projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
[SELINUX]: security/selinux/hooks.c: Make 4 functions static.
[deliverable/linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
7420ed23
VY		 15 * Copyright (C) 2006 Hewlett-Packard Development Company, L.P.
16 * Paul Moore, <paul.moore@hp.com>
1da177e4
LT		 17 *
18 * This program is free software; you can redistribute it and/or modify
19 * it under the terms of the GNU General Public License version 2,
20 * as published by the Free Software Foundation.
21 */
22
1da177e4
LT		 23#include <linux/module.h>
24#include <linux/init.h>
25#include <linux/kernel.h>
26#include <linux/ptrace.h>
27#include <linux/errno.h>
28#include <linux/sched.h>
29#include <linux/security.h>
30#include <linux/xattr.h>
31#include <linux/capability.h>
32#include <linux/unistd.h>
33#include <linux/mm.h>
34#include <linux/mman.h>
35#include <linux/slab.h>
36#include <linux/pagemap.h>
37#include <linux/swap.h>
38#include <linux/smp_lock.h>
39#include <linux/spinlock.h>
40#include <linux/syscalls.h>
41#include <linux/file.h>
42#include <linux/namei.h>
43#include <linux/mount.h>
44#include <linux/ext2_fs.h>
45#include <linux/proc_fs.h>
46#include <linux/kd.h>
47#include <linux/netfilter_ipv4.h>
48#include <linux/netfilter_ipv6.h>
49#include <linux/tty.h>
50#include <net/icmp.h>
51#include <net/ip.h> /* for sysctl_local_port_range[] */
52#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53#include <asm/uaccess.h>
54#include <asm/semaphore.h>
55#include <asm/ioctls.h>
56#include <linux/bitops.h>
57#include <linux/interrupt.h>
58#include <linux/netdevice.h> /* for network interface checks */
59#include <linux/netlink.h>
60#include <linux/tcp.h>
61#include <linux/udp.h>
62#include <linux/quota.h>
63#include <linux/un.h> /* for Unix socket types */
64#include <net/af_unix.h> /* for Unix socket types */
65#include <linux/parser.h>
66#include <linux/nfs_mount.h>
67#include <net/ipv6.h>
68#include <linux/hugetlb.h>
69#include <linux/personality.h>
70#include <linux/sysctl.h>
71#include <linux/audit.h>
6931dfc9 72#include <linux/string.h>
877ce7c1 73#include <linux/selinux.h>
1da177e4
LT		 74
75#include "avc.h"
76#include "objsec.h"
77#include "netif.h"
d28d1e08 78#include "xfrm.h"
7420ed23 79#include "selinux_netlabel.h"
1da177e4
LT		 80
81#define XATTR_SELINUX_SUFFIX "selinux"
82#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
83
84extern unsigned int policydb_loaded_version;
85extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
4e5ab4cb 86extern int selinux_compat_net;
1da177e4
LT		 87
88#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
89int selinux_enforcing = 0;
90
91static int __init enforcing_setup(char *str)
92{
93 selinux_enforcing = simple_strtol(str,NULL,0);
94 return 1;
95}
96__setup("enforcing=", enforcing_setup);
97#endif
98
99#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
100int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
101
102static int __init selinux_enabled_setup(char *str)
103{
104 selinux_enabled = simple_strtol(str, NULL, 0);
105 return 1;
106}
107__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 108#else
109int selinux_enabled = 1;
1da177e4
LT		 110#endif
111
112/* Original (dummy) security module. */
113static struct security_operations *original_ops = NULL;
114
115/* Minimal support for a secondary security module,
116 just to allow the use of the dummy or capability modules.
117 The owlsm module can alternatively be used as a secondary
118 module as long as CONFIG_OWLSM_FD is not enabled. */
119static struct security_operations *secondary_ops = NULL;
120
121/* Lists of inode and superblock security structures initialized
122 before the policy was loaded. */
123static LIST_HEAD(superblock_security_head);
124static DEFINE_SPINLOCK(sb_security_lock);
125
7cae7e26
JM		 126static kmem_cache_t *sel_inode_cache;
127
8c8570fb
DK		 128/* Return security context for a given sid or just the context
129 length if the buffer is null or length is 0 */
130static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
131{
132 char *context;
133 unsigned len;
134 int rc;
135
136 rc = security_sid_to_context(sid, &context, &len);
137 if (rc)
138 return rc;
139
140 if (!buffer || !size)
141 goto getsecurity_exit;
142
143 if (size < len) {
144 len = -ERANGE;
145 goto getsecurity_exit;
146 }
147 memcpy(buffer, context, len);
148
149getsecurity_exit:
150 kfree(context);
151 return len;
152}
153
1da177e4
LT		 154/* Allocate and free functions for each kind of security blob. */
155
156static int task_alloc_security(struct task_struct *task)
157{
158 struct task_security_struct *tsec;
159
89d155ef 160 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4
LT		 161 if (!tsec)
162 return -ENOMEM;
163
1da177e4
LT		 164 tsec->task = task;
165 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
166 task->security = tsec;
167
168 return 0;
169}
170
171static void task_free_security(struct task_struct *task)
172{
173 struct task_security_struct *tsec = task->security;
1da177e4
LT		 174 task->security = NULL;
175 kfree(tsec);
176}
177
178static int inode_alloc_security(struct inode *inode)
179{
180 struct task_security_struct *tsec = current->security;
181 struct inode_security_struct *isec;
182
7cae7e26 183 isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL);
1da177e4
LT		 184 if (!isec)
185 return -ENOMEM;
186
7cae7e26 187 memset(isec, 0, sizeof(*isec));
1da177e4
LT		 188 init_MUTEX(&isec->sem);
189 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 190 isec->inode = inode;
191 isec->sid = SECINITSID_UNLABELED;
192 isec->sclass = SECCLASS_FILE;
9ac49d22 193 isec->task_sid = tsec->sid;
1da177e4
LT		 194 inode->i_security = isec;
195
196 return 0;
197}
198
199static void inode_free_security(struct inode *inode)
200{
201 struct inode_security_struct *isec = inode->i_security;
202 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
203
1da177e4
LT		 204 spin_lock(&sbsec->isec_lock);
205 if (!list_empty(&isec->list))
206 list_del_init(&isec->list);
207 spin_unlock(&sbsec->isec_lock);
208
209 inode->i_security = NULL;
7cae7e26 210 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 211}
212
213static int file_alloc_security(struct file *file)
214{
215 struct task_security_struct *tsec = current->security;
216 struct file_security_struct *fsec;
217
26d2a4be 218 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 219 if (!fsec)
220 return -ENOMEM;
221
1da177e4 222 fsec->file = file;
9ac49d22
SS		 223 fsec->sid = tsec->sid;
224 fsec->fown_sid = tsec->sid;
1da177e4
LT		 225 file->f_security = fsec;
226
227 return 0;
228}
229
230static void file_free_security(struct file *file)
231{
232 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 233 file->f_security = NULL;
234 kfree(fsec);
235}
236
237static int superblock_alloc_security(struct super_block *sb)
238{
239 struct superblock_security_struct *sbsec;
240
89d155ef 241 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 242 if (!sbsec)
243 return -ENOMEM;
244
1da177e4
LT		 245 init_MUTEX(&sbsec->sem);
246 INIT_LIST_HEAD(&sbsec->list);
247 INIT_LIST_HEAD(&sbsec->isec_head);
248 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 249 sbsec->sb = sb;
250 sbsec->sid = SECINITSID_UNLABELED;
251 sbsec->def_sid = SECINITSID_FILE;
c312feb2 252 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 253 sb->s_security = sbsec;
254
255 return 0;
256}
257
258static void superblock_free_security(struct super_block *sb)
259{
260 struct superblock_security_struct *sbsec = sb->s_security;
261
1da177e4
LT		 262 spin_lock(&sb_security_lock);
263 if (!list_empty(&sbsec->list))
264 list_del_init(&sbsec->list);
265 spin_unlock(&sb_security_lock);
266
267 sb->s_security = NULL;
268 kfree(sbsec);
269}
270
7d877f3b 271static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4
LT		 272{
273 struct sk_security_struct *ssec;
274
89d155ef 275 ssec = kzalloc(sizeof(*ssec), priority);
1da177e4
LT		 276 if (!ssec)
277 return -ENOMEM;
278
1da177e4
LT		 279 ssec->sk = sk;
280 ssec->peer_sid = SECINITSID_UNLABELED;
892c141e 281 ssec->sid = SECINITSID_UNLABELED;
1da177e4
LT		 282 sk->sk_security = ssec;
283
284 return 0;
285}
286
287static void sk_free_security(struct sock *sk)
288{
289 struct sk_security_struct *ssec = sk->sk_security;
290
1da177e4
LT		 291 sk->sk_security = NULL;
292 kfree(ssec);
293}
1da177e4
LT		 294
295/* The security server must be initialized before
296 any labeling or access decisions can be provided. */
297extern int ss_initialized;
298
299/* The file system's label must be initialized prior to use. */
300
301static char *labeling_behaviors[6] = {
302 "uses xattr",
303 "uses transition SIDs",
304 "uses task SIDs",
305 "uses genfs_contexts",
306 "not configured for labeling",
307 "uses mountpoint labeling",
308};
309
310static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
311
312static inline int inode_doinit(struct inode *inode)
313{
314 return inode_doinit_with_dentry(inode, NULL);
315}
316
317enum {
318 Opt_context = 1,
319 Opt_fscontext = 2,
320 Opt_defcontext = 4,
0808925e 321 Opt_rootcontext = 8,
1da177e4
LT		 322};
323
324static match_table_t tokens = {
325 {Opt_context, "context=%s"},
326 {Opt_fscontext, "fscontext=%s"},
327 {Opt_defcontext, "defcontext=%s"},
0808925e 328 {Opt_rootcontext, "rootcontext=%s"},
1da177e4
LT		 329};
330
331#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
332
c312feb2
EP		 333static int may_context_mount_sb_relabel(u32 sid,
334 struct superblock_security_struct *sbsec,
335 struct task_security_struct *tsec)
336{
337 int rc;
338
339 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
340 FILESYSTEM__RELABELFROM, NULL);
341 if (rc)
342 return rc;
343
344 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
345 FILESYSTEM__RELABELTO, NULL);
346 return rc;
347}
348
0808925e
EP		 349static int may_context_mount_inode_relabel(u32 sid,
350 struct superblock_security_struct *sbsec,
351 struct task_security_struct *tsec)
352{
353 int rc;
354 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
355 FILESYSTEM__RELABELFROM, NULL);
356 if (rc)
357 return rc;
358
359 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
360 FILESYSTEM__ASSOCIATE, NULL);
361 return rc;
362}
363
1da177e4
LT		 364static int try_context_mount(struct super_block *sb, void *data)
365{
366 char *context = NULL, *defcontext = NULL;
0808925e 367 char *fscontext = NULL, *rootcontext = NULL;
1da177e4
LT		 368 const char *name;
369 u32 sid;
370 int alloc = 0, rc = 0, seen = 0;
371 struct task_security_struct *tsec = current->security;
372 struct superblock_security_struct *sbsec = sb->s_security;
373
374 if (!data)
375 goto out;
376
377 name = sb->s_type->name;
378
379 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
380
381 /* NFS we understand. */
382 if (!strcmp(name, "nfs")) {
383 struct nfs_mount_data *d = data;
384
385 if (d->version < NFS_MOUNT_VERSION)
386 goto out;
387
388 if (d->context[0]) {
389 context = d->context;
390 seen |= Opt_context;
391 }
392 } else
393 goto out;
394
395 } else {
396 /* Standard string-based options. */
397 char *p, *options = data;
398
399 while ((p = strsep(&options, ",")) != NULL) {
400 int token;
401 substring_t args[MAX_OPT_ARGS];
402
403 if (!*p)
404 continue;
405
406 token = match_token(p, tokens, args);
407
408 switch (token) {
409 case Opt_context:
c312feb2 410 if (seen & (Opt_context|Opt_defcontext)) {
1da177e4
LT		 411 rc = -EINVAL;
412 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
413 goto out_free;
414 }
415 context = match_strdup(&args[0]);
416 if (!context) {
417 rc = -ENOMEM;
418 goto out_free;
419 }
420 if (!alloc)
421 alloc = 1;
422 seen |= Opt_context;
423 break;
424
425 case Opt_fscontext:
c312feb2 426 if (seen & Opt_fscontext) {
1da177e4
LT		 427 rc = -EINVAL;
428 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
429 goto out_free;
430 }
c312feb2
EP		 431 fscontext = match_strdup(&args[0]);
432 if (!fscontext) {
1da177e4
LT		 433 rc = -ENOMEM;
434 goto out_free;
435 }
436 if (!alloc)
437 alloc = 1;
438 seen |= Opt_fscontext;
439 break;
440
0808925e
EP		 441 case Opt_rootcontext:
442 if (seen & Opt_rootcontext) {
443 rc = -EINVAL;
444 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
445 goto out_free;
446 }
447 rootcontext = match_strdup(&args[0]);
448 if (!rootcontext) {
449 rc = -ENOMEM;
450 goto out_free;
451 }
452 if (!alloc)
453 alloc = 1;
454 seen |= Opt_rootcontext;
455 break;
456
1da177e4
LT		 457 case Opt_defcontext:
458 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
459 rc = -EINVAL;
460 printk(KERN_WARNING "SELinux: "
461 "defcontext option is invalid "
462 "for this filesystem type\n");
463 goto out_free;
464 }
465 if (seen & (Opt_context|Opt_defcontext)) {
466 rc = -EINVAL;
467 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
468 goto out_free;
469 }
470 defcontext = match_strdup(&args[0]);
471 if (!defcontext) {
472 rc = -ENOMEM;
473 goto out_free;
474 }
475 if (!alloc)
476 alloc = 1;
477 seen |= Opt_defcontext;
478 break;
479
480 default:
481 rc = -EINVAL;
482 printk(KERN_WARNING "SELinux: unknown mount "
483 "option\n");
484 goto out_free;
485
486 }
487 }
488 }
489
490 if (!seen)
491 goto out;
492
c312feb2
EP		 493 /* sets the context of the superblock for the fs being mounted. */
494 if (fscontext) {
495 rc = security_context_to_sid(fscontext, strlen(fscontext), &sid);
1da177e4
LT		 496 if (rc) {
497 printk(KERN_WARNING "SELinux: security_context_to_sid"
498 "(%s) failed for (dev %s, type %s) errno=%d\n",
c312feb2 499 fscontext, sb->s_id, name, rc);
1da177e4
LT		 500 goto out_free;
501 }
502
c312feb2 503 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
1da177e4
LT		 504 if (rc)
505 goto out_free;
506
c312feb2
EP		 507 sbsec->sid = sid;
508 }
509
510 /*
511 * Switch to using mount point labeling behavior.
512 * sets the label used on all file below the mountpoint, and will set
513 * the superblock context if not already set.
514 */
515 if (context) {
516 rc = security_context_to_sid(context, strlen(context), &sid);
517 if (rc) {
518 printk(KERN_WARNING "SELinux: security_context_to_sid"
519 "(%s) failed for (dev %s, type %s) errno=%d\n",
520 context, sb->s_id, name, rc);
521 goto out_free;
522 }
523
b04ea3ce
EP		 524 if (!fscontext) {
525 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
526 if (rc)
527 goto out_free;
c312feb2 528 sbsec->sid = sid;
b04ea3ce
EP		 529 } else {
530 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
531 if (rc)
532 goto out_free;
533 }
c312feb2 534 sbsec->mntpoint_sid = sid;
1da177e4 535
c312feb2 536 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 537 }
538
0808925e
EP		 539 if (rootcontext) {
540 struct inode *inode = sb->s_root->d_inode;
541 struct inode_security_struct *isec = inode->i_security;
542 rc = security_context_to_sid(rootcontext, strlen(rootcontext), &sid);
543 if (rc) {
544 printk(KERN_WARNING "SELinux: security_context_to_sid"
545 "(%s) failed for (dev %s, type %s) errno=%d\n",
546 rootcontext, sb->s_id, name, rc);
547 goto out_free;
548 }
549
550 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
551 if (rc)
552 goto out_free;
553
554 isec->sid = sid;
555 isec->initialized = 1;
556 }
557
1da177e4
LT		 558 if (defcontext) {
559 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
560 if (rc) {
561 printk(KERN_WARNING "SELinux: security_context_to_sid"
562 "(%s) failed for (dev %s, type %s) errno=%d\n",
563 defcontext, sb->s_id, name, rc);
564 goto out_free;
565 }
566
567 if (sid == sbsec->def_sid)
568 goto out_free;
569
0808925e 570 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
1da177e4
LT		 571 if (rc)
572 goto out_free;
573
574 sbsec->def_sid = sid;
575 }
576
577out_free:
578 if (alloc) {
579 kfree(context);
580 kfree(defcontext);
c312feb2 581 kfree(fscontext);
0808925e 582 kfree(rootcontext);
1da177e4
LT		 583 }
584out:
585 return rc;
586}
587
588static int superblock_doinit(struct super_block *sb, void *data)
589{
590 struct superblock_security_struct *sbsec = sb->s_security;
591 struct dentry *root = sb->s_root;
592 struct inode *inode = root->d_inode;
593 int rc = 0;
594
595 down(&sbsec->sem);
596 if (sbsec->initialized)
597 goto out;
598
599 if (!ss_initialized) {
600 /* Defer initialization until selinux_complete_init,
601 after the initial policy is loaded and the security
602 server is ready to handle calls. */
603 spin_lock(&sb_security_lock);
604 if (list_empty(&sbsec->list))
605 list_add(&sbsec->list, &superblock_security_head);
606 spin_unlock(&sb_security_lock);
607 goto out;
608 }
609
610 /* Determine the labeling behavior to use for this filesystem type. */
611 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
612 if (rc) {
613 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
614 __FUNCTION__, sb->s_type->name, rc);
615 goto out;
616 }
617
618 rc = try_context_mount(sb, data);
619 if (rc)
620 goto out;
621
622 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
623 /* Make sure that the xattr handler exists and that no
624 error other than -ENODATA is returned by getxattr on
625 the root directory. -ENODATA is ok, as this may be
626 the first boot of the SELinux kernel before we have
627 assigned xattr values to the filesystem. */
628 if (!inode->i_op->getxattr) {
629 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
630 "xattr support\n", sb->s_id, sb->s_type->name);
631 rc = -EOPNOTSUPP;
632 goto out;
633 }
634 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
635 if (rc < 0 && rc != -ENODATA) {
636 if (rc == -EOPNOTSUPP)
637 printk(KERN_WARNING "SELinux: (dev %s, type "
638 "%s) has no security xattr handler\n",
639 sb->s_id, sb->s_type->name);
640 else
641 printk(KERN_WARNING "SELinux: (dev %s, type "
642 "%s) getxattr errno %d\n", sb->s_id,
643 sb->s_type->name, -rc);
644 goto out;
645 }
646 }
647
648 if (strcmp(sb->s_type->name, "proc") == 0)
649 sbsec->proc = 1;
650
651 sbsec->initialized = 1;
652
653 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
654 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
655 sb->s_id, sb->s_type->name);
656 }
657 else {
658 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
659 sb->s_id, sb->s_type->name,
660 labeling_behaviors[sbsec->behavior-1]);
661 }
662
663 /* Initialize the root inode. */
664 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
665
666 /* Initialize any other inodes associated with the superblock, e.g.
667 inodes created prior to initial policy load or inodes created
668 during get_sb by a pseudo filesystem that directly
669 populates itself. */
670 spin_lock(&sbsec->isec_lock);
671next_inode:
672 if (!list_empty(&sbsec->isec_head)) {
673 struct inode_security_struct *isec =
674 list_entry(sbsec->isec_head.next,
675 struct inode_security_struct, list);
676 struct inode *inode = isec->inode;
677 spin_unlock(&sbsec->isec_lock);
678 inode = igrab(inode);
679 if (inode) {
680 if (!IS_PRIVATE (inode))
681 inode_doinit(inode);
682 iput(inode);
683 }
684 spin_lock(&sbsec->isec_lock);
685 list_del_init(&isec->list);
686 goto next_inode;
687 }
688 spin_unlock(&sbsec->isec_lock);
689out:
690 up(&sbsec->sem);
691 return rc;
692}
693
694static inline u16 inode_mode_to_security_class(umode_t mode)
695{
696 switch (mode & S_IFMT) {
697 case S_IFSOCK:
698 return SECCLASS_SOCK_FILE;
699 case S_IFLNK:
700 return SECCLASS_LNK_FILE;
701 case S_IFREG:
702 return SECCLASS_FILE;
703 case S_IFBLK:
704 return SECCLASS_BLK_FILE;
705 case S_IFDIR:
706 return SECCLASS_DIR;
707 case S_IFCHR:
708 return SECCLASS_CHR_FILE;
709 case S_IFIFO:
710 return SECCLASS_FIFO_FILE;
711
712 }
713
714 return SECCLASS_FILE;
715}
716
13402580
JM		 717static inline int default_protocol_stream(int protocol)
718{
719 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
720}
721
722static inline int default_protocol_dgram(int protocol)
723{
724 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
725}
726
1da177e4
LT		 727static inline u16 socket_type_to_security_class(int family, int type, int protocol)
728{
729 switch (family) {
730 case PF_UNIX:
731 switch (type) {
732 case SOCK_STREAM:
733 case SOCK_SEQPACKET:
734 return SECCLASS_UNIX_STREAM_SOCKET;
735 case SOCK_DGRAM:
736 return SECCLASS_UNIX_DGRAM_SOCKET;
737 }
738 break;
739 case PF_INET:
740 case PF_INET6:
741 switch (type) {
742 case SOCK_STREAM:
13402580
JM		 743 if (default_protocol_stream(protocol))
744 return SECCLASS_TCP_SOCKET;
745 else
746 return SECCLASS_RAWIP_SOCKET;
1da177e4 747 case SOCK_DGRAM:
13402580
JM		 748 if (default_protocol_dgram(protocol))
749 return SECCLASS_UDP_SOCKET;
750 else
751 return SECCLASS_RAWIP_SOCKET;
752 default:
1da177e4
LT		 753 return SECCLASS_RAWIP_SOCKET;
754 }
755 break;
756 case PF_NETLINK:
757 switch (protocol) {
758 case NETLINK_ROUTE:
759 return SECCLASS_NETLINK_ROUTE_SOCKET;
760 case NETLINK_FIREWALL:
761 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 762 case NETLINK_INET_DIAG:
1da177e4
LT		 763 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
764 case NETLINK_NFLOG:
765 return SECCLASS_NETLINK_NFLOG_SOCKET;
766 case NETLINK_XFRM:
767 return SECCLASS_NETLINK_XFRM_SOCKET;
768 case NETLINK_SELINUX:
769 return SECCLASS_NETLINK_SELINUX_SOCKET;
770 case NETLINK_AUDIT:
771 return SECCLASS_NETLINK_AUDIT_SOCKET;
772 case NETLINK_IP6_FW:
773 return SECCLASS_NETLINK_IP6FW_SOCKET;
774 case NETLINK_DNRTMSG:
775 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 776 case NETLINK_KOBJECT_UEVENT:
777 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 778 default:
779 return SECCLASS_NETLINK_SOCKET;
780 }
781 case PF_PACKET:
782 return SECCLASS_PACKET_SOCKET;
783 case PF_KEY:
784 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 785 case PF_APPLETALK:
786 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 787 }
788
789 return SECCLASS_SOCKET;
790}
791
792#ifdef CONFIG_PROC_FS
793static int selinux_proc_get_sid(struct proc_dir_entry *de,
794 u16 tclass,
795 u32 *sid)
796{
797 int buflen, rc;
798 char *buffer, *path, *end;
799
800 buffer = (char*)__get_free_page(GFP_KERNEL);
801 if (!buffer)
802 return -ENOMEM;
803
804 buflen = PAGE_SIZE;
805 end = buffer+buflen;
806 *--end = '\0';
807 buflen--;
808 path = end-1;
809 *path = '/';
810 while (de && de != de->parent) {
811 buflen -= de->namelen + 1;
812 if (buflen < 0)
813 break;
814 end -= de->namelen;
815 memcpy(end, de->name, de->namelen);
816 *--end = '/';
817 path = end;
818 de = de->parent;
819 }
820 rc = security_genfs_sid("proc", path, tclass, sid);
821 free_page((unsigned long)buffer);
822 return rc;
823}
824#else
825static int selinux_proc_get_sid(struct proc_dir_entry *de,
826 u16 tclass,
827 u32 *sid)
828{
829 return -EINVAL;
830}
831#endif
832
833/* The inode's security attributes must be initialized before first use. */
834static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
835{
836 struct superblock_security_struct *sbsec = NULL;
837 struct inode_security_struct *isec = inode->i_security;
838 u32 sid;
839 struct dentry *dentry;
840#define INITCONTEXTLEN 255
841 char *context = NULL;
842 unsigned len = 0;
843 int rc = 0;
844 int hold_sem = 0;
845
846 if (isec->initialized)
847 goto out;
848
849 down(&isec->sem);
850 hold_sem = 1;
851 if (isec->initialized)
852 goto out;
853
854 sbsec = inode->i_sb->s_security;
855 if (!sbsec->initialized) {
856 /* Defer initialization until selinux_complete_init,
857 after the initial policy is loaded and the security
858 server is ready to handle calls. */
859 spin_lock(&sbsec->isec_lock);
860 if (list_empty(&isec->list))
861 list_add(&isec->list, &sbsec->isec_head);
862 spin_unlock(&sbsec->isec_lock);
863 goto out;
864 }
865
866 switch (sbsec->behavior) {
867 case SECURITY_FS_USE_XATTR:
868 if (!inode->i_op->getxattr) {
869 isec->sid = sbsec->def_sid;
870 break;
871 }
872
873 /* Need a dentry, since the xattr API requires one.
874 Life would be simpler if we could just pass the inode. */
875 if (opt_dentry) {
876 /* Called from d_instantiate or d_splice_alias. */
877 dentry = dget(opt_dentry);
878 } else {
879 /* Called from selinux_complete_init, try to find a dentry. */
880 dentry = d_find_alias(inode);
881 }
882 if (!dentry) {
883 printk(KERN_WARNING "%s: no dentry for dev=%s "
884 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
885 inode->i_ino);
886 goto out;
887 }
888
889 len = INITCONTEXTLEN;
890 context = kmalloc(len, GFP_KERNEL);
891 if (!context) {
892 rc = -ENOMEM;
893 dput(dentry);
894 goto out;
895 }
896 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
897 context, len);
898 if (rc == -ERANGE) {
899 /* Need a larger buffer. Query for the right size. */
900 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
901 NULL, 0);
902 if (rc < 0) {
903 dput(dentry);
904 goto out;
905 }
906 kfree(context);
907 len = rc;
908 context = kmalloc(len, GFP_KERNEL);
909 if (!context) {
910 rc = -ENOMEM;
911 dput(dentry);
912 goto out;
913 }
914 rc = inode->i_op->getxattr(dentry,
915 XATTR_NAME_SELINUX,
916 context, len);
917 }
918 dput(dentry);
919 if (rc < 0) {
920 if (rc != -ENODATA) {
921 printk(KERN_WARNING "%s: getxattr returned "
922 "%d for dev=%s ino=%ld\n", __FUNCTION__,
923 -rc, inode->i_sb->s_id, inode->i_ino);
924 kfree(context);
925 goto out;
926 }
927 /* Map ENODATA to the default file SID */
928 sid = sbsec->def_sid;
929 rc = 0;
930 } else {
f5c1d5b2
JM		 931 rc = security_context_to_sid_default(context, rc, &sid,
932 sbsec->def_sid);
1da177e4
LT		 933 if (rc) {
934 printk(KERN_WARNING "%s: context_to_sid(%s) "
935 "returned %d for dev=%s ino=%ld\n",
936 __FUNCTION__, context, -rc,
937 inode->i_sb->s_id, inode->i_ino);
938 kfree(context);
939 /* Leave with the unlabeled SID */
940 rc = 0;
941 break;
942 }
943 }
944 kfree(context);
945 isec->sid = sid;
946 break;
947 case SECURITY_FS_USE_TASK:
948 isec->sid = isec->task_sid;
949 break;
950 case SECURITY_FS_USE_TRANS:
951 /* Default to the fs SID. */
952 isec->sid = sbsec->sid;
953
954 /* Try to obtain a transition SID. */
955 isec->sclass = inode_mode_to_security_class(inode->i_mode);
956 rc = security_transition_sid(isec->task_sid,
957 sbsec->sid,
958 isec->sclass,
959 &sid);
960 if (rc)
961 goto out;
962 isec->sid = sid;
963 break;
c312feb2
EP		 964 case SECURITY_FS_USE_MNTPOINT:
965 isec->sid = sbsec->mntpoint_sid;
966 break;
1da177e4 967 default:
c312feb2 968 /* Default to the fs superblock SID. */
1da177e4
LT		 969 isec->sid = sbsec->sid;
970
971 if (sbsec->proc) {
972 struct proc_inode *proci = PROC_I(inode);
973 if (proci->pde) {
974 isec->sclass = inode_mode_to_security_class(inode->i_mode);
975 rc = selinux_proc_get_sid(proci->pde,
976 isec->sclass,
977 &sid);
978 if (rc)
979 goto out;
980 isec->sid = sid;
981 }
982 }
983 break;
984 }
985
986 isec->initialized = 1;
987
988out:
989 if (isec->sclass == SECCLASS_FILE)
990 isec->sclass = inode_mode_to_security_class(inode->i_mode);
991
992 if (hold_sem)
993 up(&isec->sem);
994 return rc;
995}
996
997/* Convert a Linux signal to an access vector. */
998static inline u32 signal_to_av(int sig)
999{
1000 u32 perm = 0;
1001
1002 switch (sig) {
1003 case SIGCHLD:
1004 /* Commonly granted from child to parent. */
1005 perm = PROCESS__SIGCHLD;
1006 break;
1007 case SIGKILL:
1008 /* Cannot be caught or ignored */
1009 perm = PROCESS__SIGKILL;
1010 break;
1011 case SIGSTOP:
1012 /* Cannot be caught or ignored */
1013 perm = PROCESS__SIGSTOP;
1014 break;
1015 default:
1016 /* All other signals. */
1017 perm = PROCESS__SIGNAL;
1018 break;
1019 }
1020
1021 return perm;
1022}
1023
1024/* Check permission betweeen a pair of tasks, e.g. signal checks,
1025 fork check, ptrace check, etc. */
1026static int task_has_perm(struct task_struct *tsk1,
1027 struct task_struct *tsk2,
1028 u32 perms)
1029{
1030 struct task_security_struct *tsec1, *tsec2;
1031
1032 tsec1 = tsk1->security;
1033 tsec2 = tsk2->security;
1034 return avc_has_perm(tsec1->sid, tsec2->sid,
1035 SECCLASS_PROCESS, perms, NULL);
1036}
1037
1038/* Check whether a task is allowed to use a capability. */
1039static int task_has_capability(struct task_struct *tsk,
1040 int cap)
1041{
1042 struct task_security_struct *tsec;
1043 struct avc_audit_data ad;
1044
1045 tsec = tsk->security;
1046
1047 AVC_AUDIT_DATA_INIT(&ad,CAP);
1048 ad.tsk = tsk;
1049 ad.u.cap = cap;
1050
1051 return avc_has_perm(tsec->sid, tsec->sid,
1052 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1053}
1054
1055/* Check whether a task is allowed to use a system operation. */
1056static int task_has_system(struct task_struct *tsk,
1057 u32 perms)
1058{
1059 struct task_security_struct *tsec;
1060
1061 tsec = tsk->security;
1062
1063 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1064 SECCLASS_SYSTEM, perms, NULL);
1065}
1066
1067/* Check whether a task has a particular permission to an inode.
1068 The 'adp' parameter is optional and allows other audit
1069 data to be passed (e.g. the dentry). */
1070static int inode_has_perm(struct task_struct *tsk,
1071 struct inode *inode,
1072 u32 perms,
1073 struct avc_audit_data *adp)
1074{
1075 struct task_security_struct *tsec;
1076 struct inode_security_struct *isec;
1077 struct avc_audit_data ad;
1078
1079 tsec = tsk->security;
1080 isec = inode->i_security;
1081
1082 if (!adp) {
1083 adp = &ad;
1084 AVC_AUDIT_DATA_INIT(&ad, FS);
1085 ad.u.fs.inode = inode;
1086 }
1087
1088 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1089}
1090
1091/* Same as inode_has_perm, but pass explicit audit data containing
1092 the dentry to help the auditing code to more easily generate the
1093 pathname if needed. */
1094static inline int dentry_has_perm(struct task_struct *tsk,
1095 struct vfsmount *mnt,
1096 struct dentry *dentry,
1097 u32 av)
1098{
1099 struct inode *inode = dentry->d_inode;
1100 struct avc_audit_data ad;
1101 AVC_AUDIT_DATA_INIT(&ad,FS);
1102 ad.u.fs.mnt = mnt;
1103 ad.u.fs.dentry = dentry;
1104 return inode_has_perm(tsk, inode, av, &ad);
1105}
1106
1107/* Check whether a task can use an open file descriptor to
1108 access an inode in a given way. Check access to the
1109 descriptor itself, and then use dentry_has_perm to
1110 check a particular permission to the file.
1111 Access to the descriptor is implicitly granted if it
1112 has the same SID as the process. If av is zero, then
1113 access to the file is not checked, e.g. for cases
1114 where only the descriptor is affected like seek. */
858119e1 1115static int file_has_perm(struct task_struct *tsk,
1da177e4
LT		 1116 struct file *file,
1117 u32 av)
1118{
1119 struct task_security_struct *tsec = tsk->security;
1120 struct file_security_struct *fsec = file->f_security;
1121 struct vfsmount *mnt = file->f_vfsmnt;
1122 struct dentry *dentry = file->f_dentry;
1123 struct inode *inode = dentry->d_inode;
1124 struct avc_audit_data ad;
1125 int rc;
1126
1127 AVC_AUDIT_DATA_INIT(&ad, FS);
1128 ad.u.fs.mnt = mnt;
1129 ad.u.fs.dentry = dentry;
1130
1131 if (tsec->sid != fsec->sid) {
1132 rc = avc_has_perm(tsec->sid, fsec->sid,
1133 SECCLASS_FD,
1134 FD__USE,
1135 &ad);
1136 if (rc)
1137 return rc;
1138 }
1139
1140 /* av is zero if only checking access to the descriptor. */
1141 if (av)
1142 return inode_has_perm(tsk, inode, av, &ad);
1143
1144 return 0;
1145}
1146
1147/* Check whether a task can create a file. */
1148static int may_create(struct inode *dir,
1149 struct dentry *dentry,
1150 u16 tclass)
1151{
1152 struct task_security_struct *tsec;
1153 struct inode_security_struct *dsec;
1154 struct superblock_security_struct *sbsec;
1155 u32 newsid;
1156 struct avc_audit_data ad;
1157 int rc;
1158
1159 tsec = current->security;
1160 dsec = dir->i_security;
1161 sbsec = dir->i_sb->s_security;
1162
1163 AVC_AUDIT_DATA_INIT(&ad, FS);
1164 ad.u.fs.dentry = dentry;
1165
1166 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1167 DIR__ADD_NAME | DIR__SEARCH,
1168 &ad);
1169 if (rc)
1170 return rc;
1171
1172 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1173 newsid = tsec->create_sid;
1174 } else {
1175 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1176 &newsid);
1177 if (rc)
1178 return rc;
1179 }
1180
1181 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1182 if (rc)
1183 return rc;
1184
1185 return avc_has_perm(newsid, sbsec->sid,
1186 SECCLASS_FILESYSTEM,
1187 FILESYSTEM__ASSOCIATE, &ad);
1188}
1189
4eb582cf
ML		 1190/* Check whether a task can create a key. */
1191static int may_create_key(u32 ksid,
1192 struct task_struct *ctx)
1193{
1194 struct task_security_struct *tsec;
1195
1196 tsec = ctx->security;
1197
1198 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1199}
1200
1da177e4
LT		 1201#define MAY_LINK 0
1202#define MAY_UNLINK 1
1203#define MAY_RMDIR 2
1204
1205/* Check whether a task can link, unlink, or rmdir a file/directory. */
1206static int may_link(struct inode *dir,
1207 struct dentry *dentry,
1208 int kind)
1209
1210{
1211 struct task_security_struct *tsec;
1212 struct inode_security_struct *dsec, *isec;
1213 struct avc_audit_data ad;
1214 u32 av;
1215 int rc;
1216
1217 tsec = current->security;
1218 dsec = dir->i_security;
1219 isec = dentry->d_inode->i_security;
1220
1221 AVC_AUDIT_DATA_INIT(&ad, FS);
1222 ad.u.fs.dentry = dentry;
1223
1224 av = DIR__SEARCH;
1225 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1226 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1227 if (rc)
1228 return rc;
1229
1230 switch (kind) {
1231 case MAY_LINK:
1232 av = FILE__LINK;
1233 break;
1234 case MAY_UNLINK:
1235 av = FILE__UNLINK;
1236 break;
1237 case MAY_RMDIR:
1238 av = DIR__RMDIR;
1239 break;
1240 default:
1241 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1242 return 0;
1243 }
1244
1245 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1246 return rc;
1247}
1248
1249static inline int may_rename(struct inode *old_dir,
1250 struct dentry *old_dentry,
1251 struct inode *new_dir,
1252 struct dentry *new_dentry)
1253{
1254 struct task_security_struct *tsec;
1255 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1256 struct avc_audit_data ad;
1257 u32 av;
1258 int old_is_dir, new_is_dir;
1259 int rc;
1260
1261 tsec = current->security;
1262 old_dsec = old_dir->i_security;
1263 old_isec = old_dentry->d_inode->i_security;
1264 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1265 new_dsec = new_dir->i_security;
1266
1267 AVC_AUDIT_DATA_INIT(&ad, FS);
1268
1269 ad.u.fs.dentry = old_dentry;
1270 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1271 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1272 if (rc)
1273 return rc;
1274 rc = avc_has_perm(tsec->sid, old_isec->sid,
1275 old_isec->sclass, FILE__RENAME, &ad);
1276 if (rc)
1277 return rc;
1278 if (old_is_dir && new_dir != old_dir) {
1279 rc = avc_has_perm(tsec->sid, old_isec->sid,
1280 old_isec->sclass, DIR__REPARENT, &ad);
1281 if (rc)
1282 return rc;
1283 }
1284
1285 ad.u.fs.dentry = new_dentry;
1286 av = DIR__ADD_NAME | DIR__SEARCH;
1287 if (new_dentry->d_inode)
1288 av |= DIR__REMOVE_NAME;
1289 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1290 if (rc)
1291 return rc;
1292 if (new_dentry->d_inode) {
1293 new_isec = new_dentry->d_inode->i_security;
1294 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1295 rc = avc_has_perm(tsec->sid, new_isec->sid,
1296 new_isec->sclass,
1297 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1298 if (rc)
1299 return rc;
1300 }
1301
1302 return 0;
1303}
1304
1305/* Check whether a task can perform a filesystem operation. */
1306static int superblock_has_perm(struct task_struct *tsk,
1307 struct super_block *sb,
1308 u32 perms,
1309 struct avc_audit_data *ad)
1310{
1311 struct task_security_struct *tsec;
1312 struct superblock_security_struct *sbsec;
1313
1314 tsec = tsk->security;
1315 sbsec = sb->s_security;
1316 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1317 perms, ad);
1318}
1319
1320/* Convert a Linux mode and permission mask to an access vector. */
1321static inline u32 file_mask_to_av(int mode, int mask)
1322{
1323 u32 av = 0;
1324
1325 if ((mode & S_IFMT) != S_IFDIR) {
1326 if (mask & MAY_EXEC)
1327 av |= FILE__EXECUTE;
1328 if (mask & MAY_READ)
1329 av |= FILE__READ;
1330
1331 if (mask & MAY_APPEND)
1332 av |= FILE__APPEND;
1333 else if (mask & MAY_WRITE)
1334 av |= FILE__WRITE;
1335
1336 } else {
1337 if (mask & MAY_EXEC)
1338 av |= DIR__SEARCH;
1339 if (mask & MAY_WRITE)
1340 av |= DIR__WRITE;
1341 if (mask & MAY_READ)
1342 av |= DIR__READ;
1343 }
1344
1345 return av;
1346}
1347
1348/* Convert a Linux file to an access vector. */
1349static inline u32 file_to_av(struct file *file)
1350{
1351 u32 av = 0;
1352
1353 if (file->f_mode & FMODE_READ)
1354 av |= FILE__READ;
1355 if (file->f_mode & FMODE_WRITE) {
1356 if (file->f_flags & O_APPEND)
1357 av |= FILE__APPEND;
1358 else
1359 av |= FILE__WRITE;
1360 }
1361
1362 return av;
1363}
1364
1365/* Set an inode's SID to a specified value. */
1366static int inode_security_set_sid(struct inode *inode, u32 sid)
1367{
1368 struct inode_security_struct *isec = inode->i_security;
1369 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1370
1371 if (!sbsec->initialized) {
1372 /* Defer initialization to selinux_complete_init. */
1373 return 0;
1374 }
1375
1376 down(&isec->sem);
1377 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1378 isec->sid = sid;
1379 isec->initialized = 1;
1380 up(&isec->sem);
1381 return 0;
1382}
1383
1da177e4
LT		 1384/* Hook functions begin here. */
1385
1386static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1387{
1388 struct task_security_struct *psec = parent->security;
1389 struct task_security_struct *csec = child->security;
1390 int rc;
1391
1392 rc = secondary_ops->ptrace(parent,child);
1393 if (rc)
1394 return rc;
1395
1396 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1397 /* Save the SID of the tracing process for later use in apply_creds. */
341c2d80 1398 if (!(child->ptrace & PT_PTRACED) && !rc)
1da177e4
LT		 1399 csec->ptrace_sid = psec->sid;
1400 return rc;
1401}
1402
1403static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1404 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1405{
1406 int error;
1407
1408 error = task_has_perm(current, target, PROCESS__GETCAP);
1409 if (error)
1410 return error;
1411
1412 return secondary_ops->capget(target, effective, inheritable, permitted);
1413}
1414
1415static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1416 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1417{
1418 int error;
1419
1420 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1421 if (error)
1422 return error;
1423
1424 return task_has_perm(current, target, PROCESS__SETCAP);
1425}
1426
1427static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1428 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1429{
1430 secondary_ops->capset_set(target, effective, inheritable, permitted);
1431}
1432
1433static int selinux_capable(struct task_struct *tsk, int cap)
1434{
1435 int rc;
1436
1437 rc = secondary_ops->capable(tsk, cap);
1438 if (rc)
1439 return rc;
1440
1441 return task_has_capability(tsk,cap);
1442}
1443
1444static int selinux_sysctl(ctl_table *table, int op)
1445{
1446 int error = 0;
1447 u32 av;
1448 struct task_security_struct *tsec;
1449 u32 tsid;
1450 int rc;
1451
1452 rc = secondary_ops->sysctl(table, op);
1453 if (rc)
1454 return rc;
1455
1456 tsec = current->security;
1457
1458 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1459 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1460 if (rc) {
1461 /* Default to the well-defined sysctl SID. */
1462 tsid = SECINITSID_SYSCTL;
1463 }
1464
1465 /* The op values are "defined" in sysctl.c, thereby creating
1466 * a bad coupling between this module and sysctl.c */
1467 if(op == 001) {
1468 error = avc_has_perm(tsec->sid, tsid,
1469 SECCLASS_DIR, DIR__SEARCH, NULL);
1470 } else {
1471 av = 0;
1472 if (op & 004)
1473 av |= FILE__READ;
1474 if (op & 002)
1475 av |= FILE__WRITE;
1476 if (av)
1477 error = avc_has_perm(tsec->sid, tsid,
1478 SECCLASS_FILE, av, NULL);
1479 }
1480
1481 return error;
1482}
1483
1484static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1485{
1486 int rc = 0;
1487
1488 if (!sb)
1489 return 0;
1490
1491 switch (cmds) {
1492 case Q_SYNC:
1493 case Q_QUOTAON:
1494 case Q_QUOTAOFF:
1495 case Q_SETINFO:
1496 case Q_SETQUOTA:
1497 rc = superblock_has_perm(current,
1498 sb,
1499 FILESYSTEM__QUOTAMOD, NULL);
1500 break;
1501 case Q_GETFMT:
1502 case Q_GETINFO:
1503 case Q_GETQUOTA:
1504 rc = superblock_has_perm(current,
1505 sb,
1506 FILESYSTEM__QUOTAGET, NULL);
1507 break;
1508 default:
1509 rc = 0; /* let the kernel handle invalid cmds */
1510 break;
1511 }
1512 return rc;
1513}
1514
1515static int selinux_quota_on(struct dentry *dentry)
1516{
1517 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1518}
1519
1520static int selinux_syslog(int type)
1521{
1522 int rc;
1523
1524 rc = secondary_ops->syslog(type);
1525 if (rc)
1526 return rc;
1527
1528 switch (type) {
1529 case 3: /* Read last kernel messages */
1530 case 10: /* Return size of the log buffer */
1531 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1532 break;
1533 case 6: /* Disable logging to console */
1534 case 7: /* Enable logging to console */
1535 case 8: /* Set level of messages printed to console */
1536 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1537 break;
1538 case 0: /* Close log */
1539 case 1: /* Open log */
1540 case 2: /* Read from log */
1541 case 4: /* Read/clear last kernel messages */
1542 case 5: /* Clear ring buffer */
1543 default:
1544 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1545 break;
1546 }
1547 return rc;
1548}
1549
1550/*
1551 * Check that a process has enough memory to allocate a new virtual
1552 * mapping. 0 means there is enough memory for the allocation to
1553 * succeed and -ENOMEM implies there is not.
1554 *
1555 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1556 * if the capability is granted, but __vm_enough_memory requires 1 if
1557 * the capability is granted.
1558 *
1559 * Do not audit the selinux permission check, as this is applied to all
1560 * processes that allocate mappings.
1561 */
1562static int selinux_vm_enough_memory(long pages)
1563{
1564 int rc, cap_sys_admin = 0;
1565 struct task_security_struct *tsec = current->security;
1566
1567 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1568 if (rc == 0)
1569 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1570 SECCLASS_CAPABILITY,
1571 CAP_TO_MASK(CAP_SYS_ADMIN),
1572 NULL);
1573
1574 if (rc == 0)
1575 cap_sys_admin = 1;
1576
1577 return __vm_enough_memory(pages, cap_sys_admin);
1578}
1579
1580/* binprm security operations */
1581
1582static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1583{
1584 struct bprm_security_struct *bsec;
1585
89d155ef 1586 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1da177e4
LT		 1587 if (!bsec)
1588 return -ENOMEM;
1589
1da177e4
LT		 1590 bsec->bprm = bprm;
1591 bsec->sid = SECINITSID_UNLABELED;
1592 bsec->set = 0;
1593
1594 bprm->security = bsec;
1595 return 0;
1596}
1597
1598static int selinux_bprm_set_security(struct linux_binprm *bprm)
1599{
1600 struct task_security_struct *tsec;
1601 struct inode *inode = bprm->file->f_dentry->d_inode;
1602 struct inode_security_struct *isec;
1603 struct bprm_security_struct *bsec;
1604 u32 newsid;
1605 struct avc_audit_data ad;
1606 int rc;
1607
1608 rc = secondary_ops->bprm_set_security(bprm);
1609 if (rc)
1610 return rc;
1611
1612 bsec = bprm->security;
1613
1614 if (bsec->set)
1615 return 0;
1616
1617 tsec = current->security;
1618 isec = inode->i_security;
1619
1620 /* Default to the current task SID. */
1621 bsec->sid = tsec->sid;
1622
28eba5bf 1623 /* Reset fs, key, and sock SIDs on execve. */
1da177e4 1624 tsec->create_sid = 0;
28eba5bf 1625 tsec->keycreate_sid = 0;
42c3e03e 1626 tsec->sockcreate_sid = 0;
1da177e4
LT		 1627
1628 if (tsec->exec_sid) {
1629 newsid = tsec->exec_sid;
1630 /* Reset exec SID on execve. */
1631 tsec->exec_sid = 0;
1632 } else {
1633 /* Check for a default transition on this program. */
1634 rc = security_transition_sid(tsec->sid, isec->sid,
1635 SECCLASS_PROCESS, &newsid);
1636 if (rc)
1637 return rc;
1638 }
1639
1640 AVC_AUDIT_DATA_INIT(&ad, FS);
1641 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1642 ad.u.fs.dentry = bprm->file->f_dentry;
1643
1644 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1645 newsid = tsec->sid;
1646
1647 if (tsec->sid == newsid) {
1648 rc = avc_has_perm(tsec->sid, isec->sid,
1649 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1650 if (rc)
1651 return rc;
1652 } else {
1653 /* Check permissions for the transition. */
1654 rc = avc_has_perm(tsec->sid, newsid,
1655 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1656 if (rc)
1657 return rc;
1658
1659 rc = avc_has_perm(newsid, isec->sid,
1660 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1661 if (rc)
1662 return rc;
1663
1664 /* Clear any possibly unsafe personality bits on exec: */
1665 current->personality &= ~PER_CLEAR_ON_SETID;
1666
1667 /* Set the security field to the new SID. */
1668 bsec->sid = newsid;
1669 }
1670
1671 bsec->set = 1;
1672 return 0;
1673}
1674
1675static int selinux_bprm_check_security (struct linux_binprm *bprm)
1676{
1677 return secondary_ops->bprm_check_security(bprm);
1678}
1679
1680
1681static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1682{
1683 struct task_security_struct *tsec = current->security;
1684 int atsecure = 0;
1685
1686 if (tsec->osid != tsec->sid) {
1687 /* Enable secure mode for SIDs transitions unless
1688 the noatsecure permission is granted between
1689 the two SIDs, i.e. ahp returns 0. */
1690 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1691 SECCLASS_PROCESS,
1692 PROCESS__NOATSECURE, NULL);
1693 }
1694
1695 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1696}
1697
1698static void selinux_bprm_free_security(struct linux_binprm *bprm)
1699{
9a5f04bf 1700 kfree(bprm->security);
1da177e4 1701 bprm->security = NULL;
1da177e4
LT		 1702}
1703
1704extern struct vfsmount *selinuxfs_mount;
1705extern struct dentry *selinux_null;
1706
1707/* Derived from fs/exec.c:flush_old_files. */
1708static inline void flush_unauthorized_files(struct files_struct * files)
1709{
1710 struct avc_audit_data ad;
1711 struct file *file, *devnull = NULL;
1712 struct tty_struct *tty = current->signal->tty;
badf1662 1713 struct fdtable *fdt;
1da177e4
LT		 1714 long j = -1;
1715
1716 if (tty) {
1717 file_list_lock();
2f512016 1718 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1da177e4
LT		 1719 if (file) {
1720 /* Revalidate access to controlling tty.
1721 Use inode_has_perm on the tty inode directly rather
1722 than using file_has_perm, as this particular open
1723 file may belong to another process and we are only
1724 interested in the inode-based check here. */
1725 struct inode *inode = file->f_dentry->d_inode;
1726 if (inode_has_perm(current, inode,
1727 FILE__READ | FILE__WRITE, NULL)) {
1728 /* Reset controlling tty. */
1729 current->signal->tty = NULL;
1730 current->signal->tty_old_pgrp = 0;
1731 }
1732 }
1733 file_list_unlock();
1734 }
1735
1736 /* Revalidate access to inherited open files. */
1737
1738 AVC_AUDIT_DATA_INIT(&ad,FS);
1739
1740 spin_lock(&files->file_lock);
1741 for (;;) {
1742 unsigned long set, i;
1743 int fd;
1744
1745 j++;
1746 i = j * __NFDBITS;
badf1662
DS		 1747 fdt = files_fdtable(files);
1748 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1da177e4 1749 break;
badf1662 1750 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 1751 if (!set)
1752 continue;
1753 spin_unlock(&files->file_lock);
1754 for ( ; set ; i++,set >>= 1) {
1755 if (set & 1) {
1756 file = fget(i);
1757 if (!file)
1758 continue;
1759 if (file_has_perm(current,
1760 file,
1761 file_to_av(file))) {
1762 sys_close(i);
1763 fd = get_unused_fd();
1764 if (fd != i) {
1765 if (fd >= 0)
1766 put_unused_fd(fd);
1767 fput(file);
1768 continue;
1769 }
1770 if (devnull) {
095975da 1771 get_file(devnull);
1da177e4
LT		 1772 } else {
1773 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1774 if (!devnull) {
1775 put_unused_fd(fd);
1776 fput(file);
1777 continue;
1778 }
1779 }
1780 fd_install(fd, devnull);
1781 }
1782 fput(file);
1783 }
1784 }
1785 spin_lock(&files->file_lock);
1786
1787 }
1788 spin_unlock(&files->file_lock);
1789}
1790
1791static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1792{
1793 struct task_security_struct *tsec;
1794 struct bprm_security_struct *bsec;
1795 u32 sid;
1796 int rc;
1797
1798 secondary_ops->bprm_apply_creds(bprm, unsafe);
1799
1800 tsec = current->security;
1801
1802 bsec = bprm->security;
1803 sid = bsec->sid;
1804
1805 tsec->osid = tsec->sid;
1806 bsec->unsafe = 0;
1807 if (tsec->sid != sid) {
1808 /* Check for shared state. If not ok, leave SID
1809 unchanged and kill. */
1810 if (unsafe & LSM_UNSAFE_SHARE) {
1811 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1812 PROCESS__SHARE, NULL);
1813 if (rc) {
1814 bsec->unsafe = 1;
1815 return;
1816 }
1817 }
1818
1819 /* Check for ptracing, and update the task SID if ok.
1820 Otherwise, leave SID unchanged and kill. */
1821 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1822 rc = avc_has_perm(tsec->ptrace_sid, sid,
1823 SECCLASS_PROCESS, PROCESS__PTRACE,
1824 NULL);
1825 if (rc) {
1826 bsec->unsafe = 1;
1827 return;
1828 }
1829 }
1830 tsec->sid = sid;
1831 }
1832}
1833
1834/*
1835 * called after apply_creds without the task lock held
1836 */
1837static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1838{
1839 struct task_security_struct *tsec;
1840 struct rlimit *rlim, *initrlim;
1841 struct itimerval itimer;
1842 struct bprm_security_struct *bsec;
1843 int rc, i;
1844
1845 tsec = current->security;
1846 bsec = bprm->security;
1847
1848 if (bsec->unsafe) {
1849 force_sig_specific(SIGKILL, current);
1850 return;
1851 }
1852 if (tsec->osid == tsec->sid)
1853 return;
1854
1855 /* Close files for which the new task SID is not authorized. */
1856 flush_unauthorized_files(current->files);
1857
1858 /* Check whether the new SID can inherit signal state
1859 from the old SID. If not, clear itimers to avoid
1860 subsequent signal generation and flush and unblock
1861 signals. This must occur _after_ the task SID has
1862 been updated so that any kill done after the flush
1863 will be checked against the new SID. */
1864 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1865 PROCESS__SIGINH, NULL);
1866 if (rc) {
1867 memset(&itimer, 0, sizeof itimer);
1868 for (i = 0; i < 3; i++)
1869 do_setitimer(i, &itimer, NULL);
1870 flush_signals(current);
1871 spin_lock_irq(&current->sighand->siglock);
1872 flush_signal_handlers(current, 1);
1873 sigemptyset(&current->blocked);
1874 recalc_sigpending();
1875 spin_unlock_irq(&current->sighand->siglock);
1876 }
1877
1878 /* Check whether the new SID can inherit resource limits
1879 from the old SID. If not, reset all soft limits to
1880 the lower of the current task's hard limit and the init
1881 task's soft limit. Note that the setting of hard limits
1882 (even to lower them) can be controlled by the setrlimit
1883 check. The inclusion of the init task's soft limit into
1884 the computation is to avoid resetting soft limits higher
1885 than the default soft limit for cases where the default
1886 is lower than the hard limit, e.g. RLIMIT_CORE or
1887 RLIMIT_STACK.*/
1888 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1889 PROCESS__RLIMITINH, NULL);
1890 if (rc) {
1891 for (i = 0; i < RLIM_NLIMITS; i++) {
1892 rlim = current->signal->rlim + i;
1893 initrlim = init_task.signal->rlim+i;
1894 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1895 }
1896 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1897 /*
1898 * This will cause RLIMIT_CPU calculations
1899 * to be refigured.
1900 */
1901 current->it_prof_expires = jiffies_to_cputime(1);
1902 }
1903 }
1904
1905 /* Wake up the parent if it is waiting so that it can
1906 recheck wait permission to the new task SID. */
1907 wake_up_interruptible(&current->parent->signal->wait_chldexit);
1908}
1909
1910/* superblock security operations */
1911
1912static int selinux_sb_alloc_security(struct super_block *sb)
1913{
1914 return superblock_alloc_security(sb);
1915}
1916
1917static void selinux_sb_free_security(struct super_block *sb)
1918{
1919 superblock_free_security(sb);
1920}
1921
1922static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1923{
1924 if (plen > olen)
1925 return 0;
1926
1927 return !memcmp(prefix, option, plen);
1928}
1929
1930static inline int selinux_option(char *option, int len)
1931{
1932 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1933 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
0808925e
EP		 1934 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
1935 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
1da177e4
LT		 1936}
1937
1938static inline void take_option(char **to, char *from, int *first, int len)
1939{
1940 if (!*first) {
1941 **to = ',';
1942 *to += 1;
1943 }
1944 else
1945 *first = 0;
1946 memcpy(*to, from, len);
1947 *to += len;
1948}
1949
1950static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1951{
1952 int fnosec, fsec, rc = 0;
1953 char *in_save, *in_curr, *in_end;
1954 char *sec_curr, *nosec_save, *nosec;
1955
1956 in_curr = orig;
1957 sec_curr = copy;
1958
1959 /* Binary mount data: just copy */
1960 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1961 copy_page(sec_curr, in_curr);
1962 goto out;
1963 }
1964
1965 nosec = (char *)get_zeroed_page(GFP_KERNEL);
1966 if (!nosec) {
1967 rc = -ENOMEM;
1968 goto out;
1969 }
1970
1971 nosec_save = nosec;
1972 fnosec = fsec = 1;
1973 in_save = in_end = orig;
1974
1975 do {
1976 if (*in_end == ',' || *in_end == '\0') {
1977 int len = in_end - in_curr;
1978
1979 if (selinux_option(in_curr, len))
1980 take_option(&sec_curr, in_curr, &fsec, len);
1981 else
1982 take_option(&nosec, in_curr, &fnosec, len);
1983
1984 in_curr = in_end + 1;
1985 }
1986 } while (*in_end++);
1987
6931dfc9 1988 strcpy(in_save, nosec_save);
da3caa20 1989 free_page((unsigned long)nosec_save);
1da177e4
LT		 1990out:
1991 return rc;
1992}
1993
1994static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1995{
1996 struct avc_audit_data ad;
1997 int rc;
1998
1999 rc = superblock_doinit(sb, data);
2000 if (rc)
2001 return rc;
2002
2003 AVC_AUDIT_DATA_INIT(&ad,FS);
2004 ad.u.fs.dentry = sb->s_root;
2005 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2006}
2007
726c3342 2008static int selinux_sb_statfs(struct dentry *dentry)
1da177e4
LT		 2009{
2010 struct avc_audit_data ad;
2011
2012 AVC_AUDIT_DATA_INIT(&ad,FS);
726c3342
DH		 2013 ad.u.fs.dentry = dentry->d_sb->s_root;
2014 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2015}
2016
2017static int selinux_mount(char * dev_name,
2018 struct nameidata *nd,
2019 char * type,
2020 unsigned long flags,
2021 void * data)
2022{
2023 int rc;
2024
2025 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2026 if (rc)
2027 return rc;
2028
2029 if (flags & MS_REMOUNT)
2030 return superblock_has_perm(current, nd->mnt->mnt_sb,
2031 FILESYSTEM__REMOUNT, NULL);
2032 else
2033 return dentry_has_perm(current, nd->mnt, nd->dentry,
2034 FILE__MOUNTON);
2035}
2036
2037static int selinux_umount(struct vfsmount *mnt, int flags)
2038{
2039 int rc;
2040
2041 rc = secondary_ops->sb_umount(mnt, flags);
2042 if (rc)
2043 return rc;
2044
2045 return superblock_has_perm(current,mnt->mnt_sb,
2046 FILESYSTEM__UNMOUNT,NULL);
2047}
2048
2049/* inode security operations */
2050
2051static int selinux_inode_alloc_security(struct inode *inode)
2052{
2053 return inode_alloc_security(inode);
2054}
2055
2056static void selinux_inode_free_security(struct inode *inode)
2057{
2058 inode_free_security(inode);
2059}
2060
5e41ff9e
SS		 2061static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2062 char **name, void **value,
2063 size_t *len)
2064{
2065 struct task_security_struct *tsec;
2066 struct inode_security_struct *dsec;
2067 struct superblock_security_struct *sbsec;
570bc1c2 2068 u32 newsid, clen;
5e41ff9e 2069 int rc;
570bc1c2 2070 char *namep = NULL, *context;
5e41ff9e
SS		 2071
2072 tsec = current->security;
2073 dsec = dir->i_security;
2074 sbsec = dir->i_sb->s_security;
5e41ff9e
SS		 2075
2076 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2077 newsid = tsec->create_sid;
2078 } else {
2079 rc = security_transition_sid(tsec->sid, dsec->sid,
2080 inode_mode_to_security_class(inode->i_mode),
2081 &newsid);
2082 if (rc) {
2083 printk(KERN_WARNING "%s: "
2084 "security_transition_sid failed, rc=%d (dev=%s "
2085 "ino=%ld)\n",
2086 __FUNCTION__,
2087 -rc, inode->i_sb->s_id, inode->i_ino);
2088 return rc;
2089 }
2090 }
2091
2092 inode_security_set_sid(inode, newsid);
2093
8aad3875 2094 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
25a74f3b
SS		 2095 return -EOPNOTSUPP;
2096
570bc1c2
SS		 2097 if (name) {
2098 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2099 if (!namep)
2100 return -ENOMEM;
2101 *name = namep;
2102 }
5e41ff9e 2103
570bc1c2
SS		 2104 if (value && len) {
2105 rc = security_sid_to_context(newsid, &context, &clen);
2106 if (rc) {
2107 kfree(namep);
2108 return rc;
2109 }
2110 *value = context;
2111 *len = clen;
5e41ff9e 2112 }
5e41ff9e 2113
5e41ff9e
SS		 2114 return 0;
2115}
2116
1da177e4
LT		 2117static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2118{
2119 return may_create(dir, dentry, SECCLASS_FILE);
2120}
2121
1da177e4
LT		 2122static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2123{
2124 int rc;
2125
2126 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2127 if (rc)
2128 return rc;
2129 return may_link(dir, old_dentry, MAY_LINK);
2130}
2131
1da177e4
LT		 2132static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2133{
2134 int rc;
2135
2136 rc = secondary_ops->inode_unlink(dir, dentry);
2137 if (rc)
2138 return rc;
2139 return may_link(dir, dentry, MAY_UNLINK);
2140}
2141
2142static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2143{
2144 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2145}
2146
1da177e4
LT		 2147static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2148{
2149 return may_create(dir, dentry, SECCLASS_DIR);
2150}
2151
1da177e4
LT		 2152static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2153{
2154 return may_link(dir, dentry, MAY_RMDIR);
2155}
2156
2157static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2158{
2159 int rc;
2160
2161 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2162 if (rc)
2163 return rc;
2164
2165 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2166}
2167
1da177e4
LT		 2168static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2169 struct inode *new_inode, struct dentry *new_dentry)
2170{
2171 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2172}
2173
1da177e4
LT		 2174static int selinux_inode_readlink(struct dentry *dentry)
2175{
2176 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2177}
2178
2179static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2180{
2181 int rc;
2182
2183 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2184 if (rc)
2185 return rc;
2186 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2187}
2188
2189static int selinux_inode_permission(struct inode *inode, int mask,
2190 struct nameidata *nd)
2191{
2192 int rc;
2193
2194 rc = secondary_ops->inode_permission(inode, mask, nd);
2195 if (rc)
2196 return rc;
2197
2198 if (!mask) {
2199 /* No permission to check. Existence test. */
2200 return 0;
2201 }
2202
2203 return inode_has_perm(current, inode,
2204 file_mask_to_av(inode->i_mode, mask), NULL);
2205}
2206
2207static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2208{
2209 int rc;
2210
2211 rc = secondary_ops->inode_setattr(dentry, iattr);
2212 if (rc)
2213 return rc;
2214
2215 if (iattr->ia_valid & ATTR_FORCE)
2216 return 0;
2217
2218 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2219 ATTR_ATIME_SET | ATTR_MTIME_SET))
2220 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2221
2222 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2223}
2224
2225static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2226{
2227 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2228}
2229
2230static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2231{
2232 struct task_security_struct *tsec = current->security;
2233 struct inode *inode = dentry->d_inode;
2234 struct inode_security_struct *isec = inode->i_security;
2235 struct superblock_security_struct *sbsec;
2236 struct avc_audit_data ad;
2237 u32 newsid;
2238 int rc = 0;
2239
2240 if (strcmp(name, XATTR_NAME_SELINUX)) {
2241 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2242 sizeof XATTR_SECURITY_PREFIX - 1) &&
2243 !capable(CAP_SYS_ADMIN)) {
2244 /* A different attribute in the security namespace.
2245 Restrict to administrator. */
2246 return -EPERM;
2247 }
2248
2249 /* Not an attribute we recognize, so just check the
2250 ordinary setattr permission. */
2251 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2252 }
2253
2254 sbsec = inode->i_sb->s_security;
2255 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2256 return -EOPNOTSUPP;
2257
2258 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2259 return -EPERM;
2260
2261 AVC_AUDIT_DATA_INIT(&ad,FS);
2262 ad.u.fs.dentry = dentry;
2263
2264 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2265 FILE__RELABELFROM, &ad);
2266 if (rc)
2267 return rc;
2268
2269 rc = security_context_to_sid(value, size, &newsid);
2270 if (rc)
2271 return rc;
2272
2273 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2274 FILE__RELABELTO, &ad);
2275 if (rc)
2276 return rc;
2277
2278 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2279 isec->sclass);
2280 if (rc)
2281 return rc;
2282
2283 return avc_has_perm(newsid,
2284 sbsec->sid,
2285 SECCLASS_FILESYSTEM,
2286 FILESYSTEM__ASSOCIATE,
2287 &ad);
2288}
2289
2290static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2291 void *value, size_t size, int flags)
2292{
2293 struct inode *inode = dentry->d_inode;
2294 struct inode_security_struct *isec = inode->i_security;
2295 u32 newsid;
2296 int rc;
2297
2298 if (strcmp(name, XATTR_NAME_SELINUX)) {
2299 /* Not an attribute we recognize, so nothing to do. */
2300 return;
2301 }
2302
2303 rc = security_context_to_sid(value, size, &newsid);
2304 if (rc) {
2305 printk(KERN_WARNING "%s: unable to obtain SID for context "
2306 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2307 return;
2308 }
2309
2310 isec->sid = newsid;
2311 return;
2312}
2313
2314static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2315{
1da177e4
LT		 2316 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2317}
2318
2319static int selinux_inode_listxattr (struct dentry *dentry)
2320{
2321 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2322}
2323
2324static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2325{
2326 if (strcmp(name, XATTR_NAME_SELINUX)) {
2327 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2328 sizeof XATTR_SECURITY_PREFIX - 1) &&
2329 !capable(CAP_SYS_ADMIN)) {
2330 /* A different attribute in the security namespace.
2331 Restrict to administrator. */
2332 return -EPERM;
2333 }
2334
2335 /* Not an attribute we recognize, so just check the
2336 ordinary setattr permission. Might want a separate
2337 permission for removexattr. */
2338 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2339 }
2340
2341 /* No one is allowed to remove a SELinux security label.
2342 You can change the label, but all data must be labeled. */
2343 return -EACCES;
2344}
2345
8c8570fb
DK		 2346static const char *selinux_inode_xattr_getsuffix(void)
2347{
2348 return XATTR_SELINUX_SUFFIX;
2349}
2350
d381d8a9
JM		 2351/*
2352 * Copy the in-core inode security context value to the user. If the
2353 * getxattr() prior to this succeeded, check to see if we need to
2354 * canonicalize the value to be finally returned to the user.
2355 *
2356 * Permission check is handled by selinux_inode_getxattr hook.
2357 */
7306a0b9 2358static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
1da177e4
LT		 2359{
2360 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2361
8c8570fb
DK		 2362 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2363 return -EOPNOTSUPP;
d381d8a9 2364
8c8570fb 2365 return selinux_getsecurity(isec->sid, buffer, size);
1da177e4
LT		 2366}
2367
2368static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2369 const void *value, size_t size, int flags)
2370{
2371 struct inode_security_struct *isec = inode->i_security;
2372 u32 newsid;
2373 int rc;
2374
2375 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2376 return -EOPNOTSUPP;
2377
2378 if (!value || !size)
2379 return -EACCES;
2380
2381 rc = security_context_to_sid((void*)value, size, &newsid);
2382 if (rc)
2383 return rc;
2384
2385 isec->sid = newsid;
2386 return 0;
2387}
2388
2389static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2390{
2391 const int len = sizeof(XATTR_NAME_SELINUX);
2392 if (buffer && len <= buffer_size)
2393 memcpy(buffer, XATTR_NAME_SELINUX, len);
2394 return len;
2395}
2396
2397/* file security operations */
2398
2399static int selinux_file_permission(struct file *file, int mask)
2400{
7420ed23 2401 int rc;
1da177e4
LT		 2402 struct inode *inode = file->f_dentry->d_inode;
2403
2404 if (!mask) {
2405 /* No permission to check. Existence test. */
2406 return 0;
2407 }
2408
2409 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2410 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2411 mask |= MAY_APPEND;
2412
7420ed23
VY		 2413 rc = file_has_perm(current, file,
2414 file_mask_to_av(inode->i_mode, mask));
2415 if (rc)
2416 return rc;
2417
2418 return selinux_netlbl_inode_permission(inode, mask);
1da177e4
LT		 2419}
2420
2421static int selinux_file_alloc_security(struct file *file)
2422{
2423 return file_alloc_security(file);
2424}
2425
2426static void selinux_file_free_security(struct file *file)
2427{
2428 file_free_security(file);
2429}
2430
2431static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2432 unsigned long arg)
2433{
2434 int error = 0;
2435
2436 switch (cmd) {
2437 case FIONREAD:
2438 /* fall through */
2439 case FIBMAP:
2440 /* fall through */
2441 case FIGETBSZ:
2442 /* fall through */
2443 case EXT2_IOC_GETFLAGS:
2444 /* fall through */
2445 case EXT2_IOC_GETVERSION:
2446 error = file_has_perm(current, file, FILE__GETATTR);
2447 break;
2448
2449 case EXT2_IOC_SETFLAGS:
2450 /* fall through */
2451 case EXT2_IOC_SETVERSION:
2452 error = file_has_perm(current, file, FILE__SETATTR);
2453 break;
2454
2455 /* sys_ioctl() checks */
2456 case FIONBIO:
2457 /* fall through */
2458 case FIOASYNC:
2459 error = file_has_perm(current, file, 0);
2460 break;
2461
2462 case KDSKBENT:
2463 case KDSKBSENT:
2464 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2465 break;
2466
2467 /* default case assumes that the command will go
2468 * to the file's ioctl() function.
2469 */
2470 default:
2471 error = file_has_perm(current, file, FILE__IOCTL);
2472
2473 }
2474 return error;
2475}
2476
2477static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2478{
2479#ifndef CONFIG_PPC32
2480 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2481 /*
2482 * We are making executable an anonymous mapping or a
2483 * private file mapping that will also be writable.
2484 * This has an additional check.
2485 */
2486 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2487 if (rc)
2488 return rc;
2489 }
2490#endif
2491
2492 if (file) {
2493 /* read access is always possible with a mapping */
2494 u32 av = FILE__READ;
2495
2496 /* write access only matters if the mapping is shared */
2497 if (shared && (prot & PROT_WRITE))
2498 av |= FILE__WRITE;
2499
2500 if (prot & PROT_EXEC)
2501 av |= FILE__EXECUTE;
2502
2503 return file_has_perm(current, file, av);
2504 }
2505 return 0;
2506}
2507
2508static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2509 unsigned long prot, unsigned long flags)
2510{
2511 int rc;
2512
2513 rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2514 if (rc)
2515 return rc;
2516
2517 if (selinux_checkreqprot)
2518 prot = reqprot;
2519
2520 return file_map_prot_check(file, prot,
2521 (flags & MAP_TYPE) == MAP_SHARED);
2522}
2523
2524static int selinux_file_mprotect(struct vm_area_struct *vma,
2525 unsigned long reqprot,
2526 unsigned long prot)
2527{
2528 int rc;
2529
2530 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2531 if (rc)
2532 return rc;
2533
2534 if (selinux_checkreqprot)
2535 prot = reqprot;
2536
2537#ifndef CONFIG_PPC32
db4c9641
SS		 2538 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2539 rc = 0;
2540 if (vma->vm_start >= vma->vm_mm->start_brk &&
2541 vma->vm_end <= vma->vm_mm->brk) {
2542 rc = task_has_perm(current, current,
2543 PROCESS__EXECHEAP);
2544 } else if (!vma->vm_file &&
2545 vma->vm_start <= vma->vm_mm->start_stack &&
2546 vma->vm_end >= vma->vm_mm->start_stack) {
2547 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2548 } else if (vma->vm_file && vma->anon_vma) {
2549 /*
2550 * We are making executable a file mapping that has
2551 * had some COW done. Since pages might have been
2552 * written, check ability to execute the possibly
2553 * modified content. This typically should only
2554 * occur for text relocations.
2555 */
2556 rc = file_has_perm(current, vma->vm_file,
2557 FILE__EXECMOD);
2558 }