
377}
378
c9180a57 379static int sb_finish_set_opts(struct super_block *sb)
1da177e4 380{
1da177e4 381 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 382 struct dentry *root = sb->s_root;
383 struct inode *root_inode = root->d_inode;
384 int rc = 0;
1da177e4 385
c9180a57
EP		 386 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
387 /* Make sure that the xattr handler exists and that no
388 error other than -ENODATA is returned by getxattr on
389 the root directory. -ENODATA is ok, as this may be
390 the first boot of the SELinux kernel before we have
391 assigned xattr values to the filesystem. */
392 if (!root_inode->i_op->getxattr) {
393 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
394 "xattr support\n", sb->s_id, sb->s_type->name);
395 rc = -EOPNOTSUPP;
396 goto out;
397 }
398 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
399 if (rc < 0 && rc != -ENODATA) {
400 if (rc == -EOPNOTSUPP)
401 printk(KERN_WARNING "SELinux: (dev %s, type "
402 "%s) has no security xattr handler\n",
403 sb->s_id, sb->s_type->name);
404 else
405 printk(KERN_WARNING "SELinux: (dev %s, type "
406 "%s) getxattr errno %d\n", sb->s_id,
407 sb->s_type->name, -rc);
408 goto out;
409 }
410 }
1da177e4 411
11689d47 412 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
1da177e4 413
c9180a57
EP		 414 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
415 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
416 sb->s_id, sb->s_type->name);
417 else
418 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
419 sb->s_id, sb->s_type->name,
420 labeling_behaviors[sbsec->behavior-1]);
1da177e4 421
11689d47
DQ		 422 if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
423 sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
424 sbsec->behavior == SECURITY_FS_USE_NONE ||
425 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
426 sbsec->flags &= ~SE_SBLABELSUPP;
427
949c2c1d
S		 428 /* Special handling. Is genfs but also has in-core setxattr handler*/
429 if (!strcmp(sb->s_type->name, "sysfs") ||
430 !strcmp(sb->s_type->name, "pstore") ||
431 !strcmp(sb->s_type->name, "debugfs") ||
432 !strcmp(sb->s_type->name, "tmpfs") ||
433 !strcmp(sb->s_type->name, "rootfs"))
6fa3eb70
S		 434 sbsec->flags |= SE_SBLABELSUPP;
435
c9180a57
EP		 436 /* Initialize the root inode. */
437 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 438
c9180a57
EP		 439 /* Initialize any other inodes associated with the superblock, e.g.
440 inodes created prior to initial policy load or inodes created
441 during get_sb by a pseudo filesystem that directly
442 populates itself. */
443 spin_lock(&sbsec->isec_lock);
444next_inode:
445 if (!list_empty(&sbsec->isec_head)) {
446 struct inode_security_struct *isec =
447 list_entry(sbsec->isec_head.next,
448 struct inode_security_struct, list);
449 struct inode *inode = isec->inode;
e38e049b 450 list_del_init(&isec->list);
c9180a57
EP		 451 spin_unlock(&sbsec->isec_lock);
452 inode = igrab(inode);
453 if (inode) {
454 if (!IS_PRIVATE(inode))
455 inode_doinit(inode);
456 iput(inode);
457 }
458 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 459 goto next_inode;
460 }
461 spin_unlock(&sbsec->isec_lock);
462out:
463 return rc;
464}
1da177e4 465
c9180a57
EP		 466/*
467 * This function should allow an FS to ask what it's mount security
468 * options were so it can use those later for submounts, displaying
469 * mount options, or whatever.
470 */
471static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 472 struct security_mnt_opts *opts)
c9180a57
EP		 473{
474 int rc = 0, i;
475 struct superblock_security_struct *sbsec = sb->s_security;
476 char *context = NULL;
477 u32 len;
478 char tmp;
1da177e4 479
e0007529 480 security_init_mnt_opts(opts);
1da177e4 481
0d90a7ec 482 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 483 return -EINVAL;
1da177e4 484
c9180a57
EP		 485 if (!ss_initialized)
486 return -EINVAL;
1da177e4 487
0d90a7ec 488 tmp = sbsec->flags & SE_MNTMASK;
c9180a57
EP		 489 /* count the number of mount options for this sb */
490 for (i = 0; i < 8; i++) {
491 if (tmp & 0x01)
e0007529 492 opts->num_mnt_opts++;
c9180a57
EP		 493 tmp >>= 1;
494 }
11689d47
DQ		 495 /* Check if the Label support flag is set */
496 if (sbsec->flags & SE_SBLABELSUPP)
497 opts->num_mnt_opts++;
1da177e4 498
e0007529
EP		 499 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
500 if (!opts->mnt_opts) {
c9180a57
EP		 501 rc = -ENOMEM;
502 goto out_free;
503 }
1da177e4 504
e0007529
EP		 505 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
506 if (!opts->mnt_opts_flags) {
c9180a57
EP		 507 rc = -ENOMEM;
508 goto out_free;
509 }
1da177e4 510
c9180a57
EP		 511 i = 0;
512 if (sbsec->flags & FSCONTEXT_MNT) {
513 rc = security_sid_to_context(sbsec->sid, &context, &len);
514 if (rc)
515 goto out_free;
e0007529
EP		 516 opts->mnt_opts[i] = context;
517 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 518 }
519 if (sbsec->flags & CONTEXT_MNT) {
520 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
521 if (rc)
522 goto out_free;
e0007529
EP		 523 opts->mnt_opts[i] = context;
524 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 525 }
526 if (sbsec->flags & DEFCONTEXT_MNT) {
527 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
528 if (rc)
529 goto out_free;
e0007529
EP		 530 opts->mnt_opts[i] = context;
531 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 532 }
533 if (sbsec->flags & ROOTCONTEXT_MNT) {
534 struct inode *root = sbsec->sb->s_root->d_inode;
535 struct inode_security_struct *isec = root->i_security;
0808925e 536
c9180a57
EP		 537 rc = security_sid_to_context(isec->sid, &context, &len);
538 if (rc)
539 goto out_free;
e0007529
EP		 540 opts->mnt_opts[i] = context;
541 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 542 }
11689d47
DQ		 543 if (sbsec->flags & SE_SBLABELSUPP) {
544 opts->mnt_opts[i] = NULL;
545 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
546 }
1da177e4 547
e0007529 548 BUG_ON(i != opts->num_mnt_opts);
1da177e4 549
c9180a57
EP		 550 return 0;
551
552out_free:
e0007529 553 security_free_mnt_opts(opts);
c9180a57
EP		 554 return rc;
555}
1da177e4 556
c9180a57
EP		 557static int bad_option(struct superblock_security_struct *sbsec, char flag,
558 u32 old_sid, u32 new_sid)
559{
0d90a7ec
DQ		 560 char mnt_flags = sbsec->flags & SE_MNTMASK;
561
c9180a57 562 /* check if the old mount command had the same options */
0d90a7ec 563 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 564 if (!(sbsec->flags & flag) ||
565 (old_sid != new_sid))
566 return 1;
567
568 /* check if we were passed the same options twice,
569 * aka someone passed context=a,context=b
570 */
0d90a7ec
DQ		 571 if (!(sbsec->flags & SE_SBINITIALIZED))
572 if (mnt_flags & flag)
c9180a57
EP		 573 return 1;
574 return 0;
575}
e0007529 576
c9180a57
EP		 577/*
578 * Allow filesystems with binary mount data to explicitly set mount point
579 * labeling information.
580 */
e0007529
EP		 581static int selinux_set_mnt_opts(struct super_block *sb,
582 struct security_mnt_opts *opts)
c9180a57 583{
275bb41e 584 const struct cred *cred = current_cred();
c9180a57 585 int rc = 0, i;
c9180a57
EP		 586 struct superblock_security_struct *sbsec = sb->s_security;
587 const char *name = sb->s_type->name;
089be43e
JM		 588 struct inode *inode = sbsec->sb->s_root->d_inode;
589 struct inode_security_struct *root_isec = inode->i_security;
c9180a57
EP		 590 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
591 u32 defcontext_sid = 0;
e0007529
EP		 592 char **mount_options = opts->mnt_opts;
593 int *flags = opts->mnt_opts_flags;
594 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 595
596 mutex_lock(&sbsec->lock);
597
598 if (!ss_initialized) {
599 if (!num_opts) {
600 /* Defer initialization until selinux_complete_init,
601 after the initial policy is loaded and the security
602 server is ready to handle calls. */
c9180a57
EP		 603 goto out;
604 }
605 rc = -EINVAL;
744ba35e
EP		 606 printk(KERN_WARNING "SELinux: Unable to set superblock options "
607 "before the security server is initialized\n");
1da177e4 608 goto out;
c9180a57 609 }
1da177e4 610
e0007529
EP		 611 /*
612 * Binary mount data FS will come through this function twice. Once
613 * from an explicit call and once from the generic calls from the vfs.
614 * Since the generic VFS calls will not contain any security mount data
615 * we need to skip the double mount verification.
616 *
617 * This does open a hole in which we will not notice if the first
618 * mount using this sb set explict options and a second mount using
619 * this sb does not set any security options. (The first options
620 * will be used for both mounts)
621 */
0d90a7ec 622 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 623 && (num_opts == 0))
f5269710 624 goto out;
e0007529 625
c9180a57
EP		 626 /*
627 * parse the mount options, check if they are valid sids.
628 * also check if someone is trying to mount the same sb more
629 * than once with different security options.
630 */
631 for (i = 0; i < num_opts; i++) {
632 u32 sid;
11689d47
DQ		 633
634 if (flags[i] == SE_SBLABELSUPP)
635 continue;
c9180a57
EP		 636 rc = security_context_to_sid(mount_options[i],
637 strlen(mount_options[i]), &sid);
1da177e4
LT		 638 if (rc) {
639 printk(KERN_WARNING "SELinux: security_context_to_sid"
640 "(%s) failed for (dev %s, type %s) errno=%d\n",
c9180a57
EP		 641 mount_options[i], sb->s_id, name, rc);
642 goto out;
643 }
644 switch (flags[i]) {
645 case FSCONTEXT_MNT:
646 fscontext_sid = sid;
647
648 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
649 fscontext_sid))
650 goto out_double_mount;
651
652 sbsec->flags |= FSCONTEXT_MNT;
653 break;
654 case CONTEXT_MNT:
655 context_sid = sid;
656
657 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
658 context_sid))
659 goto out_double_mount;
660
661 sbsec->flags |= CONTEXT_MNT;
662 break;
663 case ROOTCONTEXT_MNT:
664 rootcontext_sid = sid;
665
666 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
667 rootcontext_sid))
668 goto out_double_mount;
669
670 sbsec->flags |= ROOTCONTEXT_MNT;
671
672 break;
673 case DEFCONTEXT_MNT:
674 defcontext_sid = sid;
675
676 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
677 defcontext_sid))
678 goto out_double_mount;
679
680 sbsec->flags |= DEFCONTEXT_MNT;
681
682 break;
683 default:
684 rc = -EINVAL;
685 goto out;
1da177e4 686 }
c9180a57
EP		 687 }
688
0d90a7ec 689 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 690 /* previously mounted with options, but not on this attempt? */
0d90a7ec 691 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 692 goto out_double_mount;
693 rc = 0;
694 goto out;
695 }
696
089be43e 697 if (strcmp(sb->s_type->name, "proc") == 0)
0d90a7ec 698 sbsec->flags |= SE_SBPROC;
c9180a57
EP		 699
700 /* Determine the labeling behavior to use for this filesystem type. */
0d90a7ec 701 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
c9180a57
EP		 702 if (rc) {
703 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
089be43e 704 __func__, sb->s_type->name, rc);
c9180a57
EP		 705 goto out;
706 }
1da177e4 707
c9180a57
EP		 708 /* sets the context of the superblock for the fs being mounted. */
709 if (fscontext_sid) {
275bb41e 710 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 711 if (rc)
c9180a57 712 goto out;
1da177e4 713
c9180a57 714 sbsec->sid = fscontext_sid;
c312feb2
EP		 715 }
716
717 /*
718 * Switch to using mount point labeling behavior.
719 * sets the label used on all file below the mountpoint, and will set
720 * the superblock context if not already set.
721 */
c9180a57
EP		 722 if (context_sid) {
723 if (!fscontext_sid) {
275bb41e
DH		 724 rc = may_context_mount_sb_relabel(context_sid, sbsec,
725 cred);
b04ea3ce 726 if (rc)
c9180a57
EP		 727 goto out;
728 sbsec->sid = context_sid;
b04ea3ce 729 } else {
275bb41e
DH		 730 rc = may_context_mount_inode_relabel(context_sid, sbsec,
731 cred);
b04ea3ce 732 if (rc)
c9180a57 733 goto out;
b04ea3ce 734 }
c9180a57
EP		 735 if (!rootcontext_sid)
736 rootcontext_sid = context_sid;
1da177e4 737
c9180a57 738 sbsec->mntpoint_sid = context_sid;
c312feb2 739 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 740 }
741
c9180a57 742 if (rootcontext_sid) {
275bb41e
DH		 743 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
744 cred);
0808925e 745 if (rc)
c9180a57 746 goto out;
0808925e 747
c9180a57
EP		 748 root_isec->sid = rootcontext_sid;
749 root_isec->initialized = 1;
0808925e
EP		 750 }
751
c9180a57
EP		 752 if (defcontext_sid) {
753 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
754 rc = -EINVAL;
755 printk(KERN_WARNING "SELinux: defcontext option is "
756 "invalid for this filesystem type\n");
757 goto out;
1da177e4
LT		 758 }
759
c9180a57
EP		 760 if (defcontext_sid != sbsec->def_sid) {
761 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 762 sbsec, cred);
c9180a57
EP		 763 if (rc)
764 goto out;
765 }
1da177e4 766
c9180a57 767 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 768 }
769
c9180a57 770 rc = sb_finish_set_opts(sb);
1da177e4 771out:
c9180a57 772 mutex_unlock(&sbsec->lock);
1da177e4 773 return rc;
c9180a57
EP		 774out_double_mount:
775 rc = -EINVAL;
776 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
777 "security settings for (dev %s, type %s)\n", sb->s_id, name);
778 goto out;
1da177e4
LT		 779}
780
094f7b69
JL		 781static int selinux_cmp_sb_context(const struct super_block *oldsb,
782 const struct super_block *newsb)
783{
784 struct superblock_security_struct *old = oldsb->s_security;
785 struct superblock_security_struct *new = newsb->s_security;
786 char oldflags = old->flags & SE_MNTMASK;
787 char newflags = new->flags & SE_MNTMASK;
788
789 if (oldflags != newflags)
790 goto mismatch;
791 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
792 goto mismatch;
793 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
794 goto mismatch;
795 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
796 goto mismatch;
797 if (oldflags & ROOTCONTEXT_MNT) {
798 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
799 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
800 if (oldroot->sid != newroot->sid)
801 goto mismatch;
802 }
803 return 0;
804mismatch:
805 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
806 "different security settings for (dev %s, "
807 "type %s)\n", newsb->s_id, newsb->s_type->name);
808 return -EBUSY;
809}
810
811static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
c9180a57 812 struct super_block *newsb)
1da177e4 813{
c9180a57
EP		 814 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
815 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 816
c9180a57
EP		 817 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
818 int set_context = (oldsbsec->flags & CONTEXT_MNT);
819 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 820
0f5e6420
EP		 821 /*
822 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 823 * mount options. thus we can safely deal with this superblock later
0f5e6420 824 */
e8c26255 825 if (!ss_initialized)
094f7b69 826 return 0;
c9180a57 827
c9180a57 828 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 829 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 830
094f7b69 831 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 832 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 833 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 834
c9180a57
EP		 835 mutex_lock(&newsbsec->lock);
836
837 newsbsec->flags = oldsbsec->flags;
838
839 newsbsec->sid = oldsbsec->sid;
840 newsbsec->def_sid = oldsbsec->def_sid;
841 newsbsec->behavior = oldsbsec->behavior;
842
843 if (set_context) {
844 u32 sid = oldsbsec->mntpoint_sid;
845
846 if (!set_fscontext)
847 newsbsec->sid = sid;
848 if (!set_rootcontext) {
849 struct inode *newinode = newsb->s_root->d_inode;
850 struct inode_security_struct *newisec = newinode->i_security;
851 newisec->sid = sid;
852 }
853 newsbsec->mntpoint_sid = sid;
1da177e4 854 }
c9180a57
EP		 855 if (set_rootcontext) {
856 const struct inode *oldinode = oldsb->s_root->d_inode;
857 const struct inode_security_struct *oldisec = oldinode->i_security;
858 struct inode *newinode = newsb->s_root->d_inode;
859 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 860
c9180a57 861 newisec->sid = oldisec->sid;
1da177e4
LT		 862 }
863
c9180a57
EP		 864 sb_finish_set_opts(newsb);
865 mutex_unlock(&newsbsec->lock);
094f7b69 866 return 0;
c9180a57
EP		 867}
868
2e1479d9
AB		 869static int selinux_parse_opts_str(char *options,
870 struct security_mnt_opts *opts)
c9180a57 871{
e0007529 872 char *p;
c9180a57
EP		 873 char *context = NULL, *defcontext = NULL;
874 char *fscontext = NULL, *rootcontext = NULL;
e0007529 875 int rc, num_mnt_opts = 0;
e0007529 876 opts->num_mnt_opts = 0;
1da177e4 877
c9180a57
EP		 878 /* Standard string-based options. */
879 while ((p = strsep(&options, "|")) != NULL) {
880 int token;
881 substring_t args[MAX_OPT_ARGS];
1da177e4 882
c9180a57
EP		 883 if (!*p)
884 continue;
1da177e4 885
c9180a57 886 token = match_token(p, tokens, args);
1da177e4 887
c9180a57
EP		 888 switch (token) {
889 case Opt_context:
890 if (context || defcontext) {
891 rc = -EINVAL;
892 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
893 goto out_err;
894 }
895 context = match_strdup(&args[0]);
896 if (!context) {
897 rc = -ENOMEM;
898 goto out_err;
899 }
900 break;
901
902 case Opt_fscontext:
903 if (fscontext) {
904 rc = -EINVAL;
905 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
906 goto out_err;
907 }
908 fscontext = match_strdup(&args[0]);
909 if (!fscontext) {
910 rc = -ENOMEM;
911 goto out_err;
912 }
913 break;
914
915 case Opt_rootcontext:
916 if (rootcontext) {
917 rc = -EINVAL;
918 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
919 goto out_err;
920 }
921 rootcontext = match_strdup(&args[0]);
922 if (!rootcontext) {
923 rc = -ENOMEM;
924 goto out_err;
925 }
926 break;
927
928 case Opt_defcontext:
929 if (context || defcontext) {
930 rc = -EINVAL;
931 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
932 goto out_err;
933 }
934 defcontext = match_strdup(&args[0]);
935 if (!defcontext) {
936 rc = -ENOMEM;
937 goto out_err;
938 }
939 break;
11689d47
DQ		 940 case Opt_labelsupport:
941 break;
c9180a57
EP		 942 default:
943 rc = -EINVAL;
944 printk(KERN_WARNING "SELinux: unknown mount option\n");
945 goto out_err;
1da177e4 946
1da177e4 947 }
1da177e4 948 }
c9180a57 949
e0007529
EP		 950 rc = -ENOMEM;
951 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
952 if (!opts->mnt_opts)
953 goto out_err;
954
955 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
956 if (!opts->mnt_opts_flags) {
957 kfree(opts->mnt_opts);
958 goto out_err;
959 }
960
c9180a57 961 if (fscontext) {
e0007529
EP		 962 opts->mnt_opts[num_mnt_opts] = fscontext;
963 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 964 }
965 if (context) {
e0007529
EP		 966 opts->mnt_opts[num_mnt_opts] = context;
967 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 968 }
969 if (rootcontext) {
e0007529
EP		 970 opts->mnt_opts[num_mnt_opts] = rootcontext;
971 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 972 }
973 if (defcontext) {
e0007529
EP		 974 opts->mnt_opts[num_mnt_opts] = defcontext;
975 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 976 }
977
e0007529
EP		 978 opts->num_mnt_opts = num_mnt_opts;
979 return 0;
980
c9180a57
EP		 981out_err:
982 kfree(context);
983 kfree(defcontext);
984 kfree(fscontext);
985 kfree(rootcontext);
1da177e4
LT		 986 return rc;
987}
e0007529
EP		 988/*
989 * string mount options parsing and call set the sbsec
990 */
991static int superblock_doinit(struct super_block *sb, void *data)
992{
993 int rc = 0;
994 char *options = data;
995 struct security_mnt_opts opts;
996
997 security_init_mnt_opts(&opts);
998
999 if (!data)
1000 goto out;
1001
1002 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1003
1004 rc = selinux_parse_opts_str(options, &opts);
1005 if (rc)
1006 goto out_err;
1007
1008out:
1009 rc = selinux_set_mnt_opts(sb, &opts);
1010
1011out_err:
1012 security_free_mnt_opts(&opts);
1013 return rc;
1014}
1da177e4 1015
3583a711
AB		 1016static void selinux_write_opts(struct seq_file *m,
1017 struct security_mnt_opts *opts)
2069f457
EP		 1018{
1019 int i;
1020 char *prefix;
1021
1022 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1023 char *has_comma;
1024
1025 if (opts->mnt_opts[i])
1026 has_comma = strchr(opts->mnt_opts[i], ',');
1027 else
1028 has_comma = NULL;
2069f457
EP		 1029
1030 switch (opts->mnt_opts_flags[i]) {
1031 case CONTEXT_MNT:
1032 prefix = CONTEXT_STR;
1033 break;
1034 case FSCONTEXT_MNT:
1035 prefix = FSCONTEXT_STR;
1036 break;
1037 case ROOTCONTEXT_MNT:
1038 prefix = ROOTCONTEXT_STR;
1039 break;
1040 case DEFCONTEXT_MNT:
1041 prefix = DEFCONTEXT_STR;
1042 break;
11689d47
DQ		 1043 case SE_SBLABELSUPP:
1044 seq_putc(m, ',');
1045 seq_puts(m, LABELSUPP_STR);
1046 continue;
2069f457
EP		 1047 default:
1048 BUG();
a35c6c83 1049 return;
2069f457
EP		 1050 };
1051 /* we need a comma before each option */
1052 seq_putc(m, ',');
1053 seq_puts(m, prefix);
1054 if (has_comma)
1055 seq_putc(m, '\"');
1056 seq_puts(m, opts->mnt_opts[i]);
1057 if (has_comma)
1058 seq_putc(m, '\"');
1059 }
1060}
1061
1062static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1063{
1064 struct security_mnt_opts opts;
1065 int rc;
1066
1067 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1068 if (rc) {
1069 /* before policy load we may get EINVAL, don't show anything */
1070 if (rc == -EINVAL)
1071 rc = 0;
2069f457 1072 return rc;
383795c2 1073 }
2069f457
EP		 1074
1075 selinux_write_opts(m, &opts);
1076
1077 security_free_mnt_opts(&opts);
1078
1079 return rc;
1080}
1081
1da177e4
LT		 1082static inline u16 inode_mode_to_security_class(umode_t mode)
1083{
1084 switch (mode & S_IFMT) {
1085 case S_IFSOCK:
1086 return SECCLASS_SOCK_FILE;
1087 case S_IFLNK:
1088 return SECCLASS_LNK_FILE;
1089 case S_IFREG:
1090 return SECCLASS_FILE;
1091 case S_IFBLK:
1092 return SECCLASS_BLK_FILE;
1093 case S_IFDIR:
1094 return SECCLASS_DIR;
1095 case S_IFCHR:
1096 return SECCLASS_CHR_FILE;
1097 case S_IFIFO:
1098 return SECCLASS_FIFO_FILE;
1099
1100 }
1101
1102 return SECCLASS_FILE;
1103}
1104
13402580
JM		 1105static inline int default_protocol_stream(int protocol)
1106{
1107 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1108}
1109
1110static inline int default_protocol_dgram(int protocol)
1111{
1112 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1113}
1114
1da177e4
LT		 1115static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1116{
1117 switch (family) {
1118 case PF_UNIX:
1119 switch (type) {
1120 case SOCK_STREAM:
1121 case SOCK_SEQPACKET:
1122 return SECCLASS_UNIX_STREAM_SOCKET;
1123 case SOCK_DGRAM:
1124 return SECCLASS_UNIX_DGRAM_SOCKET;
1125 }
1126 break;
1127 case PF_INET:
1128 case PF_INET6:
1129 switch (type) {
1130 case SOCK_STREAM:
13402580
JM		 1131 if (default_protocol_stream(protocol))
1132 return SECCLASS_TCP_SOCKET;
1133 else
1134 return SECCLASS_RAWIP_SOCKET;
1da177e4 1135 case SOCK_DGRAM:
13402580
JM		 1136 if (default_protocol_dgram(protocol))
1137 return SECCLASS_UDP_SOCKET;
1138 else
1139 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1140 case SOCK_DCCP:
1141 return SECCLASS_DCCP_SOCKET;
13402580 1142 default:
1da177e4
LT		 1143 return SECCLASS_RAWIP_SOCKET;
1144 }
1145 break;
1146 case PF_NETLINK:
1147 switch (protocol) {
1148 case NETLINK_ROUTE:
1149 return SECCLASS_NETLINK_ROUTE_SOCKET;
1150 case NETLINK_FIREWALL:
1151 return SECCLASS_NETLINK_FIREWALL_SOCKET;
7f1fb60c 1152 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1153 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1154 case NETLINK_NFLOG:
1155 return SECCLASS_NETLINK_NFLOG_SOCKET;
1156 case NETLINK_XFRM:
1157 return SECCLASS_NETLINK_XFRM_SOCKET;
1158 case NETLINK_SELINUX:
1159 return SECCLASS_NETLINK_SELINUX_SOCKET;
1160 case NETLINK_AUDIT:
1161 return SECCLASS_NETLINK_AUDIT_SOCKET;
1162 case NETLINK_IP6_FW:
1163 return SECCLASS_NETLINK_IP6FW_SOCKET;
1164 case NETLINK_DNRTMSG:
1165 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1166 case NETLINK_KOBJECT_UEVENT:
1167 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1168 default:
1169 return SECCLASS_NETLINK_SOCKET;
1170 }
1171 case PF_PACKET:
1172 return SECCLASS_PACKET_SOCKET;
1173 case PF_KEY:
1174 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1175 case PF_APPLETALK:
1176 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1177 }
1178
1179 return SECCLASS_SOCKET;
1180}
1181
1182#ifdef CONFIG_PROC_FS
8e6c9693 1183static int selinux_proc_get_sid(struct dentry *dentry,
1da177e4
LT		 1184 u16 tclass,
1185 u32 *sid)
1186{
8e6c9693
LAG		 1187 int rc;
1188 char *buffer, *path;
1da177e4 1189
828dfe1d 1190 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1191 if (!buffer)
1192 return -ENOMEM;
1193
8e6c9693
LAG		 1194 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1195 if (IS_ERR(path))
1196 rc = PTR_ERR(path);
1197 else {
1198 /* each process gets a /proc/PID/ entry. Strip off the
1199 * PID part to get a valid selinux labeling.
1200 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1201 while (path[1] >= '0' && path[1] <= '9') {
1202 path[1] = '/';
1203 path++;
1204 }
1205 rc = security_genfs_sid("proc", path, tclass, sid);
1da177e4 1206 }
1da177e4
LT		 1207 free_page((unsigned long)buffer);
1208 return rc;
1209}
1210#else
8e6c9693 1211static int selinux_proc_get_sid(struct dentry *dentry,
1da177e4
LT		 1212 u16 tclass,
1213 u32 *sid)
1214{
1215 return -EINVAL;
1216}
1217#endif
1218
1219/* The inode's security attributes must be initialized before first use. */
1220static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1221{
1222 struct superblock_security_struct *sbsec = NULL;
1223 struct inode_security_struct *isec = inode->i_security;
1224 u32 sid;
1225 struct dentry *dentry;
1226#define INITCONTEXTLEN 255
1227 char *context = NULL;
1228 unsigned len = 0;
1229 int rc = 0;
1da177e4
LT		 1230
1231 if (isec->initialized)
1232 goto out;
1233
23970741 1234 mutex_lock(&isec->lock);
1da177e4 1235 if (isec->initialized)
23970741 1236 goto out_unlock;
1da177e4
LT		 1237
1238 sbsec = inode->i_sb->s_security;
949c2c1d
S		 1239 /* To prevent Null pointer exception */
1240 if (!sbsec) {
1241 printk(KERN_ERR "[SELinux] sbsec is NULL, inode->i_sb->s_security is already freed. \n");
1242 rc = -EINVAL;
1243 goto out_unlock;
1244 }
1245
0d90a7ec 1246 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1247 /* Defer initialization until selinux_complete_init,
1248 after the initial policy is loaded and the security
1249 server is ready to handle calls. */
1250 spin_lock(&sbsec->isec_lock);
1251 if (list_empty(&isec->list))
1252 list_add(&isec->list, &sbsec->isec_head);
1253 spin_unlock(&sbsec->isec_lock);
23970741 1254 goto out_unlock;
1da177e4
LT		 1255 }
1256
1257 switch (sbsec->behavior) {
1258 case SECURITY_FS_USE_XATTR:
1259 if (!inode->i_op->getxattr) {
1260 isec->sid = sbsec->def_sid;
1261 break;
1262 }
1263
1264 /* Need a dentry, since the xattr API requires one.
1265 Life would be simpler if we could just pass the inode. */
1266 if (opt_dentry) {
1267 /* Called from d_instantiate or d_splice_alias. */
1268 dentry = dget(opt_dentry);
1269 } else {
1270 /* Called from selinux_complete_init, try to find a dentry. */
1271 dentry = d_find_alias(inode);
1272 }
1273 if (!dentry) {
df7f54c0
EP		 1274 /*
1275 * this is can be hit on boot when a file is accessed
1276 * before the policy is loaded. When we load policy we
1277 * may find inodes that have no dentry on the
1278 * sbsec->isec_head list. No reason to complain as these
1279 * will get fixed up the next time we go through
1280 * inode_doinit with a dentry, before these inodes could
1281 * be used again by userspace.
1282 */
23970741 1283 goto out_unlock;
1da177e4
LT		 1284 }
1285
1286 len = INITCONTEXTLEN;
4cb912f1 1287 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1288 if (!context) {
1289 rc = -ENOMEM;
1290 dput(dentry);
23970741 1291 goto out_unlock;
1da177e4 1292 }
4cb912f1 1293 context[len] = '\0';
1da177e4
LT		 1294 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1295 context, len);
1296 if (rc == -ERANGE) {
314dabb8
JM		 1297 kfree(context);
1298
1da177e4
LT		 1299 /* Need a larger buffer. Query for the right size. */
1300 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1301 NULL, 0);
1302 if (rc < 0) {
1303 dput(dentry);
23970741 1304 goto out_unlock;
1da177e4 1305 }
1da177e4 1306 len = rc;
4cb912f1 1307 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1308 if (!context) {
1309 rc = -ENOMEM;
1310 dput(dentry);
23970741 1311 goto out_unlock;
1da177e4 1312 }
4cb912f1 1313 context[len] = '\0';
1da177e4
LT		 1314 rc = inode->i_op->getxattr(dentry,
1315 XATTR_NAME_SELINUX,
1316 context, len);
1317 }
1318 dput(dentry);
1319 if (rc < 0) {
1320 if (rc != -ENODATA) {
744ba35e 1321 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1322 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1323 -rc, inode->i_sb->s_id, inode->i_ino);
1324 kfree(context);
23970741 1325 goto out_unlock;
1da177e4
LT		 1326 }
1327 /* Map ENODATA to the default file SID */
1328 sid = sbsec->def_sid;
1329 rc = 0;
1330 } else {
f5c1d5b2 1331 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1332 sbsec->def_sid,
1333 GFP_NOFS);
1da177e4 1334 if (rc) {
4ba0a8ad
EP		 1335 char *dev = inode->i_sb->s_id;
1336 unsigned long ino = inode->i_ino;
1337
1338 if (rc == -EINVAL) {
1339 if (printk_ratelimit())
1340 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1341 "context=%s. This indicates you may need to relabel the inode or the "
1342 "filesystem in question.\n", ino, dev, context);
1343 } else {
1344 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1345 "returned %d for dev=%s ino=%ld\n",
1346 __func__, context, -rc, dev, ino);
1347 }
1da177e4
LT		 1348 kfree(context);
1349 /* Leave with the unlabeled SID */
1350 rc = 0;
1351 break;
1352 }
1353 }
1354 kfree(context);
1355 isec->sid = sid;
1356 break;
1357 case SECURITY_FS_USE_TASK:
1358 isec->sid = isec->task_sid;
1359 break;
1360 case SECURITY_FS_USE_TRANS:
1361 /* Default to the fs SID. */
1362 isec->sid = sbsec->sid;
1363
1364 /* Try to obtain a transition SID. */
1365 isec->sclass = inode_mode_to_security_class(inode->i_mode);
652bb9b0
EP		 1366 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1367 isec->sclass, NULL, &sid);
1da177e4 1368 if (rc)
23970741 1369 goto out_unlock;
1da177e4
LT		 1370 isec->sid = sid;
1371 break;
c312feb2
EP		 1372 case SECURITY_FS_USE_MNTPOINT:
1373 isec->sid = sbsec->mntpoint_sid;
1374 break;
1da177e4 1375 default:
c312feb2 1376 /* Default to the fs superblock SID. */
1da177e4
LT		 1377 isec->sid = sbsec->sid;
1378
0d90a7ec 1379 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
913a13b6
PM		 1380 /* We must have a dentry to determine the label on
1381 * procfs inodes */
1382 if (opt_dentry)
1383 /* Called from d_instantiate or
1384 * d_splice_alias. */
1385 dentry = dget(opt_dentry);
1386 else
1387 /* Called from selinux_complete_init, try to
1388 * find a dentry. */
1389 dentry = d_find_alias(inode);
1390 /*
1391 * This can be hit on boot when a file is accessed
1392 * before the policy is loaded. When we load policy we
1393 * may find inodes that have no dentry on the
1394 * sbsec->isec_head list. No reason to complain as
1395 * these will get fixed up the next time we go through
1396 * inode_doinit() with a dentry, before these inodes
1397 * could be used again by userspace.
1398 */
1399 if (!dentry)
1400 goto out_unlock;
1401 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1402 rc = selinux_proc_get_sid(dentry, isec->sclass, &sid);
1403 dput(dentry);
1404 if (rc)
1405 goto out_unlock;
1406 isec->sid = sid;
1da177e4
LT		 1407 }
1408 break;
1409 }
1410
1411 isec->initialized = 1;
1412
23970741
EP		 1413out_unlock:
1414 mutex_unlock(&isec->lock);
1da177e4
LT		 1415out:
1416 if (isec->sclass == SECCLASS_FILE)
1417 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1418 return rc;
1419}
1420
1421/* Convert a Linux signal to an access vector. */
1422static inline u32 signal_to_av(int sig)
1423{
1424 u32 perm = 0;
1425
1426 switch (sig) {
1427 case SIGCHLD:
1428 /* Commonly granted from child to parent. */
1429 perm = PROCESS__SIGCHLD;
1430 break;
1431 case SIGKILL:
1432 /* Cannot be caught or ignored */
1433 perm = PROCESS__SIGKILL;
1434 break;
1435 case SIGSTOP:
1436 /* Cannot be caught or ignored */
1437 perm = PROCESS__SIGSTOP;
1438 break;
1439 default:
1440 /* All other signals. */
1441 perm = PROCESS__SIGNAL;
1442 break;
1443 }
1444
1445 return perm;
1446}
1447
d84f4f99
DH		 1448/*
1449 * Check permission between a pair of credentials
1450 * fork check, ptrace check, etc.
1451 */
1452static int cred_has_perm(const struct cred *actor,
1453 const struct cred *target,
1454 u32 perms)
1455{
1456 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1457
1458 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1459}
1460
275bb41e 1461/*
88e67f3b 1462 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1463 * fork check, ptrace check, etc.
1464 * tsk1 is the actor and tsk2 is the target
3b11a1de 1465 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1466 */
1467static int task_has_perm(const struct task_struct *tsk1,
1468 const struct task_struct *tsk2,
1da177e4
LT		 1469 u32 perms)
1470{
275bb41e
DH		 1471 const struct task_security_struct *__tsec1, *__tsec2;
1472 u32 sid1, sid2;
1da177e4 1473
275bb41e 1474 rcu_read_lock();
949c2c1d 1475
275bb41e
DH		 1476 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1477 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
949c2c1d 1478
275bb41e
DH		 1479 rcu_read_unlock();
1480 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1481}
1482
3b11a1de
DH		 1483/*
1484 * Check permission between current and another task, e.g. signal checks,
1485 * fork check, ptrace check, etc.
1486 * current is the actor and tsk2 is the target
1487 * - this uses current's subjective creds
1488 */
1489static int current_has_perm(const struct task_struct *tsk,
1490 u32 perms)
1491{
1492 u32 sid, tsid;
1493
1494 sid = current_sid();
1495 tsid = task_sid(tsk);
1496 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1497}
1498
b68e418c
SS		 1499#if CAP_LAST_CAP > 63
1500#error Fix SELinux to handle capabilities > 63.
1501#endif
1502
1da177e4 1503/* Check whether a task is allowed to use a capability. */
6a9de491 1504static int cred_has_capability(const struct cred *cred,
06112163 1505 int cap, int audit)
1da177e4 1506{
2bf49690 1507 struct common_audit_data ad;
06112163 1508 struct av_decision avd;
b68e418c 1509 u16 sclass;
3699c53c 1510 u32 sid = cred_sid(cred);
b68e418c 1511 u32 av = CAP_TO_MASK(cap);
06112163 1512 int rc;
1da177e4 1513
50c205f5 1514 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1515 ad.u.cap = cap;
1516
b68e418c
SS		 1517 switch (CAP_TO_INDEX(cap)) {
1518 case 0:
1519 sclass = SECCLASS_CAPABILITY;
1520 break;
1521 case 1:
1522 sclass = SECCLASS_CAPABILITY2;
1523 break;
1524 default:
1525 printk(KERN_ERR
1526 "SELinux: out of range capability %d\n", cap);
1527 BUG();
a35c6c83 1528 return -EINVAL;
b68e418c 1529 }
06112163 1530
275bb41e 1531 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4
EP		 1532 if (audit == SECURITY_CAP_AUDIT) {
1533 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1534 if (rc2)
1535 return rc2;
1536 }
06112163 1537 return rc;
1da177e4
LT		 1538}
1539
1540/* Check whether a task is allowed to use a system operation. */
1541static int task_has_system(struct task_struct *tsk,
1542 u32 perms)
1543{
275bb41e 1544 u32 sid = task_sid(tsk);
1da177e4 1545
275bb41e 1546 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1547 SECCLASS_SYSTEM, perms, NULL);
1548}
1549
1550/* Check whether a task has a particular permission to an inode.
1551 The 'adp' parameter is optional and allows other audit
1552 data to be passed (e.g. the dentry). */
88e67f3b 1553static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1554 struct inode *inode,
1555 u32 perms,
9ade0cf4
EP		 1556 struct common_audit_data *adp,
1557 unsigned flags)
1da177e4 1558{
1da177e4 1559 struct inode_security_struct *isec;
275bb41e 1560 u32 sid;
1da177e4 1561
e0e81739
DH		 1562 validate_creds(cred);
1563
828dfe1d 1564 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1565 return 0;
1566
88e67f3b 1567 sid = cred_sid(cred);
1da177e4
LT		 1568 isec = inode->i_security;
1569
949c2c1d
S		 1570 if (unlikely(!isec)){
1571 printk(KERN_CRIT "[SELinux] isec is NULL, inode->i_security is already freed. \n");
1572 return -EINVAL;
1573 }
1574
9ade0cf4 1575 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1da177e4
LT		 1576}
1577
1578/* Same as inode_has_perm, but pass explicit audit data containing
1579 the dentry to help the auditing code to more easily generate the
1580 pathname if needed. */
88e67f3b 1581static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1582 struct dentry *dentry,
1583 u32 av)
1584{
1585 struct inode *inode = dentry->d_inode;
2bf49690 1586 struct common_audit_data ad;
88e67f3b 1587
50c205f5 1588 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00
EP		 1589 ad.u.dentry = dentry;
1590 return inode_has_perm(cred, inode, av, &ad, 0);
1591}
1592
1593/* Same as inode_has_perm, but pass explicit audit data containing
1594 the path to help the auditing code to more easily generate the
1595 pathname if needed. */
1596static inline int path_has_perm(const struct cred *cred,
1597 struct path *path,
1598 u32 av)
1599{
1600 struct inode *inode = path->dentry->d_inode;
1601 struct common_audit_data ad;
1602
50c205f5 1603 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1604 ad.u.path = *path;
9ade0cf4 1605 return inode_has_perm(cred, inode, av, &ad, 0);
1da177e4
LT		 1606}
1607
1608/* Check whether a task can use an open file descriptor to
1609 access an inode in a given way. Check access to the
1610 descriptor itself, and then use dentry_has_perm to
1611 check a particular permission to the file.
1612 Access to the descriptor is implicitly granted if it
1613 has the same SID as the process. If av is zero, then
1614 access to the file is not checked, e.g. for cases
1615 where only the descriptor is affected like seek. */
88e67f3b
DH		 1616static int file_has_perm(const struct cred *cred,
1617 struct file *file,
1618 u32 av)
1da177e4 1619{
1da177e4 1620 struct file_security_struct *fsec = file->f_security;
496ad9aa 1621 struct inode *inode = file_inode(file);
2bf49690 1622 struct common_audit_data ad;
88e67f3b 1623 u32 sid = cred_sid(cred);
1da177e4
LT		 1624 int rc;
1625
50c205f5 1626 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 1627 ad.u.path = file->f_path;
1da177e4 1628
275bb41e
DH		 1629 if (sid != fsec->sid) {
1630 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1631 SECCLASS_FD,
1632 FD__USE,
1633 &ad);
1634 if (rc)
88e67f3b 1635 goto out;
1da177e4
LT		 1636 }
1637
1638 /* av is zero if only checking access to the descriptor. */
88e67f3b 1639 rc = 0;
1da177e4 1640 if (av)
9ade0cf4 1641 rc = inode_has_perm(cred, inode, av, &ad, 0);
1da177e4 1642
88e67f3b
DH		 1643out:
1644 return rc;
1da177e4
LT		 1645}
1646
1647/* Check whether a task can create a file. */
1648static int may_create(struct inode *dir,
1649 struct dentry *dentry,
1650 u16 tclass)
1651{
5fb49870 1652 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1653 struct inode_security_struct *dsec;
1654 struct superblock_security_struct *sbsec;
275bb41e 1655 u32 sid, newsid;
2bf49690 1656 struct common_audit_data ad;
1da177e4
LT		 1657 int rc;
1658
1da177e4
LT		 1659 dsec = dir->i_security;
1660 sbsec = dir->i_sb->s_security;
1661
275bb41e
DH		 1662 sid = tsec->sid;
1663 newsid = tsec->create_sid;
1664
50c205f5 1665 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1666 ad.u.dentry = dentry;
1da177e4 1667
275bb41e 1668 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1669 DIR__ADD_NAME | DIR__SEARCH,
1670 &ad);
1671 if (rc)
1672 return rc;
1673
cd89596f 1674 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
cb1e922f
EP		 1675 rc = security_transition_sid(sid, dsec->sid, tclass,
1676 &dentry->d_name, &newsid);
1da177e4
LT		 1677 if (rc)
1678 return rc;
1679 }
1680
275bb41e 1681 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1682 if (rc)
1683 return rc;
1684
1685 return avc_has_perm(newsid, sbsec->sid,
1686 SECCLASS_FILESYSTEM,
1687 FILESYSTEM__ASSOCIATE, &ad);
1688}
1689
4eb582cf
ML		 1690/* Check whether a task can create a key. */
1691static int may_create_key(u32 ksid,
1692 struct task_struct *ctx)
1693{
275bb41e 1694 u32 sid = task_sid(ctx);
4eb582cf 1695
275bb41e 1696 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1697}
1698
828dfe1d
EP		 1699#define MAY_LINK 0
1700#define MAY_UNLINK 1
1701#define MAY_RMDIR 2
1da177e4
LT		 1702
1703/* Check whether a task can link, unlink, or rmdir a file/directory. */
1704static int may_link(struct inode *dir,
1705 struct dentry *dentry,
1706 int kind)
1707
1708{
1da177e4 1709 struct inode_security_struct *dsec, *isec;
2bf49690 1710 struct common_audit_data ad;
275bb41e 1711 u32 sid = current_sid();
1da177e4
LT		 1712 u32 av;
1713 int rc;
1714
1da177e4
LT		 1715 dsec = dir->i_security;
1716 isec = dentry->d_inode->i_security;
1717
50c205f5 1718 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1719 ad.u.dentry = dentry;
1da177e4
LT		 1720
1721 av = DIR__SEARCH;
1722 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1723 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1724 if (rc)
1725 return rc;
1726
1727 switch (kind) {
1728 case MAY_LINK:
1729 av = FILE__LINK;
1730 break;
1731 case MAY_UNLINK:
1732 av = FILE__UNLINK;
1733 break;
1734 case MAY_RMDIR:
1735 av = DIR__RMDIR;
1736 break;
1737 default:
744ba35e
EP		 1738 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1739 __func__, kind);
1da177e4
LT		 1740 return 0;
1741 }
1742
275bb41e 1743 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1744 return rc;
1745}
1746
1747static inline int may_rename(struct inode *old_dir,
1748 struct dentry *old_dentry,
1749 struct inode *new_dir,
1750 struct dentry *new_dentry)
1751{
1da177e4 1752 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1753 struct common_audit_data ad;
275bb41e 1754 u32 sid = current_sid();
1da177e4
LT		 1755 u32 av;
1756 int old_is_dir, new_is_dir;
1757 int rc;
1758
1da177e4
LT		 1759 old_dsec = old_dir->i_security;
1760 old_isec = old_dentry->d_inode->i_security;
1761 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1762 new_dsec = new_dir->i_security;
1763
50c205f5 1764 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1765
a269434d 1766 ad.u.dentry = old_dentry;
275bb41e 1767 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1768 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1769 if (rc)
1770 return rc;
275bb41e 1771 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1772 old_isec->sclass, FILE__RENAME, &ad);
1773 if (rc)
1774 return rc;
1775 if (old_is_dir && new_dir != old_dir) {
275bb41e 1776 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1777 old_isec->sclass, DIR__REPARENT, &ad);
1778 if (rc)
1779 return rc;
1780 }
1781
a269434d 1782 ad.u.dentry = new_dentry;
1da177e4
LT		 1783 av = DIR__ADD_NAME | DIR__SEARCH;
1784 if (new_dentry->d_inode)
1785 av |= DIR__REMOVE_NAME;
275bb41e 1786 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1787 if (rc)
1788 return rc;
1789 if (new_dentry->d_inode) {
1790 new_isec = new_dentry->d_inode->i_security;
1791 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
275bb41e 1792 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1793 new_isec->sclass,
1794 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1795 if (rc)
1796 return rc;
1797 }
1798
1799 return 0;
1800}
1801
1802/* Check whether a task can perform a filesystem operation. */
88e67f3b 1803static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1804 struct super_block *sb,
1805 u32 perms,
2bf49690 1806 struct common_audit_data *ad)
1da177e4 1807{
1da177e4 1808 struct superblock_security_struct *sbsec;
88e67f3b 1809 u32 sid = cred_sid(cred);
1da177e4 1810
1da177e4 1811 sbsec = sb->s_security;
275bb41e 1812 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1813}
1814
1815/* Convert a Linux mode and permission mask to an access vector. */
1816static inline u32 file_mask_to_av(int mode, int mask)
1817{
1818 u32 av = 0;
1819
dba19c60 1820 if (!S_ISDIR(mode)) {
1da177e4
LT		 1821 if (mask & MAY_EXEC)
1822 av |= FILE__EXECUTE;
1823 if (mask & MAY_READ)
1824 av |= FILE__READ;
1825
1826 if (mask & MAY_APPEND)
1827 av |= FILE__APPEND;
1828 else if (mask & MAY_WRITE)
1829 av |= FILE__WRITE;
1830
1831 } else {
1832 if (mask & MAY_EXEC)
1833 av |= DIR__SEARCH;
1834 if (mask & MAY_WRITE)
1835 av |= DIR__WRITE;
1836 if (mask & MAY_READ)
1837 av |= DIR__READ;
1838 }
1839
1840 return av;
1841}
1842
8b6a5a37
EP		 1843/* Convert a Linux file to an access vector. */
1844static inline u32 file_to_av(struct file *file)
1845{
1846 u32 av = 0;
1847
1848 if (file->f_mode & FMODE_READ)
1849 av |= FILE__READ;
1850 if (file->f_mode & FMODE_WRITE) {
1851 if (file->f_flags & O_APPEND)
1852 av |= FILE__APPEND;
1853 else
1854 av |= FILE__WRITE;
1855 }
1856 if (!av) {
1857 /*
1858 * Special file opened with flags 3 for ioctl-only use.
1859 */
1860 av = FILE__IOCTL;
1861 }
1862
1863 return av;
1864}
1865
b0c636b9 1866/*
8b6a5a37 1867 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 1868 * open permission.
1869 */
8b6a5a37 1870static inline u32 open_file_to_av(struct file *file)
b0c636b9 1871{
8b6a5a37 1872 u32 av = file_to_av(file);
b0c636b9 1873
49b7b8de
EP		 1874 if (selinux_policycap_openperm)
1875 av |= FILE__OPEN;
1876
b0c636b9
EP		 1877 return av;
1878}
1879
1da177e4
LT		 1880/* Hook functions begin here. */
1881
6fa3eb70
S		 1882static int selinux_binder_set_context_mgr(struct task_struct *mgr)
1883{
1884 u32 mysid = current_sid();
1885 u32 mgrsid = task_sid(mgr);
1886
1887 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER, BINDER__SET_CONTEXT_MGR, NULL);
1888}
1889
1890static int selinux_binder_transaction(struct task_struct *from, struct task_struct *to)
1891{
1892 u32 mysid = current_sid();
1893 u32 fromsid = task_sid(from);
1894 u32 tosid = task_sid(to);
1895 int rc;
1896
1897 if (mysid != fromsid) {
1898 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, BINDER__IMPERSONATE, NULL);
1899 if (rc)
1900 return rc;
1901 }
1902
1903 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, NULL);
1904}
1905
1906static int selinux_binder_transfer_binder(struct task_struct *from, struct task_struct *to)
1907{
1908 u32 fromsid = task_sid(from);
1909 u32 tosid = task_sid(to);
949c2c1d 1910
6fa3eb70
S		 1911 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, NULL);
1912}
1913
1914static int selinux_binder_transfer_file(struct task_struct *from, struct task_struct *to, struct file *file)
1915{
1916 u32 sid = task_sid(to);
1917 struct file_security_struct *fsec = file->f_security;
1918 struct inode *inode = file->f_path.dentry->d_inode;
1919 struct inode_security_struct *isec = inode->i_security;
1920 struct common_audit_data ad;
1921 struct selinux_audit_data sad = {0,};
1922 int rc;
1923
1924 ad.type = LSM_AUDIT_DATA_PATH;
1925 ad.u.path = file->f_path;
1926 ad.selinux_audit_data = &sad;
1927
1928 if (sid != fsec->sid) {
1929 rc = avc_has_perm(sid, fsec->sid,
1930 SECCLASS_FD,
1931 FD__USE,
1932 &ad);
1933 if (rc)
1934 return rc;
1935 }
1936
1937 if (unlikely(IS_PRIVATE(inode)))
1938 return 0;
1939
1940 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
1941 &ad);
1942}
1943
9e48858f 1944static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 1945 unsigned int mode)
1da177e4 1946{
1da177e4
LT		 1947 int rc;
1948
9e48858f 1949 rc = cap_ptrace_access_check(child, mode);
1da177e4
LT		 1950 if (rc)
1951 return rc;
1952
69f594a3 1953 if (mode & PTRACE_MODE_READ) {
275bb41e
DH		 1954 u32 sid = current_sid();
1955 u32 csid = task_sid(child);
1956 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 1957 }
1958
3b11a1de 1959 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 1960}
1961
1962static int selinux_ptrace_traceme(struct task_struct *parent)
1963{
1964 int rc;
1965
200ac532 1966 rc = cap_ptrace_traceme(parent);
5cd9c58f
DH		 1967 if (rc)
1968 return rc;
1969
1970 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 1971}
1972
1973static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 1974 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4
LT		 1975{
1976 int error;
1977
3b11a1de 1978 error = current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 1979 if (error)
1980 return error;
1981
200ac532 1982 return cap_capget(target, effective, inheritable, permitted);
1da177e4
LT		 1983}
1984
d84f4f99
DH		 1985static int selinux_capset(struct cred *new, const struct cred *old,
1986 const kernel_cap_t *effective,
1987 const kernel_cap_t *inheritable,
1988 const kernel_cap_t *permitted)
1da177e4
LT		 1989{
1990 int error;
1991
200ac532 1992 error = cap_capset(new, old,
d84f4f99 1993 effective, inheritable, permitted);
1da177e4
LT		 1994 if (error)
1995 return error;
1996
d84f4f99 1997 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 1998}
1999
5626d3e8
JM		 2000/*
2001 * (This comment used to live with the selinux_task_setuid hook,
2002 * which was removed).
2003 *
2004 * Since setuid only affects the current process, and since the SELinux
2005 * controls are not based on the Linux identity attributes, SELinux does not
2006 * need to control this operation. However, SELinux does control the use of
2007 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2008 */
2009
6a9de491
EP		 2010static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2011 int cap, int audit)
1da177e4
LT		 2012{
2013 int rc;
2014
6a9de491 2015 rc = cap_capable(cred, ns, cap, audit);
1da177e4
LT		 2016 if (rc)
2017 return rc;
2018
6a9de491 2019 return cred_has_capability(cred, cap, audit);
1da177e4
LT		 2020}
2021
1da177e4
LT		 2022static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2023{
88e67f3b 2024 const struct cred *cred = current_cred();
1da177e4
LT		 2025 int rc = 0;
2026
2027 if (!sb)
2028 return 0;
2029
2030 switch (cmds) {
828dfe1d
EP		 2031 case Q_SYNC:
2032 case Q_QUOTAON:
2033 case Q_QUOTAOFF:
2034 case Q_SETINFO:
2035 case Q_SETQUOTA:
88e67f3b 2036 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2037 break;
2038 case Q_GETFMT:
2039 case Q_GETINFO:
2040 case Q_GETQUOTA:
88e67f3b 2041 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2042 break;
2043 default:
2044 rc = 0; /* let the kernel handle invalid cmds */
2045 break;
1da177e4
LT		 2046 }
2047 return rc;
2048}
2049
2050static int selinux_quota_on(struct dentry *dentry)
2051{
88e67f3b
DH		 2052 const struct cred *cred = current_cred();
2053
2875fa00 2054 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2055}
2056
12b3052c 2057static int selinux_syslog(int type)
1da177e4
LT		 2058{
2059 int rc;
2060
1da177e4 2061 switch (type) {
d78ca3cd
KC		 2062 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2063 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
828dfe1d
EP		 2064 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2065 break;
d78ca3cd
KC		 2066 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2067 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2068 /* Set level of messages printed to console */
2069 case SYSLOG_ACTION_CONSOLE_LEVEL:
828dfe1d
EP		 2070 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2071 break;
d78ca3cd
KC		 2072 case SYSLOG_ACTION_CLOSE: /* Close log */
2073 case SYSLOG_ACTION_OPEN: /* Open log */
2074 case SYSLOG_ACTION_READ: /* Read from log */
2075 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2076 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
828dfe1d
EP		 2077 default:
2078 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2079 break;
1da177e4
LT		 2080 }
2081 return rc;
2082}
2083
2084/*
2085 * Check that a process has enough memory to allocate a new virtual
2086 * mapping. 0 means there is enough memory for the allocation to
2087 * succeed and -ENOMEM implies there is not.
2088 *
1da177e4
LT		 2089 * Do not audit the selinux permission check, as this is applied to all
2090 * processes that allocate mappings.
2091 */
34b4e4aa 2092static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2093{
2094 int rc, cap_sys_admin = 0;
1da177e4 2095
6a9de491 2096 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
3699c53c 2097 SECURITY_CAP_NOAUDIT);
1da177e4
LT		 2098 if (rc == 0)
2099 cap_sys_admin = 1;
2100
34b4e4aa 2101 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 2102}
2103
2104/* binprm security operations */
2105
a6f76f23 2106static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2107{
a6f76f23
DH		 2108 const struct task_security_struct *old_tsec;
2109 struct task_security_struct *new_tsec;
1da177e4 2110 struct inode_security_struct *isec;
2bf49690 2111 struct common_audit_data ad;
496ad9aa 2112 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2113 int rc;
2114
200ac532 2115 rc = cap_bprm_set_creds(bprm);
1da177e4
LT		 2116 if (rc)
2117 return rc;
2118
a6f76f23
DH		 2119 /* SELinux context only depends on initial program or script and not
2120 * the script interpreter */
2121 if (bprm->cred_prepared)
1da177e4
LT		 2122 return 0;
2123
a6f76f23
DH		 2124 old_tsec = current_security();
2125 new_tsec = bprm->cred->security;
1da177e4
LT		 2126 isec = inode->i_security;
2127
2128 /* Default to the current task SID. */
a6f76f23
DH		 2129 new_tsec->sid = old_tsec->sid;
2130 new_tsec->osid = old_tsec->sid;
1da177e4 2131
28eba5bf 2132 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2133 new_tsec->create_sid = 0;
2134 new_tsec->keycreate_sid = 0;
2135 new_tsec->sockcreate_sid = 0;
1da177e4 2136
a6f76f23
DH		 2137 if (old_tsec->exec_sid) {
2138 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2139 /* Reset exec SID on execve. */
a6f76f23 2140 new_tsec->exec_sid = 0;
259e5e6c
AL		 2141
2142 /*
2143 * Minimize confusion: if no_new_privs and a transition is
2144 * explicitly requested, then fail the exec.
2145 */
2146 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
2147 return -EPERM;
1da177e4
LT		 2148 } else {
2149 /* Check for a default transition on this program. */
a6f76f23 2150 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2151 SECCLASS_PROCESS, NULL,
2152 &new_tsec->sid);
1da177e4
LT		 2153 if (rc)
2154 return rc;
2155 }
2156
50c205f5 2157 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 2158 ad.u.path = bprm->file->f_path;
1da177e4 2159
259e5e6c
AL		 2160 if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
2161 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
a6f76f23 2162 new_tsec->sid = old_tsec->sid;
1da177e4 2163
a6f76f23
DH		 2164 if (new_tsec->sid == old_tsec->sid) {
2165 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2166 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2167 if (rc)
2168 return rc;
2169 } else {
2170 /* Check permissions for the transition. */
a6f76f23 2171 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2172 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2173 if (rc)
2174 return rc;
2175
a6f76f23 2176 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2177 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2178 if (rc)
2179 return rc;
2180
a6f76f23
DH		 2181 /* Check for shared state */
2182 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2183 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2184 SECCLASS_PROCESS, PROCESS__SHARE,
2185 NULL);
2186 if (rc)
2187 return -EPERM;
2188 }
2189
2190 /* Make sure that anyone attempting to ptrace over a task that
2191 * changes its SID has the appropriate permit */
2192 if (bprm->unsafe &
2193 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2194 struct task_struct *tracer;
2195 struct task_security_struct *sec;
2196 u32 ptsid = 0;
2197
2198 rcu_read_lock();
06d98473 2199 tracer = ptrace_parent(current);
a6f76f23
DH		 2200 if (likely(tracer != NULL)) {
2201 sec = __task_cred(tracer)->security;
2202 ptsid = sec->sid;
2203 }
2204 rcu_read_unlock();
2205
2206 if (ptsid != 0) {
2207 rc = avc_has_perm(ptsid, new_tsec->sid,
2208 SECCLASS_PROCESS,
2209 PROCESS__PTRACE, NULL);
2210 if (rc)
2211 return -EPERM;
2212 }
2213 }
1da177e4 2214
a6f76f23
DH		 2215 /* Clear any possibly unsafe personality bits on exec: */
2216 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2217 }
2218
1da177e4
LT		 2219 return 0;
2220}
2221
828dfe1d 2222static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2223{
5fb49870 2224 const struct task_security_struct *tsec = current_security();
275bb41e 2225 u32 sid, osid;
1da177e4
LT		 2226 int atsecure = 0;
2227
275bb41e
DH		 2228 sid = tsec->sid;
2229 osid = tsec->osid;
2230
2231 if (osid != sid) {
1da177e4
LT		 2232 /* Enable secure mode for SIDs transitions unless
2233 the noatsecure permission is granted between
2234 the two SIDs, i.e. ahp returns 0. */
275bb41e 2235 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2236 SECCLASS_PROCESS,
2237 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2238 }
2239
200ac532 2240 return (atsecure || cap_bprm_secureexec(bprm));
1da177e4
LT		 2241}
2242
c3c073f8
AV		 2243static int match_file(const void *p, struct file *file, unsigned fd)
2244{
2245 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2246}
2247
1da177e4 2248/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2249static inline void flush_unauthorized_files(const struct cred *cred,
2250 struct files_struct *files)
1da177e4 2251{
1da177e4 2252 struct file *file, *devnull = NULL;
b20c8122 2253 struct tty_struct *tty;
24ec839c 2254 int drop_tty = 0;
c3c073f8 2255 unsigned n;
1da177e4 2256
24ec839c 2257 tty = get_current_tty();
1da177e4 2258 if (tty) {
ee2ffa0d 2259 spin_lock(&tty_files_lock);
37dd0bd0 2260 if (!list_empty(&tty->tty_files)) {
d996b62a 2261 struct tty_file_private *file_priv;
37dd0bd0 2262
1da177e4 2263 /* Revalidate access to controlling tty.
602a8dd6 2264 Use path_has_perm on the tty path directly rather
1da177e4
LT		 2265 than using file_has_perm, as this particular open
2266 file may belong to another process and we are only
2267 interested in the inode-based check here. */
d996b62a
NP		 2268 file_priv = list_first_entry(&tty->tty_files,
2269 struct tty_file_private, list);
2270 file = file_priv->file;
602a8dd6 2271 if (path_has_perm(cred, &file->f_path, FILE__READ | FILE__WRITE))
24ec839c 2272 drop_tty = 1;
1da177e4 2273 }
ee2ffa0d 2274 spin_unlock(&tty_files_lock);
452a00d2 2275 tty_kref_put(tty);
1da177e4 2276 }
98a27ba4
EB		 2277 /* Reset controlling tty. */
2278 if (drop_tty)
2279 no_tty();
1da177e4
LT		 2280
2281 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2282 n = iterate_fd(files, 0, match_file, cred);
2283 if (!n) /* none found? */
2284 return;
1da177e4 2285
c3c073f8 2286 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2287 if (IS_ERR(devnull))
2288 devnull = NULL;
2289 /* replace all the matching ones with this */
2290 do {
2291 replace_fd(n - 1, devnull, 0);
2292 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2293 if (devnull)
c3c073f8 2294 fput(devnull);
1da177e4
LT		 2295}
2296
a6f76f23
DH		 2297/*
2298 * Prepare a process for imminent new credential changes due to exec
2299 */
2300static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2301{
a6f76f23
DH		 2302 struct task_security_struct *new_tsec;
2303 struct rlimit *rlim, *initrlim;
2304 int rc, i;
d84f4f99 2305
a6f76f23
DH		 2306 new_tsec = bprm->cred->security;
2307 if (new_tsec->sid == new_tsec->osid)
2308 return;
1da177e4 2309
a6f76f23
DH		 2310 /* Close files for which the new task SID is not authorized. */
2311 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2312
a6f76f23
DH		 2313 /* Always clear parent death signal on SID transitions. */
2314 current->pdeath_signal = 0;
0356357c 2315
a6f76f23
DH		 2316 /* Check whether the new SID can inherit resource limits from the old
2317 * SID. If not, reset all soft limits to the lower of the current
2318 * task's hard limit and the init task's soft limit.
2319 *
2320 * Note that the setting of hard limits (even to lower them) can be
2321 * controlled by the setrlimit check. The inclusion of the init task's
2322 * soft limit into the computation is to avoid resetting soft limits
2323 * higher than the default soft limit for cases where the default is
2324 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2325 */
2326 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2327 PROCESS__RLIMITINH, NULL);
2328 if (rc) {
eb2d55a3
ON		 2329 /* protect against do_prlimit() */
2330 task_lock(current);
a6f76f23
DH		 2331 for (i = 0; i < RLIM_NLIMITS; i++) {
2332 rlim = current->signal->rlim + i;
2333 initrlim = init_task.signal->rlim + i;
2334 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2335 }
eb2d55a3
ON		 2336 task_unlock(current);
2337 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2338 }
2339}
2340
2341/*
a6f76f23
DH		 2342 * Clean up the process immediately after the installation of new credentials
2343 * due to exec
1da177e4 2344 */
a6f76f23 2345static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2346{
a6f76f23 2347 const struct task_security_struct *tsec = current_security();
1da177e4 2348 struct itimerval itimer;
a6f76f23 2349 u32 osid, sid;
1da177e4
LT		 2350 int rc, i;
2351
a6f76f23
DH		 2352 osid = tsec->osid;
2353 sid = tsec->sid;
2354
2355 if (sid == osid)
1da177e4
LT		 2356 return;
2357
a6f76f23
DH		 2358 /* Check whether the new SID can inherit signal state from the old SID.
2359 * If not, clear itimers to avoid subsequent signal generation and
2360 * flush and unblock signals.
2361 *
2362 * This must occur _after_ the task SID has been updated so that any
2363 * kill done after the flush will be checked against the new SID.
2364 */
2365 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4
LT		 2366 if (rc) {
2367 memset(&itimer, 0, sizeof itimer);
2368 for (i = 0; i < 3; i++)
2369 do_setitimer(i, &itimer, NULL);
1da177e4 2370 spin_lock_irq(&current->sighand->siglock);
3bcac026
DH		 2371 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2372 __flush_signals(current);
2373 flush_signal_handlers(current, 1);
2374 sigemptyset(&current->blocked);
2375 }
1da177e4
LT		 2376 spin_unlock_irq(&current->sighand->siglock);
2377 }
2378
a6f76f23
DH		 2379 /* Wake up the parent if it is waiting so that it can recheck
2380 * wait permission to the new task SID. */
ecd6de3c 2381 read_lock(&tasklist_lock);
0b7570e7 2382 __wake_up_parent(current, current->real_parent);
ecd6de3c 2383 read_unlock(&tasklist_lock);
1da177e4
LT		 2384}
2385
2386/* superblock security operations */
2387
2388static int selinux_sb_alloc_security(struct super_block *sb)
2389{
2390 return superblock_alloc_security(sb);
2391}
2392
2393static void selinux_sb_free_security(struct super_block *sb)
2394{
2395 superblock_free_security(sb);
2396}
2397
2398static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2399{
2400 if (plen > olen)
2401 return 0;
2402
2403 return !memcmp(prefix, option, plen);
2404}
2405
2406static inline int selinux_option(char *option, int len)
2407{
832cbd9a
EP		 2408 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2409 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2410 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2411 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2412 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2413}
2414
2415static inline void take_option(char **to, char *from, int *first, int len)
2416{
2417 if (!*first) {
2418 **to = ',';
2419 *to += 1;
3528a953 2420 } else
1da177e4
LT		 2421 *first = 0;
2422 memcpy(*to, from, len);
2423 *to += len;
2424}
2425
828dfe1d
EP		 2426static inline void take_selinux_option(char **to, char *from, int *first,
2427 int len)
3528a953
CO		 2428{
2429 int current_size = 0;
2430
2431 if (!*first) {
2432 **to = '|';
2433 *to += 1;
828dfe1d 2434 } else
3528a953
CO		 2435 *first = 0;
2436
2437 while (current_size < len) {
2438 if (*from != '"') {
2439 **to = *from;
2440 *to += 1;
2441 }
2442 from += 1;
2443 current_size += 1;
2444 }
2445}
2446
e0007529 2447static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2448{
2449 int fnosec, fsec, rc = 0;
2450 char *in_save, *in_curr, *in_end;
2451 char *sec_curr, *nosec_save, *nosec;
3528a953 2452 int open_quote = 0;
1da177e4
LT		 2453
2454 in_curr = orig;
2455 sec_curr = copy;
2456
1da177e4
LT		 2457 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2458 if (!nosec) {
2459 rc = -ENOMEM;
2460 goto out;
2461 }
2462
2463 nosec_save = nosec;
2464 fnosec = fsec = 1;
2465 in_save = in_end = orig;
2466
2467 do {
3528a953
CO		 2468 if (*in_end == '"')
2469 open_quote = !open_quote;
2470 if ((*in_end == ',' && open_quote == 0) ||
2471 *in_end == '\0') {
1da177e4
LT		 2472 int len = in_end - in_curr;
2473
2474 if (selinux_option(in_curr, len))
3528a953 2475 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2476 else
2477 take_option(&nosec, in_curr, &fnosec, len);
2478
2479 in_curr = in_end + 1;
2480 }
2481 } while (*in_end++);
2482
6931dfc9 2483 strcpy(in_save, nosec_save);
da3caa20 2484 free_page((unsigned long)nosec_save);
1da177e4
LT		 2485out:
2486 return rc;
2487}
2488
026eb167
EP		 2489static int selinux_sb_remount(struct super_block *sb, void *data)
2490{
2491 int rc, i, *flags;
2492 struct security_mnt_opts opts;
2493 char *secdata, **mount_options;
2494 struct superblock_security_struct *sbsec = sb->s_security;
2495
2496 if (!(sbsec->flags & SE_SBINITIALIZED))
2497 return 0;
2498
2499 if (!data)
2500 return 0;
2501
2502 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2503 return 0;
2504
2505 security_init_mnt_opts(&opts);
2506 secdata = alloc_secdata();
2507 if (!secdata)
2508 return -ENOMEM;
2509 rc = selinux_sb_copy_data(data, secdata);
2510 if (rc)
2511 goto out_free_secdata;
2512
2513 rc = selinux_parse_opts_str(secdata, &opts);
2514 if (rc)
2515 goto out_free_secdata;
2516
2517 mount_options = opts.mnt_opts;
2518 flags = opts.mnt_opts_flags;
2519
2520 for (i = 0; i < opts.num_mnt_opts; i++) {
2521 u32 sid;
2522 size_t len;
2523
2524 if (flags[i] == SE_SBLABELSUPP)
2525 continue;
2526 len = strlen(mount_options[i]);
2527 rc = security_context_to_sid(mount_options[i], len, &sid);
2528 if (rc) {
2529 printk(KERN_WARNING "SELinux: security_context_to_sid"
2530 "(%s) failed for (dev %s, type %s) errno=%d\n",
2531 mount_options[i], sb->s_id, sb->s_type->name, rc);
2532 goto out_free_opts;
2533 }
2534 rc = -EINVAL;
2535 switch (flags[i]) {
2536 case FSCONTEXT_MNT:
2537 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2538 goto out_bad_option;
2539 break;
2540 case CONTEXT_MNT:
2541 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2542 goto out_bad_option;
2543 break;
2544 case ROOTCONTEXT_MNT: {
2545 struct inode_security_struct *root_isec;
2546 root_isec = sb->s_root->d_inode->i_security;
2547
2548 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2549 goto out_bad_option;
2550 break;
2551 }
2552 case DEFCONTEXT_MNT:
2553 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2554 goto out_bad_option;
2555 break;
2556 default:
2557 goto out_free_opts;
2558 }
2559 }
2560
2561 rc = 0;
2562out_free_opts:
2563 security_free_mnt_opts(&opts);
2564out_free_secdata:
2565 free_secdata(secdata);
2566 return rc;
2567out_bad_option:
2568 printk(KERN_WARNING "SELinux: unable to change security options "
2569 "during remount (dev %s, type=%s)\n", sb->s_id,
2570 sb->s_type->name);
2571 goto out_free_opts;
2572}
2573
12204e24 2574static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2575{
88e67f3b 2576 const struct cred *cred = current_cred();
2bf49690 2577 struct common_audit_data ad;
1da177e4
LT		 2578 int rc;
2579
2580 rc = superblock_doinit(sb, data);
2581 if (rc)
2582 return rc;
2583
74192246
JM		 2584 /* Allow all mounts performed by the kernel */
2585 if (flags & MS_KERNMOUNT)
2586 return 0;
2587
50c205f5 2588 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2589 ad.u.dentry = sb->s_root;
88e67f3b 2590 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2591}
2592
726c3342 2593static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2594{
88e67f3b 2595 const struct cred *cred = current_cred();
2bf49690 2596 struct common_audit_data ad;
1da177e4 2597
50c205f5 2598 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2599 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2600 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2601}
2602
808d4e3c 2603static int selinux_mount(const char *dev_name,
b5266eb4 2604 struct path *path,
808d4e3c 2605 const char *type,
828dfe1d
EP		 2606 unsigned long flags,
2607 void *data)
1da177e4 2608{
88e67f3b 2609 const struct cred *cred = current_cred();
1da177e4 2610 if (flags & MS_REMOUNT)
d8c9584e 2611 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2612 FILESYSTEM__REMOUNT, NULL);
1da177e4 2613 else
2875fa00 2614 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2615}
2616
2617static int selinux_umount(struct vfsmount *mnt, int flags)
2618{
88e67f3b 2619 const struct cred *cred = current_cred();
1da177e4 2620
88e67f3b 2621 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2622 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2623}
2624
2625/* inode security operations */
2626
2627static int selinux_inode_alloc_security(struct inode *inode)
2628{
2629 return inode_alloc_security(inode);
2630}
2631
2632static void selinux_inode_free_security(struct inode *inode)
2633{
2634 inode_free_security(inode);
2635}
2636
5e41ff9e 2637static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2a7dba39
EP		 2638 const struct qstr *qstr, char **name,
2639 void **value, size_t *len)
5e41ff9e 2640{
5fb49870 2641 const struct task_security_struct *tsec = current_security();
5e41ff9e
SS		 2642 struct inode_security_struct *dsec;
2643 struct superblock_security_struct *sbsec;
275bb41e 2644 u32 sid, newsid, clen;
5e41ff9e 2645 int rc;
570bc1c2 2646 char *namep = NULL, *context;
5e41ff9e 2647
5e41ff9e
SS		 2648 dsec = dir->i_security;
2649 sbsec = dir->i_sb->s_security;
5e41ff9e 2650
275bb41e
DH		 2651 sid = tsec->sid;
2652 newsid = tsec->create_sid;
2653
415103f9
EP		 2654 if ((sbsec->flags & SE_SBINITIALIZED) &&
2655 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2656 newsid = sbsec->mntpoint_sid;
2657 else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
275bb41e 2658 rc = security_transition_sid(sid, dsec->sid,
5e41ff9e 2659 inode_mode_to_security_class(inode->i_mode),
652bb9b0 2660 qstr, &newsid);
5e41ff9e
SS		 2661 if (rc) {
2662 printk(KERN_WARNING "%s: "
2663 "security_transition_sid failed, rc=%d (dev=%s "
2664 "ino=%ld)\n",
dd6f953a 2665 __func__,
5e41ff9e
SS		 2666 -rc, inode->i_sb->s_id, inode->i_ino);
2667 return rc;
2668 }
2669 }
2670
296fddf7 2671 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2672 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2673 struct inode_security_struct *isec = inode->i_security;
2674 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2675 isec->sid = newsid;
2676 isec->initialized = 1;
2677 }
5e41ff9e 2678
cd89596f 2679 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
25a74f3b
SS		 2680 return -EOPNOTSUPP;
2681
570bc1c2 2682 if (name) {
a02fe132 2683 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
570bc1c2
SS		 2684 if (!namep)
2685 return -ENOMEM;
2686 *name = namep;
2687 }
5e41ff9e 2688
570bc1c2 2689 if (value && len) {
12b29f34 2690 rc = security_sid_to_context_force(newsid, &context, &clen);
570bc1c2
SS		 2691 if (rc) {
2692 kfree(namep);
2693 return rc;
2694 }
2695 *value = context;
2696 *len = clen;
5e41ff9e 2697 }
5e41ff9e 2698
5e41ff9e
SS		 2699 return 0;
2700}
2701
4acdaf27 2702static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2703{
2704 return may_create(dir, dentry, SECCLASS_FILE);
2705}
2706
1da177e4
LT		 2707static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2708{
1da177e4
LT		 2709 return may_link(dir, old_dentry, MAY_LINK);
2710}
2711
1da177e4
LT		 2712static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2713{
1da177e4
LT		 2714 return may_link(dir, dentry, MAY_UNLINK);
2715}
2716
2717static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2718{
2719 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2720}
2721
18bb1db3 2722static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2723{
2724 return may_create(dir, dentry, SECCLASS_DIR);
2725}
2726
1da177e4
LT		 2727static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2728{
2729 return may_link(dir, dentry, MAY_RMDIR);
2730}
2731
1a67aafb 2732static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2733{
1da177e4
LT		 2734 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2735}
2736
1da177e4 2737static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2738 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2739{
2740 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2741}
2742
1da177e4
LT		 2743static int selinux_inode_readlink(struct dentry *dentry)
2744{
88e67f3b
DH		 2745 const struct cred *cred = current_cred();
2746
2875fa00 2747 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2748}
2749
2750static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2751{
88e67f3b 2752 const struct cred *cred = current_cred();
1da177e4 2753
2875fa00 2754 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2755}
2756
d4cf970d
EP		 2757static noinline int audit_inode_permission(struct inode *inode,
2758 u32 perms, u32 audited, u32 denied,
6fa3eb70 2759 int result,
d4cf970d 2760 unsigned flags)
1da177e4 2761{
b782e0a6 2762 struct common_audit_data ad;
d4cf970d
EP		 2763 struct inode_security_struct *isec = inode->i_security;
2764 int rc;
2765
50c205f5 2766 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 2767 ad.u.inode = inode;
2768
2769 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
6fa3eb70 2770 audited, denied, result, &ad, flags);
d4cf970d
EP		 2771 if (rc)
2772 return rc;
2773 return 0;
2774}
2775
e74f71eb 2776static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2777{
88e67f3b 2778 const struct cred *cred = current_cred();
b782e0a6
EP		 2779 u32 perms;
2780 bool from_access;
cf1dd1da 2781 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 2782 struct inode_security_struct *isec;
2783 u32 sid;
2784 struct av_decision avd;
2785 int rc, rc2;
2786 u32 audited, denied;
1da177e4 2787
b782e0a6 2788 from_access = mask & MAY_ACCESS;
d09ca739
EP		 2789 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2790
b782e0a6
EP		 2791 /* No permission to check. Existence test. */
2792 if (!mask)
1da177e4 2793 return 0;
1da177e4 2794
2e334057 2795 validate_creds(cred);
b782e0a6 2796
2e334057
EP		 2797 if (unlikely(IS_PRIVATE(inode)))
2798 return 0;
b782e0a6
EP		 2799
2800 perms = file_mask_to_av(inode->i_mode, mask);
2801
2e334057
EP		 2802 sid = cred_sid(cred);
2803 isec = inode->i_security;
2804
949c2c1d
S		 2805// [ SEC_SELINUX_PORTING COMMON
2806 /* skip sid == 1(kernel), it means first boot time */
2807 if(isec->initialized != 1 && sid != 1) {
2808 int count = 5;
2809
2810 while(count-- > 0) {
2811 printk(KERN_ERR "SELinux : inode->i_security is not initialized. waiting...(%d/5)\n", 5-count);
2812 udelay(500);
2813 if(isec->initialized == 1) {
2814 printk(KERN_ERR "SELinux : inode->i_security is INITIALIZED.\n");
2815 break;
2816 }
2817 }
2818 if(isec->initialized != 1) {
2819 printk(KERN_ERR "SELinux : inode->i_security is not initialized. not fixed.\n");
2820 }
2821 }
2822// ] SEC_SELINUX_PORTING COMMON
2823
2e334057
EP		 2824 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2825 audited = avc_audit_required(perms, &avd, rc,
2826 from_access ? FILE__AUDIT_ACCESS : 0,
2827 &denied);
2828 if (likely(!audited))
2829 return rc;
2830
6fa3eb70 2831 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 2832 if (rc2)
2833 return rc2;
2834 return rc;
1da177e4
LT		 2835}
2836
2837static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2838{
88e67f3b 2839 const struct cred *cred = current_cred();
bc6a6008 2840 unsigned int ia_valid = iattr->ia_valid;
95dbf739 2841 __u32 av = FILE__WRITE;
1da177e4 2842
bc6a6008
AW		 2843 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2844 if (ia_valid & ATTR_FORCE) {
2845 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2846 ATTR_FORCE);
2847 if (!ia_valid)
2848 return 0;
2849 }
1da177e4 2850
bc6a6008
AW		 2851 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2852 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 2853 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 2854
949c2c1d
S		 2855 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
2856 && !(ia_valid & ATTR_FILE))
95dbf739
EP		 2857 av |= FILE__OPEN;
2858
2859 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 2860}
2861
2862static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2863{
88e67f3b 2864 const struct cred *cred = current_cred();
2875fa00
EP		 2865 struct path path;
2866
2867 path.dentry = dentry;
2868 path.mnt = mnt;
88e67f3b 2869
2875fa00 2870 return path_has_perm(cred, &path, FILE__GETATTR);
1da177e4
LT		 2871}
2872
8f0cfa52 2873static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 2874{
88e67f3b
DH		 2875 const struct cred *cred = current_cred();
2876
b5376771
SH		 2877 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2878 sizeof XATTR_SECURITY_PREFIX - 1)) {
2879 if (!strcmp(name, XATTR_NAME_CAPS)) {
2880 if (!capable(CAP_SETFCAP))
2881 return -EPERM;
2882 } else if (!capable(CAP_SYS_ADMIN)) {
2883 /* A different attribute in the security namespace.
2884 Restrict to administrator. */
2885 return -EPERM;
2886 }
2887 }
2888
2889 /* Not an attribute we recognize, so just check the
2890 ordinary setattr permission. */
2875fa00 2891 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 2892}
2893
8f0cfa52
DH		 2894static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2895 const void *value, size_t size, int flags)
1da177e4 2896{
1da177e4
LT		 2897 struct inode *inode = dentry->d_inode;
2898 struct inode_security_struct *isec = inode->i_security;
2899 struct superblock_security_struct *sbsec;
2bf49690 2900 struct common_audit_data ad;
275bb41e 2901 u32 newsid, sid = current_sid();
1da177e4
LT		 2902 int rc = 0;
2903
b5376771
SH		 2904 if (strcmp(name, XATTR_NAME_SELINUX))
2905 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2906
2907 sbsec = inode->i_sb->s_security;
cd89596f 2908 if (!(sbsec->flags & SE_SBLABELSUPP))
1da177e4
LT		 2909 return -EOPNOTSUPP;
2910
2e149670 2911 if (!inode_owner_or_capable(inode))
1da177e4
LT		 2912 return -EPERM;
2913
50c205f5 2914 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2915 ad.u.dentry = dentry;
1da177e4 2916
275bb41e 2917 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 2918 FILE__RELABELFROM, &ad);
2919 if (rc)
2920 return rc;
2921
2922 rc = security_context_to_sid(value, size, &newsid);
12b29f34 2923 if (rc == -EINVAL) {
d6ea83ec
EP		 2924 if (!capable(CAP_MAC_ADMIN)) {
2925 struct audit_buffer *ab;
2926 size_t audit_size;
2927 const char *str;
2928
2929 /* We strip a nul only if it is at the end, otherwise the
2930 * context contains a nul and we should audit that */
e3fea3f7
AV		 2931 if (value) {
2932 str = value;
2933 if (str[size - 1] == '\0')
2934 audit_size = size - 1;
2935 else
2936 audit_size = size;
2937 } else {
2938 str = "";
2939 audit_size = 0;
2940 }
d6ea83ec
EP		 2941 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2942 audit_log_format(ab, "op=setxattr invalid_context=");
2943 audit_log_n_untrustedstring(ab, value, audit_size);
2944 audit_log_end(ab);
2945
12b29f34 2946 return rc;
d6ea83ec 2947 }
12b29f34
SS		 2948 rc = security_context_to_sid_force(value, size, &newsid);
2949 }
1da177e4
LT		 2950 if (rc)
2951 return rc;
2952
275bb41e 2953 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 2954 FILE__RELABELTO, &ad);
2955 if (rc)
2956 return rc;
2957
275bb41e 2958 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 2959 isec->sclass);
1da177e4
LT		 2960 if (rc)
2961 return rc;
2962
2963 return avc_has_perm(newsid,
2964 sbsec->sid,
2965 SECCLASS_FILESYSTEM,
2966 FILESYSTEM__ASSOCIATE,
2967 &ad);
2968}
2969
8f0cfa52 2970static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 2971 const void *value, size_t size,
8f0cfa52 2972 int flags)
1da177e4
LT		 2973{
2974 struct inode *inode = dentry->d_inode;
2975 struct inode_security_struct *isec = inode->i_security;
2976 u32 newsid;
2977 int rc;
2978
2979 if (strcmp(name, XATTR_NAME_SELINUX)) {
2980 /* Not an attribute we recognize, so nothing to do. */
2981 return;
2982 }
2983
12b29f34 2984 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 2985 if (rc) {
12b29f34
SS		 2986 printk(KERN_ERR "SELinux: unable to map context to SID"
2987 "for (%s, %lu), rc=%d\n",
2988 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 2989 return;
2990 }
2991
2992 isec->sid = newsid;
2993 return;
2994}
2995
8f0cfa52 2996static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 2997{
88e67f3b
DH		 2998 const struct cred *cred = current_cred();
2999
2875fa00 3000 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3001}
3002
828dfe1d 3003static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3004{
88e67f3b
DH		 3005 const struct cred *cred = current_cred();
3006
2875fa00 3007 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3008}
3009
8f0cfa52 3010static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3011{
b5376771
SH		 3012 if (strcmp(name, XATTR_NAME_SELINUX))
3013 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3014
3015 /* No one is allowed to remove a SELinux security label.
3016 You can change the label, but all data must be labeled. */
3017 return -EACCES;
3018}
3019
d381d8a9 3020/*
abc69bb6 3021 * Copy the inode security context value to the user.
d381d8a9
JM		 3022 *
3023 * Permission check is handled by selinux_inode_getxattr hook.
3024 */
42492594 3025static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3026{
42492594
DQ		 3027 u32 size;
3028 int error;
3029 char *context = NULL;
1da177e4 3030 struct inode_security_struct *isec = inode->i_security;
d381d8a9 3031
8c8570fb
DK		 3032 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3033 return -EOPNOTSUPP;
d381d8a9 3034
abc69bb6
SS		 3035 /*
3036 * If the caller has CAP_MAC_ADMIN, then get the raw context
3037 * value even if it is not defined by current policy; otherwise,
3038 * use the in-core value under current policy.
3039 * Use the non-auditing forms of the permission checks since
3040 * getxattr may be called by unprivileged processes commonly
3041 * and lack of permission just means that we fall back to the
3042 * in-core context value, not a denial.
3043 */
6a9de491 3044 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3699c53c 3045 SECURITY_CAP_NOAUDIT);
abc69bb6
SS		 3046 if (!error)
3047 error = security_sid_to_context_force(isec->sid, &context,
3048 &size);
3049 else
3050 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3051 if (error)
3052 return error;
3053 error = size;
3054 if (alloc) {
3055 *buffer = context;
3056 goto out_nofree;
3057 }
3058 kfree(context);
3059out_nofree:
3060 return error;
1da177e4
LT		 3061}
3062
3063static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3064 const void *value, size_t size, int flags)
1da177e4
LT		 3065{
3066 struct inode_security_struct *isec = inode->i_security;
3067 u32 newsid;
3068 int rc;
3069
3070 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3071 return -EOPNOTSUPP;
3072
3073 if (!value || !size)
3074 return -EACCES;
3075
828dfe1d 3076 rc = security_context_to_sid((void *)value, size, &newsid);
1da177e4
LT		 3077 if (rc)
3078 return rc;
3079
3080 isec->sid = newsid;
ddd29ec6 3081 isec->initialized = 1;
1da177e4
LT		 3082 return 0;
3083}
3084
3085static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3086{
3087 const int len = sizeof(XATTR_NAME_SELINUX);
949c2c1d 3088
1da177e4
LT		 3089 if (buffer && len <= buffer_size)
3090 memcpy(buffer, XATTR_NAME_SELINUX, len);
3091 return len;
3092}
3093
713a04ae
AD		 3094static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3095{
3096 struct inode_security_struct *isec = inode->i_security;
3097 *secid = isec->sid;
3098}
3099
1da177e4
LT		 3100/* file security operations */
3101
788e7dd4 3102static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3103{
88e67f3b 3104 const struct cred *cred = current_cred();
496ad9aa 3105 struct inode *inode = file_inode(file);
1da177e4 3106
1da177e4
LT		 3107 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3108 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3109 mask |= MAY_APPEND;
3110
389fb800
PM		 3111 return file_has_perm(cred, file,
3112 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3113}
3114
788e7dd4
YN		 3115static int selinux_file_permission(struct file *file, int mask)
3116{
496ad9aa 3117 struct inode *inode = file_inode(file);
20dda18b
SS		 3118 struct file_security_struct *fsec = file->f_security;
3119 struct inode_security_struct *isec = inode->i_security;
3120 u32 sid = current_sid();
3121
389fb800 3122 if (!mask)
788e7dd4
YN		 3123 /* No permission to check. Existence test. */
3124 return 0;
788e7dd4 3125
20dda18b
SS		 3126 if (sid == fsec->sid && fsec->isid == isec->sid &&
3127 fsec->pseqno == avc_policy_seqno())
83d49856 3128 /* No change since file_open check. */
20dda18b
SS		 3129 return 0;
3130
788e7dd4
YN		 3131 return selinux_revalidate_file_permission(file, mask);
3132}
3133
1da177e4
LT		 3134static int selinux_file_alloc_security(struct file *file)
3135{
3136 return file_alloc_security(file);
3137}
3138
3139static void selinux_file_free_security(struct file *file)
3140{
3141 file_free_security(file);
3142}
3143
949c2c1d
S		 3144/*
3145 * Check whether a task has the ioctl permission and cmd
3146 * operation to an inode.
3147 */
3148int ioctl_has_perm(const struct cred *cred, struct file *file,
3149 u32 requested, u16 cmd)
3150{
3151 struct common_audit_data ad;
3152 struct file_security_struct *fsec = file->f_security;
3153 struct inode *inode = file_inode(file);
3154 struct inode_security_struct *isec = inode->i_security;
3155 struct lsm_ioctlop_audit ioctl;
3156 u32 ssid = cred_sid(cred);
3157 int rc;
3158 u8 driver = cmd >> 8;
3159 u8 xperm = cmd & 0xff;
3160
3161 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3162 ad.u.op = &ioctl;
3163 ad.u.op->cmd = cmd;
3164 ad.u.op->path = file->f_path;
3165
3166 if (ssid != fsec->sid) {
3167 rc = avc_has_perm(ssid, fsec->sid,
3168 SECCLASS_FD,
3169 FD__USE,
3170 &ad);
3171 if (rc)
3172 goto out;
3173 }
3174
3175 if (unlikely(IS_PRIVATE(inode)))
3176 return 0;
3177
3178 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3179 requested, driver, xperm, &ad);
3180out:
3181 return rc;
3182}
3183
1da177e4
LT		 3184static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3185 unsigned long arg)
3186{
88e67f3b 3187 const struct cred *cred = current_cred();
0b24dcb7 3188 int error = 0;
1da177e4 3189
0b24dcb7
EP		 3190 switch (cmd) {
3191 case FIONREAD:
3192 /* fall through */
3193 case FIBMAP:
3194 /* fall through */
3195 case FIGETBSZ:
3196 /* fall through */
2f99c369 3197 case FS_IOC_GETFLAGS:
0b24dcb7 3198 /* fall through */
2f99c369 3199 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3200 error = file_has_perm(cred, file, FILE__GETATTR);
3201 break;
1da177e4 3202
2f99c369 3203 case FS_IOC_SETFLAGS:
0b24dcb7 3204 /* fall through */
2f99c369 3205 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3206 error = file_has_perm(cred, file, FILE__SETATTR);
3207 break;
3208
3209 /* sys_ioctl() checks */
3210 case FIONBIO:
3211 /* fall through */
3212 case FIOASYNC:
3213 error = file_has_perm(cred, file, 0);
3214 break;
1da177e4 3215
0b24dcb7
EP		 3216 case KDSKBENT:
3217 case KDSKBSENT:
6a9de491
EP		 3218 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3219 SECURITY_CAP_AUDIT);
0b24dcb7
EP		 3220 break;
3221
3222 /* default case assumes that the command will go
3223 * to the file's ioctl() function.
3224 */
3225 default:
949c2c1d 3226 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3227 }
3228 return error;
1da177e4
LT		 3229}
3230
fcaaade1
SS		 3231static int default_noexec;
3232
1da177e4
LT		 3233static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3234{
88e67f3b 3235 const struct cred *cred = current_cred();
d84f4f99 3236 int rc = 0;
88e67f3b 3237
fcaaade1
SS		 3238 if (default_noexec &&
3239 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3240 /*
3241 * We are making executable an anonymous mapping or a
3242 * private file mapping that will also be writable.
3243 * This has an additional check.
3244 */
d84f4f99 3245 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 3246 if (rc)
d84f4f99 3247 goto error;
1da177e4 3248 }
1da177e4
LT		 3249
3250 if (file) {
3251 /* read access is always possible with a mapping */
3252 u32 av = FILE__READ;
3253
3254 /* write access only matters if the mapping is shared */
3255 if (shared && (prot & PROT_WRITE))
3256 av |= FILE__WRITE;
3257
3258 if (prot & PROT_EXEC)
3259 av |= FILE__EXECUTE;
3260
88e67f3b 3261 return file_has_perm(cred, file, av);
1da177e4 3262 }
d84f4f99
DH		 3263
3264error:
3265 return rc;
1da177e4
LT		 3266}
3267
e5467859 3268static int selinux_mmap_addr(unsigned long addr)
1da177e4 3269{
ed032189 3270 int rc = 0;
275bb41e 3271 u32 sid = current_sid();
1da177e4 3272
84336d1a
EP		 3273 /*
3274 * notice that we are intentionally putting the SELinux check before
3275 * the secondary cap_file_mmap check. This is such a likely attempt
3276 * at bad behaviour/exploit that we always want to get the AVC, even
3277 * if DAC would have also denied the operation.
3278 */
a2551df7 3279 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
ed032189
EP		 3280 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3281 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3282 if (rc)
3283 return rc;
3284 }
3285
3286 /* do DAC check on address space usage */
e5467859
AV		 3287 return cap_mmap_addr(addr);
3288}
1da177e4 3289
e5467859
AV		 3290static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3291 unsigned long prot, unsigned long flags)
3292{
1da177e4
LT		 3293 if (selinux_checkreqprot)
3294 prot = reqprot;
3295
3296 return file_map_prot_check(file, prot,
3297 (flags & MAP_TYPE) == MAP_SHARED);
3298}
3299
3300static int selinux_file_mprotect(struct vm_area_struct *vma,
3301 unsigned long reqprot,
3302 unsigned long prot)
3303{
88e67f3b 3304 const struct cred *cred = current_cred();
1da177e4
LT		 3305
3306 if (selinux_checkreqprot)
3307 prot = reqprot;
3308
fcaaade1
SS		 3309 if (default_noexec &&
3310 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3311 int rc = 0;
db4c9641
SS		 3312 if (vma->vm_start >= vma->vm_mm->start_brk &&
3313 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3314 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641
SS		 3315 } else if (!vma->vm_file &&
3316 vma->vm_start <= vma->vm_mm->start_stack &&
3317 vma->vm_end >= vma->vm_mm->start_stack) {
3b11a1de 3318 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3319 } else if (vma->vm_file && vma->anon_vma) {
3320 /*
3321 * We are making executable a file mapping that has
3322 * had some COW done. Since pages might have been
3323 * written, check ability to execute the possibly
3324 * modified content. This typically should only
3325 * occur for text relocations.
3326 */
d84f4f99 3327 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3328 }