projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
[PATCH] page migration reorg
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 *
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License version 2,
18 * as published by the Free Software Foundation.
19 */
20
21#include <linux/config.h>
22#include <linux/module.h>
23#include <linux/init.h>
24#include <linux/kernel.h>
25#include <linux/ptrace.h>
26#include <linux/errno.h>
27#include <linux/sched.h>
28#include <linux/security.h>
29#include <linux/xattr.h>
30#include <linux/capability.h>
31#include <linux/unistd.h>
32#include <linux/mm.h>
33#include <linux/mman.h>
34#include <linux/slab.h>
35#include <linux/pagemap.h>
36#include <linux/swap.h>
37#include <linux/smp_lock.h>
38#include <linux/spinlock.h>
39#include <linux/syscalls.h>
40#include <linux/file.h>
41#include <linux/namei.h>
42#include <linux/mount.h>
43#include <linux/ext2_fs.h>
44#include <linux/proc_fs.h>
45#include <linux/kd.h>
46#include <linux/netfilter_ipv4.h>
47#include <linux/netfilter_ipv6.h>
48#include <linux/tty.h>
49#include <net/icmp.h>
50#include <net/ip.h> /* for sysctl_local_port_range[] */
51#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
52#include <asm/uaccess.h>
53#include <asm/semaphore.h>
54#include <asm/ioctls.h>
55#include <linux/bitops.h>
56#include <linux/interrupt.h>
57#include <linux/netdevice.h> /* for network interface checks */
58#include <linux/netlink.h>
59#include <linux/tcp.h>
60#include <linux/udp.h>
61#include <linux/quota.h>
62#include <linux/un.h> /* for Unix socket types */
63#include <net/af_unix.h> /* for Unix socket types */
64#include <linux/parser.h>
65#include <linux/nfs_mount.h>
66#include <net/ipv6.h>
67#include <linux/hugetlb.h>
68#include <linux/personality.h>
69#include <linux/sysctl.h>
70#include <linux/audit.h>
6931dfc9 71#include <linux/string.h>
1da177e4
LT		 72
73#include "avc.h"
74#include "objsec.h"
75#include "netif.h"
d28d1e08 76#include "xfrm.h"
1da177e4
LT		 77
78#define XATTR_SELINUX_SUFFIX "selinux"
79#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
80
81extern unsigned int policydb_loaded_version;
82extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
83
84#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
85int selinux_enforcing = 0;
86
87static int __init enforcing_setup(char *str)
88{
89 selinux_enforcing = simple_strtol(str,NULL,0);
90 return 1;
91}
92__setup("enforcing=", enforcing_setup);
93#endif
94
95#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
96int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
97
98static int __init selinux_enabled_setup(char *str)
99{
100 selinux_enabled = simple_strtol(str, NULL, 0);
101 return 1;
102}
103__setup("selinux=", selinux_enabled_setup);
104#endif
105
106/* Original (dummy) security module. */
107static struct security_operations *original_ops = NULL;
108
109/* Minimal support for a secondary security module,
110 just to allow the use of the dummy or capability modules.
111 The owlsm module can alternatively be used as a secondary
112 module as long as CONFIG_OWLSM_FD is not enabled. */
113static struct security_operations *secondary_ops = NULL;
114
115/* Lists of inode and superblock security structures initialized
116 before the policy was loaded. */
117static LIST_HEAD(superblock_security_head);
118static DEFINE_SPINLOCK(sb_security_lock);
119
120/* Allocate and free functions for each kind of security blob. */
121
122static int task_alloc_security(struct task_struct *task)
123{
124 struct task_security_struct *tsec;
125
89d155ef 126 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4
LT		 127 if (!tsec)
128 return -ENOMEM;
129
1da177e4
LT		 130 tsec->task = task;
131 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
132 task->security = tsec;
133
134 return 0;
135}
136
137static void task_free_security(struct task_struct *task)
138{
139 struct task_security_struct *tsec = task->security;
1da177e4
LT		 140 task->security = NULL;
141 kfree(tsec);
142}
143
144static int inode_alloc_security(struct inode *inode)
145{
146 struct task_security_struct *tsec = current->security;
147 struct inode_security_struct *isec;
148
89d155ef 149 isec = kzalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
1da177e4
LT		 150 if (!isec)
151 return -ENOMEM;
152
1da177e4
LT		 153 init_MUTEX(&isec->sem);
154 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 155 isec->inode = inode;
156 isec->sid = SECINITSID_UNLABELED;
157 isec->sclass = SECCLASS_FILE;
9ac49d22 158 isec->task_sid = tsec->sid;
1da177e4
LT		 159 inode->i_security = isec;
160
161 return 0;
162}
163
164static void inode_free_security(struct inode *inode)
165{
166 struct inode_security_struct *isec = inode->i_security;
167 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
168
1da177e4
LT		 169 spin_lock(&sbsec->isec_lock);
170 if (!list_empty(&isec->list))
171 list_del_init(&isec->list);
172 spin_unlock(&sbsec->isec_lock);
173
174 inode->i_security = NULL;
175 kfree(isec);
176}
177
178static int file_alloc_security(struct file *file)
179{
180 struct task_security_struct *tsec = current->security;
181 struct file_security_struct *fsec;
182
26d2a4be 183 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 184 if (!fsec)
185 return -ENOMEM;
186
1da177e4 187 fsec->file = file;
9ac49d22
SS		 188 fsec->sid = tsec->sid;
189 fsec->fown_sid = tsec->sid;
1da177e4
LT		 190 file->f_security = fsec;
191
192 return 0;
193}
194
195static void file_free_security(struct file *file)
196{
197 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 198 file->f_security = NULL;
199 kfree(fsec);
200}
201
202static int superblock_alloc_security(struct super_block *sb)
203{
204 struct superblock_security_struct *sbsec;
205
89d155ef 206 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 207 if (!sbsec)
208 return -ENOMEM;
209
1da177e4
LT		 210 init_MUTEX(&sbsec->sem);
211 INIT_LIST_HEAD(&sbsec->list);
212 INIT_LIST_HEAD(&sbsec->isec_head);
213 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 214 sbsec->sb = sb;
215 sbsec->sid = SECINITSID_UNLABELED;
216 sbsec->def_sid = SECINITSID_FILE;
217 sb->s_security = sbsec;
218
219 return 0;
220}
221
222static void superblock_free_security(struct super_block *sb)
223{
224 struct superblock_security_struct *sbsec = sb->s_security;
225
1da177e4
LT		 226 spin_lock(&sb_security_lock);
227 if (!list_empty(&sbsec->list))
228 list_del_init(&sbsec->list);
229 spin_unlock(&sb_security_lock);
230
231 sb->s_security = NULL;
232 kfree(sbsec);
233}
234
7d877f3b 235static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4
LT		 236{
237 struct sk_security_struct *ssec;
238
239 if (family != PF_UNIX)
240 return 0;
241
89d155ef 242 ssec = kzalloc(sizeof(*ssec), priority);
1da177e4
LT		 243 if (!ssec)
244 return -ENOMEM;
245
1da177e4
LT		 246 ssec->sk = sk;
247 ssec->peer_sid = SECINITSID_UNLABELED;
248 sk->sk_security = ssec;
249
250 return 0;
251}
252
253static void sk_free_security(struct sock *sk)
254{
255 struct sk_security_struct *ssec = sk->sk_security;
256
9ac49d22 257 if (sk->sk_family != PF_UNIX)
1da177e4
LT		 258 return;
259
260 sk->sk_security = NULL;
261 kfree(ssec);
262}
1da177e4
LT		 263
264/* The security server must be initialized before
265 any labeling or access decisions can be provided. */
266extern int ss_initialized;
267
268/* The file system's label must be initialized prior to use. */
269
270static char *labeling_behaviors[6] = {
271 "uses xattr",
272 "uses transition SIDs",
273 "uses task SIDs",
274 "uses genfs_contexts",
275 "not configured for labeling",
276 "uses mountpoint labeling",
277};
278
279static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
280
281static inline int inode_doinit(struct inode *inode)
282{
283 return inode_doinit_with_dentry(inode, NULL);
284}
285
286enum {
287 Opt_context = 1,
288 Opt_fscontext = 2,
289 Opt_defcontext = 4,
290};
291
292static match_table_t tokens = {
293 {Opt_context, "context=%s"},
294 {Opt_fscontext, "fscontext=%s"},
295 {Opt_defcontext, "defcontext=%s"},
296};
297
298#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
299
300static int try_context_mount(struct super_block *sb, void *data)
301{
302 char *context = NULL, *defcontext = NULL;
303 const char *name;
304 u32 sid;
305 int alloc = 0, rc = 0, seen = 0;
306 struct task_security_struct *tsec = current->security;
307 struct superblock_security_struct *sbsec = sb->s_security;
308
309 if (!data)
310 goto out;
311
312 name = sb->s_type->name;
313
314 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
315
316 /* NFS we understand. */
317 if (!strcmp(name, "nfs")) {
318 struct nfs_mount_data *d = data;
319
320 if (d->version < NFS_MOUNT_VERSION)
321 goto out;
322
323 if (d->context[0]) {
324 context = d->context;
325 seen |= Opt_context;
326 }
327 } else
328 goto out;
329
330 } else {
331 /* Standard string-based options. */
332 char *p, *options = data;
333
334 while ((p = strsep(&options, ",")) != NULL) {
335 int token;
336 substring_t args[MAX_OPT_ARGS];
337
338 if (!*p)
339 continue;
340
341 token = match_token(p, tokens, args);
342
343 switch (token) {
344 case Opt_context:
345 if (seen) {
346 rc = -EINVAL;
347 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
348 goto out_free;
349 }
350 context = match_strdup(&args[0]);
351 if (!context) {
352 rc = -ENOMEM;
353 goto out_free;
354 }
355 if (!alloc)
356 alloc = 1;
357 seen |= Opt_context;
358 break;
359
360 case Opt_fscontext:
361 if (seen & (Opt_context|Opt_fscontext)) {
362 rc = -EINVAL;
363 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
364 goto out_free;
365 }
366 context = match_strdup(&args[0]);
367 if (!context) {
368 rc = -ENOMEM;
369 goto out_free;
370 }
371 if (!alloc)
372 alloc = 1;
373 seen |= Opt_fscontext;
374 break;
375
376 case Opt_defcontext:
377 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
378 rc = -EINVAL;
379 printk(KERN_WARNING "SELinux: "
380 "defcontext option is invalid "
381 "for this filesystem type\n");
382 goto out_free;
383 }
384 if (seen & (Opt_context|Opt_defcontext)) {
385 rc = -EINVAL;
386 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
387 goto out_free;
388 }
389 defcontext = match_strdup(&args[0]);
390 if (!defcontext) {
391 rc = -ENOMEM;
392 goto out_free;
393 }
394 if (!alloc)
395 alloc = 1;
396 seen |= Opt_defcontext;
397 break;
398
399 default:
400 rc = -EINVAL;
401 printk(KERN_WARNING "SELinux: unknown mount "
402 "option\n");
403 goto out_free;
404
405 }
406 }
407 }
408
409 if (!seen)
410 goto out;
411
412 if (context) {
413 rc = security_context_to_sid(context, strlen(context), &sid);
414 if (rc) {
415 printk(KERN_WARNING "SELinux: security_context_to_sid"
416 "(%s) failed for (dev %s, type %s) errno=%d\n",
417 context, sb->s_id, name, rc);
418 goto out_free;
419 }
420
421 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
422 FILESYSTEM__RELABELFROM, NULL);
423 if (rc)
424 goto out_free;
425
426 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
427 FILESYSTEM__RELABELTO, NULL);
428 if (rc)
429 goto out_free;
430
431 sbsec->sid = sid;
432
433 if (seen & Opt_context)
434 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
435 }
436
437 if (defcontext) {
438 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
439 if (rc) {
440 printk(KERN_WARNING "SELinux: security_context_to_sid"
441 "(%s) failed for (dev %s, type %s) errno=%d\n",
442 defcontext, sb->s_id, name, rc);
443 goto out_free;
444 }
445
446 if (sid == sbsec->def_sid)
447 goto out_free;
448
449 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
450 FILESYSTEM__RELABELFROM, NULL);
451 if (rc)
452 goto out_free;
453
454 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
455 FILESYSTEM__ASSOCIATE, NULL);
456 if (rc)
457 goto out_free;
458
459 sbsec->def_sid = sid;
460 }
461
462out_free:
463 if (alloc) {
464 kfree(context);
465 kfree(defcontext);
466 }
467out:
468 return rc;
469}
470
471static int superblock_doinit(struct super_block *sb, void *data)
472{
473 struct superblock_security_struct *sbsec = sb->s_security;
474 struct dentry *root = sb->s_root;
475 struct inode *inode = root->d_inode;
476 int rc = 0;
477
478 down(&sbsec->sem);
479 if (sbsec->initialized)
480 goto out;
481
482 if (!ss_initialized) {
483 /* Defer initialization until selinux_complete_init,
484 after the initial policy is loaded and the security
485 server is ready to handle calls. */
486 spin_lock(&sb_security_lock);
487 if (list_empty(&sbsec->list))
488 list_add(&sbsec->list, &superblock_security_head);
489 spin_unlock(&sb_security_lock);
490 goto out;
491 }
492
493 /* Determine the labeling behavior to use for this filesystem type. */
494 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
495 if (rc) {
496 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
497 __FUNCTION__, sb->s_type->name, rc);
498 goto out;
499 }
500
501 rc = try_context_mount(sb, data);
502 if (rc)
503 goto out;
504
505 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
506 /* Make sure that the xattr handler exists and that no
507 error other than -ENODATA is returned by getxattr on
508 the root directory. -ENODATA is ok, as this may be
509 the first boot of the SELinux kernel before we have
510 assigned xattr values to the filesystem. */
511 if (!inode->i_op->getxattr) {
512 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
513 "xattr support\n", sb->s_id, sb->s_type->name);
514 rc = -EOPNOTSUPP;
515 goto out;
516 }
517 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
518 if (rc < 0 && rc != -ENODATA) {
519 if (rc == -EOPNOTSUPP)
520 printk(KERN_WARNING "SELinux: (dev %s, type "
521 "%s) has no security xattr handler\n",
522 sb->s_id, sb->s_type->name);
523 else
524 printk(KERN_WARNING "SELinux: (dev %s, type "
525 "%s) getxattr errno %d\n", sb->s_id,
526 sb->s_type->name, -rc);
527 goto out;
528 }
529 }
530
531 if (strcmp(sb->s_type->name, "proc") == 0)
532 sbsec->proc = 1;
533
534 sbsec->initialized = 1;
535
536 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
537 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
538 sb->s_id, sb->s_type->name);
539 }
540 else {
541 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
542 sb->s_id, sb->s_type->name,
543 labeling_behaviors[sbsec->behavior-1]);
544 }
545
546 /* Initialize the root inode. */
547 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
548
549 /* Initialize any other inodes associated with the superblock, e.g.
550 inodes created prior to initial policy load or inodes created
551 during get_sb by a pseudo filesystem that directly
552 populates itself. */
553 spin_lock(&sbsec->isec_lock);
554next_inode:
555 if (!list_empty(&sbsec->isec_head)) {
556 struct inode_security_struct *isec =
557 list_entry(sbsec->isec_head.next,
558 struct inode_security_struct, list);
559 struct inode *inode = isec->inode;
560 spin_unlock(&sbsec->isec_lock);
561 inode = igrab(inode);
562 if (inode) {
563 if (!IS_PRIVATE (inode))
564 inode_doinit(inode);
565 iput(inode);
566 }
567 spin_lock(&sbsec->isec_lock);
568 list_del_init(&isec->list);
569 goto next_inode;
570 }
571 spin_unlock(&sbsec->isec_lock);
572out:
573 up(&sbsec->sem);
574 return rc;
575}
576
577static inline u16 inode_mode_to_security_class(umode_t mode)
578{
579 switch (mode & S_IFMT) {
580 case S_IFSOCK:
581 return SECCLASS_SOCK_FILE;
582 case S_IFLNK:
583 return SECCLASS_LNK_FILE;
584 case S_IFREG:
585 return SECCLASS_FILE;
586 case S_IFBLK:
587 return SECCLASS_BLK_FILE;
588 case S_IFDIR:
589 return SECCLASS_DIR;
590 case S_IFCHR:
591 return SECCLASS_CHR_FILE;
592 case S_IFIFO:
593 return SECCLASS_FIFO_FILE;
594
595 }
596
597 return SECCLASS_FILE;
598}
599
13402580
JM		 600static inline int default_protocol_stream(int protocol)
601{
602 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
603}
604
605static inline int default_protocol_dgram(int protocol)
606{
607 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
608}
609
1da177e4
LT		 610static inline u16 socket_type_to_security_class(int family, int type, int protocol)
611{
612 switch (family) {
613 case PF_UNIX:
614 switch (type) {
615 case SOCK_STREAM:
616 case SOCK_SEQPACKET:
617 return SECCLASS_UNIX_STREAM_SOCKET;
618 case SOCK_DGRAM:
619 return SECCLASS_UNIX_DGRAM_SOCKET;
620 }
621 break;
622 case PF_INET:
623 case PF_INET6:
624 switch (type) {
625 case SOCK_STREAM:
13402580
JM		 626 if (default_protocol_stream(protocol))
627 return SECCLASS_TCP_SOCKET;
628 else
629 return SECCLASS_RAWIP_SOCKET;
1da177e4 630 case SOCK_DGRAM:
13402580
JM		 631 if (default_protocol_dgram(protocol))
632 return SECCLASS_UDP_SOCKET;
633 else
634 return SECCLASS_RAWIP_SOCKET;
635 default:
1da177e4
LT		 636 return SECCLASS_RAWIP_SOCKET;
637 }
638 break;
639 case PF_NETLINK:
640 switch (protocol) {
641 case NETLINK_ROUTE:
642 return SECCLASS_NETLINK_ROUTE_SOCKET;
643 case NETLINK_FIREWALL:
644 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 645 case NETLINK_INET_DIAG:
1da177e4
LT		 646 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
647 case NETLINK_NFLOG:
648 return SECCLASS_NETLINK_NFLOG_SOCKET;
649 case NETLINK_XFRM:
650 return SECCLASS_NETLINK_XFRM_SOCKET;
651 case NETLINK_SELINUX:
652 return SECCLASS_NETLINK_SELINUX_SOCKET;
653 case NETLINK_AUDIT:
654 return SECCLASS_NETLINK_AUDIT_SOCKET;
655 case NETLINK_IP6_FW:
656 return SECCLASS_NETLINK_IP6FW_SOCKET;
657 case NETLINK_DNRTMSG:
658 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 659 case NETLINK_KOBJECT_UEVENT:
660 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 661 default:
662 return SECCLASS_NETLINK_SOCKET;
663 }
664 case PF_PACKET:
665 return SECCLASS_PACKET_SOCKET;
666 case PF_KEY:
667 return SECCLASS_KEY_SOCKET;
668 }
669
670 return SECCLASS_SOCKET;
671}
672
673#ifdef CONFIG_PROC_FS
674static int selinux_proc_get_sid(struct proc_dir_entry *de,
675 u16 tclass,
676 u32 *sid)
677{
678 int buflen, rc;
679 char *buffer, *path, *end;
680
681 buffer = (char*)__get_free_page(GFP_KERNEL);
682 if (!buffer)
683 return -ENOMEM;
684
685 buflen = PAGE_SIZE;
686 end = buffer+buflen;
687 *--end = '\0';
688 buflen--;
689 path = end-1;
690 *path = '/';
691 while (de && de != de->parent) {
692 buflen -= de->namelen + 1;
693 if (buflen < 0)
694 break;
695 end -= de->namelen;
696 memcpy(end, de->name, de->namelen);
697 *--end = '/';
698 path = end;
699 de = de->parent;
700 }
701 rc = security_genfs_sid("proc", path, tclass, sid);
702 free_page((unsigned long)buffer);
703 return rc;
704}
705#else
706static int selinux_proc_get_sid(struct proc_dir_entry *de,
707 u16 tclass,
708 u32 *sid)
709{
710 return -EINVAL;
711}
712#endif
713
714/* The inode's security attributes must be initialized before first use. */
715static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
716{
717 struct superblock_security_struct *sbsec = NULL;
718 struct inode_security_struct *isec = inode->i_security;
719 u32 sid;
720 struct dentry *dentry;
721#define INITCONTEXTLEN 255
722 char *context = NULL;
723 unsigned len = 0;
724 int rc = 0;
725 int hold_sem = 0;
726
727 if (isec->initialized)
728 goto out;
729
730 down(&isec->sem);
731 hold_sem = 1;
732 if (isec->initialized)
733 goto out;
734
735 sbsec = inode->i_sb->s_security;
736 if (!sbsec->initialized) {
737 /* Defer initialization until selinux_complete_init,
738 after the initial policy is loaded and the security
739 server is ready to handle calls. */
740 spin_lock(&sbsec->isec_lock);
741 if (list_empty(&isec->list))
742 list_add(&isec->list, &sbsec->isec_head);
743 spin_unlock(&sbsec->isec_lock);
744 goto out;
745 }
746
747 switch (sbsec->behavior) {
748 case SECURITY_FS_USE_XATTR:
749 if (!inode->i_op->getxattr) {
750 isec->sid = sbsec->def_sid;
751 break;
752 }
753
754 /* Need a dentry, since the xattr API requires one.
755 Life would be simpler if we could just pass the inode. */
756 if (opt_dentry) {
757 /* Called from d_instantiate or d_splice_alias. */
758 dentry = dget(opt_dentry);
759 } else {
760 /* Called from selinux_complete_init, try to find a dentry. */
761 dentry = d_find_alias(inode);
762 }
763 if (!dentry) {
764 printk(KERN_WARNING "%s: no dentry for dev=%s "
765 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
766 inode->i_ino);
767 goto out;
768 }
769
770 len = INITCONTEXTLEN;
771 context = kmalloc(len, GFP_KERNEL);
772 if (!context) {
773 rc = -ENOMEM;
774 dput(dentry);
775 goto out;
776 }
777 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
778 context, len);
779 if (rc == -ERANGE) {
780 /* Need a larger buffer. Query for the right size. */
781 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
782 NULL, 0);
783 if (rc < 0) {
784 dput(dentry);
785 goto out;
786 }
787 kfree(context);
788 len = rc;
789 context = kmalloc(len, GFP_KERNEL);
790 if (!context) {
791 rc = -ENOMEM;
792 dput(dentry);
793 goto out;
794 }
795 rc = inode->i_op->getxattr(dentry,
796 XATTR_NAME_SELINUX,
797 context, len);
798 }
799 dput(dentry);
800 if (rc < 0) {
801 if (rc != -ENODATA) {
802 printk(KERN_WARNING "%s: getxattr returned "
803 "%d for dev=%s ino=%ld\n", __FUNCTION__,
804 -rc, inode->i_sb->s_id, inode->i_ino);
805 kfree(context);
806 goto out;
807 }
808 /* Map ENODATA to the default file SID */
809 sid = sbsec->def_sid;
810 rc = 0;
811 } else {
f5c1d5b2
JM		 812 rc = security_context_to_sid_default(context, rc, &sid,
813 sbsec->def_sid);
1da177e4
LT		 814 if (rc) {
815 printk(KERN_WARNING "%s: context_to_sid(%s) "
816 "returned %d for dev=%s ino=%ld\n",
817 __FUNCTION__, context, -rc,
818 inode->i_sb->s_id, inode->i_ino);
819 kfree(context);
820 /* Leave with the unlabeled SID */
821 rc = 0;
822 break;
823 }
824 }
825 kfree(context);
826 isec->sid = sid;
827 break;
828 case SECURITY_FS_USE_TASK:
829 isec->sid = isec->task_sid;
830 break;
831 case SECURITY_FS_USE_TRANS:
832 /* Default to the fs SID. */
833 isec->sid = sbsec->sid;
834
835 /* Try to obtain a transition SID. */
836 isec->sclass = inode_mode_to_security_class(inode->i_mode);
837 rc = security_transition_sid(isec->task_sid,
838 sbsec->sid,
839 isec->sclass,
840 &sid);
841 if (rc)
842 goto out;
843 isec->sid = sid;
844 break;
845 default:
846 /* Default to the fs SID. */
847 isec->sid = sbsec->sid;
848
849 if (sbsec->proc) {
850 struct proc_inode *proci = PROC_I(inode);
851 if (proci->pde) {
852 isec->sclass = inode_mode_to_security_class(inode->i_mode);
853 rc = selinux_proc_get_sid(proci->pde,
854 isec->sclass,
855 &sid);
856 if (rc)
857 goto out;
858 isec->sid = sid;
859 }
860 }
861 break;
862 }
863
864 isec->initialized = 1;
865
866out:
867 if (isec->sclass == SECCLASS_FILE)
868 isec->sclass = inode_mode_to_security_class(inode->i_mode);
869
870 if (hold_sem)
871 up(&isec->sem);
872 return rc;
873}
874
875/* Convert a Linux signal to an access vector. */
876static inline u32 signal_to_av(int sig)
877{
878 u32 perm = 0;
879
880 switch (sig) {
881 case SIGCHLD:
882 /* Commonly granted from child to parent. */
883 perm = PROCESS__SIGCHLD;
884 break;
885 case SIGKILL:
886 /* Cannot be caught or ignored */
887 perm = PROCESS__SIGKILL;
888 break;
889 case SIGSTOP:
890 /* Cannot be caught or ignored */
891 perm = PROCESS__SIGSTOP;
892 break;
893 default:
894 /* All other signals. */
895 perm = PROCESS__SIGNAL;
896 break;
897 }
898
899 return perm;
900}
901
902/* Check permission betweeen a pair of tasks, e.g. signal checks,
903 fork check, ptrace check, etc. */
904static int task_has_perm(struct task_struct *tsk1,
905 struct task_struct *tsk2,
906 u32 perms)
907{
908 struct task_security_struct *tsec1, *tsec2;
909
910 tsec1 = tsk1->security;
911 tsec2 = tsk2->security;
912 return avc_has_perm(tsec1->sid, tsec2->sid,
913 SECCLASS_PROCESS, perms, NULL);
914}
915
916/* Check whether a task is allowed to use a capability. */
917static int task_has_capability(struct task_struct *tsk,
918 int cap)
919{
920 struct task_security_struct *tsec;
921 struct avc_audit_data ad;
922
923 tsec = tsk->security;
924
925 AVC_AUDIT_DATA_INIT(&ad,CAP);
926 ad.tsk = tsk;
927 ad.u.cap = cap;
928
929 return avc_has_perm(tsec->sid, tsec->sid,
930 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
931}
932
933/* Check whether a task is allowed to use a system operation. */
934static int task_has_system(struct task_struct *tsk,
935 u32 perms)
936{
937 struct task_security_struct *tsec;
938
939 tsec = tsk->security;
940
941 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
942 SECCLASS_SYSTEM, perms, NULL);
943}
944
945/* Check whether a task has a particular permission to an inode.
946 The 'adp' parameter is optional and allows other audit
947 data to be passed (e.g. the dentry). */
948static int inode_has_perm(struct task_struct *tsk,
949 struct inode *inode,
950 u32 perms,
951 struct avc_audit_data *adp)
952{
953 struct task_security_struct *tsec;
954 struct inode_security_struct *isec;
955 struct avc_audit_data ad;
956
957 tsec = tsk->security;
958 isec = inode->i_security;
959
960 if (!adp) {
961 adp = &ad;
962 AVC_AUDIT_DATA_INIT(&ad, FS);
963 ad.u.fs.inode = inode;
964 }
965
966 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
967}
968
969/* Same as inode_has_perm, but pass explicit audit data containing
970 the dentry to help the auditing code to more easily generate the
971 pathname if needed. */
972static inline int dentry_has_perm(struct task_struct *tsk,
973 struct vfsmount *mnt,
974 struct dentry *dentry,
975 u32 av)
976{
977 struct inode *inode = dentry->d_inode;
978 struct avc_audit_data ad;
979 AVC_AUDIT_DATA_INIT(&ad,FS);
980 ad.u.fs.mnt = mnt;
981 ad.u.fs.dentry = dentry;
982 return inode_has_perm(tsk, inode, av, &ad);
983}
984
985/* Check whether a task can use an open file descriptor to
986 access an inode in a given way. Check access to the
987 descriptor itself, and then use dentry_has_perm to
988 check a particular permission to the file.
989 Access to the descriptor is implicitly granted if it
990 has the same SID as the process. If av is zero, then
991 access to the file is not checked, e.g. for cases
992 where only the descriptor is affected like seek. */
858119e1 993static int file_has_perm(struct task_struct *tsk,
1da177e4
LT		 994 struct file *file,
995 u32 av)
996{
997 struct task_security_struct *tsec = tsk->security;
998 struct file_security_struct *fsec = file->f_security;
999 struct vfsmount *mnt = file->f_vfsmnt;
1000 struct dentry *dentry = file->f_dentry;
1001 struct inode *inode = dentry->d_inode;
1002 struct avc_audit_data ad;
1003 int rc;
1004
1005 AVC_AUDIT_DATA_INIT(&ad, FS);
1006 ad.u.fs.mnt = mnt;
1007 ad.u.fs.dentry = dentry;
1008
1009 if (tsec->sid != fsec->sid) {
1010 rc = avc_has_perm(tsec->sid, fsec->sid,
1011 SECCLASS_FD,
1012 FD__USE,
1013 &ad);
1014 if (rc)
1015 return rc;
1016 }
1017
1018 /* av is zero if only checking access to the descriptor. */
1019 if (av)
1020 return inode_has_perm(tsk, inode, av, &ad);
1021
1022 return 0;
1023}
1024
1025/* Check whether a task can create a file. */
1026static int may_create(struct inode *dir,
1027 struct dentry *dentry,
1028 u16 tclass)
1029{
1030 struct task_security_struct *tsec;
1031 struct inode_security_struct *dsec;
1032 struct superblock_security_struct *sbsec;
1033 u32 newsid;
1034 struct avc_audit_data ad;
1035 int rc;
1036
1037 tsec = current->security;
1038 dsec = dir->i_security;
1039 sbsec = dir->i_sb->s_security;
1040
1041 AVC_AUDIT_DATA_INIT(&ad, FS);
1042 ad.u.fs.dentry = dentry;
1043
1044 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1045 DIR__ADD_NAME | DIR__SEARCH,
1046 &ad);
1047 if (rc)
1048 return rc;
1049
1050 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1051 newsid = tsec->create_sid;
1052 } else {
1053 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1054 &newsid);
1055 if (rc)
1056 return rc;
1057 }
1058
1059 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1060 if (rc)
1061 return rc;
1062
1063 return avc_has_perm(newsid, sbsec->sid,
1064 SECCLASS_FILESYSTEM,
1065 FILESYSTEM__ASSOCIATE, &ad);
1066}
1067
1068#define MAY_LINK 0
1069#define MAY_UNLINK 1
1070#define MAY_RMDIR 2
1071
1072/* Check whether a task can link, unlink, or rmdir a file/directory. */
1073static int may_link(struct inode *dir,
1074 struct dentry *dentry,
1075 int kind)
1076
1077{
1078 struct task_security_struct *tsec;
1079 struct inode_security_struct *dsec, *isec;
1080 struct avc_audit_data ad;
1081 u32 av;
1082 int rc;
1083
1084 tsec = current->security;
1085 dsec = dir->i_security;
1086 isec = dentry->d_inode->i_security;
1087
1088 AVC_AUDIT_DATA_INIT(&ad, FS);
1089 ad.u.fs.dentry = dentry;
1090
1091 av = DIR__SEARCH;
1092 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1093 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1094 if (rc)
1095 return rc;
1096
1097 switch (kind) {
1098 case MAY_LINK:
1099 av = FILE__LINK;
1100 break;
1101 case MAY_UNLINK:
1102 av = FILE__UNLINK;
1103 break;
1104 case MAY_RMDIR:
1105 av = DIR__RMDIR;
1106 break;
1107 default:
1108 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1109 return 0;
1110 }
1111
1112 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1113 return rc;
1114}
1115
1116static inline int may_rename(struct inode *old_dir,
1117 struct dentry *old_dentry,
1118 struct inode *new_dir,
1119 struct dentry *new_dentry)
1120{
1121 struct task_security_struct *tsec;
1122 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1123 struct avc_audit_data ad;
1124 u32 av;
1125 int old_is_dir, new_is_dir;
1126 int rc;
1127
1128 tsec = current->security;
1129 old_dsec = old_dir->i_security;
1130 old_isec = old_dentry->d_inode->i_security;
1131 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1132 new_dsec = new_dir->i_security;
1133
1134 AVC_AUDIT_DATA_INIT(&ad, FS);
1135
1136 ad.u.fs.dentry = old_dentry;
1137 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1138 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1139 if (rc)
1140 return rc;
1141 rc = avc_has_perm(tsec->sid, old_isec->sid,
1142 old_isec->sclass, FILE__RENAME, &ad);
1143 if (rc)
1144 return rc;
1145 if (old_is_dir && new_dir != old_dir) {
1146 rc = avc_has_perm(tsec->sid, old_isec->sid,
1147 old_isec->sclass, DIR__REPARENT, &ad);
1148 if (rc)
1149 return rc;
1150 }
1151
1152 ad.u.fs.dentry = new_dentry;
1153 av = DIR__ADD_NAME | DIR__SEARCH;
1154 if (new_dentry->d_inode)
1155 av |= DIR__REMOVE_NAME;
1156 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1157 if (rc)
1158 return rc;
1159 if (new_dentry->d_inode) {
1160 new_isec = new_dentry->d_inode->i_security;
1161 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1162 rc = avc_has_perm(tsec->sid, new_isec->sid,
1163 new_isec->sclass,
1164 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1165 if (rc)
1166 return rc;
1167 }
1168
1169 return 0;
1170}
1171
1172/* Check whether a task can perform a filesystem operation. */
1173static int superblock_has_perm(struct task_struct *tsk,
1174 struct super_block *sb,
1175 u32 perms,
1176 struct avc_audit_data *ad)
1177{
1178 struct task_security_struct *tsec;
1179 struct superblock_security_struct *sbsec;
1180
1181 tsec = tsk->security;
1182 sbsec = sb->s_security;
1183 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1184 perms, ad);
1185}
1186
1187/* Convert a Linux mode and permission mask to an access vector. */
1188static inline u32 file_mask_to_av(int mode, int mask)
1189{
1190 u32 av = 0;
1191
1192 if ((mode & S_IFMT) != S_IFDIR) {
1193 if (mask & MAY_EXEC)
1194 av |= FILE__EXECUTE;
1195 if (mask & MAY_READ)
1196 av |= FILE__READ;
1197
1198 if (mask & MAY_APPEND)
1199 av |= FILE__APPEND;
1200 else if (mask & MAY_WRITE)
1201 av |= FILE__WRITE;
1202
1203 } else {
1204 if (mask & MAY_EXEC)
1205 av |= DIR__SEARCH;
1206 if (mask & MAY_WRITE)
1207 av |= DIR__WRITE;
1208 if (mask & MAY_READ)
1209 av |= DIR__READ;
1210 }
1211
1212 return av;
1213}
1214
1215/* Convert a Linux file to an access vector. */
1216static inline u32 file_to_av(struct file *file)
1217{
1218 u32 av = 0;
1219
1220 if (file->f_mode & FMODE_READ)
1221 av |= FILE__READ;
1222 if (file->f_mode & FMODE_WRITE) {
1223 if (file->f_flags & O_APPEND)
1224 av |= FILE__APPEND;
1225 else
1226 av |= FILE__WRITE;
1227 }
1228
1229 return av;
1230}
1231
1232/* Set an inode's SID to a specified value. */
1233static int inode_security_set_sid(struct inode *inode, u32 sid)
1234{
1235 struct inode_security_struct *isec = inode->i_security;
1236 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1237
1238 if (!sbsec->initialized) {
1239 /* Defer initialization to selinux_complete_init. */
1240 return 0;
1241 }
1242
1243 down(&isec->sem);
1244 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1245 isec->sid = sid;
1246 isec->initialized = 1;
1247 up(&isec->sem);
1248 return 0;
1249}
1250
1da177e4
LT		 1251/* Hook functions begin here. */
1252
1253static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1254{
1255 struct task_security_struct *psec = parent->security;
1256 struct task_security_struct *csec = child->security;
1257 int rc;
1258
1259 rc = secondary_ops->ptrace(parent,child);
1260 if (rc)
1261 return rc;
1262
1263 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1264 /* Save the SID of the tracing process for later use in apply_creds. */
341c2d80 1265 if (!(child->ptrace & PT_PTRACED) && !rc)
1da177e4
LT		 1266 csec->ptrace_sid = psec->sid;
1267 return rc;
1268}
1269
1270static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1271 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1272{
1273 int error;
1274
1275 error = task_has_perm(current, target, PROCESS__GETCAP);
1276 if (error)
1277 return error;
1278
1279 return secondary_ops->capget(target, effective, inheritable, permitted);
1280}
1281
1282static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1283 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1284{
1285 int error;
1286
1287 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1288 if (error)
1289 return error;
1290
1291 return task_has_perm(current, target, PROCESS__SETCAP);
1292}
1293
1294static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1295 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1296{
1297 secondary_ops->capset_set(target, effective, inheritable, permitted);
1298}
1299
1300static int selinux_capable(struct task_struct *tsk, int cap)
1301{
1302 int rc;
1303
1304 rc = secondary_ops->capable(tsk, cap);
1305 if (rc)
1306 return rc;
1307
1308 return task_has_capability(tsk,cap);
1309}
1310
1311static int selinux_sysctl(ctl_table *table, int op)
1312{
1313 int error = 0;
1314 u32 av;
1315 struct task_security_struct *tsec;
1316 u32 tsid;
1317 int rc;
1318
1319 rc = secondary_ops->sysctl(table, op);
1320 if (rc)
1321 return rc;
1322
1323 tsec = current->security;
1324
1325 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1326 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1327 if (rc) {
1328 /* Default to the well-defined sysctl SID. */
1329 tsid = SECINITSID_SYSCTL;
1330 }
1331
1332 /* The op values are "defined" in sysctl.c, thereby creating
1333 * a bad coupling between this module and sysctl.c */
1334 if(op == 001) {
1335 error = avc_has_perm(tsec->sid, tsid,
1336 SECCLASS_DIR, DIR__SEARCH, NULL);
1337 } else {
1338 av = 0;
1339 if (op & 004)
1340 av |= FILE__READ;
1341 if (op & 002)
1342 av |= FILE__WRITE;
1343 if (av)
1344 error = avc_has_perm(tsec->sid, tsid,
1345 SECCLASS_FILE, av, NULL);
1346 }
1347
1348 return error;
1349}
1350
1351static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1352{
1353 int rc = 0;
1354
1355 if (!sb)
1356 return 0;
1357
1358 switch (cmds) {
1359 case Q_SYNC:
1360 case Q_QUOTAON:
1361 case Q_QUOTAOFF:
1362 case Q_SETINFO:
1363 case Q_SETQUOTA:
1364 rc = superblock_has_perm(current,
1365 sb,
1366 FILESYSTEM__QUOTAMOD, NULL);
1367 break;
1368 case Q_GETFMT:
1369 case Q_GETINFO:
1370 case Q_GETQUOTA:
1371 rc = superblock_has_perm(current,
1372 sb,
1373 FILESYSTEM__QUOTAGET, NULL);
1374 break;
1375 default:
1376 rc = 0; /* let the kernel handle invalid cmds */
1377 break;
1378 }
1379 return rc;
1380}
1381
1382static int selinux_quota_on(struct dentry *dentry)
1383{
1384 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1385}
1386
1387static int selinux_syslog(int type)
1388{
1389 int rc;
1390
1391 rc = secondary_ops->syslog(type);
1392 if (rc)
1393 return rc;
1394
1395 switch (type) {
1396 case 3: /* Read last kernel messages */
1397 case 10: /* Return size of the log buffer */
1398 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1399 break;
1400 case 6: /* Disable logging to console */
1401 case 7: /* Enable logging to console */
1402 case 8: /* Set level of messages printed to console */
1403 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1404 break;
1405 case 0: /* Close log */
1406 case 1: /* Open log */
1407 case 2: /* Read from log */
1408 case 4: /* Read/clear last kernel messages */
1409 case 5: /* Clear ring buffer */
1410 default:
1411 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1412 break;
1413 }
1414 return rc;
1415}
1416
1417/*
1418 * Check that a process has enough memory to allocate a new virtual
1419 * mapping. 0 means there is enough memory for the allocation to
1420 * succeed and -ENOMEM implies there is not.
1421 *
1422 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1423 * if the capability is granted, but __vm_enough_memory requires 1 if
1424 * the capability is granted.
1425 *
1426 * Do not audit the selinux permission check, as this is applied to all
1427 * processes that allocate mappings.
1428 */
1429static int selinux_vm_enough_memory(long pages)
1430{
1431 int rc, cap_sys_admin = 0;
1432 struct task_security_struct *tsec = current->security;
1433
1434 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1435 if (rc == 0)
1436 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1437 SECCLASS_CAPABILITY,
1438 CAP_TO_MASK(CAP_SYS_ADMIN),
1439 NULL);
1440
1441 if (rc == 0)
1442 cap_sys_admin = 1;
1443
1444 return __vm_enough_memory(pages, cap_sys_admin);
1445}
1446
1447/* binprm security operations */
1448
1449static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1450{
1451 struct bprm_security_struct *bsec;
1452
89d155ef 1453 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1da177e4
LT		 1454 if (!bsec)
1455 return -ENOMEM;
1456
1da177e4
LT		 1457 bsec->bprm = bprm;
1458 bsec->sid = SECINITSID_UNLABELED;
1459 bsec->set = 0;
1460
1461 bprm->security = bsec;
1462 return 0;
1463}
1464
1465static int selinux_bprm_set_security(struct linux_binprm *bprm)
1466{
1467 struct task_security_struct *tsec;
1468 struct inode *inode = bprm->file->f_dentry->d_inode;
1469 struct inode_security_struct *isec;
1470 struct bprm_security_struct *bsec;
1471 u32 newsid;
1472 struct avc_audit_data ad;
1473 int rc;
1474
1475 rc = secondary_ops->bprm_set_security(bprm);
1476 if (rc)
1477 return rc;
1478
1479 bsec = bprm->security;
1480
1481 if (bsec->set)
1482 return 0;
1483
1484 tsec = current->security;
1485 isec = inode->i_security;
1486
1487 /* Default to the current task SID. */
1488 bsec->sid = tsec->sid;
1489
1490 /* Reset create SID on execve. */
1491 tsec->create_sid = 0;
1492
1493 if (tsec->exec_sid) {
1494 newsid = tsec->exec_sid;
1495 /* Reset exec SID on execve. */
1496 tsec->exec_sid = 0;
1497 } else {
1498 /* Check for a default transition on this program. */
1499 rc = security_transition_sid(tsec->sid, isec->sid,
1500 SECCLASS_PROCESS, &newsid);
1501 if (rc)
1502 return rc;
1503 }
1504
1505 AVC_AUDIT_DATA_INIT(&ad, FS);
1506 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1507 ad.u.fs.dentry = bprm->file->f_dentry;
1508
1509 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1510 newsid = tsec->sid;
1511
1512 if (tsec->sid == newsid) {
1513 rc = avc_has_perm(tsec->sid, isec->sid,
1514 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1515 if (rc)
1516 return rc;
1517 } else {
1518 /* Check permissions for the transition. */
1519 rc = avc_has_perm(tsec->sid, newsid,
1520 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1521 if (rc)
1522 return rc;
1523
1524 rc = avc_has_perm(newsid, isec->sid,
1525 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1526 if (rc)
1527 return rc;
1528
1529 /* Clear any possibly unsafe personality bits on exec: */
1530 current->personality &= ~PER_CLEAR_ON_SETID;
1531
1532 /* Set the security field to the new SID. */
1533 bsec->sid = newsid;
1534 }
1535
1536 bsec->set = 1;
1537 return 0;
1538}
1539
1540static int selinux_bprm_check_security (struct linux_binprm *bprm)
1541{
1542 return secondary_ops->bprm_check_security(bprm);
1543}
1544
1545
1546static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1547{
1548 struct task_security_struct *tsec = current->security;
1549 int atsecure = 0;
1550
1551 if (tsec->osid != tsec->sid) {
1552 /* Enable secure mode for SIDs transitions unless
1553 the noatsecure permission is granted between
1554 the two SIDs, i.e. ahp returns 0. */
1555 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1556 SECCLASS_PROCESS,
1557 PROCESS__NOATSECURE, NULL);
1558 }
1559
1560 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1561}
1562
1563static void selinux_bprm_free_security(struct linux_binprm *bprm)
1564{
9a5f04bf 1565 kfree(bprm->security);
1da177e4 1566 bprm->security = NULL;
1da177e4
LT		 1567}
1568
1569extern struct vfsmount *selinuxfs_mount;
1570extern struct dentry *selinux_null;
1571
1572/* Derived from fs/exec.c:flush_old_files. */
1573static inline void flush_unauthorized_files(struct files_struct * files)
1574{
1575 struct avc_audit_data ad;
1576 struct file *file, *devnull = NULL;
1577 struct tty_struct *tty = current->signal->tty;
badf1662 1578 struct fdtable *fdt;
1da177e4
LT		 1579 long j = -1;
1580
1581 if (tty) {
1582 file_list_lock();
2f512016 1583 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1da177e4
LT		 1584 if (file) {
1585 /* Revalidate access to controlling tty.
1586 Use inode_has_perm on the tty inode directly rather
1587 than using file_has_perm, as this particular open
1588 file may belong to another process and we are only
1589 interested in the inode-based check here. */
1590 struct inode *inode = file->f_dentry->d_inode;
1591 if (inode_has_perm(current, inode,
1592 FILE__READ | FILE__WRITE, NULL)) {
1593 /* Reset controlling tty. */
1594 current->signal->tty = NULL;
1595 current->signal->tty_old_pgrp = 0;
1596 }
1597 }
1598 file_list_unlock();
1599 }
1600
1601 /* Revalidate access to inherited open files. */
1602
1603 AVC_AUDIT_DATA_INIT(&ad,FS);
1604
1605 spin_lock(&files->file_lock);
1606 for (;;) {
1607 unsigned long set, i;
1608 int fd;
1609
1610 j++;
1611 i = j * __NFDBITS;
badf1662
DS		 1612 fdt = files_fdtable(files);
1613 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1da177e4 1614 break;
badf1662 1615 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 1616 if (!set)
1617 continue;
1618 spin_unlock(&files->file_lock);
1619 for ( ; set ; i++,set >>= 1) {
1620 if (set & 1) {
1621 file = fget(i);
1622 if (!file)
1623 continue;
1624 if (file_has_perm(current,
1625 file,
1626 file_to_av(file))) {
1627 sys_close(i);
1628 fd = get_unused_fd();
1629 if (fd != i) {
1630 if (fd >= 0)
1631 put_unused_fd(fd);
1632 fput(file);
1633 continue;
1634 }
1635 if (devnull) {
095975da 1636 get_file(devnull);
1da177e4
LT		 1637 } else {
1638 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1639 if (!devnull) {
1640 put_unused_fd(fd);
1641 fput(file);
1642 continue;
1643 }
1644 }
1645 fd_install(fd, devnull);
1646 }
1647 fput(file);
1648 }
1649 }
1650 spin_lock(&files->file_lock);
1651
1652 }
1653 spin_unlock(&files->file_lock);
1654}
1655
1656static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1657{
1658 struct task_security_struct *tsec;
1659 struct bprm_security_struct *bsec;
1660 u32 sid;
1661 int rc;
1662
1663 secondary_ops->bprm_apply_creds(bprm, unsafe);
1664
1665 tsec = current->security;
1666
1667 bsec = bprm->security;
1668 sid = bsec->sid;
1669
1670 tsec->osid = tsec->sid;
1671 bsec->unsafe = 0;
1672 if (tsec->sid != sid) {
1673 /* Check for shared state. If not ok, leave SID
1674 unchanged and kill. */
1675 if (unsafe & LSM_UNSAFE_SHARE) {
1676 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1677 PROCESS__SHARE, NULL);
1678 if (rc) {
1679 bsec->unsafe = 1;
1680 return;
1681 }
1682 }
1683
1684 /* Check for ptracing, and update the task SID if ok.
1685 Otherwise, leave SID unchanged and kill. */
1686 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1687 rc = avc_has_perm(tsec->ptrace_sid, sid,
1688 SECCLASS_PROCESS, PROCESS__PTRACE,
1689 NULL);
1690 if (rc) {
1691 bsec->unsafe = 1;
1692 return;
1693 }
1694 }
1695 tsec->sid = sid;
1696 }
1697}
1698
1699/*
1700 * called after apply_creds without the task lock held
1701 */
1702static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1703{
1704 struct task_security_struct *tsec;
1705 struct rlimit *rlim, *initrlim;
1706 struct itimerval itimer;
1707 struct bprm_security_struct *bsec;
1708 int rc, i;
1709
1710 tsec = current->security;
1711 bsec = bprm->security;
1712
1713 if (bsec->unsafe) {
1714 force_sig_specific(SIGKILL, current);
1715 return;
1716 }
1717 if (tsec->osid == tsec->sid)
1718 return;
1719
1720 /* Close files for which the new task SID is not authorized. */
1721 flush_unauthorized_files(current->files);
1722
1723 /* Check whether the new SID can inherit signal state
1724 from the old SID. If not, clear itimers to avoid
1725 subsequent signal generation and flush and unblock
1726 signals. This must occur _after_ the task SID has
1727 been updated so that any kill done after the flush
1728 will be checked against the new SID. */
1729 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1730 PROCESS__SIGINH, NULL);
1731 if (rc) {
1732 memset(&itimer, 0, sizeof itimer);
1733 for (i = 0; i < 3; i++)
1734 do_setitimer(i, &itimer, NULL);
1735 flush_signals(current);
1736 spin_lock_irq(&current->sighand->siglock);
1737 flush_signal_handlers(current, 1);
1738 sigemptyset(&current->blocked);
1739 recalc_sigpending();
1740 spin_unlock_irq(&current->sighand->siglock);
1741 }
1742
1743 /* Check whether the new SID can inherit resource limits
1744 from the old SID. If not, reset all soft limits to
1745 the lower of the current task's hard limit and the init
1746 task's soft limit. Note that the setting of hard limits
1747 (even to lower them) can be controlled by the setrlimit
1748 check. The inclusion of the init task's soft limit into
1749 the computation is to avoid resetting soft limits higher
1750 than the default soft limit for cases where the default
1751 is lower than the hard limit, e.g. RLIMIT_CORE or
1752 RLIMIT_STACK.*/
1753 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1754 PROCESS__RLIMITINH, NULL);
1755 if (rc) {
1756 for (i = 0; i < RLIM_NLIMITS; i++) {
1757 rlim = current->signal->rlim + i;
1758 initrlim = init_task.signal->rlim+i;
1759 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1760 }
1761 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1762 /*
1763 * This will cause RLIMIT_CPU calculations
1764 * to be refigured.
1765 */
1766 current->it_prof_expires = jiffies_to_cputime(1);
1767 }
1768 }
1769
1770 /* Wake up the parent if it is waiting so that it can
1771 recheck wait permission to the new task SID. */
1772 wake_up_interruptible(&current->parent->signal->wait_chldexit);
1773}
1774
1775/* superblock security operations */
1776
1777static int selinux_sb_alloc_security(struct super_block *sb)
1778{
1779 return superblock_alloc_security(sb);
1780}
1781
1782static void selinux_sb_free_security(struct super_block *sb)
1783{
1784 superblock_free_security(sb);
1785}
1786
1787static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1788{
1789 if (plen > olen)
1790 return 0;
1791
1792 return !memcmp(prefix, option, plen);
1793}
1794
1795static inline int selinux_option(char *option, int len)
1796{
1797 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1798 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1799 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1800}
1801
1802static inline void take_option(char **to, char *from, int *first, int len)
1803{
1804 if (!*first) {
1805 **to = ',';
1806 *to += 1;
1807 }
1808 else
1809 *first = 0;
1810 memcpy(*to, from, len);
1811 *to += len;
1812}
1813
1814static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1815{
1816 int fnosec, fsec, rc = 0;
1817 char *in_save, *in_curr, *in_end;
1818 char *sec_curr, *nosec_save, *nosec;
1819
1820 in_curr = orig;
1821 sec_curr = copy;
1822
1823 /* Binary mount data: just copy */
1824 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1825 copy_page(sec_curr, in_curr);
1826 goto out;
1827 }
1828
1829 nosec = (char *)get_zeroed_page(GFP_KERNEL);
1830 if (!nosec) {
1831 rc = -ENOMEM;
1832 goto out;
1833 }
1834
1835 nosec_save = nosec;
1836 fnosec = fsec = 1;
1837 in_save = in_end = orig;
1838
1839 do {
1840 if (*in_end == ',' || *in_end == '\0') {
1841 int len = in_end - in_curr;
1842
1843 if (selinux_option(in_curr, len))
1844 take_option(&sec_curr, in_curr, &fsec, len);
1845 else
1846 take_option(&nosec, in_curr, &fnosec, len);
1847
1848 in_curr = in_end + 1;
1849 }
1850 } while (*in_end++);
1851
6931dfc9 1852 strcpy(in_save, nosec_save);
da3caa20 1853 free_page((unsigned long)nosec_save);
1da177e4
LT		 1854out:
1855 return rc;
1856}
1857
1858static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1859{
1860 struct avc_audit_data ad;
1861 int rc;
1862
1863 rc = superblock_doinit(sb, data);
1864 if (rc)
1865 return rc;
1866
1867 AVC_AUDIT_DATA_INIT(&ad,FS);
1868 ad.u.fs.dentry = sb->s_root;
1869 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1870}
1871
1872static int selinux_sb_statfs(struct super_block *sb)
1873{
1874 struct avc_audit_data ad;
1875
1876 AVC_AUDIT_DATA_INIT(&ad,FS);
1877 ad.u.fs.dentry = sb->s_root;
1878 return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1879}
1880
1881static int selinux_mount(char * dev_name,
1882 struct nameidata *nd,
1883 char * type,
1884 unsigned long flags,
1885 void * data)
1886{
1887 int rc;
1888
1889 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1890 if (rc)
1891 return rc;
1892
1893 if (flags & MS_REMOUNT)
1894 return superblock_has_perm(current, nd->mnt->mnt_sb,
1895 FILESYSTEM__REMOUNT, NULL);
1896 else
1897 return dentry_has_perm(current, nd->mnt, nd->dentry,
1898 FILE__MOUNTON);
1899}
1900
1901static int selinux_umount(struct vfsmount *mnt, int flags)
1902{
1903 int rc;
1904
1905 rc = secondary_ops->sb_umount(mnt, flags);
1906 if (rc)
1907 return rc;
1908
1909 return superblock_has_perm(current,mnt->mnt_sb,
1910 FILESYSTEM__UNMOUNT,NULL);
1911}
1912
1913/* inode security operations */
1914
1915static int selinux_inode_alloc_security(struct inode *inode)
1916{
1917 return inode_alloc_security(inode);
1918}
1919
1920static void selinux_inode_free_security(struct inode *inode)
1921{
1922 inode_free_security(inode);
1923}
1924
5e41ff9e
SS		 1925static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1926 char **name, void **value,
1927 size_t *len)
1928{
1929 struct task_security_struct *tsec;
1930 struct inode_security_struct *dsec;
1931 struct superblock_security_struct *sbsec;
1932 struct inode_security_struct *isec;
570bc1c2 1933 u32 newsid, clen;
5e41ff9e 1934 int rc;
570bc1c2 1935 char *namep = NULL, *context;
5e41ff9e
SS		 1936
1937 tsec = current->security;
1938 dsec = dir->i_security;
1939 sbsec = dir->i_sb->s_security;
1940 isec = inode->i_security;
1941
1942 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1943 newsid = tsec->create_sid;
1944 } else {
1945 rc = security_transition_sid(tsec->sid, dsec->sid,
1946 inode_mode_to_security_class(inode->i_mode),
1947 &newsid);
1948 if (rc) {
1949 printk(KERN_WARNING "%s: "
1950 "security_transition_sid failed, rc=%d (dev=%s "
1951 "ino=%ld)\n",
1952 __FUNCTION__,
1953 -rc, inode->i_sb->s_id, inode->i_ino);
1954 return rc;
1955 }
1956 }
1957
1958 inode_security_set_sid(inode, newsid);
1959
25a74f3b
SS		 1960 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
1961 return -EOPNOTSUPP;
1962
570bc1c2
SS		 1963 if (name) {
1964 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
1965 if (!namep)
1966 return -ENOMEM;
1967 *name = namep;
1968 }
5e41ff9e 1969
570bc1c2
SS		 1970 if (value && len) {
1971 rc = security_sid_to_context(newsid, &context, &clen);
1972 if (rc) {
1973 kfree(namep);
1974 return rc;
1975 }
1976 *value = context;
1977 *len = clen;
5e41ff9e 1978 }
5e41ff9e 1979
5e41ff9e
SS		 1980 return 0;
1981}
1982
1da177e4
LT		 1983static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
1984{
1985 return may_create(dir, dentry, SECCLASS_FILE);
1986}
1987
1da177e4
LT		 1988static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
1989{
1990 int rc;
1991
1992 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
1993 if (rc)
1994 return rc;
1995 return may_link(dir, old_dentry, MAY_LINK);
1996}
1997
1da177e4
LT		 1998static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
1999{
2000 int rc;
2001
2002 rc = secondary_ops->inode_unlink(dir, dentry);
2003 if (rc)
2004 return rc;
2005 return may_link(dir, dentry, MAY_UNLINK);
2006}
2007
2008static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2009{
2010 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2011}
2012
1da177e4
LT		 2013static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2014{
2015 return may_create(dir, dentry, SECCLASS_DIR);
2016}
2017
1da177e4
LT		 2018static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2019{
2020 return may_link(dir, dentry, MAY_RMDIR);
2021}
2022
2023static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2024{
2025 int rc;
2026
2027 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2028 if (rc)
2029 return rc;
2030
2031 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2032}
2033
1da177e4
LT		 2034static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2035 struct inode *new_inode, struct dentry *new_dentry)
2036{
2037 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2038}
2039
1da177e4
LT		 2040static int selinux_inode_readlink(struct dentry *dentry)
2041{
2042 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2043}
2044
2045static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2046{
2047 int rc;
2048
2049 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2050 if (rc)
2051 return rc;
2052 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2053}
2054
2055static int selinux_inode_permission(struct inode *inode, int mask,
2056 struct nameidata *nd)
2057{
2058 int rc;
2059
2060 rc = secondary_ops->inode_permission(inode, mask, nd);
2061 if (rc)
2062 return rc;
2063
2064 if (!mask) {
2065 /* No permission to check. Existence test. */
2066 return 0;
2067 }
2068
2069 return inode_has_perm(current, inode,
2070 file_mask_to_av(inode->i_mode, mask), NULL);
2071}
2072
2073static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2074{
2075 int rc;
2076
2077 rc = secondary_ops->inode_setattr(dentry, iattr);
2078 if (rc)
2079 return rc;
2080
2081 if (iattr->ia_valid & ATTR_FORCE)
2082 return 0;
2083
2084 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2085 ATTR_ATIME_SET | ATTR_MTIME_SET))
2086 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2087
2088 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2089}
2090
2091static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2092{
2093 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2094}
2095
2096static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2097{
2098 struct task_security_struct *tsec = current->security;
2099 struct inode *inode = dentry->d_inode;
2100 struct inode_security_struct *isec = inode->i_security;
2101 struct superblock_security_struct *sbsec;
2102 struct avc_audit_data ad;
2103 u32 newsid;
2104 int rc = 0;
2105
2106 if (strcmp(name, XATTR_NAME_SELINUX)) {
2107 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2108 sizeof XATTR_SECURITY_PREFIX - 1) &&
2109 !capable(CAP_SYS_ADMIN)) {
2110 /* A different attribute in the security namespace.
2111 Restrict to administrator. */
2112 return -EPERM;
2113 }
2114
2115 /* Not an attribute we recognize, so just check the
2116 ordinary setattr permission. */
2117 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2118 }
2119
2120 sbsec = inode->i_sb->s_security;
2121 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2122 return -EOPNOTSUPP;
2123
2124 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2125 return -EPERM;
2126
2127 AVC_AUDIT_DATA_INIT(&ad,FS);
2128 ad.u.fs.dentry = dentry;
2129
2130 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2131 FILE__RELABELFROM, &ad);
2132 if (rc)
2133 return rc;
2134
2135 rc = security_context_to_sid(value, size, &newsid);
2136 if (rc)
2137 return rc;
2138
2139 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2140 FILE__RELABELTO, &ad);
2141 if (rc)
2142 return rc;
2143
2144 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2145 isec->sclass);
2146 if (rc)
2147 return rc;
2148
2149 return avc_has_perm(newsid,
2150 sbsec->sid,
2151 SECCLASS_FILESYSTEM,
2152 FILESYSTEM__ASSOCIATE,
2153 &ad);
2154}
2155
2156static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2157 void *value, size_t size, int flags)
2158{
2159 struct inode *inode = dentry->d_inode;
2160 struct inode_security_struct *isec = inode->i_security;
2161 u32 newsid;
2162 int rc;
2163
2164 if (strcmp(name, XATTR_NAME_SELINUX)) {
2165 /* Not an attribute we recognize, so nothing to do. */
2166 return;
2167 }
2168
2169 rc = security_context_to_sid(value, size, &newsid);
2170 if (rc) {
2171 printk(KERN_WARNING "%s: unable to obtain SID for context "
2172 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2173 return;
2174 }
2175
2176 isec->sid = newsid;
2177 return;
2178}
2179
2180static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2181{
1da177e4
LT		 2182 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2183}
2184
2185static int selinux_inode_listxattr (struct dentry *dentry)
2186{
2187 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2188}
2189
2190static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2191{
2192 if (strcmp(name, XATTR_NAME_SELINUX)) {
2193 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2194 sizeof XATTR_SECURITY_PREFIX - 1) &&
2195 !capable(CAP_SYS_ADMIN)) {
2196 /* A different attribute in the security namespace.
2197 Restrict to administrator. */
2198 return -EPERM;
2199 }
2200
2201 /* Not an attribute we recognize, so just check the
2202 ordinary setattr permission. Might want a separate
2203 permission for removexattr. */
2204 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2205 }
2206
2207 /* No one is allowed to remove a SELinux security label.
2208 You can change the label, but all data must be labeled. */
2209 return -EACCES;
2210}
2211
d381d8a9
JM		 2212/*
2213 * Copy the in-core inode security context value to the user. If the
2214 * getxattr() prior to this succeeded, check to see if we need to
2215 * canonicalize the value to be finally returned to the user.
2216 *
2217 * Permission check is handled by selinux_inode_getxattr hook.
2218 */
2219static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
1da177e4
LT		 2220{
2221 struct inode_security_struct *isec = inode->i_security;
2222 char *context;
2223 unsigned len;
2224 int rc;
2225
d381d8a9
JM		 2226 if (strcmp(name, XATTR_SELINUX_SUFFIX)) {
2227 rc = -EOPNOTSUPP;
2228 goto out;
2229 }
1da177e4
LT		 2230
2231 rc = security_sid_to_context(isec->sid, &context, &len);
2232 if (rc)
d381d8a9 2233 goto out;
1da177e4 2234
d381d8a9 2235 /* Probe for required buffer size */
1da177e4 2236 if (!buffer || !size) {
d381d8a9
JM		 2237 rc = len;
2238 goto out_free;
1da177e4 2239 }
d381d8a9 2240
1da177e4 2241 if (size < len) {
d381d8a9
JM		 2242 rc = -ERANGE;
2243 goto out_free;
2244 }
2245
2246 if (err > 0) {
2247 if ((len == err) && !(memcmp(context, buffer, len))) {
2248 /* Don't need to canonicalize value */
2249 rc = err;
2250 goto out_free;
2251 }
2252 memset(buffer, 0, size);
1da177e4
LT		 2253 }
2254 memcpy(buffer, context, len);
d381d8a9
JM		 2255 rc = len;
2256out_free:
1da177e4 2257 kfree(context);
d381d8a9
JM		 2258out:
2259 return rc;
1da177e4
LT		 2260}
2261
2262static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2263 const void *value, size_t size, int flags)
2264{
2265 struct inode_security_struct *isec = inode->i_security;
2266 u32 newsid;
2267 int rc;
2268
2269 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2270 return -EOPNOTSUPP;
2271
2272 if (!value || !size)
2273 return -EACCES;
2274
2275 rc = security_context_to_sid((void*)value, size, &newsid);
2276 if (rc)
2277 return rc;
2278
2279 isec->sid = newsid;
2280 return 0;
2281}
2282
2283static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2284{
2285 const int len = sizeof(XATTR_NAME_SELINUX);
2286 if (buffer && len <= buffer_size)
2287 memcpy(buffer, XATTR_NAME_SELINUX, len);
2288 return len;
2289}
2290
2291/* file security operations */
2292
2293static int selinux_file_permission(struct file *file, int mask)
2294{
2295 struct inode *inode = file->f_dentry->d_inode;
2296
2297 if (!mask) {
2298 /* No permission to check. Existence test. */
2299 return 0;
2300 }
2301
2302 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2303 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2304 mask |= MAY_APPEND;
2305
2306 return file_has_perm(current, file,
2307 file_mask_to_av(inode->i_mode, mask));
2308}
2309
2310static int selinux_file_alloc_security(struct file *file)
2311{
2312 return file_alloc_security(file);
2313}
2314
2315static void selinux_file_free_security(struct file *file)
2316{
2317 file_free_security(file);
2318}
2319
2320static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2321 unsigned long arg)
2322{
2323 int error = 0;
2324
2325 switch (cmd) {
2326 case FIONREAD:
2327 /* fall through */
2328 case FIBMAP:
2329 /* fall through */
2330 case FIGETBSZ:
2331 /* fall through */
2332 case EXT2_IOC_GETFLAGS:
2333 /* fall through */
2334 case EXT2_IOC_GETVERSION:
2335 error = file_has_perm(current, file, FILE__GETATTR);
2336 break;
2337
2338 case EXT2_IOC_SETFLAGS:
2339 /* fall through */
2340 case EXT2_IOC_SETVERSION:
2341 error = file_has_perm(current, file, FILE__SETATTR);
2342 break;
2343
2344 /* sys_ioctl() checks */
2345 case FIONBIO:
2346 /* fall through */
2347 case FIOASYNC:
2348 error = file_has_perm(current, file, 0);
2349 break;
2350
2351 case KDSKBENT:
2352 case KDSKBSENT:
2353 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2354 break;
2355
2356 /* default case assumes that the command will go
2357 * to the file's ioctl() function.
2358 */
2359 default:
2360 error = file_has_perm(current, file, FILE__IOCTL);
2361
2362 }
2363 return error;
2364}
2365
2366static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2367{
2368#ifndef CONFIG_PPC32
2369 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2370 /*
2371 * We are making executable an anonymous mapping or a
2372 * private file mapping that will also be writable.
2373 * This has an additional check.
2374 */
2375 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2376 if (rc)
2377 return rc;
2378 }
2379#endif
2380
2381 if (file) {
2382 /* read access is always possible with a mapping */
2383 u32 av = FILE__READ;
2384
2385 /* write access only matters if the mapping is shared */
2386 if (shared && (prot & PROT_WRITE))
2387 av |= FILE__WRITE;
2388
2389 if (prot & PROT_EXEC)
2390 av |= FILE__EXECUTE;
2391
2392 return file_has_perm(current, file, av);
2393 }
2394 return 0;
2395}
2396
2397static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2398 unsigned long prot, unsigned long flags)
2399{
2400 int rc;
2401
2402 rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2403 if (rc)
2404 return rc;
2405
2406 if (selinux_checkreqprot)
2407 prot = reqprot;
2408
2409 return file_map_prot_check(file, prot,
2410 (flags & MAP_TYPE) == MAP_SHARED);
2411}
2412
2413static int selinux_file_mprotect(struct vm_area_struct *vma,
2414 unsigned long reqprot,
2415 unsigned long prot)
2416{
2417 int rc;
2418
2419 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2420 if (rc)
2421 return rc;
2422
2423 if (selinux_checkreqprot)
2424 prot = reqprot;
2425
2426#ifndef CONFIG_PPC32
db4c9641
SS		 2427 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2428 rc = 0;
2429 if (vma->vm_start >= vma->vm_mm->start_brk &&
2430 vma->vm_end <= vma->vm_mm->brk) {
2431 rc = task_has_perm(current, current,
2432 PROCESS__EXECHEAP);
2433 } else if (!vma->vm_file &&
2434 vma->vm_start <= vma->vm_mm->start_stack &&
2435 vma->vm_end >= vma->vm_mm->start_stack) {
2436 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2437 } else if (vma->vm_file && vma->anon_vma) {
2438 /*
2439 * We are making executable a file mapping that has
2440 * had some COW done. Since pages might have been
2441 * written, check ability to execute the possibly
2442 * modified content. This typically should only
2443 * occur for text relocations.
2444 */
2445 rc = file_has_perm(current, vma->vm_file,
2446 FILE__EXECMOD);
2447 }