SELinux: Add network port SID cache
[linux-3.10.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16  *                Paul Moore <paul.moore@hp.com>
17  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
19  *
20  *      This program is free software; you can redistribute it and/or modify
21  *      it under the terms of the GNU General Public License version 2,
22  *      as published by the Free Software Foundation.
23  */
24
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
34 #include <linux/mm.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
46 #include <linux/kd.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h>    /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h>           /* for Unix socket types */
67 #include <net/af_unix.h>        /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78
79 #include "avc.h"
80 #include "objsec.h"
81 #include "netif.h"
82 #include "netnode.h"
83 #include "netport.h"
84 #include "xfrm.h"
85 #include "netlabel.h"
86
87 #define XATTR_SELINUX_SUFFIX "selinux"
88 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
89
90 #define NUM_SEL_MNT_OPTS 4
91
92 extern unsigned int policydb_loaded_version;
93 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
94 extern int selinux_compat_net;
95 extern struct security_operations *security_ops;
96
97 /* SECMARK reference count */
98 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing = 0;
102
103 static int __init enforcing_setup(char *str)
104 {
105         selinux_enforcing = simple_strtol(str,NULL,0);
106         return 1;
107 }
108 __setup("enforcing=", enforcing_setup);
109 #endif
110
111 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
112 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
113
114 static int __init selinux_enabled_setup(char *str)
115 {
116         selinux_enabled = simple_strtol(str, NULL, 0);
117         return 1;
118 }
119 __setup("selinux=", selinux_enabled_setup);
120 #else
121 int selinux_enabled = 1;
122 #endif
123
124 /* Original (dummy) security module. */
125 static struct security_operations *original_ops = NULL;
126
127 /* Minimal support for a secondary security module,
128    just to allow the use of the dummy or capability modules.
129    The owlsm module can alternatively be used as a secondary
130    module as long as CONFIG_OWLSM_FD is not enabled. */
131 static struct security_operations *secondary_ops = NULL;
132
133 /* Lists of inode and superblock security structures initialized
134    before the policy was loaded. */
135 static LIST_HEAD(superblock_security_head);
136 static DEFINE_SPINLOCK(sb_security_lock);
137
138 static struct kmem_cache *sel_inode_cache;
139
140 /**
141  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
142  *
143  * Description:
144  * This function checks the SECMARK reference counter to see if any SECMARK
145  * targets are currently configured, if the reference counter is greater than
146  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
147  * enabled, false (0) if SECMARK is disabled.
148  *
149  */
150 static int selinux_secmark_enabled(void)
151 {
152         return (atomic_read(&selinux_secmark_refcount) > 0);
153 }
154
155 /* Allocate and free functions for each kind of security blob. */
156
157 static int task_alloc_security(struct task_struct *task)
158 {
159         struct task_security_struct *tsec;
160
161         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
162         if (!tsec)
163                 return -ENOMEM;
164
165         tsec->osid = tsec->sid = SECINITSID_UNLABELED;
166         task->security = tsec;
167
168         return 0;
169 }
170
171 static void task_free_security(struct task_struct *task)
172 {
173         struct task_security_struct *tsec = task->security;
174         task->security = NULL;
175         kfree(tsec);
176 }
177
178 static int inode_alloc_security(struct inode *inode)
179 {
180         struct task_security_struct *tsec = current->security;
181         struct inode_security_struct *isec;
182
183         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
184         if (!isec)
185                 return -ENOMEM;
186
187         mutex_init(&isec->lock);
188         INIT_LIST_HEAD(&isec->list);
189         isec->inode = inode;
190         isec->sid = SECINITSID_UNLABELED;
191         isec->sclass = SECCLASS_FILE;
192         isec->task_sid = tsec->sid;
193         inode->i_security = isec;
194
195         return 0;
196 }
197
198 static void inode_free_security(struct inode *inode)
199 {
200         struct inode_security_struct *isec = inode->i_security;
201         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
202
203         spin_lock(&sbsec->isec_lock);
204         if (!list_empty(&isec->list))
205                 list_del_init(&isec->list);
206         spin_unlock(&sbsec->isec_lock);
207
208         inode->i_security = NULL;
209         kmem_cache_free(sel_inode_cache, isec);
210 }
211
212 static int file_alloc_security(struct file *file)
213 {
214         struct task_security_struct *tsec = current->security;
215         struct file_security_struct *fsec;
216
217         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
218         if (!fsec)
219                 return -ENOMEM;
220
221         fsec->sid = tsec->sid;
222         fsec->fown_sid = tsec->sid;
223         file->f_security = fsec;
224
225         return 0;
226 }
227
228 static void file_free_security(struct file *file)
229 {
230         struct file_security_struct *fsec = file->f_security;
231         file->f_security = NULL;
232         kfree(fsec);
233 }
234
235 static int superblock_alloc_security(struct super_block *sb)
236 {
237         struct superblock_security_struct *sbsec;
238
239         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
240         if (!sbsec)
241                 return -ENOMEM;
242
243         mutex_init(&sbsec->lock);
244         INIT_LIST_HEAD(&sbsec->list);
245         INIT_LIST_HEAD(&sbsec->isec_head);
246         spin_lock_init(&sbsec->isec_lock);
247         sbsec->sb = sb;
248         sbsec->sid = SECINITSID_UNLABELED;
249         sbsec->def_sid = SECINITSID_FILE;
250         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
251         sb->s_security = sbsec;
252
253         return 0;
254 }
255
256 static void superblock_free_security(struct super_block *sb)
257 {
258         struct superblock_security_struct *sbsec = sb->s_security;
259
260         spin_lock(&sb_security_lock);
261         if (!list_empty(&sbsec->list))
262                 list_del_init(&sbsec->list);
263         spin_unlock(&sb_security_lock);
264
265         sb->s_security = NULL;
266         kfree(sbsec);
267 }
268
269 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
270 {
271         struct sk_security_struct *ssec;
272
273         ssec = kzalloc(sizeof(*ssec), priority);
274         if (!ssec)
275                 return -ENOMEM;
276
277         ssec->peer_sid = SECINITSID_UNLABELED;
278         ssec->sid = SECINITSID_UNLABELED;
279         sk->sk_security = ssec;
280
281         selinux_netlbl_sk_security_reset(ssec, family);
282
283         return 0;
284 }
285
286 static void sk_free_security(struct sock *sk)
287 {
288         struct sk_security_struct *ssec = sk->sk_security;
289
290         sk->sk_security = NULL;
291         kfree(ssec);
292 }
293
294 /* The security server must be initialized before
295    any labeling or access decisions can be provided. */
296 extern int ss_initialized;
297
298 /* The file system's label must be initialized prior to use. */
299
300 static char *labeling_behaviors[6] = {
301         "uses xattr",
302         "uses transition SIDs",
303         "uses task SIDs",
304         "uses genfs_contexts",
305         "not configured for labeling",
306         "uses mountpoint labeling",
307 };
308
309 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
310
311 static inline int inode_doinit(struct inode *inode)
312 {
313         return inode_doinit_with_dentry(inode, NULL);
314 }
315
316 enum {
317         Opt_error = -1,
318         Opt_context = 1,
319         Opt_fscontext = 2,
320         Opt_defcontext = 3,
321         Opt_rootcontext = 4,
322 };
323
324 static match_table_t tokens = {
325         {Opt_context, CONTEXT_STR "%s"},
326         {Opt_fscontext, FSCONTEXT_STR "%s"},
327         {Opt_defcontext, DEFCONTEXT_STR "%s"},
328         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
329         {Opt_error, NULL},
330 };
331
332 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
333
334 static int may_context_mount_sb_relabel(u32 sid,
335                         struct superblock_security_struct *sbsec,
336                         struct task_security_struct *tsec)
337 {
338         int rc;
339
340         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
341                           FILESYSTEM__RELABELFROM, NULL);
342         if (rc)
343                 return rc;
344
345         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
346                           FILESYSTEM__RELABELTO, NULL);
347         return rc;
348 }
349
350 static int may_context_mount_inode_relabel(u32 sid,
351                         struct superblock_security_struct *sbsec,
352                         struct task_security_struct *tsec)
353 {
354         int rc;
355         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
356                           FILESYSTEM__RELABELFROM, NULL);
357         if (rc)
358                 return rc;
359
360         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
361                           FILESYSTEM__ASSOCIATE, NULL);
362         return rc;
363 }
364
365 static int sb_finish_set_opts(struct super_block *sb)
366 {
367         struct superblock_security_struct *sbsec = sb->s_security;
368         struct dentry *root = sb->s_root;
369         struct inode *root_inode = root->d_inode;
370         int rc = 0;
371
372         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
373                 /* Make sure that the xattr handler exists and that no
374                    error other than -ENODATA is returned by getxattr on
375                    the root directory.  -ENODATA is ok, as this may be
376                    the first boot of the SELinux kernel before we have
377                    assigned xattr values to the filesystem. */
378                 if (!root_inode->i_op->getxattr) {
379                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
380                                "xattr support\n", sb->s_id, sb->s_type->name);
381                         rc = -EOPNOTSUPP;
382                         goto out;
383                 }
384                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
385                 if (rc < 0 && rc != -ENODATA) {
386                         if (rc == -EOPNOTSUPP)
387                                 printk(KERN_WARNING "SELinux: (dev %s, type "
388                                        "%s) has no security xattr handler\n",
389                                        sb->s_id, sb->s_type->name);
390                         else
391                                 printk(KERN_WARNING "SELinux: (dev %s, type "
392                                        "%s) getxattr errno %d\n", sb->s_id,
393                                        sb->s_type->name, -rc);
394                         goto out;
395                 }
396         }
397
398         sbsec->initialized = 1;
399
400         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
401                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
402                        sb->s_id, sb->s_type->name);
403         else
404                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
405                        sb->s_id, sb->s_type->name,
406                        labeling_behaviors[sbsec->behavior-1]);
407
408         /* Initialize the root inode. */
409         rc = inode_doinit_with_dentry(root_inode, root);
410
411         /* Initialize any other inodes associated with the superblock, e.g.
412            inodes created prior to initial policy load or inodes created
413            during get_sb by a pseudo filesystem that directly
414            populates itself. */
415         spin_lock(&sbsec->isec_lock);
416 next_inode:
417         if (!list_empty(&sbsec->isec_head)) {
418                 struct inode_security_struct *isec =
419                                 list_entry(sbsec->isec_head.next,
420                                            struct inode_security_struct, list);
421                 struct inode *inode = isec->inode;
422                 spin_unlock(&sbsec->isec_lock);
423                 inode = igrab(inode);
424                 if (inode) {
425                         if (!IS_PRIVATE(inode))
426                                 inode_doinit(inode);
427                         iput(inode);
428                 }
429                 spin_lock(&sbsec->isec_lock);
430                 list_del_init(&isec->list);
431                 goto next_inode;
432         }
433         spin_unlock(&sbsec->isec_lock);
434 out:
435         return rc;
436 }
437
438 /*
439  * This function should allow an FS to ask what it's mount security
440  * options were so it can use those later for submounts, displaying
441  * mount options, or whatever.
442  */
443 static int selinux_get_mnt_opts(const struct super_block *sb,
444                                 struct security_mnt_opts *opts)
445 {
446         int rc = 0, i;
447         struct superblock_security_struct *sbsec = sb->s_security;
448         char *context = NULL;
449         u32 len;
450         char tmp;
451
452         security_init_mnt_opts(opts);
453
454         if (!sbsec->initialized)
455                 return -EINVAL;
456
457         if (!ss_initialized)
458                 return -EINVAL;
459
460         /*
461          * if we ever use sbsec flags for anything other than tracking mount
462          * settings this is going to need a mask
463          */
464         tmp = sbsec->flags;
465         /* count the number of mount options for this sb */
466         for (i = 0; i < 8; i++) {
467                 if (tmp & 0x01)
468                         opts->num_mnt_opts++;
469                 tmp >>= 1;
470         }
471
472         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
473         if (!opts->mnt_opts) {
474                 rc = -ENOMEM;
475                 goto out_free;
476         }
477
478         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
479         if (!opts->mnt_opts_flags) {
480                 rc = -ENOMEM;
481                 goto out_free;
482         }
483
484         i = 0;
485         if (sbsec->flags & FSCONTEXT_MNT) {
486                 rc = security_sid_to_context(sbsec->sid, &context, &len);
487                 if (rc)
488                         goto out_free;
489                 opts->mnt_opts[i] = context;
490                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
491         }
492         if (sbsec->flags & CONTEXT_MNT) {
493                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
494                 if (rc)
495                         goto out_free;
496                 opts->mnt_opts[i] = context;
497                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
498         }
499         if (sbsec->flags & DEFCONTEXT_MNT) {
500                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
501                 if (rc)
502                         goto out_free;
503                 opts->mnt_opts[i] = context;
504                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
505         }
506         if (sbsec->flags & ROOTCONTEXT_MNT) {
507                 struct inode *root = sbsec->sb->s_root->d_inode;
508                 struct inode_security_struct *isec = root->i_security;
509
510                 rc = security_sid_to_context(isec->sid, &context, &len);
511                 if (rc)
512                         goto out_free;
513                 opts->mnt_opts[i] = context;
514                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
515         }
516
517         BUG_ON(i != opts->num_mnt_opts);
518
519         return 0;
520
521 out_free:
522         security_free_mnt_opts(opts);
523         return rc;
524 }
525
526 static int bad_option(struct superblock_security_struct *sbsec, char flag,
527                       u32 old_sid, u32 new_sid)
528 {
529         /* check if the old mount command had the same options */
530         if (sbsec->initialized)
531                 if (!(sbsec->flags & flag) ||
532                     (old_sid != new_sid))
533                         return 1;
534
535         /* check if we were passed the same options twice,
536          * aka someone passed context=a,context=b
537          */
538         if (!sbsec->initialized)
539                 if (sbsec->flags & flag)
540                         return 1;
541         return 0;
542 }
543
544 /*
545  * Allow filesystems with binary mount data to explicitly set mount point
546  * labeling information.
547  */
548 static int selinux_set_mnt_opts(struct super_block *sb,
549                                 struct security_mnt_opts *opts)
550 {
551         int rc = 0, i;
552         struct task_security_struct *tsec = current->security;
553         struct superblock_security_struct *sbsec = sb->s_security;
554         const char *name = sb->s_type->name;
555         struct inode *inode = sbsec->sb->s_root->d_inode;
556         struct inode_security_struct *root_isec = inode->i_security;
557         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
558         u32 defcontext_sid = 0;
559         char **mount_options = opts->mnt_opts;
560         int *flags = opts->mnt_opts_flags;
561         int num_opts = opts->num_mnt_opts;
562
563         mutex_lock(&sbsec->lock);
564
565         if (!ss_initialized) {
566                 if (!num_opts) {
567                         /* Defer initialization until selinux_complete_init,
568                            after the initial policy is loaded and the security
569                            server is ready to handle calls. */
570                         spin_lock(&sb_security_lock);
571                         if (list_empty(&sbsec->list))
572                                 list_add(&sbsec->list, &superblock_security_head);
573                         spin_unlock(&sb_security_lock);
574                         goto out;
575                 }
576                 rc = -EINVAL;
577                 printk(KERN_WARNING "Unable to set superblock options before "
578                        "the security server is initialized\n");
579                 goto out;
580         }
581
582         /*
583          * Binary mount data FS will come through this function twice.  Once
584          * from an explicit call and once from the generic calls from the vfs.
585          * Since the generic VFS calls will not contain any security mount data
586          * we need to skip the double mount verification.
587          *
588          * This does open a hole in which we will not notice if the first
589          * mount using this sb set explict options and a second mount using
590          * this sb does not set any security options.  (The first options
591          * will be used for both mounts)
592          */
593         if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
594             && (num_opts == 0))
595                 goto out;
596
597         /*
598          * parse the mount options, check if they are valid sids.
599          * also check if someone is trying to mount the same sb more
600          * than once with different security options.
601          */
602         for (i = 0; i < num_opts; i++) {
603                 u32 sid;
604                 rc = security_context_to_sid(mount_options[i],
605                                              strlen(mount_options[i]), &sid);
606                 if (rc) {
607                         printk(KERN_WARNING "SELinux: security_context_to_sid"
608                                "(%s) failed for (dev %s, type %s) errno=%d\n",
609                                mount_options[i], sb->s_id, name, rc);
610                         goto out;
611                 }
612                 switch (flags[i]) {
613                 case FSCONTEXT_MNT:
614                         fscontext_sid = sid;
615
616                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
617                                         fscontext_sid))
618                                 goto out_double_mount;
619
620                         sbsec->flags |= FSCONTEXT_MNT;
621                         break;
622                 case CONTEXT_MNT:
623                         context_sid = sid;
624
625                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
626                                         context_sid))
627                                 goto out_double_mount;
628
629                         sbsec->flags |= CONTEXT_MNT;
630                         break;
631                 case ROOTCONTEXT_MNT:
632                         rootcontext_sid = sid;
633
634                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
635                                         rootcontext_sid))
636                                 goto out_double_mount;
637
638                         sbsec->flags |= ROOTCONTEXT_MNT;
639
640                         break;
641                 case DEFCONTEXT_MNT:
642                         defcontext_sid = sid;
643
644                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
645                                         defcontext_sid))
646                                 goto out_double_mount;
647
648                         sbsec->flags |= DEFCONTEXT_MNT;
649
650                         break;
651                 default:
652                         rc = -EINVAL;
653                         goto out;
654                 }
655         }
656
657         if (sbsec->initialized) {
658                 /* previously mounted with options, but not on this attempt? */
659                 if (sbsec->flags && !num_opts)
660                         goto out_double_mount;
661                 rc = 0;
662                 goto out;
663         }
664
665         if (strcmp(sb->s_type->name, "proc") == 0)
666                 sbsec->proc = 1;
667
668         /* Determine the labeling behavior to use for this filesystem type. */
669         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
670         if (rc) {
671                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
672                        __func__, sb->s_type->name, rc);
673                 goto out;
674         }
675
676         /* sets the context of the superblock for the fs being mounted. */
677         if (fscontext_sid) {
678
679                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
680                 if (rc)
681                         goto out;
682
683                 sbsec->sid = fscontext_sid;
684         }
685
686         /*
687          * Switch to using mount point labeling behavior.
688          * sets the label used on all file below the mountpoint, and will set
689          * the superblock context if not already set.
690          */
691         if (context_sid) {
692                 if (!fscontext_sid) {
693                         rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
694                         if (rc)
695                                 goto out;
696                         sbsec->sid = context_sid;
697                 } else {
698                         rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
699                         if (rc)
700                                 goto out;
701                 }
702                 if (!rootcontext_sid)
703                         rootcontext_sid = context_sid;
704
705                 sbsec->mntpoint_sid = context_sid;
706                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
707         }
708
709         if (rootcontext_sid) {
710                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
711                 if (rc)
712                         goto out;
713
714                 root_isec->sid = rootcontext_sid;
715                 root_isec->initialized = 1;
716         }
717
718         if (defcontext_sid) {
719                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
720                         rc = -EINVAL;
721                         printk(KERN_WARNING "SELinux: defcontext option is "
722                                "invalid for this filesystem type\n");
723                         goto out;
724                 }
725
726                 if (defcontext_sid != sbsec->def_sid) {
727                         rc = may_context_mount_inode_relabel(defcontext_sid,
728                                                              sbsec, tsec);
729                         if (rc)
730                                 goto out;
731                 }
732
733                 sbsec->def_sid = defcontext_sid;
734         }
735
736         rc = sb_finish_set_opts(sb);
737 out:
738         mutex_unlock(&sbsec->lock);
739         return rc;
740 out_double_mount:
741         rc = -EINVAL;
742         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
743                "security settings for (dev %s, type %s)\n", sb->s_id, name);
744         goto out;
745 }
746
747 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
748                                         struct super_block *newsb)
749 {
750         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
751         struct superblock_security_struct *newsbsec = newsb->s_security;
752
753         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
754         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
755         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
756
757         /* we can't error, we can't save the info, this shouldn't get called
758          * this early in the boot process. */
759         BUG_ON(!ss_initialized);
760
761         /* how can we clone if the old one wasn't set up?? */
762         BUG_ON(!oldsbsec->initialized);
763
764         /* if fs is reusing a sb, just let its options stand... */
765         if (newsbsec->initialized)
766                 return;
767
768         mutex_lock(&newsbsec->lock);
769
770         newsbsec->flags = oldsbsec->flags;
771
772         newsbsec->sid = oldsbsec->sid;
773         newsbsec->def_sid = oldsbsec->def_sid;
774         newsbsec->behavior = oldsbsec->behavior;
775
776         if (set_context) {
777                 u32 sid = oldsbsec->mntpoint_sid;
778
779                 if (!set_fscontext)
780                         newsbsec->sid = sid;
781                 if (!set_rootcontext) {
782                         struct inode *newinode = newsb->s_root->d_inode;
783                         struct inode_security_struct *newisec = newinode->i_security;
784                         newisec->sid = sid;
785                 }
786                 newsbsec->mntpoint_sid = sid;
787         }
788         if (set_rootcontext) {
789                 const struct inode *oldinode = oldsb->s_root->d_inode;
790                 const struct inode_security_struct *oldisec = oldinode->i_security;
791                 struct inode *newinode = newsb->s_root->d_inode;
792                 struct inode_security_struct *newisec = newinode->i_security;
793
794                 newisec->sid = oldisec->sid;
795         }
796
797         sb_finish_set_opts(newsb);
798         mutex_unlock(&newsbsec->lock);
799 }
800
801 static int selinux_parse_opts_str(char *options,
802                                   struct security_mnt_opts *opts)
803 {
804         char *p;
805         char *context = NULL, *defcontext = NULL;
806         char *fscontext = NULL, *rootcontext = NULL;
807         int rc, num_mnt_opts = 0;
808
809         opts->num_mnt_opts = 0;
810
811         /* Standard string-based options. */
812         while ((p = strsep(&options, "|")) != NULL) {
813                 int token;
814                 substring_t args[MAX_OPT_ARGS];
815
816                 if (!*p)
817                         continue;
818
819                 token = match_token(p, tokens, args);
820
821                 switch (token) {
822                 case Opt_context:
823                         if (context || defcontext) {
824                                 rc = -EINVAL;
825                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
826                                 goto out_err;
827                         }
828                         context = match_strdup(&args[0]);
829                         if (!context) {
830                                 rc = -ENOMEM;
831                                 goto out_err;
832                         }
833                         break;
834
835                 case Opt_fscontext:
836                         if (fscontext) {
837                                 rc = -EINVAL;
838                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
839                                 goto out_err;
840                         }
841                         fscontext = match_strdup(&args[0]);
842                         if (!fscontext) {
843                                 rc = -ENOMEM;
844                                 goto out_err;
845                         }
846                         break;
847
848                 case Opt_rootcontext:
849                         if (rootcontext) {
850                                 rc = -EINVAL;
851                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
852                                 goto out_err;
853                         }
854                         rootcontext = match_strdup(&args[0]);
855                         if (!rootcontext) {
856                                 rc = -ENOMEM;
857                                 goto out_err;
858                         }
859                         break;
860
861                 case Opt_defcontext:
862                         if (context || defcontext) {
863                                 rc = -EINVAL;
864                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
865                                 goto out_err;
866                         }
867                         defcontext = match_strdup(&args[0]);
868                         if (!defcontext) {
869                                 rc = -ENOMEM;
870                                 goto out_err;
871                         }
872                         break;
873
874                 default:
875                         rc = -EINVAL;
876                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
877                         goto out_err;
878
879                 }
880         }
881
882         rc = -ENOMEM;
883         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
884         if (!opts->mnt_opts)
885                 goto out_err;
886
887         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
888         if (!opts->mnt_opts_flags) {
889                 kfree(opts->mnt_opts);
890                 goto out_err;
891         }
892
893         if (fscontext) {
894                 opts->mnt_opts[num_mnt_opts] = fscontext;
895                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
896         }
897         if (context) {
898                 opts->mnt_opts[num_mnt_opts] = context;
899                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
900         }
901         if (rootcontext) {
902                 opts->mnt_opts[num_mnt_opts] = rootcontext;
903                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
904         }
905         if (defcontext) {
906                 opts->mnt_opts[num_mnt_opts] = defcontext;
907                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
908         }
909
910         opts->num_mnt_opts = num_mnt_opts;
911         return 0;
912
913 out_err:
914         kfree(context);
915         kfree(defcontext);
916         kfree(fscontext);
917         kfree(rootcontext);
918         return rc;
919 }
920 /*
921  * string mount options parsing and call set the sbsec
922  */
923 static int superblock_doinit(struct super_block *sb, void *data)
924 {
925         int rc = 0;
926         char *options = data;
927         struct security_mnt_opts opts;
928
929         security_init_mnt_opts(&opts);
930
931         if (!data)
932                 goto out;
933
934         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
935
936         rc = selinux_parse_opts_str(options, &opts);
937         if (rc)
938                 goto out_err;
939
940 out:
941         rc = selinux_set_mnt_opts(sb, &opts);
942
943 out_err:
944         security_free_mnt_opts(&opts);
945         return rc;
946 }
947
948 static inline u16 inode_mode_to_security_class(umode_t mode)
949 {
950         switch (mode & S_IFMT) {
951         case S_IFSOCK:
952                 return SECCLASS_SOCK_FILE;
953         case S_IFLNK:
954                 return SECCLASS_LNK_FILE;
955         case S_IFREG:
956                 return SECCLASS_FILE;
957         case S_IFBLK:
958                 return SECCLASS_BLK_FILE;
959         case S_IFDIR:
960                 return SECCLASS_DIR;
961         case S_IFCHR:
962                 return SECCLASS_CHR_FILE;
963         case S_IFIFO:
964                 return SECCLASS_FIFO_FILE;
965
966         }
967
968         return SECCLASS_FILE;
969 }
970
971 static inline int default_protocol_stream(int protocol)
972 {
973         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
974 }
975
976 static inline int default_protocol_dgram(int protocol)
977 {
978         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
979 }
980
981 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
982 {
983         switch (family) {
984         case PF_UNIX:
985                 switch (type) {
986                 case SOCK_STREAM:
987                 case SOCK_SEQPACKET:
988                         return SECCLASS_UNIX_STREAM_SOCKET;
989                 case SOCK_DGRAM:
990                         return SECCLASS_UNIX_DGRAM_SOCKET;
991                 }
992                 break;
993         case PF_INET:
994         case PF_INET6:
995                 switch (type) {
996                 case SOCK_STREAM:
997                         if (default_protocol_stream(protocol))
998                                 return SECCLASS_TCP_SOCKET;
999                         else
1000                                 return SECCLASS_RAWIP_SOCKET;
1001                 case SOCK_DGRAM:
1002                         if (default_protocol_dgram(protocol))
1003                                 return SECCLASS_UDP_SOCKET;
1004                         else
1005                                 return SECCLASS_RAWIP_SOCKET;
1006                 case SOCK_DCCP:
1007                         return SECCLASS_DCCP_SOCKET;
1008                 default:
1009                         return SECCLASS_RAWIP_SOCKET;
1010                 }
1011                 break;
1012         case PF_NETLINK:
1013                 switch (protocol) {
1014                 case NETLINK_ROUTE:
1015                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1016                 case NETLINK_FIREWALL:
1017                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1018                 case NETLINK_INET_DIAG:
1019                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1020                 case NETLINK_NFLOG:
1021                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1022                 case NETLINK_XFRM:
1023                         return SECCLASS_NETLINK_XFRM_SOCKET;
1024                 case NETLINK_SELINUX:
1025                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1026                 case NETLINK_AUDIT:
1027                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1028                 case NETLINK_IP6_FW:
1029                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1030                 case NETLINK_DNRTMSG:
1031                         return SECCLASS_NETLINK_DNRT_SOCKET;
1032                 case NETLINK_KOBJECT_UEVENT:
1033                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1034                 default:
1035                         return SECCLASS_NETLINK_SOCKET;
1036                 }
1037         case PF_PACKET:
1038                 return SECCLASS_PACKET_SOCKET;
1039         case PF_KEY:
1040                 return SECCLASS_KEY_SOCKET;
1041         case PF_APPLETALK:
1042                 return SECCLASS_APPLETALK_SOCKET;
1043         }
1044
1045         return SECCLASS_SOCKET;
1046 }
1047
1048 #ifdef CONFIG_PROC_FS
1049 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1050                                 u16 tclass,
1051                                 u32 *sid)
1052 {
1053         int buflen, rc;
1054         char *buffer, *path, *end;
1055
1056         buffer = (char*)__get_free_page(GFP_KERNEL);
1057         if (!buffer)
1058                 return -ENOMEM;
1059
1060         buflen = PAGE_SIZE;
1061         end = buffer+buflen;
1062         *--end = '\0';
1063         buflen--;
1064         path = end-1;
1065         *path = '/';
1066         while (de && de != de->parent) {
1067                 buflen -= de->namelen + 1;
1068                 if (buflen < 0)
1069                         break;
1070                 end -= de->namelen;
1071                 memcpy(end, de->name, de->namelen);
1072                 *--end = '/';
1073                 path = end;
1074                 de = de->parent;
1075         }
1076         rc = security_genfs_sid("proc", path, tclass, sid);
1077         free_page((unsigned long)buffer);
1078         return rc;
1079 }
1080 #else
1081 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1082                                 u16 tclass,
1083                                 u32 *sid)
1084 {
1085         return -EINVAL;
1086 }
1087 #endif
1088
1089 /* The inode's security attributes must be initialized before first use. */
1090 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1091 {
1092         struct superblock_security_struct *sbsec = NULL;
1093         struct inode_security_struct *isec = inode->i_security;
1094         u32 sid;
1095         struct dentry *dentry;
1096 #define INITCONTEXTLEN 255
1097         char *context = NULL;
1098         unsigned len = 0;
1099         int rc = 0;
1100
1101         if (isec->initialized)
1102                 goto out;
1103
1104         mutex_lock(&isec->lock);
1105         if (isec->initialized)
1106                 goto out_unlock;
1107
1108         sbsec = inode->i_sb->s_security;
1109         if (!sbsec->initialized) {
1110                 /* Defer initialization until selinux_complete_init,
1111                    after the initial policy is loaded and the security
1112                    server is ready to handle calls. */
1113                 spin_lock(&sbsec->isec_lock);
1114                 if (list_empty(&isec->list))
1115                         list_add(&isec->list, &sbsec->isec_head);
1116                 spin_unlock(&sbsec->isec_lock);
1117                 goto out_unlock;
1118         }
1119
1120         switch (sbsec->behavior) {
1121         case SECURITY_FS_USE_XATTR:
1122                 if (!inode->i_op->getxattr) {
1123                         isec->sid = sbsec->def_sid;
1124                         break;
1125                 }
1126
1127                 /* Need a dentry, since the xattr API requires one.
1128                    Life would be simpler if we could just pass the inode. */
1129                 if (opt_dentry) {
1130                         /* Called from d_instantiate or d_splice_alias. */
1131                         dentry = dget(opt_dentry);
1132                 } else {
1133                         /* Called from selinux_complete_init, try to find a dentry. */
1134                         dentry = d_find_alias(inode);
1135                 }
1136                 if (!dentry) {
1137                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
1138                                "ino=%ld\n", __func__, inode->i_sb->s_id,
1139                                inode->i_ino);
1140                         goto out_unlock;
1141                 }
1142
1143                 len = INITCONTEXTLEN;
1144                 context = kmalloc(len, GFP_NOFS);
1145                 if (!context) {
1146                         rc = -ENOMEM;
1147                         dput(dentry);
1148                         goto out_unlock;
1149                 }
1150                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1151                                            context, len);
1152                 if (rc == -ERANGE) {
1153                         /* Need a larger buffer.  Query for the right size. */
1154                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1155                                                    NULL, 0);
1156                         if (rc < 0) {
1157                                 dput(dentry);
1158                                 goto out_unlock;
1159                         }
1160                         kfree(context);
1161                         len = rc;
1162                         context = kmalloc(len, GFP_NOFS);
1163                         if (!context) {
1164                                 rc = -ENOMEM;
1165                                 dput(dentry);
1166                                 goto out_unlock;
1167                         }
1168                         rc = inode->i_op->getxattr(dentry,
1169                                                    XATTR_NAME_SELINUX,
1170                                                    context, len);
1171                 }
1172                 dput(dentry);
1173                 if (rc < 0) {
1174                         if (rc != -ENODATA) {
1175                                 printk(KERN_WARNING "%s:  getxattr returned "
1176                                        "%d for dev=%s ino=%ld\n", __func__,
1177                                        -rc, inode->i_sb->s_id, inode->i_ino);
1178                                 kfree(context);
1179                                 goto out_unlock;
1180                         }
1181                         /* Map ENODATA to the default file SID */
1182                         sid = sbsec->def_sid;
1183                         rc = 0;
1184                 } else {
1185                         rc = security_context_to_sid_default(context, rc, &sid,
1186                                                              sbsec->def_sid,
1187                                                              GFP_NOFS);
1188                         if (rc) {
1189                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
1190                                        "returned %d for dev=%s ino=%ld\n",
1191                                        __func__, context, -rc,
1192                                        inode->i_sb->s_id, inode->i_ino);
1193                                 kfree(context);
1194                                 /* Leave with the unlabeled SID */
1195                                 rc = 0;
1196                                 break;
1197                         }
1198                 }
1199                 kfree(context);
1200                 isec->sid = sid;
1201                 break;
1202         case SECURITY_FS_USE_TASK:
1203                 isec->sid = isec->task_sid;
1204                 break;
1205         case SECURITY_FS_USE_TRANS:
1206                 /* Default to the fs SID. */
1207                 isec->sid = sbsec->sid;
1208
1209                 /* Try to obtain a transition SID. */
1210                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1211                 rc = security_transition_sid(isec->task_sid,
1212                                              sbsec->sid,
1213                                              isec->sclass,
1214                                              &sid);
1215                 if (rc)
1216                         goto out_unlock;
1217                 isec->sid = sid;
1218                 break;
1219         case SECURITY_FS_USE_MNTPOINT:
1220                 isec->sid = sbsec->mntpoint_sid;
1221                 break;
1222         default:
1223                 /* Default to the fs superblock SID. */
1224                 isec->sid = sbsec->sid;
1225
1226                 if (sbsec->proc) {
1227                         struct proc_inode *proci = PROC_I(inode);
1228                         if (proci->pde) {
1229                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1230                                 rc = selinux_proc_get_sid(proci->pde,
1231                                                           isec->sclass,
1232                                                           &sid);
1233                                 if (rc)
1234                                         goto out_unlock;
1235                                 isec->sid = sid;
1236                         }
1237                 }
1238                 break;
1239         }
1240
1241         isec->initialized = 1;
1242
1243 out_unlock:
1244         mutex_unlock(&isec->lock);
1245 out:
1246         if (isec->sclass == SECCLASS_FILE)
1247                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1248         return rc;
1249 }
1250
1251 /* Convert a Linux signal to an access vector. */
1252 static inline u32 signal_to_av(int sig)
1253 {
1254         u32 perm = 0;
1255
1256         switch (sig) {
1257         case SIGCHLD:
1258                 /* Commonly granted from child to parent. */
1259                 perm = PROCESS__SIGCHLD;
1260                 break;
1261         case SIGKILL:
1262                 /* Cannot be caught or ignored */
1263                 perm = PROCESS__SIGKILL;
1264                 break;
1265         case SIGSTOP:
1266                 /* Cannot be caught or ignored */
1267                 perm = PROCESS__SIGSTOP;
1268                 break;
1269         default:
1270                 /* All other signals. */
1271                 perm = PROCESS__SIGNAL;
1272                 break;
1273         }
1274
1275         return perm;
1276 }
1277
1278 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1279    fork check, ptrace check, etc. */
1280 static int task_has_perm(struct task_struct *tsk1,
1281                          struct task_struct *tsk2,
1282                          u32 perms)
1283 {
1284         struct task_security_struct *tsec1, *tsec2;
1285
1286         tsec1 = tsk1->security;
1287         tsec2 = tsk2->security;
1288         return avc_has_perm(tsec1->sid, tsec2->sid,
1289                             SECCLASS_PROCESS, perms, NULL);
1290 }
1291
1292 #if CAP_LAST_CAP > 63
1293 #error Fix SELinux to handle capabilities > 63.
1294 #endif
1295
1296 /* Check whether a task is allowed to use a capability. */
1297 static int task_has_capability(struct task_struct *tsk,
1298                                int cap)
1299 {
1300         struct task_security_struct *tsec;
1301         struct avc_audit_data ad;
1302         u16 sclass;
1303         u32 av = CAP_TO_MASK(cap);
1304
1305         tsec = tsk->security;
1306
1307         AVC_AUDIT_DATA_INIT(&ad,CAP);
1308         ad.tsk = tsk;
1309         ad.u.cap = cap;
1310
1311         switch (CAP_TO_INDEX(cap)) {
1312         case 0:
1313                 sclass = SECCLASS_CAPABILITY;
1314                 break;
1315         case 1:
1316                 sclass = SECCLASS_CAPABILITY2;
1317                 break;
1318         default:
1319                 printk(KERN_ERR
1320                        "SELinux:  out of range capability %d\n", cap);
1321                 BUG();
1322         }
1323         return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1324 }
1325
1326 /* Check whether a task is allowed to use a system operation. */
1327 static int task_has_system(struct task_struct *tsk,
1328                            u32 perms)
1329 {
1330         struct task_security_struct *tsec;
1331
1332         tsec = tsk->security;
1333
1334         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1335                             SECCLASS_SYSTEM, perms, NULL);
1336 }
1337
1338 /* Check whether a task has a particular permission to an inode.
1339    The 'adp' parameter is optional and allows other audit
1340    data to be passed (e.g. the dentry). */
1341 static int inode_has_perm(struct task_struct *tsk,
1342                           struct inode *inode,
1343                           u32 perms,
1344                           struct avc_audit_data *adp)
1345 {
1346         struct task_security_struct *tsec;
1347         struct inode_security_struct *isec;
1348         struct avc_audit_data ad;
1349
1350         if (unlikely (IS_PRIVATE (inode)))
1351                 return 0;
1352
1353         tsec = tsk->security;
1354         isec = inode->i_security;
1355
1356         if (!adp) {
1357                 adp = &ad;
1358                 AVC_AUDIT_DATA_INIT(&ad, FS);
1359                 ad.u.fs.inode = inode;
1360         }
1361
1362         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1363 }
1364
1365 /* Same as inode_has_perm, but pass explicit audit data containing
1366    the dentry to help the auditing code to more easily generate the
1367    pathname if needed. */
1368 static inline int dentry_has_perm(struct task_struct *tsk,
1369                                   struct vfsmount *mnt,
1370                                   struct dentry *dentry,
1371                                   u32 av)
1372 {
1373         struct inode *inode = dentry->d_inode;
1374         struct avc_audit_data ad;
1375         AVC_AUDIT_DATA_INIT(&ad,FS);
1376         ad.u.fs.path.mnt = mnt;
1377         ad.u.fs.path.dentry = dentry;
1378         return inode_has_perm(tsk, inode, av, &ad);
1379 }
1380
1381 /* Check whether a task can use an open file descriptor to
1382    access an inode in a given way.  Check access to the
1383    descriptor itself, and then use dentry_has_perm to
1384    check a particular permission to the file.
1385    Access to the descriptor is implicitly granted if it
1386    has the same SID as the process.  If av is zero, then
1387    access to the file is not checked, e.g. for cases
1388    where only the descriptor is affected like seek. */
1389 static int file_has_perm(struct task_struct *tsk,
1390                                 struct file *file,
1391                                 u32 av)
1392 {
1393         struct task_security_struct *tsec = tsk->security;
1394         struct file_security_struct *fsec = file->f_security;
1395         struct inode *inode = file->f_path.dentry->d_inode;
1396         struct avc_audit_data ad;
1397         int rc;
1398
1399         AVC_AUDIT_DATA_INIT(&ad, FS);
1400         ad.u.fs.path = file->f_path;
1401
1402         if (tsec->sid != fsec->sid) {
1403                 rc = avc_has_perm(tsec->sid, fsec->sid,
1404                                   SECCLASS_FD,
1405                                   FD__USE,
1406                                   &ad);
1407                 if (rc)
1408                         return rc;
1409         }
1410
1411         /* av is zero if only checking access to the descriptor. */
1412         if (av)
1413                 return inode_has_perm(tsk, inode, av, &ad);
1414
1415         return 0;
1416 }
1417
1418 /* Check whether a task can create a file. */
1419 static int may_create(struct inode *dir,
1420                       struct dentry *dentry,
1421                       u16 tclass)
1422 {
1423         struct task_security_struct *tsec;
1424         struct inode_security_struct *dsec;
1425         struct superblock_security_struct *sbsec;
1426         u32 newsid;
1427         struct avc_audit_data ad;
1428         int rc;
1429
1430         tsec = current->security;
1431         dsec = dir->i_security;
1432         sbsec = dir->i_sb->s_security;
1433
1434         AVC_AUDIT_DATA_INIT(&ad, FS);
1435         ad.u.fs.path.dentry = dentry;
1436
1437         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1438                           DIR__ADD_NAME | DIR__SEARCH,
1439                           &ad);
1440         if (rc)
1441                 return rc;
1442
1443         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1444                 newsid = tsec->create_sid;
1445         } else {
1446                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1447                                              &newsid);
1448                 if (rc)
1449                         return rc;
1450         }
1451
1452         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1453         if (rc)
1454                 return rc;
1455
1456         return avc_has_perm(newsid, sbsec->sid,
1457                             SECCLASS_FILESYSTEM,
1458                             FILESYSTEM__ASSOCIATE, &ad);
1459 }
1460
1461 /* Check whether a task can create a key. */
1462 static int may_create_key(u32 ksid,
1463                           struct task_struct *ctx)
1464 {
1465         struct task_security_struct *tsec;
1466
1467         tsec = ctx->security;
1468
1469         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1470 }
1471
1472 #define MAY_LINK   0
1473 #define MAY_UNLINK 1
1474 #define MAY_RMDIR  2
1475
1476 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1477 static int may_link(struct inode *dir,
1478                     struct dentry *dentry,
1479                     int kind)
1480
1481 {
1482         struct task_security_struct *tsec;
1483         struct inode_security_struct *dsec, *isec;
1484         struct avc_audit_data ad;
1485         u32 av;
1486         int rc;
1487
1488         tsec = current->security;
1489         dsec = dir->i_security;
1490         isec = dentry->d_inode->i_security;
1491
1492         AVC_AUDIT_DATA_INIT(&ad, FS);
1493         ad.u.fs.path.dentry = dentry;
1494
1495         av = DIR__SEARCH;
1496         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1497         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1498         if (rc)
1499                 return rc;
1500
1501         switch (kind) {
1502         case MAY_LINK:
1503                 av = FILE__LINK;
1504                 break;
1505         case MAY_UNLINK:
1506                 av = FILE__UNLINK;
1507                 break;
1508         case MAY_RMDIR:
1509                 av = DIR__RMDIR;
1510                 break;
1511         default:
1512                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1513                 return 0;
1514         }
1515
1516         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1517         return rc;
1518 }
1519
1520 static inline int may_rename(struct inode *old_dir,
1521                              struct dentry *old_dentry,
1522                              struct inode *new_dir,
1523                              struct dentry *new_dentry)
1524 {
1525         struct task_security_struct *tsec;
1526         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1527         struct avc_audit_data ad;
1528         u32 av;
1529         int old_is_dir, new_is_dir;
1530         int rc;
1531
1532         tsec = current->security;
1533         old_dsec = old_dir->i_security;
1534         old_isec = old_dentry->d_inode->i_security;
1535         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1536         new_dsec = new_dir->i_security;
1537
1538         AVC_AUDIT_DATA_INIT(&ad, FS);
1539
1540         ad.u.fs.path.dentry = old_dentry;
1541         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1542                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1543         if (rc)
1544                 return rc;
1545         rc = avc_has_perm(tsec->sid, old_isec->sid,
1546                           old_isec->sclass, FILE__RENAME, &ad);
1547         if (rc)
1548                 return rc;
1549         if (old_is_dir && new_dir != old_dir) {
1550                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1551                                   old_isec->sclass, DIR__REPARENT, &ad);
1552                 if (rc)
1553                         return rc;
1554         }
1555
1556         ad.u.fs.path.dentry = new_dentry;
1557         av = DIR__ADD_NAME | DIR__SEARCH;
1558         if (new_dentry->d_inode)
1559                 av |= DIR__REMOVE_NAME;
1560         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1561         if (rc)
1562                 return rc;
1563         if (new_dentry->d_inode) {
1564                 new_isec = new_dentry->d_inode->i_security;
1565                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1566                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1567                                   new_isec->sclass,
1568                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1569                 if (rc)
1570                         return rc;
1571         }
1572
1573         return 0;
1574 }
1575
1576 /* Check whether a task can perform a filesystem operation. */
1577 static int superblock_has_perm(struct task_struct *tsk,
1578                                struct super_block *sb,
1579                                u32 perms,
1580                                struct avc_audit_data *ad)
1581 {
1582         struct task_security_struct *tsec;
1583         struct superblock_security_struct *sbsec;
1584
1585         tsec = tsk->security;
1586         sbsec = sb->s_security;
1587         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1588                             perms, ad);
1589 }
1590
1591 /* Convert a Linux mode and permission mask to an access vector. */
1592 static inline u32 file_mask_to_av(int mode, int mask)
1593 {
1594         u32 av = 0;
1595
1596         if ((mode & S_IFMT) != S_IFDIR) {
1597                 if (mask & MAY_EXEC)
1598                         av |= FILE__EXECUTE;
1599                 if (mask & MAY_READ)
1600                         av |= FILE__READ;
1601
1602                 if (mask & MAY_APPEND)
1603                         av |= FILE__APPEND;
1604                 else if (mask & MAY_WRITE)
1605                         av |= FILE__WRITE;
1606
1607         } else {
1608                 if (mask & MAY_EXEC)
1609                         av |= DIR__SEARCH;
1610                 if (mask & MAY_WRITE)
1611                         av |= DIR__WRITE;
1612                 if (mask & MAY_READ)
1613                         av |= DIR__READ;
1614         }
1615
1616         return av;
1617 }
1618
1619 /*
1620  * Convert a file mask to an access vector and include the correct open
1621  * open permission.
1622  */
1623 static inline u32 open_file_mask_to_av(int mode, int mask)
1624 {
1625         u32 av = file_mask_to_av(mode, mask);
1626
1627         if (selinux_policycap_openperm) {
1628                 /*
1629                  * lnk files and socks do not really have an 'open'
1630                  */
1631                 if (S_ISREG(mode))
1632                         av |= FILE__OPEN;
1633                 else if (S_ISCHR(mode))
1634                         av |= CHR_FILE__OPEN;
1635                 else if (S_ISBLK(mode))
1636                         av |= BLK_FILE__OPEN;
1637                 else if (S_ISFIFO(mode))
1638                         av |= FIFO_FILE__OPEN;
1639                 else if (S_ISDIR(mode))
1640                         av |= DIR__OPEN;
1641                 else
1642                         printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av "
1643                                 "with unknown mode:%x\n", mode);
1644         }
1645         return av;
1646 }
1647
1648 /* Convert a Linux file to an access vector. */
1649 static inline u32 file_to_av(struct file *file)
1650 {
1651         u32 av = 0;
1652
1653         if (file->f_mode & FMODE_READ)
1654                 av |= FILE__READ;
1655         if (file->f_mode & FMODE_WRITE) {
1656                 if (file->f_flags & O_APPEND)
1657                         av |= FILE__APPEND;
1658                 else
1659                         av |= FILE__WRITE;
1660         }
1661         if (!av) {
1662                 /*
1663                  * Special file opened with flags 3 for ioctl-only use.
1664                  */
1665                 av = FILE__IOCTL;
1666         }
1667
1668         return av;
1669 }
1670
1671 /* Hook functions begin here. */
1672
1673 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1674 {
1675         int rc;
1676
1677         rc = secondary_ops->ptrace(parent,child);
1678         if (rc)
1679                 return rc;
1680
1681         return task_has_perm(parent, child, PROCESS__PTRACE);
1682 }
1683
1684 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1685                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1686 {
1687         int error;
1688
1689         error = task_has_perm(current, target, PROCESS__GETCAP);
1690         if (error)
1691                 return error;
1692
1693         return secondary_ops->capget(target, effective, inheritable, permitted);
1694 }
1695
1696 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1697                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1698 {
1699         int error;
1700
1701         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1702         if (error)
1703                 return error;
1704
1705         return task_has_perm(current, target, PROCESS__SETCAP);
1706 }
1707
1708 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1709                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1710 {
1711         secondary_ops->capset_set(target, effective, inheritable, permitted);
1712 }
1713
1714 static int selinux_capable(struct task_struct *tsk, int cap)
1715 {
1716         int rc;
1717
1718         rc = secondary_ops->capable(tsk, cap);
1719         if (rc)
1720                 return rc;
1721
1722         return task_has_capability(tsk,cap);
1723 }
1724
1725 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1726 {
1727         int buflen, rc;
1728         char *buffer, *path, *end;
1729
1730         rc = -ENOMEM;
1731         buffer = (char*)__get_free_page(GFP_KERNEL);
1732         if (!buffer)
1733                 goto out;
1734
1735         buflen = PAGE_SIZE;
1736         end = buffer+buflen;
1737         *--end = '\0';
1738         buflen--;
1739         path = end-1;
1740         *path = '/';
1741         while (table) {
1742                 const char *name = table->procname;
1743                 size_t namelen = strlen(name);
1744                 buflen -= namelen + 1;
1745                 if (buflen < 0)
1746                         goto out_free;
1747                 end -= namelen;
1748                 memcpy(end, name, namelen);
1749                 *--end = '/';
1750                 path = end;
1751                 table = table->parent;
1752         }
1753         buflen -= 4;
1754         if (buflen < 0)
1755                 goto out_free;
1756         end -= 4;
1757         memcpy(end, "/sys", 4);
1758         path = end;
1759         rc = security_genfs_sid("proc", path, tclass, sid);
1760 out_free:
1761         free_page((unsigned long)buffer);
1762 out:
1763         return rc;
1764 }
1765
1766 static int selinux_sysctl(ctl_table *table, int op)
1767 {
1768         int error = 0;
1769         u32 av;
1770         struct task_security_struct *tsec;
1771         u32 tsid;
1772         int rc;
1773
1774         rc = secondary_ops->sysctl(table, op);
1775         if (rc)
1776                 return rc;
1777
1778         tsec = current->security;
1779
1780         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1781                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1782         if (rc) {
1783                 /* Default to the well-defined sysctl SID. */
1784                 tsid = SECINITSID_SYSCTL;
1785         }
1786
1787         /* The op values are "defined" in sysctl.c, thereby creating
1788          * a bad coupling between this module and sysctl.c */
1789         if(op == 001) {
1790                 error = avc_has_perm(tsec->sid, tsid,
1791                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1792         } else {
1793                 av = 0;
1794                 if (op & 004)
1795                         av |= FILE__READ;
1796                 if (op & 002)
1797                         av |= FILE__WRITE;
1798                 if (av)
1799                         error = avc_has_perm(tsec->sid, tsid,
1800                                              SECCLASS_FILE, av, NULL);
1801         }
1802
1803         return error;
1804 }
1805
1806 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1807 {
1808         int rc = 0;
1809
1810         if (!sb)
1811                 return 0;
1812
1813         switch (cmds) {
1814                 case Q_SYNC:
1815                 case Q_QUOTAON:
1816                 case Q_QUOTAOFF:
1817                 case Q_SETINFO:
1818                 case Q_SETQUOTA:
1819                         rc = superblock_has_perm(current,
1820                                                  sb,
1821                                                  FILESYSTEM__QUOTAMOD, NULL);
1822                         break;
1823                 case Q_GETFMT:
1824                 case Q_GETINFO:
1825                 case Q_GETQUOTA:
1826                         rc = superblock_has_perm(current,
1827                                                  sb,
1828                                                  FILESYSTEM__QUOTAGET, NULL);
1829                         break;
1830                 default:
1831                         rc = 0;  /* let the kernel handle invalid cmds */
1832                         break;
1833         }
1834         return rc;
1835 }
1836
1837 static int selinux_quota_on(struct dentry *dentry)
1838 {
1839         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1840 }
1841
1842 static int selinux_syslog(int type)
1843 {
1844         int rc;
1845
1846         rc = secondary_ops->syslog(type);
1847         if (rc)
1848                 return rc;
1849
1850         switch (type) {
1851                 case 3:         /* Read last kernel messages */
1852                 case 10:        /* Return size of the log buffer */
1853                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1854                         break;
1855                 case 6:         /* Disable logging to console */
1856                 case 7:         /* Enable logging to console */
1857                 case 8:         /* Set level of messages printed to console */
1858                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1859                         break;
1860                 case 0:         /* Close log */
1861                 case 1:         /* Open log */
1862                 case 2:         /* Read from log */
1863                 case 4:         /* Read/clear last kernel messages */
1864                 case 5:         /* Clear ring buffer */
1865                 default:
1866                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1867                         break;
1868         }
1869         return rc;
1870 }
1871
1872 /*
1873  * Check that a process has enough memory to allocate a new virtual
1874  * mapping. 0 means there is enough memory for the allocation to
1875  * succeed and -ENOMEM implies there is not.
1876  *
1877  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1878  * if the capability is granted, but __vm_enough_memory requires 1 if
1879  * the capability is granted.
1880  *
1881  * Do not audit the selinux permission check, as this is applied to all
1882  * processes that allocate mappings.
1883  */
1884 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1885 {
1886         int rc, cap_sys_admin = 0;
1887         struct task_security_struct *tsec = current->security;
1888
1889         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1890         if (rc == 0)
1891                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1892                                           SECCLASS_CAPABILITY,
1893                                           CAP_TO_MASK(CAP_SYS_ADMIN),
1894                                           0,
1895                                           NULL);
1896
1897         if (rc == 0)
1898                 cap_sys_admin = 1;
1899
1900         return __vm_enough_memory(mm, pages, cap_sys_admin);
1901 }
1902
1903 /**
1904  * task_tracer_task - return the task that is tracing the given task
1905  * @task:               task to consider
1906  *
1907  * Returns NULL if noone is tracing @task, or the &struct task_struct
1908  * pointer to its tracer.
1909  *
1910  * Must be called under rcu_read_lock().
1911  */
1912 static struct task_struct *task_tracer_task(struct task_struct *task)
1913 {
1914         if (task->ptrace & PT_PTRACED)
1915                 return rcu_dereference(task->parent);
1916         return NULL;
1917 }
1918
1919 /* binprm security operations */
1920
1921 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1922 {
1923         struct bprm_security_struct *bsec;
1924
1925         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1926         if (!bsec)
1927                 return -ENOMEM;
1928
1929         bsec->sid = SECINITSID_UNLABELED;
1930         bsec->set = 0;
1931
1932         bprm->security = bsec;
1933         return 0;
1934 }
1935
1936 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1937 {
1938         struct task_security_struct *tsec;
1939         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1940         struct inode_security_struct *isec;
1941         struct bprm_security_struct *bsec;
1942         u32 newsid;
1943         struct avc_audit_data ad;
1944         int rc;
1945
1946         rc = secondary_ops->bprm_set_security(bprm);
1947         if (rc)
1948                 return rc;
1949
1950         bsec = bprm->security;
1951
1952         if (bsec->set)
1953                 return 0;
1954
1955         tsec = current->security;
1956         isec = inode->i_security;
1957
1958         /* Default to the current task SID. */
1959         bsec->sid = tsec->sid;
1960
1961         /* Reset fs, key, and sock SIDs on execve. */
1962         tsec->create_sid = 0;
1963         tsec->keycreate_sid = 0;
1964         tsec->sockcreate_sid = 0;
1965
1966         if (tsec->exec_sid) {
1967                 newsid = tsec->exec_sid;
1968                 /* Reset exec SID on execve. */
1969                 tsec->exec_sid = 0;
1970         } else {
1971                 /* Check for a default transition on this program. */
1972                 rc = security_transition_sid(tsec->sid, isec->sid,
1973                                              SECCLASS_PROCESS, &newsid);
1974                 if (rc)
1975                         return rc;
1976         }
1977
1978         AVC_AUDIT_DATA_INIT(&ad, FS);
1979         ad.u.fs.path = bprm->file->f_path;
1980
1981         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1982                 newsid = tsec->sid;
1983
1984         if (tsec->sid == newsid) {
1985                 rc = avc_has_perm(tsec->sid, isec->sid,
1986                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1987                 if (rc)
1988                         return rc;
1989         } else {
1990                 /* Check permissions for the transition. */
1991                 rc = avc_has_perm(tsec->sid, newsid,
1992                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1993                 if (rc)
1994                         return rc;
1995
1996                 rc = avc_has_perm(newsid, isec->sid,
1997                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1998                 if (rc)
1999                         return rc;
2000
2001                 /* Clear any possibly unsafe personality bits on exec: */
2002                 current->personality &= ~PER_CLEAR_ON_SETID;
2003
2004                 /* Set the security field to the new SID. */
2005                 bsec->sid = newsid;
2006         }
2007
2008         bsec->set = 1;
2009         return 0;
2010 }
2011
2012 static int selinux_bprm_check_security (struct linux_binprm *bprm)
2013 {
2014         return secondary_ops->bprm_check_security(bprm);
2015 }
2016
2017
2018 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
2019 {
2020         struct task_security_struct *tsec = current->security;
2021         int atsecure = 0;
2022
2023         if (tsec->osid != tsec->sid) {
2024                 /* Enable secure mode for SIDs transitions unless
2025                    the noatsecure permission is granted between
2026                    the two SIDs, i.e. ahp returns 0. */
2027                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2028                                          SECCLASS_PROCESS,
2029                                          PROCESS__NOATSECURE, NULL);
2030         }
2031
2032         return (atsecure || secondary_ops->bprm_secureexec(bprm));
2033 }
2034
2035 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2036 {
2037         kfree(bprm->security);
2038         bprm->security = NULL;
2039 }
2040
2041 extern struct vfsmount *selinuxfs_mount;
2042 extern struct dentry *selinux_null;
2043
2044 /* Derived from fs/exec.c:flush_old_files. */
2045 static inline void flush_unauthorized_files(struct files_struct * files)
2046 {
2047         struct avc_audit_data ad;
2048         struct file *file, *devnull = NULL;
2049         struct tty_struct *tty;
2050         struct fdtable *fdt;
2051         long j = -1;
2052         int drop_tty = 0;
2053
2054         mutex_lock(&tty_mutex);
2055         tty = get_current_tty();
2056         if (tty) {
2057                 file_list_lock();
2058                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2059                 if (file) {
2060                         /* Revalidate access to controlling tty.
2061                            Use inode_has_perm on the tty inode directly rather
2062                            than using file_has_perm, as this particular open
2063                            file may belong to another process and we are only
2064                            interested in the inode-based check here. */
2065                         struct inode *inode = file->f_path.dentry->d_inode;
2066                         if (inode_has_perm(current, inode,
2067                                            FILE__READ | FILE__WRITE, NULL)) {
2068                                 drop_tty = 1;
2069                         }
2070                 }
2071                 file_list_unlock();
2072         }
2073         mutex_unlock(&tty_mutex);
2074         /* Reset controlling tty. */
2075         if (drop_tty)
2076                 no_tty();
2077
2078         /* Revalidate access to inherited open files. */
2079
2080         AVC_AUDIT_DATA_INIT(&ad,FS);
2081
2082         spin_lock(&files->file_lock);
2083         for (;;) {
2084                 unsigned long set, i;
2085                 int fd;
2086
2087                 j++;
2088                 i = j * __NFDBITS;
2089                 fdt = files_fdtable(files);
2090                 if (i >= fdt->max_fds)
2091                         break;
2092                 set = fdt->open_fds->fds_bits[j];
2093                 if (!set)
2094                         continue;
2095                 spin_unlock(&files->file_lock);
2096                 for ( ; set ; i++,set >>= 1) {
2097                         if (set & 1) {
2098                                 file = fget(i);
2099                                 if (!file)
2100                                         continue;
2101                                 if (file_has_perm(current,
2102                                                   file,
2103                                                   file_to_av(file))) {
2104                                         sys_close(i);
2105                                         fd = get_unused_fd();
2106                                         if (fd != i) {
2107                                                 if (fd >= 0)
2108                                                         put_unused_fd(fd);
2109                                                 fput(file);
2110                                                 continue;
2111                                         }
2112                                         if (devnull) {
2113                                                 get_file(devnull);
2114                                         } else {
2115                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2116                                                 if (IS_ERR(devnull)) {
2117                                                         devnull = NULL;
2118                                                         put_unused_fd(fd);
2119                                                         fput(file);
2120                                                         continue;
2121                                                 }
2122                                         }
2123                                         fd_install(fd, devnull);
2124                                 }
2125                                 fput(file);
2126                         }
2127                 }
2128                 spin_lock(&files->file_lock);
2129
2130         }
2131         spin_unlock(&files->file_lock);
2132 }
2133
2134 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2135 {
2136         struct task_security_struct *tsec;
2137         struct bprm_security_struct *bsec;
2138         u32 sid;
2139         int rc;
2140
2141         secondary_ops->bprm_apply_creds(bprm, unsafe);
2142
2143         tsec = current->security;
2144
2145         bsec = bprm->security;
2146         sid = bsec->sid;
2147
2148         tsec->osid = tsec->sid;
2149         bsec->unsafe = 0;
2150         if (tsec->sid != sid) {
2151                 /* Check for shared state.  If not ok, leave SID
2152                    unchanged and kill. */
2153                 if (unsafe & LSM_UNSAFE_SHARE) {
2154                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2155                                         PROCESS__SHARE, NULL);
2156                         if (rc) {
2157                                 bsec->unsafe = 1;
2158                                 return;
2159                         }
2160                 }
2161
2162                 /* Check for ptracing, and update the task SID if ok.
2163                    Otherwise, leave SID unchanged and kill. */
2164                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2165                         struct task_struct *tracer;
2166                         struct task_security_struct *sec;
2167                         u32 ptsid = 0;
2168
2169                         rcu_read_lock();
2170                         tracer = task_tracer_task(current);
2171                         if (likely(tracer != NULL)) {
2172                                 sec = tracer->security;
2173                                 ptsid = sec->sid;
2174                         }
2175                         rcu_read_unlock();
2176
2177                         if (ptsid != 0) {
2178                                 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2179                                                   PROCESS__PTRACE, NULL);
2180                                 if (rc) {
2181                                         bsec->unsafe = 1;
2182                                         return;
2183                                 }
2184                         }
2185                 }
2186                 tsec->sid = sid;
2187         }
2188 }
2189
2190 /*
2191  * called after apply_creds without the task lock held
2192  */
2193 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2194 {
2195         struct task_security_struct *tsec;
2196         struct rlimit *rlim, *initrlim;
2197         struct itimerval itimer;
2198         struct bprm_security_struct *bsec;
2199         int rc, i;
2200
2201         tsec = current->security;
2202         bsec = bprm->security;
2203
2204         if (bsec->unsafe) {
2205                 force_sig_specific(SIGKILL, current);
2206                 return;
2207         }
2208         if (tsec->osid == tsec->sid)
2209                 return;
2210
2211         /* Close files for which the new task SID is not authorized. */
2212         flush_unauthorized_files(current->files);
2213
2214         /* Check whether the new SID can inherit signal state
2215            from the old SID.  If not, clear itimers to avoid
2216            subsequent signal generation and flush and unblock
2217            signals. This must occur _after_ the task SID has
2218           been updated so that any kill done after the flush
2219           will be checked against the new SID. */
2220         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2221                           PROCESS__SIGINH, NULL);
2222         if (rc) {
2223                 memset(&itimer, 0, sizeof itimer);
2224                 for (i = 0; i < 3; i++)
2225                         do_setitimer(i, &itimer, NULL);
2226                 flush_signals(current);
2227                 spin_lock_irq(&current->sighand->siglock);
2228                 flush_signal_handlers(current, 1);
2229                 sigemptyset(&current->blocked);
2230                 recalc_sigpending();
2231                 spin_unlock_irq(&current->sighand->siglock);
2232         }
2233
2234         /* Always clear parent death signal on SID transitions. */
2235         current->pdeath_signal = 0;
2236
2237         /* Check whether the new SID can inherit resource limits
2238            from the old SID.  If not, reset all soft limits to
2239            the lower of the current task's hard limit and the init
2240            task's soft limit.  Note that the setting of hard limits
2241            (even to lower them) can be controlled by the setrlimit
2242            check. The inclusion of the init task's soft limit into
2243            the computation is to avoid resetting soft limits higher
2244            than the default soft limit for cases where the default
2245            is lower than the hard limit, e.g. RLIMIT_CORE or
2246            RLIMIT_STACK.*/
2247         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2248                           PROCESS__RLIMITINH, NULL);
2249         if (rc) {
2250                 for (i = 0; i < RLIM_NLIMITS; i++) {
2251                         rlim = current->signal->rlim + i;
2252                         initrlim = init_task.signal->rlim+i;
2253                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2254                 }
2255                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2256                         /*
2257                          * This will cause RLIMIT_CPU calculations
2258                          * to be refigured.
2259                          */
2260                         current->it_prof_expires = jiffies_to_cputime(1);
2261                 }
2262         }
2263
2264         /* Wake up the parent if it is waiting so that it can
2265            recheck wait permission to the new task SID. */
2266         wake_up_interruptible(&current->parent->signal->wait_chldexit);
2267 }
2268
2269 /* superblock security operations */
2270
2271 static int selinux_sb_alloc_security(struct super_block *sb)
2272 {
2273         return superblock_alloc_security(sb);
2274 }
2275
2276 static void selinux_sb_free_security(struct super_block *sb)
2277 {
2278         superblock_free_security(sb);
2279 }
2280
2281 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2282 {
2283         if (plen > olen)
2284                 return 0;
2285
2286         return !memcmp(prefix, option, plen);
2287 }
2288
2289 static inline int selinux_option(char *option, int len)
2290 {
2291         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2292                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2293                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2294                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2295 }
2296
2297 static inline void take_option(char **to, char *from, int *first, int len)
2298 {
2299         if (!*first) {
2300                 **to = ',';
2301                 *to += 1;
2302         } else
2303                 *first = 0;
2304         memcpy(*to, from, len);
2305         *to += len;
2306 }
2307
2308 static inline void take_selinux_option(char **to, char *from, int *first, 
2309                                        int len)
2310 {
2311         int current_size = 0;
2312
2313         if (!*first) {
2314                 **to = '|';
2315                 *to += 1;
2316         }
2317         else
2318                 *first = 0;
2319
2320         while (current_size < len) {
2321                 if (*from != '"') {
2322                         **to = *from;
2323                         *to += 1;
2324                 }
2325                 from += 1;
2326                 current_size += 1;
2327         }
2328 }
2329
2330 static int selinux_sb_copy_data(char *orig, char *copy)
2331 {
2332         int fnosec, fsec, rc = 0;
2333         char *in_save, *in_curr, *in_end;
2334         char *sec_curr, *nosec_save, *nosec;
2335         int open_quote = 0;
2336
2337         in_curr = orig;
2338         sec_curr = copy;
2339
2340         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2341         if (!nosec) {
2342                 rc = -ENOMEM;
2343                 goto out;
2344         }
2345
2346         nosec_save = nosec;
2347         fnosec = fsec = 1;
2348         in_save = in_end = orig;
2349
2350         do {
2351                 if (*in_end == '"')
2352                         open_quote = !open_quote;
2353                 if ((*in_end == ',' && open_quote == 0) ||
2354                                 *in_end == '\0') {
2355                         int len = in_end - in_curr;
2356
2357                         if (selinux_option(in_curr, len))
2358                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2359                         else
2360                                 take_option(&nosec, in_curr, &fnosec, len);
2361
2362                         in_curr = in_end + 1;
2363                 }
2364         } while (*in_end++);
2365
2366         strcpy(in_save, nosec_save);
2367         free_page((unsigned long)nosec_save);
2368 out:
2369         return rc;
2370 }
2371
2372 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2373 {
2374         struct avc_audit_data ad;
2375         int rc;
2376
2377         rc = superblock_doinit(sb, data);
2378         if (rc)
2379                 return rc;
2380
2381         AVC_AUDIT_DATA_INIT(&ad,FS);
2382         ad.u.fs.path.dentry = sb->s_root;
2383         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2384 }
2385
2386 static int selinux_sb_statfs(struct dentry *dentry)
2387 {
2388         struct avc_audit_data ad;
2389
2390         AVC_AUDIT_DATA_INIT(&ad,FS);
2391         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2392         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2393 }
2394
2395 static int selinux_mount(char * dev_name,
2396                          struct nameidata *nd,
2397                          char * type,
2398                          unsigned long flags,
2399                          void * data)
2400 {
2401         int rc;
2402
2403         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2404         if (rc)
2405                 return rc;
2406
2407         if (flags & MS_REMOUNT)
2408                 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
2409                                            FILESYSTEM__REMOUNT, NULL);
2410         else
2411                 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
2412                                        FILE__MOUNTON);
2413 }
2414
2415 static int selinux_umount(struct vfsmount *mnt, int flags)
2416 {
2417         int rc;
2418
2419         rc = secondary_ops->sb_umount(mnt, flags);
2420         if (rc)
2421                 return rc;
2422
2423         return superblock_has_perm(current,mnt->mnt_sb,
2424                                    FILESYSTEM__UNMOUNT,NULL);
2425 }
2426
2427 /* inode security operations */
2428
2429 static int selinux_inode_alloc_security(struct inode *inode)
2430 {
2431         return inode_alloc_security(inode);
2432 }
2433
2434 static void selinux_inode_free_security(struct inode *inode)
2435 {
2436         inode_free_security(inode);
2437 }
2438
2439 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2440                                        char **name, void **value,
2441                                        size_t *len)
2442 {
2443         struct task_security_struct *tsec;
2444         struct inode_security_struct *dsec;
2445         struct superblock_security_struct *sbsec;
2446         u32 newsid, clen;
2447         int rc;
2448         char *namep = NULL, *context;
2449
2450         tsec = current->security;
2451         dsec = dir->i_security;
2452         sbsec = dir->i_sb->s_security;
2453
2454         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2455                 newsid = tsec->create_sid;
2456         } else {
2457                 rc = security_transition_sid(tsec->sid, dsec->sid,
2458                                              inode_mode_to_security_class(inode->i_mode),
2459                                              &newsid);
2460                 if (rc) {
2461                         printk(KERN_WARNING "%s:  "
2462                                "security_transition_sid failed, rc=%d (dev=%s "
2463                                "ino=%ld)\n",
2464                                __func__,
2465                                -rc, inode->i_sb->s_id, inode->i_ino);
2466                         return rc;
2467                 }
2468         }
2469
2470         /* Possibly defer initialization to selinux_complete_init. */
2471         if (sbsec->initialized) {
2472                 struct inode_security_struct *isec = inode->i_security;
2473                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2474                 isec->sid = newsid;
2475                 isec->initialized = 1;
2476         }
2477
2478         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2479                 return -EOPNOTSUPP;
2480
2481         if (name) {
2482                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2483                 if (!namep)
2484                         return -ENOMEM;
2485                 *name = namep;
2486         }
2487
2488         if (value && len) {
2489                 rc = security_sid_to_context(newsid, &context, &clen);
2490                 if (rc) {
2491                         kfree(namep);
2492                         return rc;
2493                 }
2494                 *value = context;
2495                 *len = clen;
2496         }
2497
2498         return 0;
2499 }
2500
2501 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2502 {
2503         return may_create(dir, dentry, SECCLASS_FILE);
2504 }
2505
2506 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2507 {
2508         int rc;
2509
2510         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2511         if (rc)
2512                 return rc;
2513         return may_link(dir, old_dentry, MAY_LINK);
2514 }
2515
2516 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2517 {
2518         int rc;
2519
2520         rc = secondary_ops->inode_unlink(dir, dentry);
2521         if (rc)
2522                 return rc;
2523         return may_link(dir, dentry, MAY_UNLINK);
2524 }
2525
2526 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2527 {
2528         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2529 }
2530
2531 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2532 {
2533         return may_create(dir, dentry, SECCLASS_DIR);
2534 }
2535
2536 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2537 {
2538         return may_link(dir, dentry, MAY_RMDIR);
2539 }
2540
2541 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2542 {
2543         int rc;
2544
2545         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2546         if (rc)
2547                 return rc;
2548
2549         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2550 }
2551
2552 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2553                                 struct inode *new_inode, struct dentry *new_dentry)
2554 {
2555         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2556 }
2557
2558 static int selinux_inode_readlink(struct dentry *dentry)
2559 {
2560         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2561 }
2562
2563 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2564 {
2565         int rc;
2566
2567         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2568         if (rc)
2569                 return rc;
2570         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2571 }
2572
2573 static int selinux_inode_permission(struct inode *inode, int mask,
2574                                     struct nameidata *nd)
2575 {
2576         int rc;
2577
2578         rc = secondary_ops->inode_permission(inode, mask, nd);
2579         if (rc)
2580                 return rc;
2581
2582         if (!mask) {
2583                 /* No permission to check.  Existence test. */
2584                 return 0;
2585         }
2586
2587         return inode_has_perm(current, inode,
2588                                open_file_mask_to_av(inode->i_mode, mask), NULL);
2589 }
2590
2591 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2592 {
2593         int rc;
2594
2595         rc = secondary_ops->inode_setattr(dentry, iattr);
2596         if (rc)
2597                 return rc;
2598
2599         if (iattr->ia_valid & ATTR_FORCE)
2600                 return 0;
2601
2602         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2603                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2604                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2605
2606         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2607 }
2608
2609 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2610 {
2611         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2612 }
2613
2614 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2615 {
2616         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2617                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2618                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2619                         if (!capable(CAP_SETFCAP))
2620                                 return -EPERM;
2621                 } else if (!capable(CAP_SYS_ADMIN)) {
2622                         /* A different attribute in the security namespace.
2623                            Restrict to administrator. */
2624                         return -EPERM;
2625                 }
2626         }
2627
2628         /* Not an attribute we recognize, so just check the
2629            ordinary setattr permission. */
2630         return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2631 }
2632
2633 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2634 {
2635         struct task_security_struct *tsec = current->security;
2636         struct inode *inode = dentry->d_inode;
2637         struct inode_security_struct *isec = inode->i_security;
2638         struct superblock_security_struct *sbsec;
2639         struct avc_audit_data ad;
2640         u32 newsid;
2641         int rc = 0;
2642
2643         if (strcmp(name, XATTR_NAME_SELINUX))
2644                 return selinux_inode_setotherxattr(dentry, name);
2645
2646         sbsec = inode->i_sb->s_security;
2647         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2648                 return -EOPNOTSUPP;
2649
2650         if (!is_owner_or_cap(inode))
2651                 return -EPERM;
2652
2653         AVC_AUDIT_DATA_INIT(&ad,FS);
2654         ad.u.fs.path.dentry = dentry;
2655
2656         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2657                           FILE__RELABELFROM, &ad);
2658         if (rc)
2659                 return rc;
2660
2661         rc = security_context_to_sid(value, size, &newsid);
2662         if (rc)
2663                 return rc;
2664
2665         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2666                           FILE__RELABELTO, &ad);
2667         if (rc)
2668                 return rc;
2669
2670         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2671                                           isec->sclass);
2672         if (rc)
2673                 return rc;
2674
2675         return avc_has_perm(newsid,
2676                             sbsec->sid,
2677                             SECCLASS_FILESYSTEM,
2678                             FILESYSTEM__ASSOCIATE,
2679                             &ad);
2680 }
2681
2682 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2683                                         void *value, size_t size, int flags)
2684 {
2685         struct inode *inode = dentry->d_inode;
2686         struct inode_security_struct *isec = inode->i_security;
2687         u32 newsid;
2688         int rc;
2689
2690         if (strcmp(name, XATTR_NAME_SELINUX)) {
2691                 /* Not an attribute we recognize, so nothing to do. */
2692                 return;
2693         }
2694
2695         rc = security_context_to_sid(value, size, &newsid);
2696         if (rc) {
2697                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2698                        "%s, rc=%d\n", __func__, (char *)value, -rc);
2699                 return;
2700         }
2701
2702         isec->sid = newsid;
2703         return;
2704 }
2705
2706 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2707 {
2708         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2709 }
2710
2711 static int selinux_inode_listxattr (struct dentry *dentry)
2712 {
2713         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2714 }
2715
2716 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2717 {
2718         if (strcmp(name, XATTR_NAME_SELINUX))
2719                 return selinux_inode_setotherxattr(dentry, name);
2720
2721         /* No one is allowed to remove a SELinux security label.
2722            You can change the label, but all data must be labeled. */
2723         return -EACCES;
2724 }
2725
2726 /*
2727  * Copy the in-core inode security context value to the user.  If the
2728  * getxattr() prior to this succeeded, check to see if we need to
2729  * canonicalize the value to be finally returned to the user.
2730  *
2731  * Permission check is handled by selinux_inode_getxattr hook.
2732  */
2733 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2734 {
2735         u32 size;
2736         int error;
2737         char *context = NULL;
2738         struct inode_security_struct *isec = inode->i_security;
2739
2740         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2741                 return -EOPNOTSUPP;
2742
2743         error = security_sid_to_context(isec->sid, &context, &size);
2744         if (error)
2745                 return error;
2746         error = size;
2747         if (alloc) {
2748                 *buffer = context;
2749                 goto out_nofree;
2750         }
2751         kfree(context);
2752 out_nofree:
2753         return error;
2754 }
2755
2756 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2757                                      const void *value, size_t size, int flags)
2758 {
2759         struct inode_security_struct *isec = inode->i_security;
2760         u32 newsid;
2761         int rc;
2762
2763         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2764                 return -EOPNOTSUPP;
2765
2766         if (!value || !size)
2767                 return -EACCES;
2768
2769         rc = security_context_to_sid((void*)value, size, &newsid);
2770         if (rc)
2771                 return rc;
2772
2773         isec->sid = newsid;
2774         return 0;
2775 }
2776
2777 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2778 {
2779         const int len = sizeof(XATTR_NAME_SELINUX);
2780         if (buffer && len <= buffer_size)
2781                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2782         return len;
2783 }
2784
2785 static int selinux_inode_need_killpriv(struct dentry *dentry)
2786 {
2787         return secondary_ops->inode_need_killpriv(dentry);
2788 }
2789
2790 static int selinux_inode_killpriv(struct dentry *dentry)
2791 {
2792         return secondary_ops->inode_killpriv(dentry);
2793 }
2794
2795 /* file security operations */
2796
2797 static int selinux_revalidate_file_permission(struct file *file, int mask)
2798 {
2799         int rc;
2800         struct inode *inode = file->f_path.dentry->d_inode;
2801
2802         if (!mask) {
2803                 /* No permission to check.  Existence test. */
2804                 return 0;
2805         }
2806
2807         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2808         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2809                 mask |= MAY_APPEND;
2810
2811         rc = file_has_perm(current, file,
2812                            file_mask_to_av(inode->i_mode, mask));
2813         if (rc)
2814                 return rc;
2815
2816         return selinux_netlbl_inode_permission(inode, mask);
2817 }
2818
2819 static int selinux_file_permission(struct file *file, int mask)
2820 {
2821         struct inode *inode = file->f_path.dentry->d_inode;
2822         struct task_security_struct *tsec = current->security;
2823         struct file_security_struct *fsec = file->f_security;
2824         struct inode_security_struct *isec = inode->i_security;
2825
2826         if (!mask) {
2827                 /* No permission to check.  Existence test. */
2828                 return 0;
2829         }
2830
2831         if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2832             && fsec->pseqno == avc_policy_seqno())
2833                 return selinux_netlbl_inode_permission(inode, mask);
2834
2835         return selinux_revalidate_file_permission(file, mask);
2836 }
2837
2838 static int selinux_file_alloc_security(struct file *file)
2839 {
2840         return file_alloc_security(file);
2841 }
2842
2843 static void selinux_file_free_security(struct file *file)
2844 {
2845         file_free_security(file);
2846 }
2847
2848 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2849                               unsigned long arg)
2850 {
2851         int error = 0;
2852
2853         switch (cmd) {
2854                 case FIONREAD:
2855                 /* fall through */
2856                 case FIBMAP:
2857                 /* fall through */
2858                 case FIGETBSZ:
2859                 /* fall through */
2860                 case EXT2_IOC_GETFLAGS:
2861                 /* fall through */
2862                 case EXT2_IOC_GETVERSION:
2863                         error = file_has_perm(current, file, FILE__GETATTR);
2864                         break;
2865
2866                 case EXT2_IOC_SETFLAGS:
2867                 /* fall through */
2868                 case EXT2_IOC_SETVERSION:
2869                         error = file_has_perm(current, file, FILE__SETATTR);
2870                         break;
2871
2872                 /* sys_ioctl() checks */
2873                 case FIONBIO:
2874                 /* fall through */
2875                 case FIOASYNC:
2876                         error = file_has_perm(current, file, 0);
2877                         break;
2878
2879                 case KDSKBENT:
2880                 case KDSKBSENT:
2881                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2882                         break;
2883
2884                 /* default case assumes that the command will go
2885                  * to the file's ioctl() function.
2886                  */
2887                 default:
2888                         error = file_has_perm(current, file, FILE__IOCTL);
2889
2890         }
2891         return error;
2892 }
2893
2894 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2895 {
2896 #ifndef CONFIG_PPC32
2897         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2898                 /*
2899                  * We are making executable an anonymous mapping or a
2900                  * private file mapping that will also be writable.
2901                  * This has an additional check.
2902                  */
2903                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2904                 if (rc)
2905                         return rc;
2906         }
2907 #endif
2908
2909         if (file) {
2910                 /* read access is always possible with a mapping */
2911                 u32 av = FILE__READ;
2912
2913                 /* write access only matters if the mapping is shared */
2914                 if (shared && (prot & PROT_WRITE))
2915                         av |= FILE__WRITE;
2916
2917                 if (prot & PROT_EXEC)
2918                         av |= FILE__EXECUTE;
2919
2920                 return file_has_perm(current, file, av);
2921         }
2922         return 0;
2923 }
2924
2925 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2926                              unsigned long prot, unsigned long flags,
2927                              unsigned long addr, unsigned long addr_only)
2928 {
2929         int rc = 0;
2930         u32 sid = ((struct task_security_struct*)(current->security))->sid;
2931
2932         if (addr < mmap_min_addr)
2933                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2934                                   MEMPROTECT__MMAP_ZERO, NULL);
2935         if (rc || addr_only)
2936                 return rc;
2937
2938         if (selinux_checkreqprot)
2939                 prot = reqprot;
2940
2941         return file_map_prot_check(file, prot,
2942                                    (flags & MAP_TYPE) == MAP_SHARED);
2943 }
2944
2945 static int selinux_file_mprotect(struct vm_area_struct *vma,
2946                                  unsigned long reqprot,
2947                                  unsigned long prot)
2948 {
2949         int rc;
2950
2951         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2952         if (rc)
2953                 return rc;
2954
2955         if (selinux_checkreqprot)
2956                 prot = reqprot;
2957
2958 #ifndef CONFIG_PPC32
2959         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2960                 rc = 0;
2961                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2962                     vma->vm_end <= vma->vm_mm->brk) {
2963                         rc = task_has_perm(current, current,
2964                                            PROCESS__EXECHEAP);
2965                 } else if (!vma->vm_file &&
2966                            vma->vm_start <= vma->vm_mm->start_stack &&
2967                            vma->vm_end >= vma->vm_mm->start_stack) {
2968                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2969                 } else if (vma->vm_file && vma->anon_vma) {
2970                         /*
2971                          * We are making executable a file mapping that has
2972                          * had some COW done. Since pages might have been
2973                          * written, check ability to execute the possibly
2974                          * modified content.  This typically should only
2975                          * occur for text relocations.
2976                          */
2977                         rc = file_has_perm(current, vma->vm_file,
2978                                            FILE__EXECMOD);
2979                 }
2980                 if (rc)
2981                         return rc;
2982         }
2983 #endif
2984
2985         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2986 }
2987
2988 static int selinux_file_lock(struct file *file, unsigned int cmd)
2989 {
2990         return file_has_perm(current, file, FILE__LOCK);
2991 }
2992
2993 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2994                               unsigned long arg)
2995 {
2996         int err = 0;
2997
2998         switch (cmd) {
2999                 case F_SETFL:
3000                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3001                                 err = -EINVAL;
3002                                 break;
3003                         }
3004
3005                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3006                                 err = file_has_perm(current, file,FILE__WRITE);
3007                                 break;
3008                         }
3009                         /* fall through */
3010                 case F_SETOWN:
3011                 case F_SETSIG:
3012                 case F_GETFL:
3013                 case F_GETOWN:
3014                 case F_GETSIG:
3015                         /* Just check FD__USE permission */
3016                         err = file_has_perm(current, file, 0);
3017                         break;
3018                 case F_GETLK:
3019                 case F_SETLK:
3020                 case F_SETLKW:
3021 #if BITS_PER_LONG == 32
3022                 case F_GETLK64:
3023                 case F_SETLK64:
3024                 case F_SETLKW64:
3025 #endif
3026                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3027                                 err = -EINVAL;
3028                                 break;
3029                         }
3030                         err = file_has_perm(current, file, FILE__LOCK);
3031                         break;
3032         }
3033
3034         return err;
3035 }
3036
3037 static int selinux_file_set_fowner(struct file *file)
3038 {
3039         struct task_security_struct *tsec;
3040         struct file_security_struct *fsec;
3041
3042         tsec = current->security;
3043         fsec = file->f_security;
3044         fsec->fown_sid = tsec->sid;
3045
3046         return 0;
3047 }
3048
3049 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3050                                        struct fown_struct *fown, int signum)
3051 {
3052         struct file *file;
3053         u32 perm;
3054         struct task_security_struct *tsec;
3055         struct file_security_struct *fsec;
3056
3057         /* struct fown_struct is never outside the context of a struct file */
3058         file = container_of(fown, struct file, f_owner);
3059
3060         tsec = tsk->security;
3061         fsec = file->f_security;
3062
3063         if (!signum)
3064                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3065         else
3066                 perm = signal_to_av(signum);
3067
3068         return avc_has_perm(fsec->fown_sid, tsec->sid,
3069                             SECCLASS_PROCESS, perm, NULL);
3070 }
3071
3072 static int selinux_file_receive(struct file *file)
3073 {
3074         return file_has_perm(current, file, file_to_av(file));
3075 }
3076
3077 static int selinux_dentry_open(struct file *file)
3078 {
3079         struct file_security_struct *fsec;
3080         struct inode *inode;
3081         struct inode_security_struct *isec;
3082         inode = file->f_path.dentry->d_inode;
3083         fsec = file->f_security;
3084         isec = inode->i_security;
3085         /*
3086          * Save inode label and policy sequence number
3087          * at open-time so that selinux_file_permission
3088          * can determine whether revalidation is necessary.
3089          * Task label is already saved in the file security
3090          * struct as its SID.
3091          */
3092         fsec->isid = isec->sid;
3093         fsec->pseqno = avc_policy_seqno();
3094         /*
3095          * Since the inode label or policy seqno may have changed
3096          * between the selinux_inode_permission check and the saving
3097          * of state above, recheck that access is still permitted.
3098          * Otherwise, access might never be revalidated against the
3099          * new inode label or new policy.
3100          * This check is not redundant - do not remove.
3101          */
3102         return inode_has_perm(current, inode, file_to_av(file), NULL);
3103 }
3104
3105 /* task security operations */
3106
3107 static int selinux_task_create(unsigned long clone_flags)
3108 {
3109         int rc;
3110
3111         rc = secondary_ops->task_create(clone_flags);
3112         if (rc)
3113                 return rc;
3114
3115         return task_has_perm(current, current, PROCESS__FORK);
3116 }
3117
3118 static int selinux_task_alloc_security(struct task_struct *tsk)
3119 {
3120         struct task_security_struct *tsec1, *tsec2;
3121         int rc;
3122
3123         tsec1 = current->security;
3124
3125         rc = task_alloc_security(tsk);
3126         if (rc)
3127                 return rc;
3128         tsec2 = tsk->security;
3129
3130         tsec2->osid = tsec1->osid;
3131         tsec2->sid = tsec1->sid;
3132
3133         /* Retain the exec, fs, key, and sock SIDs across fork */
3134         tsec2->exec_sid = tsec1->exec_sid;
3135         tsec2->create_sid = tsec1->create_sid;
3136         tsec2->keycreate_sid = tsec1->keycreate_sid;
3137         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3138
3139         return 0;
3140 }
3141
3142 static void selinux_task_free_security(struct task_struct *tsk)
3143 {
3144         task_free_security(tsk);
3145 }
3146
3147 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3148 {
3149         /* Since setuid only affects the current process, and
3150            since the SELinux controls are not based on the Linux
3151            identity attributes, SELinux does not need to control
3152            this operation.  However, SELinux does control the use
3153            of the CAP_SETUID and CAP_SETGID capabilities using the
3154            capable hook. */
3155         return 0;
3156 }
3157
3158 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3159 {
3160         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
3161 }
3162
3163 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3164 {
3165         /* See the comment for setuid above. */
3166         return 0;
3167 }
3168
3169 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3170 {
3171         return task_has_perm(current, p, PROCESS__SETPGID);
3172 }
3173
3174 static int selinux_task_getpgid(struct task_struct *p)
3175 {
3176         return task_has_perm(current, p, PROCESS__GETPGID);
3177 }
3178
3179 static int selinux_task_getsid(struct task_struct *p)
3180 {
3181         return task_has_perm(current, p, PROCESS__GETSESSION);
3182 }
3183
3184 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3185 {
3186         selinux_get_task_sid(p, secid);
3187 }
3188
3189 static int selinux_task_setgroups(struct group_info *group_info)
3190 {
3191         /* See the comment for setuid above. */
3192         return 0;
3193 }
3194
3195 static int selinux_task_setnice(struct task_struct *p, int nice)
3196 {
3197         int rc;
3198
3199         rc = secondary_ops->task_setnice(p, nice);
3200         if (rc)
3201                 return rc;
3202
3203         return task_has_perm(current,p, PROCESS__SETSCHED);
3204 }
3205
3206 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3207 {
3208         int rc;
3209
3210         rc = secondary_ops->task_setioprio(p, ioprio);
3211         if (rc)
3212                 return rc;
3213
3214         return task_has_perm(current, p, PROCESS__SETSCHED);
3215 }
3216
3217 static int selinux_task_getioprio(struct task_struct *p)
3218 {
3219         return task_has_perm(current, p, PROCESS__GETSCHED);
3220 }
3221
3222 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3223 {
3224         struct rlimit *old_rlim = current->signal->rlim + resource;
3225         int rc;
3226
3227         rc = secondary_ops->task_setrlimit(resource, new_rlim);
3228         if (rc)
3229                 return rc;
3230
3231         /* Control the ability to change the hard limit (whether
3232            lowering or raising it), so that the hard limit can
3233            later be used as a safe reset point for the soft limit
3234            upon context transitions. See selinux_bprm_apply_creds. */
3235         if (old_rlim->rlim_max != new_rlim->rlim_max)
3236                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3237
3238         return 0;
3239 }
3240
3241 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3242 {
3243         int rc;
3244
3245         rc = secondary_ops->task_setscheduler(p, policy, lp);
3246         if (rc)
3247                 return rc;
3248
3249         return task_has_perm(current, p, PROCESS__SETSCHED);
3250 }
3251
3252 static int selinux_task_getscheduler(struct task_struct *p)
3253 {
3254         return task_has_perm(current, p, PROCESS__GETSCHED);
3255 }
3256
3257 static int selinux_task_movememory(struct task_struct *p)
3258 {
3259         return task_has_perm(current, p, PROCESS__SETSCHED);
3260 }
3261
3262 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3263                                 int sig, u32 secid)
3264 {
3265         u32 perm;
3266         int rc;
3267         struct task_security_struct *tsec;
3268
3269         rc = secondary_ops->task_kill(p, info, sig, secid);
3270         if (rc)
3271                 return rc;
3272
3273         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
3274                 return 0;
3275
3276         if (!sig)
3277                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3278         else
3279                 perm = signal_to_av(sig);
3280         tsec = p->security;
3281         if (secid)
3282                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3283         else
3284                 rc = task_has_perm(current, p, perm);
3285         return rc;
3286 }
3287
3288 static int selinux_task_prctl(int option,
3289                               unsigned long arg2,
3290                               unsigned long arg3,
3291                               unsigned long arg4,
3292                               unsigned long arg5)
3293 {
3294  &n