LSM: shrink sizeof LSM specific portion of common_audit_data
[~shefty/rdma-dev.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h>             /* for local_port_range[] */
54 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
55 #include <net/net_namespace.h>
56 #include <net/netlabel.h>
57 #include <linux/uaccess.h>
58 #include <asm/ioctls.h>
59 #include <linux/atomic.h>
60 #include <linux/bitops.h>
61 #include <linux/interrupt.h>
62 #include <linux/netdevice.h>    /* for network interface checks */
63 #include <linux/netlink.h>
64 #include <linux/tcp.h>
65 #include <linux/udp.h>
66 #include <linux/dccp.h>
67 #include <linux/quota.h>
68 #include <linux/un.h>           /* for Unix socket types */
69 #include <net/af_unix.h>        /* for Unix socket types */
70 #include <linux/parser.h>
71 #include <linux/nfs_mount.h>
72 #include <net/ipv6.h>
73 #include <linux/hugetlb.h>
74 #include <linux/personality.h>
75 #include <linux/audit.h>
76 #include <linux/string.h>
77 #include <linux/selinux.h>
78 #include <linux/mutex.h>
79 #include <linux/posix-timers.h>
80 #include <linux/syslog.h>
81 #include <linux/user_namespace.h>
82 #include <linux/export.h>
83 #include <linux/msg.h>
84 #include <linux/shm.h>
85
86 #include "avc.h"
87 #include "objsec.h"
88 #include "netif.h"
89 #include "netnode.h"
90 #include "netport.h"
91 #include "xfrm.h"
92 #include "netlabel.h"
93 #include "audit.h"
94 #include "avc_ss.h"
95
96 #define NUM_SEL_MNT_OPTS 5
97
98 extern struct security_operations *security_ops;
99
100 /* SECMARK reference count */
101 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
102
103 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
104 int selinux_enforcing;
105
106 static int __init enforcing_setup(char *str)
107 {
108         unsigned long enforcing;
109         if (!strict_strtoul(str, 0, &enforcing))
110                 selinux_enforcing = enforcing ? 1 : 0;
111         return 1;
112 }
113 __setup("enforcing=", enforcing_setup);
114 #endif
115
116 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118
119 static int __init selinux_enabled_setup(char *str)
120 {
121         unsigned long enabled;
122         if (!strict_strtoul(str, 0, &enabled))
123                 selinux_enabled = enabled ? 1 : 0;
124         return 1;
125 }
126 __setup("selinux=", selinux_enabled_setup);
127 #else
128 int selinux_enabled = 1;
129 #endif
130
131 static struct kmem_cache *sel_inode_cache;
132
133 /**
134  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
135  *
136  * Description:
137  * This function checks the SECMARK reference counter to see if any SECMARK
138  * targets are currently configured, if the reference counter is greater than
139  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
140  * enabled, false (0) if SECMARK is disabled.
141  *
142  */
143 static int selinux_secmark_enabled(void)
144 {
145         return (atomic_read(&selinux_secmark_refcount) > 0);
146 }
147
148 /*
149  * initialise the security for the init task
150  */
151 static void cred_init_security(void)
152 {
153         struct cred *cred = (struct cred *) current->real_cred;
154         struct task_security_struct *tsec;
155
156         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
157         if (!tsec)
158                 panic("SELinux:  Failed to initialize initial task.\n");
159
160         tsec->osid = tsec->sid = SECINITSID_KERNEL;
161         cred->security = tsec;
162 }
163
164 /*
165  * get the security ID of a set of credentials
166  */
167 static inline u32 cred_sid(const struct cred *cred)
168 {
169         const struct task_security_struct *tsec;
170
171         tsec = cred->security;
172         return tsec->sid;
173 }
174
175 /*
176  * get the objective security ID of a task
177  */
178 static inline u32 task_sid(const struct task_struct *task)
179 {
180         u32 sid;
181
182         rcu_read_lock();
183         sid = cred_sid(__task_cred(task));
184         rcu_read_unlock();
185         return sid;
186 }
187
188 /*
189  * get the subjective security ID of the current task
190  */
191 static inline u32 current_sid(void)
192 {
193         const struct task_security_struct *tsec = current_security();
194
195         return tsec->sid;
196 }
197
198 /* Allocate and free functions for each kind of security blob. */
199
200 static int inode_alloc_security(struct inode *inode)
201 {
202         struct inode_security_struct *isec;
203         u32 sid = current_sid();
204
205         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
206         if (!isec)
207                 return -ENOMEM;
208
209         mutex_init(&isec->lock);
210         INIT_LIST_HEAD(&isec->list);
211         isec->inode = inode;
212         isec->sid = SECINITSID_UNLABELED;
213         isec->sclass = SECCLASS_FILE;
214         isec->task_sid = sid;
215         inode->i_security = isec;
216
217         return 0;
218 }
219
220 static void inode_free_security(struct inode *inode)
221 {
222         struct inode_security_struct *isec = inode->i_security;
223         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
224
225         spin_lock(&sbsec->isec_lock);
226         if (!list_empty(&isec->list))
227                 list_del_init(&isec->list);
228         spin_unlock(&sbsec->isec_lock);
229
230         inode->i_security = NULL;
231         kmem_cache_free(sel_inode_cache, isec);
232 }
233
234 static int file_alloc_security(struct file *file)
235 {
236         struct file_security_struct *fsec;
237         u32 sid = current_sid();
238
239         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
240         if (!fsec)
241                 return -ENOMEM;
242
243         fsec->sid = sid;
244         fsec->fown_sid = sid;
245         file->f_security = fsec;
246
247         return 0;
248 }
249
250 static void file_free_security(struct file *file)
251 {
252         struct file_security_struct *fsec = file->f_security;
253         file->f_security = NULL;
254         kfree(fsec);
255 }
256
257 static int superblock_alloc_security(struct super_block *sb)
258 {
259         struct superblock_security_struct *sbsec;
260
261         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
262         if (!sbsec)
263                 return -ENOMEM;
264
265         mutex_init(&sbsec->lock);
266         INIT_LIST_HEAD(&sbsec->isec_head);
267         spin_lock_init(&sbsec->isec_lock);
268         sbsec->sb = sb;
269         sbsec->sid = SECINITSID_UNLABELED;
270         sbsec->def_sid = SECINITSID_FILE;
271         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
272         sb->s_security = sbsec;
273
274         return 0;
275 }
276
277 static void superblock_free_security(struct super_block *sb)
278 {
279         struct superblock_security_struct *sbsec = sb->s_security;
280         sb->s_security = NULL;
281         kfree(sbsec);
282 }
283
284 /* The file system's label must be initialized prior to use. */
285
286 static const char *labeling_behaviors[6] = {
287         "uses xattr",
288         "uses transition SIDs",
289         "uses task SIDs",
290         "uses genfs_contexts",
291         "not configured for labeling",
292         "uses mountpoint labeling",
293 };
294
295 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
296
297 static inline int inode_doinit(struct inode *inode)
298 {
299         return inode_doinit_with_dentry(inode, NULL);
300 }
301
302 enum {
303         Opt_error = -1,
304         Opt_context = 1,
305         Opt_fscontext = 2,
306         Opt_defcontext = 3,
307         Opt_rootcontext = 4,
308         Opt_labelsupport = 5,
309 };
310
311 static const match_table_t tokens = {
312         {Opt_context, CONTEXT_STR "%s"},
313         {Opt_fscontext, FSCONTEXT_STR "%s"},
314         {Opt_defcontext, DEFCONTEXT_STR "%s"},
315         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
316         {Opt_labelsupport, LABELSUPP_STR},
317         {Opt_error, NULL},
318 };
319
320 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
321
322 static int may_context_mount_sb_relabel(u32 sid,
323                         struct superblock_security_struct *sbsec,
324                         const struct cred *cred)
325 {
326         const struct task_security_struct *tsec = cred->security;
327         int rc;
328
329         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
330                           FILESYSTEM__RELABELFROM, NULL);
331         if (rc)
332                 return rc;
333
334         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
335                           FILESYSTEM__RELABELTO, NULL);
336         return rc;
337 }
338
339 static int may_context_mount_inode_relabel(u32 sid,
340                         struct superblock_security_struct *sbsec,
341                         const struct cred *cred)
342 {
343         const struct task_security_struct *tsec = cred->security;
344         int rc;
345         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
346                           FILESYSTEM__RELABELFROM, NULL);
347         if (rc)
348                 return rc;
349
350         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
351                           FILESYSTEM__ASSOCIATE, NULL);
352         return rc;
353 }
354
355 static int sb_finish_set_opts(struct super_block *sb)
356 {
357         struct superblock_security_struct *sbsec = sb->s_security;
358         struct dentry *root = sb->s_root;
359         struct inode *root_inode = root->d_inode;
360         int rc = 0;
361
362         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
363                 /* Make sure that the xattr handler exists and that no
364                    error other than -ENODATA is returned by getxattr on
365                    the root directory.  -ENODATA is ok, as this may be
366                    the first boot of the SELinux kernel before we have
367                    assigned xattr values to the filesystem. */
368                 if (!root_inode->i_op->getxattr) {
369                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
370                                "xattr support\n", sb->s_id, sb->s_type->name);
371                         rc = -EOPNOTSUPP;
372                         goto out;
373                 }
374                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
375                 if (rc < 0 && rc != -ENODATA) {
376                         if (rc == -EOPNOTSUPP)
377                                 printk(KERN_WARNING "SELinux: (dev %s, type "
378                                        "%s) has no security xattr handler\n",
379                                        sb->s_id, sb->s_type->name);
380                         else
381                                 printk(KERN_WARNING "SELinux: (dev %s, type "
382                                        "%s) getxattr errno %d\n", sb->s_id,
383                                        sb->s_type->name, -rc);
384                         goto out;
385                 }
386         }
387
388         sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
389
390         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
391                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
392                        sb->s_id, sb->s_type->name);
393         else
394                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
395                        sb->s_id, sb->s_type->name,
396                        labeling_behaviors[sbsec->behavior-1]);
397
398         if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
399             sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
400             sbsec->behavior == SECURITY_FS_USE_NONE ||
401             sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
402                 sbsec->flags &= ~SE_SBLABELSUPP;
403
404         /* Special handling for sysfs. Is genfs but also has setxattr handler*/
405         if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
406                 sbsec->flags |= SE_SBLABELSUPP;
407
408         /* Initialize the root inode. */
409         rc = inode_doinit_with_dentry(root_inode, root);
410
411         /* Initialize any other inodes associated with the superblock, e.g.
412            inodes created prior to initial policy load or inodes created
413            during get_sb by a pseudo filesystem that directly
414            populates itself. */
415         spin_lock(&sbsec->isec_lock);
416 next_inode:
417         if (!list_empty(&sbsec->isec_head)) {
418                 struct inode_security_struct *isec =
419                                 list_entry(sbsec->isec_head.next,
420                                            struct inode_security_struct, list);
421                 struct inode *inode = isec->inode;
422                 spin_unlock(&sbsec->isec_lock);
423                 inode = igrab(inode);
424                 if (inode) {
425                         if (!IS_PRIVATE(inode))
426                                 inode_doinit(inode);
427                         iput(inode);
428                 }
429                 spin_lock(&sbsec->isec_lock);
430                 list_del_init(&isec->list);
431                 goto next_inode;
432         }
433         spin_unlock(&sbsec->isec_lock);
434 out:
435         return rc;
436 }
437
438 /*
439  * This function should allow an FS to ask what it's mount security
440  * options were so it can use those later for submounts, displaying
441  * mount options, or whatever.
442  */
443 static int selinux_get_mnt_opts(const struct super_block *sb,
444                                 struct security_mnt_opts *opts)
445 {
446         int rc = 0, i;
447         struct superblock_security_struct *sbsec = sb->s_security;
448         char *context = NULL;
449         u32 len;
450         char tmp;
451
452         security_init_mnt_opts(opts);
453
454         if (!(sbsec->flags & SE_SBINITIALIZED))
455                 return -EINVAL;
456
457         if (!ss_initialized)
458                 return -EINVAL;
459
460         tmp = sbsec->flags & SE_MNTMASK;
461         /* count the number of mount options for this sb */
462         for (i = 0; i < 8; i++) {
463                 if (tmp & 0x01)
464                         opts->num_mnt_opts++;
465                 tmp >>= 1;
466         }
467         /* Check if the Label support flag is set */
468         if (sbsec->flags & SE_SBLABELSUPP)
469                 opts->num_mnt_opts++;
470
471         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
472         if (!opts->mnt_opts) {
473                 rc = -ENOMEM;
474                 goto out_free;
475         }
476
477         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
478         if (!opts->mnt_opts_flags) {
479                 rc = -ENOMEM;
480                 goto out_free;
481         }
482
483         i = 0;
484         if (sbsec->flags & FSCONTEXT_MNT) {
485                 rc = security_sid_to_context(sbsec->sid, &context, &len);
486                 if (rc)
487                         goto out_free;
488                 opts->mnt_opts[i] = context;
489                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
490         }
491         if (sbsec->flags & CONTEXT_MNT) {
492                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
493                 if (rc)
494                         goto out_free;
495                 opts->mnt_opts[i] = context;
496                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
497         }
498         if (sbsec->flags & DEFCONTEXT_MNT) {
499                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
500                 if (rc)
501                         goto out_free;
502                 opts->mnt_opts[i] = context;
503                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
504         }
505         if (sbsec->flags & ROOTCONTEXT_MNT) {
506                 struct inode *root = sbsec->sb->s_root->d_inode;
507                 struct inode_security_struct *isec = root->i_security;
508
509                 rc = security_sid_to_context(isec->sid, &context, &len);
510                 if (rc)
511                         goto out_free;
512                 opts->mnt_opts[i] = context;
513                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
514         }
515         if (sbsec->flags & SE_SBLABELSUPP) {
516                 opts->mnt_opts[i] = NULL;
517                 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
518         }
519
520         BUG_ON(i != opts->num_mnt_opts);
521
522         return 0;
523
524 out_free:
525         security_free_mnt_opts(opts);
526         return rc;
527 }
528
529 static int bad_option(struct superblock_security_struct *sbsec, char flag,
530                       u32 old_sid, u32 new_sid)
531 {
532         char mnt_flags = sbsec->flags & SE_MNTMASK;
533
534         /* check if the old mount command had the same options */
535         if (sbsec->flags & SE_SBINITIALIZED)
536                 if (!(sbsec->flags & flag) ||
537                     (old_sid != new_sid))
538                         return 1;
539
540         /* check if we were passed the same options twice,
541          * aka someone passed context=a,context=b
542          */
543         if (!(sbsec->flags & SE_SBINITIALIZED))
544                 if (mnt_flags & flag)
545                         return 1;
546         return 0;
547 }
548
549 /*
550  * Allow filesystems with binary mount data to explicitly set mount point
551  * labeling information.
552  */
553 static int selinux_set_mnt_opts(struct super_block *sb,
554                                 struct security_mnt_opts *opts)
555 {
556         const struct cred *cred = current_cred();
557         int rc = 0, i;
558         struct superblock_security_struct *sbsec = sb->s_security;
559         const char *name = sb->s_type->name;
560         struct inode *inode = sbsec->sb->s_root->d_inode;
561         struct inode_security_struct *root_isec = inode->i_security;
562         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
563         u32 defcontext_sid = 0;
564         char **mount_options = opts->mnt_opts;
565         int *flags = opts->mnt_opts_flags;
566         int num_opts = opts->num_mnt_opts;
567
568         mutex_lock(&sbsec->lock);
569
570         if (!ss_initialized) {
571                 if (!num_opts) {
572                         /* Defer initialization until selinux_complete_init,
573                            after the initial policy is loaded and the security
574                            server is ready to handle calls. */
575                         goto out;
576                 }
577                 rc = -EINVAL;
578                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
579                         "before the security server is initialized\n");
580                 goto out;
581         }
582
583         /*
584          * Binary mount data FS will come through this function twice.  Once
585          * from an explicit call and once from the generic calls from the vfs.
586          * Since the generic VFS calls will not contain any security mount data
587          * we need to skip the double mount verification.
588          *
589          * This does open a hole in which we will not notice if the first
590          * mount using this sb set explict options and a second mount using
591          * this sb does not set any security options.  (The first options
592          * will be used for both mounts)
593          */
594         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
595             && (num_opts == 0))
596                 goto out;
597
598         /*
599          * parse the mount options, check if they are valid sids.
600          * also check if someone is trying to mount the same sb more
601          * than once with different security options.
602          */
603         for (i = 0; i < num_opts; i++) {
604                 u32 sid;
605
606                 if (flags[i] == SE_SBLABELSUPP)
607                         continue;
608                 rc = security_context_to_sid(mount_options[i],
609                                              strlen(mount_options[i]), &sid);
610                 if (rc) {
611                         printk(KERN_WARNING "SELinux: security_context_to_sid"
612                                "(%s) failed for (dev %s, type %s) errno=%d\n",
613                                mount_options[i], sb->s_id, name, rc);
614                         goto out;
615                 }
616                 switch (flags[i]) {
617                 case FSCONTEXT_MNT:
618                         fscontext_sid = sid;
619
620                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
621                                         fscontext_sid))
622                                 goto out_double_mount;
623
624                         sbsec->flags |= FSCONTEXT_MNT;
625                         break;
626                 case CONTEXT_MNT:
627                         context_sid = sid;
628
629                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
630                                         context_sid))
631                                 goto out_double_mount;
632
633                         sbsec->flags |= CONTEXT_MNT;
634                         break;
635                 case ROOTCONTEXT_MNT:
636                         rootcontext_sid = sid;
637
638                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
639                                         rootcontext_sid))
640                                 goto out_double_mount;
641
642                         sbsec->flags |= ROOTCONTEXT_MNT;
643
644                         break;
645                 case DEFCONTEXT_MNT:
646                         defcontext_sid = sid;
647
648                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
649                                         defcontext_sid))
650                                 goto out_double_mount;
651
652                         sbsec->flags |= DEFCONTEXT_MNT;
653
654                         break;
655                 default:
656                         rc = -EINVAL;
657                         goto out;
658                 }
659         }
660
661         if (sbsec->flags & SE_SBINITIALIZED) {
662                 /* previously mounted with options, but not on this attempt? */
663                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
664                         goto out_double_mount;
665                 rc = 0;
666                 goto out;
667         }
668
669         if (strcmp(sb->s_type->name, "proc") == 0)
670                 sbsec->flags |= SE_SBPROC;
671
672         /* Determine the labeling behavior to use for this filesystem type. */
673         rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
674         if (rc) {
675                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
676                        __func__, sb->s_type->name, rc);
677                 goto out;
678         }
679
680         /* sets the context of the superblock for the fs being mounted. */
681         if (fscontext_sid) {
682                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
683                 if (rc)
684                         goto out;
685
686                 sbsec->sid = fscontext_sid;
687         }
688
689         /*
690          * Switch to using mount point labeling behavior.
691          * sets the label used on all file below the mountpoint, and will set
692          * the superblock context if not already set.
693          */
694         if (context_sid) {
695                 if (!fscontext_sid) {
696                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
697                                                           cred);
698                         if (rc)
699                                 goto out;
700                         sbsec->sid = context_sid;
701                 } else {
702                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
703                                                              cred);
704                         if (rc)
705                                 goto out;
706                 }
707                 if (!rootcontext_sid)
708                         rootcontext_sid = context_sid;
709
710                 sbsec->mntpoint_sid = context_sid;
711                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
712         }
713
714         if (rootcontext_sid) {
715                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
716                                                      cred);
717                 if (rc)
718                         goto out;
719
720                 root_isec->sid = rootcontext_sid;
721                 root_isec->initialized = 1;
722         }
723
724         if (defcontext_sid) {
725                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
726                         rc = -EINVAL;
727                         printk(KERN_WARNING "SELinux: defcontext option is "
728                                "invalid for this filesystem type\n");
729                         goto out;
730                 }
731
732                 if (defcontext_sid != sbsec->def_sid) {
733                         rc = may_context_mount_inode_relabel(defcontext_sid,
734                                                              sbsec, cred);
735                         if (rc)
736                                 goto out;
737                 }
738
739                 sbsec->def_sid = defcontext_sid;
740         }
741
742         rc = sb_finish_set_opts(sb);
743 out:
744         mutex_unlock(&sbsec->lock);
745         return rc;
746 out_double_mount:
747         rc = -EINVAL;
748         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
749                "security settings for (dev %s, type %s)\n", sb->s_id, name);
750         goto out;
751 }
752
753 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
754                                         struct super_block *newsb)
755 {
756         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
757         struct superblock_security_struct *newsbsec = newsb->s_security;
758
759         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
760         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
761         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
762
763         /*
764          * if the parent was able to be mounted it clearly had no special lsm
765          * mount options.  thus we can safely deal with this superblock later
766          */
767         if (!ss_initialized)
768                 return;
769
770         /* how can we clone if the old one wasn't set up?? */
771         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
772
773         /* if fs is reusing a sb, just let its options stand... */
774         if (newsbsec->flags & SE_SBINITIALIZED)
775                 return;
776
777         mutex_lock(&newsbsec->lock);
778
779         newsbsec->flags = oldsbsec->flags;
780
781         newsbsec->sid = oldsbsec->sid;
782         newsbsec->def_sid = oldsbsec->def_sid;
783         newsbsec->behavior = oldsbsec->behavior;
784
785         if (set_context) {
786                 u32 sid = oldsbsec->mntpoint_sid;
787
788                 if (!set_fscontext)
789                         newsbsec->sid = sid;
790                 if (!set_rootcontext) {
791                         struct inode *newinode = newsb->s_root->d_inode;
792                         struct inode_security_struct *newisec = newinode->i_security;
793                         newisec->sid = sid;
794                 }
795                 newsbsec->mntpoint_sid = sid;
796         }
797         if (set_rootcontext) {
798                 const struct inode *oldinode = oldsb->s_root->d_inode;
799                 const struct inode_security_struct *oldisec = oldinode->i_security;
800                 struct inode *newinode = newsb->s_root->d_inode;
801                 struct inode_security_struct *newisec = newinode->i_security;
802
803                 newisec->sid = oldisec->sid;
804         }
805
806         sb_finish_set_opts(newsb);
807         mutex_unlock(&newsbsec->lock);
808 }
809
810 static int selinux_parse_opts_str(char *options,
811                                   struct security_mnt_opts *opts)
812 {
813         char *p;
814         char *context = NULL, *defcontext = NULL;
815         char *fscontext = NULL, *rootcontext = NULL;
816         int rc, num_mnt_opts = 0;
817
818         opts->num_mnt_opts = 0;
819
820         /* Standard string-based options. */
821         while ((p = strsep(&options, "|")) != NULL) {
822                 int token;
823                 substring_t args[MAX_OPT_ARGS];
824
825                 if (!*p)
826                         continue;
827
828                 token = match_token(p, tokens, args);
829
830                 switch (token) {
831                 case Opt_context:
832                         if (context || defcontext) {
833                                 rc = -EINVAL;
834                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
835                                 goto out_err;
836                         }
837                         context = match_strdup(&args[0]);
838                         if (!context) {
839                                 rc = -ENOMEM;
840                                 goto out_err;
841                         }
842                         break;
843
844                 case Opt_fscontext:
845                         if (fscontext) {
846                                 rc = -EINVAL;
847                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
848                                 goto out_err;
849                         }
850                         fscontext = match_strdup(&args[0]);
851                         if (!fscontext) {
852                                 rc = -ENOMEM;
853                                 goto out_err;
854                         }
855                         break;
856
857                 case Opt_rootcontext:
858                         if (rootcontext) {
859                                 rc = -EINVAL;
860                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
861                                 goto out_err;
862                         }
863                         rootcontext = match_strdup(&args[0]);
864                         if (!rootcontext) {
865                                 rc = -ENOMEM;
866                                 goto out_err;
867                         }
868                         break;
869
870                 case Opt_defcontext:
871                         if (context || defcontext) {
872                                 rc = -EINVAL;
873                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
874                                 goto out_err;
875                         }
876                         defcontext = match_strdup(&args[0]);
877                         if (!defcontext) {
878                                 rc = -ENOMEM;
879                                 goto out_err;
880                         }
881                         break;
882                 case Opt_labelsupport:
883                         break;
884                 default:
885                         rc = -EINVAL;
886                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
887                         goto out_err;
888
889                 }
890         }
891
892         rc = -ENOMEM;
893         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
894         if (!opts->mnt_opts)
895                 goto out_err;
896
897         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
898         if (!opts->mnt_opts_flags) {
899                 kfree(opts->mnt_opts);
900                 goto out_err;
901         }
902
903         if (fscontext) {
904                 opts->mnt_opts[num_mnt_opts] = fscontext;
905                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
906         }
907         if (context) {
908                 opts->mnt_opts[num_mnt_opts] = context;
909                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
910         }
911         if (rootcontext) {
912                 opts->mnt_opts[num_mnt_opts] = rootcontext;
913                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
914         }
915         if (defcontext) {
916                 opts->mnt_opts[num_mnt_opts] = defcontext;
917                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
918         }
919
920         opts->num_mnt_opts = num_mnt_opts;
921         return 0;
922
923 out_err:
924         kfree(context);
925         kfree(defcontext);
926         kfree(fscontext);
927         kfree(rootcontext);
928         return rc;
929 }
930 /*
931  * string mount options parsing and call set the sbsec
932  */
933 static int superblock_doinit(struct super_block *sb, void *data)
934 {
935         int rc = 0;
936         char *options = data;
937         struct security_mnt_opts opts;
938
939         security_init_mnt_opts(&opts);
940
941         if (!data)
942                 goto out;
943
944         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
945
946         rc = selinux_parse_opts_str(options, &opts);
947         if (rc)
948                 goto out_err;
949
950 out:
951         rc = selinux_set_mnt_opts(sb, &opts);
952
953 out_err:
954         security_free_mnt_opts(&opts);
955         return rc;
956 }
957
958 static void selinux_write_opts(struct seq_file *m,
959                                struct security_mnt_opts *opts)
960 {
961         int i;
962         char *prefix;
963
964         for (i = 0; i < opts->num_mnt_opts; i++) {
965                 char *has_comma;
966
967                 if (opts->mnt_opts[i])
968                         has_comma = strchr(opts->mnt_opts[i], ',');
969                 else
970                         has_comma = NULL;
971
972                 switch (opts->mnt_opts_flags[i]) {
973                 case CONTEXT_MNT:
974                         prefix = CONTEXT_STR;
975                         break;
976                 case FSCONTEXT_MNT:
977                         prefix = FSCONTEXT_STR;
978                         break;
979                 case ROOTCONTEXT_MNT:
980                         prefix = ROOTCONTEXT_STR;
981                         break;
982                 case DEFCONTEXT_MNT:
983                         prefix = DEFCONTEXT_STR;
984                         break;
985                 case SE_SBLABELSUPP:
986                         seq_putc(m, ',');
987                         seq_puts(m, LABELSUPP_STR);
988                         continue;
989                 default:
990                         BUG();
991                         return;
992                 };
993                 /* we need a comma before each option */
994                 seq_putc(m, ',');
995                 seq_puts(m, prefix);
996                 if (has_comma)
997                         seq_putc(m, '\"');
998                 seq_puts(m, opts->mnt_opts[i]);
999                 if (has_comma)
1000                         seq_putc(m, '\"');
1001         }
1002 }
1003
1004 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1005 {
1006         struct security_mnt_opts opts;
1007         int rc;
1008
1009         rc = selinux_get_mnt_opts(sb, &opts);
1010         if (rc) {
1011                 /* before policy load we may get EINVAL, don't show anything */
1012                 if (rc == -EINVAL)
1013                         rc = 0;
1014                 return rc;
1015         }
1016
1017         selinux_write_opts(m, &opts);
1018
1019         security_free_mnt_opts(&opts);
1020
1021         return rc;
1022 }
1023
1024 static inline u16 inode_mode_to_security_class(umode_t mode)
1025 {
1026         switch (mode & S_IFMT) {
1027         case S_IFSOCK:
1028                 return SECCLASS_SOCK_FILE;
1029         case S_IFLNK:
1030                 return SECCLASS_LNK_FILE;
1031         case S_IFREG:
1032                 return SECCLASS_FILE;
1033         case S_IFBLK:
1034                 return SECCLASS_BLK_FILE;
1035         case S_IFDIR:
1036                 return SECCLASS_DIR;
1037         case S_IFCHR:
1038                 return SECCLASS_CHR_FILE;
1039         case S_IFIFO:
1040                 return SECCLASS_FIFO_FILE;
1041
1042         }
1043
1044         return SECCLASS_FILE;
1045 }
1046
1047 static inline int default_protocol_stream(int protocol)
1048 {
1049         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1050 }
1051
1052 static inline int default_protocol_dgram(int protocol)
1053 {
1054         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1055 }
1056
1057 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1058 {
1059         switch (family) {
1060         case PF_UNIX:
1061                 switch (type) {
1062                 case SOCK_STREAM:
1063                 case SOCK_SEQPACKET:
1064                         return SECCLASS_UNIX_STREAM_SOCKET;
1065                 case SOCK_DGRAM:
1066                         return SECCLASS_UNIX_DGRAM_SOCKET;
1067                 }
1068                 break;
1069         case PF_INET:
1070         case PF_INET6:
1071                 switch (type) {
1072                 case SOCK_STREAM:
1073                         if (default_protocol_stream(protocol))
1074                                 return SECCLASS_TCP_SOCKET;
1075                         else
1076                                 return SECCLASS_RAWIP_SOCKET;
1077                 case SOCK_DGRAM:
1078                         if (default_protocol_dgram(protocol))
1079                                 return SECCLASS_UDP_SOCKET;
1080                         else
1081                                 return SECCLASS_RAWIP_SOCKET;
1082                 case SOCK_DCCP:
1083                         return SECCLASS_DCCP_SOCKET;
1084                 default:
1085                         return SECCLASS_RAWIP_SOCKET;
1086                 }
1087                 break;
1088         case PF_NETLINK:
1089                 switch (protocol) {
1090                 case NETLINK_ROUTE:
1091                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1092                 case NETLINK_FIREWALL:
1093                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1094                 case NETLINK_SOCK_DIAG:
1095                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1096                 case NETLINK_NFLOG:
1097                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1098                 case NETLINK_XFRM:
1099                         return SECCLASS_NETLINK_XFRM_SOCKET;
1100                 case NETLINK_SELINUX:
1101                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1102                 case NETLINK_AUDIT:
1103                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1104                 case NETLINK_IP6_FW:
1105                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1106                 case NETLINK_DNRTMSG:
1107                         return SECCLASS_NETLINK_DNRT_SOCKET;
1108                 case NETLINK_KOBJECT_UEVENT:
1109                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1110                 default:
1111                         return SECCLASS_NETLINK_SOCKET;
1112                 }
1113         case PF_PACKET:
1114                 return SECCLASS_PACKET_SOCKET;
1115         case PF_KEY:
1116                 return SECCLASS_KEY_SOCKET;
1117         case PF_APPLETALK:
1118                 return SECCLASS_APPLETALK_SOCKET;
1119         }
1120
1121         return SECCLASS_SOCKET;
1122 }
1123
1124 #ifdef CONFIG_PROC_FS
1125 static int selinux_proc_get_sid(struct dentry *dentry,
1126                                 u16 tclass,
1127                                 u32 *sid)
1128 {
1129         int rc;
1130         char *buffer, *path;
1131
1132         buffer = (char *)__get_free_page(GFP_KERNEL);
1133         if (!buffer)
1134                 return -ENOMEM;
1135
1136         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1137         if (IS_ERR(path))
1138                 rc = PTR_ERR(path);
1139         else {
1140                 /* each process gets a /proc/PID/ entry. Strip off the
1141                  * PID part to get a valid selinux labeling.
1142                  * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1143                 while (path[1] >= '0' && path[1] <= '9') {
1144                         path[1] = '/';
1145                         path++;
1146                 }
1147                 rc = security_genfs_sid("proc", path, tclass, sid);
1148         }
1149         free_page((unsigned long)buffer);
1150         return rc;
1151 }
1152 #else
1153 static int selinux_proc_get_sid(struct dentry *dentry,
1154                                 u16 tclass,
1155                                 u32 *sid)
1156 {
1157         return -EINVAL;
1158 }
1159 #endif
1160
1161 /* The inode's security attributes must be initialized before first use. */
1162 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1163 {
1164         struct superblock_security_struct *sbsec = NULL;
1165         struct inode_security_struct *isec = inode->i_security;
1166         u32 sid;
1167         struct dentry *dentry;
1168 #define INITCONTEXTLEN 255
1169         char *context = NULL;
1170         unsigned len = 0;
1171         int rc = 0;
1172
1173         if (isec->initialized)
1174                 goto out;
1175
1176         mutex_lock(&isec->lock);
1177         if (isec->initialized)
1178                 goto out_unlock;
1179
1180         sbsec = inode->i_sb->s_security;
1181         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1182                 /* Defer initialization until selinux_complete_init,
1183                    after the initial policy is loaded and the security
1184                    server is ready to handle calls. */
1185                 spin_lock(&sbsec->isec_lock);
1186                 if (list_empty(&isec->list))
1187                         list_add(&isec->list, &sbsec->isec_head);
1188                 spin_unlock(&sbsec->isec_lock);
1189                 goto out_unlock;
1190         }
1191
1192         switch (sbsec->behavior) {
1193         case SECURITY_FS_USE_XATTR:
1194                 if (!inode->i_op->getxattr) {
1195                         isec->sid = sbsec->def_sid;
1196                         break;
1197                 }
1198
1199                 /* Need a dentry, since the xattr API requires one.
1200                    Life would be simpler if we could just pass the inode. */
1201                 if (opt_dentry) {
1202                         /* Called from d_instantiate or d_splice_alias. */
1203                         dentry = dget(opt_dentry);
1204                 } else {
1205                         /* Called from selinux_complete_init, try to find a dentry. */
1206                         dentry = d_find_alias(inode);
1207                 }
1208                 if (!dentry) {
1209                         /*
1210                          * this is can be hit on boot when a file is accessed
1211                          * before the policy is loaded.  When we load policy we
1212                          * may find inodes that have no dentry on the
1213                          * sbsec->isec_head list.  No reason to complain as these
1214                          * will get fixed up the next time we go through
1215                          * inode_doinit with a dentry, before these inodes could
1216                          * be used again by userspace.
1217                          */
1218                         goto out_unlock;
1219                 }
1220
1221                 len = INITCONTEXTLEN;
1222                 context = kmalloc(len+1, GFP_NOFS);
1223                 if (!context) {
1224                         rc = -ENOMEM;
1225                         dput(dentry);
1226                         goto out_unlock;
1227                 }
1228                 context[len] = '\0';
1229                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1230                                            context, len);
1231                 if (rc == -ERANGE) {
1232                         kfree(context);
1233
1234                         /* Need a larger buffer.  Query for the right size. */
1235                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1236                                                    NULL, 0);
1237                         if (rc < 0) {
1238                                 dput(dentry);
1239                                 goto out_unlock;
1240                         }
1241                         len = rc;
1242                         context = kmalloc(len+1, GFP_NOFS);
1243                         if (!context) {
1244                                 rc = -ENOMEM;
1245                                 dput(dentry);
1246                                 goto out_unlock;
1247                         }
1248                         context[len] = '\0';
1249                         rc = inode->i_op->getxattr(dentry,
1250                                                    XATTR_NAME_SELINUX,
1251                                                    context, len);
1252                 }
1253                 dput(dentry);
1254                 if (rc < 0) {
1255                         if (rc != -ENODATA) {
1256                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1257                                        "%d for dev=%s ino=%ld\n", __func__,
1258                                        -rc, inode->i_sb->s_id, inode->i_ino);
1259                                 kfree(context);
1260                                 goto out_unlock;
1261                         }
1262                         /* Map ENODATA to the default file SID */
1263                         sid = sbsec->def_sid;
1264                         rc = 0;
1265                 } else {
1266                         rc = security_context_to_sid_default(context, rc, &sid,
1267                                                              sbsec->def_sid,
1268                                                              GFP_NOFS);
1269                         if (rc) {
1270                                 char *dev = inode->i_sb->s_id;
1271                                 unsigned long ino = inode->i_ino;
1272
1273                                 if (rc == -EINVAL) {
1274                                         if (printk_ratelimit())
1275                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1276                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1277                                                         "filesystem in question.\n", ino, dev, context);
1278                                 } else {
1279                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1280                                                "returned %d for dev=%s ino=%ld\n",
1281                                                __func__, context, -rc, dev, ino);
1282                                 }
1283                                 kfree(context);
1284                                 /* Leave with the unlabeled SID */
1285                                 rc = 0;
1286                                 break;
1287                         }
1288                 }
1289                 kfree(context);
1290                 isec->sid = sid;
1291                 break;
1292         case SECURITY_FS_USE_TASK:
1293                 isec->sid = isec->task_sid;
1294                 break;
1295         case SECURITY_FS_USE_TRANS:
1296                 /* Default to the fs SID. */
1297                 isec->sid = sbsec->sid;
1298
1299                 /* Try to obtain a transition SID. */
1300                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1301                 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1302                                              isec->sclass, NULL, &sid);
1303                 if (rc)
1304                         goto out_unlock;
1305                 isec->sid = sid;
1306                 break;
1307         case SECURITY_FS_USE_MNTPOINT:
1308                 isec->sid = sbsec->mntpoint_sid;
1309                 break;
1310         default:
1311                 /* Default to the fs superblock SID. */
1312                 isec->sid = sbsec->sid;
1313
1314                 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1315                         if (opt_dentry) {
1316                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1317                                 rc = selinux_proc_get_sid(opt_dentry,
1318                                                           isec->sclass,
1319                                                           &sid);
1320                                 if (rc)
1321                                         goto out_unlock;
1322                                 isec->sid = sid;
1323                         }
1324                 }
1325                 break;
1326         }
1327
1328         isec->initialized = 1;
1329
1330 out_unlock:
1331         mutex_unlock(&isec->lock);
1332 out:
1333         if (isec->sclass == SECCLASS_FILE)
1334                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1335         return rc;
1336 }
1337
1338 /* Convert a Linux signal to an access vector. */
1339 static inline u32 signal_to_av(int sig)
1340 {
1341         u32 perm = 0;
1342
1343         switch (sig) {
1344         case SIGCHLD:
1345                 /* Commonly granted from child to parent. */
1346                 perm = PROCESS__SIGCHLD;
1347                 break;
1348         case SIGKILL:
1349                 /* Cannot be caught or ignored */
1350                 perm = PROCESS__SIGKILL;
1351                 break;
1352         case SIGSTOP:
1353                 /* Cannot be caught or ignored */
1354                 perm = PROCESS__SIGSTOP;
1355                 break;
1356         default:
1357                 /* All other signals. */
1358                 perm = PROCESS__SIGNAL;
1359                 break;
1360         }
1361
1362         return perm;
1363 }
1364
1365 /*
1366  * Check permission between a pair of credentials
1367  * fork check, ptrace check, etc.
1368  */
1369 static int cred_has_perm(const struct cred *actor,
1370                          const struct cred *target,
1371                          u32 perms)
1372 {
1373         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1374
1375         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1376 }
1377
1378 /*
1379  * Check permission between a pair of tasks, e.g. signal checks,
1380  * fork check, ptrace check, etc.
1381  * tsk1 is the actor and tsk2 is the target
1382  * - this uses the default subjective creds of tsk1
1383  */
1384 static int task_has_perm(const struct task_struct *tsk1,
1385                          const struct task_struct *tsk2,
1386                          u32 perms)
1387 {
1388         const struct task_security_struct *__tsec1, *__tsec2;
1389         u32 sid1, sid2;
1390
1391         rcu_read_lock();
1392         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1393         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1394         rcu_read_unlock();
1395         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1396 }
1397
1398 /*
1399  * Check permission between current and another task, e.g. signal checks,
1400  * fork check, ptrace check, etc.
1401  * current is the actor and tsk2 is the target
1402  * - this uses current's subjective creds
1403  */
1404 static int current_has_perm(const struct task_struct *tsk,
1405                             u32 perms)
1406 {
1407         u32 sid, tsid;
1408
1409         sid = current_sid();
1410         tsid = task_sid(tsk);
1411         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1412 }
1413
1414 #if CAP_LAST_CAP > 63
1415 #error Fix SELinux to handle capabilities > 63.
1416 #endif
1417
1418 /* Check whether a task is allowed to use a capability. */
1419 static int cred_has_capability(const struct cred *cred,
1420                                int cap, int audit)
1421 {
1422         struct common_audit_data ad;
1423         struct selinux_audit_data sad = {0,};
1424         struct av_decision avd;
1425         u16 sclass;
1426         u32 sid = cred_sid(cred);
1427         u32 av = CAP_TO_MASK(cap);
1428         int rc;
1429
1430         COMMON_AUDIT_DATA_INIT(&ad, CAP);
1431         ad.selinux_audit_data = &sad;
1432         ad.tsk = current;
1433         ad.u.cap = cap;
1434
1435         switch (CAP_TO_INDEX(cap)) {
1436         case 0:
1437                 sclass = SECCLASS_CAPABILITY;
1438                 break;
1439         case 1:
1440                 sclass = SECCLASS_CAPABILITY2;
1441                 break;
1442         default:
1443                 printk(KERN_ERR
1444                        "SELinux:  out of range capability %d\n", cap);
1445                 BUG();
1446                 return -EINVAL;
1447         }
1448
1449         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1450         if (audit == SECURITY_CAP_AUDIT) {
1451                 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1452                 if (rc2)
1453                         return rc2;
1454         }
1455         return rc;
1456 }
1457
1458 /* Check whether a task is allowed to use a system operation. */
1459 static int task_has_system(struct task_struct *tsk,
1460                            u32 perms)
1461 {
1462         u32 sid = task_sid(tsk);
1463
1464         return avc_has_perm(sid, SECINITSID_KERNEL,
1465                             SECCLASS_SYSTEM, perms, NULL);
1466 }
1467
1468 /* Check whether a task has a particular permission to an inode.
1469    The 'adp' parameter is optional and allows other audit
1470    data to be passed (e.g. the dentry). */
1471 static int inode_has_perm(const struct cred *cred,
1472                           struct inode *inode,
1473                           u32 perms,
1474                           struct common_audit_data *adp,
1475                           unsigned flags)
1476 {
1477         struct inode_security_struct *isec;
1478         u32 sid;
1479
1480         validate_creds(cred);
1481
1482         if (unlikely(IS_PRIVATE(inode)))
1483                 return 0;
1484
1485         sid = cred_sid(cred);
1486         isec = inode->i_security;
1487
1488         return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1489 }
1490
1491 static int inode_has_perm_noadp(const struct cred *cred,
1492                                 struct inode *inode,
1493                                 u32 perms,
1494                                 unsigned flags)
1495 {
1496         struct common_audit_data ad;
1497         struct selinux_audit_data sad = {0,};
1498
1499         COMMON_AUDIT_DATA_INIT(&ad, INODE);
1500         ad.u.inode = inode;
1501         ad.selinux_audit_data = &sad;
1502         return inode_has_perm(cred, inode, perms, &ad, flags);
1503 }
1504
1505 /* Same as inode_has_perm, but pass explicit audit data containing
1506    the dentry to help the auditing code to more easily generate the
1507    pathname if needed. */
1508 static inline int dentry_has_perm(const struct cred *cred,
1509                                   struct dentry *dentry,
1510                                   u32 av)
1511 {
1512         struct inode *inode = dentry->d_inode;
1513         struct common_audit_data ad;
1514         struct selinux_audit_data sad = {0,};
1515
1516         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1517         ad.u.dentry = dentry;
1518         ad.selinux_audit_data = &sad;
1519         return inode_has_perm(cred, inode, av, &ad, 0);
1520 }
1521
1522 /* Same as inode_has_perm, but pass explicit audit data containing
1523    the path to help the auditing code to more easily generate the
1524    pathname if needed. */
1525 static inline int path_has_perm(const struct cred *cred,
1526                                 struct path *path,
1527                                 u32 av)
1528 {
1529         struct inode *inode = path->dentry->d_inode;
1530         struct common_audit_data ad;
1531         struct selinux_audit_data sad = {0,};
1532
1533         COMMON_AUDIT_DATA_INIT(&ad, PATH);
1534         ad.u.path = *path;
1535         ad.selinux_audit_data = &sad;
1536         return inode_has_perm(cred, inode, av, &ad, 0);
1537 }
1538
1539 /* Check whether a task can use an open file descriptor to
1540    access an inode in a given way.  Check access to the
1541    descriptor itself, and then use dentry_has_perm to
1542    check a particular permission to the file.
1543    Access to the descriptor is implicitly granted if it
1544    has the same SID as the process.  If av is zero, then
1545    access to the file is not checked, e.g. for cases
1546    where only the descriptor is affected like seek. */
1547 static int file_has_perm(const struct cred *cred,
1548                          struct file *file,
1549                          u32 av)
1550 {
1551         struct file_security_struct *fsec = file->f_security;
1552         struct inode *inode = file->f_path.dentry->d_inode;
1553         struct common_audit_data ad;
1554         struct selinux_audit_data sad = {0,};
1555         u32 sid = cred_sid(cred);
1556         int rc;
1557
1558         COMMON_AUDIT_DATA_INIT(&ad, PATH);
1559         ad.u.path = file->f_path;
1560         ad.selinux_audit_data = &sad;
1561
1562         if (sid != fsec->sid) {
1563                 rc = avc_has_perm(sid, fsec->sid,
1564                                   SECCLASS_FD,
1565                                   FD__USE,
1566                                   &ad);
1567                 if (rc)
1568                         goto out;
1569         }
1570
1571         /* av is zero if only checking access to the descriptor. */
1572         rc = 0;
1573         if (av)
1574                 rc = inode_has_perm(cred, inode, av, &ad, 0);
1575
1576 out:
1577         return rc;
1578 }
1579
1580 /* Check whether a task can create a file. */
1581 static int may_create(struct inode *dir,
1582                       struct dentry *dentry,
1583                       u16 tclass)
1584 {
1585         const struct task_security_struct *tsec = current_security();
1586         struct inode_security_struct *dsec;
1587         struct superblock_security_struct *sbsec;
1588         u32 sid, newsid;
1589         struct common_audit_data ad;
1590         struct selinux_audit_data sad = {0,};
1591         int rc;
1592
1593         dsec = dir->i_security;
1594         sbsec = dir->i_sb->s_security;
1595
1596         sid = tsec->sid;
1597         newsid = tsec->create_sid;
1598
1599         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1600         ad.u.dentry = dentry;
1601         ad.selinux_audit_data = &sad;
1602
1603         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1604                           DIR__ADD_NAME | DIR__SEARCH,
1605                           &ad);
1606         if (rc)
1607                 return rc;
1608
1609         if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1610                 rc = security_transition_sid(sid, dsec->sid, tclass,
1611                                              &dentry->d_name, &newsid);
1612                 if (rc)
1613                         return rc;
1614         }
1615
1616         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1617         if (rc)
1618                 return rc;
1619
1620         return avc_has_perm(newsid, sbsec->sid,
1621                             SECCLASS_FILESYSTEM,
1622                             FILESYSTEM__ASSOCIATE, &ad);
1623 }
1624
1625 /* Check whether a task can create a key. */
1626 static int may_create_key(u32 ksid,
1627                           struct task_struct *ctx)
1628 {
1629         u32 sid = task_sid(ctx);
1630
1631         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1632 }
1633
1634 #define MAY_LINK        0
1635 #define MAY_UNLINK      1
1636 #define MAY_RMDIR       2
1637
1638 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1639 static int may_link(struct inode *dir,
1640                     struct dentry *dentry,
1641                     int kind)
1642
1643 {
1644         struct inode_security_struct *dsec, *isec;
1645         struct common_audit_data ad;
1646         struct selinux_audit_data sad = {0,};
1647         u32 sid = current_sid();
1648         u32 av;
1649         int rc;
1650
1651         dsec = dir->i_security;
1652         isec = dentry->d_inode->i_security;
1653
1654         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1655         ad.u.dentry = dentry;
1656         ad.selinux_audit_data = &sad;
1657
1658         av = DIR__SEARCH;
1659         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1660         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1661         if (rc)
1662                 return rc;
1663
1664         switch (kind) {
1665         case MAY_LINK:
1666                 av = FILE__LINK;
1667                 break;
1668         case MAY_UNLINK:
1669                 av = FILE__UNLINK;
1670                 break;
1671         case MAY_RMDIR:
1672                 av = DIR__RMDIR;
1673                 break;
1674         default:
1675                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1676                         __func__, kind);
1677                 return 0;
1678         }
1679
1680         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1681         return rc;
1682 }
1683
1684 static inline int may_rename(struct inode *old_dir,
1685                              struct dentry *old_dentry,
1686                              struct inode *new_dir,
1687                              struct dentry *new_dentry)
1688 {
1689         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1690         struct common_audit_data ad;
1691         struct selinux_audit_data sad = {0,};
1692         u32 sid = current_sid();
1693         u32 av;
1694         int old_is_dir, new_is_dir;
1695         int rc;
1696
1697         old_dsec = old_dir->i_security;
1698         old_isec = old_dentry->d_inode->i_security;
1699         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1700         new_dsec = new_dir->i_security;
1701
1702         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1703         ad.selinux_audit_data = &sad;
1704
1705         ad.u.dentry = old_dentry;
1706         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1707                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1708         if (rc)
1709                 return rc;
1710         rc = avc_has_perm(sid, old_isec->sid,
1711                           old_isec->sclass, FILE__RENAME, &ad);
1712         if (rc)
1713                 return rc;
1714         if (old_is_dir && new_dir != old_dir) {
1715                 rc = avc_has_perm(sid, old_isec->sid,
1716                                   old_isec->sclass, DIR__REPARENT, &ad);
1717                 if (rc)
1718                         return rc;
1719         }
1720
1721         ad.u.dentry = new_dentry;
1722         av = DIR__ADD_NAME | DIR__SEARCH;
1723         if (new_dentry->d_inode)
1724                 av |= DIR__REMOVE_NAME;
1725         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1726         if (rc)
1727                 return rc;
1728         if (new_dentry->d_inode) {
1729                 new_isec = new_dentry->d_inode->i_security;
1730                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1731                 rc = avc_has_perm(sid, new_isec->sid,
1732                                   new_isec->sclass,
1733                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1734                 if (rc)
1735                         return rc;
1736         }
1737
1738         return 0;
1739 }
1740
1741 /* Check whether a task can perform a filesystem operation. */
1742 static int superblock_has_perm(const struct cred *cred,
1743                                struct super_block *sb,
1744                                u32 perms,
1745                                struct common_audit_data *ad)
1746 {
1747         struct superblock_security_struct *sbsec;
1748         u32 sid = cred_sid(cred);
1749
1750         sbsec = sb->s_security;
1751         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1752 }
1753
1754 /* Convert a Linux mode and permission mask to an access vector. */
1755 static inline u32 file_mask_to_av(int mode, int mask)
1756 {
1757         u32 av = 0;
1758
1759         if (!S_ISDIR(mode)) {
1760                 if (mask & MAY_EXEC)
1761                         av |= FILE__EXECUTE;
1762                 if (mask & MAY_READ)
1763                         av |= FILE__READ;
1764
1765                 if (mask & MAY_APPEND)
1766                         av |= FILE__APPEND;
1767                 else if (mask & MAY_WRITE)
1768                         av |= FILE__WRITE;
1769
1770         } else {
1771                 if (mask & MAY_EXEC)
1772                         av |= DIR__SEARCH;
1773                 if (mask & MAY_WRITE)
1774                         av |= DIR__WRITE;
1775                 if (mask & MAY_READ)
1776                         av |= DIR__READ;
1777         }
1778
1779         return av;
1780 }
1781
1782 /* Convert a Linux file to an access vector. */
1783 static inline u32 file_to_av(struct file *file)
1784 {
1785         u32 av = 0;
1786
1787         if (file->f_mode & FMODE_READ)
1788                 av |= FILE__READ;
1789         if (file->f_mode & FMODE_WRITE) {
1790                 if (file->f_flags & O_APPEND)
1791                         av |= FILE__APPEND;
1792                 else
1793                         av |= FILE__WRITE;
1794         }
1795         if (!av) {
1796                 /*
1797                  * Special file opened with flags 3 for ioctl-only use.
1798                  */
1799                 av = FILE__IOCTL;
1800         }
1801
1802         return av;
1803 }
1804
1805 /*
1806  * Convert a file to an access vector and include the correct open
1807  * open permission.
1808  */
1809 static inline u32 open_file_to_av(struct file *file)
1810 {
1811         u32 av = file_to_av(file);
1812
1813         if (selinux_policycap_openperm)
1814                 av |= FILE__OPEN;
1815
1816         return av;
1817 }
1818
1819 /* Hook functions begin here. */
1820
1821 static int selinux_ptrace_access_check(struct task_struct *child,
1822                                      unsigned int mode)
1823 {
1824         int rc;
1825
1826         rc = cap_ptrace_access_check(child, mode);
1827         if (rc)
1828                 return rc;
1829
1830         if (mode & PTRACE_MODE_READ) {
1831                 u32 sid = current_sid();
1832                 u32 csid = task_sid(child);
1833                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1834         }
1835
1836         return current_has_perm(child, PROCESS__PTRACE);
1837 }
1838
1839 static int selinux_ptrace_traceme(struct task_struct *parent)
1840 {
1841         int rc;
1842
1843         rc = cap_ptrace_traceme(parent);
1844         if (rc)
1845                 return rc;
1846
1847         return task_has_perm(parent, current, PROCESS__PTRACE);
1848 }
1849
1850 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1851                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1852 {
1853         int error;
1854
1855         error = current_has_perm(target, PROCESS__GETCAP);
1856         if (error)
1857                 return error;
1858
1859         return cap_capget(target, effective, inheritable, permitted);
1860 }
1861
1862 static int selinux_capset(struct cred *new, const struct cred *old,
1863                           const kernel_cap_t *effective,
1864                           const kernel_cap_t *inheritable,
1865                           const kernel_cap_t *permitted)
1866 {
1867         int error;
1868
1869         error = cap_capset(new, old,
1870                                       effective, inheritable, permitted);
1871         if (error)
1872                 return error;
1873
1874         return cred_has_perm(old, new, PROCESS__SETCAP);
1875 }
1876
1877 /*
1878  * (This comment used to live with the selinux_task_setuid hook,
1879  * which was removed).
1880  *
1881  * Since setuid only affects the current process, and since the SELinux
1882  * controls are not based on the Linux identity attributes, SELinux does not
1883  * need to control this operation.  However, SELinux does control the use of
1884  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1885  */
1886
1887 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1888                            int cap, int audit)
1889 {
1890         int rc;
1891
1892         rc = cap_capable(cred, ns, cap, audit);
1893         if (rc)
1894                 return rc;
1895
1896         return cred_has_capability(cred, cap, audit);
1897 }
1898
1899 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1900 {
1901         const struct cred *cred = current_cred();
1902         int rc = 0;
1903
1904         if (!sb)
1905                 return 0;
1906
1907         switch (cmds) {
1908         case Q_SYNC:
1909         case Q_QUOTAON:
1910         case Q_QUOTAOFF:
1911         case Q_SETINFO:
1912         case Q_SETQUOTA:
1913                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1914                 break;
1915         case Q_GETFMT:
1916         case Q_GETINFO:
1917         case Q_GETQUOTA:
1918                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1919                 break;
1920         default:
1921                 rc = 0;  /* let the kernel handle invalid cmds */
1922                 break;
1923         }
1924         return rc;
1925 }
1926
1927 static int selinux_quota_on(struct dentry *dentry)
1928 {
1929         const struct cred *cred = current_cred();
1930
1931         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1932 }
1933
1934 static int selinux_syslog(int type)
1935 {
1936         int rc;
1937
1938         switch (type) {
1939         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
1940         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1941                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1942                 break;
1943         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1944         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
1945         /* Set level of messages printed to console */
1946         case SYSLOG_ACTION_CONSOLE_LEVEL:
1947                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1948                 break;
1949         case SYSLOG_ACTION_CLOSE:       /* Close log */
1950         case SYSLOG_ACTION_OPEN:        /* Open log */
1951         case SYSLOG_ACTION_READ:        /* Read from log */
1952         case SYSLOG_ACTION_READ_CLEAR:  /* Read/clear last kernel messages */
1953         case SYSLOG_ACTION_CLEAR:       /* Clear ring buffer */
1954         default:
1955                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1956                 break;
1957         }
1958         return rc;
1959 }
1960
1961 /*
1962  * Check that a process has enough memory to allocate a new virtual
1963  * mapping. 0 means there is enough memory for the allocation to
1964  * succeed and -ENOMEM implies there is not.
1965  *
1966  * Do not audit the selinux permission check, as this is applied to all
1967  * processes that allocate mappings.
1968  */
1969 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1970 {
1971         int rc, cap_sys_admin = 0;
1972
1973         rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
1974                              SECURITY_CAP_NOAUDIT);
1975         if (rc == 0)
1976                 cap_sys_admin = 1;
1977
1978         return __vm_enough_memory(mm, pages, cap_sys_admin);
1979 }
1980
1981 /* binprm security operations */
1982
1983 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1984 {
1985         const struct task_security_struct *old_tsec;
1986         struct task_security_struct *new_tsec;
1987         struct inode_security_struct *isec;
1988         struct common_audit_data ad;
1989         struct selinux_audit_data sad = {0,};
1990         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1991         int rc;
1992
1993         rc = cap_bprm_set_creds(bprm);
1994         if (rc)
1995                 return rc;
1996
1997         /* SELinux context only depends on initial program or script and not
1998          * the script interpreter */
1999         if (bprm->cred_prepared)
2000                 return 0;
2001
2002         old_tsec = current_security();
2003         new_tsec = bprm->cred->security;
2004         isec = inode->i_security;
2005
2006         /* Default to the current task SID. */
2007         new_tsec->sid = old_tsec->sid;
2008         new_tsec->osid = old_tsec->sid;
2009
2010         /* Reset fs, key, and sock SIDs on execve. */
2011         new_tsec->create_sid = 0;
2012         new_tsec->keycreate_sid = 0;
2013         new_tsec->sockcreate_sid = 0;
2014
2015         if (old_tsec->exec_sid) {
2016                 new_tsec->sid = old_tsec->exec_sid;
2017                 /* Reset exec SID on execve. */
2018                 new_tsec->exec_sid = 0;
2019         } else {
2020                 /* Check for a default transition on this program. */
2021                 rc = security_transition_sid(old_tsec->sid, isec->sid,
2022                                              SECCLASS_PROCESS, NULL,
2023                                              &new_tsec->sid);
2024                 if (rc)
2025                         return rc;
2026         }
2027
2028         COMMON_AUDIT_DATA_INIT(&ad, PATH);
2029         ad.selinux_audit_data = &sad;
2030         ad.u.path = bprm->file->f_path;
2031
2032         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2033                 new_tsec->sid = old_tsec->sid;
2034
2035         if (new_tsec->sid == old_tsec->sid) {
2036                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2037                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2038                 if (rc)
2039                         return rc;
2040         } else {
2041                 /* Check permissions for the transition. */
2042                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2043                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2044                 if (rc)
2045                         return rc;
2046
2047                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2048                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2049                 if (rc)
2050                         return rc;
2051
2052                 /* Check for shared state */
2053                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2054                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2055                                           SECCLASS_PROCESS, PROCESS__SHARE,
2056                                           NULL);
2057                         if (rc)
2058                                 return -EPERM;
2059                 }
2060
2061                 /* Make sure that anyone attempting to ptrace over a task that
2062                  * changes its SID has the appropriate permit */
2063                 if (bprm->unsafe &
2064                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2065                         struct task_struct *tracer;
2066                         struct task_security_struct *sec;
2067                         u32 ptsid = 0;
2068
2069                         rcu_read_lock();
2070                         tracer = ptrace_parent(current);
2071                         if (likely(tracer != NULL)) {
2072                                 sec = __task_cred(tracer)->security;
2073                                 ptsid = sec->sid;
2074                         }
2075                         rcu_read_unlock();
2076
2077                         if (ptsid != 0) {
2078                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2079                                                   SECCLASS_PROCESS,
2080                                                   PROCESS__PTRACE, NULL);
2081                                 if (rc)
2082                                         return -EPERM;
2083                         }
2084                 }
2085
2086                 /* Clear any possibly unsafe personality bits on exec: */
2087                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2088         }
2089
2090         return 0;
2091 }
2092
2093 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2094 {
2095         const struct task_security_struct *tsec = current_security();
2096         u32 sid, osid;
2097         int atsecure = 0;
2098
2099         sid = tsec->sid;
2100         osid = tsec->osid;
2101
2102         if (osid != sid) {
2103                 /* Enable secure mode for SIDs transitions unless
2104                    the noatsecure permission is granted between
2105                    the two SIDs, i.e. ahp returns 0. */
2106                 atsecure = avc_has_perm(osid, sid,
2107                                         SECCLASS_PROCESS,
2108                                         PROCESS__NOATSECURE, NULL);
2109         }
2110
2111         return (atsecure || cap_bprm_secureexec(bprm));
2112 }
2113
2114 /* Derived from fs/exec.c:flush_old_files. */
2115 static inline void flush_unauthorized_files(const struct cred *cred,
2116                                             struct files_struct *files)
2117 {
2118         struct common_audit_data ad;
2119         struct selinux_audit_data sad = {0,};
2120         struct file *file, *devnull = NULL;
2121         struct tty_struct *tty;
2122         struct fdtable *fdt;
2123         long j = -1;
2124         int drop_tty = 0;
2125
2126         tty = get_current_tty();
2127         if (tty) {
2128                 spin_lock(&tty_files_lock);
2129                 if (!list_empty(&tty->tty_files)) {
2130                         struct tty_file_private *file_priv;
2131                         struct inode *inode;
2132
2133                         /* Revalidate access to controlling tty.
2134                            Use inode_has_perm on the tty inode directly rather
2135                            than using file_has_perm, as this particular open
2136                            file may belong to another process and we are only
2137                            interested in the inode-based check here. */
2138                         file_priv = list_first_entry(&tty->tty_files,
2139                                                 struct tty_file_private, list);
2140                         file = file_priv->file;
2141                         inode = file->f_path.dentry->d_inode;
2142                         if (inode_has_perm_noadp(cred, inode,
2143                                            FILE__READ | FILE__WRITE, 0)) {
2144                                 drop_tty = 1;
2145                         }
2146                 }
2147                 spin_unlock(&tty_files_lock);
2148                 tty_kref_put(tty);
2149         }
2150         /* Reset controlling tty. */
2151         if (drop_tty)
2152                 no_tty();
2153
2154         /* Revalidate access to inherited open files. */
2155
2156         COMMON_AUDIT_DATA_INIT(&ad, INODE);
2157         ad.selinux_audit_data = &sad;
2158
2159         spin_lock(&files->file_lock);
2160         for (;;) {
2161                 unsigned long set, i;
2162                 int fd;
2163
2164                 j++;
2165                 i = j * __NFDBITS;
2166                 fdt = files_fdtable(files);
2167                 if (i >= fdt->max_fds)
2168                         break;
2169                 set = fdt->open_fds[j];
2170                 if (!set)
2171                         continue;
2172                 spin_unlock(&files->file_lock);
2173                 for ( ; set ; i++, set >>= 1) {
2174                         if (set & 1) {
2175                                 file = fget(i);
2176                                 if (!file)
2177                                         continue;
2178                                 if (file_has_perm(cred,
2179                                                   file,
2180                                                   file_to_av(file))) {
2181                                         sys_close(i);
2182                                         fd = get_unused_fd();
2183                                         if (fd != i) {
2184                                                 if (fd >= 0)
2185                                                         put_unused_fd(fd);
2186                                                 fput(file);
2187                                                 continue;
2188                                         }
2189                                         if (devnull) {
2190                                                 get_file(devnull);
2191                                         } else {
2192                                                 devnull = dentry_open(
2193                                                         dget(selinux_null),
2194                                                         mntget(selinuxfs_mount),
2195                                                         O_RDWR, cred);
2196                                                 if (IS_ERR(devnull)) {
2197                                                         devnull = NULL;
2198                                                         put_unused_fd(fd);
2199                                                         fput(file);
2200                                                         continue;
2201                                                 }
2202                                         }
2203                                         fd_install(fd, devnull);
2204                                 }
2205                                 fput(file);
2206                         }
2207                 }
2208                 spin_lock(&files->file_lock);
2209
2210         }
2211         spin_unlock(&files->file_lock);
2212 }
2213
2214 /*
2215  * Prepare a process for imminent new credential changes due to exec
2216  */
2217 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2218 {
2219         struct task_security_struct *new_tsec;
2220         struct rlimit *rlim, *initrlim;
2221         int rc, i;
2222
2223         new_tsec = bprm->cred->security;
2224         if (new_tsec->sid == new_tsec->osid)
2225                 return;
2226
2227         /* Close files for which the new task SID is not authorized. */
2228         flush_unauthorized_files(bprm->cred, current->files);
2229
2230         /* Always clear parent death signal on SID transitions. */
2231         current->pdeath_signal = 0;
2232
2233         /* Check whether the new SID can inherit resource limits from the old
2234          * SID.  If not, reset all soft limits to the lower of the current
2235          * task's hard limit and the init task's soft limit.
2236          *
2237          * Note that the setting of hard limits (even to lower them) can be
2238          * controlled by the setrlimit check.  The inclusion of the init task's
2239          * soft limit into the computation is to avoid resetting soft limits
2240          * higher than the default soft limit for cases where the default is
2241          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2242          */
2243         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2244                           PROCESS__RLIMITINH, NULL);
2245         if (rc) {
2246                 /* protect against do_prlimit() */
2247                 task_lock(current);
2248                 for (i = 0; i < RLIM_NLIMITS; i++) {
2249                         rlim = current->signal->rlim + i;
2250                         initrlim = init_task.signal->rlim + i;
2251                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2252                 }
2253                 task_unlock(current);
2254                 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2255         }
2256 }
2257
2258 /*
2259  * Clean up the process immediately after the installation of new credentials
2260  * due to exec
2261  */
2262 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2263 {
2264         const struct task_security_struct *tsec = current_security();
2265         struct itimerval itimer;
2266         u32 osid, sid;
2267         int rc, i;
2268
2269         osid = tsec->osid;
2270         sid = tsec->sid;
2271
2272         if (sid == osid)
2273                 return;
2274
2275         /* Check whether the new SID can inherit signal state from the old SID.
2276          * If not, clear itimers to avoid subsequent signal generation and
2277          * flush and unblock signals.
2278          *
2279          * This must occur _after_ the task SID has been updated so that any
2280          * kill done after the flush will be checked against the new SID.
2281          */
2282         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2283         if (rc) {
2284                 memset(&itimer, 0, sizeof itimer);
2285                 for (i = 0; i < 3; i++)
2286                         do_setitimer(i, &itimer, NULL);
2287                 spin_lock_irq(&current->sighand->siglock);
2288                 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2289                         __flush_signals(current);
2290                         flush_signal_handlers(current, 1);
2291                         sigemptyset(&current->blocked);
2292                 }
2293                 spin_unlock_irq(&current->sighand->siglock);
2294         }
2295
2296         /* Wake up the parent if it is waiting so that it can recheck
2297          * wait permission to the new task SID. */
2298         read_lock(&tasklist_lock);
2299         __wake_up_parent(current, current->real_parent);
2300         read_unlock(&tasklist_lock);
2301 }
2302
2303 /* superblock security operations */
2304
2305 static int selinux_sb_alloc_security(struct super_block *sb)
2306 {
2307         return superblock_alloc_security(sb);
2308 }
2309
2310 static void selinux_sb_free_security(struct super_block *sb)
2311 {
2312         superblock_free_security(sb);
2313 }
2314
2315 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2316 {
2317         if (plen > olen)
2318                 return 0;
2319
2320         return !memcmp(prefix, option, plen);
2321 }
2322
2323 static inline int selinux_option(char *option, int len)
2324 {
2325         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2326                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2327                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2328                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2329                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2330 }
2331
2332 static inline void take_option(char **to, char *from, int *first, int len)
2333 {
2334         if (!*first) {
2335                 **to = ',';
2336                 *to += 1;
2337         } else
2338                 *first = 0;
2339         memcpy(*to, from, len);
2340         *to += len;
2341 }
2342
2343 static inline void take_selinux_option(char **to, char *from, int *first,
2344                                        int len)
2345 {
2346         int current_size = 0;
2347
2348         if (!*first) {
2349                 **to = '|';
2350                 *to += 1;
2351         } else
2352                 *first = 0;
2353
2354         while (current_size < len) {
2355                 if (*from != '"') {
2356                         **to = *from;
2357                         *to += 1;
2358                 }
2359                 from += 1;
2360                 current_size += 1;
2361         }
2362 }
2363
2364 static int selinux_sb_copy_data(char *orig, char *copy)
2365 {
2366         int fnosec, fsec, rc = 0;
2367         char *in_save, *in_curr, *in_end;
2368         char *sec_curr, *nosec_save, *nosec;
2369         int open_quote = 0;
2370
2371         in_curr = orig;
2372         sec_curr = copy;
2373
2374         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2375         if (!nosec) {
2376                 rc = -ENOMEM;
2377                 goto out;
2378         }
2379
2380         nosec_save = nosec;
2381         fnosec = fsec = 1;
2382         in_save = in_end = orig;
2383
2384         do {
2385                 if (*in_end == '"')
2386                         open_quote = !open_quote;
2387                 if ((*in_end == ',' && open_quote == 0) ||
2388                                 *in_end == '\0') {
2389                         int len = in_end - in_curr;
2390
2391                         if (selinux_option(in_curr, len))
2392                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2393                         else
2394                                 take_option(&nosec, in_curr, &fnosec, len);
2395
2396                         in_curr = in_end + 1;
2397                 }
2398         } while (*in_end++);
2399
2400         strcpy(in_save, nosec_save);
2401         free_page((unsigned long)nosec_save);
2402 out:
2403         return rc;
2404 }
2405
2406 static int selinux_sb_remount(struct super_block *sb, void *data)
2407 {
2408         int rc, i, *flags;
2409         struct security_mnt_opts opts;
2410         char *secdata, **mount_options;
2411         struct superblock_security_struct *sbsec = sb->s_security;
2412
2413         if (!(sbsec->flags & SE_SBINITIALIZED))
2414                 return 0;
2415
2416         if (!data)
2417                 return 0;
2418
2419         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2420                 return 0;
2421
2422         security_init_mnt_opts(&opts);
2423         secdata = alloc_secdata();
2424         if (!secdata)
2425                 return -ENOMEM;
2426         rc = selinux_sb_copy_data(data, secdata);
2427         if (rc)
2428                 goto out_free_secdata;
2429
2430         rc = selinux_parse_opts_str(secdata, &opts);
2431         if (rc)
2432                 goto out_free_secdata;
2433
2434         mount_options = opts.mnt_opts;
2435         flags = opts.mnt_opts_flags;
2436
2437         for (i = 0; i < opts.num_mnt_opts; i++) {
2438                 u32 sid;
2439                 size_t len;
2440
2441                 if (flags[i] == SE_SBLABELSUPP)
2442                         continue;
2443                 len = strlen(mount_options[i]);
2444                 rc = security_context_to_sid(mount_options[i], len, &sid);
2445                 if (rc) {
2446                         printk(KERN_WARNING "SELinux: security_context_to_sid"
2447                                "(%s) failed for (dev %s, type %s) errno=%d\n",
2448                                mount_options[i], sb->s_id, sb->s_type->name, rc);
2449                         goto out_free_opts;
2450                 }
2451                 rc = -EINVAL;
2452                 switch (flags[i]) {
2453                 case FSCONTEXT_MNT:
2454                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2455                                 goto out_bad_option;
2456                         break;
2457                 case CONTEXT_MNT:
2458                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2459                                 goto out_bad_option;
2460                         break;
2461                 case ROOTCONTEXT_MNT: {
2462                         struct inode_security_struct *root_isec;
2463                         root_isec = sb->s_root->d_inode->i_security;
2464
2465                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2466                                 goto out_bad_option;
2467                         break;
2468                 }
2469                 case DEFCONTEXT_MNT:
2470                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2471                                 goto out_bad_option;
2472                         break;
2473                 default:
2474                         goto out_free_opts;
2475                 }
2476         }
2477
2478         rc = 0;
2479 out_free_opts:
2480         security_free_mnt_opts(&opts);
2481 out_free_secdata:
2482         free_secdata(secdata);
2483         return rc;
2484 out_bad_option:
2485         printk(KERN_WARNING "SELinux: unable to change security options "
2486                "during remount (dev %s, type=%s)\n", sb->s_id,
2487                sb->s_type->name);
2488         goto out_free_opts;
2489 }
2490
2491 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2492 {
2493         const struct cred *cred = current_cred();
2494         struct common_audit_data ad;
2495         struct selinux_audit_data sad = {0,};
2496         int rc;
2497
2498         rc = superblock_doinit(sb, data);
2499         if (rc)
2500                 return rc;
2501
2502         /* Allow all mounts performed by the kernel */
2503         if (flags & MS_KERNMOUNT)
2504                 return 0;
2505
2506         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2507         ad.selinux_audit_data = &sad;
2508         ad.u.dentry = sb->s_root;
2509         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2510 }
2511
2512 static int selinux_sb_statfs(struct dentry *dentry)
2513 {
2514         const struct cred *cred = current_cred();
2515         struct common_audit_data ad;
2516         struct selinux_audit_data sad = {0,};
2517
2518         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2519         ad.selinux_audit_data = &sad;
2520         ad.u.dentry = dentry->d_sb->s_root;
2521         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2522 }
2523
2524 static int selinux_mount(char *dev_name,
2525                          struct path *path,
2526                          char *type,
2527                          unsigned long flags,
2528                          void *data)
2529 {
2530         const struct cred *cred = current_cred();
2531
2532         if (flags & MS_REMOUNT)
2533                 return superblock_has_perm(cred, path->dentry->d_sb,
2534                                            FILESYSTEM__REMOUNT, NULL);
2535         else
2536                 return path_has_perm(cred, path, FILE__MOUNTON);
2537 }
2538
2539 static int selinux_umount(struct vfsmount *mnt, int flags)
2540 {
2541         const struct cred *cred = current_cred();
2542
2543         return superblock_has_perm(cred, mnt->mnt_sb,
2544                                    FILESYSTEM__UNMOUNT, NULL);
2545 }
2546
2547 /* inode security operations */
2548
2549 static int selinux_inode_alloc_security(struct inode *inode)
2550 {
2551         return inode_alloc_security(inode);
2552 }
2553
2554 static void selinux_inode_free_security(struct inode *inode)
2555 {
2556         inode_free_security(inode);
2557 }
2558
2559 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2560                                        const struct qstr *qstr, char **name,
2561                                        void **value, size_t *len)
2562 {
2563         const struct task_security_struct *tsec = current_security();
2564         struct inode_security_struct *dsec;
2565         struct superblock_security_struct *sbsec;
2566         u32 sid, newsid, clen;
2567         int rc;
2568         char *namep = NULL, *context;
2569
2570         dsec = dir->i_security;
2571         sbsec = dir->i_sb->s_security;
2572
2573         sid = tsec->sid;
2574         newsid = tsec->create_sid;
2575
2576         if ((sbsec->flags & SE_SBINITIALIZED) &&
2577             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2578                 newsid = sbsec->mntpoint_sid;
2579         else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2580                 rc = security_transition_sid(sid, dsec->sid,
2581                                              inode_mode_to_security_class(inode->i_mode),
2582                                              qstr, &newsid);
2583                 if (rc) {
2584                         printk(KERN_WARNING "%s:  "
2585                                "security_transition_sid failed, rc=%d (dev=%s "
2586                                "ino=%ld)\n",
2587                                __func__,
2588                                -rc, inode->i_sb->s_id, inode->i_ino);
2589                         return rc;
2590                 }
2591         }
2592
2593         /* Possibly defer initialization to selinux_complete_init. */
2594         if (sbsec->flags & SE_SBINITIALIZED) {
2595                 struct inode_security_struct *isec = inode->i_security;
2596                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2597                 isec->sid = newsid;
2598                 isec->initialized = 1;
2599         }
2600
2601         if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2602                 return -EOPNOTSUPP;
2603
2604         if (name) {
2605                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2606                 if (!namep)
2607                         return -ENOMEM;
2608                 *name = namep;
2609         }
2610
2611         if (value && len) {
2612                 rc = security_sid_to_context_force(newsid, &context, &clen);
2613                 if (rc) {
2614                         kfree(namep);
2615                         return rc;
2616                 }
2617                 *value = context;
2618                 *len = clen;
2619         }
2620
2621         return 0;
2622 }
2623
2624 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2625 {
2626         return may_create(dir, dentry, SECCLASS_FILE);
2627 }
2628
2629 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2630 {
2631         return may_link(dir, old_dentry, MAY_LINK);
2632 }
2633
2634 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2635 {
2636         return may_link(dir, dentry, MAY_UNLINK);
2637 }
2638
2639 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2640 {
2641         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2642 }
2643
2644 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2645 {
2646         return may_create(dir, dentry, SECCLASS_DIR);
2647 }
2648
2649 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2650 {
2651         return may_link(dir, dentry, MAY_RMDIR);
2652 }
2653
2654 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2655 {
2656         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2657 }
2658
2659 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2660                                 struct inode *new_inode, struct dentry *new_dentry)
2661 {
2662         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2663 }
2664
2665 static int selinux_inode_readlink(struct dentry *dentry)
2666 {
2667         const struct cred *cred = current_cred();
2668
2669         return dentry_has_perm(cred, dentry, FILE__READ);
2670 }
2671
2672 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2673 {
2674         const struct cred *cred = current_cred();
2675
2676         return dentry_has_perm(cred, dentry, FILE__READ);
2677 }
2678
2679 static int selinux_inode_permission(struct inode *inode, int mask)
2680 {
2681         const struct cred *cred = current_cred();
2682         struct common_audit_data ad;
2683         struct selinux_audit_data sad = {0,};
2684         u32 perms;
2685         bool from_access;
2686         unsigned flags = mask & MAY_NOT_BLOCK;
2687
2688         from_access = mask & MAY_ACCESS;
2689         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2690
2691         /* No permission to check.  Existence test. */
2692         if (!mask)
2693                 return 0;
2694
2695         COMMON_AUDIT_DATA_INIT(&ad, INODE);
2696         ad.selinux_audit_data = &sad;
2697         ad.u.inode = inode;
2698
2699         if (from_access)
2700                 ad.selinux_audit_data->auditdeny |= FILE__AUDIT_ACCESS;
2701
2702         perms = file_mask_to_av(inode->i_mode, mask);
2703
2704         return inode_has_perm(cred, inode, perms, &ad, flags);
2705 }
2706
2707 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2708 {
2709         const struct cred *cred = current_cred();
2710         unsigned int ia_valid = iattr->ia_valid;
2711
2712         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2713         if (ia_valid & ATTR_FORCE) {
2714                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2715                               ATTR_FORCE);
2716                 if (!ia_valid)
2717                         return 0;
2718         }
2719
2720         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2721                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2722                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2723
2724         return dentry_has_perm(cred, dentry, FILE__WRITE);
2725 }
2726
2727 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2728 {
2729         const struct cred *cred = current_cred();
2730         struct path path;
2731
2732         path.dentry = dentry;
2733         path.mnt = mnt;
2734
2735         return path_has_perm(cred, &path, FILE__GETATTR);
2736 }
2737
2738 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2739 {
2740         const struct cred *cred = current_cred();
2741
2742         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2743                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2744                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2745                         if (!capable(CAP_SETFCAP))
2746                                 return -EPERM;
2747                 } else if (!capable(CAP_SYS_ADMIN)) {
2748                         /* A different attribute in the security namespace.
2749                            Restrict to administrator. */
2750                         return -EPERM;
2751                 }
2752         }
2753
2754         /* Not an attribute we recognize, so just check the
2755            ordinary setattr permission. */
2756         return dentry_has_perm(cred, dentry, FILE__SETATTR);
2757 }
2758
2759 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2760                                   const void *value, size_t size, int flags)
2761 {
2762         struct inode *inode = dentry->d_inode;
2763         struct inode_security_struct *isec = inode->i_security;
2764         struct superblock_security_struct *sbsec;
2765         struct common_audit_data ad;
2766         struct selinux_audit_data sad = {0,};
2767         u32 newsid, sid = current_sid();
2768         int rc = 0;
2769
2770         if (strcmp(name, XATTR_NAME_SELINUX))
2771                 return selinux_inode_setotherxattr(dentry, name);
2772
2773         sbsec = inode->i_sb->s_security;
2774         if (!(sbsec->flags & SE_SBLABELSUPP))
2775                 return -EOPNOTSUPP;
2776
2777         if (!inode_owner_or_capable(inode))
2778                 return -EPERM;
2779
2780         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2781         ad.selinux_audit_data = &sad;
2782         ad.u.dentry = dentry;
2783
2784         rc = avc_has_perm(sid, isec->sid, isec->sclass,
2785                           FILE__RELABELFROM, &ad);
2786         if (rc)
2787                 return rc;
2788
2789         rc = security_context_to_sid(value, size, &newsid);
2790         if (rc == -EINVAL) {
2791                 if (!capable(CAP_MAC_ADMIN))
2792                         return rc;
2793                 rc = security_context_to_sid_force(value, size, &newsid);
2794         }
2795         if (rc)
2796                 return rc;
2797
2798         rc = avc_has_perm(sid, newsid, isec->sclass,
2799                           FILE__RELABELTO, &ad);
2800         if (rc)
2801                 return rc;
2802
2803         rc = security_validate_transition(isec->sid, newsid, sid,
2804                                           isec->sclass);
2805         if (rc)
2806                 return rc;
2807
2808         return avc_has_perm(newsid,
2809                             sbsec->sid,
2810                             SECCLASS_FILESYSTEM,
2811                             FILESYSTEM__ASSOCIATE,
2812                             &ad);
2813 }
2814
2815 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2816                                         const void *value, size_t size,
2817                                         int flags)
2818 {
2819         struct inode *inode = dentry->d_inode;
2820         struct inode_security_struct *isec = inode->i_security;
2821         u32 newsid;
2822         int rc;
2823
2824         if (strcmp(name, XATTR_NAME_SELINUX)) {
2825                 /* Not an attribute we recognize, so nothing to do. */
2826                 return;
2827         }
2828
2829         rc = security_context_to_sid_force(value, size, &newsid);
2830         if (rc) {
2831                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2832                        "for (%s, %lu), rc=%d\n",
2833                        inode->i_sb->s_id, inode->i_ino, -rc);
2834                 return;
2835         }
2836
2837         isec->sid = newsid;
2838         return;
2839 }
2840
2841 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2842 {
2843         const struct cred *cred = current_cred();
2844
2845         return dentry_has_perm(cred, dentry, FILE__GETATTR);
2846 }
2847
2848 static int selinux_inode_listxattr(struct dentry *dentry)
2849 {
2850         const struct cred *cred = current_cred();
2851
2852         return dentry_has_perm(cred, dentry, FILE__GETATTR);
2853 }
2854
2855 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2856 {
2857         if (strcmp(name, XATTR_NAME_SELINUX))
2858                 return selinux_inode_setotherxattr(dentry, name);
2859
2860         /* No one is allowed to remove a SELinux security label.
2861            You can change the label, but all data must be labeled. */
2862         return -EACCES;
2863 }
2864
2865 /*
2866  * Copy the inode security context value to the user.
2867  *
2868  * Permission check is handled by selinux_inode_getxattr hook.
2869  */
2870 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2871 {
2872         u32 size;
2873         int error;
2874         char *context = NULL;
2875         struct inode_security_struct *isec = inode->i_security;
2876
2877         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2878                 return -EOPNOTSUPP;
2879
2880         /*
2881          * If the caller has CAP_MAC_ADMIN, then get the raw context
2882          * value even if it is not defined by current policy; otherwise,
2883          * use the in-core value under current policy.
2884          * Use the non-auditing forms of the permission checks since
2885          * getxattr may be called by unprivileged processes commonly
2886          * and lack of permission just means that we fall back to the
2887          * in-core context value, not a denial.
2888          */
2889         error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
2890                                 SECURITY_CAP_NOAUDIT);
2891         if (!error)
2892                 error = security_sid_to_context_force(isec->sid, &context,
2893                                                       &size);
2894         else
2895                 error = security_sid_to_context(isec->sid, &context, &size);
2896         if (error)
2897                 return error;
2898         error = size;
2899         if (alloc) {
2900                 *buffer = context;
2901                 goto out_nofree;
2902         }
2903         kfree(context);
2904 out_nofree:
2905         return error;
2906 }
2907
2908 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2909                                      const void *value, size_t size, int flags)
2910 {
2911         struct inode_security_struct *isec = inode->i_security;
2912         u32 newsid;
2913         int rc;
2914
2915         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2916                 return -EOPNOTSUPP;
2917
2918         if (!value || !size)
2919                 return -EACCES;
2920
2921         rc = security_context_to_sid((void *)value, size, &newsid);
2922         if (rc)
2923                 return rc;
2924
2925         isec->sid = newsid;
2926         isec->initialized = 1;
2927         return 0;
2928 }
2929
2930 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2931 {
2932         const int len = sizeof(XATTR_NAME_SELINUX);
2933         if (buffer && len <= buffer_size)
2934                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2935         return len;
2936 }
2937
2938 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2939 {
2940         struct inode_security_struct *isec = inode->i_security;
2941         *secid = isec->sid;
2942 }
2943
2944 /* file security operations */
2945
2946 static int selinux_revalidate_file_permission(struct file *file, int mask)
2947 {
2948         const struct cred *cred = current_cred();
2949         struct inode *inode = file->f_path.dentry->d_inode;
2950
2951         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2952         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2953                 mask |= MAY_APPEND;
2954
2955         return file_has_perm(cred, file,
2956                              file_mask_to_av(inode->i_mode, mask));
2957 }
2958
2959 static int selinux_file_permission(struct file *file, int mask)
2960 {
2961         struct inode *inode = file->f_path.dentry->d_inode;
2962         struct file_security_struct *fsec = file->f_security;
2963         struct inode_security_struct *isec = inode->i_security;
2964         u32 sid = current_sid();
2965
2966         if (!mask)
2967                 /* No permission to check.  Existence test. */
2968                 return 0;
2969
2970         if (sid == fsec->sid && fsec->isid == isec->sid &&
2971             fsec->pseqno == avc_policy_seqno())
2972                 /* No change since dentry_open check. */
2973                 return 0;
2974
2975         return selinux_revalidate_file_permission(file, mask);
2976 }
2977
2978 static int selinux_file_alloc_security(struct file *file)
2979 {
2980         return file_alloc_security(file);
2981 }
2982
2983 static void selinux_file_free_security(struct file *file)
2984 {
2985         file_free_security(file);
2986 }
2987
2988 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2989                               unsigned long arg)
2990 {
2991         const struct cred *cred = current_cred();
2992         int error = 0;
2993
2994         switch (cmd) {
2995         case FIONREAD:
2996         /* fall through */
2997         case FIBMAP:
2998         /* fall through */
2999         case FIGETBSZ:
3000         /* fall through */
3001         case FS_IOC_GETFLAGS:
3002         /* fall through */
3003         case FS_IOC_GETVERSION:
3004                 error = file_has_perm(cred, file, FILE__GETATTR);
3005                 break;
3006
3007         case FS_IOC_SETFLAGS:
3008         /* fall through */
3009         case FS_IOC_SETVERSION:
3010                 error = file_has_perm(cred, file, FILE__SETATTR);
3011                 break;
3012
3013         /* sys_ioctl() checks */
3014         case FIONBIO:
3015         /* fall through */
3016         case FIOASYNC:
3017                 error = file_has_perm(cred, file, 0);
3018                 break;
3019
3020         case KDSKBENT:
3021         case KDSKBSENT:
3022                 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3023                                             SECURITY_CAP_AUDIT);
3024                 break;
3025
3026         /* default case assumes that the command will go
3027          * to the file's ioctl() function.
3028          */
3029         default:
3030                 error = file_has_perm(cred, file, FILE__IOCTL);
3031         }
3032         return error;
3033 }
3034
3035 static int default_noexec;
3036
3037 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3038 {
3039         const struct cred *cred = current_cred();
3040         int rc = 0;
3041
3042         if (default_noexec &&
3043             (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3044                 /*
3045                  * We are making executable an anonymous mapping or a
3046                  * private file mapping that will also be writable.
3047                  * This has an additional check.
3048                  */
3049                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3050                 if (rc)
3051                         goto error;
3052         }
3053
3054         if (file) {
3055                 /* read access is always possible with a mapping */
3056                 u32 av = FILE__READ;
3057
3058                 /* write access only matters if the mapping is shared */
3059                 if (shared && (prot & PROT_WRITE))
3060                         av |= FILE__WRITE;
3061
3062                 if (prot & PROT_EXEC)
3063                         av |= FILE__EXECUTE;
3064
3065                 return file_has_perm(cred, file, av);
3066         }
3067
3068 error:
3069         return rc;
3070 }
3071
3072 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3073                              unsigned long prot, unsigned long flags,
3074                              unsigned long addr, unsigned long addr_only)
3075 {
3076         int rc = 0;
3077         u32 sid = current_sid();
3078
3079         /*
3080          * notice that we are intentionally putting the SELinux check before
3081          * the secondary cap_file_mmap check.  This is such a likely attempt
3082          * at bad behaviour/exploit that we always want to get the AVC, even
3083          * if DAC would have also denied the operation.
3084          */
3085         if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3086                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3087                                   MEMPROTECT__MMAP_ZERO, NULL);
3088                 if (rc)
3089                         return rc;
3090         }
3091
3092         /* do DAC check on address space usage */
3093         rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3094         if (rc || addr_only)
3095                 return rc;
3096
3097         if (selinux_checkreqprot)
3098                 prot = reqprot;
3099
3100         return file_map_prot_check(file, prot,
3101                                    (flags & MAP_TYPE) == MAP_SHARED);
3102 }
3103
3104 static int selinux_file_mprotect(struct vm_area_struct *vma,
3105                                  unsigned long reqprot,
3106                                  unsigned long prot)
3107 {
3108         const struct cred *cred = current_cred();
3109
3110         if (selinux_checkreqprot)
3111                 prot = reqprot;
3112
3113         if (default_noexec &&
3114             (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3115                 int rc = 0;
3116                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3117                     vma->vm_end <= vma->vm_mm->brk) {
3118                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3119                 } else if (!vma->vm_file &&
3120                            vma->vm_start <= vma->vm_mm->start_stack &&
3121                            vma->vm_end >= vma->vm_mm->start_stack) {
3122                         rc = current_has_perm(current, PROCESS__EXECSTACK);
3123                 } else if (vma->vm_file && vma->anon_vma) {
3124                         /*
3125                          * We are making executable a file mapping that has
3126                          * had some COW done. Since pages might have been
3127                          * written, check ability to execute the possibly
3128                          * modified content.  This typically should only
3129                          * occur for text relocations.
3130                          */
3131                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3132                 }
3133                 if (rc)
3134                         return rc;
3135         }
3136
3137         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3138 }
3139
3140 static int selinux_file_lock(struct file *file, unsigned int cmd)
3141 {
3142         const struct cred *cred = current_cred();
3143
3144         return file_has_perm(cred, file, FILE__LOCK);
3145 }
3146
3147 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3148                               unsigned long arg)
3149 {
3150         const struct cred *cred = current_cred();
3151         int err = 0;
3152
3153         switch (cmd) {
3154         case F_SETFL:
3155                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3156                         err = -EINVAL;
3157                         break;
3158                 }
3159
3160                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3161                         err = file_has_perm(cred, file, FILE__WRITE);
3162                         break;
3163                 }
3164                 /* fall through */
3165         case F_SETOWN:
3166         case F_SETSIG:
3167         case F_GETFL:
3168         case F_GETOWN:
3169         case F_GETSIG:
3170                 /* Just check FD__USE permission */
3171                 err = file_has_perm(cred, file, 0);
3172                 break;
3173         case F_GETLK:
3174         case F_SETLK:
3175         case F_SETLKW:
3176 #if BITS_PER_LONG == 32
3177         case F_GETLK64:
3178         case F_SETLK64:
3179         case F_SETLKW64:
3180 #endif
3181                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3182                         err = -EINVAL;
3183                         break;
3184                 }
3185                 err = file_has_perm(cred, file, FILE__LOCK);
3186                 break;
3187         }
3188
3189         return err;
3190 }
3191
3192 static int selinux_file_set_fowner(struct file *file)
3193 {
3194         struct file_security_struct *fsec;
3195
3196         fsec = file->f_security;
3197         fsec->fown_sid = current_sid();
3198
3199         return 0;
3200 }
3201
3202 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3203                                        struct fown_struct *fown, int signum)
3204 {
3205         struct file *file;
3206         u32 sid = task_sid(tsk);
3207         u32 perm;
3208         struct file_security_struct *fsec;
3209
3210         /* struct fown_struct is never outside the context of a struct file */
3211         file = container_of(fown, struct file, f_owner);
3212
3213         fsec = file->f_security;
3214
3215         if (!signum)
3216                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3217         else
3218                 perm = signal_to_av(signum);
3219
3220         return avc_has_perm(fsec->fown_sid, sid,
3221                             SECCLASS_PROCESS, perm, NULL);
3222 }
3223
3224 static int selinux_file_receive(struct file *file)
3225 {
3226         const struct cred *cred = current_cred();
3227
3228         return file_has_perm(cred, file, file_to_av(file));
3229 }
3230
3231 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3232 {
3233         struct file_security_struct *fsec;
3234         struct inode *inode;
3235         struct inode_security_struct *isec;
3236
3237         inode = file->f_path.dentry->d_inode;
3238         fsec = file->f_security;
3239         isec = inode->i_security;
3240         /*
3241          * Save inode label and policy sequence number
3242          * at open-time so that selinux_file_permission
3243          * can determine whether revalidation is necessary.
3244          * Task label is already saved in the file security
3245          * struct as its SID.
3246          */
3247         fsec->isid = isec->sid;
3248         fsec->pseqno = avc_policy_seqno();
3249         /*
3250          * Since the inode label or policy seqno may have changed
3251          * between the selinux_inode_permission check and the saving
3252          * of state above, recheck that access is still permitted.
3253          * Otherwise, access might never be revalidated against the
3254          * new inode label or new policy.
3255          * This check is not redundant - do not remove.
3256          */
3257         return inode_has_perm_noadp(cred, inode, open_file_to_av(file), 0);
3258 }
3259
3260 /* task security operations */
3261
3262 static int selinux_task_create(unsigned long clone_flags)
3263 {
3264         return current_has_perm(current, PROCESS__FORK);
3265 }
3266
3267 /*
3268  * allocate the SELinux part of blank credentials
3269  */
3270 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3271 {
3272         struct task_security_struct *tsec;
3273
3274         tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3275         if (!tsec)
3276                 return -ENOMEM;
3277
3278         cred->security = tsec;
3279         return 0;
3280 }
3281
3282 /*
3283  * detach and free the LSM part of a set of credentials
3284  */
3285 static void selinux_cred_free(struct cred *cred)
3286 {
3287         struct task_security_struct *tsec = cred->security;
3288
3289         /*