projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge branch 'master' of git://git.infradead.org/users/eparis/selinux into next
[deliverable/linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4
PM		 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul.moore@hp.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4 26#include <linux/init.h>
0b24dcb7 27#include <linux/kd.h>
1da177e4 28#include <linux/kernel.h>
0d094efe 29#include <linux/tracehook.h>
1da177e4 30#include <linux/errno.h>
0b24dcb7 31#include <linux/ext2_fs.h>
1da177e4
LT		 32#include <linux/sched.h>
33#include <linux/security.h>
34#include <linux/xattr.h>
35#include <linux/capability.h>
36#include <linux/unistd.h>
37#include <linux/mm.h>
38#include <linux/mman.h>
39#include <linux/slab.h>
40#include <linux/pagemap.h>
0b24dcb7 41#include <linux/proc_fs.h>
1da177e4 42#include <linux/swap.h>
1da177e4
LT		 43#include <linux/spinlock.h>
44#include <linux/syscalls.h>
2a7dba39 45#include <linux/dcache.h>
1da177e4 46#include <linux/file.h>
9f3acc31 47#include <linux/fdtable.h>
1da177e4
LT		 48#include <linux/namei.h>
49#include <linux/mount.h>
1da177e4
LT		 50#include <linux/netfilter_ipv4.h>
51#include <linux/netfilter_ipv6.h>
52#include <linux/tty.h>
53#include <net/icmp.h>
227b60f5 54#include <net/ip.h> /* for local_port_range[] */
1da177e4 55#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
220deb96 56#include <net/net_namespace.h>
d621d35e 57#include <net/netlabel.h>
f5269710 58#include <linux/uaccess.h>
1da177e4 59#include <asm/ioctls.h>
d621d35e 60#include <asm/atomic.h>
1da177e4
LT		 61#include <linux/bitops.h>
62#include <linux/interrupt.h>
63#include <linux/netdevice.h> /* for network interface checks */
64#include <linux/netlink.h>
65#include <linux/tcp.h>
66#include <linux/udp.h>
2ee92d46 67#include <linux/dccp.h>
1da177e4
LT		 68#include <linux/quota.h>
69#include <linux/un.h> /* for Unix socket types */
70#include <net/af_unix.h> /* for Unix socket types */
71#include <linux/parser.h>
72#include <linux/nfs_mount.h>
73#include <net/ipv6.h>
74#include <linux/hugetlb.h>
75#include <linux/personality.h>
1da177e4 76#include <linux/audit.h>
6931dfc9 77#include <linux/string.h>
877ce7c1 78#include <linux/selinux.h>
23970741 79#include <linux/mutex.h>
f06febc9 80#include <linux/posix-timers.h>
00234592 81#include <linux/syslog.h>
1da177e4
LT		 82
83#include "avc.h"
84#include "objsec.h"
85#include "netif.h"
224dfbd8 86#include "netnode.h"
3e112172 87#include "netport.h"
d28d1e08 88#include "xfrm.h"
c60475bf 89#include "netlabel.h"
9d57a7f9 90#include "audit.h"
1da177e4 91
11689d47 92#define NUM_SEL_MNT_OPTS 5
c9180a57 93
1da177e4 94extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
20510f2f 95extern struct security_operations *security_ops;
1da177e4 96
d621d35e
PM		 97/* SECMARK reference count */
98atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99
1da177e4 100#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 101int selinux_enforcing;
1da177e4
LT		 102
103static int __init enforcing_setup(char *str)
104{
f5269710
EP		 105 unsigned long enforcing;
106 if (!strict_strtoul(str, 0, &enforcing))
107 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 108 return 1;
109}
110__setup("enforcing=", enforcing_setup);
111#endif
112
113#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116static int __init selinux_enabled_setup(char *str)
117{
f5269710
EP		 118 unsigned long enabled;
119 if (!strict_strtoul(str, 0, &enabled))
120 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 121 return 1;
122}
123__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 124#else
125int selinux_enabled = 1;
1da177e4
LT		 126#endif
127
e18b890b 128static struct kmem_cache *sel_inode_cache;
7cae7e26 129
d621d35e
PM		 130/**
131 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
132 *
133 * Description:
134 * This function checks the SECMARK reference counter to see if any SECMARK
135 * targets are currently configured, if the reference counter is greater than
136 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
137 * enabled, false (0) if SECMARK is disabled.
138 *
139 */
140static int selinux_secmark_enabled(void)
141{
142 return (atomic_read(&selinux_secmark_refcount) > 0);
143}
144
d84f4f99
DH		 145/*
146 * initialise the security for the init task
147 */
148static void cred_init_security(void)
1da177e4 149{
3b11a1de 150 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 151 struct task_security_struct *tsec;
152
89d155ef 153 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 154 if (!tsec)
d84f4f99 155 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 156
d84f4f99 157 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 158 cred->security = tsec;
1da177e4
LT		 159}
160
88e67f3b
DH		 161/*
162 * get the security ID of a set of credentials
163 */
164static inline u32 cred_sid(const struct cred *cred)
165{
166 const struct task_security_struct *tsec;
167
168 tsec = cred->security;
169 return tsec->sid;
170}
171
275bb41e 172/*
3b11a1de 173 * get the objective security ID of a task
275bb41e
DH		 174 */
175static inline u32 task_sid(const struct task_struct *task)
176{
275bb41e
DH		 177 u32 sid;
178
179 rcu_read_lock();
88e67f3b 180 sid = cred_sid(__task_cred(task));
275bb41e
DH		 181 rcu_read_unlock();
182 return sid;
183}
184
185/*
3b11a1de 186 * get the subjective security ID of the current task
275bb41e
DH		 187 */
188static inline u32 current_sid(void)
189{
5fb49870 190 const struct task_security_struct *tsec = current_security();
275bb41e
DH		 191
192 return tsec->sid;
193}
194
88e67f3b
DH		 195/* Allocate and free functions for each kind of security blob. */
196
1da177e4
LT		 197static int inode_alloc_security(struct inode *inode)
198{
1da177e4 199 struct inode_security_struct *isec;
275bb41e 200 u32 sid = current_sid();
1da177e4 201
a02fe132 202 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 203 if (!isec)
204 return -ENOMEM;
205
23970741 206 mutex_init(&isec->lock);
1da177e4 207 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 208 isec->inode = inode;
209 isec->sid = SECINITSID_UNLABELED;
210 isec->sclass = SECCLASS_FILE;
275bb41e 211 isec->task_sid = sid;
1da177e4
LT		 212 inode->i_security = isec;
213
214 return 0;
215}
216
217static void inode_free_security(struct inode *inode)
218{
219 struct inode_security_struct *isec = inode->i_security;
220 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
221
1da177e4
LT		 222 spin_lock(&sbsec->isec_lock);
223 if (!list_empty(&isec->list))
224 list_del_init(&isec->list);
225 spin_unlock(&sbsec->isec_lock);
226
227 inode->i_security = NULL;
7cae7e26 228 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 229}
230
231static int file_alloc_security(struct file *file)
232{
1da177e4 233 struct file_security_struct *fsec;
275bb41e 234 u32 sid = current_sid();
1da177e4 235
26d2a4be 236 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 237 if (!fsec)
238 return -ENOMEM;
239
275bb41e
DH		 240 fsec->sid = sid;
241 fsec->fown_sid = sid;
1da177e4
LT		 242 file->f_security = fsec;
243
244 return 0;
245}
246
247static void file_free_security(struct file *file)
248{
249 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 250 file->f_security = NULL;
251 kfree(fsec);
252}
253
254static int superblock_alloc_security(struct super_block *sb)
255{
256 struct superblock_security_struct *sbsec;
257
89d155ef 258 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 259 if (!sbsec)
260 return -ENOMEM;
261
bc7e982b 262 mutex_init(&sbsec->lock);
1da177e4
LT		 263 INIT_LIST_HEAD(&sbsec->isec_head);
264 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 265 sbsec->sb = sb;
266 sbsec->sid = SECINITSID_UNLABELED;
267 sbsec->def_sid = SECINITSID_FILE;
c312feb2 268 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 269 sb->s_security = sbsec;
270
271 return 0;
272}
273
274static void superblock_free_security(struct super_block *sb)
275{
276 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 277 sb->s_security = NULL;
278 kfree(sbsec);
279}
280
1da177e4
LT		 281/* The security server must be initialized before
282 any labeling or access decisions can be provided. */
283extern int ss_initialized;
284
285/* The file system's label must be initialized prior to use. */
286
634a539e 287static const char *labeling_behaviors[6] = {
1da177e4
LT		 288 "uses xattr",
289 "uses transition SIDs",
290 "uses task SIDs",
291 "uses genfs_contexts",
292 "not configured for labeling",
293 "uses mountpoint labeling",
294};
295
296static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
297
298static inline int inode_doinit(struct inode *inode)
299{
300 return inode_doinit_with_dentry(inode, NULL);
301}
302
303enum {
31e87930 304 Opt_error = -1,
1da177e4
LT		 305 Opt_context = 1,
306 Opt_fscontext = 2,
c9180a57
EP		 307 Opt_defcontext = 3,
308 Opt_rootcontext = 4,
11689d47 309 Opt_labelsupport = 5,
1da177e4
LT		 310};
311
a447c093 312static const match_table_t tokens = {
832cbd9a
EP		 313 {Opt_context, CONTEXT_STR "%s"},
314 {Opt_fscontext, FSCONTEXT_STR "%s"},
315 {Opt_defcontext, DEFCONTEXT_STR "%s"},
316 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 317 {Opt_labelsupport, LABELSUPP_STR},
31e87930 318 {Opt_error, NULL},
1da177e4
LT		 319};
320
321#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
322
c312feb2
EP		 323static int may_context_mount_sb_relabel(u32 sid,
324 struct superblock_security_struct *sbsec,
275bb41e 325 const struct cred *cred)
c312feb2 326{
275bb41e 327 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 328 int rc;
329
330 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
331 FILESYSTEM__RELABELFROM, NULL);
332 if (rc)
333 return rc;
334
335 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
336 FILESYSTEM__RELABELTO, NULL);
337 return rc;
338}
339
0808925e
EP		 340static int may_context_mount_inode_relabel(u32 sid,
341 struct superblock_security_struct *sbsec,
275bb41e 342 const struct cred *cred)
0808925e 343{
275bb41e 344 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 345 int rc;
346 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
347 FILESYSTEM__RELABELFROM, NULL);
348 if (rc)
349 return rc;
350
351 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
352 FILESYSTEM__ASSOCIATE, NULL);
353 return rc;
354}
355
c9180a57 356static int sb_finish_set_opts(struct super_block *sb)
1da177e4 357{
1da177e4 358 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 359 struct dentry *root = sb->s_root;
360 struct inode *root_inode = root->d_inode;
361 int rc = 0;
1da177e4 362
c9180a57
EP		 363 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
364 /* Make sure that the xattr handler exists and that no
365 error other than -ENODATA is returned by getxattr on
366 the root directory. -ENODATA is ok, as this may be
367 the first boot of the SELinux kernel before we have
368 assigned xattr values to the filesystem. */
369 if (!root_inode->i_op->getxattr) {
370 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
371 "xattr support\n", sb->s_id, sb->s_type->name);
372 rc = -EOPNOTSUPP;
373 goto out;
374 }
375 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
376 if (rc < 0 && rc != -ENODATA) {
377 if (rc == -EOPNOTSUPP)
378 printk(KERN_WARNING "SELinux: (dev %s, type "
379 "%s) has no security xattr handler\n",
380 sb->s_id, sb->s_type->name);
381 else
382 printk(KERN_WARNING "SELinux: (dev %s, type "
383 "%s) getxattr errno %d\n", sb->s_id,
384 sb->s_type->name, -rc);
385 goto out;
386 }
387 }
1da177e4 388
11689d47 389 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
1da177e4 390
c9180a57
EP		 391 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
392 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
393 sb->s_id, sb->s_type->name);
394 else
395 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
396 sb->s_id, sb->s_type->name,
397 labeling_behaviors[sbsec->behavior-1]);
1da177e4 398
11689d47
DQ		 399 if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
400 sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
401 sbsec->behavior == SECURITY_FS_USE_NONE ||
402 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403 sbsec->flags &= ~SE_SBLABELSUPP;
404
ddd29ec6
DQ		 405 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
406 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
407 sbsec->flags |= SE_SBLABELSUPP;
408
c9180a57
EP		 409 /* Initialize the root inode. */
410 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 411
c9180a57
EP		 412 /* Initialize any other inodes associated with the superblock, e.g.
413 inodes created prior to initial policy load or inodes created
414 during get_sb by a pseudo filesystem that directly
415 populates itself. */
416 spin_lock(&sbsec->isec_lock);
417next_inode:
418 if (!list_empty(&sbsec->isec_head)) {
419 struct inode_security_struct *isec =
420 list_entry(sbsec->isec_head.next,
421 struct inode_security_struct, list);
422 struct inode *inode = isec->inode;
423 spin_unlock(&sbsec->isec_lock);
424 inode = igrab(inode);
425 if (inode) {
426 if (!IS_PRIVATE(inode))
427 inode_doinit(inode);
428 iput(inode);
429 }
430 spin_lock(&sbsec->isec_lock);
431 list_del_init(&isec->list);
432 goto next_inode;
433 }
434 spin_unlock(&sbsec->isec_lock);
435out:
436 return rc;
437}
1da177e4 438
c9180a57
EP		 439/*
440 * This function should allow an FS to ask what it's mount security
441 * options were so it can use those later for submounts, displaying
442 * mount options, or whatever.
443 */
444static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 445 struct security_mnt_opts *opts)
c9180a57
EP		 446{
447 int rc = 0, i;
448 struct superblock_security_struct *sbsec = sb->s_security;
449 char *context = NULL;
450 u32 len;
451 char tmp;
1da177e4 452
e0007529 453 security_init_mnt_opts(opts);
1da177e4 454
0d90a7ec 455 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 456 return -EINVAL;
1da177e4 457
c9180a57
EP		 458 if (!ss_initialized)
459 return -EINVAL;
1da177e4 460
0d90a7ec 461 tmp = sbsec->flags & SE_MNTMASK;
c9180a57
EP		 462 /* count the number of mount options for this sb */
463 for (i = 0; i < 8; i++) {
464 if (tmp & 0x01)
e0007529 465 opts->num_mnt_opts++;
c9180a57
EP		 466 tmp >>= 1;
467 }
11689d47
DQ		 468 /* Check if the Label support flag is set */
469 if (sbsec->flags & SE_SBLABELSUPP)
470 opts->num_mnt_opts++;
1da177e4 471
e0007529
EP		 472 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
473 if (!opts->mnt_opts) {
c9180a57
EP		 474 rc = -ENOMEM;
475 goto out_free;
476 }
1da177e4 477
e0007529
EP		 478 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
479 if (!opts->mnt_opts_flags) {
c9180a57
EP		 480 rc = -ENOMEM;
481 goto out_free;
482 }
1da177e4 483
c9180a57
EP		 484 i = 0;
485 if (sbsec->flags & FSCONTEXT_MNT) {
486 rc = security_sid_to_context(sbsec->sid, &context, &len);
487 if (rc)
488 goto out_free;
e0007529
EP		 489 opts->mnt_opts[i] = context;
490 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 491 }
492 if (sbsec->flags & CONTEXT_MNT) {
493 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
494 if (rc)
495 goto out_free;
e0007529
EP		 496 opts->mnt_opts[i] = context;
497 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 498 }
499 if (sbsec->flags & DEFCONTEXT_MNT) {
500 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
501 if (rc)
502 goto out_free;
e0007529
EP		 503 opts->mnt_opts[i] = context;
504 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 505 }
506 if (sbsec->flags & ROOTCONTEXT_MNT) {
507 struct inode *root = sbsec->sb->s_root->d_inode;
508 struct inode_security_struct *isec = root->i_security;
0808925e 509
c9180a57
EP		 510 rc = security_sid_to_context(isec->sid, &context, &len);
511 if (rc)
512 goto out_free;
e0007529
EP		 513 opts->mnt_opts[i] = context;
514 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 515 }
11689d47
DQ		 516 if (sbsec->flags & SE_SBLABELSUPP) {
517 opts->mnt_opts[i] = NULL;
518 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
519 }
1da177e4 520
e0007529 521 BUG_ON(i != opts->num_mnt_opts);
1da177e4 522
c9180a57
EP		 523 return 0;
524
525out_free:
e0007529 526 security_free_mnt_opts(opts);
c9180a57
EP		 527 return rc;
528}
1da177e4 529
c9180a57
EP		 530static int bad_option(struct superblock_security_struct *sbsec, char flag,
531 u32 old_sid, u32 new_sid)
532{
0d90a7ec
DQ		 533 char mnt_flags = sbsec->flags & SE_MNTMASK;
534
c9180a57 535 /* check if the old mount command had the same options */
0d90a7ec 536 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 537 if (!(sbsec->flags & flag) ||
538 (old_sid != new_sid))
539 return 1;
540
541 /* check if we were passed the same options twice,
542 * aka someone passed context=a,context=b
543 */
0d90a7ec
DQ		 544 if (!(sbsec->flags & SE_SBINITIALIZED))
545 if (mnt_flags & flag)
c9180a57
EP		 546 return 1;
547 return 0;
548}
e0007529 549
c9180a57
EP		 550/*
551 * Allow filesystems with binary mount data to explicitly set mount point
552 * labeling information.
553 */
e0007529
EP		 554static int selinux_set_mnt_opts(struct super_block *sb,
555 struct security_mnt_opts *opts)
c9180a57 556{
275bb41e 557 const struct cred *cred = current_cred();
c9180a57 558 int rc = 0, i;
c9180a57
EP		 559 struct superblock_security_struct *sbsec = sb->s_security;
560 const char *name = sb->s_type->name;
089be43e
JM		 561 struct inode *inode = sbsec->sb->s_root->d_inode;
562 struct inode_security_struct *root_isec = inode->i_security;
c9180a57
EP		 563 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
564 u32 defcontext_sid = 0;
e0007529
EP		 565 char **mount_options = opts->mnt_opts;
566 int *flags = opts->mnt_opts_flags;
567 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 568
569 mutex_lock(&sbsec->lock);
570
571 if (!ss_initialized) {
572 if (!num_opts) {
573 /* Defer initialization until selinux_complete_init,
574 after the initial policy is loaded and the security
575 server is ready to handle calls. */
c9180a57
EP		 576 goto out;
577 }
578 rc = -EINVAL;
744ba35e
EP		 579 printk(KERN_WARNING "SELinux: Unable to set superblock options "
580 "before the security server is initialized\n");
1da177e4 581 goto out;
c9180a57 582 }
1da177e4 583
e0007529
EP		 584 /*
585 * Binary mount data FS will come through this function twice. Once
586 * from an explicit call and once from the generic calls from the vfs.
587 * Since the generic VFS calls will not contain any security mount data
588 * we need to skip the double mount verification.
589 *
590 * This does open a hole in which we will not notice if the first
591 * mount using this sb set explict options and a second mount using
592 * this sb does not set any security options. (The first options
593 * will be used for both mounts)
594 */
0d90a7ec 595 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 596 && (num_opts == 0))
f5269710 597 goto out;
e0007529 598
c9180a57
EP		 599 /*
600 * parse the mount options, check if they are valid sids.
601 * also check if someone is trying to mount the same sb more
602 * than once with different security options.
603 */
604 for (i = 0; i < num_opts; i++) {
605 u32 sid;
11689d47
DQ		 606
607 if (flags[i] == SE_SBLABELSUPP)
608 continue;
c9180a57
EP		 609 rc = security_context_to_sid(mount_options[i],
610 strlen(mount_options[i]), &sid);
1da177e4
LT		 611 if (rc) {
612 printk(KERN_WARNING "SELinux: security_context_to_sid"
613 "(%s) failed for (dev %s, type %s) errno=%d\n",
c9180a57
EP		 614 mount_options[i], sb->s_id, name, rc);
615 goto out;
616 }
617 switch (flags[i]) {
618 case FSCONTEXT_MNT:
619 fscontext_sid = sid;
620
621 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
622 fscontext_sid))
623 goto out_double_mount;
624
625 sbsec->flags |= FSCONTEXT_MNT;
626 break;
627 case CONTEXT_MNT:
628 context_sid = sid;
629
630 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
631 context_sid))
632 goto out_double_mount;
633
634 sbsec->flags |= CONTEXT_MNT;
635 break;
636 case ROOTCONTEXT_MNT:
637 rootcontext_sid = sid;
638
639 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
640 rootcontext_sid))
641 goto out_double_mount;
642
643 sbsec->flags |= ROOTCONTEXT_MNT;
644
645 break;
646 case DEFCONTEXT_MNT:
647 defcontext_sid = sid;
648
649 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
650 defcontext_sid))
651 goto out_double_mount;
652
653 sbsec->flags |= DEFCONTEXT_MNT;
654
655 break;
656 default:
657 rc = -EINVAL;
658 goto out;
1da177e4 659 }
c9180a57
EP		 660 }
661
0d90a7ec 662 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 663 /* previously mounted with options, but not on this attempt? */
0d90a7ec 664 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 665 goto out_double_mount;
666 rc = 0;
667 goto out;
668 }
669
089be43e 670 if (strcmp(sb->s_type->name, "proc") == 0)
0d90a7ec 671 sbsec->flags |= SE_SBPROC;
c9180a57
EP		 672
673 /* Determine the labeling behavior to use for this filesystem type. */
0d90a7ec 674 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
c9180a57
EP		 675 if (rc) {
676 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
089be43e 677 __func__, sb->s_type->name, rc);
c9180a57
EP		 678 goto out;
679 }
1da177e4 680
c9180a57
EP		 681 /* sets the context of the superblock for the fs being mounted. */
682 if (fscontext_sid) {
275bb41e 683 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 684 if (rc)
c9180a57 685 goto out;
1da177e4 686
c9180a57 687 sbsec->sid = fscontext_sid;
c312feb2
EP		 688 }
689
690 /*
691 * Switch to using mount point labeling behavior.
692 * sets the label used on all file below the mountpoint, and will set
693 * the superblock context if not already set.
694 */
c9180a57
EP		 695 if (context_sid) {
696 if (!fscontext_sid) {
275bb41e
DH		 697 rc = may_context_mount_sb_relabel(context_sid, sbsec,
698 cred);
b04ea3ce 699 if (rc)
c9180a57
EP		 700 goto out;
701 sbsec->sid = context_sid;
b04ea3ce 702 } else {
275bb41e
DH		 703 rc = may_context_mount_inode_relabel(context_sid, sbsec,
704 cred);
b04ea3ce 705 if (rc)
c9180a57 706 goto out;
b04ea3ce 707 }
c9180a57
EP		 708 if (!rootcontext_sid)
709 rootcontext_sid = context_sid;
1da177e4 710
c9180a57 711 sbsec->mntpoint_sid = context_sid;
c312feb2 712 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 713 }
714
c9180a57 715 if (rootcontext_sid) {
275bb41e
DH		 716 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
717 cred);
0808925e 718 if (rc)
c9180a57 719 goto out;
0808925e 720
c9180a57
EP		 721 root_isec->sid = rootcontext_sid;
722 root_isec->initialized = 1;
0808925e
EP		 723 }
724
c9180a57
EP		 725 if (defcontext_sid) {
726 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
727 rc = -EINVAL;
728 printk(KERN_WARNING "SELinux: defcontext option is "
729 "invalid for this filesystem type\n");
730 goto out;
1da177e4
LT		 731 }
732
c9180a57
EP		 733 if (defcontext_sid != sbsec->def_sid) {
734 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 735 sbsec, cred);
c9180a57
EP		 736 if (rc)
737 goto out;
738 }
1da177e4 739
c9180a57 740 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 741 }
742
c9180a57 743 rc = sb_finish_set_opts(sb);
1da177e4 744out:
c9180a57 745 mutex_unlock(&sbsec->lock);
1da177e4 746 return rc;
c9180a57
EP		 747out_double_mount:
748 rc = -EINVAL;
749 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
750 "security settings for (dev %s, type %s)\n", sb->s_id, name);
751 goto out;
1da177e4
LT		 752}
753
c9180a57
EP		 754static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
755 struct super_block *newsb)
1da177e4 756{
c9180a57
EP		 757 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
758 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 759
c9180a57
EP		 760 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
761 int set_context = (oldsbsec->flags & CONTEXT_MNT);
762 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 763
0f5e6420
EP		 764 /*
765 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 766 * mount options. thus we can safely deal with this superblock later
0f5e6420 767 */
e8c26255 768 if (!ss_initialized)
0f5e6420 769 return;
c9180a57 770
c9180a57 771 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 772 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 773
5a552617 774 /* if fs is reusing a sb, just let its options stand... */
0d90a7ec 775 if (newsbsec->flags & SE_SBINITIALIZED)
5a552617
EP		 776 return;
777
c9180a57
EP		 778 mutex_lock(&newsbsec->lock);
779
780 newsbsec->flags = oldsbsec->flags;
781
782 newsbsec->sid = oldsbsec->sid;
783 newsbsec->def_sid = oldsbsec->def_sid;
784 newsbsec->behavior = oldsbsec->behavior;
785
786 if (set_context) {
787 u32 sid = oldsbsec->mntpoint_sid;
788
789 if (!set_fscontext)
790 newsbsec->sid = sid;
791 if (!set_rootcontext) {
792 struct inode *newinode = newsb->s_root->d_inode;
793 struct inode_security_struct *newisec = newinode->i_security;
794 newisec->sid = sid;
795 }
796 newsbsec->mntpoint_sid = sid;
1da177e4 797 }
c9180a57
EP		 798 if (set_rootcontext) {
799 const struct inode *oldinode = oldsb->s_root->d_inode;
800 const struct inode_security_struct *oldisec = oldinode->i_security;
801 struct inode *newinode = newsb->s_root->d_inode;
802 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 803
c9180a57 804 newisec->sid = oldisec->sid;
1da177e4
LT		 805 }
806
c9180a57
EP		 807 sb_finish_set_opts(newsb);
808 mutex_unlock(&newsbsec->lock);
809}
810
2e1479d9
AB		 811static int selinux_parse_opts_str(char *options,
812 struct security_mnt_opts *opts)
c9180a57 813{
e0007529 814 char *p;
c9180a57
EP		 815 char *context = NULL, *defcontext = NULL;
816 char *fscontext = NULL, *rootcontext = NULL;
e0007529 817 int rc, num_mnt_opts = 0;
1da177e4 818
e0007529 819 opts->num_mnt_opts = 0;
1da177e4 820
c9180a57
EP		 821 /* Standard string-based options. */
822 while ((p = strsep(&options, "|")) != NULL) {
823 int token;
824 substring_t args[MAX_OPT_ARGS];
1da177e4 825
c9180a57
EP		 826 if (!*p)
827 continue;
1da177e4 828
c9180a57 829 token = match_token(p, tokens, args);
1da177e4 830
c9180a57
EP		 831 switch (token) {
832 case Opt_context:
833 if (context || defcontext) {
834 rc = -EINVAL;
835 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
836 goto out_err;
837 }
838 context = match_strdup(&args[0]);
839 if (!context) {
840 rc = -ENOMEM;
841 goto out_err;
842 }
843 break;
844
845 case Opt_fscontext:
846 if (fscontext) {
847 rc = -EINVAL;
848 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
849 goto out_err;
850 }
851 fscontext = match_strdup(&args[0]);
852 if (!fscontext) {
853 rc = -ENOMEM;
854 goto out_err;
855 }
856 break;
857
858 case Opt_rootcontext:
859 if (rootcontext) {
860 rc = -EINVAL;
861 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
862 goto out_err;
863 }
864 rootcontext = match_strdup(&args[0]);
865 if (!rootcontext) {
866 rc = -ENOMEM;
867 goto out_err;
868 }
869 break;
870
871 case Opt_defcontext:
872 if (context || defcontext) {
873 rc = -EINVAL;
874 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
875 goto out_err;
876 }
877 defcontext = match_strdup(&args[0]);
878 if (!defcontext) {
879 rc = -ENOMEM;
880 goto out_err;
881 }
882 break;
11689d47
DQ		 883 case Opt_labelsupport:
884 break;
c9180a57
EP		 885 default:
886 rc = -EINVAL;
887 printk(KERN_WARNING "SELinux: unknown mount option\n");
888 goto out_err;
1da177e4 889
1da177e4 890 }
1da177e4 891 }
c9180a57 892
e0007529
EP		 893 rc = -ENOMEM;
894 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
895 if (!opts->mnt_opts)
896 goto out_err;
897
898 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
899 if (!opts->mnt_opts_flags) {
900 kfree(opts->mnt_opts);
901 goto out_err;
902 }
903
c9180a57 904 if (fscontext) {
e0007529
EP		 905 opts->mnt_opts[num_mnt_opts] = fscontext;
906 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 907 }
908 if (context) {
e0007529
EP		 909 opts->mnt_opts[num_mnt_opts] = context;
910 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 911 }
912 if (rootcontext) {
e0007529
EP		 913 opts->mnt_opts[num_mnt_opts] = rootcontext;
914 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 915 }
916 if (defcontext) {
e0007529
EP		 917 opts->mnt_opts[num_mnt_opts] = defcontext;
918 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 919 }
920
e0007529
EP		 921 opts->num_mnt_opts = num_mnt_opts;
922 return 0;
923
c9180a57
EP		 924out_err:
925 kfree(context);
926 kfree(defcontext);
927 kfree(fscontext);
928 kfree(rootcontext);
1da177e4
LT		 929 return rc;
930}
e0007529
EP		 931/*
932 * string mount options parsing and call set the sbsec
933 */
934static int superblock_doinit(struct super_block *sb, void *data)
935{
936 int rc = 0;
937 char *options = data;
938 struct security_mnt_opts opts;
939
940 security_init_mnt_opts(&opts);
941
942 if (!data)
943 goto out;
944
945 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
946
947 rc = selinux_parse_opts_str(options, &opts);
948 if (rc)
949 goto out_err;
950
951out:
952 rc = selinux_set_mnt_opts(sb, &opts);
953
954out_err:
955 security_free_mnt_opts(&opts);
956 return rc;
957}
1da177e4 958
3583a711
AB		 959static void selinux_write_opts(struct seq_file *m,
960 struct security_mnt_opts *opts)
2069f457
EP		 961{
962 int i;
963 char *prefix;
964
965 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 966 char *has_comma;
967
968 if (opts->mnt_opts[i])
969 has_comma = strchr(opts->mnt_opts[i], ',');
970 else
971 has_comma = NULL;
2069f457
EP		 972
973 switch (opts->mnt_opts_flags[i]) {
974 case CONTEXT_MNT:
975 prefix = CONTEXT_STR;
976 break;
977 case FSCONTEXT_MNT:
978 prefix = FSCONTEXT_STR;
979 break;
980 case ROOTCONTEXT_MNT:
981 prefix = ROOTCONTEXT_STR;
982 break;
983 case DEFCONTEXT_MNT:
984 prefix = DEFCONTEXT_STR;
985 break;
11689d47
DQ		 986 case SE_SBLABELSUPP:
987 seq_putc(m, ',');
988 seq_puts(m, LABELSUPP_STR);
989 continue;
2069f457
EP		 990 default:
991 BUG();
992 };
993 /* we need a comma before each option */
994 seq_putc(m, ',');
995 seq_puts(m, prefix);
996 if (has_comma)
997 seq_putc(m, '\"');
998 seq_puts(m, opts->mnt_opts[i]);
999 if (has_comma)
1000 seq_putc(m, '\"');
1001 }
1002}
1003
1004static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1005{
1006 struct security_mnt_opts opts;
1007 int rc;
1008
1009 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1010 if (rc) {
1011 /* before policy load we may get EINVAL, don't show anything */
1012 if (rc == -EINVAL)
1013 rc = 0;
2069f457 1014 return rc;
383795c2 1015 }
2069f457
EP		 1016
1017 selinux_write_opts(m, &opts);
1018
1019 security_free_mnt_opts(&opts);
1020
1021 return rc;
1022}
1023
1da177e4
LT		 1024static inline u16 inode_mode_to_security_class(umode_t mode)
1025{
1026 switch (mode & S_IFMT) {
1027 case S_IFSOCK:
1028 return SECCLASS_SOCK_FILE;
1029 case S_IFLNK:
1030 return SECCLASS_LNK_FILE;
1031 case S_IFREG:
1032 return SECCLASS_FILE;
1033 case S_IFBLK:
1034 return SECCLASS_BLK_FILE;
1035 case S_IFDIR:
1036 return SECCLASS_DIR;
1037 case S_IFCHR:
1038 return SECCLASS_CHR_FILE;
1039 case S_IFIFO:
1040 return SECCLASS_FIFO_FILE;
1041
1042 }
1043
1044 return SECCLASS_FILE;
1045}
1046
13402580
JM		 1047static inline int default_protocol_stream(int protocol)
1048{
1049 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1050}
1051
1052static inline int default_protocol_dgram(int protocol)
1053{
1054 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1055}
1056
1da177e4
LT		 1057static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1058{
1059 switch (family) {
1060 case PF_UNIX:
1061 switch (type) {
1062 case SOCK_STREAM:
1063 case SOCK_SEQPACKET:
1064 return SECCLASS_UNIX_STREAM_SOCKET;
1065 case SOCK_DGRAM:
1066 return SECCLASS_UNIX_DGRAM_SOCKET;
1067 }
1068 break;
1069 case PF_INET:
1070 case PF_INET6:
1071 switch (type) {
1072 case SOCK_STREAM:
13402580
JM		 1073 if (default_protocol_stream(protocol))
1074 return SECCLASS_TCP_SOCKET;
1075 else
1076 return SECCLASS_RAWIP_SOCKET;
1da177e4 1077 case SOCK_DGRAM:
13402580
JM		 1078 if (default_protocol_dgram(protocol))
1079 return SECCLASS_UDP_SOCKET;
1080 else
1081 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1082 case SOCK_DCCP:
1083 return SECCLASS_DCCP_SOCKET;
13402580 1084 default:
1da177e4
LT		 1085 return SECCLASS_RAWIP_SOCKET;
1086 }
1087 break;
1088 case PF_NETLINK:
1089 switch (protocol) {
1090 case NETLINK_ROUTE:
1091 return SECCLASS_NETLINK_ROUTE_SOCKET;
1092 case NETLINK_FIREWALL:
1093 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 1094 case NETLINK_INET_DIAG:
1da177e4
LT		 1095 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1096 case NETLINK_NFLOG:
1097 return SECCLASS_NETLINK_NFLOG_SOCKET;
1098 case NETLINK_XFRM:
1099 return SECCLASS_NETLINK_XFRM_SOCKET;
1100 case NETLINK_SELINUX:
1101 return SECCLASS_NETLINK_SELINUX_SOCKET;
1102 case NETLINK_AUDIT:
1103 return SECCLASS_NETLINK_AUDIT_SOCKET;
1104 case NETLINK_IP6_FW:
1105 return SECCLASS_NETLINK_IP6FW_SOCKET;
1106 case NETLINK_DNRTMSG:
1107 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1108 case NETLINK_KOBJECT_UEVENT:
1109 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1110 default:
1111 return SECCLASS_NETLINK_SOCKET;
1112 }
1113 case PF_PACKET:
1114 return SECCLASS_PACKET_SOCKET;
1115 case PF_KEY:
1116 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1117 case PF_APPLETALK:
1118 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1119 }
1120
1121 return SECCLASS_SOCKET;
1122}
1123
1124#ifdef CONFIG_PROC_FS
8e6c9693 1125static int selinux_proc_get_sid(struct dentry *dentry,
1da177e4
LT		 1126 u16 tclass,
1127 u32 *sid)
1128{
8e6c9693
LAG		 1129 int rc;
1130 char *buffer, *path;
1da177e4 1131
828dfe1d 1132 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1133 if (!buffer)
1134 return -ENOMEM;
1135
8e6c9693
LAG		 1136 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1137 if (IS_ERR(path))
1138 rc = PTR_ERR(path);
1139 else {
1140 /* each process gets a /proc/PID/ entry. Strip off the
1141 * PID part to get a valid selinux labeling.
1142 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1143 while (path[1] >= '0' && path[1] <= '9') {
1144 path[1] = '/';
1145 path++;
1146 }
1147 rc = security_genfs_sid("proc", path, tclass, sid);
1da177e4 1148 }
1da177e4
LT		 1149 free_page((unsigned long)buffer);
1150 return rc;
1151}
1152#else
8e6c9693 1153static int selinux_proc_get_sid(struct dentry *dentry,
1da177e4
LT		 1154 u16 tclass,
1155 u32 *sid)
1156{
1157 return -EINVAL;
1158}
1159#endif
1160
1161/* The inode's security attributes must be initialized before first use. */
1162static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1163{
1164 struct superblock_security_struct *sbsec = NULL;
1165 struct inode_security_struct *isec = inode->i_security;
1166 u32 sid;
1167 struct dentry *dentry;
1168#define INITCONTEXTLEN 255
1169 char *context = NULL;
1170 unsigned len = 0;
1171 int rc = 0;
1da177e4
LT		 1172
1173 if (isec->initialized)
1174 goto out;
1175
23970741 1176 mutex_lock(&isec->lock);
1da177e4 1177 if (isec->initialized)
23970741 1178 goto out_unlock;
1da177e4
LT		 1179
1180 sbsec = inode->i_sb->s_security;
0d90a7ec 1181 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1182 /* Defer initialization until selinux_complete_init,
1183 after the initial policy is loaded and the security
1184 server is ready to handle calls. */
1185 spin_lock(&sbsec->isec_lock);
1186 if (list_empty(&isec->list))
1187 list_add(&isec->list, &sbsec->isec_head);
1188 spin_unlock(&sbsec->isec_lock);
23970741 1189 goto out_unlock;
1da177e4
LT		 1190 }
1191
1192 switch (sbsec->behavior) {
1193 case SECURITY_FS_USE_XATTR:
1194 if (!inode->i_op->getxattr) {
1195 isec->sid = sbsec->def_sid;
1196 break;
1197 }
1198
1199 /* Need a dentry, since the xattr API requires one.
1200 Life would be simpler if we could just pass the inode. */
1201 if (opt_dentry) {
1202 /* Called from d_instantiate or d_splice_alias. */
1203 dentry = dget(opt_dentry);
1204 } else {
1205 /* Called from selinux_complete_init, try to find a dentry. */
1206 dentry = d_find_alias(inode);
1207 }
1208 if (!dentry) {
df7f54c0
EP		 1209 /*
1210 * this is can be hit on boot when a file is accessed
1211 * before the policy is loaded. When we load policy we
1212 * may find inodes that have no dentry on the
1213 * sbsec->isec_head list. No reason to complain as these
1214 * will get fixed up the next time we go through
1215 * inode_doinit with a dentry, before these inodes could
1216 * be used again by userspace.
1217 */
23970741 1218 goto out_unlock;
1da177e4
LT		 1219 }
1220
1221 len = INITCONTEXTLEN;
4cb912f1 1222 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1223 if (!context) {
1224 rc = -ENOMEM;
1225 dput(dentry);
23970741 1226 goto out_unlock;
1da177e4 1227 }
4cb912f1 1228 context[len] = '\0';
1da177e4
LT		 1229 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1230 context, len);
1231 if (rc == -ERANGE) {
314dabb8
JM		 1232 kfree(context);
1233
1da177e4
LT		 1234 /* Need a larger buffer. Query for the right size. */
1235 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1236 NULL, 0);
1237 if (rc < 0) {
1238 dput(dentry);
23970741 1239 goto out_unlock;
1da177e4 1240 }
1da177e4 1241 len = rc;
4cb912f1 1242 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1243 if (!context) {
1244 rc = -ENOMEM;
1245 dput(dentry);
23970741 1246 goto out_unlock;
1da177e4 1247 }
4cb912f1 1248 context[len] = '\0';
1da177e4
LT		 1249 rc = inode->i_op->getxattr(dentry,
1250 XATTR_NAME_SELINUX,
1251 context, len);
1252 }
1253 dput(dentry);
1254 if (rc < 0) {
1255 if (rc != -ENODATA) {
744ba35e 1256 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1257 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1258 -rc, inode->i_sb->s_id, inode->i_ino);
1259 kfree(context);
23970741 1260 goto out_unlock;
1da177e4
LT		 1261 }
1262 /* Map ENODATA to the default file SID */
1263 sid = sbsec->def_sid;
1264 rc = 0;
1265 } else {
f5c1d5b2 1266 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1267 sbsec->def_sid,
1268 GFP_NOFS);
1da177e4 1269 if (rc) {
4ba0a8ad
EP		 1270 char *dev = inode->i_sb->s_id;
1271 unsigned long ino = inode->i_ino;
1272
1273 if (rc == -EINVAL) {
1274 if (printk_ratelimit())
1275 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1276 "context=%s. This indicates you may need to relabel the inode or the "
1277 "filesystem in question.\n", ino, dev, context);
1278 } else {
1279 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1280 "returned %d for dev=%s ino=%ld\n",
1281 __func__, context, -rc, dev, ino);
1282 }
1da177e4
LT		 1283 kfree(context);
1284 /* Leave with the unlabeled SID */
1285 rc = 0;
1286 break;
1287 }
1288 }
1289 kfree(context);
1290 isec->sid = sid;
1291 break;
1292 case SECURITY_FS_USE_TASK:
1293 isec->sid = isec->task_sid;
1294 break;
1295 case SECURITY_FS_USE_TRANS:
1296 /* Default to the fs SID. */
1297 isec->sid = sbsec->sid;
1298
1299 /* Try to obtain a transition SID. */
1300 isec->sclass = inode_mode_to_security_class(inode->i_mode);
652bb9b0
EP		 1301 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1302 isec->sclass, NULL, &sid);
1da177e4 1303 if (rc)
23970741 1304 goto out_unlock;
1da177e4
LT		 1305 isec->sid = sid;
1306 break;
c312feb2
EP		 1307 case SECURITY_FS_USE_MNTPOINT:
1308 isec->sid = sbsec->mntpoint_sid;
1309 break;
1da177e4 1310 default:
c312feb2 1311 /* Default to the fs superblock SID. */
1da177e4
LT		 1312 isec->sid = sbsec->sid;
1313
0d90a7ec 1314 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
8e6c9693 1315 if (opt_dentry) {
1da177e4 1316 isec->sclass = inode_mode_to_security_class(inode->i_mode);
8e6c9693 1317 rc = selinux_proc_get_sid(opt_dentry,
1da177e4
LT		 1318 isec->sclass,
1319 &sid);
1320 if (rc)
23970741 1321 goto out_unlock;
1da177e4
LT		 1322 isec->sid = sid;
1323 }
1324 }
1325 break;
1326 }
1327
1328 isec->initialized = 1;
1329
23970741
EP		 1330out_unlock:
1331 mutex_unlock(&isec->lock);
1da177e4
LT		 1332out:
1333 if (isec->sclass == SECCLASS_FILE)
1334 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1335 return rc;
1336}
1337
1338/* Convert a Linux signal to an access vector. */
1339static inline u32 signal_to_av(int sig)
1340{
1341 u32 perm = 0;
1342
1343 switch (sig) {
1344 case SIGCHLD:
1345 /* Commonly granted from child to parent. */
1346 perm = PROCESS__SIGCHLD;
1347 break;
1348 case SIGKILL:
1349 /* Cannot be caught or ignored */
1350 perm = PROCESS__SIGKILL;
1351 break;
1352 case SIGSTOP:
1353 /* Cannot be caught or ignored */
1354 perm = PROCESS__SIGSTOP;
1355 break;
1356 default:
1357 /* All other signals. */
1358 perm = PROCESS__SIGNAL;
1359 break;
1360 }
1361
1362 return perm;
1363}
1364
d84f4f99
DH		 1365/*
1366 * Check permission between a pair of credentials
1367 * fork check, ptrace check, etc.
1368 */
1369static int cred_has_perm(const struct cred *actor,
1370 const struct cred *target,
1371 u32 perms)
1372{
1373 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1374
1375 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1376}
1377
275bb41e 1378/*
88e67f3b 1379 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1380 * fork check, ptrace check, etc.
1381 * tsk1 is the actor and tsk2 is the target
3b11a1de 1382 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1383 */
1384static int task_has_perm(const struct task_struct *tsk1,
1385 const struct task_struct *tsk2,
1da177e4
LT		 1386 u32 perms)
1387{
275bb41e
DH		 1388 const struct task_security_struct *__tsec1, *__tsec2;
1389 u32 sid1, sid2;
1da177e4 1390
275bb41e
DH		 1391 rcu_read_lock();
1392 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1393 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1394 rcu_read_unlock();
1395 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1396}
1397
3b11a1de
DH		 1398/*
1399 * Check permission between current and another task, e.g. signal checks,
1400 * fork check, ptrace check, etc.
1401 * current is the actor and tsk2 is the target
1402 * - this uses current's subjective creds
1403 */
1404static int current_has_perm(const struct task_struct *tsk,
1405 u32 perms)
1406{
1407 u32 sid, tsid;
1408
1409 sid = current_sid();
1410 tsid = task_sid(tsk);
1411 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1412}
1413
b68e418c
SS		 1414#if CAP_LAST_CAP > 63
1415#error Fix SELinux to handle capabilities > 63.
1416#endif
1417
1da177e4
LT		 1418/* Check whether a task is allowed to use a capability. */
1419static int task_has_capability(struct task_struct *tsk,
3699c53c 1420 const struct cred *cred,
06112163 1421 int cap, int audit)
1da177e4 1422{
2bf49690 1423 struct common_audit_data ad;
06112163 1424 struct av_decision avd;
b68e418c 1425 u16 sclass;
3699c53c 1426 u32 sid = cred_sid(cred);
b68e418c 1427 u32 av = CAP_TO_MASK(cap);
06112163 1428 int rc;
1da177e4 1429
2bf49690 1430 COMMON_AUDIT_DATA_INIT(&ad, CAP);
1da177e4
LT		 1431 ad.tsk = tsk;
1432 ad.u.cap = cap;
1433
b68e418c
SS		 1434 switch (CAP_TO_INDEX(cap)) {
1435 case 0:
1436 sclass = SECCLASS_CAPABILITY;
1437 break;
1438 case 1:
1439 sclass = SECCLASS_CAPABILITY2;
1440 break;
1441 default:
1442 printk(KERN_ERR
1443 "SELinux: out of range capability %d\n", cap);
1444 BUG();
1445 }
06112163 1446
275bb41e 1447 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
06112163 1448 if (audit == SECURITY_CAP_AUDIT)
275bb41e 1449 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
06112163 1450 return rc;
1da177e4
LT		 1451}
1452
1453/* Check whether a task is allowed to use a system operation. */
1454static int task_has_system(struct task_struct *tsk,
1455 u32 perms)
1456{
275bb41e 1457 u32 sid = task_sid(tsk);
1da177e4 1458
275bb41e 1459 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1460 SECCLASS_SYSTEM, perms, NULL);
1461}
1462
1463/* Check whether a task has a particular permission to an inode.
1464 The 'adp' parameter is optional and allows other audit
1465 data to be passed (e.g. the dentry). */
88e67f3b 1466static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1467 struct inode *inode,
1468 u32 perms,
2bf49690 1469 struct common_audit_data *adp)
1da177e4 1470{
1da177e4 1471 struct inode_security_struct *isec;
2bf49690 1472 struct common_audit_data ad;
275bb41e 1473 u32 sid;
1da177e4 1474
e0e81739
DH		 1475 validate_creds(cred);
1476
828dfe1d 1477 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1478 return 0;
1479
88e67f3b 1480 sid = cred_sid(cred);
1da177e4
LT		 1481 isec = inode->i_security;
1482
1483 if (!adp) {
1484 adp = &ad;
2bf49690 1485 COMMON_AUDIT_DATA_INIT(&ad, FS);
1da177e4
LT		 1486 ad.u.fs.inode = inode;
1487 }
1488
275bb41e 1489 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1490}
1491
1492/* Same as inode_has_perm, but pass explicit audit data containing
1493 the dentry to help the auditing code to more easily generate the
1494 pathname if needed. */
88e67f3b 1495static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1496 struct vfsmount *mnt,
1497 struct dentry *dentry,
1498 u32 av)
1499{
1500 struct inode *inode = dentry->d_inode;
2bf49690 1501 struct common_audit_data ad;
88e67f3b 1502
2bf49690 1503 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf
JB		 1504 ad.u.fs.path.mnt = mnt;
1505 ad.u.fs.path.dentry = dentry;
88e67f3b 1506 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1507}
1508
1509/* Check whether a task can use an open file descriptor to
1510 access an inode in a given way. Check access to the
1511 descriptor itself, and then use dentry_has_perm to
1512 check a particular permission to the file.
1513 Access to the descriptor is implicitly granted if it
1514 has the same SID as the process. If av is zero, then
1515 access to the file is not checked, e.g. for cases
1516 where only the descriptor is affected like seek. */
88e67f3b
DH		 1517static int file_has_perm(const struct cred *cred,
1518 struct file *file,
1519 u32 av)
1da177e4 1520{
1da177e4 1521 struct file_security_struct *fsec = file->f_security;
44707fdf 1522 struct inode *inode = file->f_path.dentry->d_inode;
2bf49690 1523 struct common_audit_data ad;
88e67f3b 1524 u32 sid = cred_sid(cred);
1da177e4
LT		 1525 int rc;
1526
2bf49690 1527 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1528 ad.u.fs.path = file->f_path;
1da177e4 1529
275bb41e
DH		 1530 if (sid != fsec->sid) {
1531 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1532 SECCLASS_FD,
1533 FD__USE,
1534 &ad);
1535 if (rc)
88e67f3b 1536 goto out;
1da177e4
LT		 1537 }
1538
1539 /* av is zero if only checking access to the descriptor. */
88e67f3b 1540 rc = 0;
1da177e4 1541 if (av)
88e67f3b 1542 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1543
88e67f3b
DH		 1544out:
1545 return rc;
1da177e4
LT		 1546}
1547
1548/* Check whether a task can create a file. */
1549static int may_create(struct inode *dir,
1550 struct dentry *dentry,
1551 u16 tclass)
1552{
5fb49870 1553 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1554 struct inode_security_struct *dsec;
1555 struct superblock_security_struct *sbsec;
275bb41e 1556 u32 sid, newsid;
2bf49690 1557 struct common_audit_data ad;
1da177e4
LT		 1558 int rc;
1559
1da177e4
LT		 1560 dsec = dir->i_security;
1561 sbsec = dir->i_sb->s_security;
1562
275bb41e
DH		 1563 sid = tsec->sid;
1564 newsid = tsec->create_sid;
1565
2bf49690 1566 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1567 ad.u.fs.path.dentry = dentry;
1da177e4 1568
275bb41e 1569 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1570 DIR__ADD_NAME | DIR__SEARCH,
1571 &ad);
1572 if (rc)
1573 return rc;
1574
cd89596f 1575 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
652bb9b0 1576 rc = security_transition_sid(sid, dsec->sid, tclass, NULL, &newsid);
1da177e4
LT		 1577 if (rc)
1578 return rc;
1579 }
1580
275bb41e 1581 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1582 if (rc)
1583 return rc;
1584
1585 return avc_has_perm(newsid, sbsec->sid,
1586 SECCLASS_FILESYSTEM,
1587 FILESYSTEM__ASSOCIATE, &ad);
1588}
1589
4eb582cf
ML		 1590/* Check whether a task can create a key. */
1591static int may_create_key(u32 ksid,
1592 struct task_struct *ctx)
1593{
275bb41e 1594 u32 sid = task_sid(ctx);
4eb582cf 1595
275bb41e 1596 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1597}
1598
828dfe1d
EP		 1599#define MAY_LINK 0
1600#define MAY_UNLINK 1
1601#define MAY_RMDIR 2
1da177e4
LT		 1602
1603/* Check whether a task can link, unlink, or rmdir a file/directory. */
1604static int may_link(struct inode *dir,
1605 struct dentry *dentry,
1606 int kind)
1607
1608{
1da177e4 1609 struct inode_security_struct *dsec, *isec;
2bf49690 1610 struct common_audit_data ad;
275bb41e 1611 u32 sid = current_sid();
1da177e4
LT		 1612 u32 av;
1613 int rc;
1614
1da177e4
LT		 1615 dsec = dir->i_security;
1616 isec = dentry->d_inode->i_security;
1617
2bf49690 1618 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1619 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1620
1621 av = DIR__SEARCH;
1622 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1623 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1624 if (rc)
1625 return rc;
1626
1627 switch (kind) {
1628 case MAY_LINK:
1629 av = FILE__LINK;
1630 break;
1631 case MAY_UNLINK:
1632 av = FILE__UNLINK;
1633 break;
1634 case MAY_RMDIR:
1635 av = DIR__RMDIR;
1636 break;
1637 default:
744ba35e
EP		 1638 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1639 __func__, kind);
1da177e4
LT		 1640 return 0;
1641 }
1642
275bb41e 1643 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1644 return rc;
1645}
1646
1647static inline int may_rename(struct inode *old_dir,
1648 struct dentry *old_dentry,
1649 struct inode *new_dir,
1650 struct dentry *new_dentry)
1651{
1da177e4 1652 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1653 struct common_audit_data ad;
275bb41e 1654 u32 sid = current_sid();
1da177e4
LT		 1655 u32 av;
1656 int old_is_dir, new_is_dir;
1657 int rc;
1658
1da177e4
LT		 1659 old_dsec = old_dir->i_security;
1660 old_isec = old_dentry->d_inode->i_security;
1661 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1662 new_dsec = new_dir->i_security;
1663
2bf49690 1664 COMMON_AUDIT_DATA_INIT(&ad, FS);
1da177e4 1665
44707fdf 1666 ad.u.fs.path.dentry = old_dentry;
275bb41e 1667 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1668 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1669 if (rc)
1670 return rc;
275bb41e 1671 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1672 old_isec->sclass, FILE__RENAME, &ad);
1673 if (rc)
1674 return rc;
1675 if (old_is_dir && new_dir != old_dir) {
275bb41e 1676 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1677 old_isec->sclass, DIR__REPARENT, &ad);
1678 if (rc)
1679 return rc;
1680 }
1681
44707fdf 1682 ad.u.fs.path.dentry = new_dentry;
1da177e4
LT		 1683 av = DIR__ADD_NAME | DIR__SEARCH;
1684 if (new_dentry->d_inode)
1685 av |= DIR__REMOVE_NAME;
275bb41e 1686 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1687 if (rc)
1688 return rc;
1689 if (new_dentry->d_inode) {
1690 new_isec = new_dentry->d_inode->i_security;
1691 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
275bb41e 1692 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1693 new_isec->sclass,
1694 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1695 if (rc)
1696 return rc;
1697 }
1698
1699 return 0;
1700}
1701
1702/* Check whether a task can perform a filesystem operation. */
88e67f3b 1703static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1704 struct super_block *sb,
1705 u32 perms,
2bf49690 1706 struct common_audit_data *ad)
1da177e4 1707{
1da177e4 1708 struct superblock_security_struct *sbsec;
88e67f3b 1709 u32 sid = cred_sid(cred);
1da177e4 1710
1da177e4 1711 sbsec = sb->s_security;
275bb41e 1712 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1713}
1714
1715/* Convert a Linux mode and permission mask to an access vector. */
1716static inline u32 file_mask_to_av(int mode, int mask)
1717{
1718 u32 av = 0;
1719
1720 if ((mode & S_IFMT) != S_IFDIR) {
1721 if (mask & MAY_EXEC)
1722 av |= FILE__EXECUTE;
1723 if (mask & MAY_READ)
1724 av |= FILE__READ;
1725
1726 if (mask & MAY_APPEND)
1727 av |= FILE__APPEND;
1728 else if (mask & MAY_WRITE)
1729 av |= FILE__WRITE;
1730
1731 } else {
1732 if (mask & MAY_EXEC)
1733 av |= DIR__SEARCH;
1734 if (mask & MAY_WRITE)
1735 av |= DIR__WRITE;
1736 if (mask & MAY_READ)
1737 av |= DIR__READ;
1738 }
1739
1740 return av;
1741}
1742
8b6a5a37
EP		 1743/* Convert a Linux file to an access vector. */
1744static inline u32 file_to_av(struct file *file)
1745{
1746 u32 av = 0;
1747
1748 if (file->f_mode & FMODE_READ)
1749 av |= FILE__READ;
1750 if (file->f_mode & FMODE_WRITE) {
1751 if (file->f_flags & O_APPEND)
1752 av |= FILE__APPEND;
1753 else
1754 av |= FILE__WRITE;
1755 }
1756 if (!av) {
1757 /*
1758 * Special file opened with flags 3 for ioctl-only use.
1759 */
1760 av = FILE__IOCTL;
1761 }
1762
1763 return av;
1764}
1765
b0c636b9 1766/*
8b6a5a37 1767 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 1768 * open permission.
1769 */
8b6a5a37 1770static inline u32 open_file_to_av(struct file *file)
b0c636b9 1771{
8b6a5a37 1772 u32 av = file_to_av(file);
b0c636b9 1773
49b7b8de
EP		 1774 if (selinux_policycap_openperm)
1775 av |= FILE__OPEN;
1776
b0c636b9
EP		 1777 return av;
1778}
1779
1da177e4
LT		 1780/* Hook functions begin here. */
1781
9e48858f 1782static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 1783 unsigned int mode)
1da177e4 1784{
1da177e4
LT		 1785 int rc;
1786
9e48858f 1787 rc = cap_ptrace_access_check(child, mode);
1da177e4
LT		 1788 if (rc)
1789 return rc;
1790
006ebb40 1791 if (mode == PTRACE_MODE_READ) {
275bb41e
DH		 1792 u32 sid = current_sid();
1793 u32 csid = task_sid(child);
1794 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 1795 }
1796
3b11a1de 1797 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 1798}
1799
1800static int selinux_ptrace_traceme(struct task_struct *parent)
1801{
1802 int rc;
1803
200ac532 1804 rc = cap_ptrace_traceme(parent);
5cd9c58f
DH		 1805 if (rc)
1806 return rc;
1807
1808 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 1809}
1810
1811static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 1812 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4
LT		 1813{
1814 int error;
1815
3b11a1de 1816 error = current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 1817 if (error)
1818 return error;
1819
200ac532 1820 return cap_capget(target, effective, inheritable, permitted);
1da177e4
LT		 1821}
1822
d84f4f99
DH		 1823static int selinux_capset(struct cred *new, const struct cred *old,
1824 const kernel_cap_t *effective,
1825 const kernel_cap_t *inheritable,
1826 const kernel_cap_t *permitted)
1da177e4
LT		 1827{
1828 int error;
1829
200ac532 1830 error = cap_capset(new, old,
d84f4f99 1831 effective, inheritable, permitted);
1da177e4
LT		 1832 if (error)
1833 return error;
1834
d84f4f99 1835 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 1836}
1837
5626d3e8
JM		 1838/*
1839 * (This comment used to live with the selinux_task_setuid hook,
1840 * which was removed).
1841 *
1842 * Since setuid only affects the current process, and since the SELinux
1843 * controls are not based on the Linux identity attributes, SELinux does not
1844 * need to control this operation. However, SELinux does control the use of
1845 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1846 */
1847
3699c53c
DH		 1848static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1849 int cap, int audit)
1da177e4
LT		 1850{
1851 int rc;
1852
200ac532 1853 rc = cap_capable(tsk, cred, cap, audit);
1da177e4
LT		 1854 if (rc)
1855 return rc;
1856
3699c53c 1857 return task_has_capability(tsk, cred, cap, audit);
1da177e4
LT		 1858}
1859
1da177e4
LT		 1860static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1861{
88e67f3b 1862 const struct cred *cred = current_cred();
1da177e4
LT		 1863 int rc = 0;
1864
1865 if (!sb)
1866 return 0;
1867
1868 switch (cmds) {
828dfe1d
EP		 1869 case Q_SYNC:
1870 case Q_QUOTAON:
1871 case Q_QUOTAOFF:
1872 case Q_SETINFO:
1873 case Q_SETQUOTA:
88e67f3b 1874 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 1875 break;
1876 case Q_GETFMT:
1877 case Q_GETINFO:
1878 case Q_GETQUOTA:
88e67f3b 1879 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 1880 break;
1881 default:
1882 rc = 0; /* let the kernel handle invalid cmds */
1883 break;
1da177e4
LT		 1884 }
1885 return rc;
1886}
1887
1888static int selinux_quota_on(struct dentry *dentry)
1889{
88e67f3b
DH		 1890 const struct cred *cred = current_cred();
1891
1892 return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1da177e4
LT		 1893}
1894
12b3052c 1895static int selinux_syslog(int type)
1da177e4
LT		 1896{
1897 int rc;
1898
1da177e4 1899 switch (type) {
d78ca3cd
KC		 1900 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
1901 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
828dfe1d
EP		 1902 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1903 break;
d78ca3cd
KC		 1904 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1905 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
1906 /* Set level of messages printed to console */
1907 case SYSLOG_ACTION_CONSOLE_LEVEL:
828dfe1d
EP		 1908 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1909 break;
d78ca3cd
KC		 1910 case SYSLOG_ACTION_CLOSE: /* Close log */
1911 case SYSLOG_ACTION_OPEN: /* Open log */
1912 case SYSLOG_ACTION_READ: /* Read from log */
1913 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
1914 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
828dfe1d
EP		 1915 default:
1916 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1917 break;
1da177e4
LT		 1918 }
1919 return rc;
1920}
1921
1922/*
1923 * Check that a process has enough memory to allocate a new virtual
1924 * mapping. 0 means there is enough memory for the allocation to
1925 * succeed and -ENOMEM implies there is not.
1926 *
1da177e4
LT		 1927 * Do not audit the selinux permission check, as this is applied to all
1928 * processes that allocate mappings.
1929 */
34b4e4aa 1930static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 1931{
1932 int rc, cap_sys_admin = 0;
1da177e4 1933
3699c53c
DH		 1934 rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
1935 SECURITY_CAP_NOAUDIT);
1da177e4
LT		 1936 if (rc == 0)
1937 cap_sys_admin = 1;
1938
34b4e4aa 1939 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 1940}
1941
1942/* binprm security operations */
1943
a6f76f23 1944static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 1945{
a6f76f23
DH		 1946 const struct task_security_struct *old_tsec;
1947 struct task_security_struct *new_tsec;
1da177e4 1948 struct inode_security_struct *isec;
2bf49690 1949 struct common_audit_data ad;
a6f76f23 1950 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1da177e4
LT		 1951 int rc;
1952
200ac532 1953 rc = cap_bprm_set_creds(bprm);
1da177e4
LT		 1954 if (rc)
1955 return rc;
1956
a6f76f23
DH		 1957 /* SELinux context only depends on initial program or script and not
1958 * the script interpreter */
1959 if (bprm->cred_prepared)
1da177e4
LT		 1960 return 0;
1961
a6f76f23
DH		 1962 old_tsec = current_security();
1963 new_tsec = bprm->cred->security;
1da177e4
LT		 1964 isec = inode->i_security;
1965
1966 /* Default to the current task SID. */
a6f76f23
DH		 1967 new_tsec->sid = old_tsec->sid;
1968 new_tsec->osid = old_tsec->sid;
1da177e4 1969
28eba5bf 1970 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 1971 new_tsec->create_sid = 0;
1972 new_tsec->keycreate_sid = 0;
1973 new_tsec->sockcreate_sid = 0;
1da177e4 1974
a6f76f23
DH		 1975 if (old_tsec->exec_sid) {
1976 new_tsec->sid = old_tsec->exec_sid;
1da177e4 1977 /* Reset exec SID on execve. */
a6f76f23 1978 new_tsec->exec_sid = 0;
1da177e4
LT		 1979 } else {
1980 /* Check for a default transition on this program. */
a6f76f23 1981 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 1982 SECCLASS_PROCESS, NULL,
1983 &new_tsec->sid);
1da177e4
LT		 1984 if (rc)
1985 return rc;
1986 }
1987
2bf49690 1988 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1989 ad.u.fs.path = bprm->file->f_path;
1da177e4 1990
3d5ff529 1991 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
a6f76f23 1992 new_tsec->sid = old_tsec->sid;
1da177e4 1993
a6f76f23
DH		 1994 if (new_tsec->sid == old_tsec->sid) {
1995 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 1996 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1997 if (rc)
1998 return rc;
1999 } else {
2000 /* Check permissions for the transition. */
a6f76f23 2001 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2002 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2003 if (rc)
2004 return rc;
2005
a6f76f23 2006 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2007 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2008 if (rc)
2009 return rc;
2010
a6f76f23
DH		 2011 /* Check for shared state */
2012 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2013 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2014 SECCLASS_PROCESS, PROCESS__SHARE,
2015 NULL);
2016 if (rc)
2017 return -EPERM;
2018 }
2019
2020 /* Make sure that anyone attempting to ptrace over a task that
2021 * changes its SID has the appropriate permit */
2022 if (bprm->unsafe &
2023 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2024 struct task_struct *tracer;
2025 struct task_security_struct *sec;
2026 u32 ptsid = 0;
2027
2028 rcu_read_lock();
2029 tracer = tracehook_tracer_task(current);
2030 if (likely(tracer != NULL)) {
2031 sec = __task_cred(tracer)->security;
2032 ptsid = sec->sid;
2033 }
2034 rcu_read_unlock();
2035
2036 if (ptsid != 0) {
2037 rc = avc_has_perm(ptsid, new_tsec->sid,
2038 SECCLASS_PROCESS,
2039 PROCESS__PTRACE, NULL);
2040 if (rc)
2041 return -EPERM;
2042 }
2043 }
1da177e4 2044
a6f76f23
DH		 2045 /* Clear any possibly unsafe personality bits on exec: */
2046 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2047 }
2048
1da177e4
LT		 2049 return 0;
2050}
2051
828dfe1d 2052static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2053{
5fb49870 2054 const struct task_security_struct *tsec = current_security();
275bb41e 2055 u32 sid, osid;
1da177e4
LT		 2056 int atsecure = 0;
2057
275bb41e
DH		 2058 sid = tsec->sid;
2059 osid = tsec->osid;
2060
2061 if (osid != sid) {
1da177e4
LT		 2062 /* Enable secure mode for SIDs transitions unless
2063 the noatsecure permission is granted between
2064 the two SIDs, i.e. ahp returns 0. */
275bb41e 2065 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2066 SECCLASS_PROCESS,
2067 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2068 }
2069
200ac532 2070 return (atsecure || cap_bprm_secureexec(bprm));
1da177e4
LT		 2071}
2072
1da177e4
LT		 2073extern struct vfsmount *selinuxfs_mount;
2074extern struct dentry *selinux_null;
2075
2076/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2077static inline void flush_unauthorized_files(const struct cred *cred,
2078 struct files_struct *files)
1da177e4 2079{
2bf49690 2080 struct common_audit_data ad;
1da177e4 2081 struct file *file, *devnull = NULL;
b20c8122 2082 struct tty_struct *tty;
badf1662 2083 struct fdtable *fdt;
1da177e4 2084 long j = -1;
24ec839c 2085 int drop_tty = 0;
1da177e4 2086
24ec839c 2087 tty = get_current_tty();
1da177e4 2088 if (tty) {
ee2ffa0d 2089 spin_lock(&tty_files_lock);
37dd0bd0 2090 if (!list_empty(&tty->tty_files)) {
d996b62a 2091 struct tty_file_private *file_priv;
37dd0bd0
EP		 2092 struct inode *inode;
2093
1da177e4
LT		 2094 /* Revalidate access to controlling tty.
2095 Use inode_has_perm on the tty inode directly rather
2096 than using file_has_perm, as this particular open
2097 file may belong to another process and we are only
2098 interested in the inode-based check here. */
d996b62a
NP		 2099 file_priv = list_first_entry(&tty->tty_files,
2100 struct tty_file_private, list);
2101 file = file_priv->file;
37dd0bd0 2102 inode = file->f_path.dentry->d_inode;
88e67f3b 2103 if (inode_has_perm(cred, inode,
1da177e4 2104 FILE__READ | FILE__WRITE, NULL)) {
24ec839c 2105 drop_tty = 1;
1da177e4
LT		 2106 }
2107 }
ee2ffa0d 2108 spin_unlock(&tty_files_lock);
452a00d2 2109 tty_kref_put(tty);
1da177e4 2110 }
98a27ba4
EB		 2111 /* Reset controlling tty. */
2112 if (drop_tty)
2113 no_tty();
1da177e4
LT		 2114
2115 /* Revalidate access to inherited open files. */
2116
2bf49690 2117 COMMON_AUDIT_DATA_INIT(&ad, FS);
1da177e4
LT		 2118
2119 spin_lock(&files->file_lock);
2120 for (;;) {
2121 unsigned long set, i;
2122 int fd;
2123
2124 j++;
2125 i = j * __NFDBITS;
badf1662 2126 fdt = files_fdtable(files);
bbea9f69 2127 if (i >= fdt->max_fds)
1da177e4 2128 break;
badf1662 2129 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 2130 if (!set)
2131 continue;
2132 spin_unlock(&files->file_lock);
828dfe1d 2133 for ( ; set ; i++, set >>= 1) {
1da177e4
LT		 2134 if (set & 1) {
2135 file = fget(i);
2136 if (!file)
2137 continue;
88e67f3b 2138 if (file_has_perm(cred,
1da177e4
LT		 2139 file,
2140 file_to_av(file))) {
2141 sys_close(i);
2142 fd = get_unused_fd();
2143 if (fd != i) {
2144 if (fd >= 0)
2145 put_unused_fd(fd);
2146 fput(file);
2147 continue;
2148 }
2149 if (devnull) {
095975da 2150 get_file(devnull);
1da177e4 2151 } else {
745ca247
DH		 2152 devnull = dentry_open(
2153 dget(selinux_null),
2154 mntget(selinuxfs_mount),
2155 O_RDWR, cred);
fc5d81e6
AM		 2156 if (IS_ERR(devnull)) {
2157 devnull = NULL;
1da177e4
LT		 2158 put_unused_fd(fd);
2159 fput(file);
2160 continue;
2161 }
2162 }
2163 fd_install(fd, devnull);
2164 }
2165 fput(file);
2166 }
2167 }
2168 spin_lock(&files->file_lock);
2169
2170 }
2171 spin_unlock(&files->file_lock);
2172}
2173
a6f76f23
DH		 2174/*
2175 * Prepare a process for imminent new credential changes due to exec
2176 */
2177static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2178{
a6f76f23
DH		 2179 struct task_security_struct *new_tsec;
2180 struct rlimit *rlim, *initrlim;
2181 int rc, i;
d84f4f99 2182
a6f76f23
DH		 2183 new_tsec = bprm->cred->security;
2184 if (new_tsec->sid == new_tsec->osid)
2185 return;
1da177e4 2186
a6f76f23
DH		 2187 /* Close files for which the new task SID is not authorized. */
2188 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2189
a6f76f23
DH		 2190 /* Always clear parent death signal on SID transitions. */
2191 current->pdeath_signal = 0;
0356357c 2192
a6f76f23
DH		 2193 /* Check whether the new SID can inherit resource limits from the old
2194 * SID. If not, reset all soft limits to the lower of the current
2195 * task's hard limit and the init task's soft limit.
2196 *
2197 * Note that the setting of hard limits (even to lower them) can be
2198 * controlled by the setrlimit check. The inclusion of the init task's
2199 * soft limit into the computation is to avoid resetting soft limits
2200 * higher than the default soft limit for cases where the default is
2201 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2202 */
2203 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2204 PROCESS__RLIMITINH, NULL);
2205 if (rc) {
eb2d55a3
ON		 2206 /* protect against do_prlimit() */
2207 task_lock(current);
a6f76f23
DH		 2208 for (i = 0; i < RLIM_NLIMITS; i++) {
2209 rlim = current->signal->rlim + i;
2210 initrlim = init_task.signal->rlim + i;
2211 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2212 }
eb2d55a3
ON		 2213 task_unlock(current);
2214 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2215 }
2216}
2217
2218/*
a6f76f23
DH		 2219 * Clean up the process immediately after the installation of new credentials
2220 * due to exec
1da177e4 2221 */
a6f76f23 2222static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2223{
a6f76f23 2224 const struct task_security_struct *tsec = current_security();
1da177e4 2225 struct itimerval itimer;
a6f76f23 2226 u32 osid, sid;
1da177e4
LT		 2227 int rc, i;
2228
a6f76f23
DH		 2229 osid = tsec->osid;
2230 sid = tsec->sid;
2231
2232 if (sid == osid)
1da177e4
LT		 2233 return;
2234
a6f76f23
DH		 2235 /* Check whether the new SID can inherit signal state from the old SID.
2236 * If not, clear itimers to avoid subsequent signal generation and
2237 * flush and unblock signals.
2238 *
2239 * This must occur _after_ the task SID has been updated so that any
2240 * kill done after the flush will be checked against the new SID.
2241 */
2242 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4
LT		 2243 if (rc) {
2244 memset(&itimer, 0, sizeof itimer);
2245 for (i = 0; i < 3; i++)
2246 do_setitimer(i, &itimer, NULL);
1da177e4 2247 spin_lock_irq(&current->sighand->siglock);
3bcac026
DH		 2248 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2249 __flush_signals(current);
2250 flush_signal_handlers(current, 1);
2251 sigemptyset(&current->blocked);
2252 }
1da177e4
LT		 2253 spin_unlock_irq(&current->sighand->siglock);
2254 }
2255
a6f76f23
DH		 2256 /* Wake up the parent if it is waiting so that it can recheck
2257 * wait permission to the new task SID. */
ecd6de3c 2258 read_lock(&tasklist_lock);
0b7570e7 2259 __wake_up_parent(current, current->real_parent);
ecd6de3c 2260 read_unlock(&tasklist_lock);
1da177e4
LT		 2261}
2262
2263/* superblock security operations */
2264
2265static int selinux_sb_alloc_security(struct super_block *sb)
2266{
2267 return superblock_alloc_security(sb);
2268}
2269
2270static void selinux_sb_free_security(struct super_block *sb)
2271{
2272 superblock_free_security(sb);
2273}
2274
2275static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2276{
2277 if (plen > olen)
2278 return 0;
2279
2280 return !memcmp(prefix, option, plen);
2281}
2282
2283static inline int selinux_option(char *option, int len)
2284{
832cbd9a
EP		 2285 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2286 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2287 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2288 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2289 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2290}
2291
2292static inline void take_option(char **to, char *from, int *first, int len)
2293{
2294 if (!*first) {
2295 **to = ',';
2296 *to += 1;
3528a953 2297 } else
1da177e4
LT		 2298 *first = 0;
2299 memcpy(*to, from, len);
2300 *to += len;
2301}
2302
828dfe1d
EP		 2303static inline void take_selinux_option(char **to, char *from, int *first,
2304 int len)
3528a953
CO		 2305{
2306 int current_size = 0;
2307
2308 if (!*first) {
2309 **to = '|';
2310 *to += 1;
828dfe1d 2311 } else
3528a953
CO		 2312 *first = 0;
2313
2314 while (current_size < len) {
2315 if (*from != '"') {
2316 **to = *from;
2317 *to += 1;
2318 }
2319 from += 1;
2320 current_size += 1;
2321 }
2322}
2323
e0007529 2324static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2325{
2326 int fnosec, fsec, rc = 0;
2327 char *in_save, *in_curr, *in_end;
2328 char *sec_curr, *nosec_save, *nosec;
3528a953 2329 int open_quote = 0;
1da177e4
LT		 2330
2331 in_curr = orig;
2332 sec_curr = copy;
2333
1da177e4
LT		 2334 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2335 if (!nosec) {
2336 rc = -ENOMEM;
2337 goto out;
2338 }
2339
2340 nosec_save = nosec;
2341 fnosec = fsec = 1;
2342 in_save = in_end = orig;
2343
2344 do {
3528a953
CO		 2345 if (*in_end == '"')
2346 open_quote = !open_quote;
2347 if ((*in_end == ',' && open_quote == 0) ||
2348 *in_end == '\0') {
1da177e4
LT		 2349 int len = in_end - in_curr;
2350
2351 if (selinux_option(in_curr, len))
3528a953 2352 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2353 else
2354 take_option(&nosec, in_curr, &fnosec, len);
2355
2356 in_curr = in_end + 1;
2357 }
2358 } while (*in_end++);
2359
6931dfc9 2360 strcpy(in_save, nosec_save);
da3caa20 2361 free_page((unsigned long)nosec_save);
1da177e4
LT		 2362out:
2363 return rc;
2364}
2365
026eb167
EP		 2366static int selinux_sb_remount(struct super_block *sb, void *data)
2367{
2368 int rc, i, *flags;
2369 struct security_mnt_opts opts;
2370 char *secdata, **mount_options;
2371 struct superblock_security_struct *sbsec = sb->s_security;
2372
2373 if (!(sbsec->flags & SE_SBINITIALIZED))
2374 return 0;
2375
2376 if (!data)
2377 return 0;
2378
2379 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2380 return 0;
2381
2382 security_init_mnt_opts(&opts);
2383 secdata = alloc_secdata();
2384 if (!secdata)
2385 return -ENOMEM;
2386 rc = selinux_sb_copy_data(data, secdata);
2387 if (rc)
2388 goto out_free_secdata;
2389
2390 rc = selinux_parse_opts_str(secdata, &opts);
2391 if (rc)
2392 goto out_free_secdata;
2393
2394 mount_options = opts.mnt_opts;
2395 flags = opts.mnt_opts_flags;
2396
2397 for (i = 0; i < opts.num_mnt_opts; i++) {
2398 u32 sid;
2399 size_t len;
2400
2401 if (flags[i] == SE_SBLABELSUPP)
2402 continue;
2403 len = strlen(mount_options[i]);
2404 rc = security_context_to_sid(mount_options[i], len, &sid);
2405 if (rc) {
2406 printk(KERN_WARNING "SELinux: security_context_to_sid"
2407 "(%s) failed for (dev %s, type %s) errno=%d\n",
2408 mount_options[i], sb->s_id, sb->s_type->name, rc);
2409 goto out_free_opts;
2410 }
2411 rc = -EINVAL;
2412 switch (flags[i]) {
2413 case FSCONTEXT_MNT:
2414 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2415 goto out_bad_option;
2416 break;
2417 case CONTEXT_MNT:
2418 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2419 goto out_bad_option;
2420 break;
2421 case ROOTCONTEXT_MNT: {
2422 struct inode_security_struct *root_isec;
2423 root_isec = sb->s_root->d_inode->i_security;
2424
2425 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2426 goto out_bad_option;
2427 break;
2428 }
2429 case DEFCONTEXT_MNT:
2430 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2431 goto out_bad_option;
2432 break;
2433 default:
2434 goto out_free_opts;
2435 }
2436 }
2437
2438 rc = 0;
2439out_free_opts:
2440 security_free_mnt_opts(&opts);
2441out_free_secdata:
2442 free_secdata(secdata);
2443 return rc;
2444out_bad_option:
2445 printk(KERN_WARNING "SELinux: unable to change security options "
2446 "during remount (dev %s, type=%s)\n", sb->s_id,
2447 sb->s_type->name);
2448 goto out_free_opts;
2449}
2450
12204e24 2451static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2452{
88e67f3b 2453 const struct cred *cred = current_cred();
2bf49690 2454 struct common_audit_data ad;
1da177e4
LT		 2455 int rc;
2456
2457 rc = superblock_doinit(sb, data);
2458 if (rc)
2459 return rc;
2460
74192246
JM		 2461 /* Allow all mounts performed by the kernel */
2462 if (flags & MS_KERNMOUNT)
2463 return 0;
2464
2bf49690 2465 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2466 ad.u.fs.path.dentry = sb->s_root;
88e67f3b 2467 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2468}
2469
726c3342 2470static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2471{
88e67f3b 2472 const struct cred *cred = current_cred();
2bf49690 2473 struct common_audit_data ad;
1da177e4 2474
2bf49690 2475 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2476 ad.u.fs.path.dentry = dentry->d_sb->s_root;
88e67f3b 2477 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2478}
2479
828dfe1d 2480static int selinux_mount(char *dev_name,
b5266eb4 2481 struct path *path,
828dfe1d
EP		 2482 char *type,
2483 unsigned long flags,
2484 void *data)
1da177e4 2485{
88e67f3b 2486 const struct cred *cred = current_cred();
1da177e4
LT		 2487
2488 if (flags & MS_REMOUNT)
88e67f3b 2489 return superblock_has_perm(cred, path->mnt->mnt_sb,
828dfe1d 2490 FILESYSTEM__REMOUNT, NULL);
1da177e4 2491 else
88e67f3b 2492 return dentry_has_perm(cred, path->mnt, path->dentry,
828dfe1d 2493 FILE__MOUNTON);
1da177e4
LT		 2494}
2495
2496static int selinux_umount(struct vfsmount *mnt, int flags)
2497{
88e67f3b 2498 const struct cred *cred = current_cred();
1da177e4 2499
88e67f3b 2500 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2501 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2502}
2503
2504/* inode security operations */
2505
2506static int selinux_inode_alloc_security(struct inode *inode)
2507{
2508 return inode_alloc_security(inode);
2509}
2510
2511static void selinux_inode_free_security(struct inode *inode)
2512{
2513 inode_free_security(inode);
2514}
2515
5e41ff9e 2516static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2a7dba39
EP		 2517 const struct qstr *qstr, char **name,
2518 void **value, size_t *len)
5e41ff9e 2519{
5fb49870 2520 const struct task_security_struct *tsec = current_security();
5e41ff9e
SS		 2521 struct inode_security_struct *dsec;
2522 struct superblock_security_struct *sbsec;
275bb41e 2523 u32 sid, newsid, clen;
5e41ff9e 2524 int rc;
570bc1c2 2525 char *namep = NULL, *context;
5e41ff9e 2526
5e41ff9e
SS		 2527 dsec = dir->i_security;
2528 sbsec = dir->i_sb->s_security;
5e41ff9e 2529
275bb41e
DH		 2530 sid = tsec->sid;
2531 newsid = tsec->create_sid;
2532
415103f9
EP		 2533 if ((sbsec->flags & SE_SBINITIALIZED) &&
2534 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2535 newsid = sbsec->mntpoint_sid;
2536 else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
275bb41e 2537 rc = security_transition_sid(sid, dsec->sid,
5e41ff9e 2538 inode_mode_to_security_class(inode->i_mode),
652bb9b0 2539 qstr, &newsid);
5e41ff9e
SS		 2540 if (rc) {
2541 printk(KERN_WARNING "%s: "
2542 "security_transition_sid failed, rc=%d (dev=%s "
2543 "ino=%ld)\n",
dd6f953a 2544 __func__,
5e41ff9e
SS		 2545 -rc, inode->i_sb->s_id, inode->i_ino);
2546 return rc;
2547 }
2548 }
2549
296fddf7 2550 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2551 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2552 struct inode_security_struct *isec = inode->i_security;
2553 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2554 isec->sid = newsid;
2555 isec->initialized = 1;
2556 }
5e41ff9e 2557
cd89596f 2558 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
25a74f3b
SS		 2559 return -EOPNOTSUPP;
2560
570bc1c2 2561 if (name) {
a02fe132 2562 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
570bc1c2
SS		 2563 if (!namep)
2564 return -ENOMEM;
2565 *name = namep;
2566 }
5e41ff9e 2567
570bc1c2 2568 if (value && len) {
12b29f34 2569 rc = security_sid_to_context_force(newsid, &context, &clen);
570bc1c2
SS		 2570 if (rc) {
2571 kfree(namep);
2572 return rc;
2573 }
2574 *value = context;
2575 *len = clen;
5e41ff9e 2576 }
5e41ff9e 2577
5e41ff9e
SS		 2578 return 0;
2579}
2580
1da177e4
LT		 2581static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2582{
2583 return may_create(dir, dentry, SECCLASS_FILE);
2584}
2585
1da177e4
LT		 2586static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2587{
1da177e4
LT		 2588 return may_link(dir, old_dentry, MAY_LINK);
2589}
2590
1da177e4
LT		 2591static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2592{
1da177e4
LT		 2593 return may_link(dir, dentry, MAY_UNLINK);
2594}
2595
2596static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2597{
2598 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2599}
2600
1da177e4
LT		 2601static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2602{
2603 return may_create(dir, dentry, SECCLASS_DIR);
2604}
2605
1da177e4
LT		 2606static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2607{
2608 return may_link(dir, dentry, MAY_RMDIR);
2609}
2610
2611static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2612{
1da177e4
LT		 2613 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2614}
2615
1da177e4 2616static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2617 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2618{
2619 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2620}
2621
1da177e4
LT		 2622static int selinux_inode_readlink(struct dentry *dentry)
2623{
88e67f3b
DH		 2624 const struct cred *cred = current_cred();
2625
2626 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
1da177e4
LT		 2627}
2628
2629static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2630{
88e67f3b 2631 const struct cred *cred = current_cred();
1da177e4 2632
88e67f3b 2633 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
1da177e4
LT		 2634}
2635
b77b0646 2636static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2637{
88e67f3b 2638 const struct cred *cred = current_cred();
b782e0a6
EP		 2639 struct common_audit_data ad;
2640 u32 perms;
2641 bool from_access;
1da177e4 2642
b782e0a6 2643 from_access = mask & MAY_ACCESS;
d09ca739
EP		 2644 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2645
b782e0a6
EP		 2646 /* No permission to check. Existence test. */
2647 if (!mask)
1da177e4 2648 return 0;
1da177e4 2649
b782e0a6
EP		 2650 COMMON_AUDIT_DATA_INIT(&ad, FS);
2651 ad.u.fs.inode = inode;
2652
2653 if (from_access)
2654 ad.selinux_audit_data.auditdeny |= FILE__AUDIT_ACCESS;
2655
2656 perms = file_mask_to_av(inode->i_mode, mask);
2657
2658 return inode_has_perm(cred, inode, perms, &ad);
1da177e4
LT		 2659}
2660
2661static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2662{
88e67f3b 2663 const struct cred *cred = current_cred();
bc6a6008 2664 unsigned int ia_valid = iattr->ia_valid;
1da177e4 2665
bc6a6008
AW		 2666 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2667 if (ia_valid & ATTR_FORCE) {
2668 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2669 ATTR_FORCE);
2670 if (!ia_valid)
2671 return 0;
2672 }
1da177e4 2673
bc6a6008
AW		 2674 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2675 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
88e67f3b 2676 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
1da177e4 2677
88e67f3b 2678 return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
1da177e4
LT		 2679}
2680
2681static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2682{
88e67f3b
DH		 2683 const struct cred *cred = current_cred();
2684
2685 return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
1da177e4
LT		 2686}
2687
8f0cfa52 2688static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 2689{
88e67f3b
DH		 2690 const struct cred *cred = current_cred();
2691
b5376771
SH		 2692 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2693 sizeof XATTR_SECURITY_PREFIX - 1)) {
2694 if (!strcmp(name, XATTR_NAME_CAPS)) {
2695 if (!capable(CAP_SETFCAP))
2696 return -EPERM;
2697 } else if (!capable(CAP_SYS_ADMIN)) {
2698 /* A different attribute in the security namespace.
2699 Restrict to administrator. */
2700 return -EPERM;
2701 }
2702 }
2703
2704 /* Not an attribute we recognize, so just check the
2705 ordinary setattr permission. */
88e67f3b 2706 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
b5376771
SH		 2707}
2708
8f0cfa52
DH		 2709static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2710 const void *value, size_t size, int flags)
1da177e4 2711{
1da177e4
LT		 2712 struct inode *inode = dentry->d_inode;
2713 struct inode_security_struct *isec = inode->i_security;
2714 struct superblock_security_struct *sbsec;
2bf49690 2715 struct common_audit_data ad;
275bb41e 2716 u32 newsid, sid = current_sid();
1da177e4
LT		 2717 int rc = 0;
2718
b5376771
SH		 2719 if (strcmp(name, XATTR_NAME_SELINUX))
2720 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2721
2722 sbsec = inode->i_sb->s_security;
cd89596f 2723 if (!(sbsec->flags & SE_SBLABELSUPP))
1da177e4
LT		 2724 return -EOPNOTSUPP;
2725
3bd858ab 2726 if (!is_owner_or_cap(inode))
1da177e4
LT		 2727 return -EPERM;
2728
2bf49690 2729 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2730 ad.u.fs.path.dentry = dentry;
1da177e4 2731
275bb41e 2732 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 2733 FILE__RELABELFROM, &ad);
2734 if (rc)
2735 return rc;
2736
2737 rc = security_context_to_sid(value, size, &newsid);
12b29f34
SS		 2738 if (rc == -EINVAL) {
2739 if (!capable(CAP_MAC_ADMIN))
2740 return rc;
2741 rc = security_context_to_sid_force(value, size, &newsid);
2742 }
1da177e4
LT		 2743 if (rc)
2744 return rc;
2745
275bb41e 2746 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 2747 FILE__RELABELTO, &ad);
2748 if (rc)
2749 return rc;
2750
275bb41e 2751 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 2752 isec->sclass);
1da177e4
LT		 2753 if (rc)
2754 return rc;
2755
2756 return avc_has_perm(newsid,
2757 sbsec->sid,
2758 SECCLASS_FILESYSTEM,
2759 FILESYSTEM__ASSOCIATE,
2760 &ad);
2761}
2762
8f0cfa52 2763static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 2764 const void *value, size_t size,
8f0cfa52 2765 int flags)
1da177e4
LT		 2766{
2767 struct inode *inode = dentry->d_inode;
2768 struct inode_security_struct *isec = inode->i_security;
2769 u32 newsid;
2770 int rc;
2771
2772 if (strcmp(name, XATTR_NAME_SELINUX)) {
2773 /* Not an attribute we recognize, so nothing to do. */
2774 return;
2775 }
2776
12b29f34 2777 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 2778 if (rc) {
12b29f34
SS		 2779 printk(KERN_ERR "SELinux: unable to map context to SID"
2780 "for (%s, %lu), rc=%d\n",
2781 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 2782 return;
2783 }
2784
2785 isec->sid = newsid;
2786 return;
2787}
2788
8f0cfa52 2789static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 2790{
88e67f3b
DH		 2791 const struct cred *cred = current_cred();
2792
2793 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
1da177e4
LT		 2794}
2795
828dfe1d 2796static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 2797{
88e67f3b
DH		 2798 const struct cred *cred = current_cred();
2799
2800 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
1da177e4
LT		 2801}
2802
8f0cfa52 2803static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 2804{
b5376771
SH		 2805 if (strcmp(name, XATTR_NAME_SELINUX))
2806 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2807
2808 /* No one is allowed to remove a SELinux security label.
2809 You can change the label, but all data must be labeled. */
2810 return -EACCES;
2811}
2812
d381d8a9 2813/*
abc69bb6 2814 * Copy the inode security context value to the user.
d381d8a9
JM		 2815 *
2816 * Permission check is handled by selinux_inode_getxattr hook.
2817 */
42492594 2818static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 2819{
42492594
DQ		 2820 u32 size;
2821 int error;
2822 char *context = NULL;
1da177e4 2823 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2824
8c8570fb
DK		 2825 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2826 return -EOPNOTSUPP;
d381d8a9 2827
abc69bb6
SS		 2828 /*
2829 * If the caller has CAP_MAC_ADMIN, then get the raw context
2830 * value even if it is not defined by current policy; otherwise,
2831 * use the in-core value under current policy.
2832 * Use the non-auditing forms of the permission checks since
2833 * getxattr may be called by unprivileged processes commonly
2834 * and lack of permission just means that we fall back to the
2835 * in-core context value, not a denial.
2836 */
3699c53c
DH		 2837 error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
2838 SECURITY_CAP_NOAUDIT);
abc69bb6
SS		 2839 if (!error)
2840 error = security_sid_to_context_force(isec->sid, &context,
2841 &size);
2842 else
2843 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 2844 if (error)
2845 return error;
2846 error = size;
2847 if (alloc) {
2848 *buffer = context;
2849 goto out_nofree;
2850 }
2851 kfree(context);
2852out_nofree:
2853 return error;
1da177e4
LT		 2854}
2855
2856static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 2857 const void *value, size_t size, int flags)
1da177e4
LT		 2858{
2859 struct inode_security_struct *isec = inode->i_security;
2860 u32 newsid;
2861 int rc;
2862
2863 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2864 return -EOPNOTSUPP;
2865
2866 if (!value || !size)
2867 return -EACCES;
2868
828dfe1d 2869 rc = security_context_to_sid((void *)value, size, &newsid);
1da177e4
LT		 2870 if (rc)
2871 return rc;
2872
2873 isec->sid = newsid;
ddd29ec6 2874 isec->initialized = 1;
1da177e4
LT		 2875 return 0;
2876}
2877
2878static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2879{
2880 const int len = sizeof(XATTR_NAME_SELINUX);
2881 if (buffer && len <= buffer_size)
2882 memcpy(buffer, XATTR_NAME_SELINUX, len);
2883 return len;
2884}
2885
713a04ae
AD		 2886static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2887{
2888 struct inode_security_struct *isec = inode->i_security;
2889 *secid = isec->sid;
2890}
2891
1da177e4
LT		 2892/* file security operations */
2893
788e7dd4 2894static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 2895{
88e67f3b 2896 const struct cred *cred = current_cred();
3d5ff529 2897 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4 2898
1da177e4
LT		 2899 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2900 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2901 mask |= MAY_APPEND;
2902
389fb800
PM		 2903 return file_has_perm(cred, file,
2904 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 2905}
2906
788e7dd4
YN		 2907static int selinux_file_permission(struct file *file, int mask)
2908{
20dda18b
SS		 2909 struct inode *inode = file->f_path.dentry->d_inode;
2910 struct file_security_struct *fsec = file->f_security;
2911 struct inode_security_struct *isec = inode->i_security;
2912 u32 sid = current_sid();
2913
389fb800 2914 if (!mask)
788e7dd4
YN		 2915 /* No permission to check. Existence test. */
2916 return 0;
788e7dd4 2917
20dda18b
SS		 2918 if (sid == fsec->sid && fsec->isid == isec->sid &&
2919 fsec->pseqno == avc_policy_seqno())
2920 /* No change since dentry_open check. */
2921 return 0;
2922
788e7dd4
YN		 2923 return selinux_revalidate_file_permission(file, mask);
2924}
2925
1da177e4
LT		 2926static int selinux_file_alloc_security(struct file *file)
2927{
2928 return file_alloc_security(file);
2929}
2930
2931static void selinux_file_free_security(struct file *file)
2932{
2933 file_free_security(file);
2934}
2935
2936static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2937 unsigned long arg)
2938{
88e67f3b 2939 const struct cred *cred = current_cred();
0b24dcb7 2940 int error = 0;
1da177e4 2941
0b24dcb7
EP		 2942 switch (cmd) {
2943 case FIONREAD:
2944 /* fall through */
2945 case FIBMAP:
2946 /* fall through */
2947 case FIGETBSZ:
2948 /* fall through */
2949 case EXT2_IOC_GETFLAGS:
2950 /* fall through */
2951 case EXT2_IOC_GETVERSION:
2952 error = file_has_perm(cred, file, FILE__GETATTR);
2953 break;
1da177e4 2954
0b24dcb7
EP		 2955 case EXT2_IOC_SETFLAGS:
2956 /* fall through */
2957 case EXT2_IOC_SETVERSION:
2958 error = file_has_perm(cred, file, FILE__SETATTR);
2959 break;
2960
2961 /* sys_ioctl() checks */
2962 case FIONBIO:
2963 /* fall through */
2964 case FIOASYNC:
2965 error = file_has_perm(cred, file, 0);
2966 break;
1da177e4 2967
0b24dcb7
EP		 2968 case KDSKBENT:
2969 case KDSKBSENT:
2970 error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG,
2971 SECURITY_CAP_AUDIT);
2972 break;
2973
2974 /* default case assumes that the command will go
2975 * to the file's ioctl() function.
2976 */
2977 default:
2978 error = file_has_perm(cred, file, FILE__IOCTL);
2979 }
2980 return error;
1da177e4
LT		 2981}
2982
fcaaade1
SS		 2983static int default_noexec;
2984
1da177e4
LT		 2985static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2986{
88e67f3b 2987 const struct cred *cred = current_cred();
d84f4f99 2988 int rc = 0;
88e67f3b 2989
fcaaade1
SS		 2990 if (default_noexec &&
2991 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 2992 /*
2993 * We are making executable an anonymous mapping or a
2994 * private file mapping that will also be writable.
2995 * This has an additional check.
2996 */
d84f4f99 2997 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 2998 if (rc)
d84f4f99 2999 goto error;
1da177e4 3000 }
1da177e4
LT		 3001
3002 if (file) {
3003 /* read access is always possible with a mapping */
3004 u32 av = FILE__READ;
3005
3006 /* write access only matters if the mapping is shared */
3007 if (shared && (prot & PROT_WRITE))
3008 av |= FILE__WRITE;
3009
3010 if (prot & PROT_EXEC)
3011 av |= FILE__EXECUTE;
3012
88e67f3b 3013 return file_has_perm(cred, file, av);
1da177e4 3014 }
d84f4f99
DH		 3015
3016error:
3017 return rc;
1da177e4
LT		 3018}
3019
3020static int selinux_file_mmap(struct file *file, unsigned long reqprot,
ed032189
EP		 3021 unsigned long prot, unsigned long flags,
3022 unsigned long addr, unsigned long addr_only)
1da177e4 3023{
ed032189 3024 int rc = 0;
275bb41e 3025 u32 sid = current_sid();
1da177e4 3026
84336d1a
EP		 3027 /*
3028 * notice that we are intentionally putting the SELinux check before
3029 * the secondary cap_file_mmap check. This is such a likely attempt
3030 * at bad behaviour/exploit that we always want to get the AVC, even
3031 * if DAC would have also denied the operation.
3032 */
a2551df7 3033 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
ed032189
EP		 3034 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3035 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3036 if (rc)
3037 return rc;
3038 }
3039
3040 /* do DAC check on address space usage */
3041 rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
ed032189 3042 if (rc || addr_only)
1da177e4
LT		 3043 return rc;
3044
3045 if (selinux_checkreqprot)
3046 prot = reqprot;
3047
3048 return file_map_prot_check(file, prot,
3049 (flags & MAP_TYPE) == MAP_SHARED);
3050}
3051
3052static int selinux_file_mprotect(struct vm_area_struct *vma,
3053 unsigned long reqprot,
3054 unsigned long prot)
3055{
88e67f3b 3056 const struct cred *cred = current_cred();
1da177e4
LT		 3057
3058 if (selinux_checkreqprot)
3059 prot = reqprot;
3060
fcaaade1
SS		 3061 if (default_noexec &&
3062 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3063 int rc = 0;
db4c9641
SS		 3064 if (vma->vm_start >= vma->vm_mm->start_brk &&
3065 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3066 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641
SS		 3067 } else if (!vma->vm_file &&
3068 vma->vm_start <= vma->vm_mm->start_stack &&
3069 vma->vm_end >= vma->vm_mm->start_stack) {
3b11a1de 3070 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3071 } else if (vma->vm_file && vma->anon_vma) {
3072 /*
3073 * We are making executable a file mapping that has
3074 * had some COW done. Since pages might have been
3075 * written, check ability to execute the possibly
3076 * modified content. This typically should only
3077 * occur for text relocations.
3078 */
d84f4f99 3079 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3080 }