projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
[deliverable/linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4 26#include <linux/init.h>
0b24dcb7 27#include <linux/kd.h>
1da177e4 28#include <linux/kernel.h>
0d094efe 29#include <linux/tracehook.h>
1da177e4
LT		 30#include <linux/errno.h>
31#include <linux/sched.h>
3c4ed7bd 32#include <linux/lsm_hooks.h>
1da177e4
LT		 33#include <linux/xattr.h>
34#include <linux/capability.h>
35#include <linux/unistd.h>
36#include <linux/mm.h>
37#include <linux/mman.h>
38#include <linux/slab.h>
39#include <linux/pagemap.h>
0b24dcb7 40#include <linux/proc_fs.h>
1da177e4 41#include <linux/swap.h>
1da177e4
LT		 42#include <linux/spinlock.h>
43#include <linux/syscalls.h>
2a7dba39 44#include <linux/dcache.h>
1da177e4 45#include <linux/file.h>
9f3acc31 46#include <linux/fdtable.h>
1da177e4
LT		 47#include <linux/namei.h>
48#include <linux/mount.h>
1da177e4
LT		 49#include <linux/netfilter_ipv4.h>
50#include <linux/netfilter_ipv6.h>
51#include <linux/tty.h>
52#include <net/icmp.h>
227b60f5 53#include <net/ip.h> /* for local_port_range[] */
1da177e4 54#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 55#include <net/inet_connection_sock.h>
220deb96 56#include <net/net_namespace.h>
d621d35e 57#include <net/netlabel.h>
f5269710 58#include <linux/uaccess.h>
1da177e4 59#include <asm/ioctls.h>
60063497 60#include <linux/atomic.h>
1da177e4
LT		 61#include <linux/bitops.h>
62#include <linux/interrupt.h>
63#include <linux/netdevice.h> /* for network interface checks */
77954983 64#include <net/netlink.h>
1da177e4
LT		 65#include <linux/tcp.h>
66#include <linux/udp.h>
2ee92d46 67#include <linux/dccp.h>
1da177e4
LT		 68#include <linux/quota.h>
69#include <linux/un.h> /* for Unix socket types */
70#include <net/af_unix.h> /* for Unix socket types */
71#include <linux/parser.h>
72#include <linux/nfs_mount.h>
73#include <net/ipv6.h>
74#include <linux/hugetlb.h>
75#include <linux/personality.h>
1da177e4 76#include <linux/audit.h>
6931dfc9 77#include <linux/string.h>
877ce7c1 78#include <linux/selinux.h>
23970741 79#include <linux/mutex.h>
f06febc9 80#include <linux/posix-timers.h>
00234592 81#include <linux/syslog.h>
3486740a 82#include <linux/user_namespace.h>
44fc7ea0 83#include <linux/export.h>
40401530
AV		 84#include <linux/msg.h>
85#include <linux/shm.h>
1da177e4
LT		 86
87#include "avc.h"
88#include "objsec.h"
89#include "netif.h"
224dfbd8 90#include "netnode.h"
3e112172 91#include "netport.h"
d28d1e08 92#include "xfrm.h"
c60475bf 93#include "netlabel.h"
9d57a7f9 94#include "audit.h"
7b98a585 95#include "avc_ss.h"
1da177e4 96
d621d35e 97/* SECMARK reference count */
56a4ca99 98static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 99
1da177e4 100#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 101int selinux_enforcing;
1da177e4
LT		 102
103static int __init enforcing_setup(char *str)
104{
f5269710 105 unsigned long enforcing;
29707b20 106 if (!kstrtoul(str, 0, &enforcing))
f5269710 107 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 108 return 1;
109}
110__setup("enforcing=", enforcing_setup);
111#endif
112
113#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116static int __init selinux_enabled_setup(char *str)
117{
f5269710 118 unsigned long enabled;
29707b20 119 if (!kstrtoul(str, 0, &enabled))
f5269710 120 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 121 return 1;
122}
123__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 124#else
125int selinux_enabled = 1;
1da177e4
LT		 126#endif
127
e18b890b 128static struct kmem_cache *sel_inode_cache;
63205654 129static struct kmem_cache *file_security_cache;
7cae7e26 130
d621d35e
PM		 131/**
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133 *
134 * Description:
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 138 * enabled, false (0) if SECMARK is disabled. If the always_check_network
139 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 140 *
141 */
142static int selinux_secmark_enabled(void)
143{
2be4d74f
CP		 144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145}
146
147/**
148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149 *
150 * Description:
151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
152 * (1) if any are enabled or false (0) if neither are enabled. If the
153 * always_check_network policy capability is enabled, peer labeling
154 * is always considered enabled.
155 *
156 */
157static int selinux_peerlbl_enabled(void)
158{
159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 160}
161
615e51fd
PM		 162static int selinux_netcache_avc_callback(u32 event)
163{
164 if (event == AVC_CALLBACK_RESET) {
165 sel_netif_flush();
166 sel_netnode_flush();
167 sel_netport_flush();
168 synchronize_net();
169 }
170 return 0;
171}
172
d84f4f99
DH		 173/*
174 * initialise the security for the init task
175 */
176static void cred_init_security(void)
1da177e4 177{
3b11a1de 178 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 179 struct task_security_struct *tsec;
180
89d155ef 181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 182 if (!tsec)
d84f4f99 183 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 184
d84f4f99 185 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 186 cred->security = tsec;
1da177e4
LT		 187}
188
88e67f3b
DH		 189/*
190 * get the security ID of a set of credentials
191 */
192static inline u32 cred_sid(const struct cred *cred)
193{
194 const struct task_security_struct *tsec;
195
196 tsec = cred->security;
197 return tsec->sid;
198}
199
275bb41e 200/*
3b11a1de 201 * get the objective security ID of a task
275bb41e
DH		 202 */
203static inline u32 task_sid(const struct task_struct *task)
204{
275bb41e
DH		 205 u32 sid;
206
207 rcu_read_lock();
88e67f3b 208 sid = cred_sid(__task_cred(task));
275bb41e
DH		 209 rcu_read_unlock();
210 return sid;
211}
212
213/*
3b11a1de 214 * get the subjective security ID of the current task
275bb41e
DH		 215 */
216static inline u32 current_sid(void)
217{
5fb49870 218 const struct task_security_struct *tsec = current_security();
275bb41e
DH		 219
220 return tsec->sid;
221}
222
88e67f3b
DH		 223/* Allocate and free functions for each kind of security blob. */
224
1da177e4
LT		 225static int inode_alloc_security(struct inode *inode)
226{
1da177e4 227 struct inode_security_struct *isec;
275bb41e 228 u32 sid = current_sid();
1da177e4 229
a02fe132 230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 231 if (!isec)
232 return -ENOMEM;
233
23970741 234 mutex_init(&isec->lock);
1da177e4 235 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 236 isec->inode = inode;
237 isec->sid = SECINITSID_UNLABELED;
238 isec->sclass = SECCLASS_FILE;
275bb41e 239 isec->task_sid = sid;
1da177e4
LT		 240 inode->i_security = isec;
241
242 return 0;
243}
244
5d226df4
AG		 245static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
246
247/*
248 * Try reloading inode security labels that have been marked as invalid. The
249 * @may_sleep parameter indicates when sleeping and thus reloading labels is
250 * allowed; when set to false, returns ERR_PTR(-ECHILD) when the label is
251 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
252 * when no dentry is available, set it to NULL instead.
253 */
254static int __inode_security_revalidate(struct inode *inode,
255 struct dentry *opt_dentry,
256 bool may_sleep)
257{
258 struct inode_security_struct *isec = inode->i_security;
259
260 might_sleep_if(may_sleep);
261
1ac42476 262 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 263 if (!may_sleep)
264 return -ECHILD;
265
266 /*
267 * Try reloading the inode security label. This will fail if
268 * @opt_dentry is NULL and no dentry for this inode can be
269 * found; in that case, continue using the old label.
270 */
271 inode_doinit_with_dentry(inode, opt_dentry);
272 }
273 return 0;
274}
275
5d226df4
AG		 276static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
277{
278 return inode->i_security;
279}
280
281static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
282{
283 int error;
284
285 error = __inode_security_revalidate(inode, NULL, !rcu);
286 if (error)
287 return ERR_PTR(error);
288 return inode->i_security;
289}
290
83da53c5
AG		 291/*
292 * Get the security label of an inode.
293 */
294static struct inode_security_struct *inode_security(struct inode *inode)
295{
5d226df4 296 __inode_security_revalidate(inode, NULL, true);
83da53c5
AG		 297 return inode->i_security;
298}
299
2c97165b
PM		 300static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
301{
302 struct inode *inode = d_backing_inode(dentry);
303
304 return inode->i_security;
305}
306
83da53c5
AG		 307/*
308 * Get the security label of a dentry's backing inode.
309 */
310static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
311{
312 struct inode *inode = d_backing_inode(dentry);
313
5d226df4 314 __inode_security_revalidate(inode, dentry, true);
83da53c5
AG		 315 return inode->i_security;
316}
317
3dc91d43
SR		 318static void inode_free_rcu(struct rcu_head *head)
319{
320 struct inode_security_struct *isec;
321
322 isec = container_of(head, struct inode_security_struct, rcu);
323 kmem_cache_free(sel_inode_cache, isec);
324}
325
1da177e4
LT		 326static void inode_free_security(struct inode *inode)
327{
328 struct inode_security_struct *isec = inode->i_security;
329 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
330
9629d04a
WL		 331 /*
332 * As not all inode security structures are in a list, we check for
333 * empty list outside of the lock to make sure that we won't waste
334 * time taking a lock doing nothing.
335 *
336 * The list_del_init() function can be safely called more than once.
337 * It should not be possible for this function to be called with
338 * concurrent list_add(), but for better safety against future changes
339 * in the code, we use list_empty_careful() here.
340 */
341 if (!list_empty_careful(&isec->list)) {
342 spin_lock(&sbsec->isec_lock);
1da177e4 343 list_del_init(&isec->list);
9629d04a
WL		 344 spin_unlock(&sbsec->isec_lock);
345 }
1da177e4 346
3dc91d43
SR		 347 /*
348 * The inode may still be referenced in a path walk and
349 * a call to selinux_inode_permission() can be made
350 * after inode_free_security() is called. Ideally, the VFS
351 * wouldn't do this, but fixing that is a much harder
352 * job. For now, simply free the i_security via RCU, and
353 * leave the current inode->i_security pointer intact.
354 * The inode will be freed after the RCU grace period too.
355 */
356 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 357}
358
359static int file_alloc_security(struct file *file)
360{
1da177e4 361 struct file_security_struct *fsec;
275bb41e 362 u32 sid = current_sid();
1da177e4 363
63205654 364 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
1da177e4
LT		 365 if (!fsec)
366 return -ENOMEM;
367
275bb41e
DH		 368 fsec->sid = sid;
369 fsec->fown_sid = sid;
1da177e4
LT		 370 file->f_security = fsec;
371
372 return 0;
373}
374
375static void file_free_security(struct file *file)
376{
377 struct file_security_struct *fsec = file->f_security;
1da177e4 378 file->f_security = NULL;
63205654 379 kmem_cache_free(file_security_cache, fsec);
1da177e4
LT		 380}
381
382static int superblock_alloc_security(struct super_block *sb)
383{
384 struct superblock_security_struct *sbsec;
385
89d155ef 386 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 387 if (!sbsec)
388 return -ENOMEM;
389
bc7e982b 390 mutex_init(&sbsec->lock);
1da177e4
LT		 391 INIT_LIST_HEAD(&sbsec->isec_head);
392 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 393 sbsec->sb = sb;
394 sbsec->sid = SECINITSID_UNLABELED;
395 sbsec->def_sid = SECINITSID_FILE;
c312feb2 396 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 397 sb->s_security = sbsec;
398
399 return 0;
400}
401
402static void superblock_free_security(struct super_block *sb)
403{
404 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 405 sb->s_security = NULL;
406 kfree(sbsec);
407}
408
1da177e4
LT		 409/* The file system's label must be initialized prior to use. */
410
eb9ae686 411static const char *labeling_behaviors[7] = {
1da177e4
LT		 412 "uses xattr",
413 "uses transition SIDs",
414 "uses task SIDs",
415 "uses genfs_contexts",
416 "not configured for labeling",
417 "uses mountpoint labeling",
eb9ae686 418 "uses native labeling",
1da177e4
LT		 419};
420
1da177e4
LT		 421static inline int inode_doinit(struct inode *inode)
422{
423 return inode_doinit_with_dentry(inode, NULL);
424}
425
426enum {
31e87930 427 Opt_error = -1,
1da177e4
LT		 428 Opt_context = 1,
429 Opt_fscontext = 2,
c9180a57
EP		 430 Opt_defcontext = 3,
431 Opt_rootcontext = 4,
11689d47 432 Opt_labelsupport = 5,
d355987f 433 Opt_nextmntopt = 6,
1da177e4
LT		 434};
435
d355987f
EP		 436#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
437
a447c093 438static const match_table_t tokens = {
832cbd9a
EP		 439 {Opt_context, CONTEXT_STR "%s"},
440 {Opt_fscontext, FSCONTEXT_STR "%s"},
441 {Opt_defcontext, DEFCONTEXT_STR "%s"},
442 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 443 {Opt_labelsupport, LABELSUPP_STR},
31e87930 444 {Opt_error, NULL},
1da177e4
LT		 445};
446
447#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
448
c312feb2
EP		 449static int may_context_mount_sb_relabel(u32 sid,
450 struct superblock_security_struct *sbsec,
275bb41e 451 const struct cred *cred)
c312feb2 452{
275bb41e 453 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 454 int rc;
455
456 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
457 FILESYSTEM__RELABELFROM, NULL);
458 if (rc)
459 return rc;
460
461 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
462 FILESYSTEM__RELABELTO, NULL);
463 return rc;
464}
465
0808925e
EP		 466static int may_context_mount_inode_relabel(u32 sid,
467 struct superblock_security_struct *sbsec,
275bb41e 468 const struct cred *cred)
0808925e 469{
275bb41e 470 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 471 int rc;
472 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
473 FILESYSTEM__RELABELFROM, NULL);
474 if (rc)
475 return rc;
476
477 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
478 FILESYSTEM__ASSOCIATE, NULL);
479 return rc;
480}
481
b43e725d
EP		 482static int selinux_is_sblabel_mnt(struct super_block *sb)
483{
484 struct superblock_security_struct *sbsec = sb->s_security;
485
d5f3a5f6
MS		 486 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
487 sbsec->behavior == SECURITY_FS_USE_TRANS ||
488 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 489 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 490 /* Special handling. Genfs but also in-core setxattr handler */
491 !strcmp(sb->s_type->name, "sysfs") ||
492 !strcmp(sb->s_type->name, "pstore") ||
493 !strcmp(sb->s_type->name, "debugfs") ||
494 !strcmp(sb->s_type->name, "rootfs");
b43e725d
EP		 495}
496
c9180a57 497static int sb_finish_set_opts(struct super_block *sb)
1da177e4 498{
1da177e4 499 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 500 struct dentry *root = sb->s_root;
c6f493d6 501 struct inode *root_inode = d_backing_inode(root);
c9180a57 502 int rc = 0;
1da177e4 503
c9180a57
EP		 504 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
505 /* Make sure that the xattr handler exists and that no
506 error other than -ENODATA is returned by getxattr on
507 the root directory. -ENODATA is ok, as this may be
508 the first boot of the SELinux kernel before we have
509 assigned xattr values to the filesystem. */
510 if (!root_inode->i_op->getxattr) {
29b1deb2
LT		 511 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
512 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 513 rc = -EOPNOTSUPP;
514 goto out;
515 }
ce23e640
AV		 516 rc = root_inode->i_op->getxattr(root, root_inode,
517 XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 518 if (rc < 0 && rc != -ENODATA) {
519 if (rc == -EOPNOTSUPP)
520 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 521 "%s) has no security xattr handler\n",
522 sb->s_id, sb->s_type->name);
c9180a57
EP		 523 else
524 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 525 "%s) getxattr errno %d\n", sb->s_id,
526 sb->s_type->name, -rc);
c9180a57
EP		 527 goto out;
528 }
529 }
1da177e4 530
c9180a57 531 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
29b1deb2
LT		 532 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
533 sb->s_id, sb->s_type->name);
1da177e4 534
eadcabc6 535 sbsec->flags |= SE_SBINITIALIZED;
b43e725d 536 if (selinux_is_sblabel_mnt(sb))
12f348b9 537 sbsec->flags |= SBLABEL_MNT;
ddd29ec6 538
c9180a57
EP		 539 /* Initialize the root inode. */
540 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 541
c9180a57
EP		 542 /* Initialize any other inodes associated with the superblock, e.g.
543 inodes created prior to initial policy load or inodes created
544 during get_sb by a pseudo filesystem that directly
545 populates itself. */
546 spin_lock(&sbsec->isec_lock);
547next_inode:
548 if (!list_empty(&sbsec->isec_head)) {
549 struct inode_security_struct *isec =
550 list_entry(sbsec->isec_head.next,
551 struct inode_security_struct, list);
552 struct inode *inode = isec->inode;
923190d3 553 list_del_init(&isec->list);
c9180a57
EP		 554 spin_unlock(&sbsec->isec_lock);
555 inode = igrab(inode);
556 if (inode) {
557 if (!IS_PRIVATE(inode))
558 inode_doinit(inode);
559 iput(inode);
560 }
561 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 562 goto next_inode;
563 }
564 spin_unlock(&sbsec->isec_lock);
565out:
566 return rc;
567}
1da177e4 568
c9180a57
EP		 569/*
570 * This function should allow an FS to ask what it's mount security
571 * options were so it can use those later for submounts, displaying
572 * mount options, or whatever.
573 */
574static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 575 struct security_mnt_opts *opts)
c9180a57
EP		 576{
577 int rc = 0, i;
578 struct superblock_security_struct *sbsec = sb->s_security;
579 char *context = NULL;
580 u32 len;
581 char tmp;
1da177e4 582
e0007529 583 security_init_mnt_opts(opts);
1da177e4 584
0d90a7ec 585 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 586 return -EINVAL;
1da177e4 587
c9180a57
EP		 588 if (!ss_initialized)
589 return -EINVAL;
1da177e4 590
af8e50cc
EP		 591 /* make sure we always check enough bits to cover the mask */
592 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
593
0d90a7ec 594 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 595 /* count the number of mount options for this sb */
af8e50cc 596 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 597 if (tmp & 0x01)
e0007529 598 opts->num_mnt_opts++;
c9180a57
EP		 599 tmp >>= 1;
600 }
11689d47 601 /* Check if the Label support flag is set */
0b4bdb35 602 if (sbsec->flags & SBLABEL_MNT)
11689d47 603 opts->num_mnt_opts++;
1da177e4 604
e0007529
EP		 605 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
606 if (!opts->mnt_opts) {
c9180a57
EP		 607 rc = -ENOMEM;
608 goto out_free;
609 }
1da177e4 610
e0007529
EP		 611 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
612 if (!opts->mnt_opts_flags) {
c9180a57
EP		 613 rc = -ENOMEM;
614 goto out_free;
615 }
1da177e4 616
c9180a57
EP		 617 i = 0;
618 if (sbsec->flags & FSCONTEXT_MNT) {
619 rc = security_sid_to_context(sbsec->sid, &context, &len);
620 if (rc)
621 goto out_free;
e0007529
EP		 622 opts->mnt_opts[i] = context;
623 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 624 }
625 if (sbsec->flags & CONTEXT_MNT) {
626 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
627 if (rc)
628 goto out_free;
e0007529
EP		 629 opts->mnt_opts[i] = context;
630 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 631 }
632 if (sbsec->flags & DEFCONTEXT_MNT) {
633 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
634 if (rc)
635 goto out_free;
e0007529
EP		 636 opts->mnt_opts[i] = context;
637 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 638 }
639 if (sbsec->flags & ROOTCONTEXT_MNT) {
83da53c5
AG		 640 struct dentry *root = sbsec->sb->s_root;
641 struct inode_security_struct *isec = backing_inode_security(root);
0808925e 642
c9180a57
EP		 643 rc = security_sid_to_context(isec->sid, &context, &len);
644 if (rc)
645 goto out_free;
e0007529
EP		 646 opts->mnt_opts[i] = context;
647 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 648 }
12f348b9 649 if (sbsec->flags & SBLABEL_MNT) {
11689d47 650 opts->mnt_opts[i] = NULL;
12f348b9 651 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 652 }
1da177e4 653
e0007529 654 BUG_ON(i != opts->num_mnt_opts);
1da177e4 655
c9180a57
EP		 656 return 0;
657
658out_free:
e0007529 659 security_free_mnt_opts(opts);
c9180a57
EP		 660 return rc;
661}
1da177e4 662
c9180a57
EP		 663static int bad_option(struct superblock_security_struct *sbsec, char flag,
664 u32 old_sid, u32 new_sid)
665{
0d90a7ec
DQ		 666 char mnt_flags = sbsec->flags & SE_MNTMASK;
667
c9180a57 668 /* check if the old mount command had the same options */
0d90a7ec 669 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 670 if (!(sbsec->flags & flag) ||
671 (old_sid != new_sid))
672 return 1;
673
674 /* check if we were passed the same options twice,
675 * aka someone passed context=a,context=b
676 */
0d90a7ec
DQ		 677 if (!(sbsec->flags & SE_SBINITIALIZED))
678 if (mnt_flags & flag)
c9180a57
EP		 679 return 1;
680 return 0;
681}
e0007529 682
c9180a57
EP		 683/*
684 * Allow filesystems with binary mount data to explicitly set mount point
685 * labeling information.
686 */
e0007529 687static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 688 struct security_mnt_opts *opts,
689 unsigned long kern_flags,
690 unsigned long *set_kern_flags)
c9180a57 691{
275bb41e 692 const struct cred *cred = current_cred();
c9180a57 693 int rc = 0, i;
c9180a57 694 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 695 const char *name = sb->s_type->name;
83da53c5 696 struct dentry *root = sbsec->sb->s_root;
2c97165b 697 struct inode_security_struct *root_isec;
c9180a57
EP		 698 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
699 u32 defcontext_sid = 0;
e0007529
EP		 700 char **mount_options = opts->mnt_opts;
701 int *flags = opts->mnt_opts_flags;
702 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 703
704 mutex_lock(&sbsec->lock);
705
706 if (!ss_initialized) {
707 if (!num_opts) {
708 /* Defer initialization until selinux_complete_init,
709 after the initial policy is loaded and the security
710 server is ready to handle calls. */
c9180a57
EP		 711 goto out;
712 }
713 rc = -EINVAL;
744ba35e
EP		 714 printk(KERN_WARNING "SELinux: Unable to set superblock options "
715 "before the security server is initialized\n");
1da177e4 716 goto out;
c9180a57 717 }
649f6e77
DQ		 718 if (kern_flags && !set_kern_flags) {
719 /* Specifying internal flags without providing a place to
720 * place the results is not allowed */
721 rc = -EINVAL;
722 goto out;
723 }
1da177e4 724
e0007529
EP		 725 /*
726 * Binary mount data FS will come through this function twice. Once
727 * from an explicit call and once from the generic calls from the vfs.
728 * Since the generic VFS calls will not contain any security mount data
729 * we need to skip the double mount verification.
730 *
731 * This does open a hole in which we will not notice if the first
732 * mount using this sb set explict options and a second mount using
733 * this sb does not set any security options. (The first options
734 * will be used for both mounts)
735 */
0d90a7ec 736 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 737 && (num_opts == 0))
f5269710 738 goto out;
e0007529 739
2c97165b
PM		 740 root_isec = backing_inode_security_novalidate(root);
741
c9180a57
EP		 742 /*
743 * parse the mount options, check if they are valid sids.
744 * also check if someone is trying to mount the same sb more
745 * than once with different security options.
746 */
747 for (i = 0; i < num_opts; i++) {
748 u32 sid;
11689d47 749
12f348b9 750 if (flags[i] == SBLABEL_MNT)
11689d47 751 continue;
44be2f65 752 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
1da177e4 753 if (rc) {
44be2f65 754 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 755 "(%s) failed for (dev %s, type %s) errno=%d\n",
756 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 757 goto out;
758 }
759 switch (flags[i]) {
760 case FSCONTEXT_MNT:
761 fscontext_sid = sid;
762
763 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
764 fscontext_sid))
765 goto out_double_mount;
766
767 sbsec->flags |= FSCONTEXT_MNT;
768 break;
769 case CONTEXT_MNT:
770 context_sid = sid;
771
772 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
773 context_sid))
774 goto out_double_mount;
775
776 sbsec->flags |= CONTEXT_MNT;
777 break;
778 case ROOTCONTEXT_MNT:
779 rootcontext_sid = sid;
780
781 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
782 rootcontext_sid))
783 goto out_double_mount;
784
785 sbsec->flags |= ROOTCONTEXT_MNT;
786
787 break;
788 case DEFCONTEXT_MNT:
789 defcontext_sid = sid;
790
791 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
792 defcontext_sid))
793 goto out_double_mount;
794
795 sbsec->flags |= DEFCONTEXT_MNT;
796
797 break;
798 default:
799 rc = -EINVAL;
800 goto out;
1da177e4 801 }
c9180a57
EP		 802 }
803
0d90a7ec 804 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 805 /* previously mounted with options, but not on this attempt? */
0d90a7ec 806 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 807 goto out_double_mount;
808 rc = 0;
809 goto out;
810 }
811
089be43e 812 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 813 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
814
8e014720
SS		 815 if (!strcmp(sb->s_type->name, "debugfs") ||
816 !strcmp(sb->s_type->name, "sysfs") ||
817 !strcmp(sb->s_type->name, "pstore"))
134509d5 818 sbsec->flags |= SE_SBGENFS;
c9180a57 819
eb9ae686
DQ		 820 if (!sbsec->behavior) {
821 /*
822 * Determine the labeling behavior to use for this
823 * filesystem type.
824 */
98f700f3 825 rc = security_fs_use(sb);
eb9ae686
DQ		 826 if (rc) {
827 printk(KERN_WARNING
828 "%s: security_fs_use(%s) returned %d\n",
829 __func__, sb->s_type->name, rc);
830 goto out;
831 }
c9180a57 832 }
c9180a57
EP		 833 /* sets the context of the superblock for the fs being mounted. */
834 if (fscontext_sid) {
275bb41e 835 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 836 if (rc)
c9180a57 837 goto out;
1da177e4 838
c9180a57 839 sbsec->sid = fscontext_sid;
c312feb2
EP		 840 }
841
842 /*
843 * Switch to using mount point labeling behavior.
844 * sets the label used on all file below the mountpoint, and will set
845 * the superblock context if not already set.
846 */
eb9ae686
DQ		 847 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
848 sbsec->behavior = SECURITY_FS_USE_NATIVE;
849 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
850 }
851
c9180a57
EP		 852 if (context_sid) {
853 if (!fscontext_sid) {
275bb41e
DH		 854 rc = may_context_mount_sb_relabel(context_sid, sbsec,
855 cred);
b04ea3ce 856 if (rc)
c9180a57
EP		 857 goto out;
858 sbsec->sid = context_sid;
b04ea3ce 859 } else {
275bb41e
DH		 860 rc = may_context_mount_inode_relabel(context_sid, sbsec,
861 cred);
b04ea3ce 862 if (rc)
c9180a57 863 goto out;
b04ea3ce 864 }
c9180a57
EP		 865 if (!rootcontext_sid)
866 rootcontext_sid = context_sid;
1da177e4 867
c9180a57 868 sbsec->mntpoint_sid = context_sid;
c312feb2 869 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 870 }
871
c9180a57 872 if (rootcontext_sid) {
275bb41e
DH		 873 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
874 cred);
0808925e 875 if (rc)
c9180a57 876 goto out;
0808925e 877
c9180a57 878 root_isec->sid = rootcontext_sid;
6f3be9f5 879 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 880 }
881
c9180a57 882 if (defcontext_sid) {
eb9ae686
DQ		 883 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
884 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 885 rc = -EINVAL;
886 printk(KERN_WARNING "SELinux: defcontext option is "
887 "invalid for this filesystem type\n");
888 goto out;
1da177e4
LT		 889 }
890
c9180a57
EP		 891 if (defcontext_sid != sbsec->def_sid) {
892 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 893 sbsec, cred);
c9180a57
EP		 894 if (rc)
895 goto out;
896 }
1da177e4 897
c9180a57 898 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 899 }
900
c9180a57 901 rc = sb_finish_set_opts(sb);
1da177e4 902out:
c9180a57 903 mutex_unlock(&sbsec->lock);
1da177e4 904 return rc;
c9180a57
EP		 905out_double_mount:
906 rc = -EINVAL;
907 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 908 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 909 goto out;
1da177e4
LT		 910}
911
094f7b69
JL		 912static int selinux_cmp_sb_context(const struct super_block *oldsb,
913 const struct super_block *newsb)
914{
915 struct superblock_security_struct *old = oldsb->s_security;
916 struct superblock_security_struct *new = newsb->s_security;
917 char oldflags = old->flags & SE_MNTMASK;
918 char newflags = new->flags & SE_MNTMASK;
919
920 if (oldflags != newflags)
921 goto mismatch;
922 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
923 goto mismatch;
924 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
925 goto mismatch;
926 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
927 goto mismatch;
928 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 929 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
930 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 931 if (oldroot->sid != newroot->sid)
932 goto mismatch;
933 }
934 return 0;
935mismatch:
936 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
937 "different security settings for (dev %s, "
938 "type %s)\n", newsb->s_id, newsb->s_type->name);
939 return -EBUSY;
940}
941
942static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
c9180a57 943 struct super_block *newsb)
1da177e4 944{
c9180a57
EP		 945 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
946 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 947
c9180a57
EP		 948 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
949 int set_context = (oldsbsec->flags & CONTEXT_MNT);
950 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 951
0f5e6420
EP		 952 /*
953 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 954 * mount options. thus we can safely deal with this superblock later
0f5e6420 955 */
e8c26255 956 if (!ss_initialized)
094f7b69 957 return 0;
c9180a57 958
c9180a57 959 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 960 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 961
094f7b69 962 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 963 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 964 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 965
c9180a57
EP		 966 mutex_lock(&newsbsec->lock);
967
968 newsbsec->flags = oldsbsec->flags;
969
970 newsbsec->sid = oldsbsec->sid;
971 newsbsec->def_sid = oldsbsec->def_sid;
972 newsbsec->behavior = oldsbsec->behavior;
973
974 if (set_context) {
975 u32 sid = oldsbsec->mntpoint_sid;
976
977 if (!set_fscontext)
978 newsbsec->sid = sid;
979 if (!set_rootcontext) {
83da53c5 980 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 981 newisec->sid = sid;
982 }
983 newsbsec->mntpoint_sid = sid;
1da177e4 984 }
c9180a57 985 if (set_rootcontext) {
83da53c5
AG		 986 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
987 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 988
c9180a57 989 newisec->sid = oldisec->sid;
1da177e4
LT		 990 }
991
c9180a57
EP		 992 sb_finish_set_opts(newsb);
993 mutex_unlock(&newsbsec->lock);
094f7b69 994 return 0;
c9180a57
EP		 995}
996
2e1479d9
AB		 997static int selinux_parse_opts_str(char *options,
998 struct security_mnt_opts *opts)
c9180a57 999{
e0007529 1000 char *p;
c9180a57
EP		 1001 char *context = NULL, *defcontext = NULL;
1002 char *fscontext = NULL, *rootcontext = NULL;
e0007529 1003 int rc, num_mnt_opts = 0;
1da177e4 1004
e0007529 1005 opts->num_mnt_opts = 0;
1da177e4 1006
c9180a57
EP		 1007 /* Standard string-based options. */
1008 while ((p = strsep(&options, "|")) != NULL) {
1009 int token;
1010 substring_t args[MAX_OPT_ARGS];
1da177e4 1011
c9180a57
EP		 1012 if (!*p)
1013 continue;
1da177e4 1014
c9180a57 1015 token = match_token(p, tokens, args);
1da177e4 1016
c9180a57
EP		 1017 switch (token) {
1018 case Opt_context:
1019 if (context || defcontext) {
1020 rc = -EINVAL;
1021 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1022 goto out_err;
1023 }
1024 context = match_strdup(&args[0]);
1025 if (!context) {
1026 rc = -ENOMEM;
1027 goto out_err;
1028 }
1029 break;
1030
1031 case Opt_fscontext:
1032 if (fscontext) {
1033 rc = -EINVAL;
1034 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1035 goto out_err;
1036 }
1037 fscontext = match_strdup(&args[0]);
1038 if (!fscontext) {
1039 rc = -ENOMEM;
1040 goto out_err;
1041 }
1042 break;
1043
1044 case Opt_rootcontext:
1045 if (rootcontext) {
1046 rc = -EINVAL;
1047 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1048 goto out_err;
1049 }
1050 rootcontext = match_strdup(&args[0]);
1051 if (!rootcontext) {
1052 rc = -ENOMEM;
1053 goto out_err;
1054 }
1055 break;
1056
1057 case Opt_defcontext:
1058 if (context || defcontext) {
1059 rc = -EINVAL;
1060 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1061 goto out_err;
1062 }
1063 defcontext = match_strdup(&args[0]);
1064 if (!defcontext) {
1065 rc = -ENOMEM;
1066 goto out_err;
1067 }
1068 break;
11689d47
DQ		 1069 case Opt_labelsupport:
1070 break;
c9180a57
EP		 1071 default:
1072 rc = -EINVAL;
1073 printk(KERN_WARNING "SELinux: unknown mount option\n");
1074 goto out_err;
1da177e4 1075
1da177e4 1076 }
1da177e4 1077 }
c9180a57 1078
e0007529
EP		 1079 rc = -ENOMEM;
1080 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1081 if (!opts->mnt_opts)
1082 goto out_err;
1083
1084 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1085 if (!opts->mnt_opts_flags) {
1086 kfree(opts->mnt_opts);
1087 goto out_err;
1088 }
1089
c9180a57 1090 if (fscontext) {
e0007529
EP		 1091 opts->mnt_opts[num_mnt_opts] = fscontext;
1092 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1093 }
1094 if (context) {
e0007529
EP		 1095 opts->mnt_opts[num_mnt_opts] = context;
1096 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1097 }
1098 if (rootcontext) {
e0007529
EP		 1099 opts->mnt_opts[num_mnt_opts] = rootcontext;
1100 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1101 }
1102 if (defcontext) {
e0007529
EP		 1103 opts->mnt_opts[num_mnt_opts] = defcontext;
1104 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1105 }
1106
e0007529
EP		 1107 opts->num_mnt_opts = num_mnt_opts;
1108 return 0;
1109
c9180a57
EP		 1110out_err:
1111 kfree(context);
1112 kfree(defcontext);
1113 kfree(fscontext);
1114 kfree(rootcontext);
1da177e4
LT		 1115 return rc;
1116}
e0007529
EP		 1117/*
1118 * string mount options parsing and call set the sbsec
1119 */
1120static int superblock_doinit(struct super_block *sb, void *data)
1121{
1122 int rc = 0;
1123 char *options = data;
1124 struct security_mnt_opts opts;
1125
1126 security_init_mnt_opts(&opts);
1127
1128 if (!data)
1129 goto out;
1130
1131 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1132
1133 rc = selinux_parse_opts_str(options, &opts);
1134 if (rc)
1135 goto out_err;
1136
1137out:
649f6e77 1138 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1139
1140out_err:
1141 security_free_mnt_opts(&opts);
1142 return rc;
1143}
1da177e4 1144
3583a711
AB		 1145static void selinux_write_opts(struct seq_file *m,
1146 struct security_mnt_opts *opts)
2069f457
EP		 1147{
1148 int i;
1149 char *prefix;
1150
1151 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1152 char *has_comma;
1153
1154 if (opts->mnt_opts[i])
1155 has_comma = strchr(opts->mnt_opts[i], ',');
1156 else
1157 has_comma = NULL;
2069f457
EP		 1158
1159 switch (opts->mnt_opts_flags[i]) {
1160 case CONTEXT_MNT:
1161 prefix = CONTEXT_STR;
1162 break;
1163 case FSCONTEXT_MNT:
1164 prefix = FSCONTEXT_STR;
1165 break;
1166 case ROOTCONTEXT_MNT:
1167 prefix = ROOTCONTEXT_STR;
1168 break;
1169 case DEFCONTEXT_MNT:
1170 prefix = DEFCONTEXT_STR;
1171 break;
12f348b9 1172 case SBLABEL_MNT:
11689d47
DQ		 1173 seq_putc(m, ',');
1174 seq_puts(m, LABELSUPP_STR);
1175 continue;
2069f457
EP		 1176 default:
1177 BUG();
a35c6c83 1178 return;
2069f457
EP		 1179 };
1180 /* we need a comma before each option */
1181 seq_putc(m, ',');
1182 seq_puts(m, prefix);
1183 if (has_comma)
1184 seq_putc(m, '\"');
a068acf2 1185 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
2069f457
EP		 1186 if (has_comma)
1187 seq_putc(m, '\"');
1188 }
1189}
1190
1191static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1192{
1193 struct security_mnt_opts opts;
1194 int rc;
1195
1196 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1197 if (rc) {
1198 /* before policy load we may get EINVAL, don't show anything */
1199 if (rc == -EINVAL)
1200 rc = 0;
2069f457 1201 return rc;
383795c2 1202 }
2069f457
EP		 1203
1204 selinux_write_opts(m, &opts);
1205
1206 security_free_mnt_opts(&opts);
1207
1208 return rc;
1209}
1210
1da177e4
LT		 1211static inline u16 inode_mode_to_security_class(umode_t mode)
1212{
1213 switch (mode & S_IFMT) {
1214 case S_IFSOCK:
1215 return SECCLASS_SOCK_FILE;
1216 case S_IFLNK:
1217 return SECCLASS_LNK_FILE;
1218 case S_IFREG:
1219 return SECCLASS_FILE;
1220 case S_IFBLK:
1221 return SECCLASS_BLK_FILE;
1222 case S_IFDIR:
1223 return SECCLASS_DIR;
1224 case S_IFCHR:
1225 return SECCLASS_CHR_FILE;
1226 case S_IFIFO:
1227 return SECCLASS_FIFO_FILE;
1228
1229 }
1230
1231 return SECCLASS_FILE;
1232}
1233
13402580
JM		 1234static inline int default_protocol_stream(int protocol)
1235{
1236 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1237}
1238
1239static inline int default_protocol_dgram(int protocol)
1240{
1241 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1242}
1243
1da177e4
LT		 1244static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1245{
1246 switch (family) {
1247 case PF_UNIX:
1248 switch (type) {
1249 case SOCK_STREAM:
1250 case SOCK_SEQPACKET:
1251 return SECCLASS_UNIX_STREAM_SOCKET;
1252 case SOCK_DGRAM:
1253 return SECCLASS_UNIX_DGRAM_SOCKET;
1254 }
1255 break;
1256 case PF_INET:
1257 case PF_INET6:
1258 switch (type) {
1259 case SOCK_STREAM:
13402580
JM		 1260 if (default_protocol_stream(protocol))
1261 return SECCLASS_TCP_SOCKET;
1262 else
1263 return SECCLASS_RAWIP_SOCKET;
1da177e4 1264 case SOCK_DGRAM:
13402580
JM		 1265 if (default_protocol_dgram(protocol))
1266 return SECCLASS_UDP_SOCKET;
1267 else
1268 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1269 case SOCK_DCCP:
1270 return SECCLASS_DCCP_SOCKET;
13402580 1271 default:
1da177e4
LT		 1272 return SECCLASS_RAWIP_SOCKET;
1273 }
1274 break;
1275 case PF_NETLINK:
1276 switch (protocol) {
1277 case NETLINK_ROUTE:
1278 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1279 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1280 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1281 case NETLINK_NFLOG:
1282 return SECCLASS_NETLINK_NFLOG_SOCKET;
1283 case NETLINK_XFRM:
1284 return SECCLASS_NETLINK_XFRM_SOCKET;
1285 case NETLINK_SELINUX:
1286 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1287 case NETLINK_ISCSI:
1288 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1289 case NETLINK_AUDIT:
1290 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1291 case NETLINK_FIB_LOOKUP:
1292 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1293 case NETLINK_CONNECTOR:
1294 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1295 case NETLINK_NETFILTER:
1296 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1297 case NETLINK_DNRTMSG:
1298 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1299 case NETLINK_KOBJECT_UEVENT:
1300 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1301 case NETLINK_GENERIC:
1302 return SECCLASS_NETLINK_GENERIC_SOCKET;
1303 case NETLINK_SCSITRANSPORT:
1304 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1305 case NETLINK_RDMA:
1306 return SECCLASS_NETLINK_RDMA_SOCKET;
1307 case NETLINK_CRYPTO:
1308 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1309 default:
1310 return SECCLASS_NETLINK_SOCKET;
1311 }
1312 case PF_PACKET:
1313 return SECCLASS_PACKET_SOCKET;
1314 case PF_KEY:
1315 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1316 case PF_APPLETALK:
1317 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1318 }
1319
1320 return SECCLASS_SOCKET;
1321}
1322
134509d5
SS		 1323static int selinux_genfs_get_sid(struct dentry *dentry,
1324 u16 tclass,
1325 u16 flags,
1326 u32 *sid)
1da177e4 1327{
8e6c9693 1328 int rc;
fc64005c 1329 struct super_block *sb = dentry->d_sb;
8e6c9693 1330 char *buffer, *path;
1da177e4 1331
828dfe1d 1332 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1333 if (!buffer)
1334 return -ENOMEM;
1335
8e6c9693
LAG		 1336 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1337 if (IS_ERR(path))
1338 rc = PTR_ERR(path);
1339 else {
134509d5
SS		 1340 if (flags & SE_SBPROC) {
1341 /* each process gets a /proc/PID/ entry. Strip off the
1342 * PID part to get a valid selinux labeling.
1343 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1344 while (path[1] >= '0' && path[1] <= '9') {
1345 path[1] = '/';
1346 path++;
1347 }
8e6c9693 1348 }
134509d5 1349 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1da177e4 1350 }
1da177e4
LT		 1351 free_page((unsigned long)buffer);
1352 return rc;
1353}
1da177e4
LT		 1354
1355/* The inode's security attributes must be initialized before first use. */
1356static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1357{
1358 struct superblock_security_struct *sbsec = NULL;
1359 struct inode_security_struct *isec = inode->i_security;
1360 u32 sid;
1361 struct dentry *dentry;
1362#define INITCONTEXTLEN 255
1363 char *context = NULL;
1364 unsigned len = 0;
1365 int rc = 0;
1da177e4 1366
6f3be9f5 1367 if (isec->initialized == LABEL_INITIALIZED)
1da177e4
LT		 1368 goto out;
1369
23970741 1370 mutex_lock(&isec->lock);
6f3be9f5 1371 if (isec->initialized == LABEL_INITIALIZED)
23970741 1372 goto out_unlock;
1da177e4
LT		 1373
1374 sbsec = inode->i_sb->s_security;
0d90a7ec 1375 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1376 /* Defer initialization until selinux_complete_init,
1377 after the initial policy is loaded and the security
1378 server is ready to handle calls. */
1379 spin_lock(&sbsec->isec_lock);
1380 if (list_empty(&isec->list))
1381 list_add(&isec->list, &sbsec->isec_head);
1382 spin_unlock(&sbsec->isec_lock);
23970741 1383 goto out_unlock;
1da177e4
LT		 1384 }
1385
1386 switch (sbsec->behavior) {
eb9ae686
DQ		 1387 case SECURITY_FS_USE_NATIVE:
1388 break;
1da177e4
LT		 1389 case SECURITY_FS_USE_XATTR:
1390 if (!inode->i_op->getxattr) {
1391 isec->sid = sbsec->def_sid;
1392 break;
1393 }
1394
1395 /* Need a dentry, since the xattr API requires one.
1396 Life would be simpler if we could just pass the inode. */
1397 if (opt_dentry) {
1398 /* Called from d_instantiate or d_splice_alias. */
1399 dentry = dget(opt_dentry);
1400 } else {
1401 /* Called from selinux_complete_init, try to find a dentry. */
1402 dentry = d_find_alias(inode);
1403 }
1404 if (!dentry) {
df7f54c0
EP		 1405 /*
1406 * this is can be hit on boot when a file is accessed
1407 * before the policy is loaded. When we load policy we
1408 * may find inodes that have no dentry on the
1409 * sbsec->isec_head list. No reason to complain as these
1410 * will get fixed up the next time we go through
1411 * inode_doinit with a dentry, before these inodes could
1412 * be used again by userspace.
1413 */
23970741 1414 goto out_unlock;
1da177e4
LT		 1415 }
1416
1417 len = INITCONTEXTLEN;
4cb912f1 1418 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1419 if (!context) {
1420 rc = -ENOMEM;
1421 dput(dentry);
23970741 1422 goto out_unlock;
1da177e4 1423 }
4cb912f1 1424 context[len] = '\0';
ce23e640 1425 rc = inode->i_op->getxattr(dentry, inode, XATTR_NAME_SELINUX,
1da177e4
LT		 1426 context, len);
1427 if (rc == -ERANGE) {
314dabb8
JM		 1428 kfree(context);
1429
1da177e4 1430 /* Need a larger buffer. Query for the right size. */
ce23e640 1431 rc = inode->i_op->getxattr(dentry, inode, XATTR_NAME_SELINUX,
1da177e4
LT		 1432 NULL, 0);
1433 if (rc < 0) {
1434 dput(dentry);
23970741 1435 goto out_unlock;
1da177e4 1436 }
1da177e4 1437 len = rc;
4cb912f1 1438 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1439 if (!context) {
1440 rc = -ENOMEM;
1441 dput(dentry);
23970741 1442 goto out_unlock;
1da177e4 1443 }
4cb912f1 1444 context[len] = '\0';
ce23e640 1445 rc = inode->i_op->getxattr(dentry, inode,
1da177e4
LT		 1446 XATTR_NAME_SELINUX,
1447 context, len);
1448 }
1449 dput(dentry);
1450 if (rc < 0) {
1451 if (rc != -ENODATA) {
744ba35e 1452 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1453 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1454 -rc, inode->i_sb->s_id, inode->i_ino);
1455 kfree(context);
23970741 1456 goto out_unlock;
1da177e4
LT		 1457 }
1458 /* Map ENODATA to the default file SID */
1459 sid = sbsec->def_sid;
1460 rc = 0;
1461 } else {
f5c1d5b2 1462 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1463 sbsec->def_sid,
1464 GFP_NOFS);
1da177e4 1465 if (rc) {
4ba0a8ad
EP		 1466 char *dev = inode->i_sb->s_id;
1467 unsigned long ino = inode->i_ino;
1468
1469 if (rc == -EINVAL) {
1470 if (printk_ratelimit())
1471 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1472 "context=%s. This indicates you may need to relabel the inode or the "
1473 "filesystem in question.\n", ino, dev, context);
1474 } else {
1475 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1476 "returned %d for dev=%s ino=%ld\n",
1477 __func__, context, -rc, dev, ino);
1478 }
1da177e4
LT		 1479 kfree(context);
1480 /* Leave with the unlabeled SID */
1481 rc = 0;
1482 break;
1483 }
1484 }
1485 kfree(context);
1486 isec->sid = sid;
1487 break;
1488 case SECURITY_FS_USE_TASK:
1489 isec->sid = isec->task_sid;
1490 break;
1491 case SECURITY_FS_USE_TRANS:
1492 /* Default to the fs SID. */
1493 isec->sid = sbsec->sid;
1494
1495 /* Try to obtain a transition SID. */
1496 isec->sclass = inode_mode_to_security_class(inode->i_mode);
652bb9b0
EP		 1497 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1498 isec->sclass, NULL, &sid);
1da177e4 1499 if (rc)
23970741 1500 goto out_unlock;
1da177e4
LT		 1501 isec->sid = sid;
1502 break;
c312feb2
EP		 1503 case SECURITY_FS_USE_MNTPOINT:
1504 isec->sid = sbsec->mntpoint_sid;
1505 break;
1da177e4 1506 default:
c312feb2 1507 /* Default to the fs superblock SID. */
1da177e4
LT		 1508 isec->sid = sbsec->sid;
1509
134509d5 1510 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1511 /* We must have a dentry to determine the label on
1512 * procfs inodes */
1513 if (opt_dentry)
1514 /* Called from d_instantiate or
1515 * d_splice_alias. */
1516 dentry = dget(opt_dentry);
1517 else
1518 /* Called from selinux_complete_init, try to
1519 * find a dentry. */
1520 dentry = d_find_alias(inode);
1521 /*
1522 * This can be hit on boot when a file is accessed
1523 * before the policy is loaded. When we load policy we
1524 * may find inodes that have no dentry on the
1525 * sbsec->isec_head list. No reason to complain as
1526 * these will get fixed up the next time we go through
1527 * inode_doinit() with a dentry, before these inodes
1528 * could be used again by userspace.
1529 */
1530 if (!dentry)
1531 goto out_unlock;
1532 isec->sclass = inode_mode_to_security_class(inode->i_mode);
134509d5
SS		 1533 rc = selinux_genfs_get_sid(dentry, isec->sclass,
1534 sbsec->flags, &sid);
f64410ec
PM		 1535 dput(dentry);
1536 if (rc)
1537 goto out_unlock;
1538 isec->sid = sid;
1da177e4
LT		 1539 }
1540 break;
1541 }
1542
6f3be9f5 1543 isec->initialized = LABEL_INITIALIZED;
1da177e4 1544
23970741
EP		 1545out_unlock:
1546 mutex_unlock(&isec->lock);
1da177e4
LT		 1547out:
1548 if (isec->sclass == SECCLASS_FILE)
1549 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1550 return rc;
1551}
1552
1553/* Convert a Linux signal to an access vector. */
1554static inline u32 signal_to_av(int sig)
1555{
1556 u32 perm = 0;
1557
1558 switch (sig) {
1559 case SIGCHLD:
1560 /* Commonly granted from child to parent. */
1561 perm = PROCESS__SIGCHLD;
1562 break;
1563 case SIGKILL:
1564 /* Cannot be caught or ignored */
1565 perm = PROCESS__SIGKILL;
1566 break;
1567 case SIGSTOP:
1568 /* Cannot be caught or ignored */
1569 perm = PROCESS__SIGSTOP;
1570 break;
1571 default:
1572 /* All other signals. */
1573 perm = PROCESS__SIGNAL;
1574 break;
1575 }
1576
1577 return perm;
1578}
1579
d84f4f99
DH		 1580/*
1581 * Check permission between a pair of credentials
1582 * fork check, ptrace check, etc.
1583 */
1584static int cred_has_perm(const struct cred *actor,
1585 const struct cred *target,
1586 u32 perms)
1587{
1588 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1589
1590 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1591}
1592
275bb41e 1593/*
88e67f3b 1594 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1595 * fork check, ptrace check, etc.
1596 * tsk1 is the actor and tsk2 is the target
3b11a1de 1597 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1598 */
1599static int task_has_perm(const struct task_struct *tsk1,
1600 const struct task_struct *tsk2,
1da177e4
LT		 1601 u32 perms)
1602{
275bb41e
DH		 1603 const struct task_security_struct *__tsec1, *__tsec2;
1604 u32 sid1, sid2;
1da177e4 1605
275bb41e
DH		 1606 rcu_read_lock();
1607 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1608 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1609 rcu_read_unlock();
1610 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1611}
1612
3b11a1de
DH		 1613/*
1614 * Check permission between current and another task, e.g. signal checks,
1615 * fork check, ptrace check, etc.
1616 * current is the actor and tsk2 is the target
1617 * - this uses current's subjective creds
1618 */
1619static int current_has_perm(const struct task_struct *tsk,
1620 u32 perms)
1621{
1622 u32 sid, tsid;
1623
1624 sid = current_sid();
1625 tsid = task_sid(tsk);
1626 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1627}
1628
b68e418c
SS		 1629#if CAP_LAST_CAP > 63
1630#error Fix SELinux to handle capabilities > 63.
1631#endif
1632
1da177e4 1633/* Check whether a task is allowed to use a capability. */
6a9de491 1634static int cred_has_capability(const struct cred *cred,
8e4ff6f2 1635 int cap, int audit, bool initns)
1da177e4 1636{
2bf49690 1637 struct common_audit_data ad;
06112163 1638 struct av_decision avd;
b68e418c 1639 u16 sclass;
3699c53c 1640 u32 sid = cred_sid(cred);
b68e418c 1641 u32 av = CAP_TO_MASK(cap);
06112163 1642 int rc;
1da177e4 1643
50c205f5 1644 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1645 ad.u.cap = cap;
1646
b68e418c
SS		 1647 switch (CAP_TO_INDEX(cap)) {
1648 case 0:
8e4ff6f2 1649 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1650 break;
1651 case 1:
8e4ff6f2 1652 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1653 break;
1654 default:
1655 printk(KERN_ERR
1656 "SELinux: out of range capability %d\n", cap);
1657 BUG();
a35c6c83 1658 return -EINVAL;
b68e418c 1659 }
06112163 1660
275bb41e 1661 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1662 if (audit == SECURITY_CAP_AUDIT) {
7b20ea25 1663 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1664 if (rc2)
1665 return rc2;
1666 }
06112163 1667 return rc;
1da177e4
LT		 1668}
1669
1670/* Check whether a task is allowed to use a system operation. */
1671static int task_has_system(struct task_struct *tsk,
1672 u32 perms)
1673{
275bb41e 1674 u32 sid = task_sid(tsk);
1da177e4 1675
275bb41e 1676 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1677 SECCLASS_SYSTEM, perms, NULL);
1678}
1679
1680/* Check whether a task has a particular permission to an inode.
1681 The 'adp' parameter is optional and allows other audit
1682 data to be passed (e.g. the dentry). */
88e67f3b 1683static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1684 struct inode *inode,
1685 u32 perms,
19e49834 1686 struct common_audit_data *adp)
1da177e4 1687{
1da177e4 1688 struct inode_security_struct *isec;
275bb41e 1689 u32 sid;
1da177e4 1690
e0e81739
DH		 1691 validate_creds(cred);
1692
828dfe1d 1693 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1694 return 0;
1695
88e67f3b 1696 sid = cred_sid(cred);
1da177e4
LT		 1697 isec = inode->i_security;
1698
19e49834 1699 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1700}
1701
1702/* Same as inode_has_perm, but pass explicit audit data containing
1703 the dentry to help the auditing code to more easily generate the
1704 pathname if needed. */
88e67f3b 1705static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1706 struct dentry *dentry,
1707 u32 av)
1708{
c6f493d6 1709 struct inode *inode = d_backing_inode(dentry);
2bf49690 1710 struct common_audit_data ad;
88e67f3b 1711
50c205f5 1712 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1713 ad.u.dentry = dentry;
5d226df4 1714 __inode_security_revalidate(inode, dentry, true);
19e49834 1715 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1716}
1717
1718/* Same as inode_has_perm, but pass explicit audit data containing
1719 the path to help the auditing code to more easily generate the
1720 pathname if needed. */
1721static inline int path_has_perm(const struct cred *cred,
3f7036a0 1722 const struct path *path,
2875fa00
EP		 1723 u32 av)
1724{
c6f493d6 1725 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1726 struct common_audit_data ad;
1727
50c205f5 1728 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1729 ad.u.path = *path;
5d226df4 1730 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1731 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1732}
1733
13f8e981
DH		 1734/* Same as path_has_perm, but uses the inode from the file struct. */
1735static inline int file_path_has_perm(const struct cred *cred,
1736 struct file *file,
1737 u32 av)
1738{
1739 struct common_audit_data ad;
1740
1741 ad.type = LSM_AUDIT_DATA_PATH;
1742 ad.u.path = file->f_path;
19e49834 1743 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1744}
1745
1da177e4
LT		 1746/* Check whether a task can use an open file descriptor to
1747 access an inode in a given way. Check access to the
1748 descriptor itself, and then use dentry_has_perm to
1749 check a particular permission to the file.
1750 Access to the descriptor is implicitly granted if it
1751 has the same SID as the process. If av is zero, then
1752 access to the file is not checked, e.g. for cases
1753 where only the descriptor is affected like seek. */
88e67f3b
DH		 1754static int file_has_perm(const struct cred *cred,
1755 struct file *file,
1756 u32 av)
1da177e4 1757{
1da177e4 1758 struct file_security_struct *fsec = file->f_security;
496ad9aa 1759 struct inode *inode = file_inode(file);
2bf49690 1760 struct common_audit_data ad;
88e67f3b 1761 u32 sid = cred_sid(cred);
1da177e4
LT		 1762 int rc;
1763
50c205f5 1764 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 1765 ad.u.path = file->f_path;
1da177e4 1766
275bb41e
DH		 1767 if (sid != fsec->sid) {
1768 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1769 SECCLASS_FD,
1770 FD__USE,
1771 &ad);
1772 if (rc)
88e67f3b 1773 goto out;
1da177e4
LT		 1774 }
1775
1776 /* av is zero if only checking access to the descriptor. */
88e67f3b 1777 rc = 0;
1da177e4 1778 if (av)
19e49834 1779 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1780
88e67f3b
DH		 1781out:
1782 return rc;
1da177e4
LT		 1783}
1784
c3c188b2
DH		 1785/*
1786 * Determine the label for an inode that might be unioned.
1787 */
83da53c5 1788static int selinux_determine_inode_label(struct inode *dir,
c3c188b2
DH		 1789 const struct qstr *name,
1790 u16 tclass,
1791 u32 *_new_isid)
1792{
1793 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1794 const struct task_security_struct *tsec = current_security();
1795
1796 if ((sbsec->flags & SE_SBINITIALIZED) &&
1797 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1798 *_new_isid = sbsec->mntpoint_sid;
1799 } else if ((sbsec->flags & SBLABEL_MNT) &&
1800 tsec->create_sid) {
1801 *_new_isid = tsec->create_sid;
1802 } else {
20cdef8d 1803 const struct inode_security_struct *dsec = inode_security(dir);
c3c188b2
DH		 1804 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1805 name, _new_isid);
1806 }
1807
1808 return 0;
1809}
1810
1da177e4
LT		 1811/* Check whether a task can create a file. */
1812static int may_create(struct inode *dir,
1813 struct dentry *dentry,
1814 u16 tclass)
1815{
5fb49870 1816 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1817 struct inode_security_struct *dsec;
1818 struct superblock_security_struct *sbsec;
275bb41e 1819 u32 sid, newsid;
2bf49690 1820 struct common_audit_data ad;
1da177e4
LT		 1821 int rc;
1822
83da53c5 1823 dsec = inode_security(dir);
1da177e4
LT		 1824 sbsec = dir->i_sb->s_security;
1825
275bb41e 1826 sid = tsec->sid;
275bb41e 1827
50c205f5 1828 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1829 ad.u.dentry = dentry;
1da177e4 1830
275bb41e 1831 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1832 DIR__ADD_NAME | DIR__SEARCH,
1833 &ad);
1834 if (rc)
1835 return rc;
1836
c3c188b2
DH		 1837 rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass,
1838 &newsid);
1839 if (rc)
1840 return rc;
1da177e4 1841
275bb41e 1842 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1843 if (rc)
1844 return rc;
1845
1846 return avc_has_perm(newsid, sbsec->sid,
1847 SECCLASS_FILESYSTEM,
1848 FILESYSTEM__ASSOCIATE, &ad);
1849}
1850
4eb582cf
ML		 1851/* Check whether a task can create a key. */
1852static int may_create_key(u32 ksid,
1853 struct task_struct *ctx)
1854{
275bb41e 1855 u32 sid = task_sid(ctx);
4eb582cf 1856
275bb41e 1857 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1858}
1859
828dfe1d
EP		 1860#define MAY_LINK 0
1861#define MAY_UNLINK 1
1862#define MAY_RMDIR 2
1da177e4
LT		 1863
1864/* Check whether a task can link, unlink, or rmdir a file/directory. */
1865static int may_link(struct inode *dir,
1866 struct dentry *dentry,
1867 int kind)
1868
1869{
1da177e4 1870 struct inode_security_struct *dsec, *isec;
2bf49690 1871 struct common_audit_data ad;
275bb41e 1872 u32 sid = current_sid();
1da177e4
LT		 1873 u32 av;
1874 int rc;
1875
83da53c5
AG		 1876 dsec = inode_security(dir);
1877 isec = backing_inode_security(dentry);
1da177e4 1878
50c205f5 1879 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1880 ad.u.dentry = dentry;
1da177e4
LT		 1881
1882 av = DIR__SEARCH;
1883 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1884 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1885 if (rc)
1886 return rc;
1887
1888 switch (kind) {
1889 case MAY_LINK:
1890 av = FILE__LINK;
1891 break;
1892 case MAY_UNLINK:
1893 av = FILE__UNLINK;
1894 break;
1895 case MAY_RMDIR:
1896 av = DIR__RMDIR;
1897 break;
1898 default:
744ba35e
EP		 1899 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1900 __func__, kind);
1da177e4
LT		 1901 return 0;
1902 }
1903
275bb41e 1904 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1905 return rc;
1906}
1907
1908static inline int may_rename(struct inode *old_dir,
1909 struct dentry *old_dentry,
1910 struct inode *new_dir,
1911 struct dentry *new_dentry)
1912{
1da177e4 1913 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1914 struct common_audit_data ad;
275bb41e 1915 u32 sid = current_sid();
1da177e4
LT		 1916 u32 av;
1917 int old_is_dir, new_is_dir;
1918 int rc;
1919
83da53c5
AG		 1920 old_dsec = inode_security(old_dir);
1921 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1922 old_is_dir = d_is_dir(old_dentry);
83da53c5 1923 new_dsec = inode_security(new_dir);
1da177e4 1924
50c205f5 1925 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1926
a269434d 1927 ad.u.dentry = old_dentry;
275bb41e 1928 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1929 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1930 if (rc)
1931 return rc;
275bb41e 1932 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1933 old_isec->sclass, FILE__RENAME, &ad);
1934 if (rc)
1935 return rc;
1936 if (old_is_dir && new_dir != old_dir) {
275bb41e 1937 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1938 old_isec->sclass, DIR__REPARENT, &ad);
1939 if (rc)
1940 return rc;
1941 }
1942
a269434d 1943 ad.u.dentry = new_dentry;
1da177e4 1944 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1945 if (d_is_positive(new_dentry))
1da177e4 1946 av |= DIR__REMOVE_NAME;
275bb41e 1947 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1948 if (rc)
1949 return rc;
2c616d4d 1950 if (d_is_positive(new_dentry)) {
83da53c5 1951 new_isec = backing_inode_security(new_dentry);
e36cb0b8 1952 new_is_dir = d_is_dir(new_dentry);
275bb41e 1953 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1954 new_isec->sclass,
1955 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1956 if (rc)
1957 return rc;
1958 }
1959
1960 return 0;
1961}
1962
1963/* Check whether a task can perform a filesystem operation. */
88e67f3b 1964static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1965 struct super_block *sb,
1966 u32 perms,
2bf49690 1967 struct common_audit_data *ad)
1da177e4 1968{
1da177e4 1969 struct superblock_security_struct *sbsec;
88e67f3b 1970 u32 sid = cred_sid(cred);
1da177e4 1971
1da177e4 1972 sbsec = sb->s_security;
275bb41e 1973 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1974}
1975
1976/* Convert a Linux mode and permission mask to an access vector. */
1977static inline u32 file_mask_to_av(int mode, int mask)
1978{
1979 u32 av = 0;
1980
dba19c60 1981 if (!S_ISDIR(mode)) {
1da177e4
LT		 1982 if (mask & MAY_EXEC)
1983 av |= FILE__EXECUTE;
1984 if (mask & MAY_READ)
1985 av |= FILE__READ;
1986
1987 if (mask & MAY_APPEND)
1988 av |= FILE__APPEND;
1989 else if (mask & MAY_WRITE)
1990 av |= FILE__WRITE;
1991
1992 } else {
1993 if (mask & MAY_EXEC)
1994 av |= DIR__SEARCH;
1995 if (mask & MAY_WRITE)
1996 av |= DIR__WRITE;
1997 if (mask & MAY_READ)
1998 av |= DIR__READ;
1999 }
2000
2001 return av;
2002}
2003
8b6a5a37
EP		 2004/* Convert a Linux file to an access vector. */
2005static inline u32 file_to_av(struct file *file)
2006{
2007 u32 av = 0;
2008
2009 if (file->f_mode & FMODE_READ)
2010 av |= FILE__READ;
2011 if (file->f_mode & FMODE_WRITE) {
2012 if (file->f_flags & O_APPEND)
2013 av |= FILE__APPEND;
2014 else
2015 av |= FILE__WRITE;
2016 }
2017 if (!av) {
2018 /*
2019 * Special file opened with flags 3 for ioctl-only use.
2020 */
2021 av = FILE__IOCTL;
2022 }
2023
2024 return av;
2025}
2026
b0c636b9 2027/*
8b6a5a37 2028 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2029 * open permission.
2030 */
8b6a5a37 2031static inline u32 open_file_to_av(struct file *file)
b0c636b9 2032{
8b6a5a37 2033 u32 av = file_to_av(file);
b0c636b9 2034
49b7b8de
EP		 2035 if (selinux_policycap_openperm)
2036 av |= FILE__OPEN;
2037
b0c636b9
EP		 2038 return av;
2039}
2040
1da177e4
LT		 2041/* Hook functions begin here. */
2042
79af7307
SS		 2043static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2044{
2045 u32 mysid = current_sid();
2046 u32 mgrsid = task_sid(mgr);
2047
2048 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2049 BINDER__SET_CONTEXT_MGR, NULL);
2050}
2051
2052static int selinux_binder_transaction(struct task_struct *from,
2053 struct task_struct *to)
2054{
2055 u32 mysid = current_sid();
2056 u32 fromsid = task_sid(from);
2057 u32 tosid = task_sid(to);
2058 int rc;
2059
2060 if (mysid != fromsid) {
2061 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2062 BINDER__IMPERSONATE, NULL);
2063 if (rc)
2064 return rc;
2065 }
2066
2067 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2068 NULL);
2069}
2070
2071static int selinux_binder_transfer_binder(struct task_struct *from,
2072 struct task_struct *to)
2073{
2074 u32 fromsid = task_sid(from);
2075 u32 tosid = task_sid(to);
2076
2077 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2078 NULL);
2079}
2080
2081static int selinux_binder_transfer_file(struct task_struct *from,
2082 struct task_struct *to,
2083 struct file *file)
2084{
2085 u32 sid = task_sid(to);
2086 struct file_security_struct *fsec = file->f_security;
83da53c5 2087 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2088 struct inode_security_struct *isec;
79af7307
SS		 2089 struct common_audit_data ad;
2090 int rc;
2091
2092 ad.type = LSM_AUDIT_DATA_PATH;
2093 ad.u.path = file->f_path;
2094
2095 if (sid != fsec->sid) {
2096 rc = avc_has_perm(sid, fsec->sid,
2097 SECCLASS_FD,
2098 FD__USE,
2099 &ad);
2100 if (rc)
2101 return rc;
2102 }
2103
83da53c5 2104 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2105 return 0;
2106
20cdef8d 2107 isec = backing_inode_security(dentry);
79af7307
SS		 2108 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2109 &ad);
2110}
2111
9e48858f 2112static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2113 unsigned int mode)
1da177e4 2114{
69f594a3 2115 if (mode & PTRACE_MODE_READ) {
275bb41e
DH		 2116 u32 sid = current_sid();
2117 u32 csid = task_sid(child);
2118 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 2119 }
2120
3b11a1de 2121 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 2122}
2123
2124static int selinux_ptrace_traceme(struct task_struct *parent)
2125{
5cd9c58f 2126 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 2127}
2128
2129static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2130 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2131{
b1d9e6b0 2132 return current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 2133}
2134
d84f4f99
DH		 2135static int selinux_capset(struct cred *new, const struct cred *old,
2136 const kernel_cap_t *effective,
2137 const kernel_cap_t *inheritable,
2138 const kernel_cap_t *permitted)
1da177e4 2139{
d84f4f99 2140 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 2141}
2142
5626d3e8
JM		 2143/*
2144 * (This comment used to live with the selinux_task_setuid hook,
2145 * which was removed).
2146 *
2147 * Since setuid only affects the current process, and since the SELinux
2148 * controls are not based on the Linux identity attributes, SELinux does not
2149 * need to control this operation. However, SELinux does control the use of
2150 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2151 */
2152
6a9de491
EP		 2153static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2154 int cap, int audit)
1da177e4 2155{
8e4ff6f2 2156 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
1da177e4
LT		 2157}
2158
1da177e4
LT		 2159static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2160{
88e67f3b 2161 const struct cred *cred = current_cred();
1da177e4
LT		 2162 int rc = 0;
2163
2164 if (!sb)
2165 return 0;
2166
2167 switch (cmds) {
828dfe1d
EP		 2168 case Q_SYNC:
2169 case Q_QUOTAON:
2170 case Q_QUOTAOFF:
2171 case Q_SETINFO:
2172 case Q_SETQUOTA:
88e67f3b 2173 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2174 break;
2175 case Q_GETFMT:
2176 case Q_GETINFO:
2177 case Q_GETQUOTA:
88e67f3b 2178 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2179 break;
2180 default:
2181 rc = 0; /* let the kernel handle invalid cmds */
2182 break;
1da177e4
LT		 2183 }
2184 return rc;
2185}
2186
2187static int selinux_quota_on(struct dentry *dentry)
2188{
88e67f3b
DH		 2189 const struct cred *cred = current_cred();
2190
2875fa00 2191 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2192}
2193
12b3052c 2194static int selinux_syslog(int type)
1da177e4
LT		 2195{
2196 int rc;
2197
1da177e4 2198 switch (type) {
d78ca3cd
KC		 2199 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2200 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
828dfe1d
EP		 2201 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2202 break;
d78ca3cd
KC		 2203 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2204 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2205 /* Set level of messages printed to console */
2206 case SYSLOG_ACTION_CONSOLE_LEVEL:
828dfe1d
EP		 2207 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2208 break;
d78ca3cd
KC		 2209 case SYSLOG_ACTION_CLOSE: /* Close log */
2210 case SYSLOG_ACTION_OPEN: /* Open log */
2211 case SYSLOG_ACTION_READ: /* Read from log */
2212 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2213 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
828dfe1d
EP		 2214 default:
2215 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2216 break;
1da177e4
LT		 2217 }
2218 return rc;
2219}
2220
2221/*
2222 * Check that a process has enough memory to allocate a new virtual
2223 * mapping. 0 means there is enough memory for the allocation to
2224 * succeed and -ENOMEM implies there is not.
2225 *
1da177e4
LT		 2226 * Do not audit the selinux permission check, as this is applied to all
2227 * processes that allocate mappings.
2228 */
34b4e4aa 2229static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2230{
2231 int rc, cap_sys_admin = 0;
1da177e4 2232
b1d9e6b0 2233 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
8e4ff6f2 2234 SECURITY_CAP_NOAUDIT, true);
1da177e4
LT		 2235 if (rc == 0)
2236 cap_sys_admin = 1;
2237
b1d9e6b0 2238 return cap_sys_admin;
1da177e4
LT		 2239}
2240
2241/* binprm security operations */
2242
0c6181cb
PM		 2243static u32 ptrace_parent_sid(struct task_struct *task)
2244{
2245 u32 sid = 0;
2246 struct task_struct *tracer;
2247
2248 rcu_read_lock();
2249 tracer = ptrace_parent(task);
2250 if (tracer)
2251 sid = task_sid(tracer);
2252 rcu_read_unlock();
2253
2254 return sid;
2255}
2256
7b0d0b40
SS		 2257static int check_nnp_nosuid(const struct linux_binprm *bprm,
2258 const struct task_security_struct *old_tsec,
2259 const struct task_security_struct *new_tsec)
2260{
2261 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2262 int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2263 int rc;
2264
2265 if (!nnp && !nosuid)
2266 return 0; /* neither NNP nor nosuid */
2267
2268 if (new_tsec->sid == old_tsec->sid)
2269 return 0; /* No change in credentials */
2270
2271 /*
2272 * The only transitions we permit under NNP or nosuid
2273 * are transitions to bounded SIDs, i.e. SIDs that are
2274 * guaranteed to only be allowed a subset of the permissions
2275 * of the current SID.
2276 */
2277 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2278 if (rc) {
2279 /*
2280 * On failure, preserve the errno values for NNP vs nosuid.
2281 * NNP: Operation not permitted for caller.
2282 * nosuid: Permission denied to file.
2283 */
2284 if (nnp)
2285 return -EPERM;
2286 else
2287 return -EACCES;
2288 }
2289 return 0;
2290}
2291
a6f76f23 2292static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2293{
a6f76f23
DH		 2294 const struct task_security_struct *old_tsec;
2295 struct task_security_struct *new_tsec;
1da177e4 2296 struct inode_security_struct *isec;
2bf49690 2297 struct common_audit_data ad;
496ad9aa 2298 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2299 int rc;
2300
a6f76f23
DH		 2301 /* SELinux context only depends on initial program or script and not
2302 * the script interpreter */
2303 if (bprm->cred_prepared)
1da177e4
LT		 2304 return 0;
2305
a6f76f23
DH		 2306 old_tsec = current_security();
2307 new_tsec = bprm->cred->security;
83da53c5 2308 isec = inode_security(inode);
1da177e4
LT		 2309
2310 /* Default to the current task SID. */
a6f76f23
DH		 2311 new_tsec->sid = old_tsec->sid;
2312 new_tsec->osid = old_tsec->sid;
1da177e4 2313
28eba5bf 2314 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2315 new_tsec->create_sid = 0;
2316 new_tsec->keycreate_sid = 0;
2317 new_tsec->sockcreate_sid = 0;
1da177e4 2318
a6f76f23
DH		 2319 if (old_tsec->exec_sid) {
2320 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2321 /* Reset exec SID on execve. */
a6f76f23 2322 new_tsec->exec_sid = 0;
259e5e6c 2323
7b0d0b40
SS		 2324 /* Fail on NNP or nosuid if not an allowed transition. */
2325 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2326 if (rc)
2327 return rc;
1da177e4
LT		 2328 } else {
2329 /* Check for a default transition on this program. */
a6f76f23 2330 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2331 SECCLASS_PROCESS, NULL,
2332 &new_tsec->sid);
1da177e4
LT		 2333 if (rc)
2334 return rc;
7b0d0b40
SS		 2335
2336 /*
2337 * Fallback to old SID on NNP or nosuid if not an allowed
2338 * transition.
2339 */
2340 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2341 if (rc)
2342 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2343 }
2344
50c205f5 2345 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 2346 ad.u.path = bprm->file->f_path;
1da177e4 2347
a6f76f23
DH		 2348 if (new_tsec->sid == old_tsec->sid) {
2349 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2350 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2351 if (rc)
2352 return rc;
2353 } else {
2354 /* Check permissions for the transition. */
a6f76f23 2355 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2356 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2357 if (rc)
2358 return rc;
2359
a6f76f23 2360 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2361 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2362 if (rc)
2363 return rc;
2364
a6f76f23
DH		 2365 /* Check for shared state */
2366 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2367 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2368 SECCLASS_PROCESS, PROCESS__SHARE,
2369 NULL);
2370 if (rc)
2371 return -EPERM;
2372 }
2373
2374 /* Make sure that anyone attempting to ptrace over a task that
2375 * changes its SID has the appropriate permit */
2376 if (bprm->unsafe &
2377 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
0c6181cb 2378 u32 ptsid = ptrace_parent_sid(current);
a6f76f23
DH		 2379 if (ptsid != 0) {
2380 rc = avc_has_perm(ptsid, new_tsec->sid,
2381 SECCLASS_PROCESS,
2382 PROCESS__PTRACE, NULL);
2383 if (rc)
2384 return -EPERM;
2385 }
2386 }
1da177e4 2387
a6f76f23
DH		 2388 /* Clear any possibly unsafe personality bits on exec: */
2389 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2390 }
2391
1da177e4
LT		 2392 return 0;
2393}
2394
828dfe1d 2395static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2396{
5fb49870 2397 const struct task_security_struct *tsec = current_security();
275bb41e 2398 u32 sid, osid;
1da177e4
LT		 2399 int atsecure = 0;
2400
275bb41e
DH		 2401 sid = tsec->sid;
2402 osid = tsec->osid;
2403
2404 if (osid != sid) {
1da177e4
LT		 2405 /* Enable secure mode for SIDs transitions unless
2406 the noatsecure permission is granted between
2407 the two SIDs, i.e. ahp returns 0. */
275bb41e 2408 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2409 SECCLASS_PROCESS,
2410 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2411 }
2412
b1d9e6b0 2413 return !!atsecure;
1da177e4
LT		 2414}
2415
c3c073f8
AV		 2416static int match_file(const void *p, struct file *file, unsigned fd)
2417{
2418 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2419}
2420
1da177e4 2421/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2422static inline void flush_unauthorized_files(const struct cred *cred,
2423 struct files_struct *files)
1da177e4 2424{
1da177e4 2425 struct file *file, *devnull = NULL;
b20c8122 2426 struct tty_struct *tty;
24ec839c 2427 int drop_tty = 0;
c3c073f8 2428 unsigned n;
1da177e4 2429
24ec839c 2430 tty = get_current_tty();
1da177e4 2431 if (tty) {
4a510969 2432 spin_lock(&tty->files_lock);
37dd0bd0 2433 if (!list_empty(&tty->tty_files)) {
d996b62a 2434 struct tty_file_private *file_priv;
37dd0bd0 2435
1da177e4 2436 /* Revalidate access to controlling tty.
13f8e981
DH		 2437 Use file_path_has_perm on the tty path directly
2438 rather than using file_has_perm, as this particular
2439 open file may belong to another process and we are
2440 only interested in the inode-based check here. */
d996b62a
NP		 2441 file_priv = list_first_entry(&tty->tty_files,
2442 struct tty_file_private, list);
2443 file = file_priv->file;
13f8e981 2444 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2445 drop_tty = 1;
1da177e4 2446 }
4a510969 2447 spin_unlock(&tty->files_lock);
452a00d2 2448 tty_kref_put(tty);
1da177e4 2449 }
98a27ba4
EB		 2450 /* Reset controlling tty. */
2451 if (drop_tty)
2452 no_tty();
1da177e4
LT		 2453
2454 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2455 n = iterate_fd(files, 0, match_file, cred);
2456 if (!n) /* none found? */
2457 return;
1da177e4 2458
c3c073f8 2459 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2460 if (IS_ERR(devnull))
2461 devnull = NULL;
2462 /* replace all the matching ones with this */
2463 do {
2464 replace_fd(n - 1, devnull, 0);
2465 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2466 if (devnull)
c3c073f8 2467 fput(devnull);
1da177e4
LT		 2468}
2469
a6f76f23
DH		 2470/*
2471 * Prepare a process for imminent new credential changes due to exec
2472 */
2473static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2474{
a6f76f23
DH		 2475 struct task_security_struct *new_tsec;
2476 struct rlimit *rlim, *initrlim;
2477 int rc, i;
d84f4f99 2478
a6f76f23
DH		 2479 new_tsec = bprm->cred->security;
2480 if (new_tsec->sid == new_tsec->osid)
2481 return;
1da177e4 2482
a6f76f23
DH		 2483 /* Close files for which the new task SID is not authorized. */
2484 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2485
a6f76f23
DH		 2486 /* Always clear parent death signal on SID transitions. */
2487 current->pdeath_signal = 0;
0356357c 2488
a6f76f23
DH		 2489 /* Check whether the new SID can inherit resource limits from the old
2490 * SID. If not, reset all soft limits to the lower of the current
2491 * task's hard limit and the init task's soft limit.
2492 *
2493 * Note that the setting of hard limits (even to lower them) can be
2494 * controlled by the setrlimit check. The inclusion of the init task's
2495 * soft limit into the computation is to avoid resetting soft limits
2496 * higher than the default soft limit for cases where the default is
2497 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2498 */
2499 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2500 PROCESS__RLIMITINH, NULL);
2501 if (rc) {
eb2d55a3
ON		 2502 /* protect against do_prlimit() */
2503 task_lock(current);
a6f76f23
DH		 2504 for (i = 0; i < RLIM_NLIMITS; i++) {
2505 rlim = current->signal->rlim + i;
2506 initrlim = init_task.signal->rlim + i;
2507 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2508 }
eb2d55a3
ON		 2509 task_unlock(current);
2510 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2511 }
2512}
2513
2514/*
a6f76f23
DH		 2515 * Clean up the process immediately after the installation of new credentials
2516 * due to exec
1da177e4 2517 */
a6f76f23 2518static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2519{
a6f76f23 2520 const struct task_security_struct *tsec = current_security();
1da177e4 2521 struct itimerval itimer;
a6f76f23 2522 u32 osid, sid;
1da177e4
LT		 2523 int rc, i;
2524
a6f76f23
DH		 2525 osid = tsec->osid;
2526 sid = tsec->sid;
2527
2528 if (sid == osid)
1da177e4
LT		 2529 return;
2530
a6f76f23
DH		 2531 /* Check whether the new SID can inherit signal state from the old SID.
2532 * If not, clear itimers to avoid subsequent signal generation and
2533 * flush and unblock signals.
2534 *
2535 * This must occur _after_ the task SID has been updated so that any
2536 * kill done after the flush will be checked against the new SID.
2537 */
2538 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4
LT		 2539 if (rc) {
2540 memset(&itimer, 0, sizeof itimer);
2541 for (i = 0; i < 3; i++)
2542 do_setitimer(i, &itimer, NULL);
1da177e4 2543 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2544 if (!fatal_signal_pending(current)) {
2545 flush_sigqueue(&current->pending);
2546 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2547 flush_signal_handlers(current, 1);
2548 sigemptyset(&current->blocked);
9e7c8f8c 2549 recalc_sigpending();
3bcac026 2550 }
1da177e4
LT		 2551 spin_unlock_irq(&current->sighand->siglock);
2552 }
2553
a6f76f23
DH		 2554 /* Wake up the parent if it is waiting so that it can recheck
2555 * wait permission to the new task SID. */
ecd6de3c 2556 read_lock(&tasklist_lock);
0b7570e7 2557 __wake_up_parent(current, current->real_parent);
ecd6de3c 2558 read_unlock(&tasklist_lock);
1da177e4
LT		 2559}
2560
2561/* superblock security operations */
2562
2563static int selinux_sb_alloc_security(struct super_block *sb)
2564{
2565 return superblock_alloc_security(sb);
2566}
2567
2568static void selinux_sb_free_security(struct super_block *sb)
2569{
2570 superblock_free_security(sb);
2571}
2572
2573static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2574{
2575 if (plen > olen)
2576 return 0;
2577
2578 return !memcmp(prefix, option, plen);
2579}
2580
2581static inline int selinux_option(char *option, int len)
2582{
832cbd9a
EP		 2583 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2584 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2585 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2586 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2587 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2588}
2589
2590static inline void take_option(char **to, char *from, int *first, int len)
2591{
2592 if (!*first) {
2593 **to = ',';
2594 *to += 1;
3528a953 2595 } else
1da177e4
LT		 2596 *first = 0;
2597 memcpy(*to, from, len);
2598 *to += len;
2599}
2600
828dfe1d
EP		 2601static inline void take_selinux_option(char **to, char *from, int *first,
2602 int len)
3528a953
CO		 2603{
2604 int current_size = 0;
2605
2606 if (!*first) {
2607 **to = '|';
2608 *to += 1;
828dfe1d 2609 } else
3528a953
CO		 2610 *first = 0;
2611
2612 while (current_size < len) {
2613 if (*from != '"') {
2614 **to = *from;
2615 *to += 1;
2616 }
2617 from += 1;
2618 current_size += 1;
2619 }
2620}
2621
e0007529 2622static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2623{
2624 int fnosec, fsec, rc = 0;
2625 char *in_save, *in_curr, *in_end;
2626 char *sec_curr, *nosec_save, *nosec;
3528a953 2627 int open_quote = 0;
1da177e4
LT		 2628
2629 in_curr = orig;
2630 sec_curr = copy;
2631
1da177e4
LT		 2632 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2633 if (!nosec) {
2634 rc = -ENOMEM;
2635 goto out;
2636 }
2637
2638 nosec_save = nosec;
2639 fnosec = fsec = 1;
2640 in_save = in_end = orig;
2641
2642 do {
3528a953
CO		 2643 if (*in_end == '"')
2644 open_quote = !open_quote;
2645 if ((*in_end == ',' && open_quote == 0) ||
2646 *in_end == '\0') {
1da177e4
LT		 2647 int len = in_end - in_curr;
2648
2649 if (selinux_option(in_curr, len))
3528a953 2650 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2651 else
2652 take_option(&nosec, in_curr, &fnosec, len);
2653
2654 in_curr = in_end + 1;
2655 }
2656 } while (*in_end++);
2657
6931dfc9 2658 strcpy(in_save, nosec_save);
da3caa20 2659 free_page((unsigned long)nosec_save);
1da177e4
LT		 2660out:
2661 return rc;
2662}
2663
026eb167
EP		 2664static int selinux_sb_remount(struct super_block *sb, void *data)
2665{
2666 int rc, i, *flags;
2667 struct security_mnt_opts opts;
2668 char *secdata, **mount_options;
2669 struct superblock_security_struct *sbsec = sb->s_security;
2670
2671 if (!(sbsec->flags & SE_SBINITIALIZED))
2672 return 0;
2673
2674 if (!data)
2675 return 0;
2676
2677 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2678 return 0;
2679
2680 security_init_mnt_opts(&opts);
2681 secdata = alloc_secdata();
2682 if (!secdata)
2683 return -ENOMEM;
2684 rc = selinux_sb_copy_data(data, secdata);
2685 if (rc)
2686 goto out_free_secdata;
2687
2688 rc = selinux_parse_opts_str(secdata, &opts);
2689 if (rc)
2690 goto out_free_secdata;
2691
2692 mount_options = opts.mnt_opts;
2693 flags = opts.mnt_opts_flags;
2694
2695 for (i = 0; i < opts.num_mnt_opts; i++) {
2696 u32 sid;
026eb167 2697
12f348b9 2698 if (flags[i] == SBLABEL_MNT)
026eb167 2699 continue;
44be2f65 2700 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
026eb167 2701 if (rc) {
44be2f65 2702 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 2703 "(%s) failed for (dev %s, type %s) errno=%d\n",
2704 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2705 goto out_free_opts;
2706 }
2707 rc = -EINVAL;
2708 switch (flags[i]) {
2709 case FSCONTEXT_MNT:
2710 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2711 goto out_bad_option;
2712 break;
2713 case CONTEXT_MNT:
2714 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2715 goto out_bad_option;
2716 break;
2717 case ROOTCONTEXT_MNT: {
2718 struct inode_security_struct *root_isec;
83da53c5 2719 root_isec = backing_inode_security(sb->s_root);
026eb167
EP		 2720
2721 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2722 goto out_bad_option;
2723 break;
2724 }
2725 case DEFCONTEXT_MNT:
2726 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2727 goto out_bad_option;
2728 break;
2729 default:
2730 goto out_free_opts;
2731 }
2732 }
2733
2734 rc = 0;
2735out_free_opts:
2736 security_free_mnt_opts(&opts);
2737out_free_secdata:
2738 free_secdata(secdata);
2739 return rc;
2740out_bad_option:
2741 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2742 "during remount (dev %s, type=%s)\n", sb->s_id,
2743 sb->s_type->name);
026eb167
EP		 2744 goto out_free_opts;
2745}
2746
12204e24 2747static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2748{
88e67f3b 2749 const struct cred *cred = current_cred();
2bf49690 2750 struct common_audit_data ad;
1da177e4
LT		 2751 int rc;
2752
2753 rc = superblock_doinit(sb, data);
2754 if (rc)
2755 return rc;
2756
74192246
JM		 2757 /* Allow all mounts performed by the kernel */
2758 if (flags & MS_KERNMOUNT)
2759 return 0;
2760
50c205f5 2761 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2762 ad.u.dentry = sb->s_root;
88e67f3b 2763 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2764}
2765
726c3342 2766static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2767{
88e67f3b 2768 const struct cred *cred = current_cred();
2bf49690 2769 struct common_audit_data ad;
1da177e4 2770
50c205f5 2771 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2772 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2773 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2774}
2775
808d4e3c 2776static int selinux_mount(const char *dev_name,
8a04c43b 2777 const struct path *path,
808d4e3c 2778 const char *type,
828dfe1d
EP		 2779 unsigned long flags,
2780 void *data)
1da177e4 2781{
88e67f3b 2782 const struct cred *cred = current_cred();
1da177e4
LT		 2783
2784 if (flags & MS_REMOUNT)
d8c9584e 2785 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2786 FILESYSTEM__REMOUNT, NULL);
1da177e4 2787 else
2875fa00 2788 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2789}
2790
2791static int selinux_umount(struct vfsmount *mnt, int flags)
2792{
88e67f3b 2793 const struct cred *cred = current_cred();
1da177e4 2794
88e67f3b 2795 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2796 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2797}
2798
2799/* inode security operations */
2800
2801static int selinux_inode_alloc_security(struct inode *inode)
2802{
2803 return inode_alloc_security(inode);
2804}
2805
2806static void selinux_inode_free_security(struct inode *inode)
2807{
2808 inode_free_security(inode);
2809}
2810
d47be3df
DQ		 2811static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2812 struct qstr *name, void **ctx,
2813 u32 *ctxlen)
2814{
d47be3df
DQ		 2815 u32 newsid;
2816 int rc;
2817
c3c188b2
DH		 2818 rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name,
2819 inode_mode_to_security_class(mode),
2820 &newsid);
2821 if (rc)
2822 return rc;
d47be3df
DQ		 2823
2824 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2825}
2826
5e41ff9e 2827static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2828 const struct qstr *qstr,
2829 const char **name,
2a7dba39 2830 void **value, size_t *len)
5e41ff9e 2831{
5fb49870 2832 const struct task_security_struct *tsec = current_security();
5e41ff9e 2833 struct superblock_security_struct *sbsec;
275bb41e 2834 u32 sid, newsid, clen;
5e41ff9e 2835 int rc;
9548906b 2836 char *context;
5e41ff9e 2837
5e41ff9e 2838 sbsec = dir->i_sb->s_security;
5e41ff9e 2839
275bb41e
DH		 2840 sid = tsec->sid;
2841 newsid = tsec->create_sid;
2842
c3c188b2
DH		 2843 rc = selinux_determine_inode_label(
2844 dir, qstr,
2845 inode_mode_to_security_class(inode->i_mode),
2846 &newsid);
2847 if (rc)
2848 return rc;
5e41ff9e 2849
296fddf7 2850 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2851 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2852 struct inode_security_struct *isec = inode->i_security;
2853 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2854 isec->sid = newsid;
6f3be9f5 2855 isec->initialized = LABEL_INITIALIZED;
296fddf7 2856 }
5e41ff9e 2857
12f348b9 2858 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2859 return -EOPNOTSUPP;
2860
9548906b
TH		 2861 if (name)
2862 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2863
570bc1c2 2864 if (value && len) {
12b29f34 2865 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 2866 if (rc)
570bc1c2 2867 return rc;
570bc1c2
SS		 2868 *value = context;
2869 *len = clen;
5e41ff9e 2870 }
5e41ff9e 2871
5e41ff9e
SS		 2872 return 0;
2873}
2874
4acdaf27 2875static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2876{
2877 return may_create(dir, dentry, SECCLASS_FILE);
2878}
2879
1da177e4
LT		 2880static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2881{
1da177e4
LT		 2882 return may_link(dir, old_dentry, MAY_LINK);
2883}
2884
1da177e4
LT		 2885static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2886{
1da177e4
LT		 2887 return may_link(dir, dentry, MAY_UNLINK);
2888}
2889
2890static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2891{
2892 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2893}
2894
18bb1db3 2895static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2896{
2897 return may_create(dir, dentry, SECCLASS_DIR);
2898}
2899
1da177e4
LT		 2900static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2901{
2902 return may_link(dir, dentry, MAY_RMDIR);
2903}
2904
1a67aafb 2905static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2906{
1da177e4
LT		 2907 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2908}
2909
1da177e4 2910static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2911 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2912{
2913 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2914}
2915
1da177e4
LT		 2916static int selinux_inode_readlink(struct dentry *dentry)
2917{
88e67f3b
DH		 2918 const struct cred *cred = current_cred();
2919
2875fa00 2920 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2921}
2922
bda0be7a
N		 2923static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2924 bool rcu)
1da177e4 2925{
88e67f3b 2926 const struct cred *cred = current_cred();
bda0be7a
N		 2927 struct common_audit_data ad;
2928 struct inode_security_struct *isec;
2929 u32 sid;
1da177e4 2930
bda0be7a
N		 2931 validate_creds(cred);
2932
2933 ad.type = LSM_AUDIT_DATA_DENTRY;
2934 ad.u.dentry = dentry;
2935 sid = cred_sid(cred);
5d226df4
AG		 2936 isec = inode_security_rcu(inode, rcu);
2937 if (IS_ERR(isec))
2938 return PTR_ERR(isec);
bda0be7a
N		 2939
2940 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2941 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 2942}
2943
d4cf970d
EP		 2944static noinline int audit_inode_permission(struct inode *inode,
2945 u32 perms, u32 audited, u32 denied,
626b9740 2946 int result,
d4cf970d 2947 unsigned flags)
1da177e4 2948{
b782e0a6 2949 struct common_audit_data ad;
d4cf970d
EP		 2950 struct inode_security_struct *isec = inode->i_security;
2951 int rc;
2952
50c205f5 2953 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 2954 ad.u.inode = inode;
2955
2956 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
626b9740 2957 audited, denied, result, &ad, flags);
d4cf970d
EP		 2958 if (rc)
2959 return rc;
2960 return 0;
2961}
2962
e74f71eb 2963static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2964{
88e67f3b 2965 const struct cred *cred = current_cred();
b782e0a6
EP		 2966 u32 perms;
2967 bool from_access;
cf1dd1da 2968 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 2969 struct inode_security_struct *isec;
2970 u32 sid;
2971 struct av_decision avd;
2972 int rc, rc2;
2973 u32 audited, denied;
1da177e4 2974
b782e0a6 2975 from_access = mask & MAY_ACCESS;
d09ca739
EP		 2976 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2977
b782e0a6
EP		 2978 /* No permission to check. Existence test. */
2979 if (!mask)
1da177e4 2980 return 0;
1da177e4 2981
2e334057 2982 validate_creds(cred);
b782e0a6 2983
2e334057
EP		 2984 if (unlikely(IS_PRIVATE(inode)))
2985 return 0;
b782e0a6
EP		 2986
2987 perms = file_mask_to_av(inode->i_mode, mask);
2988
2e334057 2989 sid = cred_sid(cred);
5d226df4
AG		 2990 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
2991 if (IS_ERR(isec))
2992 return PTR_ERR(isec);
2e334057
EP		 2993
2994 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2995 audited = avc_audit_required(perms, &avd, rc,
2996 from_access ? FILE__AUDIT_ACCESS : 0,
2997 &denied);
2998 if (likely(!audited))
2999 return rc;
3000
626b9740 3001 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 3002 if (rc2)
3003 return rc2;
3004 return rc;
1da177e4
LT		 3005}
3006
3007static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3008{
88e67f3b 3009 const struct cred *cred = current_cred();
bc6a6008 3010 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3011 __u32 av = FILE__WRITE;
1da177e4 3012
bc6a6008
AW		 3013 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3014 if (ia_valid & ATTR_FORCE) {
3015 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3016 ATTR_FORCE);
3017 if (!ia_valid)
3018 return 0;
3019 }
1da177e4 3020
bc6a6008
AW		 3021 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3022 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3023 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3024
44d37ad3
JVS		 3025 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
3026 && !(ia_valid & ATTR_FILE))
95dbf739
EP		 3027 av |= FILE__OPEN;
3028
3029 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3030}
3031
3f7036a0 3032static int selinux_inode_getattr(const struct path *path)
1da177e4 3033{
3f7036a0 3034 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3035}
3036
8f0cfa52 3037static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 3038{
88e67f3b
DH		 3039 const struct cred *cred = current_cred();
3040
b5376771
SH		 3041 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3042 sizeof XATTR_SECURITY_PREFIX - 1)) {
3043 if (!strcmp(name, XATTR_NAME_CAPS)) {
3044 if (!capable(CAP_SETFCAP))
3045 return -EPERM;
3046 } else if (!capable(CAP_SYS_ADMIN)) {
3047 /* A different attribute in the security namespace.
3048 Restrict to administrator. */
3049 return -EPERM;
3050 }
3051 }
3052
3053 /* Not an attribute we recognize, so just check the
3054 ordinary setattr permission. */
2875fa00 3055 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 3056}
3057
8f0cfa52
DH		 3058static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3059 const void *value, size_t size, int flags)
1da177e4 3060{
c6f493d6 3061 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3062 struct inode_security_struct *isec;
1da177e4 3063 struct superblock_security_struct *sbsec;
2bf49690 3064 struct common_audit_data ad;
275bb41e 3065 u32 newsid, sid = current_sid();
1da177e4
LT		 3066 int rc = 0;
3067
b5376771
SH		 3068 if (strcmp(name, XATTR_NAME_SELINUX))
3069 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3070
3071 sbsec = inode->i_sb->s_security;
12f348b9 3072 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3073 return -EOPNOTSUPP;
3074
2e149670 3075 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3076 return -EPERM;
3077
50c205f5 3078 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3079 ad.u.dentry = dentry;
1da177e4 3080
20cdef8d 3081 isec = backing_inode_security(dentry);
275bb41e 3082 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 3083 FILE__RELABELFROM, &ad);
3084 if (rc)
3085 return rc;
3086
52a4c640 3087 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
12b29f34 3088 if (rc == -EINVAL) {
d6ea83ec
EP		 3089 if (!capable(CAP_MAC_ADMIN)) {
3090 struct audit_buffer *ab;
3091 size_t audit_size;
3092 const char *str;
3093
3094 /* We strip a nul only if it is at the end, otherwise the
3095 * context contains a nul and we should audit that */
e3fea3f7
AV		 3096 if (value) {
3097 str = value;
3098 if (str[size - 1] == '\0')
3099 audit_size = size - 1;
3100 else
3101 audit_size = size;
3102 } else {
3103 str = "";
3104 audit_size = 0;
3105 }
d6ea83ec
EP		 3106 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3107 audit_log_format(ab, "op=setxattr invalid_context=");
3108 audit_log_n_untrustedstring(ab, value, audit_size);
3109 audit_log_end(ab);
3110
12b29f34 3111 return rc;
d6ea83ec 3112 }
12b29f34
SS		 3113 rc = security_context_to_sid_force(value, size, &newsid);
3114 }
1da177e4
LT		 3115 if (rc)
3116 return rc;
3117
275bb41e 3118 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3119 FILE__RELABELTO, &ad);
3120 if (rc)
3121 return rc;
3122
275bb41e 3123 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 3124 isec->sclass);
1da177e4
LT		 3125 if (rc)
3126 return rc;
3127
3128 return avc_has_perm(newsid,
3129 sbsec->sid,
3130 SECCLASS_FILESYSTEM,
3131 FILESYSTEM__ASSOCIATE,
3132 &ad);
3133}
3134
8f0cfa52 3135static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3136 const void *value, size_t size,
8f0cfa52 3137 int flags)
1da177e4 3138{
c6f493d6 3139 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3140 struct inode_security_struct *isec;
1da177e4
LT		 3141 u32 newsid;
3142 int rc;
3143
3144 if (strcmp(name, XATTR_NAME_SELINUX)) {
3145 /* Not an attribute we recognize, so nothing to do. */
3146 return;
3147 }
3148
12b29f34 3149 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 3150 if (rc) {
12b29f34
SS		 3151 printk(KERN_ERR "SELinux: unable to map context to SID"
3152 "for (%s, %lu), rc=%d\n",
3153 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3154 return;
3155 }
3156
20cdef8d 3157 isec = backing_inode_security(dentry);
aa9c2669 3158 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3159 isec->sid = newsid;
6f3be9f5 3160 isec->initialized = LABEL_INITIALIZED;
aa9c2669 3161
1da177e4
LT		 3162 return;
3163}
3164
8f0cfa52 3165static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3166{
88e67f3b
DH		 3167 const struct cred *cred = current_cred();
3168
2875fa00 3169 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3170}
3171
828dfe1d 3172static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3173{
88e67f3b
DH		 3174 const struct cred *cred = current_cred();
3175
2875fa00 3176 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3177}
3178
8f0cfa52 3179static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3180{
b5376771
SH		 3181 if (strcmp(name, XATTR_NAME_SELINUX))
3182 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3183
3184 /* No one is allowed to remove a SELinux security label.
3185 You can change the label, but all data must be labeled. */
3186 return -EACCES;
3187}
3188
d381d8a9 3189/*
abc69bb6 3190 * Copy the inode security context value to the user.
d381d8a9
JM		 3191 *
3192 * Permission check is handled by selinux_inode_getxattr hook.
3193 */
ea861dfd 3194static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3195{
42492594
DQ		 3196 u32 size;
3197 int error;
3198 char *context = NULL;
20cdef8d 3199 struct inode_security_struct *isec;
d381d8a9 3200
8c8570fb
DK		 3201 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3202 return -EOPNOTSUPP;
d381d8a9 3203
abc69bb6
SS		 3204 /*
3205 * If the caller has CAP_MAC_ADMIN, then get the raw context
3206 * value even if it is not defined by current policy; otherwise,
3207 * use the in-core value under current policy.
3208 * Use the non-auditing forms of the permission checks since
3209 * getxattr may be called by unprivileged processes commonly
3210 * and lack of permission just means that we fall back to the
3211 * in-core context value, not a denial.
3212 */
b1d9e6b0
CS		 3213 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3214 SECURITY_CAP_NOAUDIT);
3215 if (!error)
3216 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
8e4ff6f2 3217 SECURITY_CAP_NOAUDIT, true);
20cdef8d 3218 isec = inode_security(inode);
abc69bb6
SS		 3219 if (!error)
3220 error = security_sid_to_context_force(isec->sid, &context,
3221 &size);
3222 else
3223 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3224 if (error)
3225 return error;
3226 error = size;
3227 if (alloc) {
3228 *buffer = context;
3229 goto out_nofree;
3230 }
3231 kfree(context);
3232out_nofree:
3233 return error;
1da177e4
LT		 3234}
3235
3236static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3237 const void *value, size_t size, int flags)
1da177e4 3238{
2c97165b 3239 struct inode_security_struct *isec = inode_security_novalidate(inode);
1da177e4
LT		 3240 u32 newsid;
3241 int rc;
3242
3243 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3244 return -EOPNOTSUPP;
3245
3246 if (!value || !size)
3247 return -EACCES;
3248
20ba96ae 3249 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
1da177e4
LT		 3250 if (rc)
3251 return rc;
3252
aa9c2669 3253 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3254 isec->sid = newsid;
6f3be9f5 3255 isec->initialized = LABEL_INITIALIZED;
1da177e4
LT		 3256 return 0;
3257}
3258
3259static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3260{
3261 const int len = sizeof(XATTR_NAME_SELINUX);
3262 if (buffer && len <= buffer_size)
3263 memcpy(buffer, XATTR_NAME_SELINUX, len);
3264 return len;
3265}
3266
d6335d77 3267static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3268{
e817c2f3 3269 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3270 *secid = isec->sid;
3271}
3272
1da177e4
LT		 3273/* file security operations */
3274
788e7dd4 3275static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3276{
88e67f3b 3277 const struct cred *cred = current_cred();
496ad9aa 3278 struct inode *inode = file_inode(file);
1da177e4 3279
1da177e4
LT		 3280 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3281 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3282 mask |= MAY_APPEND;
3283
389fb800
PM		 3284 return file_has_perm(cred, file,
3285 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3286}
3287
788e7dd4
YN		 3288static int selinux_file_permission(struct file *file, int mask)
3289{
496ad9aa 3290 struct inode *inode = file_inode(file);
20dda18b 3291 struct file_security_struct *fsec = file->f_security;
b197367e 3292 struct inode_security_struct *isec;
20dda18b
SS		 3293 u32 sid = current_sid();
3294
389fb800 3295 if (!mask)
788e7dd4
YN		 3296 /* No permission to check. Existence test. */
3297 return 0;
788e7dd4 3298
b197367e 3299 isec = inode_security(inode);
20dda18b
SS		 3300 if (sid == fsec->sid && fsec->isid == isec->sid &&
3301 fsec->pseqno == avc_policy_seqno())
83d49856 3302 /* No change since file_open check. */
20dda18b
SS		 3303 return 0;
3304
788e7dd4
YN		 3305 return selinux_revalidate_file_permission(file, mask);
3306}
3307
1da177e4
LT		 3308static int selinux_file_alloc_security(struct file *file)
3309{
3310 return file_alloc_security(file);
3311}
3312
3313static void selinux_file_free_security(struct file *file)
3314{
3315 file_free_security(file);
3316}
3317
fa1aa143
JVS		 3318/*
3319 * Check whether a task has the ioctl permission and cmd
3320 * operation to an inode.
3321 */
1d2a168a 3322static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3323 u32 requested, u16 cmd)
3324{
3325 struct common_audit_data ad;
3326 struct file_security_struct *fsec = file->f_security;
3327 struct inode *inode = file_inode(file);
20cdef8d 3328 struct inode_security_struct *isec;
fa1aa143
JVS		 3329 struct lsm_ioctlop_audit ioctl;
3330 u32 ssid = cred_sid(cred);
3331 int rc;
3332 u8 driver = cmd >> 8;
3333 u8 xperm = cmd & 0xff;
3334
3335 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3336 ad.u.op = &ioctl;
3337 ad.u.op->cmd = cmd;
3338 ad.u.op->path = file->f_path;
3339
3340 if (ssid != fsec->sid) {
3341 rc = avc_has_perm(ssid, fsec->sid,
3342 SECCLASS_FD,
3343 FD__USE,
3344 &ad);
3345 if (rc)
3346 goto out;
3347 }
3348
3349 if (unlikely(IS_PRIVATE(inode)))
3350 return 0;
3351
20cdef8d 3352 isec = inode_security(inode);
fa1aa143
JVS		 3353 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3354 requested, driver, xperm, &ad);
3355out:
3356 return rc;
3357}
3358
1da177e4
LT		 3359static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3360 unsigned long arg)
3361{
88e67f3b 3362 const struct cred *cred = current_cred();
0b24dcb7 3363 int error = 0;
1da177e4 3364
0b24dcb7
EP		 3365 switch (cmd) {
3366 case FIONREAD:
3367 /* fall through */
3368 case FIBMAP:
3369 /* fall through */
3370 case FIGETBSZ:
3371 /* fall through */
2f99c369 3372 case FS_IOC_GETFLAGS:
0b24dcb7 3373 /* fall through */
2f99c369 3374 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3375 error = file_has_perm(cred, file, FILE__GETATTR);
3376 break;
1da177e4 3377
2f99c369 3378 case FS_IOC_SETFLAGS:
0b24dcb7 3379 /* fall through */
2f99c369 3380 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3381 error = file_has_perm(cred, file, FILE__SETATTR);
3382 break;
3383
3384 /* sys_ioctl() checks */
3385 case FIONBIO:
3386 /* fall through */
3387 case FIOASYNC:
3388 error = file_has_perm(cred, file, 0);
3389 break;
1da177e4 3390
0b24dcb7
EP		 3391 case KDSKBENT:
3392 case KDSKBSENT:
6a9de491 3393 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
8e4ff6f2 3394 SECURITY_CAP_AUDIT, true);
0b24dcb7
EP		 3395 break;
3396
3397 /* default case assumes that the command will go
3398 * to the file's ioctl() function.
3399 */
3400 default:
fa1aa143 3401 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3402 }
3403 return error;
1da177e4
LT		 3404}
3405
fcaaade1
SS		 3406static int default_noexec;
3407
1da177e4
LT		 3408static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3409{
88e67f3b 3410 const struct cred *cred = current_cred();
d84f4f99 3411 int rc = 0;
88e67f3b 3412
fcaaade1 3413 if (default_noexec &&
892e8cac
SS		 3414 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3415 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3416 /*
3417 * We are making executable an anonymous mapping or a
3418 * private file mapping that will also be writable.
3419 * This has an additional check.
3420 */
d84f4f99 3421 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 3422 if (rc)
d84f4f99 3423 goto error;
1da177e4 3424 }
1da177e4
LT		 3425
3426 if (file) {
3427 /* read access is always possible with a mapping */
3428 u32 av = FILE__READ;
3429
3430 /* write access only matters if the mapping is shared */
3431 if (shared && (prot & PROT_WRITE))
3432 av |= FILE__WRITE;
3433
3434 if (prot & PROT_EXEC)
3435 av |= FILE__EXECUTE;
3436
88e67f3b 3437 return file_has_perm(cred, file, av);
1da177e4 3438 }
d84f4f99
DH		 3439
3440error:
3441 return rc;
1da177e4
LT		 3442}
3443
e5467859 3444static int selinux_mmap_addr(unsigned long addr)
1da177e4 3445{
b1d9e6b0 3446 int rc = 0;
1da177e4 3447
a2551df7 3448 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3449 u32 sid = current_sid();
ed032189
EP		 3450 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3451 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3452 }
3453
98883bfd 3454 return rc;
e5467859 3455}
1da177e4 3456
e5467859
AV		 3457static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3458 unsigned long prot, unsigned long flags)
3459{
1da177e4
LT		 3460 if (selinux_checkreqprot)
3461 prot = reqprot;
3462
3463 return file_map_prot_check(file, prot,
3464 (flags & MAP_TYPE) == MAP_SHARED);
3465}
3466
3467static int selinux_file_mprotect(struct vm_area_struct *vma,
3468 unsigned long reqprot,
3469 unsigned long prot)
3470{
88e67f3b 3471 const struct cred *cred = current_cred();
1da177e4
LT		 3472
3473 if (selinux_checkreqprot)
3474 prot = reqprot;
3475
fcaaade1
SS		 3476 if (default_noexec &&
3477 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3478 int rc = 0;
db4c9641
SS		 3479 if (vma->vm_start >= vma->vm_mm->start_brk &&
3480 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3481 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641 3482 } else if (!vma->vm_file &&
c2316dbf
SS		 3483 ((vma->vm_start <= vma->vm_mm->start_stack &&
3484 vma->vm_end >= vma->vm_mm->start_stack) ||
3485 vma_is_stack_for_task(vma, current))) {
3b11a1de 3486 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3487 } else if (vma->vm_file && vma->anon_vma) {
3488 /*
3489 * We are making executable a file mapping that has
3490 * had some COW done. Since pages might have been
3491 * written, check ability to execute the possibly
3492 * modified content. This typically should only
3493 * occur for text relocations.
3494 */
d84f4f99 3495 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3496 }