projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
selinux: Set the peer label correctly on connected UNIX domain sockets
[deliverable/linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4
PM		 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul.moore@hp.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4
LT		 26#include <linux/init.h>
27#include <linux/kernel.h>
0d094efe 28#include <linux/tracehook.h>
1da177e4
LT		 29#include <linux/errno.h>
30#include <linux/sched.h>
31#include <linux/security.h>
32#include <linux/xattr.h>
33#include <linux/capability.h>
34#include <linux/unistd.h>
35#include <linux/mm.h>
36#include <linux/mman.h>
37#include <linux/slab.h>
38#include <linux/pagemap.h>
39#include <linux/swap.h>
1da177e4
LT		 40#include <linux/spinlock.h>
41#include <linux/syscalls.h>
42#include <linux/file.h>
9f3acc31 43#include <linux/fdtable.h>
1da177e4
LT		 44#include <linux/namei.h>
45#include <linux/mount.h>
1da177e4 46#include <linux/proc_fs.h>
1da177e4
LT		 47#include <linux/netfilter_ipv4.h>
48#include <linux/netfilter_ipv6.h>
49#include <linux/tty.h>
50#include <net/icmp.h>
227b60f5 51#include <net/ip.h> /* for local_port_range[] */
1da177e4 52#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
220deb96 53#include <net/net_namespace.h>
d621d35e 54#include <net/netlabel.h>
f5269710 55#include <linux/uaccess.h>
1da177e4 56#include <asm/ioctls.h>
d621d35e 57#include <asm/atomic.h>
1da177e4
LT		 58#include <linux/bitops.h>
59#include <linux/interrupt.h>
60#include <linux/netdevice.h> /* for network interface checks */
61#include <linux/netlink.h>
62#include <linux/tcp.h>
63#include <linux/udp.h>
2ee92d46 64#include <linux/dccp.h>
1da177e4
LT		 65#include <linux/quota.h>
66#include <linux/un.h> /* for Unix socket types */
67#include <net/af_unix.h> /* for Unix socket types */
68#include <linux/parser.h>
69#include <linux/nfs_mount.h>
70#include <net/ipv6.h>
71#include <linux/hugetlb.h>
72#include <linux/personality.h>
73#include <linux/sysctl.h>
74#include <linux/audit.h>
6931dfc9 75#include <linux/string.h>
877ce7c1 76#include <linux/selinux.h>
23970741 77#include <linux/mutex.h>
f06febc9 78#include <linux/posix-timers.h>
00234592 79#include <linux/syslog.h>
1da177e4
LT		 80
81#include "avc.h"
82#include "objsec.h"
83#include "netif.h"
224dfbd8 84#include "netnode.h"
3e112172 85#include "netport.h"
d28d1e08 86#include "xfrm.h"
c60475bf 87#include "netlabel.h"
9d57a7f9 88#include "audit.h"
1da177e4
LT		 89
90#define XATTR_SELINUX_SUFFIX "selinux"
91#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
92
11689d47 93#define NUM_SEL_MNT_OPTS 5
c9180a57 94
1da177e4 95extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
20510f2f 96extern struct security_operations *security_ops;
1da177e4 97
d621d35e
PM		 98/* SECMARK reference count */
99atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100
1da177e4 101#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 102int selinux_enforcing;
1da177e4
LT		 103
104static int __init enforcing_setup(char *str)
105{
f5269710
EP		 106 unsigned long enforcing;
107 if (!strict_strtoul(str, 0, &enforcing))
108 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 109 return 1;
110}
111__setup("enforcing=", enforcing_setup);
112#endif
113
114#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116
117static int __init selinux_enabled_setup(char *str)
118{
f5269710
EP		 119 unsigned long enabled;
120 if (!strict_strtoul(str, 0, &enabled))
121 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 122 return 1;
123}
124__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 125#else
126int selinux_enabled = 1;
1da177e4
LT		 127#endif
128
e18b890b 129static struct kmem_cache *sel_inode_cache;
7cae7e26 130
d621d35e
PM		 131/**
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133 *
134 * Description:
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
138 * enabled, false (0) if SECMARK is disabled.
139 *
140 */
141static int selinux_secmark_enabled(void)
142{
143 return (atomic_read(&selinux_secmark_refcount) > 0);
144}
145
d84f4f99
DH		 146/*
147 * initialise the security for the init task
148 */
149static void cred_init_security(void)
1da177e4 150{
3b11a1de 151 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 152 struct task_security_struct *tsec;
153
89d155ef 154 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 155 if (!tsec)
d84f4f99 156 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 157
d84f4f99 158 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 159 cred->security = tsec;
1da177e4
LT		 160}
161
88e67f3b
DH		 162/*
163 * get the security ID of a set of credentials
164 */
165static inline u32 cred_sid(const struct cred *cred)
166{
167 const struct task_security_struct *tsec;
168
169 tsec = cred->security;
170 return tsec->sid;
171}
172
275bb41e 173/*
3b11a1de 174 * get the objective security ID of a task
275bb41e
DH		 175 */
176static inline u32 task_sid(const struct task_struct *task)
177{
275bb41e
DH		 178 u32 sid;
179
180 rcu_read_lock();
88e67f3b 181 sid = cred_sid(__task_cred(task));
275bb41e
DH		 182 rcu_read_unlock();
183 return sid;
184}
185
186/*
3b11a1de 187 * get the subjective security ID of the current task
275bb41e
DH		 188 */
189static inline u32 current_sid(void)
190{
191 const struct task_security_struct *tsec = current_cred()->security;
192
193 return tsec->sid;
194}
195
88e67f3b
DH		 196/* Allocate and free functions for each kind of security blob. */
197
1da177e4
LT		 198static int inode_alloc_security(struct inode *inode)
199{
1da177e4 200 struct inode_security_struct *isec;
275bb41e 201 u32 sid = current_sid();
1da177e4 202
a02fe132 203 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 204 if (!isec)
205 return -ENOMEM;
206
23970741 207 mutex_init(&isec->lock);
1da177e4 208 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 209 isec->inode = inode;
210 isec->sid = SECINITSID_UNLABELED;
211 isec->sclass = SECCLASS_FILE;
275bb41e 212 isec->task_sid = sid;
1da177e4
LT		 213 inode->i_security = isec;
214
215 return 0;
216}
217
218static void inode_free_security(struct inode *inode)
219{
220 struct inode_security_struct *isec = inode->i_security;
221 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
222
1da177e4
LT		 223 spin_lock(&sbsec->isec_lock);
224 if (!list_empty(&isec->list))
225 list_del_init(&isec->list);
226 spin_unlock(&sbsec->isec_lock);
227
228 inode->i_security = NULL;
7cae7e26 229 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 230}
231
232static int file_alloc_security(struct file *file)
233{
1da177e4 234 struct file_security_struct *fsec;
275bb41e 235 u32 sid = current_sid();
1da177e4 236
26d2a4be 237 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 238 if (!fsec)
239 return -ENOMEM;
240
275bb41e
DH		 241 fsec->sid = sid;
242 fsec->fown_sid = sid;
1da177e4
LT		 243 file->f_security = fsec;
244
245 return 0;
246}
247
248static void file_free_security(struct file *file)
249{
250 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 251 file->f_security = NULL;
252 kfree(fsec);
253}
254
255static int superblock_alloc_security(struct super_block *sb)
256{
257 struct superblock_security_struct *sbsec;
258
89d155ef 259 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 260 if (!sbsec)
261 return -ENOMEM;
262
bc7e982b 263 mutex_init(&sbsec->lock);
1da177e4
LT		 264 INIT_LIST_HEAD(&sbsec->isec_head);
265 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 266 sbsec->sb = sb;
267 sbsec->sid = SECINITSID_UNLABELED;
268 sbsec->def_sid = SECINITSID_FILE;
c312feb2 269 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 270 sb->s_security = sbsec;
271
272 return 0;
273}
274
275static void superblock_free_security(struct super_block *sb)
276{
277 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 278 sb->s_security = NULL;
279 kfree(sbsec);
280}
281
7d877f3b 282static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4 283{
dd3e7836 284 struct sk_security_struct *sksec;
1da177e4 285
dd3e7836
EP		 286 sksec = kzalloc(sizeof(*sksec), priority);
287 if (!sksec)
1da177e4
LT		 288 return -ENOMEM;
289
dd3e7836
EP		 290 sksec->peer_sid = SECINITSID_UNLABELED;
291 sksec->sid = SECINITSID_UNLABELED;
292 sk->sk_security = sksec;
1da177e4 293
dd3e7836 294 selinux_netlbl_sk_security_reset(sksec);
99f59ed0 295
1da177e4
LT		 296 return 0;
297}
298
299static void sk_free_security(struct sock *sk)
300{
dd3e7836 301 struct sk_security_struct *sksec = sk->sk_security;
1da177e4 302
1da177e4 303 sk->sk_security = NULL;
dd3e7836
EP		 304 selinux_netlbl_sk_security_free(sksec);
305 kfree(sksec);
1da177e4 306}
1da177e4
LT		 307
308/* The security server must be initialized before
309 any labeling or access decisions can be provided. */
310extern int ss_initialized;
311
312/* The file system's label must be initialized prior to use. */
313
634a539e 314static const char *labeling_behaviors[6] = {
1da177e4
LT		 315 "uses xattr",
316 "uses transition SIDs",
317 "uses task SIDs",
318 "uses genfs_contexts",
319 "not configured for labeling",
320 "uses mountpoint labeling",
321};
322
323static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
324
325static inline int inode_doinit(struct inode *inode)
326{
327 return inode_doinit_with_dentry(inode, NULL);
328}
329
330enum {
31e87930 331 Opt_error = -1,
1da177e4
LT		 332 Opt_context = 1,
333 Opt_fscontext = 2,
c9180a57
EP		 334 Opt_defcontext = 3,
335 Opt_rootcontext = 4,
11689d47 336 Opt_labelsupport = 5,
1da177e4
LT		 337};
338
a447c093 339static const match_table_t tokens = {
832cbd9a
EP		 340 {Opt_context, CONTEXT_STR "%s"},
341 {Opt_fscontext, FSCONTEXT_STR "%s"},
342 {Opt_defcontext, DEFCONTEXT_STR "%s"},
343 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 344 {Opt_labelsupport, LABELSUPP_STR},
31e87930 345 {Opt_error, NULL},
1da177e4
LT		 346};
347
348#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
349
c312feb2
EP		 350static int may_context_mount_sb_relabel(u32 sid,
351 struct superblock_security_struct *sbsec,
275bb41e 352 const struct cred *cred)
c312feb2 353{
275bb41e 354 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 355 int rc;
356
357 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358 FILESYSTEM__RELABELFROM, NULL);
359 if (rc)
360 return rc;
361
362 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
363 FILESYSTEM__RELABELTO, NULL);
364 return rc;
365}
366
0808925e
EP		 367static int may_context_mount_inode_relabel(u32 sid,
368 struct superblock_security_struct *sbsec,
275bb41e 369 const struct cred *cred)
0808925e 370{
275bb41e 371 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 372 int rc;
373 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
374 FILESYSTEM__RELABELFROM, NULL);
375 if (rc)
376 return rc;
377
378 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
379 FILESYSTEM__ASSOCIATE, NULL);
380 return rc;
381}
382
c9180a57 383static int sb_finish_set_opts(struct super_block *sb)
1da177e4 384{
1da177e4 385 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 386 struct dentry *root = sb->s_root;
387 struct inode *root_inode = root->d_inode;
388 int rc = 0;
1da177e4 389
c9180a57
EP		 390 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
391 /* Make sure that the xattr handler exists and that no
392 error other than -ENODATA is returned by getxattr on
393 the root directory. -ENODATA is ok, as this may be
394 the first boot of the SELinux kernel before we have
395 assigned xattr values to the filesystem. */
396 if (!root_inode->i_op->getxattr) {
397 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
398 "xattr support\n", sb->s_id, sb->s_type->name);
399 rc = -EOPNOTSUPP;
400 goto out;
401 }
402 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
403 if (rc < 0 && rc != -ENODATA) {
404 if (rc == -EOPNOTSUPP)
405 printk(KERN_WARNING "SELinux: (dev %s, type "
406 "%s) has no security xattr handler\n",
407 sb->s_id, sb->s_type->name);
408 else
409 printk(KERN_WARNING "SELinux: (dev %s, type "
410 "%s) getxattr errno %d\n", sb->s_id,
411 sb->s_type->name, -rc);
412 goto out;
413 }
414 }
1da177e4 415
11689d47 416 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
1da177e4 417
c9180a57
EP		 418 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
419 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
420 sb->s_id, sb->s_type->name);
421 else
422 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
423 sb->s_id, sb->s_type->name,
424 labeling_behaviors[sbsec->behavior-1]);
1da177e4 425
11689d47
DQ		 426 if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
427 sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
428 sbsec->behavior == SECURITY_FS_USE_NONE ||
429 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
430 sbsec->flags &= ~SE_SBLABELSUPP;
431
ddd29ec6
DQ		 432 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
433 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
434 sbsec->flags |= SE_SBLABELSUPP;
435
c9180a57
EP		 436 /* Initialize the root inode. */
437 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 438
c9180a57
EP		 439 /* Initialize any other inodes associated with the superblock, e.g.
440 inodes created prior to initial policy load or inodes created
441 during get_sb by a pseudo filesystem that directly
442 populates itself. */
443 spin_lock(&sbsec->isec_lock);
444next_inode:
445 if (!list_empty(&sbsec->isec_head)) {
446 struct inode_security_struct *isec =
447 list_entry(sbsec->isec_head.next,
448 struct inode_security_struct, list);
449 struct inode *inode = isec->inode;
450 spin_unlock(&sbsec->isec_lock);
451 inode = igrab(inode);
452 if (inode) {
453 if (!IS_PRIVATE(inode))
454 inode_doinit(inode);
455 iput(inode);
456 }
457 spin_lock(&sbsec->isec_lock);
458 list_del_init(&isec->list);
459 goto next_inode;
460 }
461 spin_unlock(&sbsec->isec_lock);
462out:
463 return rc;
464}
1da177e4 465
c9180a57
EP		 466/*
467 * This function should allow an FS to ask what it's mount security
468 * options were so it can use those later for submounts, displaying
469 * mount options, or whatever.
470 */
471static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 472 struct security_mnt_opts *opts)
c9180a57
EP		 473{
474 int rc = 0, i;
475 struct superblock_security_struct *sbsec = sb->s_security;
476 char *context = NULL;
477 u32 len;
478 char tmp;
1da177e4 479
e0007529 480 security_init_mnt_opts(opts);
1da177e4 481
0d90a7ec 482 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 483 return -EINVAL;
1da177e4 484
c9180a57
EP		 485 if (!ss_initialized)
486 return -EINVAL;
1da177e4 487
0d90a7ec 488 tmp = sbsec->flags & SE_MNTMASK;
c9180a57
EP		 489 /* count the number of mount options for this sb */
490 for (i = 0; i < 8; i++) {
491 if (tmp & 0x01)
e0007529 492 opts->num_mnt_opts++;
c9180a57
EP		 493 tmp >>= 1;
494 }
11689d47
DQ		 495 /* Check if the Label support flag is set */
496 if (sbsec->flags & SE_SBLABELSUPP)
497 opts->num_mnt_opts++;
1da177e4 498
e0007529
EP		 499 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
500 if (!opts->mnt_opts) {
c9180a57
EP		 501 rc = -ENOMEM;
502 goto out_free;
503 }
1da177e4 504
e0007529
EP		 505 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
506 if (!opts->mnt_opts_flags) {
c9180a57
EP		 507 rc = -ENOMEM;
508 goto out_free;
509 }
1da177e4 510
c9180a57
EP		 511 i = 0;
512 if (sbsec->flags & FSCONTEXT_MNT) {
513 rc = security_sid_to_context(sbsec->sid, &context, &len);
514 if (rc)
515 goto out_free;
e0007529
EP		 516 opts->mnt_opts[i] = context;
517 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 518 }
519 if (sbsec->flags & CONTEXT_MNT) {
520 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
521 if (rc)
522 goto out_free;
e0007529
EP		 523 opts->mnt_opts[i] = context;
524 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 525 }
526 if (sbsec->flags & DEFCONTEXT_MNT) {
527 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
528 if (rc)
529 goto out_free;
e0007529
EP		 530 opts->mnt_opts[i] = context;
531 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 532 }
533 if (sbsec->flags & ROOTCONTEXT_MNT) {
534 struct inode *root = sbsec->sb->s_root->d_inode;
535 struct inode_security_struct *isec = root->i_security;
0808925e 536
c9180a57
EP		 537 rc = security_sid_to_context(isec->sid, &context, &len);
538 if (rc)
539 goto out_free;
e0007529
EP		 540 opts->mnt_opts[i] = context;
541 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 542 }
11689d47
DQ		 543 if (sbsec->flags & SE_SBLABELSUPP) {
544 opts->mnt_opts[i] = NULL;
545 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
546 }
1da177e4 547
e0007529 548 BUG_ON(i != opts->num_mnt_opts);
1da177e4 549
c9180a57
EP		 550 return 0;
551
552out_free:
e0007529 553 security_free_mnt_opts(opts);
c9180a57
EP		 554 return rc;
555}
1da177e4 556
c9180a57
EP		 557static int bad_option(struct superblock_security_struct *sbsec, char flag,
558 u32 old_sid, u32 new_sid)
559{
0d90a7ec
DQ		 560 char mnt_flags = sbsec->flags & SE_MNTMASK;
561
c9180a57 562 /* check if the old mount command had the same options */
0d90a7ec 563 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 564 if (!(sbsec->flags & flag) ||
565 (old_sid != new_sid))
566 return 1;
567
568 /* check if we were passed the same options twice,
569 * aka someone passed context=a,context=b
570 */
0d90a7ec
DQ		 571 if (!(sbsec->flags & SE_SBINITIALIZED))
572 if (mnt_flags & flag)
c9180a57
EP		 573 return 1;
574 return 0;
575}
e0007529 576
c9180a57
EP		 577/*
578 * Allow filesystems with binary mount data to explicitly set mount point
579 * labeling information.
580 */
e0007529
EP		 581static int selinux_set_mnt_opts(struct super_block *sb,
582 struct security_mnt_opts *opts)
c9180a57 583{
275bb41e 584 const struct cred *cred = current_cred();
c9180a57 585 int rc = 0, i;
c9180a57
EP		 586 struct superblock_security_struct *sbsec = sb->s_security;
587 const char *name = sb->s_type->name;
089be43e
JM		 588 struct inode *inode = sbsec->sb->s_root->d_inode;
589 struct inode_security_struct *root_isec = inode->i_security;
c9180a57
EP		 590 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
591 u32 defcontext_sid = 0;
e0007529
EP		 592 char **mount_options = opts->mnt_opts;
593 int *flags = opts->mnt_opts_flags;
594 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 595
596 mutex_lock(&sbsec->lock);
597
598 if (!ss_initialized) {
599 if (!num_opts) {
600 /* Defer initialization until selinux_complete_init,
601 after the initial policy is loaded and the security
602 server is ready to handle calls. */
c9180a57
EP		 603 goto out;
604 }
605 rc = -EINVAL;
744ba35e
EP		 606 printk(KERN_WARNING "SELinux: Unable to set superblock options "
607 "before the security server is initialized\n");
1da177e4 608 goto out;
c9180a57 609 }
1da177e4 610
e0007529
EP		 611 /*
612 * Binary mount data FS will come through this function twice. Once
613 * from an explicit call and once from the generic calls from the vfs.
614 * Since the generic VFS calls will not contain any security mount data
615 * we need to skip the double mount verification.
616 *
617 * This does open a hole in which we will not notice if the first
618 * mount using this sb set explict options and a second mount using
619 * this sb does not set any security options. (The first options
620 * will be used for both mounts)
621 */
0d90a7ec 622 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 623 && (num_opts == 0))
f5269710 624 goto out;
e0007529 625
c9180a57
EP		 626 /*
627 * parse the mount options, check if they are valid sids.
628 * also check if someone is trying to mount the same sb more
629 * than once with different security options.
630 */
631 for (i = 0; i < num_opts; i++) {
632 u32 sid;
11689d47
DQ		 633
634 if (flags[i] == SE_SBLABELSUPP)
635 continue;
c9180a57
EP		 636 rc = security_context_to_sid(mount_options[i],
637 strlen(mount_options[i]), &sid);
1da177e4
LT		 638 if (rc) {
639 printk(KERN_WARNING "SELinux: security_context_to_sid"
640 "(%s) failed for (dev %s, type %s) errno=%d\n",
c9180a57
EP		 641 mount_options[i], sb->s_id, name, rc);
642 goto out;
643 }
644 switch (flags[i]) {
645 case FSCONTEXT_MNT:
646 fscontext_sid = sid;
647
648 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
649 fscontext_sid))
650 goto out_double_mount;
651
652 sbsec->flags |= FSCONTEXT_MNT;
653 break;
654 case CONTEXT_MNT:
655 context_sid = sid;
656
657 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
658 context_sid))
659 goto out_double_mount;
660
661 sbsec->flags |= CONTEXT_MNT;
662 break;
663 case ROOTCONTEXT_MNT:
664 rootcontext_sid = sid;
665
666 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
667 rootcontext_sid))
668 goto out_double_mount;
669
670 sbsec->flags |= ROOTCONTEXT_MNT;
671
672 break;
673 case DEFCONTEXT_MNT:
674 defcontext_sid = sid;
675
676 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
677 defcontext_sid))
678 goto out_double_mount;
679
680 sbsec->flags |= DEFCONTEXT_MNT;
681
682 break;
683 default:
684 rc = -EINVAL;
685 goto out;
1da177e4 686 }
c9180a57
EP		 687 }
688
0d90a7ec 689 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 690 /* previously mounted with options, but not on this attempt? */
0d90a7ec 691 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 692 goto out_double_mount;
693 rc = 0;
694 goto out;
695 }
696
089be43e 697 if (strcmp(sb->s_type->name, "proc") == 0)
0d90a7ec 698 sbsec->flags |= SE_SBPROC;
c9180a57
EP		 699
700 /* Determine the labeling behavior to use for this filesystem type. */
0d90a7ec 701 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
c9180a57
EP		 702 if (rc) {
703 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
089be43e 704 __func__, sb->s_type->name, rc);
c9180a57
EP		 705 goto out;
706 }
1da177e4 707
c9180a57
EP		 708 /* sets the context of the superblock for the fs being mounted. */
709 if (fscontext_sid) {
275bb41e 710 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 711 if (rc)
c9180a57 712 goto out;
1da177e4 713
c9180a57 714 sbsec->sid = fscontext_sid;
c312feb2
EP		 715 }
716
717 /*
718 * Switch to using mount point labeling behavior.
719 * sets the label used on all file below the mountpoint, and will set
720 * the superblock context if not already set.
721 */
c9180a57
EP		 722 if (context_sid) {
723 if (!fscontext_sid) {
275bb41e
DH		 724 rc = may_context_mount_sb_relabel(context_sid, sbsec,
725 cred);
b04ea3ce 726 if (rc)
c9180a57
EP		 727 goto out;
728 sbsec->sid = context_sid;
b04ea3ce 729 } else {
275bb41e
DH		 730 rc = may_context_mount_inode_relabel(context_sid, sbsec,
731 cred);
b04ea3ce 732 if (rc)
c9180a57 733 goto out;
b04ea3ce 734 }
c9180a57
EP		 735 if (!rootcontext_sid)
736 rootcontext_sid = context_sid;
1da177e4 737
c9180a57 738 sbsec->mntpoint_sid = context_sid;
c312feb2 739 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 740 }
741
c9180a57 742 if (rootcontext_sid) {
275bb41e
DH		 743 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
744 cred);
0808925e 745 if (rc)
c9180a57 746 goto out;
0808925e 747
c9180a57
EP		 748 root_isec->sid = rootcontext_sid;
749 root_isec->initialized = 1;
0808925e
EP		 750 }
751
c9180a57
EP		 752 if (defcontext_sid) {
753 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
754 rc = -EINVAL;
755 printk(KERN_WARNING "SELinux: defcontext option is "
756 "invalid for this filesystem type\n");
757 goto out;
1da177e4
LT		 758 }
759
c9180a57
EP		 760 if (defcontext_sid != sbsec->def_sid) {
761 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 762 sbsec, cred);
c9180a57
EP		 763 if (rc)
764 goto out;
765 }
1da177e4 766
c9180a57 767 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 768 }
769
c9180a57 770 rc = sb_finish_set_opts(sb);
1da177e4 771out:
c9180a57 772 mutex_unlock(&sbsec->lock);
1da177e4 773 return rc;
c9180a57
EP		 774out_double_mount:
775 rc = -EINVAL;
776 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
777 "security settings for (dev %s, type %s)\n", sb->s_id, name);
778 goto out;
1da177e4
LT		 779}
780
c9180a57
EP		 781static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
782 struct super_block *newsb)
1da177e4 783{
c9180a57
EP		 784 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
785 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 786
c9180a57
EP		 787 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
788 int set_context = (oldsbsec->flags & CONTEXT_MNT);
789 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 790
0f5e6420
EP		 791 /*
792 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 793 * mount options. thus we can safely deal with this superblock later
0f5e6420 794 */
e8c26255 795 if (!ss_initialized)
0f5e6420 796 return;
c9180a57 797
c9180a57 798 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 799 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 800
5a552617 801 /* if fs is reusing a sb, just let its options stand... */
0d90a7ec 802 if (newsbsec->flags & SE_SBINITIALIZED)
5a552617
EP		 803 return;
804
c9180a57
EP		 805 mutex_lock(&newsbsec->lock);
806
807 newsbsec->flags = oldsbsec->flags;
808
809 newsbsec->sid = oldsbsec->sid;
810 newsbsec->def_sid = oldsbsec->def_sid;
811 newsbsec->behavior = oldsbsec->behavior;
812
813 if (set_context) {
814 u32 sid = oldsbsec->mntpoint_sid;
815
816 if (!set_fscontext)
817 newsbsec->sid = sid;
818 if (!set_rootcontext) {
819 struct inode *newinode = newsb->s_root->d_inode;
820 struct inode_security_struct *newisec = newinode->i_security;
821 newisec->sid = sid;
822 }
823 newsbsec->mntpoint_sid = sid;
1da177e4 824 }
c9180a57
EP		 825 if (set_rootcontext) {
826 const struct inode *oldinode = oldsb->s_root->d_inode;
827 const struct inode_security_struct *oldisec = oldinode->i_security;
828 struct inode *newinode = newsb->s_root->d_inode;
829 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 830
c9180a57 831 newisec->sid = oldisec->sid;
1da177e4
LT		 832 }
833
c9180a57
EP		 834 sb_finish_set_opts(newsb);
835 mutex_unlock(&newsbsec->lock);
836}
837
2e1479d9
AB		 838static int selinux_parse_opts_str(char *options,
839 struct security_mnt_opts *opts)
c9180a57 840{
e0007529 841 char *p;
c9180a57
EP		 842 char *context = NULL, *defcontext = NULL;
843 char *fscontext = NULL, *rootcontext = NULL;
e0007529 844 int rc, num_mnt_opts = 0;
1da177e4 845
e0007529 846 opts->num_mnt_opts = 0;
1da177e4 847
c9180a57
EP		 848 /* Standard string-based options. */
849 while ((p = strsep(&options, "|")) != NULL) {
850 int token;
851 substring_t args[MAX_OPT_ARGS];
1da177e4 852
c9180a57
EP		 853 if (!*p)
854 continue;
1da177e4 855
c9180a57 856 token = match_token(p, tokens, args);
1da177e4 857
c9180a57
EP		 858 switch (token) {
859 case Opt_context:
860 if (context || defcontext) {
861 rc = -EINVAL;
862 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
863 goto out_err;
864 }
865 context = match_strdup(&args[0]);
866 if (!context) {
867 rc = -ENOMEM;
868 goto out_err;
869 }
870 break;
871
872 case Opt_fscontext:
873 if (fscontext) {
874 rc = -EINVAL;
875 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
876 goto out_err;
877 }
878 fscontext = match_strdup(&args[0]);
879 if (!fscontext) {
880 rc = -ENOMEM;
881 goto out_err;
882 }
883 break;
884
885 case Opt_rootcontext:
886 if (rootcontext) {
887 rc = -EINVAL;
888 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
889 goto out_err;
890 }
891 rootcontext = match_strdup(&args[0]);
892 if (!rootcontext) {
893 rc = -ENOMEM;
894 goto out_err;
895 }
896 break;
897
898 case Opt_defcontext:
899 if (context || defcontext) {
900 rc = -EINVAL;
901 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
902 goto out_err;
903 }
904 defcontext = match_strdup(&args[0]);
905 if (!defcontext) {
906 rc = -ENOMEM;
907 goto out_err;
908 }
909 break;
11689d47
DQ		 910 case Opt_labelsupport:
911 break;
c9180a57
EP		 912 default:
913 rc = -EINVAL;
914 printk(KERN_WARNING "SELinux: unknown mount option\n");
915 goto out_err;
1da177e4 916
1da177e4 917 }
1da177e4 918 }
c9180a57 919
e0007529
EP		 920 rc = -ENOMEM;
921 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
922 if (!opts->mnt_opts)
923 goto out_err;
924
925 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
926 if (!opts->mnt_opts_flags) {
927 kfree(opts->mnt_opts);
928 goto out_err;
929 }
930
c9180a57 931 if (fscontext) {
e0007529
EP		 932 opts->mnt_opts[num_mnt_opts] = fscontext;
933 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 934 }
935 if (context) {
e0007529
EP		 936 opts->mnt_opts[num_mnt_opts] = context;
937 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 938 }
939 if (rootcontext) {
e0007529
EP		 940 opts->mnt_opts[num_mnt_opts] = rootcontext;
941 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 942 }
943 if (defcontext) {
e0007529
EP		 944 opts->mnt_opts[num_mnt_opts] = defcontext;
945 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 946 }
947
e0007529
EP		 948 opts->num_mnt_opts = num_mnt_opts;
949 return 0;
950
c9180a57
EP		 951out_err:
952 kfree(context);
953 kfree(defcontext);
954 kfree(fscontext);
955 kfree(rootcontext);
1da177e4
LT		 956 return rc;
957}
e0007529
EP		 958/*
959 * string mount options parsing and call set the sbsec
960 */
961static int superblock_doinit(struct super_block *sb, void *data)
962{
963 int rc = 0;
964 char *options = data;
965 struct security_mnt_opts opts;
966
967 security_init_mnt_opts(&opts);
968
969 if (!data)
970 goto out;
971
972 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
973
974 rc = selinux_parse_opts_str(options, &opts);
975 if (rc)
976 goto out_err;
977
978out:
979 rc = selinux_set_mnt_opts(sb, &opts);
980
981out_err:
982 security_free_mnt_opts(&opts);
983 return rc;
984}
1da177e4 985
3583a711
AB		 986static void selinux_write_opts(struct seq_file *m,
987 struct security_mnt_opts *opts)
2069f457
EP		 988{
989 int i;
990 char *prefix;
991
992 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 993 char *has_comma;
994
995 if (opts->mnt_opts[i])
996 has_comma = strchr(opts->mnt_opts[i], ',');
997 else
998 has_comma = NULL;
2069f457
EP		 999
1000 switch (opts->mnt_opts_flags[i]) {
1001 case CONTEXT_MNT:
1002 prefix = CONTEXT_STR;
1003 break;
1004 case FSCONTEXT_MNT:
1005 prefix = FSCONTEXT_STR;
1006 break;
1007 case ROOTCONTEXT_MNT:
1008 prefix = ROOTCONTEXT_STR;
1009 break;
1010 case DEFCONTEXT_MNT:
1011 prefix = DEFCONTEXT_STR;
1012 break;
11689d47
DQ		 1013 case SE_SBLABELSUPP:
1014 seq_putc(m, ',');
1015 seq_puts(m, LABELSUPP_STR);
1016 continue;
2069f457
EP		 1017 default:
1018 BUG();
1019 };
1020 /* we need a comma before each option */
1021 seq_putc(m, ',');
1022 seq_puts(m, prefix);
1023 if (has_comma)
1024 seq_putc(m, '\"');
1025 seq_puts(m, opts->mnt_opts[i]);
1026 if (has_comma)
1027 seq_putc(m, '\"');
1028 }
1029}
1030
1031static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1032{
1033 struct security_mnt_opts opts;
1034 int rc;
1035
1036 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1037 if (rc) {
1038 /* before policy load we may get EINVAL, don't show anything */
1039 if (rc == -EINVAL)
1040 rc = 0;
2069f457 1041 return rc;
383795c2 1042 }
2069f457
EP		 1043
1044 selinux_write_opts(m, &opts);
1045
1046 security_free_mnt_opts(&opts);
1047
1048 return rc;
1049}
1050
1da177e4
LT		 1051static inline u16 inode_mode_to_security_class(umode_t mode)
1052{
1053 switch (mode & S_IFMT) {
1054 case S_IFSOCK:
1055 return SECCLASS_SOCK_FILE;
1056 case S_IFLNK:
1057 return SECCLASS_LNK_FILE;
1058 case S_IFREG:
1059 return SECCLASS_FILE;
1060 case S_IFBLK:
1061 return SECCLASS_BLK_FILE;
1062 case S_IFDIR:
1063 return SECCLASS_DIR;
1064 case S_IFCHR:
1065 return SECCLASS_CHR_FILE;
1066 case S_IFIFO:
1067 return SECCLASS_FIFO_FILE;
1068
1069 }
1070
1071 return SECCLASS_FILE;
1072}
1073
13402580
JM		 1074static inline int default_protocol_stream(int protocol)
1075{
1076 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1077}
1078
1079static inline int default_protocol_dgram(int protocol)
1080{
1081 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1082}
1083
1da177e4
LT		 1084static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1085{
1086 switch (family) {
1087 case PF_UNIX:
1088 switch (type) {
1089 case SOCK_STREAM:
1090 case SOCK_SEQPACKET:
1091 return SECCLASS_UNIX_STREAM_SOCKET;
1092 case SOCK_DGRAM:
1093 return SECCLASS_UNIX_DGRAM_SOCKET;
1094 }
1095 break;
1096 case PF_INET:
1097 case PF_INET6:
1098 switch (type) {
1099 case SOCK_STREAM:
13402580
JM		 1100 if (default_protocol_stream(protocol))
1101 return SECCLASS_TCP_SOCKET;
1102 else
1103 return SECCLASS_RAWIP_SOCKET;
1da177e4 1104 case SOCK_DGRAM:
13402580
JM		 1105 if (default_protocol_dgram(protocol))
1106 return SECCLASS_UDP_SOCKET;
1107 else
1108 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1109 case SOCK_DCCP:
1110 return SECCLASS_DCCP_SOCKET;
13402580 1111 default:
1da177e4
LT		 1112 return SECCLASS_RAWIP_SOCKET;
1113 }
1114 break;
1115 case PF_NETLINK:
1116 switch (protocol) {
1117 case NETLINK_ROUTE:
1118 return SECCLASS_NETLINK_ROUTE_SOCKET;
1119 case NETLINK_FIREWALL:
1120 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 1121 case NETLINK_INET_DIAG:
1da177e4
LT		 1122 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1123 case NETLINK_NFLOG:
1124 return SECCLASS_NETLINK_NFLOG_SOCKET;
1125 case NETLINK_XFRM:
1126 return SECCLASS_NETLINK_XFRM_SOCKET;
1127 case NETLINK_SELINUX:
1128 return SECCLASS_NETLINK_SELINUX_SOCKET;
1129 case NETLINK_AUDIT:
1130 return SECCLASS_NETLINK_AUDIT_SOCKET;
1131 case NETLINK_IP6_FW:
1132 return SECCLASS_NETLINK_IP6FW_SOCKET;
1133 case NETLINK_DNRTMSG:
1134 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1135 case NETLINK_KOBJECT_UEVENT:
1136 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1137 default:
1138 return SECCLASS_NETLINK_SOCKET;
1139 }
1140 case PF_PACKET:
1141 return SECCLASS_PACKET_SOCKET;
1142 case PF_KEY:
1143 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1144 case PF_APPLETALK:
1145 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1146 }
1147
1148 return SECCLASS_SOCKET;
1149}
1150
1151#ifdef CONFIG_PROC_FS
1152static int selinux_proc_get_sid(struct proc_dir_entry *de,
1153 u16 tclass,
1154 u32 *sid)
1155{
1156 int buflen, rc;
1157 char *buffer, *path, *end;
1158
828dfe1d 1159 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1160 if (!buffer)
1161 return -ENOMEM;
1162
1163 buflen = PAGE_SIZE;
1164 end = buffer+buflen;
1165 *--end = '\0';
1166 buflen--;
1167 path = end-1;
1168 *path = '/';
1169 while (de && de != de->parent) {
1170 buflen -= de->namelen + 1;
1171 if (buflen < 0)
1172 break;
1173 end -= de->namelen;
1174 memcpy(end, de->name, de->namelen);
1175 *--end = '/';
1176 path = end;
1177 de = de->parent;
1178 }
1179 rc = security_genfs_sid("proc", path, tclass, sid);
1180 free_page((unsigned long)buffer);
1181 return rc;
1182}
1183#else
1184static int selinux_proc_get_sid(struct proc_dir_entry *de,
1185 u16 tclass,
1186 u32 *sid)
1187{
1188 return -EINVAL;
1189}
1190#endif
1191
1192/* The inode's security attributes must be initialized before first use. */
1193static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1194{
1195 struct superblock_security_struct *sbsec = NULL;
1196 struct inode_security_struct *isec = inode->i_security;
1197 u32 sid;
1198 struct dentry *dentry;
1199#define INITCONTEXTLEN 255
1200 char *context = NULL;
1201 unsigned len = 0;
1202 int rc = 0;
1da177e4
LT		 1203
1204 if (isec->initialized)
1205 goto out;
1206
23970741 1207 mutex_lock(&isec->lock);
1da177e4 1208 if (isec->initialized)
23970741 1209 goto out_unlock;
1da177e4
LT		 1210
1211 sbsec = inode->i_sb->s_security;
0d90a7ec 1212 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1213 /* Defer initialization until selinux_complete_init,
1214 after the initial policy is loaded and the security
1215 server is ready to handle calls. */
1216 spin_lock(&sbsec->isec_lock);
1217 if (list_empty(&isec->list))
1218 list_add(&isec->list, &sbsec->isec_head);
1219 spin_unlock(&sbsec->isec_lock);
23970741 1220 goto out_unlock;
1da177e4
LT		 1221 }
1222
1223 switch (sbsec->behavior) {
1224 case SECURITY_FS_USE_XATTR:
1225 if (!inode->i_op->getxattr) {
1226 isec->sid = sbsec->def_sid;
1227 break;
1228 }
1229
1230 /* Need a dentry, since the xattr API requires one.
1231 Life would be simpler if we could just pass the inode. */
1232 if (opt_dentry) {
1233 /* Called from d_instantiate or d_splice_alias. */
1234 dentry = dget(opt_dentry);
1235 } else {
1236 /* Called from selinux_complete_init, try to find a dentry. */
1237 dentry = d_find_alias(inode);
1238 }
1239 if (!dentry) {
df7f54c0
EP		 1240 /*
1241 * this is can be hit on boot when a file is accessed
1242 * before the policy is loaded. When we load policy we
1243 * may find inodes that have no dentry on the
1244 * sbsec->isec_head list. No reason to complain as these
1245 * will get fixed up the next time we go through
1246 * inode_doinit with a dentry, before these inodes could
1247 * be used again by userspace.
1248 */
23970741 1249 goto out_unlock;
1da177e4
LT		 1250 }
1251
1252 len = INITCONTEXTLEN;
4cb912f1 1253 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1254 if (!context) {
1255 rc = -ENOMEM;
1256 dput(dentry);
23970741 1257 goto out_unlock;
1da177e4 1258 }
4cb912f1 1259 context[len] = '\0';
1da177e4
LT		 1260 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1261 context, len);
1262 if (rc == -ERANGE) {
314dabb8
JM		 1263 kfree(context);
1264
1da177e4
LT		 1265 /* Need a larger buffer. Query for the right size. */
1266 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1267 NULL, 0);
1268 if (rc < 0) {
1269 dput(dentry);
23970741 1270 goto out_unlock;
1da177e4 1271 }
1da177e4 1272 len = rc;
4cb912f1 1273 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1274 if (!context) {
1275 rc = -ENOMEM;
1276 dput(dentry);
23970741 1277 goto out_unlock;
1da177e4 1278 }
4cb912f1 1279 context[len] = '\0';
1da177e4
LT		 1280 rc = inode->i_op->getxattr(dentry,
1281 XATTR_NAME_SELINUX,
1282 context, len);
1283 }
1284 dput(dentry);
1285 if (rc < 0) {
1286 if (rc != -ENODATA) {
744ba35e 1287 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1288 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1289 -rc, inode->i_sb->s_id, inode->i_ino);
1290 kfree(context);
23970741 1291 goto out_unlock;
1da177e4
LT		 1292 }
1293 /* Map ENODATA to the default file SID */
1294 sid = sbsec->def_sid;
1295 rc = 0;
1296 } else {
f5c1d5b2 1297 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1298 sbsec->def_sid,
1299 GFP_NOFS);
1da177e4 1300 if (rc) {
4ba0a8ad
EP		 1301 char *dev = inode->i_sb->s_id;
1302 unsigned long ino = inode->i_ino;
1303
1304 if (rc == -EINVAL) {
1305 if (printk_ratelimit())
1306 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1307 "context=%s. This indicates you may need to relabel the inode or the "
1308 "filesystem in question.\n", ino, dev, context);
1309 } else {
1310 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1311 "returned %d for dev=%s ino=%ld\n",
1312 __func__, context, -rc, dev, ino);
1313 }
1da177e4
LT		 1314 kfree(context);
1315 /* Leave with the unlabeled SID */
1316 rc = 0;
1317 break;
1318 }
1319 }
1320 kfree(context);
1321 isec->sid = sid;
1322 break;
1323 case SECURITY_FS_USE_TASK:
1324 isec->sid = isec->task_sid;
1325 break;
1326 case SECURITY_FS_USE_TRANS:
1327 /* Default to the fs SID. */
1328 isec->sid = sbsec->sid;
1329
1330 /* Try to obtain a transition SID. */
1331 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1332 rc = security_transition_sid(isec->task_sid,
1333 sbsec->sid,
1334 isec->sclass,
1335 &sid);
1336 if (rc)
23970741 1337 goto out_unlock;
1da177e4
LT		 1338 isec->sid = sid;
1339 break;
c312feb2
EP		 1340 case SECURITY_FS_USE_MNTPOINT:
1341 isec->sid = sbsec->mntpoint_sid;
1342 break;
1da177e4 1343 default:
c312feb2 1344 /* Default to the fs superblock SID. */
1da177e4
LT		 1345 isec->sid = sbsec->sid;
1346
0d90a7ec 1347 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1da177e4
LT		 1348 struct proc_inode *proci = PROC_I(inode);
1349 if (proci->pde) {
1350 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1351 rc = selinux_proc_get_sid(proci->pde,
1352 isec->sclass,
1353 &sid);
1354 if (rc)
23970741 1355 goto out_unlock;
1da177e4
LT		 1356 isec->sid = sid;
1357 }
1358 }
1359 break;
1360 }
1361
1362 isec->initialized = 1;
1363
23970741
EP		 1364out_unlock:
1365 mutex_unlock(&isec->lock);
1da177e4
LT		 1366out:
1367 if (isec->sclass == SECCLASS_FILE)
1368 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1369 return rc;
1370}
1371
1372/* Convert a Linux signal to an access vector. */
1373static inline u32 signal_to_av(int sig)
1374{
1375 u32 perm = 0;
1376
1377 switch (sig) {
1378 case SIGCHLD:
1379 /* Commonly granted from child to parent. */
1380 perm = PROCESS__SIGCHLD;
1381 break;
1382 case SIGKILL:
1383 /* Cannot be caught or ignored */
1384 perm = PROCESS__SIGKILL;
1385 break;
1386 case SIGSTOP:
1387 /* Cannot be caught or ignored */
1388 perm = PROCESS__SIGSTOP;
1389 break;
1390 default:
1391 /* All other signals. */
1392 perm = PROCESS__SIGNAL;
1393 break;
1394 }
1395
1396 return perm;
1397}
1398
d84f4f99
DH		 1399/*
1400 * Check permission between a pair of credentials
1401 * fork check, ptrace check, etc.
1402 */
1403static int cred_has_perm(const struct cred *actor,
1404 const struct cred *target,
1405 u32 perms)
1406{
1407 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1408
1409 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1410}
1411
275bb41e 1412/*
88e67f3b 1413 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1414 * fork check, ptrace check, etc.
1415 * tsk1 is the actor and tsk2 is the target
3b11a1de 1416 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1417 */
1418static int task_has_perm(const struct task_struct *tsk1,
1419 const struct task_struct *tsk2,
1da177e4
LT		 1420 u32 perms)
1421{
275bb41e
DH		 1422 const struct task_security_struct *__tsec1, *__tsec2;
1423 u32 sid1, sid2;
1da177e4 1424
275bb41e
DH		 1425 rcu_read_lock();
1426 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1427 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1428 rcu_read_unlock();
1429 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1430}
1431
3b11a1de
DH		 1432/*
1433 * Check permission between current and another task, e.g. signal checks,
1434 * fork check, ptrace check, etc.
1435 * current is the actor and tsk2 is the target
1436 * - this uses current's subjective creds
1437 */
1438static int current_has_perm(const struct task_struct *tsk,
1439 u32 perms)
1440{
1441 u32 sid, tsid;
1442
1443 sid = current_sid();
1444 tsid = task_sid(tsk);
1445 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1446}
1447
b68e418c
SS		 1448#if CAP_LAST_CAP > 63
1449#error Fix SELinux to handle capabilities > 63.
1450#endif
1451
1da177e4
LT		 1452/* Check whether a task is allowed to use a capability. */
1453static int task_has_capability(struct task_struct *tsk,
3699c53c 1454 const struct cred *cred,
06112163 1455 int cap, int audit)
1da177e4 1456{
2bf49690 1457 struct common_audit_data ad;
06112163 1458 struct av_decision avd;
b68e418c 1459 u16 sclass;
3699c53c 1460 u32 sid = cred_sid(cred);
b68e418c 1461 u32 av = CAP_TO_MASK(cap);
06112163 1462 int rc;
1da177e4 1463
2bf49690 1464 COMMON_AUDIT_DATA_INIT(&ad, CAP);
1da177e4
LT		 1465 ad.tsk = tsk;
1466 ad.u.cap = cap;
1467
b68e418c
SS		 1468 switch (CAP_TO_INDEX(cap)) {
1469 case 0:
1470 sclass = SECCLASS_CAPABILITY;
1471 break;
1472 case 1:
1473 sclass = SECCLASS_CAPABILITY2;
1474 break;
1475 default:
1476 printk(KERN_ERR
1477 "SELinux: out of range capability %d\n", cap);
1478 BUG();
1479 }
06112163 1480
275bb41e 1481 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
06112163 1482 if (audit == SECURITY_CAP_AUDIT)
275bb41e 1483 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
06112163 1484 return rc;
1da177e4
LT		 1485}
1486
1487/* Check whether a task is allowed to use a system operation. */
1488static int task_has_system(struct task_struct *tsk,
1489 u32 perms)
1490{
275bb41e 1491 u32 sid = task_sid(tsk);
1da177e4 1492
275bb41e 1493 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1494 SECCLASS_SYSTEM, perms, NULL);
1495}
1496
1497/* Check whether a task has a particular permission to an inode.
1498 The 'adp' parameter is optional and allows other audit
1499 data to be passed (e.g. the dentry). */
88e67f3b 1500static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1501 struct inode *inode,
1502 u32 perms,
2bf49690 1503 struct common_audit_data *adp)
1da177e4 1504{
1da177e4 1505 struct inode_security_struct *isec;
2bf49690 1506 struct common_audit_data ad;
275bb41e 1507 u32 sid;
1da177e4 1508
e0e81739
DH		 1509 validate_creds(cred);
1510
828dfe1d 1511 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1512 return 0;
1513
88e67f3b 1514 sid = cred_sid(cred);
1da177e4
LT		 1515 isec = inode->i_security;
1516
1517 if (!adp) {
1518 adp = &ad;
2bf49690 1519 COMMON_AUDIT_DATA_INIT(&ad, FS);
1da177e4
LT		 1520 ad.u.fs.inode = inode;
1521 }
1522
275bb41e 1523 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1524}
1525
1526/* Same as inode_has_perm, but pass explicit audit data containing
1527 the dentry to help the auditing code to more easily generate the
1528 pathname if needed. */
88e67f3b 1529static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1530 struct vfsmount *mnt,
1531 struct dentry *dentry,
1532 u32 av)
1533{
1534 struct inode *inode = dentry->d_inode;
2bf49690 1535 struct common_audit_data ad;
88e67f3b 1536
2bf49690 1537 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf
JB		 1538 ad.u.fs.path.mnt = mnt;
1539 ad.u.fs.path.dentry = dentry;
88e67f3b 1540 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1541}
1542
1543/* Check whether a task can use an open file descriptor to
1544 access an inode in a given way. Check access to the
1545 descriptor itself, and then use dentry_has_perm to
1546 check a particular permission to the file.
1547 Access to the descriptor is implicitly granted if it
1548 has the same SID as the process. If av is zero, then
1549 access to the file is not checked, e.g. for cases
1550 where only the descriptor is affected like seek. */
88e67f3b
DH		 1551static int file_has_perm(const struct cred *cred,
1552 struct file *file,
1553 u32 av)
1da177e4 1554{
1da177e4 1555 struct file_security_struct *fsec = file->f_security;
44707fdf 1556 struct inode *inode = file->f_path.dentry->d_inode;
2bf49690 1557 struct common_audit_data ad;
88e67f3b 1558 u32 sid = cred_sid(cred);
1da177e4
LT		 1559 int rc;
1560
2bf49690 1561 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1562 ad.u.fs.path = file->f_path;
1da177e4 1563
275bb41e
DH		 1564 if (sid != fsec->sid) {
1565 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1566 SECCLASS_FD,
1567 FD__USE,
1568 &ad);
1569 if (rc)
88e67f3b 1570 goto out;
1da177e4
LT		 1571 }
1572
1573 /* av is zero if only checking access to the descriptor. */
88e67f3b 1574 rc = 0;
1da177e4 1575 if (av)
88e67f3b 1576 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1577
88e67f3b
DH		 1578out:
1579 return rc;
1da177e4
LT		 1580}
1581
1582/* Check whether a task can create a file. */
1583static int may_create(struct inode *dir,
1584 struct dentry *dentry,
1585 u16 tclass)
1586{
275bb41e
DH		 1587 const struct cred *cred = current_cred();
1588 const struct task_security_struct *tsec = cred->security;
1da177e4
LT		 1589 struct inode_security_struct *dsec;
1590 struct superblock_security_struct *sbsec;
275bb41e 1591 u32 sid, newsid;
2bf49690 1592 struct common_audit_data ad;
1da177e4
LT		 1593 int rc;
1594
1da177e4
LT		 1595 dsec = dir->i_security;
1596 sbsec = dir->i_sb->s_security;
1597
275bb41e
DH		 1598 sid = tsec->sid;
1599 newsid = tsec->create_sid;
1600
2bf49690 1601 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1602 ad.u.fs.path.dentry = dentry;
1da177e4 1603
275bb41e 1604 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1605 DIR__ADD_NAME | DIR__SEARCH,
1606 &ad);
1607 if (rc)
1608 return rc;
1609
cd89596f 1610 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
275bb41e 1611 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
1da177e4
LT		 1612 if (rc)
1613 return rc;
1614 }
1615
275bb41e 1616 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1617 if (rc)
1618 return rc;
1619
1620 return avc_has_perm(newsid, sbsec->sid,
1621 SECCLASS_FILESYSTEM,
1622 FILESYSTEM__ASSOCIATE, &ad);
1623}
1624
4eb582cf
ML		 1625/* Check whether a task can create a key. */
1626static int may_create_key(u32 ksid,
1627 struct task_struct *ctx)
1628{
275bb41e 1629 u32 sid = task_sid(ctx);
4eb582cf 1630
275bb41e 1631 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1632}
1633
828dfe1d
EP		 1634#define MAY_LINK 0
1635#define MAY_UNLINK 1
1636#define MAY_RMDIR 2
1da177e4
LT		 1637
1638/* Check whether a task can link, unlink, or rmdir a file/directory. */
1639static int may_link(struct inode *dir,
1640 struct dentry *dentry,
1641 int kind)
1642
1643{
1da177e4 1644 struct inode_security_struct *dsec, *isec;
2bf49690 1645 struct common_audit_data ad;
275bb41e 1646 u32 sid = current_sid();
1da177e4
LT		 1647 u32 av;
1648 int rc;
1649
1da177e4
LT		 1650 dsec = dir->i_security;
1651 isec = dentry->d_inode->i_security;
1652
2bf49690 1653 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1654 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1655
1656 av = DIR__SEARCH;
1657 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1658 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1659 if (rc)
1660 return rc;
1661
1662 switch (kind) {
1663 case MAY_LINK:
1664 av = FILE__LINK;
1665 break;
1666 case MAY_UNLINK:
1667 av = FILE__UNLINK;
1668 break;
1669 case MAY_RMDIR:
1670 av = DIR__RMDIR;
1671 break;
1672 default:
744ba35e
EP		 1673 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1674 __func__, kind);
1da177e4
LT		 1675 return 0;
1676 }
1677
275bb41e 1678 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1679 return rc;
1680}
1681
1682static inline int may_rename(struct inode *old_dir,
1683 struct dentry *old_dentry,
1684 struct inode *new_dir,
1685 struct dentry *new_dentry)
1686{
1da177e4 1687 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1688 struct common_audit_data ad;
275bb41e 1689 u32 sid = current_sid();
1da177e4
LT		 1690 u32 av;
1691 int old_is_dir, new_is_dir;
1692 int rc;
1693
1da177e4
LT		 1694 old_dsec = old_dir->i_security;
1695 old_isec = old_dentry->d_inode->i_security;
1696 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1697 new_dsec = new_dir->i_security;
1698
2bf49690 1699 COMMON_AUDIT_DATA_INIT(&ad, FS);
1da177e4 1700
44707fdf 1701 ad.u.fs.path.dentry = old_dentry;
275bb41e 1702 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1703 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1704 if (rc)
1705 return rc;
275bb41e 1706 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1707 old_isec->sclass, FILE__RENAME, &ad);
1708 if (rc)
1709 return rc;
1710 if (old_is_dir && new_dir != old_dir) {
275bb41e 1711 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1712 old_isec->sclass, DIR__REPARENT, &ad);
1713 if (rc)
1714 return rc;
1715 }
1716
44707fdf 1717 ad.u.fs.path.dentry = new_dentry;
1da177e4
LT		 1718 av = DIR__ADD_NAME | DIR__SEARCH;
1719 if (new_dentry->d_inode)
1720 av |= DIR__REMOVE_NAME;
275bb41e 1721 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1722 if (rc)
1723 return rc;
1724 if (new_dentry->d_inode) {
1725 new_isec = new_dentry->d_inode->i_security;
1726 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
275bb41e 1727 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1728 new_isec->sclass,
1729 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1730 if (rc)
1731 return rc;
1732 }
1733
1734 return 0;
1735}
1736
1737/* Check whether a task can perform a filesystem operation. */
88e67f3b 1738static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1739 struct super_block *sb,
1740 u32 perms,
2bf49690 1741 struct common_audit_data *ad)
1da177e4 1742{
1da177e4 1743 struct superblock_security_struct *sbsec;
88e67f3b 1744 u32 sid = cred_sid(cred);
1da177e4 1745
1da177e4 1746 sbsec = sb->s_security;
275bb41e 1747 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1748}
1749
1750/* Convert a Linux mode and permission mask to an access vector. */
1751static inline u32 file_mask_to_av(int mode, int mask)
1752{
1753 u32 av = 0;
1754
1755 if ((mode & S_IFMT) != S_IFDIR) {
1756 if (mask & MAY_EXEC)
1757 av |= FILE__EXECUTE;
1758 if (mask & MAY_READ)
1759 av |= FILE__READ;
1760
1761 if (mask & MAY_APPEND)
1762 av |= FILE__APPEND;
1763 else if (mask & MAY_WRITE)
1764 av |= FILE__WRITE;
1765
1766 } else {
1767 if (mask & MAY_EXEC)
1768 av |= DIR__SEARCH;
1769 if (mask & MAY_WRITE)
1770 av |= DIR__WRITE;
1771 if (mask & MAY_READ)
1772 av |= DIR__READ;
1773 }
1774
1775 return av;
1776}
1777
8b6a5a37
EP		 1778/* Convert a Linux file to an access vector. */
1779static inline u32 file_to_av(struct file *file)
1780{
1781 u32 av = 0;
1782
1783 if (file->f_mode & FMODE_READ)
1784 av |= FILE__READ;
1785 if (file->f_mode & FMODE_WRITE) {
1786 if (file->f_flags & O_APPEND)
1787 av |= FILE__APPEND;
1788 else
1789 av |= FILE__WRITE;
1790 }
1791 if (!av) {
1792 /*
1793 * Special file opened with flags 3 for ioctl-only use.
1794 */
1795 av = FILE__IOCTL;
1796 }
1797
1798 return av;
1799}
1800
b0c636b9 1801/*
8b6a5a37 1802 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 1803 * open permission.
1804 */
8b6a5a37 1805static inline u32 open_file_to_av(struct file *file)
b0c636b9 1806{
8b6a5a37 1807 u32 av = file_to_av(file);
b0c636b9
EP		 1808
1809 if (selinux_policycap_openperm) {
8b6a5a37 1810 mode_t mode = file->f_path.dentry->d_inode->i_mode;
b0c636b9
EP		 1811 /*
1812 * lnk files and socks do not really have an 'open'
1813 */
1814 if (S_ISREG(mode))
1815 av |= FILE__OPEN;
1816 else if (S_ISCHR(mode))
1817 av |= CHR_FILE__OPEN;
1818 else if (S_ISBLK(mode))
1819 av |= BLK_FILE__OPEN;
1820 else if (S_ISFIFO(mode))
1821 av |= FIFO_FILE__OPEN;
1822 else if (S_ISDIR(mode))
1823 av |= DIR__OPEN;
6a25b27d
EP		 1824 else if (S_ISSOCK(mode))
1825 av |= SOCK_FILE__OPEN;
b0c636b9 1826 else
744ba35e 1827 printk(KERN_ERR "SELinux: WARNING: inside %s with "
8b6a5a37 1828 "unknown mode:%o\n", __func__, mode);
b0c636b9
EP		 1829 }
1830 return av;
1831}
1832
1da177e4
LT		 1833/* Hook functions begin here. */
1834
9e48858f 1835static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 1836 unsigned int mode)
1da177e4 1837{
1da177e4
LT		 1838 int rc;
1839
9e48858f 1840 rc = cap_ptrace_access_check(child, mode);
1da177e4
LT		 1841 if (rc)
1842 return rc;
1843
006ebb40 1844 if (mode == PTRACE_MODE_READ) {
275bb41e
DH		 1845 u32 sid = current_sid();
1846 u32 csid = task_sid(child);
1847 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 1848 }
1849
3b11a1de 1850 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 1851}
1852
1853static int selinux_ptrace_traceme(struct task_struct *parent)
1854{
1855 int rc;
1856
200ac532 1857 rc = cap_ptrace_traceme(parent);
5cd9c58f
DH		 1858 if (rc)
1859 return rc;
1860
1861 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 1862}
1863
1864static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 1865 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4
LT		 1866{
1867 int error;
1868
3b11a1de 1869 error = current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 1870 if (error)
1871 return error;
1872
200ac532 1873 return cap_capget(target, effective, inheritable, permitted);
1da177e4
LT		 1874}
1875
d84f4f99
DH		 1876static int selinux_capset(struct cred *new, const struct cred *old,
1877 const kernel_cap_t *effective,
1878 const kernel_cap_t *inheritable,
1879 const kernel_cap_t *permitted)
1da177e4
LT		 1880{
1881 int error;
1882
200ac532 1883 error = cap_capset(new, old,
d84f4f99 1884 effective, inheritable, permitted);
1da177e4
LT		 1885 if (error)
1886 return error;
1887
d84f4f99 1888 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 1889}
1890
5626d3e8
JM		 1891/*
1892 * (This comment used to live with the selinux_task_setuid hook,
1893 * which was removed).
1894 *
1895 * Since setuid only affects the current process, and since the SELinux
1896 * controls are not based on the Linux identity attributes, SELinux does not
1897 * need to control this operation. However, SELinux does control the use of
1898 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1899 */
1900
3699c53c
DH		 1901static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1902 int cap, int audit)
1da177e4
LT		 1903{
1904 int rc;
1905
200ac532 1906 rc = cap_capable(tsk, cred, cap, audit);
1da177e4
LT		 1907 if (rc)
1908 return rc;
1909
3699c53c 1910 return task_has_capability(tsk, cred, cap, audit);
1da177e4
LT		 1911}
1912
3fbfa981
EB		 1913static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1914{
1915 int buflen, rc;
1916 char *buffer, *path, *end;
1917
1918 rc = -ENOMEM;
828dfe1d 1919 buffer = (char *)__get_free_page(GFP_KERNEL);
3fbfa981
EB		 1920 if (!buffer)
1921 goto out;
1922
1923 buflen = PAGE_SIZE;
1924 end = buffer+buflen;
1925 *--end = '\0';
1926 buflen--;
1927 path = end-1;
1928 *path = '/';
1929 while (table) {
1930 const char *name = table->procname;
1931 size_t namelen = strlen(name);
1932 buflen -= namelen + 1;
1933 if (buflen < 0)
1934 goto out_free;
1935 end -= namelen;
1936 memcpy(end, name, namelen);
1937 *--end = '/';
1938 path = end;
1939 table = table->parent;
1940 }
b599fdfd
EB		 1941 buflen -= 4;
1942 if (buflen < 0)
1943 goto out_free;
1944 end -= 4;
1945 memcpy(end, "/sys", 4);
1946 path = end;
3fbfa981
EB		 1947 rc = security_genfs_sid("proc", path, tclass, sid);
1948out_free:
1949 free_page((unsigned long)buffer);
1950out:
1951 return rc;
1952}
1953
1da177e4
LT		 1954static int selinux_sysctl(ctl_table *table, int op)
1955{
1956 int error = 0;
1957 u32 av;
275bb41e 1958 u32 tsid, sid;
1da177e4
LT		 1959 int rc;
1960
275bb41e 1961 sid = current_sid();
1da177e4 1962
3fbfa981
EB		 1963 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1964 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1da177e4
LT		 1965 if (rc) {
1966 /* Default to the well-defined sysctl SID. */
1967 tsid = SECINITSID_SYSCTL;
1968 }
1969
1970 /* The op values are "defined" in sysctl.c, thereby creating
1971 * a bad coupling between this module and sysctl.c */
828dfe1d 1972 if (op == 001) {
275bb41e 1973 error = avc_has_perm(sid, tsid,
1da177e4
LT		 1974 SECCLASS_DIR, DIR__SEARCH, NULL);
1975 } else {
1976 av = 0;
1977 if (op & 004)
1978 av |= FILE__READ;
1979 if (op & 002)
1980 av |= FILE__WRITE;
1981 if (av)
275bb41e 1982 error = avc_has_perm(sid, tsid,
1da177e4 1983 SECCLASS_FILE, av, NULL);
828dfe1d 1984 }
1da177e4
LT		 1985
1986 return error;
1987}
1988
1989static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1990{
88e67f3b 1991 const struct cred *cred = current_cred();
1da177e4
LT		 1992 int rc = 0;
1993
1994 if (!sb)
1995 return 0;
1996
1997 switch (cmds) {
828dfe1d
EP		 1998 case Q_SYNC:
1999 case Q_QUOTAON:
2000 case Q_QUOTAOFF:
2001 case Q_SETINFO:
2002 case Q_SETQUOTA:
88e67f3b 2003 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2004 break;
2005 case Q_GETFMT:
2006 case Q_GETINFO:
2007 case Q_GETQUOTA:
88e67f3b 2008 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2009 break;
2010 default:
2011 rc = 0; /* let the kernel handle invalid cmds */
2012 break;
1da177e4
LT		 2013 }
2014 return rc;
2015}
2016
2017static int selinux_quota_on(struct dentry *dentry)
2018{
88e67f3b
DH		 2019 const struct cred *cred = current_cred();
2020
2021 return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1da177e4
LT		 2022}
2023
00234592 2024static int selinux_syslog(int type, bool from_file)
1da177e4
LT		 2025{
2026 int rc;
2027
00234592 2028 rc = cap_syslog(type, from_file);
1da177e4
LT		 2029 if (rc)
2030 return rc;
2031
2032 switch (type) {
d78ca3cd
KC		 2033 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2034 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
828dfe1d
EP		 2035 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2036 break;
d78ca3cd
KC		 2037 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2038 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2039 /* Set level of messages printed to console */
2040 case SYSLOG_ACTION_CONSOLE_LEVEL:
828dfe1d
EP		 2041 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2042 break;
d78ca3cd
KC		 2043 case SYSLOG_ACTION_CLOSE: /* Close log */
2044 case SYSLOG_ACTION_OPEN: /* Open log */
2045 case SYSLOG_ACTION_READ: /* Read from log */
2046 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2047 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
828dfe1d
EP		 2048 default:
2049 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2050 break;
1da177e4
LT		 2051 }
2052 return rc;
2053}
2054
2055/*
2056 * Check that a process has enough memory to allocate a new virtual
2057 * mapping. 0 means there is enough memory for the allocation to
2058 * succeed and -ENOMEM implies there is not.
2059 *
1da177e4
LT		 2060 * Do not audit the selinux permission check, as this is applied to all
2061 * processes that allocate mappings.
2062 */
34b4e4aa 2063static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2064{
2065 int rc, cap_sys_admin = 0;
1da177e4 2066
3699c53c
DH		 2067 rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
2068 SECURITY_CAP_NOAUDIT);
1da177e4
LT		 2069 if (rc == 0)
2070 cap_sys_admin = 1;
2071
34b4e4aa 2072 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 2073}
2074
2075/* binprm security operations */
2076
a6f76f23 2077static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2078{
a6f76f23
DH		 2079 const struct task_security_struct *old_tsec;
2080 struct task_security_struct *new_tsec;
1da177e4 2081 struct inode_security_struct *isec;
2bf49690 2082 struct common_audit_data ad;
a6f76f23 2083 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1da177e4
LT		 2084 int rc;
2085
200ac532 2086 rc = cap_bprm_set_creds(bprm);
1da177e4
LT		 2087 if (rc)
2088 return rc;
2089
a6f76f23
DH		 2090 /* SELinux context only depends on initial program or script and not
2091 * the script interpreter */
2092 if (bprm->cred_prepared)
1da177e4
LT		 2093 return 0;
2094
a6f76f23
DH		 2095 old_tsec = current_security();
2096 new_tsec = bprm->cred->security;
1da177e4
LT		 2097 isec = inode->i_security;
2098
2099 /* Default to the current task SID. */
a6f76f23
DH		 2100 new_tsec->sid = old_tsec->sid;
2101 new_tsec->osid = old_tsec->sid;
1da177e4 2102
28eba5bf 2103 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2104 new_tsec->create_sid = 0;
2105 new_tsec->keycreate_sid = 0;
2106 new_tsec->sockcreate_sid = 0;
1da177e4 2107
a6f76f23
DH		 2108 if (old_tsec->exec_sid) {
2109 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2110 /* Reset exec SID on execve. */
a6f76f23 2111 new_tsec->exec_sid = 0;
1da177e4
LT		 2112 } else {
2113 /* Check for a default transition on this program. */
a6f76f23
DH		 2114 rc = security_transition_sid(old_tsec->sid, isec->sid,
2115 SECCLASS_PROCESS, &new_tsec->sid);
1da177e4
LT		 2116 if (rc)
2117 return rc;
2118 }
2119
2bf49690 2120 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2121 ad.u.fs.path = bprm->file->f_path;
1da177e4 2122
3d5ff529 2123 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
a6f76f23 2124 new_tsec->sid = old_tsec->sid;
1da177e4 2125
a6f76f23
DH		 2126 if (new_tsec->sid == old_tsec->sid) {
2127 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2128 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2129 if (rc)
2130 return rc;
2131 } else {
2132 /* Check permissions for the transition. */
a6f76f23 2133 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2134 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2135 if (rc)
2136 return rc;
2137
a6f76f23 2138 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2139 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2140 if (rc)
2141 return rc;
2142
a6f76f23
DH		 2143 /* Check for shared state */
2144 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2145 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2146 SECCLASS_PROCESS, PROCESS__SHARE,
2147 NULL);
2148 if (rc)
2149 return -EPERM;
2150 }
2151
2152 /* Make sure that anyone attempting to ptrace over a task that
2153 * changes its SID has the appropriate permit */
2154 if (bprm->unsafe &
2155 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2156 struct task_struct *tracer;
2157 struct task_security_struct *sec;
2158 u32 ptsid = 0;
2159
2160 rcu_read_lock();
2161 tracer = tracehook_tracer_task(current);
2162 if (likely(tracer != NULL)) {
2163 sec = __task_cred(tracer)->security;
2164 ptsid = sec->sid;
2165 }
2166 rcu_read_unlock();
2167
2168 if (ptsid != 0) {
2169 rc = avc_has_perm(ptsid, new_tsec->sid,
2170 SECCLASS_PROCESS,
2171 PROCESS__PTRACE, NULL);
2172 if (rc)
2173 return -EPERM;
2174 }
2175 }
1da177e4 2176
a6f76f23
DH		 2177 /* Clear any possibly unsafe personality bits on exec: */
2178 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2179 }
2180
1da177e4
LT		 2181 return 0;
2182}
2183
828dfe1d 2184static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2185{
275bb41e
DH		 2186 const struct cred *cred = current_cred();
2187 const struct task_security_struct *tsec = cred->security;
2188 u32 sid, osid;
1da177e4
LT		 2189 int atsecure = 0;
2190
275bb41e
DH		 2191 sid = tsec->sid;
2192 osid = tsec->osid;
2193
2194 if (osid != sid) {
1da177e4
LT		 2195 /* Enable secure mode for SIDs transitions unless
2196 the noatsecure permission is granted between
2197 the two SIDs, i.e. ahp returns 0. */
275bb41e 2198 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2199 SECCLASS_PROCESS,
2200 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2201 }
2202
200ac532 2203 return (atsecure || cap_bprm_secureexec(bprm));
1da177e4
LT		 2204}
2205
1da177e4
LT		 2206extern struct vfsmount *selinuxfs_mount;
2207extern struct dentry *selinux_null;
2208
2209/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2210static inline void flush_unauthorized_files(const struct cred *cred,
2211 struct files_struct *files)
1da177e4 2212{
2bf49690 2213 struct common_audit_data ad;
1da177e4 2214 struct file *file, *devnull = NULL;
b20c8122 2215 struct tty_struct *tty;
badf1662 2216 struct fdtable *fdt;
1da177e4 2217 long j = -1;
24ec839c 2218 int drop_tty = 0;
1da177e4 2219
24ec839c 2220 tty = get_current_tty();
1da177e4
LT		 2221 if (tty) {
2222 file_list_lock();
37dd0bd0
EP		 2223 if (!list_empty(&tty->tty_files)) {
2224 struct inode *inode;
2225
1da177e4
LT		 2226 /* Revalidate access to controlling tty.
2227 Use inode_has_perm on the tty inode directly rather
2228 than using file_has_perm, as this particular open
2229 file may belong to another process and we are only
2230 interested in the inode-based check here. */
37dd0bd0
EP		 2231 file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list);
2232 inode = file->f_path.dentry->d_inode;
88e67f3b 2233 if (inode_has_perm(cred, inode,
1da177e4 2234 FILE__READ | FILE__WRITE, NULL)) {
24ec839c 2235 drop_tty = 1;
1da177e4
LT		 2236 }
2237 }
2238 file_list_unlock();
452a00d2 2239 tty_kref_put(tty);
1da177e4 2240 }
98a27ba4
EB		 2241 /* Reset controlling tty. */
2242 if (drop_tty)
2243 no_tty();
1da177e4
LT		 2244
2245 /* Revalidate access to inherited open files. */
2246
2bf49690 2247 COMMON_AUDIT_DATA_INIT(&ad, FS);
1da177e4
LT		 2248
2249 spin_lock(&files->file_lock);
2250 for (;;) {
2251 unsigned long set, i;
2252 int fd;
2253
2254 j++;
2255 i = j * __NFDBITS;
badf1662 2256 fdt = files_fdtable(files);
bbea9f69 2257 if (i >= fdt->max_fds)
1da177e4 2258 break;
badf1662 2259 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 2260 if (!set)
2261 continue;
2262 spin_unlock(&files->file_lock);
828dfe1d 2263 for ( ; set ; i++, set >>= 1) {
1da177e4
LT		 2264 if (set & 1) {
2265 file = fget(i);
2266 if (!file)
2267 continue;
88e67f3b 2268 if (file_has_perm(cred,
1da177e4
LT		 2269 file,
2270 file_to_av(file))) {
2271 sys_close(i);
2272 fd = get_unused_fd();
2273 if (fd != i) {
2274 if (fd >= 0)
2275 put_unused_fd(fd);
2276 fput(file);
2277 continue;
2278 }
2279 if (devnull) {
095975da 2280 get_file(devnull);
1da177e4 2281 } else {
745ca247
DH		 2282 devnull = dentry_open(
2283 dget(selinux_null),
2284 mntget(selinuxfs_mount),
2285 O_RDWR, cred);
fc5d81e6
AM		 2286 if (IS_ERR(devnull)) {
2287 devnull = NULL;
1da177e4
LT		 2288 put_unused_fd(fd);
2289 fput(file);
2290 continue;
2291 }
2292 }
2293 fd_install(fd, devnull);
2294 }
2295 fput(file);
2296 }
2297 }
2298 spin_lock(&files->file_lock);
2299
2300 }
2301 spin_unlock(&files->file_lock);
2302}
2303
a6f76f23
DH		 2304/*
2305 * Prepare a process for imminent new credential changes due to exec
2306 */
2307static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2308{
a6f76f23
DH		 2309 struct task_security_struct *new_tsec;
2310 struct rlimit *rlim, *initrlim;
2311 int rc, i;
d84f4f99 2312
a6f76f23
DH		 2313 new_tsec = bprm->cred->security;
2314 if (new_tsec->sid == new_tsec->osid)
2315 return;
1da177e4 2316
a6f76f23
DH		 2317 /* Close files for which the new task SID is not authorized. */
2318 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2319
a6f76f23
DH		 2320 /* Always clear parent death signal on SID transitions. */
2321 current->pdeath_signal = 0;
0356357c 2322
a6f76f23
DH		 2323 /* Check whether the new SID can inherit resource limits from the old
2324 * SID. If not, reset all soft limits to the lower of the current
2325 * task's hard limit and the init task's soft limit.
2326 *
2327 * Note that the setting of hard limits (even to lower them) can be
2328 * controlled by the setrlimit check. The inclusion of the init task's
2329 * soft limit into the computation is to avoid resetting soft limits
2330 * higher than the default soft limit for cases where the default is
2331 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2332 */
2333 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2334 PROCESS__RLIMITINH, NULL);
2335 if (rc) {
2336 for (i = 0; i < RLIM_NLIMITS; i++) {
2337 rlim = current->signal->rlim + i;
2338 initrlim = init_task.signal->rlim + i;
2339 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2340 }
17740d89 2341 update_rlimit_cpu(current->signal->rlim[RLIMIT_CPU].rlim_cur);
1da177e4
LT		 2342 }
2343}
2344
2345/*
a6f76f23
DH		 2346 * Clean up the process immediately after the installation of new credentials
2347 * due to exec
1da177e4 2348 */
a6f76f23 2349static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2350{
a6f76f23 2351 const struct task_security_struct *tsec = current_security();
1da177e4 2352 struct itimerval itimer;
a6f76f23 2353 u32 osid, sid;
1da177e4
LT		 2354 int rc, i;
2355
a6f76f23
DH		 2356 osid = tsec->osid;
2357 sid = tsec->sid;
2358
2359 if (sid == osid)
1da177e4
LT		 2360 return;
2361
a6f76f23
DH		 2362 /* Check whether the new SID can inherit signal state from the old SID.
2363 * If not, clear itimers to avoid subsequent signal generation and
2364 * flush and unblock signals.
2365 *
2366 * This must occur _after_ the task SID has been updated so that any
2367 * kill done after the flush will be checked against the new SID.
2368 */
2369 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4
LT		 2370 if (rc) {
2371 memset(&itimer, 0, sizeof itimer);
2372 for (i = 0; i < 3; i++)
2373 do_setitimer(i, &itimer, NULL);
1da177e4 2374 spin_lock_irq(&current->sighand->siglock);
3bcac026
DH		 2375 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2376 __flush_signals(current);
2377 flush_signal_handlers(current, 1);
2378 sigemptyset(&current->blocked);
2379 }
1da177e4
LT		 2380 spin_unlock_irq(&current->sighand->siglock);
2381 }
2382
a6f76f23
DH		 2383 /* Wake up the parent if it is waiting so that it can recheck
2384 * wait permission to the new task SID. */
ecd6de3c 2385 read_lock(&tasklist_lock);
0b7570e7 2386 __wake_up_parent(current, current->real_parent);
ecd6de3c 2387 read_unlock(&tasklist_lock);
1da177e4
LT		 2388}
2389
2390/* superblock security operations */
2391
2392static int selinux_sb_alloc_security(struct super_block *sb)
2393{
2394 return superblock_alloc_security(sb);
2395}
2396
2397static void selinux_sb_free_security(struct super_block *sb)
2398{
2399 superblock_free_security(sb);
2400}
2401
2402static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2403{
2404 if (plen > olen)
2405 return 0;
2406
2407 return !memcmp(prefix, option, plen);
2408}
2409
2410static inline int selinux_option(char *option, int len)
2411{
832cbd9a
EP		 2412 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2413 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2414 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2415 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2416 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2417}
2418
2419static inline void take_option(char **to, char *from, int *first, int len)
2420{
2421 if (!*first) {
2422 **to = ',';
2423 *to += 1;
3528a953 2424 } else
1da177e4
LT		 2425 *first = 0;
2426 memcpy(*to, from, len);
2427 *to += len;
2428}
2429
828dfe1d
EP		 2430static inline void take_selinux_option(char **to, char *from, int *first,
2431 int len)
3528a953
CO		 2432{
2433 int current_size = 0;
2434
2435 if (!*first) {
2436 **to = '|';
2437 *to += 1;
828dfe1d 2438 } else
3528a953
CO		 2439 *first = 0;
2440
2441 while (current_size < len) {
2442 if (*from != '"') {
2443 **to = *from;
2444 *to += 1;
2445 }
2446 from += 1;
2447 current_size += 1;
2448 }
2449}
2450
e0007529 2451static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2452{
2453 int fnosec, fsec, rc = 0;
2454 char *in_save, *in_curr, *in_end;
2455 char *sec_curr, *nosec_save, *nosec;
3528a953 2456 int open_quote = 0;
1da177e4
LT		 2457
2458 in_curr = orig;
2459 sec_curr = copy;
2460
1da177e4
LT		 2461 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2462 if (!nosec) {
2463 rc = -ENOMEM;
2464 goto out;
2465 }
2466
2467 nosec_save = nosec;
2468 fnosec = fsec = 1;
2469 in_save = in_end = orig;
2470
2471 do {
3528a953
CO		 2472 if (*in_end == '"')
2473 open_quote = !open_quote;
2474 if ((*in_end == ',' && open_quote == 0) ||
2475 *in_end == '\0') {
1da177e4
LT		 2476 int len = in_end - in_curr;
2477
2478 if (selinux_option(in_curr, len))
3528a953 2479 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2480 else
2481 take_option(&nosec, in_curr, &fnosec, len);
2482
2483 in_curr = in_end + 1;
2484 }
2485 } while (*in_end++);
2486
6931dfc9 2487 strcpy(in_save, nosec_save);
da3caa20 2488 free_page((unsigned long)nosec_save);
1da177e4
LT		 2489out:
2490 return rc;
2491}
2492
12204e24 2493static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2494{
88e67f3b 2495 const struct cred *cred = current_cred();
2bf49690 2496 struct common_audit_data ad;
1da177e4
LT		 2497 int rc;
2498
2499 rc = superblock_doinit(sb, data);
2500 if (rc)
2501 return rc;
2502
74192246
JM		 2503 /* Allow all mounts performed by the kernel */
2504 if (flags & MS_KERNMOUNT)
2505 return 0;
2506
2bf49690 2507 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2508 ad.u.fs.path.dentry = sb->s_root;
88e67f3b 2509 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2510}
2511
726c3342 2512static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2513{
88e67f3b 2514 const struct cred *cred = current_cred();
2bf49690 2515 struct common_audit_data ad;
1da177e4 2516
2bf49690 2517 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2518 ad.u.fs.path.dentry = dentry->d_sb->s_root;
88e67f3b 2519 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2520}
2521
828dfe1d 2522static int selinux_mount(char *dev_name,
b5266eb4 2523 struct path *path,
828dfe1d
EP		 2524 char *type,
2525 unsigned long flags,
2526 void *data)
1da177e4 2527{
88e67f3b 2528 const struct cred *cred = current_cred();
1da177e4
LT		 2529
2530 if (flags & MS_REMOUNT)
88e67f3b 2531 return superblock_has_perm(cred, path->mnt->mnt_sb,
828dfe1d 2532 FILESYSTEM__REMOUNT, NULL);
1da177e4 2533 else
88e67f3b 2534 return dentry_has_perm(cred, path->mnt, path->dentry,
828dfe1d 2535 FILE__MOUNTON);
1da177e4
LT		 2536}
2537
2538static int selinux_umount(struct vfsmount *mnt, int flags)
2539{
88e67f3b 2540 const struct cred *cred = current_cred();
1da177e4 2541
88e67f3b 2542 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2543 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2544}
2545
2546/* inode security operations */
2547
2548static int selinux_inode_alloc_security(struct inode *inode)
2549{
2550 return inode_alloc_security(inode);
2551}
2552
2553static void selinux_inode_free_security(struct inode *inode)
2554{
2555 inode_free_security(inode);
2556}
2557
5e41ff9e
SS		 2558static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2559 char **name, void **value,
2560 size_t *len)
2561{
275bb41e
DH		 2562 const struct cred *cred = current_cred();
2563 const struct task_security_struct *tsec = cred->security;
5e41ff9e
SS		 2564 struct inode_security_struct *dsec;
2565 struct superblock_security_struct *sbsec;
275bb41e 2566 u32 sid, newsid, clen;
5e41ff9e 2567 int rc;
570bc1c2 2568 char *namep = NULL, *context;
5e41ff9e 2569
5e41ff9e
SS		 2570 dsec = dir->i_security;
2571 sbsec = dir->i_sb->s_security;
5e41ff9e 2572
275bb41e
DH		 2573 sid = tsec->sid;
2574 newsid = tsec->create_sid;
2575
cd89596f 2576 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
275bb41e 2577 rc = security_transition_sid(sid, dsec->sid,
5e41ff9e
SS		 2578 inode_mode_to_security_class(inode->i_mode),
2579 &newsid);
2580 if (rc) {
2581 printk(KERN_WARNING "%s: "
2582 "security_transition_sid failed, rc=%d (dev=%s "
2583 "ino=%ld)\n",
dd6f953a 2584 __func__,
5e41ff9e
SS		 2585 -rc, inode->i_sb->s_id, inode->i_ino);
2586 return rc;
2587 }
2588 }
2589
296fddf7 2590 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2591 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2592 struct inode_security_struct *isec = inode->i_security;
2593 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2594 isec->sid = newsid;
2595 isec->initialized = 1;
2596 }
5e41ff9e 2597
cd89596f 2598 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
25a74f3b
SS		 2599 return -EOPNOTSUPP;
2600
570bc1c2 2601 if (name) {
a02fe132 2602 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
570bc1c2
SS		 2603 if (!namep)
2604 return -ENOMEM;
2605 *name = namep;
2606 }
5e41ff9e 2607
570bc1c2 2608 if (value && len) {
12b29f34 2609 rc = security_sid_to_context_force(newsid, &context, &clen);
570bc1c2
SS		 2610 if (rc) {
2611 kfree(namep);
2612 return rc;
2613 }
2614 *value = context;
2615 *len = clen;
5e41ff9e 2616 }
5e41ff9e 2617
5e41ff9e
SS		 2618 return 0;
2619}
2620
1da177e4
LT		 2621static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2622{
2623 return may_create(dir, dentry, SECCLASS_FILE);
2624}
2625
1da177e4
LT		 2626static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2627{
1da177e4
LT		 2628 return may_link(dir, old_dentry, MAY_LINK);
2629}
2630
1da177e4
LT		 2631static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2632{
1da177e4
LT		 2633 return may_link(dir, dentry, MAY_UNLINK);
2634}
2635
2636static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2637{
2638 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2639}
2640
1da177e4
LT		 2641static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2642{
2643 return may_create(dir, dentry, SECCLASS_DIR);
2644}
2645
1da177e4
LT		 2646static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2647{
2648 return may_link(dir, dentry, MAY_RMDIR);
2649}
2650
2651static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2652{
1da177e4
LT		 2653 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2654}
2655
1da177e4 2656static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2657 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2658{
2659 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2660}
2661
1da177e4
LT		 2662static int selinux_inode_readlink(struct dentry *dentry)
2663{
88e67f3b
DH		 2664 const struct cred *cred = current_cred();
2665
2666 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
1da177e4
LT		 2667}
2668
2669static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2670{
88e67f3b 2671 const struct cred *cred = current_cred();
1da177e4 2672
88e67f3b 2673 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
1da177e4
LT		 2674}
2675
b77b0646 2676static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2677{
88e67f3b 2678 const struct cred *cred = current_cred();
1da177e4
LT		 2679
2680 if (!mask) {
2681 /* No permission to check. Existence test. */
2682 return 0;
2683 }
2684
88e67f3b 2685 return inode_has_perm(cred, inode,
8b6a5a37 2686 file_mask_to_av(inode->i_mode, mask), NULL);
1da177e4
LT		 2687}
2688
2689static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2690{
88e67f3b 2691 const struct cred *cred = current_cred();
bc6a6008 2692 unsigned int ia_valid = iattr->ia_valid;
1da177e4 2693
bc6a6008
AW		 2694 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2695 if (ia_valid & ATTR_FORCE) {
2696 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2697 ATTR_FORCE);
2698 if (!ia_valid)
2699 return 0;
2700 }
1da177e4 2701
bc6a6008
AW		 2702 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2703 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
88e67f3b 2704 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
1da177e4 2705
88e67f3b 2706 return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
1da177e4
LT		 2707}
2708
2709static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2710{
88e67f3b
DH		 2711 const struct cred *cred = current_cred();
2712
2713 return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
1da177e4
LT		 2714}
2715
8f0cfa52 2716static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 2717{
88e67f3b
DH		 2718 const struct cred *cred = current_cred();
2719
b5376771
SH		 2720 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2721 sizeof XATTR_SECURITY_PREFIX - 1)) {
2722 if (!strcmp(name, XATTR_NAME_CAPS)) {
2723 if (!capable(CAP_SETFCAP))
2724 return -EPERM;
2725 } else if (!capable(CAP_SYS_ADMIN)) {
2726 /* A different attribute in the security namespace.
2727 Restrict to administrator. */
2728 return -EPERM;
2729 }
2730 }
2731
2732 /* Not an attribute we recognize, so just check the
2733 ordinary setattr permission. */
88e67f3b 2734 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
b5376771
SH		 2735}
2736
8f0cfa52
DH		 2737static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2738 const void *value, size_t size, int flags)
1da177e4 2739{
1da177e4
LT		 2740 struct inode *inode = dentry->d_inode;
2741 struct inode_security_struct *isec = inode->i_security;
2742 struct superblock_security_struct *sbsec;
2bf49690 2743 struct common_audit_data ad;
275bb41e 2744 u32 newsid, sid = current_sid();
1da177e4
LT		 2745 int rc = 0;
2746
b5376771
SH		 2747 if (strcmp(name, XATTR_NAME_SELINUX))
2748 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2749
2750 sbsec = inode->i_sb->s_security;
cd89596f 2751 if (!(sbsec->flags & SE_SBLABELSUPP))
1da177e4
LT		 2752 return -EOPNOTSUPP;
2753
3bd858ab 2754 if (!is_owner_or_cap(inode))
1da177e4
LT		 2755 return -EPERM;
2756
2bf49690 2757 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2758 ad.u.fs.path.dentry = dentry;
1da177e4 2759
275bb41e 2760 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 2761 FILE__RELABELFROM, &ad);
2762 if (rc)
2763 return rc;
2764
2765 rc = security_context_to_sid(value, size, &newsid);
12b29f34
SS		 2766 if (rc == -EINVAL) {
2767 if (!capable(CAP_MAC_ADMIN))
2768 return rc;
2769 rc = security_context_to_sid_force(value, size, &newsid);
2770 }
1da177e4
LT		 2771 if (rc)
2772 return rc;
2773
275bb41e 2774 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 2775 FILE__RELABELTO, &ad);
2776 if (rc)
2777 return rc;
2778
275bb41e 2779 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 2780 isec->sclass);
1da177e4
LT		 2781 if (rc)
2782 return rc;
2783
2784 return avc_has_perm(newsid,
2785 sbsec->sid,
2786 SECCLASS_FILESYSTEM,
2787 FILESYSTEM__ASSOCIATE,
2788 &ad);
2789}
2790
8f0cfa52 2791static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 2792 const void *value, size_t size,
8f0cfa52 2793 int flags)
1da177e4
LT		 2794{
2795 struct inode *inode = dentry->d_inode;
2796 struct inode_security_struct *isec = inode->i_security;
2797 u32 newsid;
2798 int rc;
2799
2800 if (strcmp(name, XATTR_NAME_SELINUX)) {
2801 /* Not an attribute we recognize, so nothing to do. */
2802 return;
2803 }
2804
12b29f34 2805 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 2806 if (rc) {
12b29f34
SS		 2807 printk(KERN_ERR "SELinux: unable to map context to SID"
2808 "for (%s, %lu), rc=%d\n",
2809 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 2810 return;
2811 }
2812
2813 isec->sid = newsid;
2814 return;
2815}
2816
8f0cfa52 2817static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 2818{
88e67f3b
DH		 2819 const struct cred *cred = current_cred();
2820
2821 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
1da177e4
LT		 2822}
2823
828dfe1d 2824static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 2825{
88e67f3b
DH		 2826 const struct cred *cred = current_cred();
2827
2828 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
1da177e4
LT		 2829}
2830
8f0cfa52 2831static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 2832{
b5376771
SH		 2833 if (strcmp(name, XATTR_NAME_SELINUX))
2834 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2835
2836 /* No one is allowed to remove a SELinux security label.
2837 You can change the label, but all data must be labeled. */
2838 return -EACCES;
2839}
2840
d381d8a9 2841/*
abc69bb6 2842 * Copy the inode security context value to the user.
d381d8a9
JM		 2843 *
2844 * Permission check is handled by selinux_inode_getxattr hook.
2845 */
42492594 2846static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 2847{
42492594
DQ		 2848 u32 size;
2849 int error;
2850 char *context = NULL;
1da177e4 2851 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2852
8c8570fb
DK		 2853 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2854 return -EOPNOTSUPP;
d381d8a9 2855
abc69bb6
SS		 2856 /*
2857 * If the caller has CAP_MAC_ADMIN, then get the raw context
2858 * value even if it is not defined by current policy; otherwise,
2859 * use the in-core value under current policy.
2860 * Use the non-auditing forms of the permission checks since
2861 * getxattr may be called by unprivileged processes commonly
2862 * and lack of permission just means that we fall back to the
2863 * in-core context value, not a denial.
2864 */
3699c53c
DH		 2865 error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
2866 SECURITY_CAP_NOAUDIT);
abc69bb6
SS		 2867 if (!error)
2868 error = security_sid_to_context_force(isec->sid, &context,
2869 &size);
2870 else
2871 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 2872 if (error)
2873 return error;
2874 error = size;
2875 if (alloc) {
2876 *buffer = context;
2877 goto out_nofree;
2878 }
2879 kfree(context);
2880out_nofree:
2881 return error;
1da177e4
LT		 2882}
2883
2884static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 2885 const void *value, size_t size, int flags)
1da177e4
LT		 2886{
2887 struct inode_security_struct *isec = inode->i_security;
2888 u32 newsid;
2889 int rc;
2890
2891 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2892 return -EOPNOTSUPP;
2893
2894 if (!value || !size)
2895 return -EACCES;
2896
828dfe1d 2897 rc = security_context_to_sid((void *)value, size, &newsid);
1da177e4
LT		 2898 if (rc)
2899 return rc;
2900
2901 isec->sid = newsid;
ddd29ec6 2902 isec->initialized = 1;
1da177e4
LT		 2903 return 0;
2904}
2905
2906static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2907{
2908 const int len = sizeof(XATTR_NAME_SELINUX);
2909 if (buffer && len <= buffer_size)
2910 memcpy(buffer, XATTR_NAME_SELINUX, len);
2911 return len;
2912}
2913
713a04ae
AD		 2914static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2915{
2916 struct inode_security_struct *isec = inode->i_security;
2917 *secid = isec->sid;
2918}
2919
1da177e4
LT		 2920/* file security operations */
2921
788e7dd4 2922static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 2923{
88e67f3b 2924 const struct cred *cred = current_cred();
3d5ff529 2925 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4 2926
1da177e4
LT		 2927 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2928 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2929 mask |= MAY_APPEND;
2930
389fb800
PM		 2931 return file_has_perm(cred, file,
2932 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 2933}
2934
788e7dd4
YN		 2935static int selinux_file_permission(struct file *file, int mask)
2936{
20dda18b
SS		 2937 struct inode *inode = file->f_path.dentry->d_inode;
2938 struct file_security_struct *fsec = file->f_security;
2939 struct inode_security_struct *isec = inode->i_security;
2940 u32 sid = current_sid();
2941
389fb800 2942 if (!mask)
788e7dd4
YN		 2943 /* No permission to check. Existence test. */
2944 return 0;
788e7dd4 2945
20dda18b
SS		 2946 if (sid == fsec->sid && fsec->isid == isec->sid &&
2947 fsec->pseqno == avc_policy_seqno())
2948 /* No change since dentry_open check. */
2949 return 0;
2950
788e7dd4
YN		 2951 return selinux_revalidate_file_permission(file, mask);
2952}
2953
1da177e4
LT		 2954static int selinux_file_alloc_security(struct file *file)
2955{
2956 return file_alloc_security(file);
2957}
2958
2959static void selinux_file_free_security(struct file *file)
2960{
2961 file_free_security(file);
2962}
2963
2964static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2965 unsigned long arg)
2966{
88e67f3b 2967 const struct cred *cred = current_cred();
242631c4 2968 u32 av = 0;
1da177e4 2969
242631c4
SS		 2970 if (_IOC_DIR(cmd) & _IOC_WRITE)
2971 av |= FILE__WRITE;
2972 if (_IOC_DIR(cmd) & _IOC_READ)
2973 av |= FILE__READ;
2974 if (!av)
2975 av = FILE__IOCTL;
1da177e4 2976
88e67f3b 2977 return file_has_perm(cred, file, av);
1da177e4
LT		 2978}
2979
fcaaade1
SS		 2980static int default_noexec;
2981
1da177e4
LT		 2982static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2983{
88e67f3b 2984 const struct cred *cred = current_cred();
d84f4f99 2985 int rc = 0;
88e67f3b 2986
fcaaade1
SS		 2987 if (default_noexec &&
2988 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 2989 /*
2990 * We are making executable an anonymous mapping or a
2991 * private file mapping that will also be writable.
2992 * This has an additional check.
2993 */
d84f4f99 2994 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 2995 if (rc)
d84f4f99 2996 goto error;
1da177e4 2997 }
1da177e4
LT		 2998
2999 if (file) {
3000 /* read access is always possible with a mapping */
3001 u32 av = FILE__READ;
3002
3003 /* write access only matters if the mapping is shared */
3004 if (shared && (prot & PROT_WRITE))
3005 av |= FILE__WRITE;
3006
3007 if (prot & PROT_EXEC)
3008 av |= FILE__EXECUTE;
3009
88e67f3b 3010 return file_has_perm(cred, file, av);
1da177e4 3011 }
d84f4f99
DH		 3012
3013error:
3014 return rc;
1da177e4
LT		 3015}
3016
3017static int selinux_file_mmap(struct file *file, unsigned long reqprot,
ed032189
EP		 3018 unsigned long prot, unsigned long flags,
3019 unsigned long addr, unsigned long addr_only)
1da177e4 3020{
ed032189 3021 int rc = 0;
275bb41e 3022 u32 sid = current_sid();
1da177e4 3023
84336d1a
EP		 3024 /*
3025 * notice that we are intentionally putting the SELinux check before
3026 * the secondary cap_file_mmap check. This is such a likely attempt
3027 * at bad behaviour/exploit that we always want to get the AVC, even
3028 * if DAC would have also denied the operation.
3029 */
a2551df7 3030 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
ed032189
EP		 3031 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3032 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3033 if (rc)
3034 return rc;
3035 }
3036
3037 /* do DAC check on address space usage */
3038 rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
ed032189 3039 if (rc || addr_only)
1da177e4
LT		 3040 return rc;
3041
3042 if (selinux_checkreqprot)
3043 prot = reqprot;
3044
3045 return file_map_prot_check(file, prot,
3046 (flags & MAP_TYPE) == MAP_SHARED);
3047}
3048
3049static int selinux_file_mprotect(struct vm_area_struct *vma,
3050 unsigned long reqprot,
3051 unsigned long prot)
3052{
88e67f3b 3053 const struct cred *cred = current_cred();
1da177e4
LT		 3054
3055 if (selinux_checkreqprot)
3056 prot = reqprot;
3057
fcaaade1
SS		 3058 if (default_noexec &&
3059 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3060 int rc = 0;
db4c9641
SS		 3061 if (vma->vm_start >= vma->vm_mm->start_brk &&
3062 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3063 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641
SS		 3064 } else if (!vma->vm_file &&
3065 vma->vm_start <= vma->vm_mm->start_stack &&
3066 vma->vm_end >= vma->vm_mm->start_stack) {
3b11a1de 3067 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3068 } else if (vma->vm_file && vma->anon_vma) {
3069 /*
3070 * We are making executable a file mapping that has
3071 * had some COW done. Since pages might have been
3072 * written, check ability to execute the possibly
3073 * modified content. This typically should only
3074 * occur for text relocations.
3075 */
d84f4f99 3076 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3077 }