selinux: sparse fix: fix several warnings in the security server cod
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/ext2_fs.h>
32 #include <linux/sched.h>
33 #include <linux/security.h>
34 #include <linux/xattr.h>
35 #include <linux/capability.h>
36 #include <linux/unistd.h>
37 #include <linux/mm.h>
38 #include <linux/mman.h>
39 #include <linux/slab.h>
40 #include <linux/pagemap.h>
41 #include <linux/proc_fs.h>
42 #include <linux/swap.h>
43 #include <linux/spinlock.h>
44 #include <linux/syscalls.h>
45 #include <linux/dcache.h>
46 #include <linux/file.h>
47 #include <linux/fdtable.h>
48 #include <linux/namei.h>
49 #include <linux/mount.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h>             /* for local_port_range[] */
55 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h>    /* for network interface checks */
64 #include <linux/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h>           /* for Unix socket types */
70 #include <net/af_unix.h>        /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
73 #include <net/ipv6.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83
84 #include "avc.h"
85 #include "objsec.h"
86 #include "netif.h"
87 #include "netnode.h"
88 #include "netport.h"
89 #include "xfrm.h"
90 #include "netlabel.h"
91 #include "audit.h"
92 #include "avc_ss.h"
93
94 #define NUM_SEL_MNT_OPTS 5
95
96 extern struct security_operations *security_ops;
97
98 /* SECMARK reference count */
99 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100
101 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102 int selinux_enforcing;
103
104 static int __init enforcing_setup(char *str)
105 {
106         unsigned long enforcing;
107         if (!strict_strtoul(str, 0, &enforcing))
108                 selinux_enforcing = enforcing ? 1 : 0;
109         return 1;
110 }
111 __setup("enforcing=", enforcing_setup);
112 #endif
113
114 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116
117 static int __init selinux_enabled_setup(char *str)
118 {
119         unsigned long enabled;
120         if (!strict_strtoul(str, 0, &enabled))
121                 selinux_enabled = enabled ? 1 : 0;
122         return 1;
123 }
124 __setup("selinux=", selinux_enabled_setup);
125 #else
126 int selinux_enabled = 1;
127 #endif
128
129 static struct kmem_cache *sel_inode_cache;
130
131 /**
132  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133  *
134  * Description:
135  * This function checks the SECMARK reference counter to see if any SECMARK
136  * targets are currently configured, if the reference counter is greater than
137  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
138  * enabled, false (0) if SECMARK is disabled.
139  *
140  */
141 static int selinux_secmark_enabled(void)
142 {
143         return (atomic_read(&selinux_secmark_refcount) > 0);
144 }
145
146 /*
147  * initialise the security for the init task
148  */
149 static void cred_init_security(void)
150 {
151         struct cred *cred = (struct cred *) current->real_cred;
152         struct task_security_struct *tsec;
153
154         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
155         if (!tsec)
156                 panic("SELinux:  Failed to initialize initial task.\n");
157
158         tsec->osid = tsec->sid = SECINITSID_KERNEL;
159         cred->security = tsec;
160 }
161
162 /*
163  * get the security ID of a set of credentials
164  */
165 static inline u32 cred_sid(const struct cred *cred)
166 {
167         const struct task_security_struct *tsec;
168
169         tsec = cred->security;
170         return tsec->sid;
171 }
172
173 /*
174  * get the objective security ID of a task
175  */
176 static inline u32 task_sid(const struct task_struct *task)
177 {
178         u32 sid;
179
180         rcu_read_lock();
181         sid = cred_sid(__task_cred(task));
182         rcu_read_unlock();
183         return sid;
184 }
185
186 /*
187  * get the subjective security ID of the current task
188  */
189 static inline u32 current_sid(void)
190 {
191         const struct task_security_struct *tsec = current_security();
192
193         return tsec->sid;
194 }
195
196 /* Allocate and free functions for each kind of security blob. */
197
198 static int inode_alloc_security(struct inode *inode)
199 {
200         struct inode_security_struct *isec;
201         u32 sid = current_sid();
202
203         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
204         if (!isec)
205                 return -ENOMEM;
206
207         mutex_init(&isec->lock);
208         INIT_LIST_HEAD(&isec->list);
209         isec->inode = inode;
210         isec->sid = SECINITSID_UNLABELED;
211         isec->sclass = SECCLASS_FILE;
212         isec->task_sid = sid;
213         inode->i_security = isec;
214
215         return 0;
216 }
217
218 static void inode_free_security(struct inode *inode)
219 {
220         struct inode_security_struct *isec = inode->i_security;
221         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
222
223         spin_lock(&sbsec->isec_lock);
224         if (!list_empty(&isec->list))
225                 list_del_init(&isec->list);
226         spin_unlock(&sbsec->isec_lock);
227
228         inode->i_security = NULL;
229         kmem_cache_free(sel_inode_cache, isec);
230 }
231
232 static int file_alloc_security(struct file *file)
233 {
234         struct file_security_struct *fsec;
235         u32 sid = current_sid();
236
237         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
238         if (!fsec)
239                 return -ENOMEM;
240
241         fsec->sid = sid;
242         fsec->fown_sid = sid;
243         file->f_security = fsec;
244
245         return 0;
246 }
247
248 static void file_free_security(struct file *file)
249 {
250         struct file_security_struct *fsec = file->f_security;
251         file->f_security = NULL;
252         kfree(fsec);
253 }
254
255 static int superblock_alloc_security(struct super_block *sb)
256 {
257         struct superblock_security_struct *sbsec;
258
259         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
260         if (!sbsec)
261                 return -ENOMEM;
262
263         mutex_init(&sbsec->lock);
264         INIT_LIST_HEAD(&sbsec->isec_head);
265         spin_lock_init(&sbsec->isec_lock);
266         sbsec->sb = sb;
267         sbsec->sid = SECINITSID_UNLABELED;
268         sbsec->def_sid = SECINITSID_FILE;
269         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
270         sb->s_security = sbsec;
271
272         return 0;
273 }
274
275 static void superblock_free_security(struct super_block *sb)
276 {
277         struct superblock_security_struct *sbsec = sb->s_security;
278         sb->s_security = NULL;
279         kfree(sbsec);
280 }
281
282 /* The file system's label must be initialized prior to use. */
283
284 static const char *labeling_behaviors[6] = {
285         "uses xattr",
286         "uses transition SIDs",
287         "uses task SIDs",
288         "uses genfs_contexts",
289         "not configured for labeling",
290         "uses mountpoint labeling",
291 };
292
293 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
294
295 static inline int inode_doinit(struct inode *inode)
296 {
297         return inode_doinit_with_dentry(inode, NULL);
298 }
299
300 enum {
301         Opt_error = -1,
302         Opt_context = 1,
303         Opt_fscontext = 2,
304         Opt_defcontext = 3,
305         Opt_rootcontext = 4,
306         Opt_labelsupport = 5,
307 };
308
309 static const match_table_t tokens = {
310         {Opt_context, CONTEXT_STR "%s"},
311         {Opt_fscontext, FSCONTEXT_STR "%s"},
312         {Opt_defcontext, DEFCONTEXT_STR "%s"},
313         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
314         {Opt_labelsupport, LABELSUPP_STR},
315         {Opt_error, NULL},
316 };
317
318 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
319
320 static int may_context_mount_sb_relabel(u32 sid,
321                         struct superblock_security_struct *sbsec,
322                         const struct cred *cred)
323 {
324         const struct task_security_struct *tsec = cred->security;
325         int rc;
326
327         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
328                           FILESYSTEM__RELABELFROM, NULL);
329         if (rc)
330                 return rc;
331
332         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
333                           FILESYSTEM__RELABELTO, NULL);
334         return rc;
335 }
336
337 static int may_context_mount_inode_relabel(u32 sid,
338                         struct superblock_security_struct *sbsec,
339                         const struct cred *cred)
340 {
341         const struct task_security_struct *tsec = cred->security;
342         int rc;
343         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
344                           FILESYSTEM__RELABELFROM, NULL);
345         if (rc)
346                 return rc;
347
348         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
349                           FILESYSTEM__ASSOCIATE, NULL);
350         return rc;
351 }
352
353 static int sb_finish_set_opts(struct super_block *sb)
354 {
355         struct superblock_security_struct *sbsec = sb->s_security;
356         struct dentry *root = sb->s_root;
357         struct inode *root_inode = root->d_inode;
358         int rc = 0;
359
360         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
361                 /* Make sure that the xattr handler exists and that no
362                    error other than -ENODATA is returned by getxattr on
363                    the root directory.  -ENODATA is ok, as this may be
364                    the first boot of the SELinux kernel before we have
365                    assigned xattr values to the filesystem. */
366                 if (!root_inode->i_op->getxattr) {
367                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
368                                "xattr support\n", sb->s_id, sb->s_type->name);
369                         rc = -EOPNOTSUPP;
370                         goto out;
371                 }
372                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
373                 if (rc < 0 && rc != -ENODATA) {
374                         if (rc == -EOPNOTSUPP)
375                                 printk(KERN_WARNING "SELinux: (dev %s, type "
376                                        "%s) has no security xattr handler\n",
377                                        sb->s_id, sb->s_type->name);
378                         else
379                                 printk(KERN_WARNING "SELinux: (dev %s, type "
380                                        "%s) getxattr errno %d\n", sb->s_id,
381                                        sb->s_type->name, -rc);
382                         goto out;
383                 }
384         }
385
386         sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
387
388         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
389                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
390                        sb->s_id, sb->s_type->name);
391         else
392                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
393                        sb->s_id, sb->s_type->name,
394                        labeling_behaviors[sbsec->behavior-1]);
395
396         if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
397             sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
398             sbsec->behavior == SECURITY_FS_USE_NONE ||
399             sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
400                 sbsec->flags &= ~SE_SBLABELSUPP;
401
402         /* Special handling for sysfs. Is genfs but also has setxattr handler*/
403         if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
404                 sbsec->flags |= SE_SBLABELSUPP;
405
406         /* Initialize the root inode. */
407         rc = inode_doinit_with_dentry(root_inode, root);
408
409         /* Initialize any other inodes associated with the superblock, e.g.
410            inodes created prior to initial policy load or inodes created
411            during get_sb by a pseudo filesystem that directly
412            populates itself. */
413         spin_lock(&sbsec->isec_lock);
414 next_inode:
415         if (!list_empty(&sbsec->isec_head)) {
416                 struct inode_security_struct *isec =
417                                 list_entry(sbsec->isec_head.next,
418                                            struct inode_security_struct, list);
419                 struct inode *inode = isec->inode;
420                 spin_unlock(&sbsec->isec_lock);
421                 inode = igrab(inode);
422                 if (inode) {
423                         if (!IS_PRIVATE(inode))
424                                 inode_doinit(inode);
425                         iput(inode);
426                 }
427                 spin_lock(&sbsec->isec_lock);
428                 list_del_init(&isec->list);
429                 goto next_inode;
430         }
431         spin_unlock(&sbsec->isec_lock);
432 out:
433         return rc;
434 }
435
436 /*
437  * This function should allow an FS to ask what it's mount security
438  * options were so it can use those later for submounts, displaying
439  * mount options, or whatever.
440  */
441 static int selinux_get_mnt_opts(const struct super_block *sb,
442                                 struct security_mnt_opts *opts)
443 {
444         int rc = 0, i;
445         struct superblock_security_struct *sbsec = sb->s_security;
446         char *context = NULL;
447         u32 len;
448         char tmp;
449
450         security_init_mnt_opts(opts);
451
452         if (!(sbsec->flags & SE_SBINITIALIZED))
453                 return -EINVAL;
454
455         if (!ss_initialized)
456                 return -EINVAL;
457
458         tmp = sbsec->flags & SE_MNTMASK;
459         /* count the number of mount options for this sb */
460         for (i = 0; i < 8; i++) {
461                 if (tmp & 0x01)
462                         opts->num_mnt_opts++;
463                 tmp >>= 1;
464         }
465         /* Check if the Label support flag is set */
466         if (sbsec->flags & SE_SBLABELSUPP)
467                 opts->num_mnt_opts++;
468
469         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
470         if (!opts->mnt_opts) {
471                 rc = -ENOMEM;
472                 goto out_free;
473         }
474
475         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
476         if (!opts->mnt_opts_flags) {
477                 rc = -ENOMEM;
478                 goto out_free;
479         }
480
481         i = 0;
482         if (sbsec->flags & FSCONTEXT_MNT) {
483                 rc = security_sid_to_context(sbsec->sid, &context, &len);
484                 if (rc)
485                         goto out_free;
486                 opts->mnt_opts[i] = context;
487                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
488         }
489         if (sbsec->flags & CONTEXT_MNT) {
490                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
491                 if (rc)
492                         goto out_free;
493                 opts->mnt_opts[i] = context;
494                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
495         }
496         if (sbsec->flags & DEFCONTEXT_MNT) {
497                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
498                 if (rc)
499                         goto out_free;
500                 opts->mnt_opts[i] = context;
501                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
502         }
503         if (sbsec->flags & ROOTCONTEXT_MNT) {
504                 struct inode *root = sbsec->sb->s_root->d_inode;
505                 struct inode_security_struct *isec = root->i_security;
506
507                 rc = security_sid_to_context(isec->sid, &context, &len);
508                 if (rc)
509                         goto out_free;
510                 opts->mnt_opts[i] = context;
511                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
512         }
513         if (sbsec->flags & SE_SBLABELSUPP) {
514                 opts->mnt_opts[i] = NULL;
515                 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
516         }
517
518         BUG_ON(i != opts->num_mnt_opts);
519
520         return 0;
521
522 out_free:
523         security_free_mnt_opts(opts);
524         return rc;
525 }
526
527 static int bad_option(struct superblock_security_struct *sbsec, char flag,
528                       u32 old_sid, u32 new_sid)
529 {
530         char mnt_flags = sbsec->flags & SE_MNTMASK;
531
532         /* check if the old mount command had the same options */
533         if (sbsec->flags & SE_SBINITIALIZED)
534                 if (!(sbsec->flags & flag) ||
535                     (old_sid != new_sid))
536                         return 1;
537
538         /* check if we were passed the same options twice,
539          * aka someone passed context=a,context=b
540          */
541         if (!(sbsec->flags & SE_SBINITIALIZED))
542                 if (mnt_flags & flag)
543                         return 1;
544         return 0;
545 }
546
547 /*
548  * Allow filesystems with binary mount data to explicitly set mount point
549  * labeling information.
550  */
551 static int selinux_set_mnt_opts(struct super_block *sb,
552                                 struct security_mnt_opts *opts)
553 {
554         const struct cred *cred = current_cred();
555         int rc = 0, i;
556         struct superblock_security_struct *sbsec = sb->s_security;
557         const char *name = sb->s_type->name;
558         struct inode *inode = sbsec->sb->s_root->d_inode;
559         struct inode_security_struct *root_isec = inode->i_security;
560         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
561         u32 defcontext_sid = 0;
562         char **mount_options = opts->mnt_opts;
563         int *flags = opts->mnt_opts_flags;
564         int num_opts = opts->num_mnt_opts;
565
566         mutex_lock(&sbsec->lock);
567
568         if (!ss_initialized) {
569                 if (!num_opts) {
570                         /* Defer initialization until selinux_complete_init,
571                            after the initial policy is loaded and the security
572                            server is ready to handle calls. */
573                         goto out;
574                 }
575                 rc = -EINVAL;
576                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
577                         "before the security server is initialized\n");
578                 goto out;
579         }
580
581         /*
582          * Binary mount data FS will come through this function twice.  Once
583          * from an explicit call and once from the generic calls from the vfs.
584          * Since the generic VFS calls will not contain any security mount data
585          * we need to skip the double mount verification.
586          *
587          * This does open a hole in which we will not notice if the first
588          * mount using this sb set explict options and a second mount using
589          * this sb does not set any security options.  (The first options
590          * will be used for both mounts)
591          */
592         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
593             && (num_opts == 0))
594                 goto out;
595
596         /*
597          * parse the mount options, check if they are valid sids.
598          * also check if someone is trying to mount the same sb more
599          * than once with different security options.
600          */
601         for (i = 0; i < num_opts; i++) {
602                 u32 sid;
603
604                 if (flags[i] == SE_SBLABELSUPP)
605                         continue;
606                 rc = security_context_to_sid(mount_options[i],
607                                              strlen(mount_options[i]), &sid);
608                 if (rc) {
609                         printk(KERN_WARNING "SELinux: security_context_to_sid"
610                                "(%s) failed for (dev %s, type %s) errno=%d\n",
611                                mount_options[i], sb->s_id, name, rc);
612                         goto out;
613                 }
614                 switch (flags[i]) {
615                 case FSCONTEXT_MNT:
616                         fscontext_sid = sid;
617
618                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
619                                         fscontext_sid))
620                                 goto out_double_mount;
621
622                         sbsec->flags |= FSCONTEXT_MNT;
623                         break;
624                 case CONTEXT_MNT:
625                         context_sid = sid;
626
627                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
628                                         context_sid))
629                                 goto out_double_mount;
630
631                         sbsec->flags |= CONTEXT_MNT;
632                         break;
633                 case ROOTCONTEXT_MNT:
634                         rootcontext_sid = sid;
635
636                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
637                                         rootcontext_sid))
638                                 goto out_double_mount;
639
640                         sbsec->flags |= ROOTCONTEXT_MNT;
641
642                         break;
643                 case DEFCONTEXT_MNT:
644                         defcontext_sid = sid;
645
646                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
647                                         defcontext_sid))
648                                 goto out_double_mount;
649
650                         sbsec->flags |= DEFCONTEXT_MNT;
651
652                         break;
653                 default:
654                         rc = -EINVAL;
655                         goto out;
656                 }
657         }
658
659         if (sbsec->flags & SE_SBINITIALIZED) {
660                 /* previously mounted with options, but not on this attempt? */
661                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
662                         goto out_double_mount;
663                 rc = 0;
664                 goto out;
665         }
666
667         if (strcmp(sb->s_type->name, "proc") == 0)
668                 sbsec->flags |= SE_SBPROC;
669
670         /* Determine the labeling behavior to use for this filesystem type. */
671         rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
672         if (rc) {
673                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
674                        __func__, sb->s_type->name, rc);
675                 goto out;
676         }
677
678         /* sets the context of the superblock for the fs being mounted. */
679         if (fscontext_sid) {
680                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
681                 if (rc)
682                         goto out;
683
684                 sbsec->sid = fscontext_sid;
685         }
686
687         /*
688          * Switch to using mount point labeling behavior.
689          * sets the label used on all file below the mountpoint, and will set
690          * the superblock context if not already set.
691          */
692         if (context_sid) {
693                 if (!fscontext_sid) {
694                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
695                                                           cred);
696                         if (rc)
697                                 goto out;
698                         sbsec->sid = context_sid;
699                 } else {
700                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
701                                                              cred);
702                         if (rc)
703                                 goto out;
704                 }
705                 if (!rootcontext_sid)
706                         rootcontext_sid = context_sid;
707
708                 sbsec->mntpoint_sid = context_sid;
709                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
710         }
711
712         if (rootcontext_sid) {
713                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
714                                                      cred);
715                 if (rc)
716                         goto out;
717
718                 root_isec->sid = rootcontext_sid;
719                 root_isec->initialized = 1;
720         }
721
722         if (defcontext_sid) {
723                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
724                         rc = -EINVAL;
725                         printk(KERN_WARNING "SELinux: defcontext option is "
726                                "invalid for this filesystem type\n");
727                         goto out;
728                 }
729
730                 if (defcontext_sid != sbsec->def_sid) {
731                         rc = may_context_mount_inode_relabel(defcontext_sid,
732                                                              sbsec, cred);
733                         if (rc)
734                                 goto out;
735                 }
736
737                 sbsec->def_sid = defcontext_sid;
738         }
739
740         rc = sb_finish_set_opts(sb);
741 out:
742         mutex_unlock(&sbsec->lock);
743         return rc;
744 out_double_mount:
745         rc = -EINVAL;
746         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
747                "security settings for (dev %s, type %s)\n", sb->s_id, name);
748         goto out;
749 }
750
751 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
752                                         struct super_block *newsb)
753 {
754         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
755         struct superblock_security_struct *newsbsec = newsb->s_security;
756
757         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
758         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
759         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
760
761         /*
762          * if the parent was able to be mounted it clearly had no special lsm
763          * mount options.  thus we can safely deal with this superblock later
764          */
765         if (!ss_initialized)
766                 return;
767
768         /* how can we clone if the old one wasn't set up?? */
769         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
770
771         /* if fs is reusing a sb, just let its options stand... */
772         if (newsbsec->flags & SE_SBINITIALIZED)
773                 return;
774
775         mutex_lock(&newsbsec->lock);
776
777         newsbsec->flags = oldsbsec->flags;
778
779         newsbsec->sid = oldsbsec->sid;
780         newsbsec->def_sid = oldsbsec->def_sid;
781         newsbsec->behavior = oldsbsec->behavior;
782
783         if (set_context) {
784                 u32 sid = oldsbsec->mntpoint_sid;
785
786                 if (!set_fscontext)
787                         newsbsec->sid = sid;
788                 if (!set_rootcontext) {
789                         struct inode *newinode = newsb->s_root->d_inode;
790                         struct inode_security_struct *newisec = newinode->i_security;
791                         newisec->sid = sid;
792                 }
793                 newsbsec->mntpoint_sid = sid;
794         }
795         if (set_rootcontext) {
796                 const struct inode *oldinode = oldsb->s_root->d_inode;
797                 const struct inode_security_struct *oldisec = oldinode->i_security;
798                 struct inode *newinode = newsb->s_root->d_inode;
799                 struct inode_security_struct *newisec = newinode->i_security;
800
801                 newisec->sid = oldisec->sid;
802         }
803
804         sb_finish_set_opts(newsb);
805         mutex_unlock(&newsbsec->lock);
806 }
807
808 static int selinux_parse_opts_str(char *options,
809                                   struct security_mnt_opts *opts)
810 {
811         char *p;
812         char *context = NULL, *defcontext = NULL;
813         char *fscontext = NULL, *rootcontext = NULL;
814         int rc, num_mnt_opts = 0;
815
816         opts->num_mnt_opts = 0;
817
818         /* Standard string-based options. */
819         while ((p = strsep(&options, "|")) != NULL) {
820                 int token;
821                 substring_t args[MAX_OPT_ARGS];
822
823                 if (!*p)
824                         continue;
825
826                 token = match_token(p, tokens, args);
827
828                 switch (token) {
829                 case Opt_context:
830                         if (context || defcontext) {
831                                 rc = -EINVAL;
832                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
833                                 goto out_err;
834                         }
835                         context = match_strdup(&args[0]);
836                         if (!context) {
837                                 rc = -ENOMEM;
838                                 goto out_err;
839                         }
840                         break;
841
842                 case Opt_fscontext:
843                         if (fscontext) {
844                                 rc = -EINVAL;
845                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
846                                 goto out_err;
847                         }
848                         fscontext = match_strdup(&args[0]);
849                         if (!fscontext) {
850                                 rc = -ENOMEM;
851                                 goto out_err;
852                         }
853                         break;
854
855                 case Opt_rootcontext:
856                         if (rootcontext) {
857                                 rc = -EINVAL;
858                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
859                                 goto out_err;
860                         }
861                         rootcontext = match_strdup(&args[0]);
862                         if (!rootcontext) {
863                                 rc = -ENOMEM;
864                                 goto out_err;
865                         }
866                         break;
867
868                 case Opt_defcontext:
869                         if (context || defcontext) {
870                                 rc = -EINVAL;
871                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
872                                 goto out_err;
873                         }
874                         defcontext = match_strdup(&args[0]);
875                         if (!defcontext) {
876                                 rc = -ENOMEM;
877                                 goto out_err;
878                         }
879                         break;
880                 case Opt_labelsupport:
881                         break;
882                 default:
883                         rc = -EINVAL;
884                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
885                         goto out_err;
886
887                 }
888         }
889
890         rc = -ENOMEM;
891         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
892         if (!opts->mnt_opts)
893                 goto out_err;
894
895         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
896         if (!opts->mnt_opts_flags) {
897                 kfree(opts->mnt_opts);
898                 goto out_err;
899         }
900
901         if (fscontext) {
902                 opts->mnt_opts[num_mnt_opts] = fscontext;
903                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
904         }
905         if (context) {
906                 opts->mnt_opts[num_mnt_opts] = context;
907                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
908         }
909         if (rootcontext) {
910                 opts->mnt_opts[num_mnt_opts] = rootcontext;
911                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
912         }
913         if (defcontext) {
914                 opts->mnt_opts[num_mnt_opts] = defcontext;
915                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
916         }
917
918         opts->num_mnt_opts = num_mnt_opts;
919         return 0;
920
921 out_err:
922         kfree(context);
923         kfree(defcontext);
924         kfree(fscontext);
925         kfree(rootcontext);
926         return rc;
927 }
928 /*
929  * string mount options parsing and call set the sbsec
930  */
931 static int superblock_doinit(struct super_block *sb, void *data)
932 {
933         int rc = 0;
934         char *options = data;
935         struct security_mnt_opts opts;
936
937         security_init_mnt_opts(&opts);
938
939         if (!data)
940                 goto out;
941
942         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
943
944         rc = selinux_parse_opts_str(options, &opts);
945         if (rc)
946                 goto out_err;
947
948 out:
949         rc = selinux_set_mnt_opts(sb, &opts);
950
951 out_err:
952         security_free_mnt_opts(&opts);
953         return rc;
954 }
955
956 static void selinux_write_opts(struct seq_file *m,
957                                struct security_mnt_opts *opts)
958 {
959         int i;
960         char *prefix;
961
962         for (i = 0; i < opts->num_mnt_opts; i++) {
963                 char *has_comma;
964
965                 if (opts->mnt_opts[i])
966                         has_comma = strchr(opts->mnt_opts[i], ',');
967                 else
968                         has_comma = NULL;
969
970                 switch (opts->mnt_opts_flags[i]) {
971                 case CONTEXT_MNT:
972                         prefix = CONTEXT_STR;
973                         break;
974                 case FSCONTEXT_MNT:
975                         prefix = FSCONTEXT_STR;
976                         break;
977                 case ROOTCONTEXT_MNT:
978                         prefix = ROOTCONTEXT_STR;
979                         break;
980                 case DEFCONTEXT_MNT:
981                         prefix = DEFCONTEXT_STR;
982                         break;
983                 case SE_SBLABELSUPP:
984                         seq_putc(m, ',');
985                         seq_puts(m, LABELSUPP_STR);
986                         continue;
987                 default:
988                         BUG();
989                         return;
990                 };
991                 /* we need a comma before each option */
992                 seq_putc(m, ',');
993                 seq_puts(m, prefix);
994                 if (has_comma)
995                         seq_putc(m, '\"');
996                 seq_puts(m, opts->mnt_opts[i]);
997                 if (has_comma)
998                         seq_putc(m, '\"');
999         }
1000 }
1001
1002 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1003 {
1004         struct security_mnt_opts opts;
1005         int rc;
1006
1007         rc = selinux_get_mnt_opts(sb, &opts);
1008         if (rc) {
1009                 /* before policy load we may get EINVAL, don't show anything */
1010                 if (rc == -EINVAL)
1011                         rc = 0;
1012                 return rc;
1013         }
1014
1015         selinux_write_opts(m, &opts);
1016
1017         security_free_mnt_opts(&opts);
1018
1019         return rc;
1020 }
1021
1022 static inline u16 inode_mode_to_security_class(umode_t mode)
1023 {
1024         switch (mode & S_IFMT) {
1025         case S_IFSOCK:
1026                 return SECCLASS_SOCK_FILE;
1027         case S_IFLNK:
1028                 return SECCLASS_LNK_FILE;
1029         case S_IFREG:
1030                 return SECCLASS_FILE;
1031         case S_IFBLK:
1032                 return SECCLASS_BLK_FILE;
1033         case S_IFDIR:
1034                 return SECCLASS_DIR;
1035         case S_IFCHR:
1036                 return SECCLASS_CHR_FILE;
1037         case S_IFIFO:
1038                 return SECCLASS_FIFO_FILE;
1039
1040         }
1041
1042         return SECCLASS_FILE;
1043 }
1044
1045 static inline int default_protocol_stream(int protocol)
1046 {
1047         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1048 }
1049
1050 static inline int default_protocol_dgram(int protocol)
1051 {
1052         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1053 }
1054
1055 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1056 {
1057         switch (family) {
1058         case PF_UNIX:
1059                 switch (type) {
1060                 case SOCK_STREAM:
1061                 case SOCK_SEQPACKET:
1062                         return SECCLASS_UNIX_STREAM_SOCKET;
1063                 case SOCK_DGRAM:
1064                         return SECCLASS_UNIX_DGRAM_SOCKET;
1065                 }
1066                 break;
1067         case PF_INET:
1068         case PF_INET6:
1069                 switch (type) {
1070                 case SOCK_STREAM:
1071                         if (default_protocol_stream(protocol))
1072                                 return SECCLASS_TCP_SOCKET;
1073                         else
1074                                 return SECCLASS_RAWIP_SOCKET;
1075                 case SOCK_DGRAM:
1076                         if (default_protocol_dgram(protocol))
1077                                 return SECCLASS_UDP_SOCKET;
1078                         else
1079                                 return SECCLASS_RAWIP_SOCKET;
1080                 case SOCK_DCCP:
1081                         return SECCLASS_DCCP_SOCKET;
1082                 default:
1083                         return SECCLASS_RAWIP_SOCKET;
1084                 }
1085                 break;
1086         case PF_NETLINK:
1087                 switch (protocol) {
1088                 case NETLINK_ROUTE:
1089                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1090                 case NETLINK_FIREWALL:
1091                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1092                 case NETLINK_INET_DIAG:
1093                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1094                 case NETLINK_NFLOG:
1095                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1096                 case NETLINK_XFRM:
1097                         return SECCLASS_NETLINK_XFRM_SOCKET;
1098                 case NETLINK_SELINUX:
1099                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1100                 case NETLINK_AUDIT:
1101                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1102                 case NETLINK_IP6_FW:
1103                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1104                 case NETLINK_DNRTMSG:
1105                         return SECCLASS_NETLINK_DNRT_SOCKET;
1106                 case NETLINK_KOBJECT_UEVENT:
1107                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1108                 default:
1109                         return SECCLASS_NETLINK_SOCKET;
1110                 }
1111         case PF_PACKET:
1112                 return SECCLASS_PACKET_SOCKET;
1113         case PF_KEY:
1114                 return SECCLASS_KEY_SOCKET;
1115         case PF_APPLETALK:
1116                 return SECCLASS_APPLETALK_SOCKET;
1117         }
1118
1119         return SECCLASS_SOCKET;
1120 }
1121
1122 #ifdef CONFIG_PROC_FS
1123 static int selinux_proc_get_sid(struct dentry *dentry,
1124                                 u16 tclass,
1125                                 u32 *sid)
1126 {
1127         int rc;
1128         char *buffer, *path;
1129
1130         buffer = (char *)__get_free_page(GFP_KERNEL);
1131         if (!buffer)
1132                 return -ENOMEM;
1133
1134         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1135         if (IS_ERR(path))
1136                 rc = PTR_ERR(path);
1137         else {
1138                 /* each process gets a /proc/PID/ entry. Strip off the
1139                  * PID part to get a valid selinux labeling.
1140                  * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1141                 while (path[1] >= '0' && path[1] <= '9') {
1142                         path[1] = '/';
1143                         path++;
1144                 }
1145                 rc = security_genfs_sid("proc", path, tclass, sid);
1146         }
1147         free_page((unsigned long)buffer);
1148         return rc;
1149 }
1150 #else
1151 static int selinux_proc_get_sid(struct dentry *dentry,
1152                                 u16 tclass,
1153                                 u32 *sid)
1154 {
1155         return -EINVAL;
1156 }
1157 #endif
1158
1159 /* The inode's security attributes must be initialized before first use. */
1160 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1161 {
1162         struct superblock_security_struct *sbsec = NULL;
1163         struct inode_security_struct *isec = inode->i_security;
1164         u32 sid;
1165         struct dentry *dentry;
1166 #define INITCONTEXTLEN 255
1167         char *context = NULL;
1168         unsigned len = 0;
1169         int rc = 0;
1170
1171         if (isec->initialized)
1172                 goto out;
1173
1174         mutex_lock(&isec->lock);
1175         if (isec->initialized)
1176                 goto out_unlock;
1177
1178         sbsec = inode->i_sb->s_security;
1179         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1180                 /* Defer initialization until selinux_complete_init,
1181                    after the initial policy is loaded and the security
1182                    server is ready to handle calls. */
1183                 spin_lock(&sbsec->isec_lock);
1184                 if (list_empty(&isec->list))
1185                         list_add(&isec->list, &sbsec->isec_head);
1186                 spin_unlock(&sbsec->isec_lock);
1187                 goto out_unlock;
1188         }
1189
1190         switch (sbsec->behavior) {
1191         case SECURITY_FS_USE_XATTR:
1192                 if (!inode->i_op->getxattr) {
1193                         isec->sid = sbsec->def_sid;
1194                         break;
1195                 }
1196
1197                 /* Need a dentry, since the xattr API requires one.
1198                    Life would be simpler if we could just pass the inode. */
1199                 if (opt_dentry) {
1200                         /* Called from d_instantiate or d_splice_alias. */
1201                         dentry = dget(opt_dentry);
1202                 } else {
1203                         /* Called from selinux_complete_init, try to find a dentry. */
1204                         dentry = d_find_alias(inode);
1205                 }
1206                 if (!dentry) {
1207                         /*
1208                          * this is can be hit on boot when a file is accessed
1209                          * before the policy is loaded.  When we load policy we
1210                          * may find inodes that have no dentry on the
1211                          * sbsec->isec_head list.  No reason to complain as these
1212                          * will get fixed up the next time we go through
1213                          * inode_doinit with a dentry, before these inodes could
1214                          * be used again by userspace.
1215                          */
1216                         goto out_unlock;
1217                 }
1218
1219                 len = INITCONTEXTLEN;
1220                 context = kmalloc(len+1, GFP_NOFS);
1221                 if (!context) {
1222                         rc = -ENOMEM;
1223                         dput(dentry);
1224                         goto out_unlock;
1225                 }
1226                 context[len] = '\0';
1227                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1228                                            context, len);
1229                 if (rc == -ERANGE) {
1230                         kfree(context);
1231
1232                         /* Need a larger buffer.  Query for the right size. */
1233                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1234                                                    NULL, 0);
1235                         if (rc < 0) {
1236                                 dput(dentry);
1237                                 goto out_unlock;
1238                         }
1239                         len = rc;
1240                         context = kmalloc(len+1, GFP_NOFS);
1241                         if (!context) {
1242                                 rc = -ENOMEM;
1243                                 dput(dentry);
1244                                 goto out_unlock;
1245                         }
1246                         context[len] = '\0';
1247                         rc = inode->i_op->getxattr(dentry,
1248                                                    XATTR_NAME_SELINUX,
1249                                                    context, len);
1250                 }
1251                 dput(dentry);
1252                 if (rc < 0) {
1253                         if (rc != -ENODATA) {
1254                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1255                                        "%d for dev=%s ino=%ld\n", __func__,
1256                                        -rc, inode->i_sb->s_id, inode->i_ino);
1257                                 kfree(context);
1258                                 goto out_unlock;
1259                         }
1260                         /* Map ENODATA to the default file SID */
1261                         sid = sbsec->def_sid;
1262                         rc = 0;
1263                 } else {
1264                         rc = security_context_to_sid_default(context, rc, &sid,
1265                                                              sbsec->def_sid,
1266                                                              GFP_NOFS);
1267                         if (rc) {
1268                                 char *dev = inode->i_sb->s_id;
1269                                 unsigned long ino = inode->i_ino;
1270
1271                                 if (rc == -EINVAL) {
1272                                         if (printk_ratelimit())
1273                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1274                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1275                                                         "filesystem in question.\n", ino, dev, context);
1276                                 } else {
1277                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1278                                                "returned %d for dev=%s ino=%ld\n",
1279                                                __func__, context, -rc, dev, ino);
1280                                 }
1281                                 kfree(context);
1282                                 /* Leave with the unlabeled SID */
1283                                 rc = 0;
1284                                 break;
1285                         }
1286                 }
1287                 kfree(context);
1288                 isec->sid = sid;
1289                 break;
1290         case SECURITY_FS_USE_TASK:
1291                 isec->sid = isec->task_sid;
1292                 break;
1293         case SECURITY_FS_USE_TRANS:
1294                 /* Default to the fs SID. */
1295                 isec->sid = sbsec->sid;
1296
1297                 /* Try to obtain a transition SID. */
1298                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1299                 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1300                                              isec->sclass, NULL, &sid);
1301                 if (rc)
1302                         goto out_unlock;
1303                 isec->sid = sid;
1304                 break;
1305         case SECURITY_FS_USE_MNTPOINT:
1306                 isec->sid = sbsec->mntpoint_sid;
1307                 break;
1308         default:
1309                 /* Default to the fs superblock SID. */
1310                 isec->sid = sbsec->sid;
1311
1312                 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1313                         if (opt_dentry) {
1314                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1315                                 rc = selinux_proc_get_sid(opt_dentry,
1316                                                           isec->sclass,
1317                                                           &sid);
1318                                 if (rc)
1319                                         goto out_unlock;
1320                                 isec->sid = sid;
1321                         }
1322                 }
1323                 break;
1324         }
1325
1326         isec->initialized = 1;
1327
1328 out_unlock:
1329         mutex_unlock(&isec->lock);
1330 out:
1331         if (isec->sclass == SECCLASS_FILE)
1332                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1333         return rc;
1334 }
1335
1336 /* Convert a Linux signal to an access vector. */
1337 static inline u32 signal_to_av(int sig)
1338 {
1339         u32 perm = 0;
1340
1341         switch (sig) {
1342         case SIGCHLD:
1343                 /* Commonly granted from child to parent. */
1344                 perm = PROCESS__SIGCHLD;
1345                 break;
1346         case SIGKILL:
1347                 /* Cannot be caught or ignored */
1348                 perm = PROCESS__SIGKILL;
1349                 break;
1350         case SIGSTOP:
1351                 /* Cannot be caught or ignored */
1352                 perm = PROCESS__SIGSTOP;
1353                 break;
1354         default:
1355                 /* All other signals. */
1356                 perm = PROCESS__SIGNAL;
1357                 break;
1358         }
1359
1360         return perm;
1361 }
1362
1363 /*
1364  * Check permission between a pair of credentials
1365  * fork check, ptrace check, etc.
1366  */
1367 static int cred_has_perm(const struct cred *actor,
1368                          const struct cred *target,
1369                          u32 perms)
1370 {
1371         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1372
1373         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1374 }
1375
1376 /*
1377  * Check permission between a pair of tasks, e.g. signal checks,
1378  * fork check, ptrace check, etc.
1379  * tsk1 is the actor and tsk2 is the target
1380  * - this uses the default subjective creds of tsk1
1381  */
1382 static int task_has_perm(const struct task_struct *tsk1,
1383                          const struct task_struct *tsk2,
1384                          u32 perms)
1385 {
1386         const struct task_security_struct *__tsec1, *__tsec2;
1387         u32 sid1, sid2;
1388
1389         rcu_read_lock();
1390         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1391         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1392         rcu_read_unlock();
1393         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1394 }
1395
1396 /*
1397  * Check permission between current and another task, e.g. signal checks,
1398  * fork check, ptrace check, etc.
1399  * current is the actor and tsk2 is the target
1400  * - this uses current's subjective creds
1401  */
1402 static int current_has_perm(const struct task_struct *tsk,
1403                             u32 perms)
1404 {
1405         u32 sid, tsid;
1406
1407         sid = current_sid();
1408         tsid = task_sid(tsk);
1409         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1410 }
1411
1412 #if CAP_LAST_CAP > 63
1413 #error Fix SELinux to handle capabilities > 63.
1414 #endif
1415
1416 /* Check whether a task is allowed to use a capability. */
1417 static int task_has_capability(struct task_struct *tsk,
1418                                const struct cred *cred,
1419                                int cap, int audit)
1420 {
1421         struct common_audit_data ad;
1422         struct av_decision avd;
1423         u16 sclass;
1424         u32 sid = cred_sid(cred);
1425         u32 av = CAP_TO_MASK(cap);
1426         int rc;
1427
1428         COMMON_AUDIT_DATA_INIT(&ad, CAP);
1429         ad.tsk = tsk;
1430         ad.u.cap = cap;
1431
1432         switch (CAP_TO_INDEX(cap)) {
1433         case 0:
1434                 sclass = SECCLASS_CAPABILITY;
1435                 break;
1436         case 1:
1437                 sclass = SECCLASS_CAPABILITY2;
1438                 break;
1439         default:
1440                 printk(KERN_ERR
1441                        "SELinux:  out of range capability %d\n", cap);
1442                 BUG();
1443                 return -EINVAL;
1444         }
1445
1446         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1447         if (audit == SECURITY_CAP_AUDIT) {
1448                 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1449                 if (rc2)
1450                         return rc2;
1451         }
1452         return rc;
1453 }
1454
1455 /* Check whether a task is allowed to use a system operation. */
1456 static int task_has_system(struct task_struct *tsk,
1457                            u32 perms)
1458 {
1459         u32 sid = task_sid(tsk);
1460
1461         return avc_has_perm(sid, SECINITSID_KERNEL,
1462                             SECCLASS_SYSTEM, perms, NULL);
1463 }
1464
1465 /* Check whether a task has a particular permission to an inode.
1466    The 'adp' parameter is optional and allows other audit
1467    data to be passed (e.g. the dentry). */
1468 static int inode_has_perm(const struct cred *cred,
1469                           struct inode *inode,
1470                           u32 perms,
1471                           struct common_audit_data *adp,
1472                           unsigned flags)
1473 {
1474         struct inode_security_struct *isec;
1475         u32 sid;
1476
1477         validate_creds(cred);
1478
1479         if (unlikely(IS_PRIVATE(inode)))
1480                 return 0;
1481
1482         sid = cred_sid(cred);
1483         isec = inode->i_security;
1484
1485         return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1486 }
1487
1488 static int inode_has_perm_noadp(const struct cred *cred,
1489                                 struct inode *inode,
1490                                 u32 perms,
1491                                 unsigned flags)
1492 {
1493         struct common_audit_data ad;
1494
1495         COMMON_AUDIT_DATA_INIT(&ad, INODE);
1496         ad.u.inode = inode;
1497         return inode_has_perm(cred, inode, perms, &ad, flags);
1498 }
1499
1500 /* Same as inode_has_perm, but pass explicit audit data containing
1501    the dentry to help the auditing code to more easily generate the
1502    pathname if needed. */
1503 static inline int dentry_has_perm(const struct cred *cred,
1504                                   struct dentry *dentry,
1505                                   u32 av)
1506 {
1507         struct inode *inode = dentry->d_inode;
1508         struct common_audit_data ad;
1509
1510         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1511         ad.u.dentry = dentry;
1512         return inode_has_perm(cred, inode, av, &ad, 0);
1513 }
1514
1515 /* Same as inode_has_perm, but pass explicit audit data containing
1516    the path to help the auditing code to more easily generate the
1517    pathname if needed. */
1518 static inline int path_has_perm(const struct cred *cred,
1519                                 struct path *path,
1520                                 u32 av)
1521 {
1522         struct inode *inode = path->dentry->d_inode;
1523         struct common_audit_data ad;
1524
1525         COMMON_AUDIT_DATA_INIT(&ad, PATH);
1526         ad.u.path = *path;
1527         return inode_has_perm(cred, inode, av, &ad, 0);
1528 }
1529
1530 /* Check whether a task can use an open file descriptor to
1531    access an inode in a given way.  Check access to the
1532    descriptor itself, and then use dentry_has_perm to
1533    check a particular permission to the file.
1534    Access to the descriptor is implicitly granted if it
1535    has the same SID as the process.  If av is zero, then
1536    access to the file is not checked, e.g. for cases
1537    where only the descriptor is affected like seek. */
1538 static int file_has_perm(const struct cred *cred,
1539                          struct file *file,
1540                          u32 av)
1541 {
1542         struct file_security_struct *fsec = file->f_security;
1543         struct inode *inode = file->f_path.dentry->d_inode;
1544         struct common_audit_data ad;
1545         u32 sid = cred_sid(cred);
1546         int rc;
1547
1548         COMMON_AUDIT_DATA_INIT(&ad, PATH);
1549         ad.u.path = file->f_path;
1550
1551         if (sid != fsec->sid) {
1552                 rc = avc_has_perm(sid, fsec->sid,
1553                                   SECCLASS_FD,
1554                                   FD__USE,
1555                                   &ad);
1556                 if (rc)
1557                         goto out;
1558         }
1559
1560         /* av is zero if only checking access to the descriptor. */
1561         rc = 0;
1562         if (av)
1563                 rc = inode_has_perm(cred, inode, av, &ad, 0);
1564
1565 out:
1566         return rc;
1567 }
1568
1569 /* Check whether a task can create a file. */
1570 static int may_create(struct inode *dir,
1571                       struct dentry *dentry,
1572                       u16 tclass)
1573 {
1574         const struct task_security_struct *tsec = current_security();
1575         struct inode_security_struct *dsec;
1576         struct superblock_security_struct *sbsec;
1577         u32 sid, newsid;
1578         struct common_audit_data ad;
1579         int rc;
1580
1581         dsec = dir->i_security;
1582         sbsec = dir->i_sb->s_security;
1583
1584         sid = tsec->sid;
1585         newsid = tsec->create_sid;
1586
1587         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1588         ad.u.dentry = dentry;
1589
1590         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1591                           DIR__ADD_NAME | DIR__SEARCH,
1592                           &ad);
1593         if (rc)
1594                 return rc;
1595
1596         if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1597                 rc = security_transition_sid(sid, dsec->sid, tclass,
1598                                              &dentry->d_name, &newsid);
1599                 if (rc)
1600                         return rc;
1601         }
1602
1603         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1604         if (rc)
1605                 return rc;
1606
1607         return avc_has_perm(newsid, sbsec->sid,
1608                             SECCLASS_FILESYSTEM,
1609                             FILESYSTEM__ASSOCIATE, &ad);
1610 }
1611
1612 /* Check whether a task can create a key. */
1613 static int may_create_key(u32 ksid,
1614                           struct task_struct *ctx)
1615 {
1616         u32 sid = task_sid(ctx);
1617
1618         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1619 }
1620
1621 #define MAY_LINK        0
1622 #define MAY_UNLINK      1
1623 #define MAY_RMDIR       2
1624
1625 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1626 static int may_link(struct inode *dir,
1627                     struct dentry *dentry,
1628                     int kind)
1629
1630 {
1631         struct inode_security_struct *dsec, *isec;
1632         struct common_audit_data ad;
1633         u32 sid = current_sid();
1634         u32 av;
1635         int rc;
1636
1637         dsec = dir->i_security;
1638         isec = dentry->d_inode->i_security;
1639
1640         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1641         ad.u.dentry = dentry;
1642
1643         av = DIR__SEARCH;
1644         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1645         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1646         if (rc)
1647                 return rc;
1648
1649         switch (kind) {
1650         case MAY_LINK:
1651                 av = FILE__LINK;
1652                 break;
1653         case MAY_UNLINK:
1654                 av = FILE__UNLINK;
1655                 break;
1656         case MAY_RMDIR:
1657                 av = DIR__RMDIR;
1658                 break;
1659         default:
1660                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1661                         __func__, kind);
1662                 return 0;
1663         }
1664
1665         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1666         return rc;
1667 }
1668
1669 static inline int may_rename(struct inode *old_dir,
1670                              struct dentry *old_dentry,
1671                              struct inode *new_dir,
1672                              struct dentry *new_dentry)
1673 {
1674         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1675         struct common_audit_data ad;
1676         u32 sid = current_sid();
1677         u32 av;
1678         int old_is_dir, new_is_dir;
1679         int rc;
1680
1681         old_dsec = old_dir->i_security;
1682         old_isec = old_dentry->d_inode->i_security;
1683         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1684         new_dsec = new_dir->i_security;
1685
1686         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1687
1688         ad.u.dentry = old_dentry;
1689         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1690                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1691         if (rc)
1692                 return rc;
1693         rc = avc_has_perm(sid, old_isec->sid,
1694                           old_isec->sclass, FILE__RENAME, &ad);
1695         if (rc)
1696                 return rc;
1697         if (old_is_dir && new_dir != old_dir) {
1698                 rc = avc_has_perm(sid, old_isec->sid,
1699                                   old_isec->sclass, DIR__REPARENT, &ad);
1700                 if (rc)
1701                         return rc;
1702         }
1703
1704         ad.u.dentry = new_dentry;
1705         av = DIR__ADD_NAME | DIR__SEARCH;
1706         if (new_dentry->d_inode)
1707                 av |= DIR__REMOVE_NAME;
1708         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1709         if (rc)
1710                 return rc;
1711         if (new_dentry->d_inode) {
1712                 new_isec = new_dentry->d_inode->i_security;
1713                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1714                 rc = avc_has_perm(sid, new_isec->sid,
1715                                   new_isec->sclass,
1716                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1717                 if (rc)
1718                         return rc;
1719         }
1720
1721         return 0;
1722 }
1723
1724 /* Check whether a task can perform a filesystem operation. */
1725 static int superblock_has_perm(const struct cred *cred,
1726                                struct super_block *sb,
1727                                u32 perms,
1728                                struct common_audit_data *ad)
1729 {
1730         struct superblock_security_struct *sbsec;
1731         u32 sid = cred_sid(cred);
1732
1733         sbsec = sb->s_security;
1734         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1735 }
1736
1737 /* Convert a Linux mode and permission mask to an access vector. */
1738 static inline u32 file_mask_to_av(int mode, int mask)
1739 {
1740         u32 av = 0;
1741
1742         if ((mode & S_IFMT) != S_IFDIR) {
1743                 if (mask & MAY_EXEC)
1744                         av |= FILE__EXECUTE;
1745                 if (mask & MAY_READ)
1746                         av |= FILE__READ;
1747
1748                 if (mask & MAY_APPEND)
1749                         av |= FILE__APPEND;
1750                 else if (mask & MAY_WRITE)
1751                         av |= FILE__WRITE;
1752
1753         } else {
1754                 if (mask & MAY_EXEC)
1755                         av |= DIR__SEARCH;
1756                 if (mask & MAY_WRITE)
1757                         av |= DIR__WRITE;
1758                 if (mask & MAY_READ)
1759                         av |= DIR__READ;
1760         }
1761
1762         return av;
1763 }
1764
1765 /* Convert a Linux file to an access vector. */
1766 static inline u32 file_to_av(struct file *file)
1767 {
1768         u32 av = 0;
1769
1770         if (file->f_mode & FMODE_READ)
1771                 av |= FILE__READ;
1772         if (file->f_mode & FMODE_WRITE) {
1773                 if (file->f_flags & O_APPEND)
1774                         av |= FILE__APPEND;
1775                 else
1776                         av |= FILE__WRITE;
1777         }
1778         if (!av) {
1779                 /*
1780                  * Special file opened with flags 3 for ioctl-only use.
1781                  */
1782                 av = FILE__IOCTL;
1783         }
1784
1785         return av;
1786 }
1787
1788 /*
1789  * Convert a file to an access vector and include the correct open
1790  * open permission.
1791  */
1792 static inline u32 open_file_to_av(struct file *file)
1793 {
1794         u32 av = file_to_av(file);
1795
1796         if (selinux_policycap_openperm)
1797                 av |= FILE__OPEN;
1798
1799         return av;
1800 }
1801
1802 /* Hook functions begin here. */
1803
1804 static int selinux_ptrace_access_check(struct task_struct *child,
1805                                      unsigned int mode)
1806 {
1807         int rc;
1808
1809         rc = cap_ptrace_access_check(child, mode);
1810         if (rc)
1811                 return rc;
1812
1813         if (mode == PTRACE_MODE_READ) {
1814                 u32 sid = current_sid();
1815                 u32 csid = task_sid(child);
1816                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1817         }
1818
1819         return current_has_perm(child, PROCESS__PTRACE);
1820 }
1821
1822 static int selinux_ptrace_traceme(struct task_struct *parent)
1823 {
1824         int rc;
1825
1826         rc = cap_ptrace_traceme(parent);
1827         if (rc)
1828                 return rc;
1829
1830         return task_has_perm(parent, current, PROCESS__PTRACE);
1831 }
1832
1833 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1834                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1835 {
1836         int error;
1837
1838         error = current_has_perm(target, PROCESS__GETCAP);
1839         if (error)
1840                 return error;
1841
1842         return cap_capget(target, effective, inheritable, permitted);
1843 }
1844
1845 static int selinux_capset(struct cred *new, const struct cred *old,
1846                           const kernel_cap_t *effective,
1847                           const kernel_cap_t *inheritable,
1848                           const kernel_cap_t *permitted)
1849 {
1850         int error;
1851
1852         error = cap_capset(new, old,
1853                                       effective, inheritable, permitted);
1854         if (error)
1855                 return error;
1856
1857         return cred_has_perm(old, new, PROCESS__SETCAP);
1858 }
1859
1860 /*
1861  * (This comment used to live with the selinux_task_setuid hook,
1862  * which was removed).
1863  *
1864  * Since setuid only affects the current process, and since the SELinux
1865  * controls are not based on the Linux identity attributes, SELinux does not
1866  * need to control this operation.  However, SELinux does control the use of
1867  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1868  */
1869
1870 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1871                            struct user_namespace *ns, int cap, int audit)
1872 {
1873         int rc;
1874
1875         rc = cap_capable(tsk, cred, ns, cap, audit);
1876         if (rc)
1877                 return rc;
1878
1879         return task_has_capability(tsk, cred, cap, audit);
1880 }
1881
1882 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1883 {
1884         const struct cred *cred = current_cred();
1885         int rc = 0;
1886
1887         if (!sb)
1888                 return 0;
1889
1890         switch (cmds) {
1891         case Q_SYNC:
1892         case Q_QUOTAON:
1893         case Q_QUOTAOFF:
1894         case Q_SETINFO:
1895         case Q_SETQUOTA:
1896                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1897                 break;
1898         case Q_GETFMT:
1899         case Q_GETINFO:
1900         case Q_GETQUOTA:
1901                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1902                 break;
1903         default:
1904                 rc = 0;  /* let the kernel handle invalid cmds */
1905                 break;
1906         }
1907         return rc;
1908 }
1909
1910 static int selinux_quota_on(struct dentry *dentry)
1911 {
1912         const struct cred *cred = current_cred();
1913
1914         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1915 }
1916
1917 static int selinux_syslog(int type)
1918 {
1919         int rc;
1920
1921         switch (type) {
1922         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
1923         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1924                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1925                 break;
1926         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1927         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
1928         /* Set level of messages printed to console */
1929         case SYSLOG_ACTION_CONSOLE_LEVEL:
1930                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1931                 break;
1932         case SYSLOG_ACTION_CLOSE:       /* Close log */
1933         case SYSLOG_ACTION_OPEN:        /* Open log */
1934         case SYSLOG_ACTION_READ:        /* Read from log */
1935         case SYSLOG_ACTION_READ_CLEAR:  /* Read/clear last kernel messages */
1936         case SYSLOG_ACTION_CLEAR:       /* Clear ring buffer */
1937         default:
1938                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1939                 break;
1940         }
1941         return rc;
1942 }
1943
1944 /*
1945  * Check that a process has enough memory to allocate a new virtual
1946  * mapping. 0 means there is enough memory for the allocation to
1947  * succeed and -ENOMEM implies there is not.
1948  *
1949  * Do not audit the selinux permission check, as this is applied to all
1950  * processes that allocate mappings.
1951  */
1952 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1953 {
1954         int rc, cap_sys_admin = 0;
1955
1956         rc = selinux_capable(current, current_cred(),
1957                              &init_user_ns, CAP_SYS_ADMIN,
1958                              SECURITY_CAP_NOAUDIT);
1959         if (rc == 0)
1960                 cap_sys_admin = 1;
1961
1962         return __vm_enough_memory(mm, pages, cap_sys_admin);
1963 }
1964
1965 /* binprm security operations */
1966
1967 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1968 {
1969         const struct task_security_struct *old_tsec;
1970         struct task_security_struct *new_tsec;
1971         struct inode_security_struct *isec;
1972         struct common_audit_data ad;
1973         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1974         int rc;
1975
1976         rc = cap_bprm_set_creds(bprm);
1977         if (rc)
1978                 return rc;
1979
1980         /* SELinux context only depends on initial program or script and not
1981          * the script interpreter */
1982         if (bprm->cred_prepared)
1983                 return 0;
1984
1985         old_tsec = current_security();
1986         new_tsec = bprm->cred->security;
1987         isec = inode->i_security;
1988
1989         /* Default to the current task SID. */
1990         new_tsec->sid = old_tsec->sid;
1991         new_tsec->osid = old_tsec->sid;
1992
1993         /* Reset fs, key, and sock SIDs on execve. */
1994         new_tsec->create_sid = 0;
1995         new_tsec->keycreate_sid = 0;
1996         new_tsec->sockcreate_sid = 0;
1997
1998         if (old_tsec->exec_sid) {
1999                 new_tsec->sid = old_tsec->exec_sid;
2000                 /* Reset exec SID on execve. */
2001                 new_tsec->exec_sid = 0;
2002         } else {
2003                 /* Check for a default transition on this program. */
2004                 rc = security_transition_sid(old_tsec->sid, isec->sid,
2005                                              SECCLASS_PROCESS, NULL,
2006                                              &new_tsec->sid);
2007                 if (rc)
2008                         return rc;
2009         }
2010
2011         COMMON_AUDIT_DATA_INIT(&ad, PATH);
2012         ad.u.path = bprm->file->f_path;
2013
2014         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2015                 new_tsec->sid = old_tsec->sid;
2016
2017         if (new_tsec->sid == old_tsec->sid) {
2018                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2019                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2020                 if (rc)
2021                         return rc;
2022         } else {
2023                 /* Check permissions for the transition. */
2024                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2025                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2026                 if (rc)
2027                         return rc;
2028
2029                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2030                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2031                 if (rc)
2032                         return rc;
2033
2034                 /* Check for shared state */
2035                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2036                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2037                                           SECCLASS_PROCESS, PROCESS__SHARE,
2038                                           NULL);
2039                         if (rc)
2040                                 return -EPERM;
2041                 }
2042
2043                 /* Make sure that anyone attempting to ptrace over a task that
2044                  * changes its SID has the appropriate permit */
2045                 if (bprm->unsafe &
2046                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2047                         struct task_struct *tracer;
2048                         struct task_security_struct *sec;
2049                         u32 ptsid = 0;
2050
2051                         rcu_read_lock();
2052                         tracer = ptrace_parent(current);
2053                         if (likely(tracer != NULL)) {
2054                                 sec = __task_cred(tracer)->security;
2055                                 ptsid = sec->sid;
2056                         }
2057                         rcu_read_unlock();
2058
2059                         if (ptsid != 0) {
2060                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2061                                                   SECCLASS_PROCESS,
2062                                                   PROCESS__PTRACE, NULL);
2063                                 if (rc)
2064                                         return -EPERM;
2065                         }
2066                 }
2067
2068                 /* Clear any possibly unsafe personality bits on exec: */
2069                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2070         }
2071
2072         return 0;
2073 }
2074
2075 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2076 {
2077         const struct task_security_struct *tsec = current_security();
2078         u32 sid, osid;
2079         int atsecure = 0;
2080
2081         sid = tsec->sid;
2082         osid = tsec->osid;
2083
2084         if (osid != sid) {
2085                 /* Enable secure mode for SIDs transitions unless
2086                    the noatsecure permission is granted between
2087                    the two SIDs, i.e. ahp returns 0. */
2088                 atsecure = avc_has_perm(osid, sid,
2089                                         SECCLASS_PROCESS,
2090                                         PROCESS__NOATSECURE, NULL);
2091         }
2092
2093         return (atsecure || cap_bprm_secureexec(bprm));
2094 }
2095
2096 /* Derived from fs/exec.c:flush_old_files. */
2097 static inline void flush_unauthorized_files(const struct cred *cred,
2098                                             struct files_struct *files)
2099 {
2100         struct common_audit_data ad;
2101         struct file *file, *devnull = NULL;
2102         struct tty_struct *tty;
2103         struct fdtable *fdt;
2104         long j = -1;
2105         int drop_tty = 0;
2106
2107         tty = get_current_tty();
2108         if (tty) {
2109                 spin_lock(&tty_files_lock);
2110                 if (!list_empty(&tty->tty_files)) {
2111                         struct tty_file_private *file_priv;
2112                         struct inode *inode;
2113
2114                         /* Revalidate access to controlling tty.
2115                            Use inode_has_perm on the tty inode directly rather
2116                            than using file_has_perm, as this particular open
2117                            file may belong to another process and we are only
2118                            interested in the inode-based check here. */
2119                         file_priv = list_first_entry(&tty->tty_files,
2120                                                 struct tty_file_private, list);
2121                         file = file_priv->file;
2122                         inode = file->f_path.dentry->d_inode;
2123                         if (inode_has_perm_noadp(cred, inode,
2124                                            FILE__READ | FILE__WRITE, 0)) {
2125                                 drop_tty = 1;
2126                         }
2127                 }
2128                 spin_unlock(&tty_files_lock);
2129                 tty_kref_put(tty);
2130         }
2131         /* Reset controlling tty. */
2132         if (drop_tty)
2133                 no_tty();
2134
2135         /* Revalidate access to inherited open files. */
2136
2137         COMMON_AUDIT_DATA_INIT(&ad, INODE);
2138
2139         spin_lock(&files->file_lock);
2140         for (;;) {
2141                 unsigned long set, i;
2142                 int fd;
2143
2144                 j++;
2145                 i = j * __NFDBITS;
2146                 fdt = files_fdtable(files);
2147                 if (i >= fdt->max_fds)
2148                         break;
2149                 set = fdt->open_fds->fds_bits[j];
2150                 if (!set)
2151                         continue;
2152                 spin_unlock(&files->file_lock);
2153                 for ( ; set ; i++, set >>= 1) {
2154                         if (set & 1) {
2155                                 file = fget(i);
2156                                 if (!file)
2157                                         continue;
2158                                 if (file_has_perm(cred,
2159                                                   file,
2160                                                   file_to_av(file))) {
2161                                         sys_close(i);
2162                                         fd = get_unused_fd();
2163                                         if (fd != i) {
2164                                                 if (fd >= 0)
2165                                                         put_unused_fd(fd);
2166                                                 fput(file);
2167                                                 continue;
2168                                         }
2169                                         if (devnull) {
2170                                                 get_file(devnull);
2171                                         } else {
2172                                                 devnull = dentry_open(
2173                                                         dget(selinux_null),
2174                                                         mntget(selinuxfs_mount),
2175                                                         O_RDWR, cred);
2176                                                 if (IS_ERR(devnull)) {
2177                                                         devnull = NULL;
2178                                                         put_unused_fd(fd);
2179                                                         fput(file);
2180                                                         continue;
2181                                                 }
2182                                         }
2183                                         fd_install(fd, devnull);
2184                                 }
2185                                 fput(file);
2186                         }
2187                 }
2188                 spin_lock(&files->file_lock);
2189
2190         }
2191         spin_unlock(&files->file_lock);
2192 }
2193
2194 /*
2195  * Prepare a process for imminent new credential changes due to exec
2196  */
2197 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2198 {
2199         struct task_security_struct *new_tsec;
2200         struct rlimit *rlim, *initrlim;
2201         int rc, i;
2202
2203         new_tsec = bprm->cred->security;
2204         if (new_tsec->sid == new_tsec->osid)
2205                 return;
2206
2207         /* Close files for which the new task SID is not authorized. */
2208         flush_unauthorized_files(bprm->cred, current->files);
2209
2210         /* Always clear parent death signal on SID transitions. */
2211         current->pdeath_signal = 0;
2212
2213         /* Check whether the new SID can inherit resource limits from the old
2214          * SID.  If not, reset all soft limits to the lower of the current
2215          * task's hard limit and the init task's soft limit.
2216          *
2217          * Note that the setting of hard limits (even to lower them) can be
2218          * controlled by the setrlimit check.  The inclusion of the init task's
2219          * soft limit into the computation is to avoid resetting soft limits
2220          * higher than the default soft limit for cases where the default is
2221          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2222          */
2223         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2224                           PROCESS__RLIMITINH, NULL);
2225         if (rc) {
2226                 /* protect against do_prlimit() */
2227                 task_lock(current);
2228                 for (i = 0; i < RLIM_NLIMITS; i++) {
2229                         rlim = current->signal->rlim + i;
2230                         initrlim = init_task.signal->rlim + i;
2231                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2232                 }
2233                 task_unlock(current);
2234                 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2235         }
2236 }
2237
2238 /*
2239  * Clean up the process immediately after the installation of new credentials
2240  * due to exec
2241  */
2242 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2243 {
2244         const struct task_security_struct *tsec = current_security();
2245         struct itimerval itimer;
2246         u32 osid, sid;
2247         int rc, i;
2248
2249         osid = tsec->osid;
2250         sid = tsec->sid;
2251
2252         if (sid == osid)
2253                 return;
2254
2255         /* Check whether the new SID can inherit signal state from the old SID.
2256          * If not, clear itimers to avoid subsequent signal generation and
2257          * flush and unblock signals.
2258          *
2259          * This must occur _after_ the task SID has been updated so that any
2260          * kill done after the flush will be checked against the new SID.
2261          */
2262         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2263         if (rc) {
2264                 memset(&itimer, 0, sizeof itimer);
2265                 for (i = 0; i < 3; i++)
2266                         do_setitimer(i, &itimer, NULL);
2267                 spin_lock_irq(&current->sighand->siglock);
2268                 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2269                         __flush_signals(current);
2270                         flush_signal_handlers(current, 1);
2271                         sigemptyset(&current->blocked);
2272                 }
2273                 spin_unlock_irq(&current->sighand->siglock);
2274         }
2275
2276         /* Wake up the parent if it is waiting so that it can recheck
2277          * wait permission to the new task SID. */
2278         read_lock(&tasklist_lock);
2279         __wake_up_parent(current, current->real_parent);
2280         read_unlock(&tasklist_lock);
2281 }
2282
2283 /* superblock security operations */
2284
2285 static int selinux_sb_alloc_security(struct super_block *sb)
2286 {
2287         return superblock_alloc_security(sb);
2288 }
2289
2290 static void selinux_sb_free_security(struct super_block *sb)
2291 {
2292         superblock_free_security(sb);
2293 }
2294
2295 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2296 {
2297         if (plen > olen)
2298                 return 0;
2299
2300         return !memcmp(prefix, option, plen);
2301 }
2302
2303 static inline int selinux_option(char *option, int len)
2304 {
2305         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2306                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2307                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2308                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2309                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2310 }
2311
2312 static inline void take_option(char **to, char *from, int *first, int len)
2313 {
2314         if (!*first) {
2315                 **to = ',';
2316                 *to += 1;
2317         } else
2318                 *first = 0;
2319         memcpy(*to, from, len);
2320         *to += len;
2321 }
2322
2323 static inline void take_selinux_option(char **to, char *from, int *first,
2324                                        int len)
2325 {
2326         int current_size = 0;
2327
2328         if (!*first) {
2329                 **to = '|';
2330                 *to += 1;
2331         } else
2332                 *first = 0;
2333
2334         while (current_size < len) {
2335                 if (*from != '"') {
2336                         **to = *from;
2337                         *to += 1;
2338                 }
2339                 from += 1;
2340                 current_size += 1;
2341         }
2342 }
2343
2344 static int selinux_sb_copy_data(char *orig, char *copy)
2345 {
2346         int fnosec, fsec, rc = 0;
2347         char *in_save, *in_curr, *in_end;
2348         char *sec_curr, *nosec_save, *nosec;
2349         int open_quote = 0;
2350
2351         in_curr = orig;
2352         sec_curr = copy;
2353
2354         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2355         if (!nosec) {
2356                 rc = -ENOMEM;
2357                 goto out;
2358         }
2359
2360         nosec_save = nosec;
2361         fnosec = fsec = 1;
2362         in_save = in_end = orig;
2363
2364         do {
2365                 if (*in_end == '"')
2366                         open_quote = !open_quote;
2367                 if ((*in_end == ',' && open_quote == 0) ||
2368                                 *in_end == '\0') {
2369                         int len = in_end - in_curr;
2370
2371                         if (selinux_option(in_curr, len))
2372                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2373                         else
2374                                 take_option(&nosec, in_curr, &fnosec, len);
2375
2376                         in_curr = in_end + 1;
2377                 }
2378         } while (*in_end++);
2379
2380         strcpy(in_save, nosec_save);
2381         free_page((unsigned long)nosec_save);
2382 out:
2383         return rc;
2384 }
2385
2386 static int selinux_sb_remount(struct super_block *sb, void *data)
2387 {
2388         int rc, i, *flags;
2389         struct security_mnt_opts opts;
2390         char *secdata, **mount_options;
2391         struct superblock_security_struct *sbsec = sb->s_security;
2392
2393         if (!(sbsec->flags & SE_SBINITIALIZED))
2394                 return 0;
2395
2396         if (!data)
2397                 return 0;
2398
2399         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2400                 return 0;
2401
2402         security_init_mnt_opts(&opts);
2403         secdata = alloc_secdata();
2404         if (!secdata)
2405                 return -ENOMEM;
2406         rc = selinux_sb_copy_data(data, secdata);
2407         if (rc)
2408                 goto out_free_secdata;
2409
2410         rc = selinux_parse_opts_str(secdata, &opts);
2411         if (rc)
2412                 goto out_free_secdata;
2413
2414         mount_options = opts.mnt_opts;
2415         flags = opts.mnt_opts_flags;
2416
2417         for (i = 0; i < opts.num_mnt_opts; i++) {
2418                 u32 sid;
2419                 size_t len;
2420
2421                 if (flags[i] == SE_SBLABELSUPP)
2422                         continue;
2423                 len = strlen(mount_options[i]);
2424                 rc = security_context_to_sid(mount_options[i], len, &sid);
2425                 if (rc) {
2426                         printk(KERN_WARNING "SELinux: security_context_to_sid"
2427                                "(%s) failed for (dev %s, type %s) errno=%d\n",
2428                                mount_options[i], sb->s_id, sb->s_type->name, rc);
2429                         goto out_free_opts;
2430                 }
2431                 rc = -EINVAL;
2432                 switch (flags[i]) {
2433                 case FSCONTEXT_MNT:
2434                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2435                                 goto out_bad_option;
2436                         break;
2437                 case CONTEXT_MNT:
2438                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2439                                 goto out_bad_option;
2440                         break;
2441                 case ROOTCONTEXT_MNT: {
2442                         struct inode_security_struct *root_isec;
2443                         root_isec = sb->s_root->d_inode->i_security;
2444
2445                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2446                                 goto out_bad_option;
2447                         break;
2448                 }
2449                 case DEFCONTEXT_MNT:
2450                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2451                                 goto out_bad_option;
2452                         break;
2453                 default:
2454                         goto out_free_opts;
2455                 }
2456         }
2457
2458         rc = 0;
2459 out_free_opts:
2460         security_free_mnt_opts(&opts);
2461 out_free_secdata:
2462         free_secdata(secdata);
2463         return rc;
2464 out_bad_option:
2465         printk(KERN_WARNING "SELinux: unable to change security options "
2466                "during remount (dev %s, type=%s)\n", sb->s_id,
2467                sb->s_type->name);
2468         goto out_free_opts;
2469 }
2470
2471 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2472 {
2473         const struct cred *cred = current_cred();
2474         struct common_audit_data ad;
2475         int rc;
2476
2477         rc = superblock_doinit(sb, data);
2478         if (rc)
2479                 return rc;
2480
2481         /* Allow all mounts performed by the kernel */
2482         if (flags & MS_KERNMOUNT)
2483                 return 0;
2484
2485         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2486         ad.u.dentry = sb->s_root;
2487         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2488 }
2489
2490 static int selinux_sb_statfs(struct dentry *dentry)
2491 {
2492         const struct cred *cred = current_cred();
2493         struct common_audit_data ad;
2494
2495         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2496         ad.u.dentry = dentry->d_sb->s_root;
2497         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2498 }
2499
2500 static int selinux_mount(char *dev_name,
2501                          struct path *path,
2502                          char *type,
2503                          unsigned long flags,
2504                          void *data)
2505 {
2506         const struct cred *cred = current_cred();
2507
2508         if (flags & MS_REMOUNT)
2509                 return superblock_has_perm(cred, path->mnt->mnt_sb,
2510                                            FILESYSTEM__REMOUNT, NULL);
2511         else
2512                 return path_has_perm(cred, path, FILE__MOUNTON);
2513 }
2514
2515 static int selinux_umount(struct vfsmount *mnt, int flags)
2516 {
2517         const struct cred *cred = current_cred();
2518
2519         return superblock_has_perm(cred, mnt->mnt_sb,
2520                                    FILESYSTEM__UNMOUNT, NULL);
2521 }
2522
2523 /* inode security operations */
2524
2525 static int selinux_inode_alloc_security(struct inode *inode)
2526 {
2527         return inode_alloc_security(inode);
2528 }
2529
2530 static void selinux_inode_free_security(struct inode *inode)
2531 {
2532         inode_free_security(inode);
2533 }
2534
2535 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2536                                        const struct qstr *qstr, char **name,
2537                                        void **value, size_t *len)
2538 {
2539         const struct task_security_struct *tsec = current_security();
2540         struct inode_security_struct *dsec;
2541         struct superblock_security_struct *sbsec;
2542         u32 sid, newsid, clen;
2543         int rc;
2544         char *namep = NULL, *context;
2545
2546         dsec = dir->i_security;
2547         sbsec = dir->i_sb->s_security;
2548
2549         sid = tsec->sid;
2550         newsid = tsec->create_sid;
2551
2552         if ((sbsec->flags & SE_SBINITIALIZED) &&
2553             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2554                 newsid = sbsec->mntpoint_sid;
2555         else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2556                 rc = security_transition_sid(sid, dsec->sid,
2557                                              inode_mode_to_security_class(inode->i_mode),
2558                                              qstr, &newsid);
2559                 if (rc) {
2560                         printk(KERN_WARNING "%s:  "
2561                                "security_transition_sid failed, rc=%d (dev=%s "
2562                                "ino=%ld)\n",
2563                                __func__,
2564                                -rc, inode->i_sb->s_id, inode->i_ino);
2565                         return rc;
2566                 }
2567         }
2568
2569         /* Possibly defer initialization to selinux_complete_init. */
2570         if (sbsec->flags & SE_SBINITIALIZED) {
2571                 struct inode_security_struct *isec = inode->i_security;
2572                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2573                 isec->sid = newsid;
2574                 isec->initialized = 1;
2575         }
2576
2577         if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2578                 return -EOPNOTSUPP;
2579
2580         if (name) {
2581                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2582                 if (!namep)
2583                         return -ENOMEM;
2584                 *name = namep;
2585         }
2586
2587         if (value && len) {
2588                 rc = security_sid_to_context_force(newsid, &context, &clen);
2589                 if (rc) {
2590                         kfree(namep);
2591                         return rc;
2592                 }
2593                 *value = context;
2594                 *len = clen;
2595         }
2596
2597         return 0;
2598 }
2599
2600 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2601 {
2602         return may_create(dir, dentry, SECCLASS_FILE);
2603 }
2604
2605 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2606 {
2607         return may_link(dir, old_dentry, MAY_LINK);
2608 }
2609
2610 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2611 {
2612         return may_link(dir, dentry, MAY_UNLINK);
2613 }
2614
2615 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2616 {
2617         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2618 }
2619
2620 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2621 {
2622         return may_create(dir, dentry, SECCLASS_DIR);
2623 }
2624
2625 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2626 {
2627         return may_link(dir, dentry, MAY_RMDIR);
2628 }
2629
2630 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2631 {
2632         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2633 }
2634
2635 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2636                                 struct inode *new_inode, struct dentry *new_dentry)
2637 {
2638         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2639 }
2640
2641 static int selinux_inode_readlink(struct dentry *dentry)
2642 {
2643         const struct cred *cred = current_cred();
2644
2645         return dentry_has_perm(cred, dentry, FILE__READ);
2646 }
2647
2648 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2649 {
2650         const struct cred *cred = current_cred();
2651
2652         return dentry_has_perm(cred, dentry, FILE__READ);
2653 }
2654
2655 static int selinux_inode_permission(struct inode *inode, int mask)
2656 {
2657         const struct cred *cred = current_cred();
2658         struct common_audit_data ad;
2659         u32 perms;
2660         bool from_access;
2661         unsigned flags = mask & MAY_NOT_BLOCK;
2662
2663         from_access = mask & MAY_ACCESS;
2664         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2665
2666         /* No permission to check.  Existence test. */
2667         if (!mask)
2668                 return 0;
2669
2670         COMMON_AUDIT_DATA_INIT(&ad, INODE);
2671         ad.u.inode = inode;
2672
2673         if (from_access)
2674                 ad.selinux_audit_data.auditdeny |= FILE__AUDIT_ACCESS;
2675
2676         perms = file_mask_to_av(inode->i_mode, mask);
2677
2678         return inode_has_perm(cred, inode, perms, &ad, flags);
2679 }
2680
2681 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2682 {
2683         const struct cred *cred = current_cred();
2684         unsigned int ia_valid = iattr->ia_valid;
2685
2686         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2687         if (ia_valid & ATTR_FORCE) {
2688                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2689                               ATTR_FORCE);
2690                 if (!ia_valid)
2691                         return 0;
2692         }
2693
2694         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2695                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2696                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2697
2698         return dentry_has_perm(cred, dentry, FILE__WRITE);
2699 }
2700
2701 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2702 {
2703         const struct cred *cred = current_cred();
2704         struct path path;
2705
2706         path.dentry = dentry;
2707         path.mnt = mnt;
2708
2709         return path_has_perm(cred, &path, FILE__GETATTR);
2710 }
2711
2712 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2713 {
2714         const struct cred *cred = current_cred();
2715
2716         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2717                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2718                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2719                         if (!capable(CAP_SETFCAP))
2720                                 return -EPERM;
2721                 } else if (!capable(CAP_SYS_ADMIN)) {
2722                         /* A different attribute in the security namespace.
2723                            Restrict to administrator. */
2724                         return -EPERM;
2725                 }
2726         }
2727
2728         /* Not an attribute we recognize, so just check the
2729            ordinary setattr permission. */
2730         return dentry_has_perm(cred, dentry, FILE__SETATTR);
2731 }
2732
2733 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2734                                   const void *value, size_t size, int flags)
2735 {
2736         struct inode *inode = dentry->d_inode;
2737         struct inode_security_struct *isec = inode->i_security;
2738         struct superblock_security_struct *sbsec;
2739         struct common_audit_data ad;
2740         u32 newsid, sid = current_sid();
2741         int rc = 0;
2742
2743         if (strcmp(name, XATTR_NAME_SELINUX))
2744                 return selinux_inode_setotherxattr(dentry, name);
2745
2746         sbsec = inode->i_sb->s_security;
2747         if (!(sbsec->flags & SE_SBLABELSUPP))
2748                 return -EOPNOTSUPP;
2749
2750         if (!inode_owner_or_capable(inode))
2751                 return -EPERM;
2752
2753         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2754         ad.u.dentry = dentry;
2755
2756         rc = avc_has_perm(sid, isec->sid, isec->sclass,
2757                           FILE__RELABELFROM, &ad);
2758         if (rc)
2759                 return rc;
2760
2761         rc = security_context_to_sid(value, size, &newsid);
2762         if (rc == -EINVAL) {
2763                 if (!capable(CAP_MAC_ADMIN))
2764                         return rc;
2765                 rc = security_context_to_sid_force(value, size, &newsid);
2766         }
2767         if (rc)
2768                 return rc;
2769
2770         rc = avc_has_perm(sid, newsid, isec->sclass,
2771                           FILE__RELABELTO, &ad);
2772         if (rc)
2773                 return rc;
2774
2775         rc = security_validate_transition(isec->sid, newsid, sid,
2776                                           isec->sclass);
2777         if (rc)
2778                 return rc;
2779
2780         return avc_has_perm(newsid,
2781                             sbsec->sid,
2782                             SECCLASS_FILESYSTEM,
2783                             FILESYSTEM__ASSOCIATE,
2784                             &ad);
2785 }
2786
2787 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2788                                         const void *value, size_t size,
2789                                         int flags)
2790 {
2791         struct inode *inode = dentry->d_inode;
2792         struct inode_security_struct *isec = inode->i_security;
2793         u32 newsid;
2794         int rc;
2795
2796         if (strcmp(name, XATTR_NAME_SELINUX)) {
2797                 /* Not an attribute we recognize, so nothing to do. */
2798                 return;
2799         }
2800
2801         rc = security_context_to_sid_force(value, size, &newsid);
2802         if (rc) {
2803                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2804                        "for (%s, %lu), rc=%d\n",
2805                        inode->i_sb->s_id, inode->i_ino, -rc);
2806                 return;
2807         }
2808
2809         isec->sid = newsid;
2810         return;
2811 }
2812
2813 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2814 {
2815         const struct cred *cred = current_cred();
2816
2817         return dentry_has_perm(cred, dentry, FILE__GETATTR);
2818 }
2819
2820 static int selinux_inode_listxattr(struct dentry *dentry)
2821 {
2822         const struct cred *cred = current_cred();
2823
2824         return dentry_has_perm(cred, dentry, FILE__GETATTR);
2825 }
2826
2827 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2828 {
2829         if (strcmp(name, XATTR_NAME_SELINUX))
2830                 return selinux_inode_setotherxattr(dentry, name);
2831
2832         /* No one is allowed to remove a SELinux security label.
2833            You can change the label, but all data must be labeled. */
2834         return -EACCES;
2835 }
2836
2837 /*
2838  * Copy the inode security context value to the user.
2839  *
2840  * Permission check is handled by selinux_inode_getxattr hook.
2841  */
2842 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2843 {
2844         u32 size;
2845         int error;
2846         char *context = NULL;
2847         struct inode_security_struct *isec = inode->i_security;
2848
2849         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2850                 return -EOPNOTSUPP;
2851
2852         /*
2853          * If the caller has CAP_MAC_ADMIN, then get the raw context
2854          * value even if it is not defined by current policy; otherwise,
2855          * use the in-core value under current policy.
2856          * Use the non-auditing forms of the permission checks since
2857          * getxattr may be called by unprivileged processes commonly
2858          * and lack of permission just means that we fall back to the
2859          * in-core context value, not a denial.
2860          */
2861         error = selinux_capable(current, current_cred(),
2862                                 &init_user_ns, CAP_MAC_ADMIN,
2863                                 SECURITY_CAP_NOAUDIT);
2864         if (!error)
2865                 error = security_sid_to_context_force(isec->sid, &context,
2866                                                       &size);
2867         else
2868                 error = security_sid_to_context(isec->sid, &context, &size);
2869         if (error)
2870                 return error;
2871         error = size;
2872         if (alloc) {
2873                 *buffer = context;
2874                 goto out_nofree;
2875         }
2876         kfree(context);
2877 out_nofree:
2878         return error;
2879 }
2880
2881 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2882                                      const void *value, size_t size, int flags)
2883 {
2884         struct inode_security_struct *isec = inode->i_security;
2885         u32 newsid;
2886         int rc;
2887
2888         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2889                 return -EOPNOTSUPP;
2890
2891         if (!value || !size)
2892                 return -EACCES;
2893
2894         rc = security_context_to_sid((void *)value, size, &newsid);
2895         if (rc)
2896                 return rc;
2897
2898         isec->sid = newsid;
2899         isec->initialized = 1;
2900         return 0;
2901 }
2902
2903 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2904 {
2905         const int len = sizeof(XATTR_NAME_SELINUX);
2906         if (buffer && len <= buffer_size)
2907                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2908         return len;
2909 }
2910
2911 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2912 {
2913         struct inode_security_struct *isec = inode->i_security;
2914         *secid = isec->sid;
2915 }
2916
2917 /* file security operations */
2918
2919 static int selinux_revalidate_file_permission(struct file *file, int mask)
2920 {
2921         const struct cred *cred = current_cred();
2922         struct inode *inode = file->f_path.dentry->d_inode;
2923
2924         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2925         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2926                 mask |= MAY_APPEND;
2927
2928         return file_has_perm(cred, file,
2929                              file_mask_to_av(inode->i_mode, mask));
2930 }
2931
2932 static int selinux_file_permission(struct file *file, int mask)
2933 {
2934         struct inode *inode = file->f_path.dentry->d_inode;
2935         struct file_security_struct *fsec = file->f_security;
2936         struct inode_security_struct *isec = inode->i_security;
2937         u32 sid = current_sid();
2938
2939         if (!mask)
2940                 /* No permission to check.  Existence test. */
2941                 return 0;
2942
2943         if (sid == fsec->sid && fsec->isid == isec->sid &&
2944             fsec->pseqno == avc_policy_seqno())
2945                 /* No change since dentry_open check. */
2946                 return 0;
2947
2948         return selinux_revalidate_file_permission(file, mask);
2949 }
2950
2951 static int selinux_file_alloc_security(struct file *file)
2952 {
2953         return file_alloc_security(file);
2954 }
2955
2956 static void selinux_file_free_security(struct file *file)
2957 {
2958         file_free_security(file);
2959 }
2960
2961 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2962                               unsigned long arg)
2963 {
2964         const struct cred *cred = current_cred();
2965         int error = 0;
2966
2967         switch (cmd) {
2968         case FIONREAD:
2969         /* fall through */
2970         case FIBMAP:
2971         /* fall through */
2972         case FIGETBSZ:
2973         /* fall through */
2974         case EXT2_IOC_GETFLAGS:
2975         /* fall through */
2976         case EXT2_IOC_GETVERSION:
2977                 error = file_has_perm(cred, file, FILE__GETATTR);
2978                 break;
2979
2980         case EXT2_IOC_SETFLAGS:
2981         /* fall through */
2982         case EXT2_IOC_SETVERSION:
2983                 error = file_has_perm(cred, file, FILE__SETATTR);
2984                 break;
2985
2986         /* sys_ioctl() checks */
2987         case FIONBIO:
2988         /* fall through */
2989         case FIOASYNC:
2990                 error = file_has_perm(cred, file, 0);
2991                 break;
2992
2993         case KDSKBENT:
2994         case KDSKBSENT:
2995                 error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG,
2996                                         SECURITY_CAP_AUDIT);
2997                 break;
2998
2999         /* default case assumes that the command will go
3000          * to the file's ioctl() function.
3001          */
3002         default:
3003                 error = file_has_perm(cred, file, FILE__IOCTL);
3004         }
3005         return error;
3006 }
3007
3008 static int default_noexec;
3009
3010 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3011 {
3012         const struct cred *cred = current_cred();
3013         int rc = 0;
3014
3015         if (default_noexec &&
3016             (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3017                 /*
3018                  * We are making executable an anonymous mapping or a
3019                  * private file mapping that will also be writable.
3020                  * This has an additional check.
3021                  */
3022                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3023                 if (rc)
3024                         goto error;
3025         }
3026
3027         if (file) {
3028                 /* read access is always possible with a mapping */
3029                 u32 av = FILE__READ;
3030
3031                 /* write access only matters if the mapping is shared */
3032                 if (shared && (prot & PROT_WRITE))
3033                         av |= FILE__WRITE;
3034
3035                 if (prot & PROT_EXEC)
3036                         av |= FILE__EXECUTE;
3037
3038                 return file_has_perm(cred, file, av);
3039         }
3040
3041 error:
3042         return rc;
3043 }
3044
3045 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3046                              unsigned long prot, unsigned long flags,
3047                              unsigned long addr, unsigned long addr_only)
3048 {
3049         int rc = 0;
3050         u32 sid = current_sid();
3051
3052         /*
3053          * notice that we are intentionally putting the SELinux check before
3054          * the secondary cap_file_mmap check.  This is such a likely attempt
3055          * at bad behaviour/exploit that we always want to get the AVC, even
3056          * if DAC would have also denied the operation.
3057          */
3058         if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3059                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3060                                   MEMPROTECT__MMAP_ZERO, NULL);
3061                 if (rc)
3062                         return rc;
3063         }
3064
3065         /* do DAC check on address space usage */
3066         rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3067         if (rc || addr_only)
3068                 return rc;
3069
3070         if (selinux_checkreqprot)
3071                 prot = reqprot;
3072
3073         return file_map_prot_check(file, prot,
3074                                    (flags & MAP_TYPE) == MAP_SHARED);
3075 }
3076
3077 static int selinux_file_mprotect(struct vm_area_struct *vma,
3078                                  unsigned long reqprot,
3079                                  unsigned long prot)
3080 {
3081         const struct cred *cred = current_cred();
3082
3083         if (selinux_checkreqprot)
3084                 prot = reqprot;
3085
3086         if (default_noexec &&
3087             (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3088                 int rc = 0;
3089                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3090                     vma->vm_end <= vma->vm_mm->brk) {
3091                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3092                 } else if (!vma->vm_file &&
3093                            vma->vm_start <= vma->vm_mm->start_stack &&
3094                            vma->vm_end >= vma->vm_mm->start_stack) {
3095                         rc = current_has_perm(current, PROCESS__EXECSTACK);
3096                 } else if (vma->vm_file && vma->anon_vma) {
3097                         /*
3098                          * We are making executable a file mapping that has
3099                          * had some COW done. Since pages might have been
3100                          * written, check ability to execute the possibly
3101                          * modified content.  This typically should only
3102                          * occur for text relocations.
3103                          */
3104                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3105                 }
3106                 if (rc)
3107                         return rc;
3108         }
3109
3110         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3111 }
3112
3113 static int selinux_file_lock(struct file *file, unsigned int cmd)
3114 {
3115         const struct cred *cred = current_cred();
3116
3117         return file_has_perm(cred, file, FILE__LOCK);
3118 }
3119
3120 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3121                               unsigned long arg)
3122 {
3123         const struct cred *cred = current_cred();
3124         int err = 0;
3125
3126         switch (cmd) {
3127         case F_SETFL:
3128                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3129                         err = -EINVAL;
3130                         break;
3131                 }
3132
3133                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3134                         err = file_has_perm(cred, file, FILE__WRITE);
3135                         break;
3136                 }
3137                 /* fall through */
3138         case F_SETOWN:
3139         case F_SETSIG:
3140         case F_GETFL:
3141         case F_GETOWN:
3142         case F_GETSIG:
3143                 /* Just check FD__USE permission */
3144                 err = file_has_perm(cred, file, 0);
3145                 break;
3146         case F_GETLK:
3147         case F_SETLK:
3148         case F_SETLKW:
3149 #if BITS_PER_LONG == 32
3150         case F_GETLK64:
3151         case F_SETLK64:
3152         case F_SETLKW64:
3153 #endif
3154                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3155                         err = -EINVAL;
3156                         break;
3157                 }
3158                 err = file_has_perm(cred, file, FILE__LOCK);
3159                 break;
3160         }
3161
3162         return err;
3163 }
3164
3165 static int selinux_file_set_fowner(struct file *file)
3166 {
3167         struct file_security_struct *fsec;
3168
3169         fsec = file->f_security;
3170         fsec->fown_sid = current_sid();
3171
3172         return 0;
3173 }
3174
3175 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3176                                        struct fown_struct *fown, int signum)
3177 {
3178         struct file *file;
3179         u32 sid = task_sid(tsk);
3180         u32 perm;
3181         struct file_security_struct *fsec;
3182
3183         /* struct fown_struct is never outside the context of a struct file */
3184         file = container_of(fown, struct file, f_owner);
3185
3186         fsec = file->f_security;
3187
3188         if (!signum)
3189                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3190         else
3191                 perm = signal_to_av(signum);
3192
3193         return avc_has_perm(fsec->fown_sid, sid,
3194                             SECCLASS_PROCESS, perm, NULL);
3195 }
3196
3197 static int selinux_file_receive(struct file *file)
3198 {
3199         const struct cred *cred = current_cred();
3200
3201         return file_has_perm(cred, file, file_to_av(file));
3202 }
3203
3204 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3205 {
3206         struct file_security_struct *fsec;
3207         struct inode *inode;
3208         struct inode_security_struct *isec;
3209
3210         inode = file->f_path.dentry->d_inode;
3211         fsec = file->f_security;
3212         isec = inode->i_security;
3213         /*
3214          * Save inode label and policy sequence number
3215          * at open-time so that selinux_file_permission
3216          * can determine whether revalidation is necessary.
3217          * Task label is already saved in the file security
3218          * struct as its SID.
3219          */
3220         fsec->isid = isec->sid;
3221         fsec->pseqno = avc_policy_seqno();
3222         /*
3223          * Since the inode label or policy seqno may have changed
3224          * between the selinux_inode_permission check and the saving
3225          * of state above, recheck that access is still permitted.
3226          * Otherwise, access might never be revalidated against the
3227          * new inode label or new policy.
3228          * This check is not redundant - do not remove.
3229          */
3230         return inode_has_perm_noadp(cred, inode, open_file_to_av(file), 0);
3231 }
3232
3233 /* task security operations */
3234
3235 static int selinux_task_create(unsigned long clone_flags)
3236 {
3237         return current_has_perm(current, PROCESS__FORK);
3238 }
3239
3240 /*
3241  * allocate the SELinux part of blank credentials
3242  */
3243 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3244 {
3245         struct task_security_struct *tsec;
3246
3247         tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3248         if (!tsec)
3249                 return -ENOMEM;
3250
3251         cred->security = tsec;
3252         return 0;
3253 }
3254
3255 /*
3256  * detach and free the LSM part of a set of credentials
3257  */
3258 static void selinux_cred_free(struct cred *cred)
3259 {
3260         struct task_security_struct *tsec = cred->security;
3261
3262         /*
3263          * cred->security == NULL if security_cred_alloc_blank() or
3264          * security_prepare_creds() returned an error.
3265          */
3266         BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3267         cred->security = (void *) 0x7UL;
3268         kfree(tsec);
3269 }
3270
3271 /*
3272  * prepare a new set of credentials for modification
3273  */
3274 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3275                                 gfp_t gfp)
3276 {
3277         const struct task_security_struct *old_tsec;
3278         struct task_security_struct *tsec;
3279