projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
[NetLabel]: CIPSOv4 and Unlabeled packet integration
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 *
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License version 2,
18 * as published by the Free Software Foundation.
19 */
20
1da177e4
LT		 21#include <linux/module.h>
22#include <linux/init.h>
23#include <linux/kernel.h>
24#include <linux/ptrace.h>
25#include <linux/errno.h>
26#include <linux/sched.h>
27#include <linux/security.h>
28#include <linux/xattr.h>
29#include <linux/capability.h>
30#include <linux/unistd.h>
31#include <linux/mm.h>
32#include <linux/mman.h>
33#include <linux/slab.h>
34#include <linux/pagemap.h>
35#include <linux/swap.h>
36#include <linux/smp_lock.h>
37#include <linux/spinlock.h>
38#include <linux/syscalls.h>
39#include <linux/file.h>
40#include <linux/namei.h>
41#include <linux/mount.h>
42#include <linux/ext2_fs.h>
43#include <linux/proc_fs.h>
44#include <linux/kd.h>
45#include <linux/netfilter_ipv4.h>
46#include <linux/netfilter_ipv6.h>
47#include <linux/tty.h>
48#include <net/icmp.h>
49#include <net/ip.h> /* for sysctl_local_port_range[] */
50#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
51#include <asm/uaccess.h>
52#include <asm/semaphore.h>
53#include <asm/ioctls.h>
54#include <linux/bitops.h>
55#include <linux/interrupt.h>
56#include <linux/netdevice.h> /* for network interface checks */
57#include <linux/netlink.h>
58#include <linux/tcp.h>
59#include <linux/udp.h>
60#include <linux/quota.h>
61#include <linux/un.h> /* for Unix socket types */
62#include <net/af_unix.h> /* for Unix socket types */
63#include <linux/parser.h>
64#include <linux/nfs_mount.h>
65#include <net/ipv6.h>
66#include <linux/hugetlb.h>
67#include <linux/personality.h>
68#include <linux/sysctl.h>
69#include <linux/audit.h>
6931dfc9 70#include <linux/string.h>
877ce7c1 71#include <linux/selinux.h>
1da177e4
LT		 72
73#include "avc.h"
74#include "objsec.h"
75#include "netif.h"
d28d1e08 76#include "xfrm.h"
1da177e4
LT		 77
78#define XATTR_SELINUX_SUFFIX "selinux"
79#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
80
81extern unsigned int policydb_loaded_version;
82extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
4e5ab4cb 83extern int selinux_compat_net;
1da177e4
LT		 84
85#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
86int selinux_enforcing = 0;
87
88static int __init enforcing_setup(char *str)
89{
90 selinux_enforcing = simple_strtol(str,NULL,0);
91 return 1;
92}
93__setup("enforcing=", enforcing_setup);
94#endif
95
96#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
97int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
98
99static int __init selinux_enabled_setup(char *str)
100{
101 selinux_enabled = simple_strtol(str, NULL, 0);
102 return 1;
103}
104__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 105#else
106int selinux_enabled = 1;
1da177e4
LT		 107#endif
108
109/* Original (dummy) security module. */
110static struct security_operations *original_ops = NULL;
111
112/* Minimal support for a secondary security module,
113 just to allow the use of the dummy or capability modules.
114 The owlsm module can alternatively be used as a secondary
115 module as long as CONFIG_OWLSM_FD is not enabled. */
116static struct security_operations *secondary_ops = NULL;
117
118/* Lists of inode and superblock security structures initialized
119 before the policy was loaded. */
120static LIST_HEAD(superblock_security_head);
121static DEFINE_SPINLOCK(sb_security_lock);
122
7cae7e26
JM		 123static kmem_cache_t *sel_inode_cache;
124
8c8570fb
DK		 125/* Return security context for a given sid or just the context
126 length if the buffer is null or length is 0 */
127static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
128{
129 char *context;
130 unsigned len;
131 int rc;
132
133 rc = security_sid_to_context(sid, &context, &len);
134 if (rc)
135 return rc;
136
137 if (!buffer || !size)
138 goto getsecurity_exit;
139
140 if (size < len) {
141 len = -ERANGE;
142 goto getsecurity_exit;
143 }
144 memcpy(buffer, context, len);
145
146getsecurity_exit:
147 kfree(context);
148 return len;
149}
150
1da177e4
LT		 151/* Allocate and free functions for each kind of security blob. */
152
153static int task_alloc_security(struct task_struct *task)
154{
155 struct task_security_struct *tsec;
156
89d155ef 157 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4
LT		 158 if (!tsec)
159 return -ENOMEM;
160
1da177e4
LT		 161 tsec->task = task;
162 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
163 task->security = tsec;
164
165 return 0;
166}
167
168static void task_free_security(struct task_struct *task)
169{
170 struct task_security_struct *tsec = task->security;
1da177e4
LT		 171 task->security = NULL;
172 kfree(tsec);
173}
174
175static int inode_alloc_security(struct inode *inode)
176{
177 struct task_security_struct *tsec = current->security;
178 struct inode_security_struct *isec;
179
7cae7e26 180 isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL);
1da177e4
LT		 181 if (!isec)
182 return -ENOMEM;
183
7cae7e26 184 memset(isec, 0, sizeof(*isec));
1da177e4
LT		 185 init_MUTEX(&isec->sem);
186 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 187 isec->inode = inode;
188 isec->sid = SECINITSID_UNLABELED;
189 isec->sclass = SECCLASS_FILE;
9ac49d22 190 isec->task_sid = tsec->sid;
1da177e4
LT		 191 inode->i_security = isec;
192
193 return 0;
194}
195
196static void inode_free_security(struct inode *inode)
197{
198 struct inode_security_struct *isec = inode->i_security;
199 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
200
1da177e4
LT		 201 spin_lock(&sbsec->isec_lock);
202 if (!list_empty(&isec->list))
203 list_del_init(&isec->list);
204 spin_unlock(&sbsec->isec_lock);
205
206 inode->i_security = NULL;
7cae7e26 207 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 208}
209
210static int file_alloc_security(struct file *file)
211{
212 struct task_security_struct *tsec = current->security;
213 struct file_security_struct *fsec;
214
26d2a4be 215 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 216 if (!fsec)
217 return -ENOMEM;
218
1da177e4 219 fsec->file = file;
9ac49d22
SS		 220 fsec->sid = tsec->sid;
221 fsec->fown_sid = tsec->sid;
1da177e4
LT		 222 file->f_security = fsec;
223
224 return 0;
225}
226
227static void file_free_security(struct file *file)
228{
229 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 230 file->f_security = NULL;
231 kfree(fsec);
232}
233
234static int superblock_alloc_security(struct super_block *sb)
235{
236 struct superblock_security_struct *sbsec;
237
89d155ef 238 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 239 if (!sbsec)
240 return -ENOMEM;
241
1da177e4
LT		 242 init_MUTEX(&sbsec->sem);
243 INIT_LIST_HEAD(&sbsec->list);
244 INIT_LIST_HEAD(&sbsec->isec_head);
245 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 246 sbsec->sb = sb;
247 sbsec->sid = SECINITSID_UNLABELED;
248 sbsec->def_sid = SECINITSID_FILE;
c312feb2 249 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 250 sb->s_security = sbsec;
251
252 return 0;
253}
254
255static void superblock_free_security(struct super_block *sb)
256{
257 struct superblock_security_struct *sbsec = sb->s_security;
258
1da177e4
LT		 259 spin_lock(&sb_security_lock);
260 if (!list_empty(&sbsec->list))
261 list_del_init(&sbsec->list);
262 spin_unlock(&sb_security_lock);
263
264 sb->s_security = NULL;
265 kfree(sbsec);
266}
267
7d877f3b 268static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4
LT		 269{
270 struct sk_security_struct *ssec;
271
89d155ef 272 ssec = kzalloc(sizeof(*ssec), priority);
1da177e4
LT		 273 if (!ssec)
274 return -ENOMEM;
275
1da177e4
LT		 276 ssec->sk = sk;
277 ssec->peer_sid = SECINITSID_UNLABELED;
892c141e 278 ssec->sid = SECINITSID_UNLABELED;
1da177e4
LT		 279 sk->sk_security = ssec;
280
281 return 0;
282}
283
284static void sk_free_security(struct sock *sk)
285{
286 struct sk_security_struct *ssec = sk->sk_security;
287
1da177e4
LT		 288 sk->sk_security = NULL;
289 kfree(ssec);
290}
1da177e4
LT		 291
292/* The security server must be initialized before
293 any labeling or access decisions can be provided. */
294extern int ss_initialized;
295
296/* The file system's label must be initialized prior to use. */
297
298static char *labeling_behaviors[6] = {
299 "uses xattr",
300 "uses transition SIDs",
301 "uses task SIDs",
302 "uses genfs_contexts",
303 "not configured for labeling",
304 "uses mountpoint labeling",
305};
306
307static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
308
309static inline int inode_doinit(struct inode *inode)
310{
311 return inode_doinit_with_dentry(inode, NULL);
312}
313
314enum {
315 Opt_context = 1,
316 Opt_fscontext = 2,
317 Opt_defcontext = 4,
0808925e 318 Opt_rootcontext = 8,
1da177e4
LT		 319};
320
321static match_table_t tokens = {
322 {Opt_context, "context=%s"},
323 {Opt_fscontext, "fscontext=%s"},
324 {Opt_defcontext, "defcontext=%s"},
0808925e 325 {Opt_rootcontext, "rootcontext=%s"},
1da177e4
LT		 326};
327
328#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
329
c312feb2
EP		 330static int may_context_mount_sb_relabel(u32 sid,
331 struct superblock_security_struct *sbsec,
332 struct task_security_struct *tsec)
333{
334 int rc;
335
336 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
337 FILESYSTEM__RELABELFROM, NULL);
338 if (rc)
339 return rc;
340
341 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
342 FILESYSTEM__RELABELTO, NULL);
343 return rc;
344}
345
0808925e
EP		 346static int may_context_mount_inode_relabel(u32 sid,
347 struct superblock_security_struct *sbsec,
348 struct task_security_struct *tsec)
349{
350 int rc;
351 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
352 FILESYSTEM__RELABELFROM, NULL);
353 if (rc)
354 return rc;
355
356 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
357 FILESYSTEM__ASSOCIATE, NULL);
358 return rc;
359}
360
1da177e4
LT		 361static int try_context_mount(struct super_block *sb, void *data)
362{
363 char *context = NULL, *defcontext = NULL;
0808925e 364 char *fscontext = NULL, *rootcontext = NULL;
1da177e4
LT		 365 const char *name;
366 u32 sid;
367 int alloc = 0, rc = 0, seen = 0;
368 struct task_security_struct *tsec = current->security;
369 struct superblock_security_struct *sbsec = sb->s_security;
370
371 if (!data)
372 goto out;
373
374 name = sb->s_type->name;
375
376 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
377
378 /* NFS we understand. */
379 if (!strcmp(name, "nfs")) {
380 struct nfs_mount_data *d = data;
381
382 if (d->version < NFS_MOUNT_VERSION)
383 goto out;
384
385 if (d->context[0]) {
386 context = d->context;
387 seen |= Opt_context;
388 }
389 } else
390 goto out;
391
392 } else {
393 /* Standard string-based options. */
394 char *p, *options = data;
395
396 while ((p = strsep(&options, ",")) != NULL) {
397 int token;
398 substring_t args[MAX_OPT_ARGS];
399
400 if (!*p)
401 continue;
402
403 token = match_token(p, tokens, args);
404
405 switch (token) {
406 case Opt_context:
c312feb2 407 if (seen & (Opt_context|Opt_defcontext)) {
1da177e4
LT		 408 rc = -EINVAL;
409 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
410 goto out_free;
411 }
412 context = match_strdup(&args[0]);
413 if (!context) {
414 rc = -ENOMEM;
415 goto out_free;
416 }
417 if (!alloc)
418 alloc = 1;
419 seen |= Opt_context;
420 break;
421
422 case Opt_fscontext:
c312feb2 423 if (seen & Opt_fscontext) {
1da177e4
LT		 424 rc = -EINVAL;
425 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
426 goto out_free;
427 }
c312feb2
EP		 428 fscontext = match_strdup(&args[0]);
429 if (!fscontext) {
1da177e4
LT		 430 rc = -ENOMEM;
431 goto out_free;
432 }
433 if (!alloc)
434 alloc = 1;
435 seen |= Opt_fscontext;
436 break;
437
0808925e
EP		 438 case Opt_rootcontext:
439 if (seen & Opt_rootcontext) {
440 rc = -EINVAL;
441 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
442 goto out_free;
443 }
444 rootcontext = match_strdup(&args[0]);
445 if (!rootcontext) {
446 rc = -ENOMEM;
447 goto out_free;
448 }
449 if (!alloc)
450 alloc = 1;
451 seen |= Opt_rootcontext;
452 break;
453
1da177e4
LT		 454 case Opt_defcontext:
455 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
456 rc = -EINVAL;
457 printk(KERN_WARNING "SELinux: "
458 "defcontext option is invalid "
459 "for this filesystem type\n");
460 goto out_free;
461 }
462 if (seen & (Opt_context|Opt_defcontext)) {
463 rc = -EINVAL;
464 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
465 goto out_free;
466 }
467 defcontext = match_strdup(&args[0]);
468 if (!defcontext) {
469 rc = -ENOMEM;
470 goto out_free;
471 }
472 if (!alloc)
473 alloc = 1;
474 seen |= Opt_defcontext;
475 break;
476
477 default:
478 rc = -EINVAL;
479 printk(KERN_WARNING "SELinux: unknown mount "
480 "option\n");
481 goto out_free;
482
483 }
484 }
485 }
486
487 if (!seen)
488 goto out;
489
c312feb2
EP		 490 /* sets the context of the superblock for the fs being mounted. */
491 if (fscontext) {
492 rc = security_context_to_sid(fscontext, strlen(fscontext), &sid);
1da177e4
LT		 493 if (rc) {
494 printk(KERN_WARNING "SELinux: security_context_to_sid"
495 "(%s) failed for (dev %s, type %s) errno=%d\n",
c312feb2 496 fscontext, sb->s_id, name, rc);
1da177e4
LT		 497 goto out_free;
498 }
499
c312feb2 500 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
1da177e4
LT		 501 if (rc)
502 goto out_free;
503
c312feb2
EP		 504 sbsec->sid = sid;
505 }
506
507 /*
508 * Switch to using mount point labeling behavior.
509 * sets the label used on all file below the mountpoint, and will set
510 * the superblock context if not already set.
511 */
512 if (context) {
513 rc = security_context_to_sid(context, strlen(context), &sid);
514 if (rc) {
515 printk(KERN_WARNING "SELinux: security_context_to_sid"
516 "(%s) failed for (dev %s, type %s) errno=%d\n",
517 context, sb->s_id, name, rc);
518 goto out_free;
519 }
520
b04ea3ce
EP		 521 if (!fscontext) {
522 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
523 if (rc)
524 goto out_free;
c312feb2 525 sbsec->sid = sid;
b04ea3ce
EP		 526 } else {
527 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
528 if (rc)
529 goto out_free;
530 }
c312feb2 531 sbsec->mntpoint_sid = sid;
1da177e4 532
c312feb2 533 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 534 }
535
0808925e
EP		 536 if (rootcontext) {
537 struct inode *inode = sb->s_root->d_inode;
538 struct inode_security_struct *isec = inode->i_security;
539 rc = security_context_to_sid(rootcontext, strlen(rootcontext), &sid);
540 if (rc) {
541 printk(KERN_WARNING "SELinux: security_context_to_sid"
542 "(%s) failed for (dev %s, type %s) errno=%d\n",
543 rootcontext, sb->s_id, name, rc);
544 goto out_free;
545 }
546
547 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
548 if (rc)
549 goto out_free;
550
551 isec->sid = sid;
552 isec->initialized = 1;
553 }
554
1da177e4
LT		 555 if (defcontext) {
556 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
557 if (rc) {
558 printk(KERN_WARNING "SELinux: security_context_to_sid"
559 "(%s) failed for (dev %s, type %s) errno=%d\n",
560 defcontext, sb->s_id, name, rc);
561 goto out_free;
562 }
563
564 if (sid == sbsec->def_sid)
565 goto out_free;
566
0808925e 567 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
1da177e4
LT		 568 if (rc)
569 goto out_free;
570
571 sbsec->def_sid = sid;
572 }
573
574out_free:
575 if (alloc) {
576 kfree(context);
577 kfree(defcontext);
c312feb2 578 kfree(fscontext);
0808925e 579 kfree(rootcontext);
1da177e4
LT		 580 }
581out:
582 return rc;
583}
584
585static int superblock_doinit(struct super_block *sb, void *data)
586{
587 struct superblock_security_struct *sbsec = sb->s_security;
588 struct dentry *root = sb->s_root;
589 struct inode *inode = root->d_inode;
590 int rc = 0;
591
592 down(&sbsec->sem);
593 if (sbsec->initialized)
594 goto out;
595
596 if (!ss_initialized) {
597 /* Defer initialization until selinux_complete_init,
598 after the initial policy is loaded and the security
599 server is ready to handle calls. */
600 spin_lock(&sb_security_lock);
601 if (list_empty(&sbsec->list))
602 list_add(&sbsec->list, &superblock_security_head);
603 spin_unlock(&sb_security_lock);
604 goto out;
605 }
606
607 /* Determine the labeling behavior to use for this filesystem type. */
608 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
609 if (rc) {
610 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
611 __FUNCTION__, sb->s_type->name, rc);
612 goto out;
613 }
614
615 rc = try_context_mount(sb, data);
616 if (rc)
617 goto out;
618
619 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
620 /* Make sure that the xattr handler exists and that no
621 error other than -ENODATA is returned by getxattr on
622 the root directory. -ENODATA is ok, as this may be
623 the first boot of the SELinux kernel before we have
624 assigned xattr values to the filesystem. */
625 if (!inode->i_op->getxattr) {
626 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
627 "xattr support\n", sb->s_id, sb->s_type->name);
628 rc = -EOPNOTSUPP;
629 goto out;
630 }
631 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
632 if (rc < 0 && rc != -ENODATA) {
633 if (rc == -EOPNOTSUPP)
634 printk(KERN_WARNING "SELinux: (dev %s, type "
635 "%s) has no security xattr handler\n",
636 sb->s_id, sb->s_type->name);
637 else
638 printk(KERN_WARNING "SELinux: (dev %s, type "
639 "%s) getxattr errno %d\n", sb->s_id,
640 sb->s_type->name, -rc);
641 goto out;
642 }
643 }
644
645 if (strcmp(sb->s_type->name, "proc") == 0)
646 sbsec->proc = 1;
647
648 sbsec->initialized = 1;
649
650 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
651 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
652 sb->s_id, sb->s_type->name);
653 }
654 else {
655 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
656 sb->s_id, sb->s_type->name,
657 labeling_behaviors[sbsec->behavior-1]);
658 }
659
660 /* Initialize the root inode. */
661 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
662
663 /* Initialize any other inodes associated with the superblock, e.g.
664 inodes created prior to initial policy load or inodes created
665 during get_sb by a pseudo filesystem that directly
666 populates itself. */
667 spin_lock(&sbsec->isec_lock);
668next_inode:
669 if (!list_empty(&sbsec->isec_head)) {
670 struct inode_security_struct *isec =
671 list_entry(sbsec->isec_head.next,
672 struct inode_security_struct, list);
673 struct inode *inode = isec->inode;
674 spin_unlock(&sbsec->isec_lock);
675 inode = igrab(inode);
676 if (inode) {
677 if (!IS_PRIVATE (inode))
678 inode_doinit(inode);
679 iput(inode);
680 }
681 spin_lock(&sbsec->isec_lock);
682 list_del_init(&isec->list);
683 goto next_inode;
684 }
685 spin_unlock(&sbsec->isec_lock);
686out:
687 up(&sbsec->sem);
688 return rc;
689}
690
691static inline u16 inode_mode_to_security_class(umode_t mode)
692{
693 switch (mode & S_IFMT) {
694 case S_IFSOCK:
695 return SECCLASS_SOCK_FILE;
696 case S_IFLNK:
697 return SECCLASS_LNK_FILE;
698 case S_IFREG:
699 return SECCLASS_FILE;
700 case S_IFBLK:
701 return SECCLASS_BLK_FILE;
702 case S_IFDIR:
703 return SECCLASS_DIR;
704 case S_IFCHR:
705 return SECCLASS_CHR_FILE;
706 case S_IFIFO:
707 return SECCLASS_FIFO_FILE;
708
709 }
710
711 return SECCLASS_FILE;
712}
713
13402580
JM		 714static inline int default_protocol_stream(int protocol)
715{
716 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
717}
718
719static inline int default_protocol_dgram(int protocol)
720{
721 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
722}
723
1da177e4
LT		 724static inline u16 socket_type_to_security_class(int family, int type, int protocol)
725{
726 switch (family) {
727 case PF_UNIX:
728 switch (type) {
729 case SOCK_STREAM:
730 case SOCK_SEQPACKET:
731 return SECCLASS_UNIX_STREAM_SOCKET;
732 case SOCK_DGRAM:
733 return SECCLASS_UNIX_DGRAM_SOCKET;
734 }
735 break;
736 case PF_INET:
737 case PF_INET6:
738 switch (type) {
739 case SOCK_STREAM:
13402580
JM		 740 if (default_protocol_stream(protocol))
741 return SECCLASS_TCP_SOCKET;
742 else
743 return SECCLASS_RAWIP_SOCKET;
1da177e4 744 case SOCK_DGRAM:
13402580
JM		 745 if (default_protocol_dgram(protocol))
746 return SECCLASS_UDP_SOCKET;
747 else
748 return SECCLASS_RAWIP_SOCKET;
749 default:
1da177e4
LT		 750 return SECCLASS_RAWIP_SOCKET;
751 }
752 break;
753 case PF_NETLINK:
754 switch (protocol) {
755 case NETLINK_ROUTE:
756 return SECCLASS_NETLINK_ROUTE_SOCKET;
757 case NETLINK_FIREWALL:
758 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 759 case NETLINK_INET_DIAG:
1da177e4
LT		 760 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
761 case NETLINK_NFLOG:
762 return SECCLASS_NETLINK_NFLOG_SOCKET;
763 case NETLINK_XFRM:
764 return SECCLASS_NETLINK_XFRM_SOCKET;
765 case NETLINK_SELINUX:
766 return SECCLASS_NETLINK_SELINUX_SOCKET;
767 case NETLINK_AUDIT:
768 return SECCLASS_NETLINK_AUDIT_SOCKET;
769 case NETLINK_IP6_FW:
770 return SECCLASS_NETLINK_IP6FW_SOCKET;
771 case NETLINK_DNRTMSG:
772 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 773 case NETLINK_KOBJECT_UEVENT:
774 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 775 default:
776 return SECCLASS_NETLINK_SOCKET;
777 }
778 case PF_PACKET:
779 return SECCLASS_PACKET_SOCKET;
780 case PF_KEY:
781 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 782 case PF_APPLETALK:
783 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 784 }
785
786 return SECCLASS_SOCKET;
787}
788
789#ifdef CONFIG_PROC_FS
790static int selinux_proc_get_sid(struct proc_dir_entry *de,
791 u16 tclass,
792 u32 *sid)
793{
794 int buflen, rc;
795 char *buffer, *path, *end;
796
797 buffer = (char*)__get_free_page(GFP_KERNEL);
798 if (!buffer)
799 return -ENOMEM;
800
801 buflen = PAGE_SIZE;
802 end = buffer+buflen;
803 *--end = '\0';
804 buflen--;
805 path = end-1;
806 *path = '/';
807 while (de && de != de->parent) {
808 buflen -= de->namelen + 1;
809 if (buflen < 0)
810 break;
811 end -= de->namelen;
812 memcpy(end, de->name, de->namelen);
813 *--end = '/';
814 path = end;
815 de = de->parent;
816 }
817 rc = security_genfs_sid("proc", path, tclass, sid);
818 free_page((unsigned long)buffer);
819 return rc;
820}
821#else
822static int selinux_proc_get_sid(struct proc_dir_entry *de,
823 u16 tclass,
824 u32 *sid)
825{
826 return -EINVAL;
827}
828#endif
829
830/* The inode's security attributes must be initialized before first use. */
831static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
832{
833 struct superblock_security_struct *sbsec = NULL;
834 struct inode_security_struct *isec = inode->i_security;
835 u32 sid;
836 struct dentry *dentry;
837#define INITCONTEXTLEN 255
838 char *context = NULL;
839 unsigned len = 0;
840 int rc = 0;
841 int hold_sem = 0;
842
843 if (isec->initialized)
844 goto out;
845
846 down(&isec->sem);
847 hold_sem = 1;
848 if (isec->initialized)
849 goto out;
850
851 sbsec = inode->i_sb->s_security;
852 if (!sbsec->initialized) {
853 /* Defer initialization until selinux_complete_init,
854 after the initial policy is loaded and the security
855 server is ready to handle calls. */
856 spin_lock(&sbsec->isec_lock);
857 if (list_empty(&isec->list))
858 list_add(&isec->list, &sbsec->isec_head);
859 spin_unlock(&sbsec->isec_lock);
860 goto out;
861 }
862
863 switch (sbsec->behavior) {
864 case SECURITY_FS_USE_XATTR:
865 if (!inode->i_op->getxattr) {
866 isec->sid = sbsec->def_sid;
867 break;
868 }
869
870 /* Need a dentry, since the xattr API requires one.
871 Life would be simpler if we could just pass the inode. */
872 if (opt_dentry) {
873 /* Called from d_instantiate or d_splice_alias. */
874 dentry = dget(opt_dentry);
875 } else {
876 /* Called from selinux_complete_init, try to find a dentry. */
877 dentry = d_find_alias(inode);
878 }
879 if (!dentry) {
880 printk(KERN_WARNING "%s: no dentry for dev=%s "
881 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
882 inode->i_ino);
883 goto out;
884 }
885
886 len = INITCONTEXTLEN;
887 context = kmalloc(len, GFP_KERNEL);
888 if (!context) {
889 rc = -ENOMEM;
890 dput(dentry);
891 goto out;
892 }
893 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
894 context, len);
895 if (rc == -ERANGE) {
896 /* Need a larger buffer. Query for the right size. */
897 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
898 NULL, 0);
899 if (rc < 0) {
900 dput(dentry);
901 goto out;
902 }
903 kfree(context);
904 len = rc;
905 context = kmalloc(len, GFP_KERNEL);
906 if (!context) {
907 rc = -ENOMEM;
908 dput(dentry);
909 goto out;
910 }
911 rc = inode->i_op->getxattr(dentry,
912 XATTR_NAME_SELINUX,
913 context, len);
914 }
915 dput(dentry);
916 if (rc < 0) {
917 if (rc != -ENODATA) {
918 printk(KERN_WARNING "%s: getxattr returned "
919 "%d for dev=%s ino=%ld\n", __FUNCTION__,
920 -rc, inode->i_sb->s_id, inode->i_ino);
921 kfree(context);
922 goto out;
923 }
924 /* Map ENODATA to the default file SID */
925 sid = sbsec->def_sid;
926 rc = 0;
927 } else {
f5c1d5b2
JM		 928 rc = security_context_to_sid_default(context, rc, &sid,
929 sbsec->def_sid);
1da177e4
LT		 930 if (rc) {
931 printk(KERN_WARNING "%s: context_to_sid(%s) "
932 "returned %d for dev=%s ino=%ld\n",
933 __FUNCTION__, context, -rc,
934 inode->i_sb->s_id, inode->i_ino);
935 kfree(context);
936 /* Leave with the unlabeled SID */
937 rc = 0;
938 break;
939 }
940 }
941 kfree(context);
942 isec->sid = sid;
943 break;
944 case SECURITY_FS_USE_TASK:
945 isec->sid = isec->task_sid;
946 break;
947 case SECURITY_FS_USE_TRANS:
948 /* Default to the fs SID. */
949 isec->sid = sbsec->sid;
950
951 /* Try to obtain a transition SID. */
952 isec->sclass = inode_mode_to_security_class(inode->i_mode);
953 rc = security_transition_sid(isec->task_sid,
954 sbsec->sid,
955 isec->sclass,
956 &sid);
957 if (rc)
958 goto out;
959 isec->sid = sid;
960 break;
c312feb2
EP		 961 case SECURITY_FS_USE_MNTPOINT:
962 isec->sid = sbsec->mntpoint_sid;
963 break;
1da177e4 964 default:
c312feb2 965 /* Default to the fs superblock SID. */
1da177e4
LT		 966 isec->sid = sbsec->sid;
967
968 if (sbsec->proc) {
969 struct proc_inode *proci = PROC_I(inode);
970 if (proci->pde) {
971 isec->sclass = inode_mode_to_security_class(inode->i_mode);
972 rc = selinux_proc_get_sid(proci->pde,
973 isec->sclass,
974 &sid);
975 if (rc)
976 goto out;
977 isec->sid = sid;
978 }
979 }
980 break;
981 }
982
983 isec->initialized = 1;
984
985out:
986 if (isec->sclass == SECCLASS_FILE)
987 isec->sclass = inode_mode_to_security_class(inode->i_mode);
988
989 if (hold_sem)
990 up(&isec->sem);
991 return rc;
992}
993
994/* Convert a Linux signal to an access vector. */
995static inline u32 signal_to_av(int sig)
996{
997 u32 perm = 0;
998
999 switch (sig) {
1000 case SIGCHLD:
1001 /* Commonly granted from child to parent. */
1002 perm = PROCESS__SIGCHLD;
1003 break;
1004 case SIGKILL:
1005 /* Cannot be caught or ignored */
1006 perm = PROCESS__SIGKILL;
1007 break;
1008 case SIGSTOP:
1009 /* Cannot be caught or ignored */
1010 perm = PROCESS__SIGSTOP;
1011 break;
1012 default:
1013 /* All other signals. */
1014 perm = PROCESS__SIGNAL;
1015 break;
1016 }
1017
1018 return perm;
1019}
1020
1021/* Check permission betweeen a pair of tasks, e.g. signal checks,
1022 fork check, ptrace check, etc. */
1023static int task_has_perm(struct task_struct *tsk1,
1024 struct task_struct *tsk2,
1025 u32 perms)
1026{
1027 struct task_security_struct *tsec1, *tsec2;
1028
1029 tsec1 = tsk1->security;
1030 tsec2 = tsk2->security;
1031 return avc_has_perm(tsec1->sid, tsec2->sid,
1032 SECCLASS_PROCESS, perms, NULL);
1033}
1034
1035/* Check whether a task is allowed to use a capability. */
1036static int task_has_capability(struct task_struct *tsk,
1037 int cap)
1038{
1039 struct task_security_struct *tsec;
1040 struct avc_audit_data ad;
1041
1042 tsec = tsk->security;
1043
1044 AVC_AUDIT_DATA_INIT(&ad,CAP);
1045 ad.tsk = tsk;
1046 ad.u.cap = cap;
1047
1048 return avc_has_perm(tsec->sid, tsec->sid,
1049 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1050}
1051
1052/* Check whether a task is allowed to use a system operation. */
1053static int task_has_system(struct task_struct *tsk,
1054 u32 perms)
1055{
1056 struct task_security_struct *tsec;
1057
1058 tsec = tsk->security;
1059
1060 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1061 SECCLASS_SYSTEM, perms, NULL);
1062}
1063
1064/* Check whether a task has a particular permission to an inode.
1065 The 'adp' parameter is optional and allows other audit
1066 data to be passed (e.g. the dentry). */
1067static int inode_has_perm(struct task_struct *tsk,
1068 struct inode *inode,
1069 u32 perms,
1070 struct avc_audit_data *adp)
1071{
1072 struct task_security_struct *tsec;
1073 struct inode_security_struct *isec;
1074 struct avc_audit_data ad;
1075
1076 tsec = tsk->security;
1077 isec = inode->i_security;
1078
1079 if (!adp) {
1080 adp = &ad;
1081 AVC_AUDIT_DATA_INIT(&ad, FS);
1082 ad.u.fs.inode = inode;
1083 }
1084
1085 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1086}
1087
1088/* Same as inode_has_perm, but pass explicit audit data containing
1089 the dentry to help the auditing code to more easily generate the
1090 pathname if needed. */
1091static inline int dentry_has_perm(struct task_struct *tsk,
1092 struct vfsmount *mnt,
1093 struct dentry *dentry,
1094 u32 av)
1095{
1096 struct inode *inode = dentry->d_inode;
1097 struct avc_audit_data ad;
1098 AVC_AUDIT_DATA_INIT(&ad,FS);
1099 ad.u.fs.mnt = mnt;
1100 ad.u.fs.dentry = dentry;
1101 return inode_has_perm(tsk, inode, av, &ad);
1102}
1103
1104/* Check whether a task can use an open file descriptor to
1105 access an inode in a given way. Check access to the
1106 descriptor itself, and then use dentry_has_perm to
1107 check a particular permission to the file.
1108 Access to the descriptor is implicitly granted if it
1109 has the same SID as the process. If av is zero, then
1110 access to the file is not checked, e.g. for cases
1111 where only the descriptor is affected like seek. */
858119e1 1112static int file_has_perm(struct task_struct *tsk,
1da177e4
LT		 1113 struct file *file,
1114 u32 av)
1115{
1116 struct task_security_struct *tsec = tsk->security;
1117 struct file_security_struct *fsec = file->f_security;
1118 struct vfsmount *mnt = file->f_vfsmnt;
1119 struct dentry *dentry = file->f_dentry;
1120 struct inode *inode = dentry->d_inode;
1121 struct avc_audit_data ad;
1122 int rc;
1123
1124 AVC_AUDIT_DATA_INIT(&ad, FS);
1125 ad.u.fs.mnt = mnt;
1126 ad.u.fs.dentry = dentry;
1127
1128 if (tsec->sid != fsec->sid) {
1129 rc = avc_has_perm(tsec->sid, fsec->sid,
1130 SECCLASS_FD,
1131 FD__USE,
1132 &ad);
1133 if (rc)
1134 return rc;
1135 }
1136
1137 /* av is zero if only checking access to the descriptor. */
1138 if (av)
1139 return inode_has_perm(tsk, inode, av, &ad);
1140
1141 return 0;
1142}
1143
1144/* Check whether a task can create a file. */
1145static int may_create(struct inode *dir,
1146 struct dentry *dentry,
1147 u16 tclass)
1148{
1149 struct task_security_struct *tsec;
1150 struct inode_security_struct *dsec;
1151 struct superblock_security_struct *sbsec;
1152 u32 newsid;
1153 struct avc_audit_data ad;
1154 int rc;
1155
1156 tsec = current->security;
1157 dsec = dir->i_security;
1158 sbsec = dir->i_sb->s_security;
1159
1160 AVC_AUDIT_DATA_INIT(&ad, FS);
1161 ad.u.fs.dentry = dentry;
1162
1163 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1164 DIR__ADD_NAME | DIR__SEARCH,
1165 &ad);
1166 if (rc)
1167 return rc;
1168
1169 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1170 newsid = tsec->create_sid;
1171 } else {
1172 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1173 &newsid);
1174 if (rc)
1175 return rc;
1176 }
1177
1178 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1179 if (rc)
1180 return rc;
1181
1182 return avc_has_perm(newsid, sbsec->sid,
1183 SECCLASS_FILESYSTEM,
1184 FILESYSTEM__ASSOCIATE, &ad);
1185}
1186
4eb582cf
ML		 1187/* Check whether a task can create a key. */
1188static int may_create_key(u32 ksid,
1189 struct task_struct *ctx)
1190{
1191 struct task_security_struct *tsec;
1192
1193 tsec = ctx->security;
1194
1195 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1196}
1197
1da177e4
LT		 1198#define MAY_LINK 0
1199#define MAY_UNLINK 1
1200#define MAY_RMDIR 2
1201
1202/* Check whether a task can link, unlink, or rmdir a file/directory. */
1203static int may_link(struct inode *dir,
1204 struct dentry *dentry,
1205 int kind)
1206
1207{
1208 struct task_security_struct *tsec;
1209 struct inode_security_struct *dsec, *isec;
1210 struct avc_audit_data ad;
1211 u32 av;
1212 int rc;
1213
1214 tsec = current->security;
1215 dsec = dir->i_security;
1216 isec = dentry->d_inode->i_security;
1217
1218 AVC_AUDIT_DATA_INIT(&ad, FS);
1219 ad.u.fs.dentry = dentry;
1220
1221 av = DIR__SEARCH;
1222 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1223 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1224 if (rc)
1225 return rc;
1226
1227 switch (kind) {
1228 case MAY_LINK:
1229 av = FILE__LINK;
1230 break;
1231 case MAY_UNLINK:
1232 av = FILE__UNLINK;
1233 break;
1234 case MAY_RMDIR:
1235 av = DIR__RMDIR;
1236 break;
1237 default:
1238 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1239 return 0;
1240 }
1241
1242 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1243 return rc;
1244}
1245
1246static inline int may_rename(struct inode *old_dir,
1247 struct dentry *old_dentry,
1248 struct inode *new_dir,
1249 struct dentry *new_dentry)
1250{
1251 struct task_security_struct *tsec;
1252 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1253 struct avc_audit_data ad;
1254 u32 av;
1255 int old_is_dir, new_is_dir;
1256 int rc;
1257
1258 tsec = current->security;
1259 old_dsec = old_dir->i_security;
1260 old_isec = old_dentry->d_inode->i_security;
1261 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1262 new_dsec = new_dir->i_security;
1263
1264 AVC_AUDIT_DATA_INIT(&ad, FS);
1265
1266 ad.u.fs.dentry = old_dentry;
1267 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1268 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1269 if (rc)
1270 return rc;
1271 rc = avc_has_perm(tsec->sid, old_isec->sid,
1272 old_isec->sclass, FILE__RENAME, &ad);
1273 if (rc)
1274 return rc;
1275 if (old_is_dir && new_dir != old_dir) {
1276 rc = avc_has_perm(tsec->sid, old_isec->sid,
1277 old_isec->sclass, DIR__REPARENT, &ad);
1278 if (rc)
1279 return rc;
1280 }
1281
1282 ad.u.fs.dentry = new_dentry;
1283 av = DIR__ADD_NAME | DIR__SEARCH;
1284 if (new_dentry->d_inode)
1285 av |= DIR__REMOVE_NAME;
1286 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1287 if (rc)
1288 return rc;
1289 if (new_dentry->d_inode) {
1290 new_isec = new_dentry->d_inode->i_security;
1291 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1292 rc = avc_has_perm(tsec->sid, new_isec->sid,
1293 new_isec->sclass,
1294 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1295 if (rc)
1296 return rc;
1297 }
1298
1299 return 0;
1300}
1301
1302/* Check whether a task can perform a filesystem operation. */
1303static int superblock_has_perm(struct task_struct *tsk,
1304 struct super_block *sb,
1305 u32 perms,
1306 struct avc_audit_data *ad)
1307{
1308 struct task_security_struct *tsec;
1309 struct superblock_security_struct *sbsec;
1310
1311 tsec = tsk->security;
1312 sbsec = sb->s_security;
1313 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1314 perms, ad);
1315}
1316
1317/* Convert a Linux mode and permission mask to an access vector. */
1318static inline u32 file_mask_to_av(int mode, int mask)
1319{
1320 u32 av = 0;
1321
1322 if ((mode & S_IFMT) != S_IFDIR) {
1323 if (mask & MAY_EXEC)
1324 av |= FILE__EXECUTE;
1325 if (mask & MAY_READ)
1326 av |= FILE__READ;
1327
1328 if (mask & MAY_APPEND)
1329 av |= FILE__APPEND;
1330 else if (mask & MAY_WRITE)
1331 av |= FILE__WRITE;
1332
1333 } else {
1334 if (mask & MAY_EXEC)
1335 av |= DIR__SEARCH;
1336 if (mask & MAY_WRITE)
1337 av |= DIR__WRITE;
1338 if (mask & MAY_READ)
1339 av |= DIR__READ;
1340 }
1341
1342 return av;
1343}
1344
1345/* Convert a Linux file to an access vector. */
1346static inline u32 file_to_av(struct file *file)
1347{
1348 u32 av = 0;
1349
1350 if (file->f_mode & FMODE_READ)
1351 av |= FILE__READ;
1352 if (file->f_mode & FMODE_WRITE) {
1353 if (file->f_flags & O_APPEND)
1354 av |= FILE__APPEND;
1355 else
1356 av |= FILE__WRITE;
1357 }
1358
1359 return av;
1360}
1361
1362/* Set an inode's SID to a specified value. */
1363static int inode_security_set_sid(struct inode *inode, u32 sid)
1364{
1365 struct inode_security_struct *isec = inode->i_security;
1366 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1367
1368 if (!sbsec->initialized) {
1369 /* Defer initialization to selinux_complete_init. */
1370 return 0;
1371 }
1372
1373 down(&isec->sem);
1374 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1375 isec->sid = sid;
1376 isec->initialized = 1;
1377 up(&isec->sem);
1378 return 0;
1379}
1380
1da177e4
LT		 1381/* Hook functions begin here. */
1382
1383static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1384{
1385 struct task_security_struct *psec = parent->security;
1386 struct task_security_struct *csec = child->security;
1387 int rc;
1388
1389 rc = secondary_ops->ptrace(parent,child);
1390 if (rc)
1391 return rc;
1392
1393 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1394 /* Save the SID of the tracing process for later use in apply_creds. */
341c2d80 1395 if (!(child->ptrace & PT_PTRACED) && !rc)
1da177e4
LT		 1396 csec->ptrace_sid = psec->sid;
1397 return rc;
1398}
1399
1400static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1401 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1402{
1403 int error;
1404
1405 error = task_has_perm(current, target, PROCESS__GETCAP);
1406 if (error)
1407 return error;
1408
1409 return secondary_ops->capget(target, effective, inheritable, permitted);
1410}
1411
1412static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1413 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1414{
1415 int error;
1416
1417 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1418 if (error)
1419 return error;
1420
1421 return task_has_perm(current, target, PROCESS__SETCAP);
1422}
1423
1424static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1425 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1426{
1427 secondary_ops->capset_set(target, effective, inheritable, permitted);
1428}
1429
1430static int selinux_capable(struct task_struct *tsk, int cap)
1431{
1432 int rc;
1433
1434 rc = secondary_ops->capable(tsk, cap);
1435 if (rc)
1436 return rc;
1437
1438 return task_has_capability(tsk,cap);
1439}
1440
1441static int selinux_sysctl(ctl_table *table, int op)
1442{
1443 int error = 0;
1444 u32 av;
1445 struct task_security_struct *tsec;
1446 u32 tsid;
1447 int rc;
1448
1449 rc = secondary_ops->sysctl(table, op);
1450 if (rc)
1451 return rc;
1452
1453 tsec = current->security;
1454
1455 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1456 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1457 if (rc) {
1458 /* Default to the well-defined sysctl SID. */
1459 tsid = SECINITSID_SYSCTL;
1460 }
1461
1462 /* The op values are "defined" in sysctl.c, thereby creating
1463 * a bad coupling between this module and sysctl.c */
1464 if(op == 001) {
1465 error = avc_has_perm(tsec->sid, tsid,
1466 SECCLASS_DIR, DIR__SEARCH, NULL);
1467 } else {
1468 av = 0;
1469 if (op & 004)
1470 av |= FILE__READ;
1471 if (op & 002)
1472 av |= FILE__WRITE;
1473 if (av)
1474 error = avc_has_perm(tsec->sid, tsid,
1475 SECCLASS_FILE, av, NULL);
1476 }
1477
1478 return error;
1479}
1480
1481static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1482{
1483 int rc = 0;
1484
1485 if (!sb)
1486 return 0;
1487
1488 switch (cmds) {
1489 case Q_SYNC:
1490 case Q_QUOTAON:
1491 case Q_QUOTAOFF:
1492 case Q_SETINFO:
1493 case Q_SETQUOTA:
1494 rc = superblock_has_perm(current,
1495 sb,
1496 FILESYSTEM__QUOTAMOD, NULL);
1497 break;
1498 case Q_GETFMT:
1499 case Q_GETINFO:
1500 case Q_GETQUOTA:
1501 rc = superblock_has_perm(current,
1502 sb,
1503 FILESYSTEM__QUOTAGET, NULL);
1504 break;
1505 default:
1506 rc = 0; /* let the kernel handle invalid cmds */
1507 break;
1508 }
1509 return rc;
1510}
1511
1512static int selinux_quota_on(struct dentry *dentry)
1513{
1514 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1515}
1516
1517static int selinux_syslog(int type)
1518{
1519 int rc;
1520
1521 rc = secondary_ops->syslog(type);
1522 if (rc)
1523 return rc;
1524
1525 switch (type) {
1526 case 3: /* Read last kernel messages */
1527 case 10: /* Return size of the log buffer */
1528 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1529 break;
1530 case 6: /* Disable logging to console */
1531 case 7: /* Enable logging to console */
1532 case 8: /* Set level of messages printed to console */
1533 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1534 break;
1535 case 0: /* Close log */
1536 case 1: /* Open log */
1537 case 2: /* Read from log */
1538 case 4: /* Read/clear last kernel messages */
1539 case 5: /* Clear ring buffer */
1540 default:
1541 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1542 break;
1543 }
1544 return rc;
1545}
1546
1547/*
1548 * Check that a process has enough memory to allocate a new virtual
1549 * mapping. 0 means there is enough memory for the allocation to
1550 * succeed and -ENOMEM implies there is not.
1551 *
1552 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1553 * if the capability is granted, but __vm_enough_memory requires 1 if
1554 * the capability is granted.
1555 *
1556 * Do not audit the selinux permission check, as this is applied to all
1557 * processes that allocate mappings.
1558 */
1559static int selinux_vm_enough_memory(long pages)
1560{
1561 int rc, cap_sys_admin = 0;
1562 struct task_security_struct *tsec = current->security;
1563
1564 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1565 if (rc == 0)
1566 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1567 SECCLASS_CAPABILITY,
1568 CAP_TO_MASK(CAP_SYS_ADMIN),
1569 NULL);
1570
1571 if (rc == 0)
1572 cap_sys_admin = 1;
1573
1574 return __vm_enough_memory(pages, cap_sys_admin);
1575}
1576
1577/* binprm security operations */
1578
1579static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1580{
1581 struct bprm_security_struct *bsec;
1582
89d155ef 1583 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1da177e4
LT		 1584 if (!bsec)
1585 return -ENOMEM;
1586
1da177e4
LT		 1587 bsec->bprm = bprm;
1588 bsec->sid = SECINITSID_UNLABELED;
1589 bsec->set = 0;
1590
1591 bprm->security = bsec;
1592 return 0;
1593}
1594
1595static int selinux_bprm_set_security(struct linux_binprm *bprm)
1596{
1597 struct task_security_struct *tsec;
1598 struct inode *inode = bprm->file->f_dentry->d_inode;
1599 struct inode_security_struct *isec;
1600 struct bprm_security_struct *bsec;
1601 u32 newsid;
1602 struct avc_audit_data ad;
1603 int rc;
1604
1605 rc = secondary_ops->bprm_set_security(bprm);
1606 if (rc)
1607 return rc;
1608
1609 bsec = bprm->security;
1610
1611 if (bsec->set)
1612 return 0;
1613
1614 tsec = current->security;
1615 isec = inode->i_security;
1616
1617 /* Default to the current task SID. */
1618 bsec->sid = tsec->sid;
1619
28eba5bf 1620 /* Reset fs, key, and sock SIDs on execve. */
1da177e4 1621 tsec->create_sid = 0;
28eba5bf 1622 tsec->keycreate_sid = 0;
42c3e03e 1623 tsec->sockcreate_sid = 0;
1da177e4
LT		 1624
1625 if (tsec->exec_sid) {
1626 newsid = tsec->exec_sid;
1627 /* Reset exec SID on execve. */
1628 tsec->exec_sid = 0;
1629 } else {
1630 /* Check for a default transition on this program. */
1631 rc = security_transition_sid(tsec->sid, isec->sid,
1632 SECCLASS_PROCESS, &newsid);
1633 if (rc)
1634 return rc;
1635 }
1636
1637 AVC_AUDIT_DATA_INIT(&ad, FS);
1638 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1639 ad.u.fs.dentry = bprm->file->f_dentry;
1640
1641 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1642 newsid = tsec->sid;
1643
1644 if (tsec->sid == newsid) {
1645 rc = avc_has_perm(tsec->sid, isec->sid,
1646 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1647 if (rc)
1648 return rc;
1649 } else {
1650 /* Check permissions for the transition. */
1651 rc = avc_has_perm(tsec->sid, newsid,
1652 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1653 if (rc)
1654 return rc;
1655
1656 rc = avc_has_perm(newsid, isec->sid,
1657 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1658 if (rc)
1659 return rc;
1660
1661 /* Clear any possibly unsafe personality bits on exec: */
1662 current->personality &= ~PER_CLEAR_ON_SETID;
1663
1664 /* Set the security field to the new SID. */
1665 bsec->sid = newsid;
1666 }
1667
1668 bsec->set = 1;
1669 return 0;
1670}
1671
1672static int selinux_bprm_check_security (struct linux_binprm *bprm)
1673{
1674 return secondary_ops->bprm_check_security(bprm);
1675}
1676
1677
1678static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1679{
1680 struct task_security_struct *tsec = current->security;
1681 int atsecure = 0;
1682
1683 if (tsec->osid != tsec->sid) {
1684 /* Enable secure mode for SIDs transitions unless
1685 the noatsecure permission is granted between
1686 the two SIDs, i.e. ahp returns 0. */
1687 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1688 SECCLASS_PROCESS,
1689 PROCESS__NOATSECURE, NULL);
1690 }
1691
1692 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1693}
1694
1695static void selinux_bprm_free_security(struct linux_binprm *bprm)
1696{
9a5f04bf 1697 kfree(bprm->security);
1da177e4 1698 bprm->security = NULL;
1da177e4
LT		 1699}
1700
1701extern struct vfsmount *selinuxfs_mount;
1702extern struct dentry *selinux_null;
1703
1704/* Derived from fs/exec.c:flush_old_files. */
1705static inline void flush_unauthorized_files(struct files_struct * files)
1706{
1707 struct avc_audit_data ad;
1708 struct file *file, *devnull = NULL;
1709 struct tty_struct *tty = current->signal->tty;
badf1662 1710 struct fdtable *fdt;
1da177e4
LT		 1711 long j = -1;
1712
1713 if (tty) {
1714 file_list_lock();
2f512016 1715 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1da177e4
LT		 1716 if (file) {
1717 /* Revalidate access to controlling tty.
1718 Use inode_has_perm on the tty inode directly rather
1719 than using file_has_perm, as this particular open
1720 file may belong to another process and we are only
1721 interested in the inode-based check here. */
1722 struct inode *inode = file->f_dentry->d_inode;
1723 if (inode_has_perm(current, inode,
1724 FILE__READ | FILE__WRITE, NULL)) {
1725 /* Reset controlling tty. */
1726 current->signal->tty = NULL;
1727 current->signal->tty_old_pgrp = 0;
1728 }
1729 }
1730 file_list_unlock();
1731 }
1732
1733 /* Revalidate access to inherited open files. */
1734
1735 AVC_AUDIT_DATA_INIT(&ad,FS);
1736
1737 spin_lock(&files->file_lock);
1738 for (;;) {
1739 unsigned long set, i;
1740 int fd;
1741
1742 j++;
1743 i = j * __NFDBITS;
badf1662
DS		 1744 fdt = files_fdtable(files);
1745 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1da177e4 1746 break;
badf1662 1747 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 1748 if (!set)
1749 continue;
1750 spin_unlock(&files->file_lock);
1751 for ( ; set ; i++,set >>= 1) {
1752 if (set & 1) {
1753 file = fget(i);
1754 if (!file)
1755 continue;
1756 if (file_has_perm(current,
1757 file,
1758 file_to_av(file))) {
1759 sys_close(i);
1760 fd = get_unused_fd();
1761 if (fd != i) {
1762 if (fd >= 0)
1763 put_unused_fd(fd);
1764 fput(file);
1765 continue;
1766 }
1767 if (devnull) {
095975da 1768 get_file(devnull);
1da177e4
LT		 1769 } else {
1770 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1771 if (!devnull) {
1772 put_unused_fd(fd);
1773 fput(file);
1774 continue;
1775 }
1776 }
1777 fd_install(fd, devnull);
1778 }
1779 fput(file);
1780 }
1781 }
1782 spin_lock(&files->file_lock);
1783
1784 }
1785 spin_unlock(&files->file_lock);
1786}
1787
1788static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1789{
1790 struct task_security_struct *tsec;
1791 struct bprm_security_struct *bsec;
1792 u32 sid;
1793 int rc;
1794
1795 secondary_ops->bprm_apply_creds(bprm, unsafe);
1796
1797 tsec = current->security;
1798
1799 bsec = bprm->security;
1800 sid = bsec->sid;
1801
1802 tsec->osid = tsec->sid;
1803 bsec->unsafe = 0;
1804 if (tsec->sid != sid) {
1805 /* Check for shared state. If not ok, leave SID
1806 unchanged and kill. */
1807 if (unsafe & LSM_UNSAFE_SHARE) {
1808 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1809 PROCESS__SHARE, NULL);
1810 if (rc) {
1811 bsec->unsafe = 1;
1812 return;
1813 }
1814 }
1815
1816 /* Check for ptracing, and update the task SID if ok.
1817 Otherwise, leave SID unchanged and kill. */
1818 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1819 rc = avc_has_perm(tsec->ptrace_sid, sid,
1820 SECCLASS_PROCESS, PROCESS__PTRACE,
1821 NULL);
1822 if (rc) {
1823 bsec->unsafe = 1;
1824 return;
1825 }
1826 }
1827 tsec->sid = sid;
1828 }
1829}
1830
1831/*
1832 * called after apply_creds without the task lock held
1833 */
1834static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1835{
1836 struct task_security_struct *tsec;
1837 struct rlimit *rlim, *initrlim;
1838 struct itimerval itimer;
1839 struct bprm_security_struct *bsec;
1840 int rc, i;
1841
1842 tsec = current->security;
1843 bsec = bprm->security;
1844
1845 if (bsec->unsafe) {
1846 force_sig_specific(SIGKILL, current);
1847 return;
1848 }
1849 if (tsec->osid == tsec->sid)
1850 return;
1851
1852 /* Close files for which the new task SID is not authorized. */
1853 flush_unauthorized_files(current->files);
1854
1855 /* Check whether the new SID can inherit signal state
1856 from the old SID. If not, clear itimers to avoid
1857 subsequent signal generation and flush and unblock
1858 signals. This must occur _after_ the task SID has
1859 been updated so that any kill done after the flush
1860 will be checked against the new SID. */
1861 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1862 PROCESS__SIGINH, NULL);
1863 if (rc) {
1864 memset(&itimer, 0, sizeof itimer);
1865 for (i = 0; i < 3; i++)
1866 do_setitimer(i, &itimer, NULL);
1867 flush_signals(current);
1868 spin_lock_irq(&current->sighand->siglock);
1869 flush_signal_handlers(current, 1);
1870 sigemptyset(&current->blocked);
1871 recalc_sigpending();
1872 spin_unlock_irq(&current->sighand->siglock);
1873 }
1874
1875 /* Check whether the new SID can inherit resource limits
1876 from the old SID. If not, reset all soft limits to
1877 the lower of the current task's hard limit and the init
1878 task's soft limit. Note that the setting of hard limits
1879 (even to lower them) can be controlled by the setrlimit
1880 check. The inclusion of the init task's soft limit into
1881 the computation is to avoid resetting soft limits higher
1882 than the default soft limit for cases where the default
1883 is lower than the hard limit, e.g. RLIMIT_CORE or
1884 RLIMIT_STACK.*/
1885 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1886 PROCESS__RLIMITINH, NULL);
1887 if (rc) {
1888 for (i = 0; i < RLIM_NLIMITS; i++) {
1889 rlim = current->signal->rlim + i;
1890 initrlim = init_task.signal->rlim+i;
1891 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1892 }
1893 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1894 /*
1895 * This will cause RLIMIT_CPU calculations
1896 * to be refigured.
1897 */
1898 current->it_prof_expires = jiffies_to_cputime(1);
1899 }
1900 }
1901
1902 /* Wake up the parent if it is waiting so that it can
1903 recheck wait permission to the new task SID. */
1904 wake_up_interruptible(&current->parent->signal->wait_chldexit);
1905}
1906
1907/* superblock security operations */
1908
1909static int selinux_sb_alloc_security(struct super_block *sb)
1910{
1911 return superblock_alloc_security(sb);
1912}
1913
1914static void selinux_sb_free_security(struct super_block *sb)
1915{
1916 superblock_free_security(sb);
1917}
1918
1919static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1920{
1921 if (plen > olen)
1922 return 0;
1923
1924 return !memcmp(prefix, option, plen);
1925}
1926
1927static inline int selinux_option(char *option, int len)
1928{
1929 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1930 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
0808925e
EP		 1931 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
1932 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
1da177e4
LT		 1933}
1934
1935static inline void take_option(char **to, char *from, int *first, int len)
1936{
1937 if (!*first) {
1938 **to = ',';
1939 *to += 1;
1940 }
1941 else
1942 *first = 0;
1943 memcpy(*to, from, len);
1944 *to += len;
1945}
1946
1947static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1948{
1949 int fnosec, fsec, rc = 0;
1950 char *in_save, *in_curr, *in_end;
1951 char *sec_curr, *nosec_save, *nosec;
1952
1953 in_curr = orig;
1954 sec_curr = copy;
1955
1956 /* Binary mount data: just copy */
1957 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1958 copy_page(sec_curr, in_curr);
1959 goto out;
1960 }
1961
1962 nosec = (char *)get_zeroed_page(GFP_KERNEL);
1963 if (!nosec) {
1964 rc = -ENOMEM;
1965 goto out;
1966 }
1967
1968 nosec_save = nosec;
1969 fnosec = fsec = 1;
1970 in_save = in_end = orig;
1971
1972 do {
1973 if (*in_end == ',' || *in_end == '\0') {
1974 int len = in_end - in_curr;
1975
1976 if (selinux_option(in_curr, len))
1977 take_option(&sec_curr, in_curr, &fsec, len);
1978 else
1979 take_option(&nosec, in_curr, &fnosec, len);
1980
1981 in_curr = in_end + 1;
1982 }
1983 } while (*in_end++);
1984
6931dfc9 1985 strcpy(in_save, nosec_save);
da3caa20 1986 free_page((unsigned long)nosec_save);
1da177e4
LT		 1987out:
1988 return rc;
1989}
1990
1991static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1992{
1993 struct avc_audit_data ad;
1994 int rc;
1995
1996 rc = superblock_doinit(sb, data);
1997 if (rc)
1998 return rc;
1999
2000 AVC_AUDIT_DATA_INIT(&ad,FS);
2001 ad.u.fs.dentry = sb->s_root;
2002 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2003}
2004
726c3342 2005static int selinux_sb_statfs(struct dentry *dentry)
1da177e4
LT		 2006{
2007 struct avc_audit_data ad;
2008
2009 AVC_AUDIT_DATA_INIT(&ad,FS);
726c3342
DH		 2010 ad.u.fs.dentry = dentry->d_sb->s_root;
2011 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2012}
2013
2014static int selinux_mount(char * dev_name,
2015 struct nameidata *nd,
2016 char * type,
2017 unsigned long flags,
2018 void * data)
2019{
2020 int rc;
2021
2022 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2023 if (rc)
2024 return rc;
2025
2026 if (flags & MS_REMOUNT)
2027 return superblock_has_perm(current, nd->mnt->mnt_sb,
2028 FILESYSTEM__REMOUNT, NULL);
2029 else
2030 return dentry_has_perm(current, nd->mnt, nd->dentry,
2031 FILE__MOUNTON);
2032}
2033
2034static int selinux_umount(struct vfsmount *mnt, int flags)
2035{
2036 int rc;
2037
2038 rc = secondary_ops->sb_umount(mnt, flags);
2039 if (rc)
2040 return rc;
2041
2042 return superblock_has_perm(current,mnt->mnt_sb,
2043 FILESYSTEM__UNMOUNT,NULL);
2044}
2045
2046/* inode security operations */
2047
2048static int selinux_inode_alloc_security(struct inode *inode)
2049{
2050 return inode_alloc_security(inode);
2051}
2052
2053static void selinux_inode_free_security(struct inode *inode)
2054{
2055 inode_free_security(inode);
2056}
2057
5e41ff9e
SS		 2058static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2059 char **name, void **value,
2060 size_t *len)
2061{
2062 struct task_security_struct *tsec;
2063 struct inode_security_struct *dsec;
2064 struct superblock_security_struct *sbsec;
570bc1c2 2065 u32 newsid, clen;
5e41ff9e 2066 int rc;
570bc1c2 2067 char *namep = NULL, *context;
5e41ff9e
SS		 2068
2069 tsec = current->security;
2070 dsec = dir->i_security;
2071 sbsec = dir->i_sb->s_security;
5e41ff9e
SS		 2072
2073 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2074 newsid = tsec->create_sid;
2075 } else {
2076 rc = security_transition_sid(tsec->sid, dsec->sid,
2077 inode_mode_to_security_class(inode->i_mode),
2078 &newsid);
2079 if (rc) {
2080 printk(KERN_WARNING "%s: "
2081 "security_transition_sid failed, rc=%d (dev=%s "
2082 "ino=%ld)\n",
2083 __FUNCTION__,
2084 -rc, inode->i_sb->s_id, inode->i_ino);
2085 return rc;
2086 }
2087 }
2088
2089 inode_security_set_sid(inode, newsid);
2090
8aad3875 2091 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
25a74f3b
SS		 2092 return -EOPNOTSUPP;
2093
570bc1c2
SS		 2094 if (name) {
2095 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2096 if (!namep)
2097 return -ENOMEM;
2098 *name = namep;
2099 }
5e41ff9e 2100
570bc1c2
SS		 2101 if (value && len) {
2102 rc = security_sid_to_context(newsid, &context, &clen);
2103 if (rc) {
2104 kfree(namep);
2105 return rc;
2106 }
2107 *value = context;
2108 *len = clen;
5e41ff9e 2109 }
5e41ff9e 2110
5e41ff9e
SS		 2111 return 0;
2112}
2113
1da177e4
LT		 2114static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2115{
2116 return may_create(dir, dentry, SECCLASS_FILE);
2117}
2118
1da177e4
LT		 2119static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2120{
2121 int rc;
2122
2123 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2124 if (rc)
2125 return rc;
2126 return may_link(dir, old_dentry, MAY_LINK);
2127}
2128
1da177e4
LT		 2129static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2130{
2131 int rc;
2132
2133 rc = secondary_ops->inode_unlink(dir, dentry);
2134 if (rc)
2135 return rc;
2136 return may_link(dir, dentry, MAY_UNLINK);
2137}
2138
2139static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2140{
2141 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2142}
2143
1da177e4
LT		 2144static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2145{
2146 return may_create(dir, dentry, SECCLASS_DIR);
2147}
2148
1da177e4
LT		 2149static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2150{
2151 return may_link(dir, dentry, MAY_RMDIR);
2152}
2153
2154static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2155{
2156 int rc;
2157
2158 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2159 if (rc)
2160 return rc;
2161
2162 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2163}
2164
1da177e4
LT		 2165static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2166 struct inode *new_inode, struct dentry *new_dentry)
2167{
2168 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2169}
2170
1da177e4
LT		 2171static int selinux_inode_readlink(struct dentry *dentry)
2172{
2173 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2174}
2175
2176static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2177{
2178 int rc;
2179
2180 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2181 if (rc)
2182 return rc;
2183 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2184}
2185
2186static int selinux_inode_permission(struct inode *inode, int mask,
2187 struct nameidata *nd)
2188{
2189 int rc;
2190
2191 rc = secondary_ops->inode_permission(inode, mask, nd);
2192 if (rc)
2193 return rc;
2194
2195 if (!mask) {
2196 /* No permission to check. Existence test. */
2197 return 0;
2198 }
2199
2200 return inode_has_perm(current, inode,
2201 file_mask_to_av(inode->i_mode, mask), NULL);
2202}
2203
2204static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2205{
2206 int rc;
2207
2208 rc = secondary_ops->inode_setattr(dentry, iattr);
2209 if (rc)
2210 return rc;
2211
2212 if (iattr->ia_valid & ATTR_FORCE)
2213 return 0;
2214
2215 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2216 ATTR_ATIME_SET | ATTR_MTIME_SET))
2217 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2218
2219 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2220}
2221
2222static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2223{
2224 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2225}
2226
2227static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2228{
2229 struct task_security_struct *tsec = current->security;
2230 struct inode *inode = dentry->d_inode;
2231 struct inode_security_struct *isec = inode->i_security;
2232 struct superblock_security_struct *sbsec;
2233 struct avc_audit_data ad;
2234 u32 newsid;
2235 int rc = 0;
2236
2237 if (strcmp(name, XATTR_NAME_SELINUX)) {
2238 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2239 sizeof XATTR_SECURITY_PREFIX - 1) &&
2240 !capable(CAP_SYS_ADMIN)) {
2241 /* A different attribute in the security namespace.
2242 Restrict to administrator. */
2243 return -EPERM;
2244 }
2245
2246 /* Not an attribute we recognize, so just check the
2247 ordinary setattr permission. */
2248 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2249 }
2250
2251 sbsec = inode->i_sb->s_security;
2252 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2253 return -EOPNOTSUPP;
2254
2255 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2256 return -EPERM;
2257
2258 AVC_AUDIT_DATA_INIT(&ad,FS);
2259 ad.u.fs.dentry = dentry;
2260
2261 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2262 FILE__RELABELFROM, &ad);
2263 if (rc)
2264 return rc;
2265
2266 rc = security_context_to_sid(value, size, &newsid);
2267 if (rc)
2268 return rc;
2269
2270 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2271 FILE__RELABELTO, &ad);
2272 if (rc)
2273 return rc;
2274
2275 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2276 isec->sclass);
2277 if (rc)
2278 return rc;
2279
2280 return avc_has_perm(newsid,
2281 sbsec->sid,
2282 SECCLASS_FILESYSTEM,
2283 FILESYSTEM__ASSOCIATE,
2284 &ad);
2285}
2286
2287static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2288 void *value, size_t size, int flags)
2289{
2290 struct inode *inode = dentry->d_inode;
2291 struct inode_security_struct *isec = inode->i_security;
2292 u32 newsid;
2293 int rc;
2294
2295 if (strcmp(name, XATTR_NAME_SELINUX)) {
2296 /* Not an attribute we recognize, so nothing to do. */
2297 return;
2298 }
2299
2300 rc = security_context_to_sid(value, size, &newsid);
2301 if (rc) {
2302 printk(KERN_WARNING "%s: unable to obtain SID for context "
2303 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2304 return;
2305 }
2306
2307 isec->sid = newsid;
2308 return;
2309}
2310
2311static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2312{
1da177e4
LT		 2313 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2314}
2315
2316static int selinux_inode_listxattr (struct dentry *dentry)
2317{
2318 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2319}
2320
2321static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2322{
2323 if (strcmp(name, XATTR_NAME_SELINUX)) {
2324 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2325 sizeof XATTR_SECURITY_PREFIX - 1) &&
2326 !capable(CAP_SYS_ADMIN)) {
2327 /* A different attribute in the security namespace.
2328 Restrict to administrator. */
2329 return -EPERM;
2330 }
2331
2332 /* Not an attribute we recognize, so just check the
2333 ordinary setattr permission. Might want a separate
2334 permission for removexattr. */
2335 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2336 }
2337
2338 /* No one is allowed to remove a SELinux security label.
2339 You can change the label, but all data must be labeled. */
2340 return -EACCES;
2341}
2342
8c8570fb
DK		 2343static const char *selinux_inode_xattr_getsuffix(void)
2344{
2345 return XATTR_SELINUX_SUFFIX;
2346}
2347
d381d8a9
JM		 2348/*
2349 * Copy the in-core inode security context value to the user. If the
2350 * getxattr() prior to this succeeded, check to see if we need to
2351 * canonicalize the value to be finally returned to the user.
2352 *
2353 * Permission check is handled by selinux_inode_getxattr hook.
2354 */
7306a0b9 2355static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
1da177e4
LT		 2356{
2357 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2358
8c8570fb
DK		 2359 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2360 return -EOPNOTSUPP;
d381d8a9 2361
8c8570fb 2362 return selinux_getsecurity(isec->sid, buffer, size);
1da177e4
LT		 2363}
2364
2365static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2366 const void *value, size_t size, int flags)
2367{
2368 struct inode_security_struct *isec = inode->i_security;
2369 u32 newsid;
2370 int rc;
2371
2372 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2373 return -EOPNOTSUPP;
2374
2375 if (!value || !size)
2376 return -EACCES;
2377
2378 rc = security_context_to_sid((void*)value, size, &newsid);
2379 if (rc)
2380 return rc;
2381
2382 isec->sid = newsid;
2383 return 0;
2384}
2385
2386static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2387{
2388 const int len = sizeof(XATTR_NAME_SELINUX);
2389 if (buffer && len <= buffer_size)
2390 memcpy(buffer, XATTR_NAME_SELINUX, len);
2391 return len;
2392}
2393
2394/* file security operations */
2395
2396static int selinux_file_permission(struct file *file, int mask)
2397{
2398 struct inode *inode = file->f_dentry->d_inode;
2399
2400 if (!mask) {
2401 /* No permission to check. Existence test. */
2402 return 0;
2403 }
2404
2405 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2406 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2407 mask |= MAY_APPEND;
2408
2409 return file_has_perm(current, file,
2410 file_mask_to_av(inode->i_mode, mask));
2411}
2412
2413static int selinux_file_alloc_security(struct file *file)
2414{
2415 return file_alloc_security(file);
2416}
2417
2418static void selinux_file_free_security(struct file *file)
2419{
2420 file_free_security(file);
2421}
2422
2423static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2424 unsigned long arg)
2425{
2426 int error = 0;
2427
2428 switch (cmd) {
2429 case FIONREAD:
2430 /* fall through */
2431 case FIBMAP:
2432 /* fall through */
2433 case FIGETBSZ:
2434 /* fall through */
2435 case EXT2_IOC_GETFLAGS:
2436 /* fall through */
2437 case EXT2_IOC_GETVERSION:
2438 error = file_has_perm(current, file, FILE__GETATTR);
2439 break;
2440
2441 case EXT2_IOC_SETFLAGS:
2442 /* fall through */
2443 case EXT2_IOC_SETVERSION:
2444 error = file_has_perm(current, file, FILE__SETATTR);
2445 break;
2446
2447 /* sys_ioctl() checks */
2448 case FIONBIO:
2449 /* fall through */
2450 case FIOASYNC:
2451 error = file_has_perm(current, file, 0);
2452 break;
2453
2454 case KDSKBENT:
2455 case KDSKBSENT:
2456 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2457 break;
2458
2459 /* default case assumes that the command will go
2460 * to the file's ioctl() function.
2461 */
2462 default:
2463 error = file_has_perm(current, file, FILE__IOCTL);
2464
2465 }
2466 return error;
2467}
2468
2469static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2470{
2471#ifndef CONFIG_PPC32
2472 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2473 /*
2474 * We are making executable an anonymous mapping or a
2475 * private file mapping that will also be writable.
2476 * This has an additional check.
2477 */
2478 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2479 if (rc)
2480 return rc;
2481 }
2482#endif
2483
2484 if (file) {
2485 /* read access is always possible with a mapping */
2486 u32 av = FILE__READ;
2487
2488 /* write access only matters if the mapping is shared */
2489 if (shared && (prot & PROT_WRITE))
2490 av |= FILE__WRITE;
2491
2492 if (prot & PROT_EXEC)
2493 av |= FILE__EXECUTE;
2494
2495 return file_has_perm(current, file, av);
2496 }
2497 return 0;
2498}
2499
2500static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2501 unsigned long prot, unsigned long flags)
2502{
2503 int rc;
2504
2505 rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2506 if (rc)
2507 return rc;
2508
2509 if (selinux_checkreqprot)
2510 prot = reqprot;
2511
2512 return file_map_prot_check(file, prot,
2513 (flags & MAP_TYPE) == MAP_SHARED);
2514}
2515
2516static int selinux_file_mprotect(struct vm_area_struct *vma,
2517 unsigned long reqprot,
2518 unsigned long prot)
2519{
2520 int rc;
2521
2522 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2523 if (rc)
2524 return rc;
2525
2526 if (selinux_checkreqprot)
2527 prot = reqprot;
2528
2529#ifndef CONFIG_PPC32
db4c9641
SS		 2530 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2531 rc = 0;
2532 if (vma->vm_start >= vma->vm_mm->start_brk &&
2533 vma->vm_end <= vma->vm_mm->brk) {
2534 rc = task_has_perm(current, current,
2535 PROCESS__EXECHEAP);
2536 } else if (!vma->vm_file &&
2537 vma->vm_start <= vma->vm_mm->start_stack &&
2538 vma->vm_end >= vma->vm_mm->start_stack) {
2539 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2540 } else if (vma->vm_file && vma->anon_vma) {
2541 /*
2542 * We are making executable a file mapping that has
2543 * had some COW done. Since pages might have been
2544 * written, check ability to execute the possibly
2545 * modified content. This typically should only
2546 * occur for text relocations.
2547 */
2548 rc = file_has_perm(current, vma->vm_file,
2549 FILE__EXECMOD);
2550 }