]> git.ipfire.org Git - thirdparty/linux.git/blame - security/selinux/hooks.c
projects / thirdparty / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
selinux: Inode label revalidation performance fix
[thirdparty/linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4 26#include <linux/init.h>
0b24dcb7 27#include <linux/kd.h>
1da177e4 28#include <linux/kernel.h>
0d094efe 29#include <linux/tracehook.h>
1da177e4
LT		 30#include <linux/errno.h>
31#include <linux/sched.h>
3c4ed7bd 32#include <linux/lsm_hooks.h>
1da177e4
LT		 33#include <linux/xattr.h>
34#include <linux/capability.h>
35#include <linux/unistd.h>
36#include <linux/mm.h>
37#include <linux/mman.h>
38#include <linux/slab.h>
39#include <linux/pagemap.h>
0b24dcb7 40#include <linux/proc_fs.h>
1da177e4 41#include <linux/swap.h>
1da177e4
LT		 42#include <linux/spinlock.h>
43#include <linux/syscalls.h>
2a7dba39 44#include <linux/dcache.h>
1da177e4 45#include <linux/file.h>
9f3acc31 46#include <linux/fdtable.h>
1da177e4
LT		 47#include <linux/namei.h>
48#include <linux/mount.h>
1da177e4
LT		 49#include <linux/netfilter_ipv4.h>
50#include <linux/netfilter_ipv6.h>
51#include <linux/tty.h>
52#include <net/icmp.h>
227b60f5 53#include <net/ip.h> /* for local_port_range[] */
1da177e4 54#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 55#include <net/inet_connection_sock.h>
220deb96 56#include <net/net_namespace.h>
d621d35e 57#include <net/netlabel.h>
f5269710 58#include <linux/uaccess.h>
1da177e4 59#include <asm/ioctls.h>
60063497 60#include <linux/atomic.h>
1da177e4
LT		 61#include <linux/bitops.h>
62#include <linux/interrupt.h>
63#include <linux/netdevice.h> /* for network interface checks */
77954983 64#include <net/netlink.h>
1da177e4
LT		 65#include <linux/tcp.h>
66#include <linux/udp.h>
2ee92d46 67#include <linux/dccp.h>
1da177e4
LT		 68#include <linux/quota.h>
69#include <linux/un.h> /* for Unix socket types */
70#include <net/af_unix.h> /* for Unix socket types */
71#include <linux/parser.h>
72#include <linux/nfs_mount.h>
73#include <net/ipv6.h>
74#include <linux/hugetlb.h>
75#include <linux/personality.h>
1da177e4 76#include <linux/audit.h>
6931dfc9 77#include <linux/string.h>
877ce7c1 78#include <linux/selinux.h>
23970741 79#include <linux/mutex.h>
f06febc9 80#include <linux/posix-timers.h>
00234592 81#include <linux/syslog.h>
3486740a 82#include <linux/user_namespace.h>
44fc7ea0 83#include <linux/export.h>
40401530
AV		 84#include <linux/msg.h>
85#include <linux/shm.h>
1da177e4
LT		 86
87#include "avc.h"
88#include "objsec.h"
89#include "netif.h"
224dfbd8 90#include "netnode.h"
3e112172 91#include "netport.h"
d28d1e08 92#include "xfrm.h"
c60475bf 93#include "netlabel.h"
9d57a7f9 94#include "audit.h"
7b98a585 95#include "avc_ss.h"
1da177e4 96
d621d35e 97/* SECMARK reference count */
56a4ca99 98static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 99
1da177e4 100#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 101int selinux_enforcing;
1da177e4
LT		 102
103static int __init enforcing_setup(char *str)
104{
f5269710 105 unsigned long enforcing;
29707b20 106 if (!kstrtoul(str, 0, &enforcing))
f5269710 107 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 108 return 1;
109}
110__setup("enforcing=", enforcing_setup);
111#endif
112
113#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116static int __init selinux_enabled_setup(char *str)
117{
f5269710 118 unsigned long enabled;
29707b20 119 if (!kstrtoul(str, 0, &enabled))
f5269710 120 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 121 return 1;
122}
123__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 124#else
125int selinux_enabled = 1;
1da177e4
LT		 126#endif
127
e18b890b 128static struct kmem_cache *sel_inode_cache;
63205654 129static struct kmem_cache *file_security_cache;
7cae7e26 130
d621d35e
PM		 131/**
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133 *
134 * Description:
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 138 * enabled, false (0) if SECMARK is disabled. If the always_check_network
139 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 140 *
141 */
142static int selinux_secmark_enabled(void)
143{
2be4d74f
CP		 144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145}
146
147/**
148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149 *
150 * Description:
151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
152 * (1) if any are enabled or false (0) if neither are enabled. If the
153 * always_check_network policy capability is enabled, peer labeling
154 * is always considered enabled.
155 *
156 */
157static int selinux_peerlbl_enabled(void)
158{
159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 160}
161
615e51fd
PM		 162static int selinux_netcache_avc_callback(u32 event)
163{
164 if (event == AVC_CALLBACK_RESET) {
165 sel_netif_flush();
166 sel_netnode_flush();
167 sel_netport_flush();
168 synchronize_net();
169 }
170 return 0;
171}
172
d84f4f99
DH		 173/*
174 * initialise the security for the init task
175 */
176static void cred_init_security(void)
1da177e4 177{
3b11a1de 178 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 179 struct task_security_struct *tsec;
180
89d155ef 181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 182 if (!tsec)
d84f4f99 183 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 184
d84f4f99 185 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 186 cred->security = tsec;
1da177e4
LT		 187}
188
88e67f3b
DH		 189/*
190 * get the security ID of a set of credentials
191 */
192static inline u32 cred_sid(const struct cred *cred)
193{
194 const struct task_security_struct *tsec;
195
196 tsec = cred->security;
197 return tsec->sid;
198}
199
275bb41e 200/*
3b11a1de 201 * get the objective security ID of a task
275bb41e
DH		 202 */
203static inline u32 task_sid(const struct task_struct *task)
204{
275bb41e
DH		 205 u32 sid;
206
207 rcu_read_lock();
88e67f3b 208 sid = cred_sid(__task_cred(task));
275bb41e
DH		 209 rcu_read_unlock();
210 return sid;
211}
212
213/*
3b11a1de 214 * get the subjective security ID of the current task
275bb41e
DH		 215 */
216static inline u32 current_sid(void)
217{
5fb49870 218 const struct task_security_struct *tsec = current_security();
275bb41e
DH		 219
220 return tsec->sid;
221}
222
88e67f3b
DH		 223/* Allocate and free functions for each kind of security blob. */
224
1da177e4
LT		 225static int inode_alloc_security(struct inode *inode)
226{
1da177e4 227 struct inode_security_struct *isec;
275bb41e 228 u32 sid = current_sid();
1da177e4 229
a02fe132 230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 231 if (!isec)
232 return -ENOMEM;
233
23970741 234 mutex_init(&isec->lock);
1da177e4 235 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 236 isec->inode = inode;
237 isec->sid = SECINITSID_UNLABELED;
238 isec->sclass = SECCLASS_FILE;
275bb41e 239 isec->task_sid = sid;
1da177e4
LT		 240 inode->i_security = isec;
241
242 return 0;
243}
244
5d226df4
AG		 245static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
246
247/*
248 * Try reloading inode security labels that have been marked as invalid. The
249 * @may_sleep parameter indicates when sleeping and thus reloading labels is
250 * allowed; when set to false, returns ERR_PTR(-ECHILD) when the label is
251 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
252 * when no dentry is available, set it to NULL instead.
253 */
254static int __inode_security_revalidate(struct inode *inode,
255 struct dentry *opt_dentry,
256 bool may_sleep)
257{
258 struct inode_security_struct *isec = inode->i_security;
259
260 might_sleep_if(may_sleep);
261
262 if (isec->initialized == LABEL_INVALID) {
263 if (!may_sleep)
264 return -ECHILD;
265
266 /*
267 * Try reloading the inode security label. This will fail if
268 * @opt_dentry is NULL and no dentry for this inode can be
269 * found; in that case, continue using the old label.
270 */
271 inode_doinit_with_dentry(inode, opt_dentry);
272 }
273 return 0;
274}
275
5d226df4
AG		 276static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
277{
278 return inode->i_security;
279}
280
281static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
282{
283 int error;
284
285 error = __inode_security_revalidate(inode, NULL, !rcu);
286 if (error)
287 return ERR_PTR(error);
288 return inode->i_security;
289}
290
83da53c5
AG		 291/*
292 * Get the security label of an inode.
293 */
294static struct inode_security_struct *inode_security(struct inode *inode)
295{
5d226df4 296 __inode_security_revalidate(inode, NULL, true);
83da53c5
AG		 297 return inode->i_security;
298}
299
300/*
301 * Get the security label of a dentry's backing inode.
302 */
303static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
304{
305 struct inode *inode = d_backing_inode(dentry);
306
5d226df4 307 __inode_security_revalidate(inode, dentry, true);
83da53c5
AG		 308 return inode->i_security;
309}
310
3dc91d43
SR		 311static void inode_free_rcu(struct rcu_head *head)
312{
313 struct inode_security_struct *isec;
314
315 isec = container_of(head, struct inode_security_struct, rcu);
316 kmem_cache_free(sel_inode_cache, isec);
317}
318
1da177e4
LT		 319static void inode_free_security(struct inode *inode)
320{
321 struct inode_security_struct *isec = inode->i_security;
322 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
323
9629d04a
WL		 324 /*
325 * As not all inode security structures are in a list, we check for
326 * empty list outside of the lock to make sure that we won't waste
327 * time taking a lock doing nothing.
328 *
329 * The list_del_init() function can be safely called more than once.
330 * It should not be possible for this function to be called with
331 * concurrent list_add(), but for better safety against future changes
332 * in the code, we use list_empty_careful() here.
333 */
334 if (!list_empty_careful(&isec->list)) {
335 spin_lock(&sbsec->isec_lock);
1da177e4 336 list_del_init(&isec->list);
9629d04a
WL		 337 spin_unlock(&sbsec->isec_lock);
338 }
1da177e4 339
3dc91d43
SR		 340 /*
341 * The inode may still be referenced in a path walk and
342 * a call to selinux_inode_permission() can be made
343 * after inode_free_security() is called. Ideally, the VFS
344 * wouldn't do this, but fixing that is a much harder
345 * job. For now, simply free the i_security via RCU, and
346 * leave the current inode->i_security pointer intact.
347 * The inode will be freed after the RCU grace period too.
348 */
349 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 350}
351
352static int file_alloc_security(struct file *file)
353{
1da177e4 354 struct file_security_struct *fsec;
275bb41e 355 u32 sid = current_sid();
1da177e4 356
63205654 357 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
1da177e4
LT		 358 if (!fsec)
359 return -ENOMEM;
360
275bb41e
DH		 361 fsec->sid = sid;
362 fsec->fown_sid = sid;
1da177e4
LT		 363 file->f_security = fsec;
364
365 return 0;
366}
367
368static void file_free_security(struct file *file)
369{
370 struct file_security_struct *fsec = file->f_security;
1da177e4 371 file->f_security = NULL;
63205654 372 kmem_cache_free(file_security_cache, fsec);
1da177e4
LT		 373}
374
375static int superblock_alloc_security(struct super_block *sb)
376{
377 struct superblock_security_struct *sbsec;
378
89d155ef 379 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 380 if (!sbsec)
381 return -ENOMEM;
382
bc7e982b 383 mutex_init(&sbsec->lock);
1da177e4
LT		 384 INIT_LIST_HEAD(&sbsec->isec_head);
385 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 386 sbsec->sb = sb;
387 sbsec->sid = SECINITSID_UNLABELED;
388 sbsec->def_sid = SECINITSID_FILE;
c312feb2 389 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 390 sb->s_security = sbsec;
391
392 return 0;
393}
394
395static void superblock_free_security(struct super_block *sb)
396{
397 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 398 sb->s_security = NULL;
399 kfree(sbsec);
400}
401
1da177e4
LT		 402/* The file system's label must be initialized prior to use. */
403
eb9ae686 404static const char *labeling_behaviors[7] = {
1da177e4
LT		 405 "uses xattr",
406 "uses transition SIDs",
407 "uses task SIDs",
408 "uses genfs_contexts",
409 "not configured for labeling",
410 "uses mountpoint labeling",
eb9ae686 411 "uses native labeling",
1da177e4
LT		 412};
413
1da177e4
LT		 414static inline int inode_doinit(struct inode *inode)
415{
416 return inode_doinit_with_dentry(inode, NULL);
417}
418
419enum {
31e87930 420 Opt_error = -1,
1da177e4
LT		 421 Opt_context = 1,
422 Opt_fscontext = 2,
c9180a57
EP		 423 Opt_defcontext = 3,
424 Opt_rootcontext = 4,
11689d47 425 Opt_labelsupport = 5,
d355987f 426 Opt_nextmntopt = 6,
1da177e4
LT		 427};
428
d355987f
EP		 429#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
430
a447c093 431static const match_table_t tokens = {
832cbd9a
EP		 432 {Opt_context, CONTEXT_STR "%s"},
433 {Opt_fscontext, FSCONTEXT_STR "%s"},
434 {Opt_defcontext, DEFCONTEXT_STR "%s"},
435 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 436 {Opt_labelsupport, LABELSUPP_STR},
31e87930 437 {Opt_error, NULL},
1da177e4
LT		 438};
439
440#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
441
c312feb2
EP		 442static int may_context_mount_sb_relabel(u32 sid,
443 struct superblock_security_struct *sbsec,
275bb41e 444 const struct cred *cred)
c312feb2 445{
275bb41e 446 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 447 int rc;
448
449 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
450 FILESYSTEM__RELABELFROM, NULL);
451 if (rc)
452 return rc;
453
454 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
455 FILESYSTEM__RELABELTO, NULL);
456 return rc;
457}
458
0808925e
EP		 459static int may_context_mount_inode_relabel(u32 sid,
460 struct superblock_security_struct *sbsec,
275bb41e 461 const struct cred *cred)
0808925e 462{
275bb41e 463 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 464 int rc;
465 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
466 FILESYSTEM__RELABELFROM, NULL);
467 if (rc)
468 return rc;
469
470 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
471 FILESYSTEM__ASSOCIATE, NULL);
472 return rc;
473}
474
b43e725d
EP		 475static int selinux_is_sblabel_mnt(struct super_block *sb)
476{
477 struct superblock_security_struct *sbsec = sb->s_security;
478
d5f3a5f6
MS		 479 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
480 sbsec->behavior == SECURITY_FS_USE_TRANS ||
481 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 482 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 483 /* Special handling. Genfs but also in-core setxattr handler */
484 !strcmp(sb->s_type->name, "sysfs") ||
485 !strcmp(sb->s_type->name, "pstore") ||
486 !strcmp(sb->s_type->name, "debugfs") ||
487 !strcmp(sb->s_type->name, "rootfs");
b43e725d
EP		 488}
489
c9180a57 490static int sb_finish_set_opts(struct super_block *sb)
1da177e4 491{
1da177e4 492 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 493 struct dentry *root = sb->s_root;
c6f493d6 494 struct inode *root_inode = d_backing_inode(root);
c9180a57 495 int rc = 0;
1da177e4 496
c9180a57
EP		 497 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
498 /* Make sure that the xattr handler exists and that no
499 error other than -ENODATA is returned by getxattr on
500 the root directory. -ENODATA is ok, as this may be
501 the first boot of the SELinux kernel before we have
502 assigned xattr values to the filesystem. */
503 if (!root_inode->i_op->getxattr) {
29b1deb2
LT		 504 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
505 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 506 rc = -EOPNOTSUPP;
507 goto out;
508 }
509 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
510 if (rc < 0 && rc != -ENODATA) {
511 if (rc == -EOPNOTSUPP)
512 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 513 "%s) has no security xattr handler\n",
514 sb->s_id, sb->s_type->name);
c9180a57
EP		 515 else
516 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 517 "%s) getxattr errno %d\n", sb->s_id,
518 sb->s_type->name, -rc);
c9180a57
EP		 519 goto out;
520 }
521 }
1da177e4 522
c9180a57 523 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
29b1deb2
LT		 524 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
525 sb->s_id, sb->s_type->name);
1da177e4 526
eadcabc6 527 sbsec->flags |= SE_SBINITIALIZED;
b43e725d 528 if (selinux_is_sblabel_mnt(sb))
12f348b9 529 sbsec->flags |= SBLABEL_MNT;
ddd29ec6 530
c9180a57
EP		 531 /* Initialize the root inode. */
532 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 533
c9180a57
EP		 534 /* Initialize any other inodes associated with the superblock, e.g.
535 inodes created prior to initial policy load or inodes created
536 during get_sb by a pseudo filesystem that directly
537 populates itself. */
538 spin_lock(&sbsec->isec_lock);
539next_inode:
540 if (!list_empty(&sbsec->isec_head)) {
541 struct inode_security_struct *isec =
542 list_entry(sbsec->isec_head.next,
543 struct inode_security_struct, list);
544 struct inode *inode = isec->inode;
923190d3 545 list_del_init(&isec->list);
c9180a57
EP		 546 spin_unlock(&sbsec->isec_lock);
547 inode = igrab(inode);
548 if (inode) {
549 if (!IS_PRIVATE(inode))
550 inode_doinit(inode);
551 iput(inode);
552 }
553 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 554 goto next_inode;
555 }
556 spin_unlock(&sbsec->isec_lock);
557out:
558 return rc;
559}
1da177e4 560
c9180a57
EP		 561/*
562 * This function should allow an FS to ask what it's mount security
563 * options were so it can use those later for submounts, displaying
564 * mount options, or whatever.
565 */
566static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 567 struct security_mnt_opts *opts)
c9180a57
EP		 568{
569 int rc = 0, i;
570 struct superblock_security_struct *sbsec = sb->s_security;
571 char *context = NULL;
572 u32 len;
573 char tmp;
1da177e4 574
e0007529 575 security_init_mnt_opts(opts);
1da177e4 576
0d90a7ec 577 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 578 return -EINVAL;
1da177e4 579
c9180a57
EP		 580 if (!ss_initialized)
581 return -EINVAL;
1da177e4 582
af8e50cc
EP		 583 /* make sure we always check enough bits to cover the mask */
584 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
585
0d90a7ec 586 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 587 /* count the number of mount options for this sb */
af8e50cc 588 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 589 if (tmp & 0x01)
e0007529 590 opts->num_mnt_opts++;
c9180a57
EP		 591 tmp >>= 1;
592 }
11689d47 593 /* Check if the Label support flag is set */
0b4bdb35 594 if (sbsec->flags & SBLABEL_MNT)
11689d47 595 opts->num_mnt_opts++;
1da177e4 596
e0007529
EP		 597 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
598 if (!opts->mnt_opts) {
c9180a57
EP		 599 rc = -ENOMEM;
600 goto out_free;
601 }
1da177e4 602
e0007529
EP		 603 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
604 if (!opts->mnt_opts_flags) {
c9180a57
EP		 605 rc = -ENOMEM;
606 goto out_free;
607 }
1da177e4 608
c9180a57
EP		 609 i = 0;
610 if (sbsec->flags & FSCONTEXT_MNT) {
611 rc = security_sid_to_context(sbsec->sid, &context, &len);
612 if (rc)
613 goto out_free;
e0007529
EP		 614 opts->mnt_opts[i] = context;
615 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 616 }
617 if (sbsec->flags & CONTEXT_MNT) {
618 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
619 if (rc)
620 goto out_free;
e0007529
EP		 621 opts->mnt_opts[i] = context;
622 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 623 }
624 if (sbsec->flags & DEFCONTEXT_MNT) {
625 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
626 if (rc)
627 goto out_free;
e0007529
EP		 628 opts->mnt_opts[i] = context;
629 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 630 }
631 if (sbsec->flags & ROOTCONTEXT_MNT) {
83da53c5
AG		 632 struct dentry *root = sbsec->sb->s_root;
633 struct inode_security_struct *isec = backing_inode_security(root);
0808925e 634
c9180a57
EP		 635 rc = security_sid_to_context(isec->sid, &context, &len);
636 if (rc)
637 goto out_free;
e0007529
EP		 638 opts->mnt_opts[i] = context;
639 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 640 }
12f348b9 641 if (sbsec->flags & SBLABEL_MNT) {
11689d47 642 opts->mnt_opts[i] = NULL;
12f348b9 643 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 644 }
1da177e4 645
e0007529 646 BUG_ON(i != opts->num_mnt_opts);
1da177e4 647
c9180a57
EP		 648 return 0;
649
650out_free:
e0007529 651 security_free_mnt_opts(opts);
c9180a57
EP		 652 return rc;
653}
1da177e4 654
c9180a57
EP		 655static int bad_option(struct superblock_security_struct *sbsec, char flag,
656 u32 old_sid, u32 new_sid)
657{
0d90a7ec
DQ		 658 char mnt_flags = sbsec->flags & SE_MNTMASK;
659
c9180a57 660 /* check if the old mount command had the same options */
0d90a7ec 661 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 662 if (!(sbsec->flags & flag) ||
663 (old_sid != new_sid))
664 return 1;
665
666 /* check if we were passed the same options twice,
667 * aka someone passed context=a,context=b
668 */
0d90a7ec
DQ		 669 if (!(sbsec->flags & SE_SBINITIALIZED))
670 if (mnt_flags & flag)
c9180a57
EP		 671 return 1;
672 return 0;
673}
e0007529 674
c9180a57
EP		 675/*
676 * Allow filesystems with binary mount data to explicitly set mount point
677 * labeling information.
678 */
e0007529 679static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 680 struct security_mnt_opts *opts,
681 unsigned long kern_flags,
682 unsigned long *set_kern_flags)
c9180a57 683{
275bb41e 684 const struct cred *cred = current_cred();
c9180a57 685 int rc = 0, i;
c9180a57 686 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 687 const char *name = sb->s_type->name;
83da53c5
AG		 688 struct dentry *root = sbsec->sb->s_root;
689 struct inode_security_struct *root_isec = backing_inode_security(root);
c9180a57
EP		 690 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
691 u32 defcontext_sid = 0;
e0007529
EP		 692 char **mount_options = opts->mnt_opts;
693 int *flags = opts->mnt_opts_flags;
694 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 695
696 mutex_lock(&sbsec->lock);
697
698 if (!ss_initialized) {
699 if (!num_opts) {
700 /* Defer initialization until selinux_complete_init,
701 after the initial policy is loaded and the security
702 server is ready to handle calls. */
c9180a57
EP		 703 goto out;
704 }
705 rc = -EINVAL;
744ba35e
EP		 706 printk(KERN_WARNING "SELinux: Unable to set superblock options "
707 "before the security server is initialized\n");
1da177e4 708 goto out;
c9180a57 709 }
649f6e77
DQ		 710 if (kern_flags && !set_kern_flags) {
711 /* Specifying internal flags without providing a place to
712 * place the results is not allowed */
713 rc = -EINVAL;
714 goto out;
715 }
1da177e4 716
e0007529
EP		 717 /*
718 * Binary mount data FS will come through this function twice. Once
719 * from an explicit call and once from the generic calls from the vfs.
720 * Since the generic VFS calls will not contain any security mount data
721 * we need to skip the double mount verification.
722 *
723 * This does open a hole in which we will not notice if the first
724 * mount using this sb set explict options and a second mount using
725 * this sb does not set any security options. (The first options
726 * will be used for both mounts)
727 */
0d90a7ec 728 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 729 && (num_opts == 0))
f5269710 730 goto out;
e0007529 731
c9180a57
EP		 732 /*
733 * parse the mount options, check if they are valid sids.
734 * also check if someone is trying to mount the same sb more
735 * than once with different security options.
736 */
737 for (i = 0; i < num_opts; i++) {
738 u32 sid;
11689d47 739
12f348b9 740 if (flags[i] == SBLABEL_MNT)
11689d47 741 continue;
44be2f65 742 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
1da177e4 743 if (rc) {
44be2f65 744 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 745 "(%s) failed for (dev %s, type %s) errno=%d\n",
746 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 747 goto out;
748 }
749 switch (flags[i]) {
750 case FSCONTEXT_MNT:
751 fscontext_sid = sid;
752
753 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
754 fscontext_sid))
755 goto out_double_mount;
756
757 sbsec->flags |= FSCONTEXT_MNT;
758 break;
759 case CONTEXT_MNT:
760 context_sid = sid;
761
762 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
763 context_sid))
764 goto out_double_mount;
765
766 sbsec->flags |= CONTEXT_MNT;
767 break;
768 case ROOTCONTEXT_MNT:
769 rootcontext_sid = sid;
770
771 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
772 rootcontext_sid))
773 goto out_double_mount;
774
775 sbsec->flags |= ROOTCONTEXT_MNT;
776
777 break;
778 case DEFCONTEXT_MNT:
779 defcontext_sid = sid;
780
781 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
782 defcontext_sid))
783 goto out_double_mount;
784
785 sbsec->flags |= DEFCONTEXT_MNT;
786
787 break;
788 default:
789 rc = -EINVAL;
790 goto out;
1da177e4 791 }
c9180a57
EP		 792 }
793
0d90a7ec 794 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 795 /* previously mounted with options, but not on this attempt? */
0d90a7ec 796 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 797 goto out_double_mount;
798 rc = 0;
799 goto out;
800 }
801
089be43e 802 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 803 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
804
8e014720
SS		 805 if (!strcmp(sb->s_type->name, "debugfs") ||
806 !strcmp(sb->s_type->name, "sysfs") ||
807 !strcmp(sb->s_type->name, "pstore"))
134509d5 808 sbsec->flags |= SE_SBGENFS;
c9180a57 809
eb9ae686
DQ		 810 if (!sbsec->behavior) {
811 /*
812 * Determine the labeling behavior to use for this
813 * filesystem type.
814 */
98f700f3 815 rc = security_fs_use(sb);
eb9ae686
DQ		 816 if (rc) {
817 printk(KERN_WARNING
818 "%s: security_fs_use(%s) returned %d\n",
819 __func__, sb->s_type->name, rc);
820 goto out;
821 }
c9180a57 822 }
c9180a57
EP		 823 /* sets the context of the superblock for the fs being mounted. */
824 if (fscontext_sid) {
275bb41e 825 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 826 if (rc)
c9180a57 827 goto out;
1da177e4 828
c9180a57 829 sbsec->sid = fscontext_sid;
c312feb2
EP		 830 }
831
832 /*
833 * Switch to using mount point labeling behavior.
834 * sets the label used on all file below the mountpoint, and will set
835 * the superblock context if not already set.
836 */
eb9ae686
DQ		 837 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
838 sbsec->behavior = SECURITY_FS_USE_NATIVE;
839 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
840 }
841
c9180a57
EP		 842 if (context_sid) {
843 if (!fscontext_sid) {
275bb41e
DH		 844 rc = may_context_mount_sb_relabel(context_sid, sbsec,
845 cred);
b04ea3ce 846 if (rc)
c9180a57
EP		 847 goto out;
848 sbsec->sid = context_sid;
b04ea3ce 849 } else {
275bb41e
DH		 850 rc = may_context_mount_inode_relabel(context_sid, sbsec,
851 cred);
b04ea3ce 852 if (rc)
c9180a57 853 goto out;
b04ea3ce 854 }
c9180a57
EP		 855 if (!rootcontext_sid)
856 rootcontext_sid = context_sid;
1da177e4 857
c9180a57 858 sbsec->mntpoint_sid = context_sid;
c312feb2 859 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 860 }
861
c9180a57 862 if (rootcontext_sid) {
275bb41e
DH		 863 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
864 cred);
0808925e 865 if (rc)
c9180a57 866 goto out;
0808925e 867
c9180a57 868 root_isec->sid = rootcontext_sid;
6f3be9f5 869 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 870 }
871
c9180a57 872 if (defcontext_sid) {
eb9ae686
DQ		 873 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
874 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 875 rc = -EINVAL;
876 printk(KERN_WARNING "SELinux: defcontext option is "
877 "invalid for this filesystem type\n");
878 goto out;
1da177e4
LT		 879 }
880
c9180a57
EP		 881 if (defcontext_sid != sbsec->def_sid) {
882 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 883 sbsec, cred);
c9180a57
EP		 884 if (rc)
885 goto out;
886 }
1da177e4 887
c9180a57 888 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 889 }
890
c9180a57 891 rc = sb_finish_set_opts(sb);
1da177e4 892out:
c9180a57 893 mutex_unlock(&sbsec->lock);
1da177e4 894 return rc;
c9180a57
EP		 895out_double_mount:
896 rc = -EINVAL;
897 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 898 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 899 goto out;
1da177e4
LT		 900}
901
094f7b69
JL		 902static int selinux_cmp_sb_context(const struct super_block *oldsb,
903 const struct super_block *newsb)
904{
905 struct superblock_security_struct *old = oldsb->s_security;
906 struct superblock_security_struct *new = newsb->s_security;
907 char oldflags = old->flags & SE_MNTMASK;
908 char newflags = new->flags & SE_MNTMASK;
909
910 if (oldflags != newflags)
911 goto mismatch;
912 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
913 goto mismatch;
914 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
915 goto mismatch;
916 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
917 goto mismatch;
918 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 919 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
920 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 921 if (oldroot->sid != newroot->sid)
922 goto mismatch;
923 }
924 return 0;
925mismatch:
926 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
927 "different security settings for (dev %s, "
928 "type %s)\n", newsb->s_id, newsb->s_type->name);
929 return -EBUSY;
930}
931
932static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
c9180a57 933 struct super_block *newsb)
1da177e4 934{
c9180a57
EP		 935 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
936 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 937
c9180a57
EP		 938 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
939 int set_context = (oldsbsec->flags & CONTEXT_MNT);
940 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 941
0f5e6420
EP		 942 /*
943 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 944 * mount options. thus we can safely deal with this superblock later
0f5e6420 945 */
e8c26255 946 if (!ss_initialized)
094f7b69 947 return 0;
c9180a57 948
c9180a57 949 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 950 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 951
094f7b69 952 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 953 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 954 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 955
c9180a57
EP		 956 mutex_lock(&newsbsec->lock);
957
958 newsbsec->flags = oldsbsec->flags;
959
960 newsbsec->sid = oldsbsec->sid;
961 newsbsec->def_sid = oldsbsec->def_sid;
962 newsbsec->behavior = oldsbsec->behavior;
963
964 if (set_context) {
965 u32 sid = oldsbsec->mntpoint_sid;
966
967 if (!set_fscontext)
968 newsbsec->sid = sid;
969 if (!set_rootcontext) {
83da53c5 970 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 971 newisec->sid = sid;
972 }
973 newsbsec->mntpoint_sid = sid;
1da177e4 974 }
c9180a57 975 if (set_rootcontext) {
83da53c5
AG		 976 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
977 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 978
c9180a57 979 newisec->sid = oldisec->sid;
1da177e4
LT		 980 }
981
c9180a57
EP		 982 sb_finish_set_opts(newsb);
983 mutex_unlock(&newsbsec->lock);
094f7b69 984 return 0;
c9180a57
EP		 985}
986
2e1479d9
AB		 987static int selinux_parse_opts_str(char *options,
988 struct security_mnt_opts *opts)
c9180a57 989{
e0007529 990 char *p;
c9180a57
EP		 991 char *context = NULL, *defcontext = NULL;
992 char *fscontext = NULL, *rootcontext = NULL;
e0007529 993 int rc, num_mnt_opts = 0;
1da177e4 994
e0007529 995 opts->num_mnt_opts = 0;
1da177e4 996
c9180a57
EP		 997 /* Standard string-based options. */
998 while ((p = strsep(&options, "|")) != NULL) {
999 int token;
1000 substring_t args[MAX_OPT_ARGS];
1da177e4 1001
c9180a57
EP		 1002 if (!*p)
1003 continue;
1da177e4 1004
c9180a57 1005 token = match_token(p, tokens, args);
1da177e4 1006
c9180a57
EP		 1007 switch (token) {
1008 case Opt_context:
1009 if (context || defcontext) {
1010 rc = -EINVAL;
1011 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1012 goto out_err;
1013 }
1014 context = match_strdup(&args[0]);
1015 if (!context) {
1016 rc = -ENOMEM;
1017 goto out_err;
1018 }
1019 break;
1020
1021 case Opt_fscontext:
1022 if (fscontext) {
1023 rc = -EINVAL;
1024 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1025 goto out_err;
1026 }
1027 fscontext = match_strdup(&args[0]);
1028 if (!fscontext) {
1029 rc = -ENOMEM;
1030 goto out_err;
1031 }
1032 break;
1033
1034 case Opt_rootcontext:
1035 if (rootcontext) {
1036 rc = -EINVAL;
1037 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1038 goto out_err;
1039 }
1040 rootcontext = match_strdup(&args[0]);
1041 if (!rootcontext) {
1042 rc = -ENOMEM;
1043 goto out_err;
1044 }
1045 break;
1046
1047 case Opt_defcontext:
1048 if (context || defcontext) {
1049 rc = -EINVAL;
1050 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1051 goto out_err;
1052 }
1053 defcontext = match_strdup(&args[0]);
1054 if (!defcontext) {
1055 rc = -ENOMEM;
1056 goto out_err;
1057 }
1058 break;
11689d47
DQ		 1059 case Opt_labelsupport:
1060 break;
c9180a57
EP		 1061 default:
1062 rc = -EINVAL;
1063 printk(KERN_WARNING "SELinux: unknown mount option\n");
1064 goto out_err;
1da177e4 1065
1da177e4 1066 }
1da177e4 1067 }
c9180a57 1068
e0007529
EP		 1069 rc = -ENOMEM;
1070 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1071 if (!opts->mnt_opts)
1072 goto out_err;
1073
1074 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1075 if (!opts->mnt_opts_flags) {
1076 kfree(opts->mnt_opts);
1077 goto out_err;
1078 }
1079
c9180a57 1080 if (fscontext) {
e0007529
EP		 1081 opts->mnt_opts[num_mnt_opts] = fscontext;
1082 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1083 }
1084 if (context) {
e0007529
EP		 1085 opts->mnt_opts[num_mnt_opts] = context;
1086 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1087 }
1088 if (rootcontext) {
e0007529
EP		 1089 opts->mnt_opts[num_mnt_opts] = rootcontext;
1090 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1091 }
1092 if (defcontext) {
e0007529
EP		 1093 opts->mnt_opts[num_mnt_opts] = defcontext;
1094 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1095 }
1096
e0007529
EP		 1097 opts->num_mnt_opts = num_mnt_opts;
1098 return 0;
1099
c9180a57
EP		 1100out_err:
1101 kfree(context);
1102 kfree(defcontext);
1103 kfree(fscontext);
1104 kfree(rootcontext);
1da177e4
LT		 1105 return rc;
1106}
e0007529
EP		 1107/*
1108 * string mount options parsing and call set the sbsec
1109 */
1110static int superblock_doinit(struct super_block *sb, void *data)
1111{
1112 int rc = 0;
1113 char *options = data;
1114 struct security_mnt_opts opts;
1115
1116 security_init_mnt_opts(&opts);
1117
1118 if (!data)
1119 goto out;
1120
1121 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1122
1123 rc = selinux_parse_opts_str(options, &opts);
1124 if (rc)
1125 goto out_err;
1126
1127out:
649f6e77 1128 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1129
1130out_err:
1131 security_free_mnt_opts(&opts);
1132 return rc;
1133}
1da177e4 1134
3583a711
AB		 1135static void selinux_write_opts(struct seq_file *m,
1136 struct security_mnt_opts *opts)
2069f457
EP		 1137{
1138 int i;
1139 char *prefix;
1140
1141 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1142 char *has_comma;
1143
1144 if (opts->mnt_opts[i])
1145 has_comma = strchr(opts->mnt_opts[i], ',');
1146 else
1147 has_comma = NULL;
2069f457
EP		 1148
1149 switch (opts->mnt_opts_flags[i]) {
1150 case CONTEXT_MNT:
1151 prefix = CONTEXT_STR;
1152 break;
1153 case FSCONTEXT_MNT:
1154 prefix = FSCONTEXT_STR;
1155 break;
1156 case ROOTCONTEXT_MNT:
1157 prefix = ROOTCONTEXT_STR;
1158 break;
1159 case DEFCONTEXT_MNT:
1160 prefix = DEFCONTEXT_STR;
1161 break;
12f348b9 1162 case SBLABEL_MNT:
11689d47
DQ		 1163 seq_putc(m, ',');
1164 seq_puts(m, LABELSUPP_STR);
1165 continue;
2069f457
EP		 1166 default:
1167 BUG();
a35c6c83 1168 return;
2069f457
EP		 1169 };
1170 /* we need a comma before each option */
1171 seq_putc(m, ',');
1172 seq_puts(m, prefix);
1173 if (has_comma)
1174 seq_putc(m, '\"');
a068acf2 1175 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
2069f457
EP		 1176 if (has_comma)
1177 seq_putc(m, '\"');
1178 }
1179}
1180
1181static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1182{
1183 struct security_mnt_opts opts;
1184 int rc;
1185
1186 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1187 if (rc) {
1188 /* before policy load we may get EINVAL, don't show anything */
1189 if (rc == -EINVAL)
1190 rc = 0;
2069f457 1191 return rc;
383795c2 1192 }
2069f457
EP		 1193
1194 selinux_write_opts(m, &opts);
1195
1196 security_free_mnt_opts(&opts);
1197
1198 return rc;
1199}
1200
1da177e4
LT		 1201static inline u16 inode_mode_to_security_class(umode_t mode)
1202{
1203 switch (mode & S_IFMT) {
1204 case S_IFSOCK:
1205 return SECCLASS_SOCK_FILE;
1206 case S_IFLNK:
1207 return SECCLASS_LNK_FILE;
1208 case S_IFREG:
1209 return SECCLASS_FILE;
1210 case S_IFBLK:
1211 return SECCLASS_BLK_FILE;
1212 case S_IFDIR:
1213 return SECCLASS_DIR;
1214 case S_IFCHR:
1215 return SECCLASS_CHR_FILE;
1216 case S_IFIFO:
1217 return SECCLASS_FIFO_FILE;
1218
1219 }
1220
1221 return SECCLASS_FILE;
1222}
1223
13402580
JM		 1224static inline int default_protocol_stream(int protocol)
1225{
1226 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1227}
1228
1229static inline int default_protocol_dgram(int protocol)
1230{
1231 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1232}
1233
1da177e4
LT		 1234static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1235{
1236 switch (family) {
1237 case PF_UNIX:
1238 switch (type) {
1239 case SOCK_STREAM:
1240 case SOCK_SEQPACKET:
1241 return SECCLASS_UNIX_STREAM_SOCKET;
1242 case SOCK_DGRAM:
1243 return SECCLASS_UNIX_DGRAM_SOCKET;
1244 }
1245 break;
1246 case PF_INET:
1247 case PF_INET6:
1248 switch (type) {
1249 case SOCK_STREAM:
13402580
JM		 1250 if (default_protocol_stream(protocol))
1251 return SECCLASS_TCP_SOCKET;
1252 else
1253 return SECCLASS_RAWIP_SOCKET;
1da177e4 1254 case SOCK_DGRAM:
13402580
JM		 1255 if (default_protocol_dgram(protocol))
1256 return SECCLASS_UDP_SOCKET;
1257 else
1258 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1259 case SOCK_DCCP:
1260 return SECCLASS_DCCP_SOCKET;
13402580 1261 default:
1da177e4
LT		 1262 return SECCLASS_RAWIP_SOCKET;
1263 }
1264 break;
1265 case PF_NETLINK:
1266 switch (protocol) {
1267 case NETLINK_ROUTE:
1268 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1269 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1270 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1271 case NETLINK_NFLOG:
1272 return SECCLASS_NETLINK_NFLOG_SOCKET;
1273 case NETLINK_XFRM:
1274 return SECCLASS_NETLINK_XFRM_SOCKET;
1275 case NETLINK_SELINUX:
1276 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1277 case NETLINK_ISCSI:
1278 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1279 case NETLINK_AUDIT:
1280 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1281 case NETLINK_FIB_LOOKUP:
1282 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1283 case NETLINK_CONNECTOR:
1284 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1285 case NETLINK_NETFILTER:
1286 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1287 case NETLINK_DNRTMSG:
1288 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1289 case NETLINK_KOBJECT_UEVENT:
1290 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1291 case NETLINK_GENERIC:
1292 return SECCLASS_NETLINK_GENERIC_SOCKET;
1293 case NETLINK_SCSITRANSPORT:
1294 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1295 case NETLINK_RDMA:
1296 return SECCLASS_NETLINK_RDMA_SOCKET;
1297 case NETLINK_CRYPTO:
1298 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1299 default:
1300 return SECCLASS_NETLINK_SOCKET;
1301 }
1302 case PF_PACKET:
1303 return SECCLASS_PACKET_SOCKET;
1304 case PF_KEY:
1305 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1306 case PF_APPLETALK:
1307 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1308 }
1309
1310 return SECCLASS_SOCKET;
1311}
1312
134509d5
SS		 1313static int selinux_genfs_get_sid(struct dentry *dentry,
1314 u16 tclass,
1315 u16 flags,
1316 u32 *sid)
1da177e4 1317{
8e6c9693 1318 int rc;
134509d5 1319 struct super_block *sb = dentry->d_inode->i_sb;
8e6c9693 1320 char *buffer, *path;
1da177e4 1321
828dfe1d 1322 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1323 if (!buffer)
1324 return -ENOMEM;
1325
8e6c9693
LAG		 1326 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1327 if (IS_ERR(path))
1328 rc = PTR_ERR(path);
1329 else {
134509d5
SS		 1330 if (flags & SE_SBPROC) {
1331 /* each process gets a /proc/PID/ entry. Strip off the
1332 * PID part to get a valid selinux labeling.
1333 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1334 while (path[1] >= '0' && path[1] <= '9') {
1335 path[1] = '/';
1336 path++;
1337 }
8e6c9693 1338 }
134509d5 1339 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1da177e4 1340 }
1da177e4
LT		 1341 free_page((unsigned long)buffer);
1342 return rc;
1343}
1da177e4
LT		 1344
1345/* The inode's security attributes must be initialized before first use. */
1346static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1347{
1348 struct superblock_security_struct *sbsec = NULL;
1349 struct inode_security_struct *isec = inode->i_security;
1350 u32 sid;
1351 struct dentry *dentry;
1352#define INITCONTEXTLEN 255
1353 char *context = NULL;
1354 unsigned len = 0;
1355 int rc = 0;
1da177e4 1356
6f3be9f5 1357 if (isec->initialized == LABEL_INITIALIZED)
1da177e4
LT		 1358 goto out;
1359
23970741 1360 mutex_lock(&isec->lock);
6f3be9f5 1361 if (isec->initialized == LABEL_INITIALIZED)
23970741 1362 goto out_unlock;
1da177e4
LT		 1363
1364 sbsec = inode->i_sb->s_security;
0d90a7ec 1365 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1366 /* Defer initialization until selinux_complete_init,
1367 after the initial policy is loaded and the security
1368 server is ready to handle calls. */
1369 spin_lock(&sbsec->isec_lock);
1370 if (list_empty(&isec->list))
1371 list_add(&isec->list, &sbsec->isec_head);
1372 spin_unlock(&sbsec->isec_lock);
23970741 1373 goto out_unlock;
1da177e4
LT		 1374 }
1375
1376 switch (sbsec->behavior) {
eb9ae686
DQ		 1377 case SECURITY_FS_USE_NATIVE:
1378 break;
1da177e4
LT		 1379 case SECURITY_FS_USE_XATTR:
1380 if (!inode->i_op->getxattr) {
1381 isec->sid = sbsec->def_sid;
1382 break;
1383 }
1384
1385 /* Need a dentry, since the xattr API requires one.
1386 Life would be simpler if we could just pass the inode. */
1387 if (opt_dentry) {
1388 /* Called from d_instantiate or d_splice_alias. */
1389 dentry = dget(opt_dentry);
1390 } else {
1391 /* Called from selinux_complete_init, try to find a dentry. */
1392 dentry = d_find_alias(inode);
1393 }
1394 if (!dentry) {
df7f54c0
EP		 1395 /*
1396 * this is can be hit on boot when a file is accessed
1397 * before the policy is loaded. When we load policy we
1398 * may find inodes that have no dentry on the
1399 * sbsec->isec_head list. No reason to complain as these
1400 * will get fixed up the next time we go through
1401 * inode_doinit with a dentry, before these inodes could
1402 * be used again by userspace.
1403 */
23970741 1404 goto out_unlock;
1da177e4
LT		 1405 }
1406
1407 len = INITCONTEXTLEN;
4cb912f1 1408 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1409 if (!context) {
1410 rc = -ENOMEM;
1411 dput(dentry);
23970741 1412 goto out_unlock;
1da177e4 1413 }
4cb912f1 1414 context[len] = '\0';
1da177e4
LT		 1415 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1416 context, len);
1417 if (rc == -ERANGE) {
314dabb8
JM		 1418 kfree(context);
1419
1da177e4
LT		 1420 /* Need a larger buffer. Query for the right size. */
1421 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1422 NULL, 0);
1423 if (rc < 0) {
1424 dput(dentry);
23970741 1425 goto out_unlock;
1da177e4 1426 }
1da177e4 1427 len = rc;
4cb912f1 1428 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1429 if (!context) {
1430 rc = -ENOMEM;
1431 dput(dentry);
23970741 1432 goto out_unlock;
1da177e4 1433 }
4cb912f1 1434 context[len] = '\0';
1da177e4
LT		 1435 rc = inode->i_op->getxattr(dentry,
1436 XATTR_NAME_SELINUX,
1437 context, len);
1438 }
1439 dput(dentry);
1440 if (rc < 0) {
1441 if (rc != -ENODATA) {
744ba35e 1442 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1443 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1444 -rc, inode->i_sb->s_id, inode->i_ino);
1445 kfree(context);
23970741 1446 goto out_unlock;
1da177e4
LT		 1447 }
1448 /* Map ENODATA to the default file SID */
1449 sid = sbsec->def_sid;
1450 rc = 0;
1451 } else {
f5c1d5b2 1452 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1453 sbsec->def_sid,
1454 GFP_NOFS);
1da177e4 1455 if (rc) {
4ba0a8ad
EP		 1456 char *dev = inode->i_sb->s_id;
1457 unsigned long ino = inode->i_ino;
1458
1459 if (rc == -EINVAL) {
1460 if (printk_ratelimit())
1461 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1462 "context=%s. This indicates you may need to relabel the inode or the "
1463 "filesystem in question.\n", ino, dev, context);
1464 } else {
1465 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1466 "returned %d for dev=%s ino=%ld\n",
1467 __func__, context, -rc, dev, ino);
1468 }
1da177e4
LT		 1469 kfree(context);
1470 /* Leave with the unlabeled SID */
1471 rc = 0;
1472 break;
1473 }
1474 }
1475 kfree(context);
1476 isec->sid = sid;
1477 break;
1478 case SECURITY_FS_USE_TASK:
1479 isec->sid = isec->task_sid;
1480 break;
1481 case SECURITY_FS_USE_TRANS:
1482 /* Default to the fs SID. */
1483 isec->sid = sbsec->sid;
1484
1485 /* Try to obtain a transition SID. */
1486 isec->sclass = inode_mode_to_security_class(inode->i_mode);
652bb9b0
EP		 1487 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1488 isec->sclass, NULL, &sid);
1da177e4 1489 if (rc)
23970741 1490 goto out_unlock;
1da177e4
LT		 1491 isec->sid = sid;
1492 break;
c312feb2
EP		 1493 case SECURITY_FS_USE_MNTPOINT:
1494 isec->sid = sbsec->mntpoint_sid;
1495 break;
1da177e4 1496 default:
c312feb2 1497 /* Default to the fs superblock SID. */
1da177e4
LT		 1498 isec->sid = sbsec->sid;
1499
134509d5 1500 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1501 /* We must have a dentry to determine the label on
1502 * procfs inodes */
1503 if (opt_dentry)
1504 /* Called from d_instantiate or
1505 * d_splice_alias. */
1506 dentry = dget(opt_dentry);
1507 else
1508 /* Called from selinux_complete_init, try to
1509 * find a dentry. */
1510 dentry = d_find_alias(inode);
1511 /*
1512 * This can be hit on boot when a file is accessed
1513 * before the policy is loaded. When we load policy we
1514 * may find inodes that have no dentry on the
1515 * sbsec->isec_head list. No reason to complain as
1516 * these will get fixed up the next time we go through
1517 * inode_doinit() with a dentry, before these inodes
1518 * could be used again by userspace.
1519 */
1520 if (!dentry)
1521 goto out_unlock;
1522 isec->sclass = inode_mode_to_security_class(inode->i_mode);
134509d5
SS		 1523 rc = selinux_genfs_get_sid(dentry, isec->sclass,
1524 sbsec->flags, &sid);
f64410ec
PM		 1525 dput(dentry);
1526 if (rc)
1527 goto out_unlock;
1528 isec->sid = sid;
1da177e4
LT		 1529 }
1530 break;
1531 }
1532
6f3be9f5 1533 isec->initialized = LABEL_INITIALIZED;
1da177e4 1534
23970741
EP		 1535out_unlock:
1536 mutex_unlock(&isec->lock);
1da177e4
LT		 1537out:
1538 if (isec->sclass == SECCLASS_FILE)
1539 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1540 return rc;
1541}
1542
1543/* Convert a Linux signal to an access vector. */
1544static inline u32 signal_to_av(int sig)
1545{
1546 u32 perm = 0;
1547
1548 switch (sig) {
1549 case SIGCHLD:
1550 /* Commonly granted from child to parent. */
1551 perm = PROCESS__SIGCHLD;
1552 break;
1553 case SIGKILL:
1554 /* Cannot be caught or ignored */
1555 perm = PROCESS__SIGKILL;
1556 break;
1557 case SIGSTOP:
1558 /* Cannot be caught or ignored */
1559 perm = PROCESS__SIGSTOP;
1560 break;
1561 default:
1562 /* All other signals. */
1563 perm = PROCESS__SIGNAL;
1564 break;
1565 }
1566
1567 return perm;
1568}
1569
d84f4f99
DH		 1570/*
1571 * Check permission between a pair of credentials
1572 * fork check, ptrace check, etc.
1573 */
1574static int cred_has_perm(const struct cred *actor,
1575 const struct cred *target,
1576 u32 perms)
1577{
1578 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1579
1580 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1581}
1582
275bb41e 1583/*
88e67f3b 1584 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1585 * fork check, ptrace check, etc.
1586 * tsk1 is the actor and tsk2 is the target
3b11a1de 1587 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1588 */
1589static int task_has_perm(const struct task_struct *tsk1,
1590 const struct task_struct *tsk2,
1da177e4
LT		 1591 u32 perms)
1592{
275bb41e
DH		 1593 const struct task_security_struct *__tsec1, *__tsec2;
1594 u32 sid1, sid2;
1da177e4 1595
275bb41e
DH		 1596 rcu_read_lock();
1597 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1598 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1599 rcu_read_unlock();
1600 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1601}
1602
3b11a1de
DH		 1603/*
1604 * Check permission between current and another task, e.g. signal checks,
1605 * fork check, ptrace check, etc.
1606 * current is the actor and tsk2 is the target
1607 * - this uses current's subjective creds
1608 */
1609static int current_has_perm(const struct task_struct *tsk,
1610 u32 perms)
1611{
1612 u32 sid, tsid;
1613
1614 sid = current_sid();
1615 tsid = task_sid(tsk);
1616 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1617}
1618
b68e418c
SS		 1619#if CAP_LAST_CAP > 63
1620#error Fix SELinux to handle capabilities > 63.
1621#endif
1622
1da177e4 1623/* Check whether a task is allowed to use a capability. */
6a9de491 1624static int cred_has_capability(const struct cred *cred,
06112163 1625 int cap, int audit)
1da177e4 1626{
2bf49690 1627 struct common_audit_data ad;
06112163 1628 struct av_decision avd;
b68e418c 1629 u16 sclass;
3699c53c 1630 u32 sid = cred_sid(cred);
b68e418c 1631 u32 av = CAP_TO_MASK(cap);
06112163 1632 int rc;
1da177e4 1633
50c205f5 1634 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1635 ad.u.cap = cap;
1636
b68e418c
SS		 1637 switch (CAP_TO_INDEX(cap)) {
1638 case 0:
1639 sclass = SECCLASS_CAPABILITY;
1640 break;
1641 case 1:
1642 sclass = SECCLASS_CAPABILITY2;
1643 break;
1644 default:
1645 printk(KERN_ERR
1646 "SELinux: out of range capability %d\n", cap);
1647 BUG();
a35c6c83 1648 return -EINVAL;
b68e418c 1649 }
06112163 1650
275bb41e 1651 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1652 if (audit == SECURITY_CAP_AUDIT) {
7b20ea25 1653 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1654 if (rc2)
1655 return rc2;
1656 }
06112163 1657 return rc;
1da177e4
LT		 1658}
1659
1660/* Check whether a task is allowed to use a system operation. */
1661static int task_has_system(struct task_struct *tsk,
1662 u32 perms)
1663{
275bb41e 1664 u32 sid = task_sid(tsk);
1da177e4 1665
275bb41e 1666 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1667 SECCLASS_SYSTEM, perms, NULL);
1668}
1669
1670/* Check whether a task has a particular permission to an inode.
1671 The 'adp' parameter is optional and allows other audit
1672 data to be passed (e.g. the dentry). */
88e67f3b 1673static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1674 struct inode *inode,
1675 u32 perms,
19e49834 1676 struct common_audit_data *adp)
1da177e4 1677{
1da177e4 1678 struct inode_security_struct *isec;
275bb41e 1679 u32 sid;
1da177e4 1680
e0e81739
DH		 1681 validate_creds(cred);
1682
828dfe1d 1683 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1684 return 0;
1685
88e67f3b 1686 sid = cred_sid(cred);
1da177e4
LT		 1687 isec = inode->i_security;
1688
19e49834 1689 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1690}
1691
1692/* Same as inode_has_perm, but pass explicit audit data containing
1693 the dentry to help the auditing code to more easily generate the
1694 pathname if needed. */
88e67f3b 1695static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1696 struct dentry *dentry,
1697 u32 av)
1698{
c6f493d6 1699 struct inode *inode = d_backing_inode(dentry);
2bf49690 1700 struct common_audit_data ad;
88e67f3b 1701
50c205f5 1702 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1703 ad.u.dentry = dentry;
5d226df4 1704 __inode_security_revalidate(inode, dentry, true);
19e49834 1705 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1706}
1707
1708/* Same as inode_has_perm, but pass explicit audit data containing
1709 the path to help the auditing code to more easily generate the
1710 pathname if needed. */
1711static inline int path_has_perm(const struct cred *cred,
3f7036a0 1712 const struct path *path,
2875fa00
EP		 1713 u32 av)
1714{
c6f493d6 1715 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1716 struct common_audit_data ad;
1717
50c205f5 1718 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1719 ad.u.path = *path;
5d226df4 1720 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1721 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1722}
1723
13f8e981
DH		 1724/* Same as path_has_perm, but uses the inode from the file struct. */
1725static inline int file_path_has_perm(const struct cred *cred,
1726 struct file *file,
1727 u32 av)
1728{
1729 struct common_audit_data ad;
1730
1731 ad.type = LSM_AUDIT_DATA_PATH;
1732 ad.u.path = file->f_path;
19e49834 1733 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1734}
1735
1da177e4
LT		 1736/* Check whether a task can use an open file descriptor to
1737 access an inode in a given way. Check access to the
1738 descriptor itself, and then use dentry_has_perm to
1739 check a particular permission to the file.
1740 Access to the descriptor is implicitly granted if it
1741 has the same SID as the process. If av is zero, then
1742 access to the file is not checked, e.g. for cases
1743 where only the descriptor is affected like seek. */
88e67f3b
DH		 1744static int file_has_perm(const struct cred *cred,
1745 struct file *file,
1746 u32 av)
1da177e4 1747{
1da177e4 1748 struct file_security_struct *fsec = file->f_security;
496ad9aa 1749 struct inode *inode = file_inode(file);
2bf49690 1750 struct common_audit_data ad;
88e67f3b 1751 u32 sid = cred_sid(cred);
1da177e4
LT		 1752 int rc;
1753
50c205f5 1754 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 1755 ad.u.path = file->f_path;
1da177e4 1756
275bb41e
DH		 1757 if (sid != fsec->sid) {
1758 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1759 SECCLASS_FD,
1760 FD__USE,
1761 &ad);
1762 if (rc)
88e67f3b 1763 goto out;
1da177e4
LT		 1764 }
1765
1766 /* av is zero if only checking access to the descriptor. */
88e67f3b 1767 rc = 0;
1da177e4 1768 if (av)
19e49834 1769 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1770
88e67f3b
DH		 1771out:
1772 return rc;
1da177e4
LT		 1773}
1774
c3c188b2
DH		 1775/*
1776 * Determine the label for an inode that might be unioned.
1777 */
83da53c5 1778static int selinux_determine_inode_label(struct inode *dir,
c3c188b2
DH		 1779 const struct qstr *name,
1780 u16 tclass,
1781 u32 *_new_isid)
1782{
1783 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
83da53c5 1784 const struct inode_security_struct *dsec = inode_security(dir);
c3c188b2
DH		 1785 const struct task_security_struct *tsec = current_security();
1786
1787 if ((sbsec->flags & SE_SBINITIALIZED) &&
1788 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1789 *_new_isid = sbsec->mntpoint_sid;
1790 } else if ((sbsec->flags & SBLABEL_MNT) &&
1791 tsec->create_sid) {
1792 *_new_isid = tsec->create_sid;
1793 } else {
1794 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1795 name, _new_isid);
1796 }
1797
1798 return 0;
1799}
1800
1da177e4
LT		 1801/* Check whether a task can create a file. */
1802static int may_create(struct inode *dir,
1803 struct dentry *dentry,
1804 u16 tclass)
1805{
5fb49870 1806 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1807 struct inode_security_struct *dsec;
1808 struct superblock_security_struct *sbsec;
275bb41e 1809 u32 sid, newsid;
2bf49690 1810 struct common_audit_data ad;
1da177e4
LT		 1811 int rc;
1812
83da53c5 1813 dsec = inode_security(dir);
1da177e4
LT		 1814 sbsec = dir->i_sb->s_security;
1815
275bb41e 1816 sid = tsec->sid;
275bb41e 1817
50c205f5 1818 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1819 ad.u.dentry = dentry;
1da177e4 1820
275bb41e 1821 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1822 DIR__ADD_NAME | DIR__SEARCH,
1823 &ad);
1824 if (rc)
1825 return rc;
1826
c3c188b2
DH		 1827 rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass,
1828 &newsid);
1829 if (rc)
1830 return rc;
1da177e4 1831
275bb41e 1832 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1833 if (rc)
1834 return rc;
1835
1836 return avc_has_perm(newsid, sbsec->sid,
1837 SECCLASS_FILESYSTEM,
1838 FILESYSTEM__ASSOCIATE, &ad);
1839}
1840
4eb582cf
ML		 1841/* Check whether a task can create a key. */
1842static int may_create_key(u32 ksid,
1843 struct task_struct *ctx)
1844{
275bb41e 1845 u32 sid = task_sid(ctx);
4eb582cf 1846
275bb41e 1847 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1848}
1849
828dfe1d
EP		 1850#define MAY_LINK 0
1851#define MAY_UNLINK 1
1852#define MAY_RMDIR 2
1da177e4
LT		 1853
1854/* Check whether a task can link, unlink, or rmdir a file/directory. */
1855static int may_link(struct inode *dir,
1856 struct dentry *dentry,
1857 int kind)
1858
1859{
1da177e4 1860 struct inode_security_struct *dsec, *isec;
2bf49690 1861 struct common_audit_data ad;
275bb41e 1862 u32 sid = current_sid();
1da177e4
LT		 1863 u32 av;
1864 int rc;
1865
83da53c5
AG		 1866 dsec = inode_security(dir);
1867 isec = backing_inode_security(dentry);
1da177e4 1868
50c205f5 1869 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1870 ad.u.dentry = dentry;
1da177e4
LT		 1871
1872 av = DIR__SEARCH;
1873 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1874 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1875 if (rc)
1876 return rc;
1877
1878 switch (kind) {
1879 case MAY_LINK:
1880 av = FILE__LINK;
1881 break;
1882 case MAY_UNLINK:
1883 av = FILE__UNLINK;
1884 break;
1885 case MAY_RMDIR:
1886 av = DIR__RMDIR;
1887 break;
1888 default:
744ba35e
EP		 1889 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1890 __func__, kind);
1da177e4
LT		 1891 return 0;
1892 }
1893
275bb41e 1894 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1895 return rc;
1896}
1897
1898static inline int may_rename(struct inode *old_dir,
1899 struct dentry *old_dentry,
1900 struct inode *new_dir,
1901 struct dentry *new_dentry)
1902{
1da177e4 1903 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1904 struct common_audit_data ad;
275bb41e 1905 u32 sid = current_sid();
1da177e4
LT		 1906 u32 av;
1907 int old_is_dir, new_is_dir;
1908 int rc;
1909
83da53c5
AG		 1910 old_dsec = inode_security(old_dir);
1911 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1912 old_is_dir = d_is_dir(old_dentry);
83da53c5 1913 new_dsec = inode_security(new_dir);
1da177e4 1914
50c205f5 1915 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1916
a269434d 1917 ad.u.dentry = old_dentry;
275bb41e 1918 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1919 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1920 if (rc)
1921 return rc;
275bb41e 1922 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1923 old_isec->sclass, FILE__RENAME, &ad);
1924 if (rc)
1925 return rc;
1926 if (old_is_dir && new_dir != old_dir) {
275bb41e 1927 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1928 old_isec->sclass, DIR__REPARENT, &ad);
1929 if (rc)
1930 return rc;
1931 }
1932
a269434d 1933 ad.u.dentry = new_dentry;
1da177e4 1934 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1935 if (d_is_positive(new_dentry))
1da177e4 1936 av |= DIR__REMOVE_NAME;
275bb41e 1937 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1938 if (rc)
1939 return rc;
2c616d4d 1940 if (d_is_positive(new_dentry)) {
83da53c5 1941 new_isec = backing_inode_security(new_dentry);
e36cb0b8 1942 new_is_dir = d_is_dir(new_dentry);
275bb41e 1943 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1944 new_isec->sclass,
1945 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1946 if (rc)
1947 return rc;
1948 }
1949
1950 return 0;
1951}
1952
1953/* Check whether a task can perform a filesystem operation. */
88e67f3b 1954static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1955 struct super_block *sb,
1956 u32 perms,
2bf49690 1957 struct common_audit_data *ad)
1da177e4 1958{
1da177e4 1959 struct superblock_security_struct *sbsec;
88e67f3b 1960 u32 sid = cred_sid(cred);
1da177e4 1961
1da177e4 1962 sbsec = sb->s_security;
275bb41e 1963 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1964}
1965
1966/* Convert a Linux mode and permission mask to an access vector. */
1967static inline u32 file_mask_to_av(int mode, int mask)
1968{
1969 u32 av = 0;
1970
dba19c60 1971 if (!S_ISDIR(mode)) {
1da177e4
LT		 1972 if (mask & MAY_EXEC)
1973 av |= FILE__EXECUTE;
1974 if (mask & MAY_READ)
1975 av |= FILE__READ;
1976
1977 if (mask & MAY_APPEND)
1978 av |= FILE__APPEND;
1979 else if (mask & MAY_WRITE)
1980 av |= FILE__WRITE;
1981
1982 } else {
1983 if (mask & MAY_EXEC)
1984 av |= DIR__SEARCH;
1985 if (mask & MAY_WRITE)
1986 av |= DIR__WRITE;
1987 if (mask & MAY_READ)
1988 av |= DIR__READ;
1989 }
1990
1991 return av;
1992}
1993
8b6a5a37
EP		 1994/* Convert a Linux file to an access vector. */
1995static inline u32 file_to_av(struct file *file)
1996{
1997 u32 av = 0;
1998
1999 if (file->f_mode & FMODE_READ)
2000 av |= FILE__READ;
2001 if (file->f_mode & FMODE_WRITE) {
2002 if (file->f_flags & O_APPEND)
2003 av |= FILE__APPEND;
2004 else
2005 av |= FILE__WRITE;
2006 }
2007 if (!av) {
2008 /*
2009 * Special file opened with flags 3 for ioctl-only use.
2010 */
2011 av = FILE__IOCTL;
2012 }
2013
2014 return av;
2015}
2016
b0c636b9 2017/*
8b6a5a37 2018 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2019 * open permission.
2020 */
8b6a5a37 2021static inline u32 open_file_to_av(struct file *file)
b0c636b9 2022{
8b6a5a37 2023 u32 av = file_to_av(file);
b0c636b9 2024
49b7b8de
EP		 2025 if (selinux_policycap_openperm)
2026 av |= FILE__OPEN;
2027
b0c636b9
EP		 2028 return av;
2029}
2030
1da177e4
LT		 2031/* Hook functions begin here. */
2032
79af7307
SS		 2033static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2034{
2035 u32 mysid = current_sid();
2036 u32 mgrsid = task_sid(mgr);
2037
2038 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2039 BINDER__SET_CONTEXT_MGR, NULL);
2040}
2041
2042static int selinux_binder_transaction(struct task_struct *from,
2043 struct task_struct *to)
2044{
2045 u32 mysid = current_sid();
2046 u32 fromsid = task_sid(from);
2047 u32 tosid = task_sid(to);
2048 int rc;
2049
2050 if (mysid != fromsid) {
2051 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2052 BINDER__IMPERSONATE, NULL);
2053 if (rc)
2054 return rc;
2055 }
2056
2057 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2058 NULL);
2059}
2060
2061static int selinux_binder_transfer_binder(struct task_struct *from,
2062 struct task_struct *to)
2063{
2064 u32 fromsid = task_sid(from);
2065 u32 tosid = task_sid(to);
2066
2067 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2068 NULL);
2069}
2070
2071static int selinux_binder_transfer_file(struct task_struct *from,
2072 struct task_struct *to,
2073 struct file *file)
2074{
2075 u32 sid = task_sid(to);
2076 struct file_security_struct *fsec = file->f_security;
83da53c5
AG		 2077 struct dentry *dentry = file->f_path.dentry;
2078 struct inode_security_struct *isec = backing_inode_security(dentry);
79af7307
SS		 2079 struct common_audit_data ad;
2080 int rc;
2081
2082 ad.type = LSM_AUDIT_DATA_PATH;
2083 ad.u.path = file->f_path;
2084
2085 if (sid != fsec->sid) {
2086 rc = avc_has_perm(sid, fsec->sid,
2087 SECCLASS_FD,
2088 FD__USE,
2089 &ad);
2090 if (rc)
2091 return rc;
2092 }
2093
83da53c5 2094 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2095 return 0;
2096
2097 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2098 &ad);
2099}
2100
9e48858f 2101static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2102 unsigned int mode)
1da177e4 2103{
69f594a3 2104 if (mode & PTRACE_MODE_READ) {
275bb41e
DH		 2105 u32 sid = current_sid();
2106 u32 csid = task_sid(child);
2107 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 2108 }
2109
3b11a1de 2110 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 2111}
2112
2113static int selinux_ptrace_traceme(struct task_struct *parent)
2114{
5cd9c58f 2115 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 2116}
2117
2118static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2119 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2120{
b1d9e6b0 2121 return current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 2122}
2123
d84f4f99
DH		 2124static int selinux_capset(struct cred *new, const struct cred *old,
2125 const kernel_cap_t *effective,
2126 const kernel_cap_t *inheritable,
2127 const kernel_cap_t *permitted)
1da177e4 2128{
d84f4f99 2129 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 2130}
2131
5626d3e8
JM		 2132/*
2133 * (This comment used to live with the selinux_task_setuid hook,
2134 * which was removed).
2135 *
2136 * Since setuid only affects the current process, and since the SELinux
2137 * controls are not based on the Linux identity attributes, SELinux does not
2138 * need to control this operation. However, SELinux does control the use of
2139 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2140 */
2141
6a9de491
EP		 2142static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2143 int cap, int audit)
1da177e4 2144{
6a9de491 2145 return cred_has_capability(cred, cap, audit);
1da177e4
LT		 2146}
2147
1da177e4
LT		 2148static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2149{
88e67f3b 2150 const struct cred *cred = current_cred();
1da177e4
LT		 2151 int rc = 0;
2152
2153 if (!sb)
2154 return 0;
2155
2156 switch (cmds) {
828dfe1d
EP		 2157 case Q_SYNC:
2158 case Q_QUOTAON:
2159 case Q_QUOTAOFF:
2160 case Q_SETINFO:
2161 case Q_SETQUOTA:
88e67f3b 2162 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2163 break;
2164 case Q_GETFMT:
2165 case Q_GETINFO:
2166 case Q_GETQUOTA:
88e67f3b 2167 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2168 break;
2169 default:
2170 rc = 0; /* let the kernel handle invalid cmds */
2171 break;
1da177e4
LT		 2172 }
2173 return rc;
2174}
2175
2176static int selinux_quota_on(struct dentry *dentry)
2177{
88e67f3b
DH		 2178 const struct cred *cred = current_cred();
2179
2875fa00 2180 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2181}
2182
12b3052c 2183static int selinux_syslog(int type)
1da177e4
LT		 2184{
2185 int rc;
2186
1da177e4 2187 switch (type) {
d78ca3cd
KC		 2188 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2189 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
828dfe1d
EP		 2190 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2191 break;
d78ca3cd
KC		 2192 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2193 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2194 /* Set level of messages printed to console */
2195 case SYSLOG_ACTION_CONSOLE_LEVEL:
828dfe1d
EP		 2196 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2197 break;
d78ca3cd
KC		 2198 case SYSLOG_ACTION_CLOSE: /* Close log */
2199 case SYSLOG_ACTION_OPEN: /* Open log */
2200 case SYSLOG_ACTION_READ: /* Read from log */
2201 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2202 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
828dfe1d
EP		 2203 default:
2204 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2205 break;
1da177e4
LT		 2206 }
2207 return rc;
2208}
2209
2210/*
2211 * Check that a process has enough memory to allocate a new virtual
2212 * mapping. 0 means there is enough memory for the allocation to
2213 * succeed and -ENOMEM implies there is not.
2214 *
1da177e4
LT		 2215 * Do not audit the selinux permission check, as this is applied to all
2216 * processes that allocate mappings.
2217 */
34b4e4aa 2218static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2219{
2220 int rc, cap_sys_admin = 0;
1da177e4 2221
b1d9e6b0
CS		 2222 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2223 SECURITY_CAP_NOAUDIT);
1da177e4
LT		 2224 if (rc == 0)
2225 cap_sys_admin = 1;
2226
b1d9e6b0 2227 return cap_sys_admin;
1da177e4
LT		 2228}
2229
2230/* binprm security operations */
2231
7b0d0b40
SS		 2232static int check_nnp_nosuid(const struct linux_binprm *bprm,
2233 const struct task_security_struct *old_tsec,
2234 const struct task_security_struct *new_tsec)
2235{
2236 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2237 int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2238 int rc;
2239
2240 if (!nnp && !nosuid)
2241 return 0; /* neither NNP nor nosuid */
2242
2243 if (new_tsec->sid == old_tsec->sid)
2244 return 0; /* No change in credentials */
2245
2246 /*
2247 * The only transitions we permit under NNP or nosuid
2248 * are transitions to bounded SIDs, i.e. SIDs that are
2249 * guaranteed to only be allowed a subset of the permissions
2250 * of the current SID.
2251 */
2252 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2253 if (rc) {
2254 /*
2255 * On failure, preserve the errno values for NNP vs nosuid.
2256 * NNP: Operation not permitted for caller.
2257 * nosuid: Permission denied to file.
2258 */
2259 if (nnp)
2260 return -EPERM;
2261 else
2262 return -EACCES;
2263 }
2264 return 0;
2265}
2266
a6f76f23 2267static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2268{
a6f76f23
DH		 2269 const struct task_security_struct *old_tsec;
2270 struct task_security_struct *new_tsec;
1da177e4 2271 struct inode_security_struct *isec;
2bf49690 2272 struct common_audit_data ad;
496ad9aa 2273 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2274 int rc;
2275
a6f76f23
DH		 2276 /* SELinux context only depends on initial program or script and not
2277 * the script interpreter */
2278 if (bprm->cred_prepared)
1da177e4
LT		 2279 return 0;
2280
a6f76f23
DH		 2281 old_tsec = current_security();
2282 new_tsec = bprm->cred->security;
83da53c5 2283 isec = inode_security(inode);
1da177e4
LT		 2284
2285 /* Default to the current task SID. */
a6f76f23
DH		 2286 new_tsec->sid = old_tsec->sid;
2287 new_tsec->osid = old_tsec->sid;
1da177e4 2288
28eba5bf 2289 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2290 new_tsec->create_sid = 0;
2291 new_tsec->keycreate_sid = 0;
2292 new_tsec->sockcreate_sid = 0;
1da177e4 2293
a6f76f23
DH		 2294 if (old_tsec->exec_sid) {
2295 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2296 /* Reset exec SID on execve. */
a6f76f23 2297 new_tsec->exec_sid = 0;
259e5e6c 2298
7b0d0b40
SS		 2299 /* Fail on NNP or nosuid if not an allowed transition. */
2300 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2301 if (rc)
2302 return rc;
1da177e4
LT		 2303 } else {
2304 /* Check for a default transition on this program. */
a6f76f23 2305 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2306 SECCLASS_PROCESS, NULL,
2307 &new_tsec->sid);
1da177e4
LT		 2308 if (rc)
2309 return rc;
7b0d0b40
SS		 2310
2311 /*
2312 * Fallback to old SID on NNP or nosuid if not an allowed
2313 * transition.
2314 */
2315 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2316 if (rc)
2317 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2318 }
2319
50c205f5 2320 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 2321 ad.u.path = bprm->file->f_path;
1da177e4 2322
a6f76f23
DH		 2323 if (new_tsec->sid == old_tsec->sid) {
2324 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2325 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2326 if (rc)
2327 return rc;
2328 } else {
2329 /* Check permissions for the transition. */
a6f76f23 2330 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2331 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2332 if (rc)
2333 return rc;
2334
a6f76f23 2335 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2336 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2337 if (rc)
2338 return rc;
2339
a6f76f23
DH		 2340 /* Check for shared state */
2341 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2342 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2343 SECCLASS_PROCESS, PROCESS__SHARE,
2344 NULL);
2345 if (rc)
2346 return -EPERM;
2347 }
2348
2349 /* Make sure that anyone attempting to ptrace over a task that
2350 * changes its SID has the appropriate permit */
2351 if (bprm->unsafe &
2352 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2353 struct task_struct *tracer;
2354 struct task_security_struct *sec;
2355 u32 ptsid = 0;
2356
2357 rcu_read_lock();
06d98473 2358 tracer = ptrace_parent(current);
a6f76f23
DH		 2359 if (likely(tracer != NULL)) {
2360 sec = __task_cred(tracer)->security;
2361 ptsid = sec->sid;
2362 }
2363 rcu_read_unlock();
2364
2365 if (ptsid != 0) {
2366 rc = avc_has_perm(ptsid, new_tsec->sid,
2367 SECCLASS_PROCESS,
2368 PROCESS__PTRACE, NULL);
2369 if (rc)
2370 return -EPERM;
2371 }
2372 }
1da177e4 2373
a6f76f23
DH		 2374 /* Clear any possibly unsafe personality bits on exec: */
2375 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2376 }
2377
1da177e4
LT		 2378 return 0;
2379}
2380
828dfe1d 2381static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2382{
5fb49870 2383 const struct task_security_struct *tsec = current_security();
275bb41e 2384 u32 sid, osid;
1da177e4
LT		 2385 int atsecure = 0;
2386
275bb41e
DH		 2387 sid = tsec->sid;
2388 osid = tsec->osid;
2389
2390 if (osid != sid) {
1da177e4
LT		 2391 /* Enable secure mode for SIDs transitions unless
2392 the noatsecure permission is granted between
2393 the two SIDs, i.e. ahp returns 0. */
275bb41e 2394 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2395 SECCLASS_PROCESS,
2396 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2397 }
2398
b1d9e6b0 2399 return !!atsecure;
1da177e4
LT		 2400}
2401
c3c073f8
AV		 2402static int match_file(const void *p, struct file *file, unsigned fd)
2403{
2404 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2405}
2406
1da177e4 2407/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2408static inline void flush_unauthorized_files(const struct cred *cred,
2409 struct files_struct *files)
1da177e4 2410{
1da177e4 2411 struct file *file, *devnull = NULL;
b20c8122 2412 struct tty_struct *tty;
24ec839c 2413 int drop_tty = 0;
c3c073f8 2414 unsigned n;
1da177e4 2415
24ec839c 2416 tty = get_current_tty();
1da177e4 2417 if (tty) {
ee2ffa0d 2418 spin_lock(&tty_files_lock);
37dd0bd0 2419 if (!list_empty(&tty->tty_files)) {
d996b62a 2420 struct tty_file_private *file_priv;
37dd0bd0 2421
1da177e4 2422 /* Revalidate access to controlling tty.
13f8e981
DH		 2423 Use file_path_has_perm on the tty path directly
2424 rather than using file_has_perm, as this particular
2425 open file may belong to another process and we are
2426 only interested in the inode-based check here. */
d996b62a
NP		 2427 file_priv = list_first_entry(&tty->tty_files,
2428 struct tty_file_private, list);
2429 file = file_priv->file;
13f8e981 2430 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2431 drop_tty = 1;
1da177e4 2432 }
ee2ffa0d 2433 spin_unlock(&tty_files_lock);
452a00d2 2434 tty_kref_put(tty);
1da177e4 2435 }
98a27ba4
EB		 2436 /* Reset controlling tty. */
2437 if (drop_tty)
2438 no_tty();
1da177e4
LT		 2439
2440 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2441 n = iterate_fd(files, 0, match_file, cred);
2442 if (!n) /* none found? */
2443 return;
1da177e4 2444
c3c073f8 2445 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2446 if (IS_ERR(devnull))
2447 devnull = NULL;
2448 /* replace all the matching ones with this */
2449 do {
2450 replace_fd(n - 1, devnull, 0);
2451 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2452 if (devnull)
c3c073f8 2453 fput(devnull);
1da177e4
LT		 2454}
2455
a6f76f23
DH		 2456/*
2457 * Prepare a process for imminent new credential changes due to exec
2458 */
2459static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2460{
a6f76f23
DH		 2461 struct task_security_struct *new_tsec;
2462 struct rlimit *rlim, *initrlim;
2463 int rc, i;
d84f4f99 2464
a6f76f23
DH		 2465 new_tsec = bprm->cred->security;
2466 if (new_tsec->sid == new_tsec->osid)
2467 return;
1da177e4 2468
a6f76f23
DH		 2469 /* Close files for which the new task SID is not authorized. */
2470 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2471
a6f76f23
DH		 2472 /* Always clear parent death signal on SID transitions. */
2473 current->pdeath_signal = 0;
0356357c 2474
a6f76f23
DH		 2475 /* Check whether the new SID can inherit resource limits from the old
2476 * SID. If not, reset all soft limits to the lower of the current
2477 * task's hard limit and the init task's soft limit.
2478 *
2479 * Note that the setting of hard limits (even to lower them) can be
2480 * controlled by the setrlimit check. The inclusion of the init task's
2481 * soft limit into the computation is to avoid resetting soft limits
2482 * higher than the default soft limit for cases where the default is
2483 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2484 */
2485 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2486 PROCESS__RLIMITINH, NULL);
2487 if (rc) {
eb2d55a3
ON		 2488 /* protect against do_prlimit() */
2489 task_lock(current);
a6f76f23
DH		 2490 for (i = 0; i < RLIM_NLIMITS; i++) {
2491 rlim = current->signal->rlim + i;
2492 initrlim = init_task.signal->rlim + i;
2493 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2494 }
eb2d55a3
ON		 2495 task_unlock(current);
2496 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2497 }
2498}
2499
2500/*
a6f76f23
DH		 2501 * Clean up the process immediately after the installation of new credentials
2502 * due to exec
1da177e4 2503 */
a6f76f23 2504static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2505{
a6f76f23 2506 const struct task_security_struct *tsec = current_security();
1da177e4 2507 struct itimerval itimer;
a6f76f23 2508 u32 osid, sid;
1da177e4
LT		 2509 int rc, i;
2510
a6f76f23
DH		 2511 osid = tsec->osid;
2512 sid = tsec->sid;
2513
2514 if (sid == osid)
1da177e4
LT		 2515 return;
2516
a6f76f23
DH		 2517 /* Check whether the new SID can inherit signal state from the old SID.
2518 * If not, clear itimers to avoid subsequent signal generation and
2519 * flush and unblock signals.
2520 *
2521 * This must occur _after_ the task SID has been updated so that any
2522 * kill done after the flush will be checked against the new SID.
2523 */
2524 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4
LT		 2525 if (rc) {
2526 memset(&itimer, 0, sizeof itimer);
2527 for (i = 0; i < 3; i++)
2528 do_setitimer(i, &itimer, NULL);
1da177e4 2529 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2530 if (!fatal_signal_pending(current)) {
2531 flush_sigqueue(&current->pending);
2532 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2533 flush_signal_handlers(current, 1);
2534 sigemptyset(&current->blocked);
9e7c8f8c 2535 recalc_sigpending();
3bcac026 2536 }
1da177e4
LT		 2537 spin_unlock_irq(&current->sighand->siglock);
2538 }
2539
a6f76f23
DH		 2540 /* Wake up the parent if it is waiting so that it can recheck
2541 * wait permission to the new task SID. */
ecd6de3c 2542 read_lock(&tasklist_lock);
0b7570e7 2543 __wake_up_parent(current, current->real_parent);
ecd6de3c 2544 read_unlock(&tasklist_lock);
1da177e4
LT		 2545}
2546
2547/* superblock security operations */
2548
2549static int selinux_sb_alloc_security(struct super_block *sb)
2550{
2551 return superblock_alloc_security(sb);
2552}
2553
2554static void selinux_sb_free_security(struct super_block *sb)
2555{
2556 superblock_free_security(sb);
2557}
2558
2559static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2560{
2561 if (plen > olen)
2562 return 0;
2563
2564 return !memcmp(prefix, option, plen);
2565}
2566
2567static inline int selinux_option(char *option, int len)
2568{
832cbd9a
EP		 2569 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2570 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2571 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2572 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2573 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2574}
2575
2576static inline void take_option(char **to, char *from, int *first, int len)
2577{
2578 if (!*first) {
2579 **to = ',';
2580 *to += 1;
3528a953 2581 } else
1da177e4
LT		 2582 *first = 0;
2583 memcpy(*to, from, len);
2584 *to += len;
2585}
2586
828dfe1d
EP		 2587static inline void take_selinux_option(char **to, char *from, int *first,
2588 int len)
3528a953
CO		 2589{
2590 int current_size = 0;
2591
2592 if (!*first) {
2593 **to = '|';
2594 *to += 1;
828dfe1d 2595 } else
3528a953
CO		 2596 *first = 0;
2597
2598 while (current_size < len) {
2599 if (*from != '"') {
2600 **to = *from;
2601 *to += 1;
2602 }
2603 from += 1;
2604 current_size += 1;
2605 }
2606}
2607
e0007529 2608static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2609{
2610 int fnosec, fsec, rc = 0;
2611 char *in_save, *in_curr, *in_end;
2612 char *sec_curr, *nosec_save, *nosec;
3528a953 2613 int open_quote = 0;
1da177e4
LT		 2614
2615 in_curr = orig;
2616 sec_curr = copy;
2617
1da177e4
LT		 2618 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2619 if (!nosec) {
2620 rc = -ENOMEM;
2621 goto out;
2622 }
2623
2624 nosec_save = nosec;
2625 fnosec = fsec = 1;
2626 in_save = in_end = orig;
2627
2628 do {
3528a953
CO		 2629 if (*in_end == '"')
2630 open_quote = !open_quote;
2631 if ((*in_end == ',' && open_quote == 0) ||
2632 *in_end == '\0') {
1da177e4
LT		 2633 int len = in_end - in_curr;
2634
2635 if (selinux_option(in_curr, len))
3528a953 2636 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2637 else
2638 take_option(&nosec, in_curr, &fnosec, len);
2639
2640 in_curr = in_end + 1;
2641 }
2642 } while (*in_end++);
2643
6931dfc9 2644 strcpy(in_save, nosec_save);
da3caa20 2645 free_page((unsigned long)nosec_save);
1da177e4
LT		 2646out:
2647 return rc;
2648}
2649
026eb167
EP		 2650static int selinux_sb_remount(struct super_block *sb, void *data)
2651{
2652 int rc, i, *flags;
2653 struct security_mnt_opts opts;
2654 char *secdata, **mount_options;
2655 struct superblock_security_struct *sbsec = sb->s_security;
2656
2657 if (!(sbsec->flags & SE_SBINITIALIZED))
2658 return 0;
2659
2660 if (!data)
2661 return 0;
2662
2663 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2664 return 0;
2665
2666 security_init_mnt_opts(&opts);
2667 secdata = alloc_secdata();
2668 if (!secdata)
2669 return -ENOMEM;
2670 rc = selinux_sb_copy_data(data, secdata);
2671 if (rc)
2672 goto out_free_secdata;
2673
2674 rc = selinux_parse_opts_str(secdata, &opts);
2675 if (rc)
2676 goto out_free_secdata;
2677
2678 mount_options = opts.mnt_opts;
2679 flags = opts.mnt_opts_flags;
2680
2681 for (i = 0; i < opts.num_mnt_opts; i++) {
2682 u32 sid;
026eb167 2683
12f348b9 2684 if (flags[i] == SBLABEL_MNT)
026eb167 2685 continue;
44be2f65 2686 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
026eb167 2687 if (rc) {
44be2f65 2688 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 2689 "(%s) failed for (dev %s, type %s) errno=%d\n",
2690 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2691 goto out_free_opts;
2692 }
2693 rc = -EINVAL;
2694 switch (flags[i]) {
2695 case FSCONTEXT_MNT:
2696 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2697 goto out_bad_option;
2698 break;
2699 case CONTEXT_MNT:
2700 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2701 goto out_bad_option;
2702 break;
2703 case ROOTCONTEXT_MNT: {
2704 struct inode_security_struct *root_isec;
83da53c5 2705 root_isec = backing_inode_security(sb->s_root);
026eb167
EP		 2706
2707 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2708 goto out_bad_option;
2709 break;
2710 }
2711 case DEFCONTEXT_MNT:
2712 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2713 goto out_bad_option;
2714 break;
2715 default:
2716 goto out_free_opts;
2717 }
2718 }
2719
2720 rc = 0;
2721out_free_opts:
2722 security_free_mnt_opts(&opts);
2723out_free_secdata:
2724 free_secdata(secdata);
2725 return rc;
2726out_bad_option:
2727 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2728 "during remount (dev %s, type=%s)\n", sb->s_id,
2729 sb->s_type->name);
026eb167
EP		 2730 goto out_free_opts;
2731}
2732
12204e24 2733static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2734{
88e67f3b 2735 const struct cred *cred = current_cred();
2bf49690 2736 struct common_audit_data ad;
1da177e4
LT		 2737 int rc;
2738
2739 rc = superblock_doinit(sb, data);
2740 if (rc)
2741 return rc;
2742
74192246
JM		 2743 /* Allow all mounts performed by the kernel */
2744 if (flags & MS_KERNMOUNT)
2745 return 0;
2746
50c205f5 2747 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2748 ad.u.dentry = sb->s_root;
88e67f3b 2749 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2750}
2751
726c3342 2752static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2753{
88e67f3b 2754 const struct cred *cred = current_cred();
2bf49690 2755 struct common_audit_data ad;
1da177e4 2756
50c205f5 2757 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2758 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2759 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2760}
2761
808d4e3c 2762static int selinux_mount(const char *dev_name,
b5266eb4 2763 struct path *path,
808d4e3c 2764 const char *type,
828dfe1d
EP		 2765 unsigned long flags,
2766 void *data)
1da177e4 2767{
88e67f3b 2768 const struct cred *cred = current_cred();
1da177e4
LT		 2769
2770 if (flags & MS_REMOUNT)
d8c9584e 2771 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2772 FILESYSTEM__REMOUNT, NULL);
1da177e4 2773 else
2875fa00 2774 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2775}
2776
2777static int selinux_umount(struct vfsmount *mnt, int flags)
2778{
88e67f3b 2779 const struct cred *cred = current_cred();
1da177e4 2780
88e67f3b 2781 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2782 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2783}
2784
2785/* inode security operations */
2786
2787static int selinux_inode_alloc_security(struct inode *inode)
2788{
2789 return inode_alloc_security(inode);
2790}
2791
2792static void selinux_inode_free_security(struct inode *inode)
2793{
2794 inode_free_security(inode);
2795}
2796
d47be3df
DQ		 2797static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2798 struct qstr *name, void **ctx,
2799 u32 *ctxlen)
2800{
d47be3df
DQ		 2801 u32 newsid;
2802 int rc;
2803
c3c188b2
DH		 2804 rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name,
2805 inode_mode_to_security_class(mode),
2806 &newsid);
2807 if (rc)
2808 return rc;
d47be3df
DQ		 2809
2810 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2811}
2812
5e41ff9e 2813static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2814 const struct qstr *qstr,
2815 const char **name,
2a7dba39 2816 void **value, size_t *len)
5e41ff9e 2817{
5fb49870 2818 const struct task_security_struct *tsec = current_security();
5e41ff9e 2819 struct superblock_security_struct *sbsec;
275bb41e 2820 u32 sid, newsid, clen;
5e41ff9e 2821 int rc;
9548906b 2822 char *context;
5e41ff9e 2823
5e41ff9e 2824 sbsec = dir->i_sb->s_security;
5e41ff9e 2825
275bb41e
DH		 2826 sid = tsec->sid;
2827 newsid = tsec->create_sid;
2828
c3c188b2
DH		 2829 rc = selinux_determine_inode_label(
2830 dir, qstr,
2831 inode_mode_to_security_class(inode->i_mode),
2832 &newsid);
2833 if (rc)
2834 return rc;
5e41ff9e 2835
296fddf7 2836 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2837 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2838 struct inode_security_struct *isec = inode->i_security;
2839 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2840 isec->sid = newsid;
6f3be9f5 2841 isec->initialized = LABEL_INITIALIZED;
296fddf7 2842 }
5e41ff9e 2843
12f348b9 2844 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2845 return -EOPNOTSUPP;
2846
9548906b
TH		 2847 if (name)
2848 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2849
570bc1c2 2850 if (value && len) {
12b29f34 2851 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 2852 if (rc)
570bc1c2 2853 return rc;
570bc1c2
SS		 2854 *value = context;
2855 *len = clen;
5e41ff9e 2856 }
5e41ff9e 2857
5e41ff9e
SS		 2858 return 0;
2859}
2860
4acdaf27 2861static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2862{
2863 return may_create(dir, dentry, SECCLASS_FILE);
2864}
2865
1da177e4
LT		 2866static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2867{
1da177e4
LT		 2868 return may_link(dir, old_dentry, MAY_LINK);
2869}
2870
1da177e4
LT		 2871static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2872{
1da177e4
LT		 2873 return may_link(dir, dentry, MAY_UNLINK);
2874}
2875
2876static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2877{
2878 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2879}
2880
18bb1db3 2881static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2882{
2883 return may_create(dir, dentry, SECCLASS_DIR);
2884}
2885
1da177e4
LT		 2886static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2887{
2888 return may_link(dir, dentry, MAY_RMDIR);
2889}
2890
1a67aafb 2891static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2892{
1da177e4
LT		 2893 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2894}
2895
1da177e4 2896static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2897 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2898{
2899 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2900}
2901
1da177e4
LT		 2902static int selinux_inode_readlink(struct dentry *dentry)
2903{
88e67f3b
DH		 2904 const struct cred *cred = current_cred();
2905
2875fa00 2906 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2907}
2908
bda0be7a
N		 2909static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2910 bool rcu)
1da177e4 2911{
88e67f3b 2912 const struct cred *cred = current_cred();
bda0be7a
N		 2913 struct common_audit_data ad;
2914 struct inode_security_struct *isec;
2915 u32 sid;
1da177e4 2916
bda0be7a
N		 2917 validate_creds(cred);
2918
2919 ad.type = LSM_AUDIT_DATA_DENTRY;
2920 ad.u.dentry = dentry;
2921 sid = cred_sid(cred);
5d226df4
AG		 2922 isec = inode_security_rcu(inode, rcu);
2923 if (IS_ERR(isec))
2924 return PTR_ERR(isec);
bda0be7a
N		 2925
2926 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2927 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 2928}
2929
d4cf970d
EP		 2930static noinline int audit_inode_permission(struct inode *inode,
2931 u32 perms, u32 audited, u32 denied,
626b9740 2932 int result,
d4cf970d 2933 unsigned flags)
1da177e4 2934{
b782e0a6 2935 struct common_audit_data ad;
d4cf970d
EP		 2936 struct inode_security_struct *isec = inode->i_security;
2937 int rc;
2938
50c205f5 2939 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 2940 ad.u.inode = inode;
2941
2942 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
626b9740 2943 audited, denied, result, &ad, flags);
d4cf970d
EP		 2944 if (rc)
2945 return rc;
2946 return 0;
2947}
2948
e74f71eb 2949static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2950{
88e67f3b 2951 const struct cred *cred = current_cred();
b782e0a6
EP		 2952 u32 perms;
2953 bool from_access;
cf1dd1da 2954 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 2955 struct inode_security_struct *isec;
2956 u32 sid;
2957 struct av_decision avd;
2958 int rc, rc2;
2959 u32 audited, denied;
1da177e4 2960
b782e0a6 2961 from_access = mask & MAY_ACCESS;
d09ca739
EP		 2962 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2963
b782e0a6
EP		 2964 /* No permission to check. Existence test. */
2965 if (!mask)
1da177e4 2966 return 0;
1da177e4 2967
2e334057 2968 validate_creds(cred);
b782e0a6 2969
2e334057
EP		 2970 if (unlikely(IS_PRIVATE(inode)))
2971 return 0;
b782e0a6
EP		 2972
2973 perms = file_mask_to_av(inode->i_mode, mask);
2974
2e334057 2975 sid = cred_sid(cred);
5d226df4
AG		 2976 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
2977 if (IS_ERR(isec))
2978 return PTR_ERR(isec);
2e334057
EP		 2979
2980 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2981 audited = avc_audit_required(perms, &avd, rc,
2982 from_access ? FILE__AUDIT_ACCESS : 0,
2983 &denied);
2984 if (likely(!audited))
2985 return rc;
2986
626b9740 2987 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 2988 if (rc2)
2989 return rc2;
2990 return rc;
1da177e4
LT		 2991}
2992
2993static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2994{
88e67f3b 2995 const struct cred *cred = current_cred();
bc6a6008 2996 unsigned int ia_valid = iattr->ia_valid;
95dbf739 2997 __u32 av = FILE__WRITE;
1da177e4 2998
bc6a6008
AW		 2999 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3000 if (ia_valid & ATTR_FORCE) {
3001 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3002 ATTR_FORCE);
3003 if (!ia_valid)
3004 return 0;
3005 }
1da177e4 3006
bc6a6008
AW		 3007 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3008 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3009 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3010
44d37ad3
JVS		 3011 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
3012 && !(ia_valid & ATTR_FILE))
95dbf739
EP		 3013 av |= FILE__OPEN;
3014
3015 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3016}
3017
3f7036a0 3018static int selinux_inode_getattr(const struct path *path)
1da177e4 3019{
3f7036a0 3020 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3021}
3022
8f0cfa52 3023static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 3024{
88e67f3b
DH		 3025 const struct cred *cred = current_cred();
3026
b5376771
SH		 3027 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3028 sizeof XATTR_SECURITY_PREFIX - 1)) {
3029 if (!strcmp(name, XATTR_NAME_CAPS)) {
3030 if (!capable(CAP_SETFCAP))
3031 return -EPERM;
3032 } else if (!capable(CAP_SYS_ADMIN)) {
3033 /* A different attribute in the security namespace.
3034 Restrict to administrator. */
3035 return -EPERM;
3036 }
3037 }
3038
3039 /* Not an attribute we recognize, so just check the
3040 ordinary setattr permission. */
2875fa00 3041 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 3042}
3043
8f0cfa52
DH		 3044static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3045 const void *value, size_t size, int flags)
1da177e4 3046{
c6f493d6 3047 struct inode *inode = d_backing_inode(dentry);
83da53c5 3048 struct inode_security_struct *isec = backing_inode_security(dentry);
1da177e4 3049 struct superblock_security_struct *sbsec;
2bf49690 3050 struct common_audit_data ad;
275bb41e 3051 u32 newsid, sid = current_sid();
1da177e4
LT		 3052 int rc = 0;
3053
b5376771
SH		 3054 if (strcmp(name, XATTR_NAME_SELINUX))
3055 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3056
3057 sbsec = inode->i_sb->s_security;
12f348b9 3058 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3059 return -EOPNOTSUPP;
3060
2e149670 3061 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3062 return -EPERM;
3063
50c205f5 3064 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3065 ad.u.dentry = dentry;
1da177e4 3066
275bb41e 3067 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 3068 FILE__RELABELFROM, &ad);
3069 if (rc)
3070 return rc;
3071
52a4c640 3072 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
12b29f34 3073 if (rc == -EINVAL) {
d6ea83ec
EP		 3074 if (!capable(CAP_MAC_ADMIN)) {
3075 struct audit_buffer *ab;
3076 size_t audit_size;
3077 const char *str;
3078
3079 /* We strip a nul only if it is at the end, otherwise the
3080 * context contains a nul and we should audit that */
e3fea3f7
AV		 3081 if (value) {
3082 str = value;
3083 if (str[size - 1] == '\0')
3084 audit_size = size - 1;
3085 else
3086 audit_size = size;
3087 } else {
3088 str = "";
3089 audit_size = 0;
3090 }
d6ea83ec
EP		 3091 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3092 audit_log_format(ab, "op=setxattr invalid_context=");
3093 audit_log_n_untrustedstring(ab, value, audit_size);
3094 audit_log_end(ab);
3095
12b29f34 3096 return rc;
d6ea83ec 3097 }
12b29f34
SS		 3098 rc = security_context_to_sid_force(value, size, &newsid);
3099 }
1da177e4
LT		 3100 if (rc)
3101 return rc;
3102
275bb41e 3103 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3104 FILE__RELABELTO, &ad);
3105 if (rc)
3106 return rc;
3107
275bb41e 3108 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 3109 isec->sclass);
1da177e4
LT		 3110 if (rc)
3111 return rc;
3112
3113 return avc_has_perm(newsid,
3114 sbsec->sid,
3115 SECCLASS_FILESYSTEM,
3116 FILESYSTEM__ASSOCIATE,
3117 &ad);
3118}
3119
8f0cfa52 3120static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3121 const void *value, size_t size,
8f0cfa52 3122 int flags)
1da177e4 3123{
c6f493d6 3124 struct inode *inode = d_backing_inode(dentry);
83da53c5 3125 struct inode_security_struct *isec = backing_inode_security(dentry);
1da177e4
LT		 3126 u32 newsid;
3127 int rc;
3128
3129 if (strcmp(name, XATTR_NAME_SELINUX)) {
3130 /* Not an attribute we recognize, so nothing to do. */
3131 return;
3132 }
3133
12b29f34 3134 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 3135 if (rc) {
12b29f34
SS		 3136 printk(KERN_ERR "SELinux: unable to map context to SID"
3137 "for (%s, %lu), rc=%d\n",
3138 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3139 return;
3140 }
3141
aa9c2669 3142 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3143 isec->sid = newsid;
6f3be9f5 3144 isec->initialized = LABEL_INITIALIZED;
aa9c2669 3145
1da177e4
LT		 3146 return;
3147}
3148
8f0cfa52 3149static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3150{
88e67f3b
DH		 3151 const struct cred *cred = current_cred();
3152
2875fa00 3153 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3154}
3155
828dfe1d 3156static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3157{
88e67f3b
DH		 3158 const struct cred *cred = current_cred();
3159
2875fa00 3160 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3161}
3162
8f0cfa52 3163static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3164{
b5376771
SH		 3165 if (strcmp(name, XATTR_NAME_SELINUX))
3166 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3167
3168 /* No one is allowed to remove a SELinux security label.
3169 You can change the label, but all data must be labeled. */
3170 return -EACCES;
3171}
3172
d381d8a9 3173/*
abc69bb6 3174 * Copy the inode security context value to the user.
d381d8a9
JM		 3175 *
3176 * Permission check is handled by selinux_inode_getxattr hook.
3177 */
ea861dfd 3178static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3179{
42492594
DQ		 3180 u32 size;
3181 int error;
3182 char *context = NULL;
83da53c5 3183 struct inode_security_struct *isec = inode_security(inode);
d381d8a9 3184
8c8570fb
DK		 3185 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3186 return -EOPNOTSUPP;
d381d8a9 3187
abc69bb6
SS		 3188 /*
3189 * If the caller has CAP_MAC_ADMIN, then get the raw context
3190 * value even if it is not defined by current policy; otherwise,
3191 * use the in-core value under current policy.
3192 * Use the non-auditing forms of the permission checks since
3193 * getxattr may be called by unprivileged processes commonly
3194 * and lack of permission just means that we fall back to the
3195 * in-core context value, not a denial.
3196 */
b1d9e6b0
CS		 3197 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3198 SECURITY_CAP_NOAUDIT);
3199 if (!error)
3200 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3201 SECURITY_CAP_NOAUDIT);
abc69bb6
SS		 3202 if (!error)
3203 error = security_sid_to_context_force(isec->sid, &context,
3204 &size);
3205 else
3206 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3207 if (error)
3208 return error;
3209 error = size;
3210 if (alloc) {
3211 *buffer = context;
3212 goto out_nofree;
3213 }
3214 kfree(context);
3215out_nofree:
3216 return error;
1da177e4
LT		 3217}
3218
3219static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3220 const void *value, size_t size, int flags)
1da177e4 3221{
83da53c5 3222 struct inode_security_struct *isec = inode_security(inode);
1da177e4
LT		 3223 u32 newsid;
3224 int rc;
3225
3226 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3227 return -EOPNOTSUPP;
3228
3229 if (!value || !size)
3230 return -EACCES;
3231
20ba96ae 3232 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
1da177e4
LT		 3233 if (rc)
3234 return rc;
3235
aa9c2669 3236 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3237 isec->sid = newsid;
6f3be9f5 3238 isec->initialized = LABEL_INITIALIZED;
1da177e4
LT		 3239 return 0;
3240}
3241
3242static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3243{
3244 const int len = sizeof(XATTR_NAME_SELINUX);
3245 if (buffer && len <= buffer_size)
3246 memcpy(buffer, XATTR_NAME_SELINUX, len);
3247 return len;
3248}
3249
d6335d77 3250static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3251{
83da53c5 3252 struct inode_security_struct *isec = inode_security(inode);
713a04ae
AD		 3253 *secid = isec->sid;
3254}
3255
1da177e4
LT		 3256/* file security operations */
3257
788e7dd4 3258static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3259{
88e67f3b 3260 const struct cred *cred = current_cred();
496ad9aa 3261 struct inode *inode = file_inode(file);
1da177e4 3262
1da177e4
LT		 3263 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3264 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3265 mask |= MAY_APPEND;
3266
389fb800
PM		 3267 return file_has_perm(cred, file,
3268 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3269}
3270
788e7dd4
YN		 3271static int selinux_file_permission(struct file *file, int mask)
3272{
496ad9aa 3273 struct inode *inode = file_inode(file);
20dda18b 3274 struct file_security_struct *fsec = file->f_security;
b197367e 3275 struct inode_security_struct *isec;
20dda18b
SS		 3276 u32 sid = current_sid();
3277
389fb800 3278 if (!mask)
788e7dd4
YN		 3279 /* No permission to check. Existence test. */
3280 return 0;
788e7dd4 3281
b197367e 3282 isec = inode_security(inode);
20dda18b
SS		 3283 if (sid == fsec->sid && fsec->isid == isec->sid &&
3284 fsec->pseqno == avc_policy_seqno())
83d49856 3285 /* No change since file_open check. */
20dda18b
SS		 3286 return 0;
3287
788e7dd4
YN		 3288 return selinux_revalidate_file_permission(file, mask);
3289}
3290
1da177e4
LT		 3291static int selinux_file_alloc_security(struct file *file)
3292{
3293 return file_alloc_security(file);
3294}
3295
3296static void selinux_file_free_security(struct file *file)
3297{
3298 file_free_security(file);
3299}
3300
fa1aa143
JVS		 3301/*
3302 * Check whether a task has the ioctl permission and cmd
3303 * operation to an inode.
3304 */
1d2a168a 3305static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3306 u32 requested, u16 cmd)
3307{
3308 struct common_audit_data ad;
3309 struct file_security_struct *fsec = file->f_security;
3310 struct inode *inode = file_inode(file);
83da53c5 3311 struct inode_security_struct *isec = inode_security(inode);
fa1aa143
JVS		 3312 struct lsm_ioctlop_audit ioctl;
3313 u32 ssid = cred_sid(cred);
3314 int rc;
3315 u8 driver = cmd >> 8;
3316 u8 xperm = cmd & 0xff;
3317
3318 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3319 ad.u.op = &ioctl;
3320 ad.u.op->cmd = cmd;
3321 ad.u.op->path = file->f_path;
3322
3323 if (ssid != fsec->sid) {
3324 rc = avc_has_perm(ssid, fsec->sid,
3325 SECCLASS_FD,
3326 FD__USE,
3327 &ad);
3328 if (rc)
3329 goto out;
3330 }
3331
3332 if (unlikely(IS_PRIVATE(inode)))
3333 return 0;
3334
3335 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3336 requested, driver, xperm, &ad);
3337out:
3338 return rc;
3339}
3340
1da177e4
LT		 3341static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3342 unsigned long arg)
3343{
88e67f3b 3344 const struct cred *cred = current_cred();
0b24dcb7 3345 int error = 0;
1da177e4 3346
0b24dcb7
EP		 3347 switch (cmd) {
3348 case FIONREAD:
3349 /* fall through */
3350 case FIBMAP:
3351 /* fall through */
3352 case FIGETBSZ:
3353 /* fall through */
2f99c369 3354 case FS_IOC_GETFLAGS:
0b24dcb7 3355 /* fall through */
2f99c369 3356 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3357 error = file_has_perm(cred, file, FILE__GETATTR);
3358 break;
1da177e4 3359
2f99c369 3360 case FS_IOC_SETFLAGS:
0b24dcb7 3361 /* fall through */
2f99c369 3362 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3363 error = file_has_perm(cred, file, FILE__SETATTR);
3364 break;
3365
3366 /* sys_ioctl() checks */
3367 case FIONBIO:
3368 /* fall through */
3369 case FIOASYNC:
3370 error = file_has_perm(cred, file, 0);
3371 break;
1da177e4 3372
0b24dcb7
EP		 3373 case KDSKBENT:
3374 case KDSKBSENT:
6a9de491
EP		 3375 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3376 SECURITY_CAP_AUDIT);
0b24dcb7
EP		 3377 break;
3378
3379 /* default case assumes that the command will go
3380 * to the file's ioctl() function.
3381 */
3382 default:
fa1aa143 3383 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3384 }
3385 return error;
1da177e4
LT		 3386}
3387
fcaaade1
SS		 3388static int default_noexec;
3389
1da177e4
LT		 3390static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3391{
88e67f3b 3392 const struct cred *cred = current_cred();
d84f4f99 3393 int rc = 0;
88e67f3b 3394
fcaaade1 3395 if (default_noexec &&
892e8cac
SS		 3396 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3397 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3398 /*
3399 * We are making executable an anonymous mapping or a
3400 * private file mapping that will also be writable.
3401 * This has an additional check.
3402 */
d84f4f99 3403 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 3404 if (rc)
d84f4f99 3405 goto error;
1da177e4 3406 }
1da177e4
LT		 3407
3408 if (file) {
3409 /* read access is always possible with a mapping */
3410 u32 av = FILE__READ;
3411
3412 /* write access only matters if the mapping is shared */
3413 if (shared && (prot & PROT_WRITE))
3414 av |= FILE__WRITE;
3415
3416 if (prot & PROT_EXEC)
3417 av |= FILE__EXECUTE;
3418
88e67f3b 3419 return file_has_perm(cred, file, av);
1da177e4 3420 }
d84f4f99
DH		 3421
3422error:
3423 return rc;
1da177e4
LT		 3424}
3425
e5467859 3426static int selinux_mmap_addr(unsigned long addr)
1da177e4 3427{
b1d9e6b0 3428 int rc = 0;
1da177e4 3429
a2551df7 3430 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3431 u32 sid = current_sid();
ed032189
EP		 3432 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3433 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3434 }
3435
98883bfd 3436 return rc;
e5467859 3437}
1da177e4 3438
e5467859
AV		 3439static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3440 unsigned long prot, unsigned long flags)
3441{
1da177e4
LT		 3442 if (selinux_checkreqprot)
3443 prot = reqprot;
3444
3445 return file_map_prot_check(file, prot,
3446 (flags & MAP_TYPE) == MAP_SHARED);
3447}
3448
3449static int selinux_file_mprotect(struct vm_area_struct *vma,
3450 unsigned long reqprot,
3451 unsigned long prot)
3452{
88e67f3b 3453 const struct cred *cred = current_cred();
1da177e4
LT		 3454
3455 if (selinux_checkreqprot)
3456 prot = reqprot;
3457
fcaaade1
SS		 3458 if (default_noexec &&
3459 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3460 int rc = 0;
db4c9641
SS		 3461 if (vma->vm_start >= vma->vm_mm->start_brk &&
3462 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3463 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641
SS		 3464 } else if (!vma->vm_file &&
3465 vma->vm_start <= vma->vm_mm->start_stack &&
3466 vma->vm_end >= vma->vm_mm->start_stack) {
3b11a1de 3467 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3468 } else if (vma->vm_file && vma->anon_vma) {
3469 /*
3470 * We are making executable a file mapping that has
3471 * had some COW done. Since pages might have been
3472 * written, check ability to execute the possibly
3473 * modified content. This typically should only
3474 * occur for text relocations.
3475 */
d84f4f99 3476 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3477 }