Linux 3.15
[sfrench/cifs-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h>             /* for local_port_range[] */
54 #include <net/sock.h>
55 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h>    /* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/quota.h>
70 #include <linux/un.h>           /* for Unix socket types */
71 #include <net/af_unix.h>        /* for Unix socket types */
72 #include <linux/parser.h>
73 #include <linux/nfs_mount.h>
74 #include <net/ipv6.h>
75 #include <linux/hugetlb.h>
76 #include <linux/personality.h>
77 #include <linux/audit.h>
78 #include <linux/string.h>
79 #include <linux/selinux.h>
80 #include <linux/mutex.h>
81 #include <linux/posix-timers.h>
82 #include <linux/syslog.h>
83 #include <linux/user_namespace.h>
84 #include <linux/export.h>
85 #include <linux/msg.h>
86 #include <linux/shm.h>
87
88 #include "avc.h"
89 #include "objsec.h"
90 #include "netif.h"
91 #include "netnode.h"
92 #include "netport.h"
93 #include "xfrm.h"
94 #include "netlabel.h"
95 #include "audit.h"
96 #include "avc_ss.h"
97
98 extern struct security_operations *security_ops;
99
100 /* SECMARK reference count */
101 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
102
103 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
104 int selinux_enforcing;
105
106 static int __init enforcing_setup(char *str)
107 {
108         unsigned long enforcing;
109         if (!kstrtoul(str, 0, &enforcing))
110                 selinux_enforcing = enforcing ? 1 : 0;
111         return 1;
112 }
113 __setup("enforcing=", enforcing_setup);
114 #endif
115
116 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118
119 static int __init selinux_enabled_setup(char *str)
120 {
121         unsigned long enabled;
122         if (!kstrtoul(str, 0, &enabled))
123                 selinux_enabled = enabled ? 1 : 0;
124         return 1;
125 }
126 __setup("selinux=", selinux_enabled_setup);
127 #else
128 int selinux_enabled = 1;
129 #endif
130
131 static struct kmem_cache *sel_inode_cache;
132
133 /**
134  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
135  *
136  * Description:
137  * This function checks the SECMARK reference counter to see if any SECMARK
138  * targets are currently configured, if the reference counter is greater than
139  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
140  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
141  * policy capability is enabled, SECMARK is always considered enabled.
142  *
143  */
144 static int selinux_secmark_enabled(void)
145 {
146         return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
147 }
148
149 /**
150  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
151  *
152  * Description:
153  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
154  * (1) if any are enabled or false (0) if neither are enabled.  If the
155  * always_check_network policy capability is enabled, peer labeling
156  * is always considered enabled.
157  *
158  */
159 static int selinux_peerlbl_enabled(void)
160 {
161         return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
162 }
163
164 /*
165  * initialise the security for the init task
166  */
167 static void cred_init_security(void)
168 {
169         struct cred *cred = (struct cred *) current->real_cred;
170         struct task_security_struct *tsec;
171
172         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
173         if (!tsec)
174                 panic("SELinux:  Failed to initialize initial task.\n");
175
176         tsec->osid = tsec->sid = SECINITSID_KERNEL;
177         cred->security = tsec;
178 }
179
180 /*
181  * get the security ID of a set of credentials
182  */
183 static inline u32 cred_sid(const struct cred *cred)
184 {
185         const struct task_security_struct *tsec;
186
187         tsec = cred->security;
188         return tsec->sid;
189 }
190
191 /*
192  * get the objective security ID of a task
193  */
194 static inline u32 task_sid(const struct task_struct *task)
195 {
196         u32 sid;
197
198         rcu_read_lock();
199         sid = cred_sid(__task_cred(task));
200         rcu_read_unlock();
201         return sid;
202 }
203
204 /*
205  * get the subjective security ID of the current task
206  */
207 static inline u32 current_sid(void)
208 {
209         const struct task_security_struct *tsec = current_security();
210
211         return tsec->sid;
212 }
213
214 /* Allocate and free functions for each kind of security blob. */
215
216 static int inode_alloc_security(struct inode *inode)
217 {
218         struct inode_security_struct *isec;
219         u32 sid = current_sid();
220
221         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
222         if (!isec)
223                 return -ENOMEM;
224
225         mutex_init(&isec->lock);
226         INIT_LIST_HEAD(&isec->list);
227         isec->inode = inode;
228         isec->sid = SECINITSID_UNLABELED;
229         isec->sclass = SECCLASS_FILE;
230         isec->task_sid = sid;
231         inode->i_security = isec;
232
233         return 0;
234 }
235
236 static void inode_free_rcu(struct rcu_head *head)
237 {
238         struct inode_security_struct *isec;
239
240         isec = container_of(head, struct inode_security_struct, rcu);
241         kmem_cache_free(sel_inode_cache, isec);
242 }
243
244 static void inode_free_security(struct inode *inode)
245 {
246         struct inode_security_struct *isec = inode->i_security;
247         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
248
249         spin_lock(&sbsec->isec_lock);
250         if (!list_empty(&isec->list))
251                 list_del_init(&isec->list);
252         spin_unlock(&sbsec->isec_lock);
253
254         /*
255          * The inode may still be referenced in a path walk and
256          * a call to selinux_inode_permission() can be made
257          * after inode_free_security() is called. Ideally, the VFS
258          * wouldn't do this, but fixing that is a much harder
259          * job. For now, simply free the i_security via RCU, and
260          * leave the current inode->i_security pointer intact.
261          * The inode will be freed after the RCU grace period too.
262          */
263         call_rcu(&isec->rcu, inode_free_rcu);
264 }
265
266 static int file_alloc_security(struct file *file)
267 {
268         struct file_security_struct *fsec;
269         u32 sid = current_sid();
270
271         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
272         if (!fsec)
273                 return -ENOMEM;
274
275         fsec->sid = sid;
276         fsec->fown_sid = sid;
277         file->f_security = fsec;
278
279         return 0;
280 }
281
282 static void file_free_security(struct file *file)
283 {
284         struct file_security_struct *fsec = file->f_security;
285         file->f_security = NULL;
286         kfree(fsec);
287 }
288
289 static int superblock_alloc_security(struct super_block *sb)
290 {
291         struct superblock_security_struct *sbsec;
292
293         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
294         if (!sbsec)
295                 return -ENOMEM;
296
297         mutex_init(&sbsec->lock);
298         INIT_LIST_HEAD(&sbsec->isec_head);
299         spin_lock_init(&sbsec->isec_lock);
300         sbsec->sb = sb;
301         sbsec->sid = SECINITSID_UNLABELED;
302         sbsec->def_sid = SECINITSID_FILE;
303         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
304         sb->s_security = sbsec;
305
306         return 0;
307 }
308
309 static void superblock_free_security(struct super_block *sb)
310 {
311         struct superblock_security_struct *sbsec = sb->s_security;
312         sb->s_security = NULL;
313         kfree(sbsec);
314 }
315
316 /* The file system's label must be initialized prior to use. */
317
318 static const char *labeling_behaviors[7] = {
319         "uses xattr",
320         "uses transition SIDs",
321         "uses task SIDs",
322         "uses genfs_contexts",
323         "not configured for labeling",
324         "uses mountpoint labeling",
325         "uses native labeling",
326 };
327
328 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
329
330 static inline int inode_doinit(struct inode *inode)
331 {
332         return inode_doinit_with_dentry(inode, NULL);
333 }
334
335 enum {
336         Opt_error = -1,
337         Opt_context = 1,
338         Opt_fscontext = 2,
339         Opt_defcontext = 3,
340         Opt_rootcontext = 4,
341         Opt_labelsupport = 5,
342         Opt_nextmntopt = 6,
343 };
344
345 #define NUM_SEL_MNT_OPTS        (Opt_nextmntopt - 1)
346
347 static const match_table_t tokens = {
348         {Opt_context, CONTEXT_STR "%s"},
349         {Opt_fscontext, FSCONTEXT_STR "%s"},
350         {Opt_defcontext, DEFCONTEXT_STR "%s"},
351         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
352         {Opt_labelsupport, LABELSUPP_STR},
353         {Opt_error, NULL},
354 };
355
356 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
357
358 static int may_context_mount_sb_relabel(u32 sid,
359                         struct superblock_security_struct *sbsec,
360                         const struct cred *cred)
361 {
362         const struct task_security_struct *tsec = cred->security;
363         int rc;
364
365         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
366                           FILESYSTEM__RELABELFROM, NULL);
367         if (rc)
368                 return rc;
369
370         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
371                           FILESYSTEM__RELABELTO, NULL);
372         return rc;
373 }
374
375 static int may_context_mount_inode_relabel(u32 sid,
376                         struct superblock_security_struct *sbsec,
377                         const struct cred *cred)
378 {
379         const struct task_security_struct *tsec = cred->security;
380         int rc;
381         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
382                           FILESYSTEM__RELABELFROM, NULL);
383         if (rc)
384                 return rc;
385
386         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
387                           FILESYSTEM__ASSOCIATE, NULL);
388         return rc;
389 }
390
391 static int selinux_is_sblabel_mnt(struct super_block *sb)
392 {
393         struct superblock_security_struct *sbsec = sb->s_security;
394
395         if (sbsec->behavior == SECURITY_FS_USE_XATTR ||
396             sbsec->behavior == SECURITY_FS_USE_TRANS ||
397             sbsec->behavior == SECURITY_FS_USE_TASK)
398                 return 1;
399
400         /* Special handling for sysfs. Is genfs but also has setxattr handler*/
401         if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
402                 return 1;
403
404         /*
405          * Special handling for rootfs. Is genfs but supports
406          * setting SELinux context on in-core inodes.
407          */
408         if (strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0)
409                 return 1;
410
411         return 0;
412 }
413
414 static int sb_finish_set_opts(struct super_block *sb)
415 {
416         struct superblock_security_struct *sbsec = sb->s_security;
417         struct dentry *root = sb->s_root;
418         struct inode *root_inode = root->d_inode;
419         int rc = 0;
420
421         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
422                 /* Make sure that the xattr handler exists and that no
423                    error other than -ENODATA is returned by getxattr on
424                    the root directory.  -ENODATA is ok, as this may be
425                    the first boot of the SELinux kernel before we have
426                    assigned xattr values to the filesystem. */
427                 if (!root_inode->i_op->getxattr) {
428                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
429                                "xattr support\n", sb->s_id, sb->s_type->name);
430                         rc = -EOPNOTSUPP;
431                         goto out;
432                 }
433                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
434                 if (rc < 0 && rc != -ENODATA) {
435                         if (rc == -EOPNOTSUPP)
436                                 printk(KERN_WARNING "SELinux: (dev %s, type "
437                                        "%s) has no security xattr handler\n",
438                                        sb->s_id, sb->s_type->name);
439                         else
440                                 printk(KERN_WARNING "SELinux: (dev %s, type "
441                                        "%s) getxattr errno %d\n", sb->s_id,
442                                        sb->s_type->name, -rc);
443                         goto out;
444                 }
445         }
446
447         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
448                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
449                        sb->s_id, sb->s_type->name);
450         else
451                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
452                        sb->s_id, sb->s_type->name,
453                        labeling_behaviors[sbsec->behavior-1]);
454
455         sbsec->flags |= SE_SBINITIALIZED;
456         if (selinux_is_sblabel_mnt(sb))
457                 sbsec->flags |= SBLABEL_MNT;
458
459         /* Initialize the root inode. */
460         rc = inode_doinit_with_dentry(root_inode, root);
461
462         /* Initialize any other inodes associated with the superblock, e.g.
463            inodes created prior to initial policy load or inodes created
464            during get_sb by a pseudo filesystem that directly
465            populates itself. */
466         spin_lock(&sbsec->isec_lock);
467 next_inode:
468         if (!list_empty(&sbsec->isec_head)) {
469                 struct inode_security_struct *isec =
470                                 list_entry(sbsec->isec_head.next,
471                                            struct inode_security_struct, list);
472                 struct inode *inode = isec->inode;
473                 spin_unlock(&sbsec->isec_lock);
474                 inode = igrab(inode);
475                 if (inode) {
476                         if (!IS_PRIVATE(inode))
477                                 inode_doinit(inode);
478                         iput(inode);
479                 }
480                 spin_lock(&sbsec->isec_lock);
481                 list_del_init(&isec->list);
482                 goto next_inode;
483         }
484         spin_unlock(&sbsec->isec_lock);
485 out:
486         return rc;
487 }
488
489 /*
490  * This function should allow an FS to ask what it's mount security
491  * options were so it can use those later for submounts, displaying
492  * mount options, or whatever.
493  */
494 static int selinux_get_mnt_opts(const struct super_block *sb,
495                                 struct security_mnt_opts *opts)
496 {
497         int rc = 0, i;
498         struct superblock_security_struct *sbsec = sb->s_security;
499         char *context = NULL;
500         u32 len;
501         char tmp;
502
503         security_init_mnt_opts(opts);
504
505         if (!(sbsec->flags & SE_SBINITIALIZED))
506                 return -EINVAL;
507
508         if (!ss_initialized)
509                 return -EINVAL;
510
511         /* make sure we always check enough bits to cover the mask */
512         BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
513
514         tmp = sbsec->flags & SE_MNTMASK;
515         /* count the number of mount options for this sb */
516         for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
517                 if (tmp & 0x01)
518                         opts->num_mnt_opts++;
519                 tmp >>= 1;
520         }
521         /* Check if the Label support flag is set */
522         if (sbsec->flags & SBLABEL_MNT)
523                 opts->num_mnt_opts++;
524
525         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
526         if (!opts->mnt_opts) {
527                 rc = -ENOMEM;
528                 goto out_free;
529         }
530
531         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
532         if (!opts->mnt_opts_flags) {
533                 rc = -ENOMEM;
534                 goto out_free;
535         }
536
537         i = 0;
538         if (sbsec->flags & FSCONTEXT_MNT) {
539                 rc = security_sid_to_context(sbsec->sid, &context, &len);
540                 if (rc)
541                         goto out_free;
542                 opts->mnt_opts[i] = context;
543                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
544         }
545         if (sbsec->flags & CONTEXT_MNT) {
546                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
547                 if (rc)
548                         goto out_free;
549                 opts->mnt_opts[i] = context;
550                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
551         }
552         if (sbsec->flags & DEFCONTEXT_MNT) {
553                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
554                 if (rc)
555                         goto out_free;
556                 opts->mnt_opts[i] = context;
557                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
558         }
559         if (sbsec->flags & ROOTCONTEXT_MNT) {
560                 struct inode *root = sbsec->sb->s_root->d_inode;
561                 struct inode_security_struct *isec = root->i_security;
562
563                 rc = security_sid_to_context(isec->sid, &context, &len);
564                 if (rc)
565                         goto out_free;
566                 opts->mnt_opts[i] = context;
567                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
568         }
569         if (sbsec->flags & SBLABEL_MNT) {
570                 opts->mnt_opts[i] = NULL;
571                 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
572         }
573
574         BUG_ON(i != opts->num_mnt_opts);
575
576         return 0;
577
578 out_free:
579         security_free_mnt_opts(opts);
580         return rc;
581 }
582
583 static int bad_option(struct superblock_security_struct *sbsec, char flag,
584                       u32 old_sid, u32 new_sid)
585 {
586         char mnt_flags = sbsec->flags & SE_MNTMASK;
587
588         /* check if the old mount command had the same options */
589         if (sbsec->flags & SE_SBINITIALIZED)
590                 if (!(sbsec->flags & flag) ||
591                     (old_sid != new_sid))
592                         return 1;
593
594         /* check if we were passed the same options twice,
595          * aka someone passed context=a,context=b
596          */
597         if (!(sbsec->flags & SE_SBINITIALIZED))
598                 if (mnt_flags & flag)
599                         return 1;
600         return 0;
601 }
602
603 /*
604  * Allow filesystems with binary mount data to explicitly set mount point
605  * labeling information.
606  */
607 static int selinux_set_mnt_opts(struct super_block *sb,
608                                 struct security_mnt_opts *opts,
609                                 unsigned long kern_flags,
610                                 unsigned long *set_kern_flags)
611 {
612         const struct cred *cred = current_cred();
613         int rc = 0, i;
614         struct superblock_security_struct *sbsec = sb->s_security;
615         const char *name = sb->s_type->name;
616         struct inode *inode = sbsec->sb->s_root->d_inode;
617         struct inode_security_struct *root_isec = inode->i_security;
618         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
619         u32 defcontext_sid = 0;
620         char **mount_options = opts->mnt_opts;
621         int *flags = opts->mnt_opts_flags;
622         int num_opts = opts->num_mnt_opts;
623
624         mutex_lock(&sbsec->lock);
625
626         if (!ss_initialized) {
627                 if (!num_opts) {
628                         /* Defer initialization until selinux_complete_init,
629                            after the initial policy is loaded and the security
630                            server is ready to handle calls. */
631                         goto out;
632                 }
633                 rc = -EINVAL;
634                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
635                         "before the security server is initialized\n");
636                 goto out;
637         }
638         if (kern_flags && !set_kern_flags) {
639                 /* Specifying internal flags without providing a place to
640                  * place the results is not allowed */
641                 rc = -EINVAL;
642                 goto out;
643         }
644
645         /*
646          * Binary mount data FS will come through this function twice.  Once
647          * from an explicit call and once from the generic calls from the vfs.
648          * Since the generic VFS calls will not contain any security mount data
649          * we need to skip the double mount verification.
650          *
651          * This does open a hole in which we will not notice if the first
652          * mount using this sb set explict options and a second mount using
653          * this sb does not set any security options.  (The first options
654          * will be used for both mounts)
655          */
656         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
657             && (num_opts == 0))
658                 goto out;
659
660         /*
661          * parse the mount options, check if they are valid sids.
662          * also check if someone is trying to mount the same sb more
663          * than once with different security options.
664          */
665         for (i = 0; i < num_opts; i++) {
666                 u32 sid;
667
668                 if (flags[i] == SBLABEL_MNT)
669                         continue;
670                 rc = security_context_to_sid(mount_options[i],
671                                              strlen(mount_options[i]), &sid, GFP_KERNEL);
672                 if (rc) {
673                         printk(KERN_WARNING "SELinux: security_context_to_sid"
674                                "(%s) failed for (dev %s, type %s) errno=%d\n",
675                                mount_options[i], sb->s_id, name, rc);
676                         goto out;
677                 }
678                 switch (flags[i]) {
679                 case FSCONTEXT_MNT:
680                         fscontext_sid = sid;
681
682                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
683                                         fscontext_sid))
684                                 goto out_double_mount;
685
686                         sbsec->flags |= FSCONTEXT_MNT;
687                         break;
688                 case CONTEXT_MNT:
689                         context_sid = sid;
690
691                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
692                                         context_sid))
693                                 goto out_double_mount;
694
695                         sbsec->flags |= CONTEXT_MNT;
696                         break;
697                 case ROOTCONTEXT_MNT:
698                         rootcontext_sid = sid;
699
700                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
701                                         rootcontext_sid))
702                                 goto out_double_mount;
703
704                         sbsec->flags |= ROOTCONTEXT_MNT;
705
706                         break;
707                 case DEFCONTEXT_MNT:
708                         defcontext_sid = sid;
709
710                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
711                                         defcontext_sid))
712                                 goto out_double_mount;
713
714                         sbsec->flags |= DEFCONTEXT_MNT;
715
716                         break;
717                 default:
718                         rc = -EINVAL;
719                         goto out;
720                 }
721         }
722
723         if (sbsec->flags & SE_SBINITIALIZED) {
724                 /* previously mounted with options, but not on this attempt? */
725                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
726                         goto out_double_mount;
727                 rc = 0;
728                 goto out;
729         }
730
731         if (strcmp(sb->s_type->name, "proc") == 0)
732                 sbsec->flags |= SE_SBPROC;
733
734         if (!sbsec->behavior) {
735                 /*
736                  * Determine the labeling behavior to use for this
737                  * filesystem type.
738                  */
739                 rc = security_fs_use(sb);
740                 if (rc) {
741                         printk(KERN_WARNING
742                                 "%s: security_fs_use(%s) returned %d\n",
743                                         __func__, sb->s_type->name, rc);
744                         goto out;
745                 }
746         }
747         /* sets the context of the superblock for the fs being mounted. */
748         if (fscontext_sid) {
749                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
750                 if (rc)
751                         goto out;
752
753                 sbsec->sid = fscontext_sid;
754         }
755
756         /*
757          * Switch to using mount point labeling behavior.
758          * sets the label used on all file below the mountpoint, and will set
759          * the superblock context if not already set.
760          */
761         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
762                 sbsec->behavior = SECURITY_FS_USE_NATIVE;
763                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
764         }
765
766         if (context_sid) {
767                 if (!fscontext_sid) {
768                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
769                                                           cred);
770                         if (rc)
771                                 goto out;
772                         sbsec->sid = context_sid;
773                 } else {
774                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
775                                                              cred);
776                         if (rc)
777                                 goto out;
778                 }
779                 if (!rootcontext_sid)
780                         rootcontext_sid = context_sid;
781
782                 sbsec->mntpoint_sid = context_sid;
783                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
784         }
785
786         if (rootcontext_sid) {
787                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
788                                                      cred);
789                 if (rc)
790                         goto out;
791
792                 root_isec->sid = rootcontext_sid;
793                 root_isec->initialized = 1;
794         }
795
796         if (defcontext_sid) {
797                 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
798                         sbsec->behavior != SECURITY_FS_USE_NATIVE) {
799                         rc = -EINVAL;
800                         printk(KERN_WARNING "SELinux: defcontext option is "
801                                "invalid for this filesystem type\n");
802                         goto out;
803                 }
804
805                 if (defcontext_sid != sbsec->def_sid) {
806                         rc = may_context_mount_inode_relabel(defcontext_sid,
807                                                              sbsec, cred);
808                         if (rc)
809                                 goto out;
810                 }
811
812                 sbsec->def_sid = defcontext_sid;
813         }
814
815         rc = sb_finish_set_opts(sb);
816 out:
817         mutex_unlock(&sbsec->lock);
818         return rc;
819 out_double_mount:
820         rc = -EINVAL;
821         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
822                "security settings for (dev %s, type %s)\n", sb->s_id, name);
823         goto out;
824 }
825
826 static int selinux_cmp_sb_context(const struct super_block *oldsb,
827                                     const struct super_block *newsb)
828 {
829         struct superblock_security_struct *old = oldsb->s_security;
830         struct superblock_security_struct *new = newsb->s_security;
831         char oldflags = old->flags & SE_MNTMASK;
832         char newflags = new->flags & SE_MNTMASK;
833
834         if (oldflags != newflags)
835                 goto mismatch;
836         if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
837                 goto mismatch;
838         if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
839                 goto mismatch;
840         if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
841                 goto mismatch;
842         if (oldflags & ROOTCONTEXT_MNT) {
843                 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
844                 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
845                 if (oldroot->sid != newroot->sid)
846                         goto mismatch;
847         }
848         return 0;
849 mismatch:
850         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
851                             "different security settings for (dev %s, "
852                             "type %s)\n", newsb->s_id, newsb->s_type->name);
853         return -EBUSY;
854 }
855
856 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
857                                         struct super_block *newsb)
858 {
859         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
860         struct superblock_security_struct *newsbsec = newsb->s_security;
861
862         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
863         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
864         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
865
866         /*
867          * if the parent was able to be mounted it clearly had no special lsm
868          * mount options.  thus we can safely deal with this superblock later
869          */
870         if (!ss_initialized)
871                 return 0;
872
873         /* how can we clone if the old one wasn't set up?? */
874         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
875
876         /* if fs is reusing a sb, make sure that the contexts match */
877         if (newsbsec->flags & SE_SBINITIALIZED)
878                 return selinux_cmp_sb_context(oldsb, newsb);
879
880         mutex_lock(&newsbsec->lock);
881
882         newsbsec->flags = oldsbsec->flags;
883
884         newsbsec->sid = oldsbsec->sid;
885         newsbsec->def_sid = oldsbsec->def_sid;
886         newsbsec->behavior = oldsbsec->behavior;
887
888         if (set_context) {
889                 u32 sid = oldsbsec->mntpoint_sid;
890
891                 if (!set_fscontext)
892                         newsbsec->sid = sid;
893                 if (!set_rootcontext) {
894                         struct inode *newinode = newsb->s_root->d_inode;
895                         struct inode_security_struct *newisec = newinode->i_security;
896                         newisec->sid = sid;
897                 }
898                 newsbsec->mntpoint_sid = sid;
899         }
900         if (set_rootcontext) {
901                 const struct inode *oldinode = oldsb->s_root->d_inode;
902                 const struct inode_security_struct *oldisec = oldinode->i_security;
903                 struct inode *newinode = newsb->s_root->d_inode;
904                 struct inode_security_struct *newisec = newinode->i_security;
905
906                 newisec->sid = oldisec->sid;
907         }
908
909         sb_finish_set_opts(newsb);
910         mutex_unlock(&newsbsec->lock);
911         return 0;
912 }
913
914 static int selinux_parse_opts_str(char *options,
915                                   struct security_mnt_opts *opts)
916 {
917         char *p;
918         char *context = NULL, *defcontext = NULL;
919         char *fscontext = NULL, *rootcontext = NULL;
920         int rc, num_mnt_opts = 0;
921
922         opts->num_mnt_opts = 0;
923
924         /* Standard string-based options. */
925         while ((p = strsep(&options, "|")) != NULL) {
926                 int token;
927                 substring_t args[MAX_OPT_ARGS];
928
929                 if (!*p)
930                         continue;
931
932                 token = match_token(p, tokens, args);
933
934                 switch (token) {
935                 case Opt_context:
936                         if (context || defcontext) {
937                                 rc = -EINVAL;
938                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
939                                 goto out_err;
940                         }
941                         context = match_strdup(&args[0]);
942                         if (!context) {
943                                 rc = -ENOMEM;
944                                 goto out_err;
945                         }
946                         break;
947
948                 case Opt_fscontext:
949                         if (fscontext) {
950                                 rc = -EINVAL;
951                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
952                                 goto out_err;
953                         }
954                         fscontext = match_strdup(&args[0]);
955                         if (!fscontext) {
956                                 rc = -ENOMEM;
957                                 goto out_err;
958                         }
959                         break;
960
961                 case Opt_rootcontext:
962                         if (rootcontext) {
963                                 rc = -EINVAL;
964                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
965                                 goto out_err;
966                         }
967                         rootcontext = match_strdup(&args[0]);
968                         if (!rootcontext) {
969                                 rc = -ENOMEM;
970                                 goto out_err;
971                         }
972                         break;
973
974                 case Opt_defcontext:
975                         if (context || defcontext) {
976                                 rc = -EINVAL;
977                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
978                                 goto out_err;
979                         }
980                         defcontext = match_strdup(&args[0]);
981                         if (!defcontext) {
982                                 rc = -ENOMEM;
983                                 goto out_err;
984                         }
985                         break;
986                 case Opt_labelsupport:
987                         break;
988                 default:
989                         rc = -EINVAL;
990                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
991                         goto out_err;
992
993                 }
994         }
995
996         rc = -ENOMEM;
997         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
998         if (!opts->mnt_opts)
999                 goto out_err;
1000
1001         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1002         if (!opts->mnt_opts_flags) {
1003                 kfree(opts->mnt_opts);
1004                 goto out_err;
1005         }
1006
1007         if (fscontext) {
1008                 opts->mnt_opts[num_mnt_opts] = fscontext;
1009                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1010         }
1011         if (context) {
1012                 opts->mnt_opts[num_mnt_opts] = context;
1013                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1014         }
1015         if (rootcontext) {
1016                 opts->mnt_opts[num_mnt_opts] = rootcontext;
1017                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1018         }
1019         if (defcontext) {
1020                 opts->mnt_opts[num_mnt_opts] = defcontext;
1021                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1022         }
1023
1024         opts->num_mnt_opts = num_mnt_opts;
1025         return 0;
1026
1027 out_err:
1028         kfree(context);
1029         kfree(defcontext);
1030         kfree(fscontext);
1031         kfree(rootcontext);
1032         return rc;
1033 }
1034 /*
1035  * string mount options parsing and call set the sbsec
1036  */
1037 static int superblock_doinit(struct super_block *sb, void *data)
1038 {
1039         int rc = 0;
1040         char *options = data;
1041         struct security_mnt_opts opts;
1042
1043         security_init_mnt_opts(&opts);
1044
1045         if (!data)
1046                 goto out;
1047
1048         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1049
1050         rc = selinux_parse_opts_str(options, &opts);
1051         if (rc)
1052                 goto out_err;
1053
1054 out:
1055         rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1056
1057 out_err:
1058         security_free_mnt_opts(&opts);
1059         return rc;
1060 }
1061
1062 static void selinux_write_opts(struct seq_file *m,
1063                                struct security_mnt_opts *opts)
1064 {
1065         int i;
1066         char *prefix;
1067
1068         for (i = 0; i < opts->num_mnt_opts; i++) {
1069                 char *has_comma;
1070
1071                 if (opts->mnt_opts[i])
1072                         has_comma = strchr(opts->mnt_opts[i], ',');
1073                 else
1074                         has_comma = NULL;
1075
1076                 switch (opts->mnt_opts_flags[i]) {
1077                 case CONTEXT_MNT:
1078                         prefix = CONTEXT_STR;
1079                         break;
1080                 case FSCONTEXT_MNT:
1081                         prefix = FSCONTEXT_STR;
1082                         break;
1083                 case ROOTCONTEXT_MNT:
1084                         prefix = ROOTCONTEXT_STR;
1085                         break;
1086                 case DEFCONTEXT_MNT:
1087                         prefix = DEFCONTEXT_STR;
1088                         break;
1089                 case SBLABEL_MNT:
1090                         seq_putc(m, ',');
1091                         seq_puts(m, LABELSUPP_STR);
1092                         continue;
1093                 default:
1094                         BUG();
1095                         return;
1096                 };
1097                 /* we need a comma before each option */
1098                 seq_putc(m, ',');
1099                 seq_puts(m, prefix);
1100                 if (has_comma)
1101                         seq_putc(m, '\"');
1102                 seq_puts(m, opts->mnt_opts[i]);
1103                 if (has_comma)
1104                         seq_putc(m, '\"');
1105         }
1106 }
1107
1108 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1109 {
1110         struct security_mnt_opts opts;
1111         int rc;
1112
1113         rc = selinux_get_mnt_opts(sb, &opts);
1114         if (rc) {
1115                 /* before policy load we may get EINVAL, don't show anything */
1116                 if (rc == -EINVAL)
1117                         rc = 0;
1118                 return rc;
1119         }
1120
1121         selinux_write_opts(m, &opts);
1122
1123         security_free_mnt_opts(&opts);
1124
1125         return rc;
1126 }
1127
1128 static inline u16 inode_mode_to_security_class(umode_t mode)
1129 {
1130         switch (mode & S_IFMT) {
1131         case S_IFSOCK:
1132                 return SECCLASS_SOCK_FILE;
1133         case S_IFLNK:
1134                 return SECCLASS_LNK_FILE;
1135         case S_IFREG:
1136                 return SECCLASS_FILE;
1137         case S_IFBLK:
1138                 return SECCLASS_BLK_FILE;
1139         case S_IFDIR:
1140                 return SECCLASS_DIR;
1141         case S_IFCHR:
1142                 return SECCLASS_CHR_FILE;
1143         case S_IFIFO:
1144                 return SECCLASS_FIFO_FILE;
1145
1146         }
1147
1148         return SECCLASS_FILE;
1149 }
1150
1151 static inline int default_protocol_stream(int protocol)
1152 {
1153         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1154 }
1155
1156 static inline int default_protocol_dgram(int protocol)
1157 {
1158         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1159 }
1160
1161 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1162 {
1163         switch (family) {
1164         case PF_UNIX:
1165                 switch (type) {
1166                 case SOCK_STREAM:
1167                 case SOCK_SEQPACKET:
1168                         return SECCLASS_UNIX_STREAM_SOCKET;
1169                 case SOCK_DGRAM:
1170                         return SECCLASS_UNIX_DGRAM_SOCKET;
1171                 }
1172                 break;
1173         case PF_INET:
1174         case PF_INET6:
1175                 switch (type) {
1176                 case SOCK_STREAM:
1177                         if (default_protocol_stream(protocol))
1178                                 return SECCLASS_TCP_SOCKET;
1179                         else
1180                                 return SECCLASS_RAWIP_SOCKET;
1181                 case SOCK_DGRAM:
1182                         if (default_protocol_dgram(protocol))
1183                                 return SECCLASS_UDP_SOCKET;
1184                         else
1185                                 return SECCLASS_RAWIP_SOCKET;
1186                 case SOCK_DCCP:
1187                         return SECCLASS_DCCP_SOCKET;
1188                 default:
1189                         return SECCLASS_RAWIP_SOCKET;
1190                 }
1191                 break;
1192         case PF_NETLINK:
1193                 switch (protocol) {
1194                 case NETLINK_ROUTE:
1195                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1196                 case NETLINK_FIREWALL:
1197                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1198                 case NETLINK_SOCK_DIAG:
1199                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1200                 case NETLINK_NFLOG:
1201                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1202                 case NETLINK_XFRM:
1203                         return SECCLASS_NETLINK_XFRM_SOCKET;
1204                 case NETLINK_SELINUX:
1205                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1206                 case NETLINK_AUDIT:
1207                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1208                 case NETLINK_IP6_FW:
1209                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1210                 case NETLINK_DNRTMSG:
1211                         return SECCLASS_NETLINK_DNRT_SOCKET;
1212                 case NETLINK_KOBJECT_UEVENT:
1213                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1214                 default:
1215                         return SECCLASS_NETLINK_SOCKET;
1216                 }
1217         case PF_PACKET:
1218                 return SECCLASS_PACKET_SOCKET;
1219         case PF_KEY:
1220                 return SECCLASS_KEY_SOCKET;
1221         case PF_APPLETALK:
1222                 return SECCLASS_APPLETALK_SOCKET;
1223         }
1224
1225         return SECCLASS_SOCKET;
1226 }
1227
1228 #ifdef CONFIG_PROC_FS
1229 static int selinux_proc_get_sid(struct dentry *dentry,
1230                                 u16 tclass,
1231                                 u32 *sid)
1232 {
1233         int rc;
1234         char *buffer, *path;
1235
1236         buffer = (char *)__get_free_page(GFP_KERNEL);
1237         if (!buffer)
1238                 return -ENOMEM;
1239
1240         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1241         if (IS_ERR(path))
1242                 rc = PTR_ERR(path);
1243         else {
1244                 /* each process gets a /proc/PID/ entry. Strip off the
1245                  * PID part to get a valid selinux labeling.
1246                  * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1247                 while (path[1] >= '0' && path[1] <= '9') {
1248                         path[1] = '/';
1249                         path++;
1250                 }
1251                 rc = security_genfs_sid("proc", path, tclass, sid);
1252         }
1253         free_page((unsigned long)buffer);
1254         return rc;
1255 }
1256 #else
1257 static int selinux_proc_get_sid(struct dentry *dentry,
1258                                 u16 tclass,
1259                                 u32 *sid)
1260 {
1261         return -EINVAL;
1262 }
1263 #endif
1264
1265 /* The inode's security attributes must be initialized before first use. */
1266 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1267 {
1268         struct superblock_security_struct *sbsec = NULL;
1269         struct inode_security_struct *isec = inode->i_security;
1270         u32 sid;
1271         struct dentry *dentry;
1272 #define INITCONTEXTLEN 255
1273         char *context = NULL;
1274         unsigned len = 0;
1275         int rc = 0;
1276
1277         if (isec->initialized)
1278                 goto out;
1279
1280         mutex_lock(&isec->lock);
1281         if (isec->initialized)
1282                 goto out_unlock;
1283
1284         sbsec = inode->i_sb->s_security;
1285         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1286                 /* Defer initialization until selinux_complete_init,
1287                    after the initial policy is loaded and the security
1288                    server is ready to handle calls. */
1289                 spin_lock(&sbsec->isec_lock);
1290                 if (list_empty(&isec->list))
1291                         list_add(&isec->list, &sbsec->isec_head);
1292                 spin_unlock(&sbsec->isec_lock);
1293                 goto out_unlock;
1294         }
1295
1296         switch (sbsec->behavior) {
1297         case SECURITY_FS_USE_NATIVE:
1298                 break;
1299         case SECURITY_FS_USE_XATTR:
1300                 if (!inode->i_op->getxattr) {
1301                         isec->sid = sbsec->def_sid;
1302                         break;
1303                 }
1304
1305                 /* Need a dentry, since the xattr API requires one.
1306                    Life would be simpler if we could just pass the inode. */
1307                 if (opt_dentry) {
1308                         /* Called from d_instantiate or d_splice_alias. */
1309                         dentry = dget(opt_dentry);
1310                 } else {
1311                         /* Called from selinux_complete_init, try to find a dentry. */
1312                         dentry = d_find_alias(inode);
1313                 }
1314                 if (!dentry) {
1315                         /*
1316                          * this is can be hit on boot when a file is accessed
1317                          * before the policy is loaded.  When we load policy we
1318                          * may find inodes that have no dentry on the
1319                          * sbsec->isec_head list.  No reason to complain as these
1320                          * will get fixed up the next time we go through
1321                          * inode_doinit with a dentry, before these inodes could
1322                          * be used again by userspace.
1323                          */
1324                         goto out_unlock;
1325                 }
1326
1327                 len = INITCONTEXTLEN;
1328                 context = kmalloc(len+1, GFP_NOFS);
1329                 if (!context) {
1330                         rc = -ENOMEM;
1331                         dput(dentry);
1332                         goto out_unlock;
1333                 }
1334                 context[len] = '\0';
1335                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1336                                            context, len);
1337                 if (rc == -ERANGE) {
1338                         kfree(context);
1339
1340                         /* Need a larger buffer.  Query for the right size. */
1341                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1342                                                    NULL, 0);
1343                         if (rc < 0) {
1344                                 dput(dentry);
1345                                 goto out_unlock;
1346                         }
1347                         len = rc;
1348                         context = kmalloc(len+1, GFP_NOFS);
1349                         if (!context) {
1350                                 rc = -ENOMEM;
1351                                 dput(dentry);
1352                                 goto out_unlock;
1353                         }
1354                         context[len] = '\0';
1355                         rc = inode->i_op->getxattr(dentry,
1356                                                    XATTR_NAME_SELINUX,
1357                                                    context, len);
1358                 }
1359                 dput(dentry);
1360                 if (rc < 0) {
1361                         if (rc != -ENODATA) {
1362                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1363                                        "%d for dev=%s ino=%ld\n", __func__,
1364                                        -rc, inode->i_sb->s_id, inode->i_ino);
1365                                 kfree(context);
1366                                 goto out_unlock;
1367                         }
1368                         /* Map ENODATA to the default file SID */
1369                         sid = sbsec->def_sid;
1370                         rc = 0;
1371                 } else {
1372                         rc = security_context_to_sid_default(context, rc, &sid,
1373                                                              sbsec->def_sid,
1374                                                              GFP_NOFS);
1375                         if (rc) {
1376                                 char *dev = inode->i_sb->s_id;
1377                                 unsigned long ino = inode->i_ino;
1378
1379                                 if (rc == -EINVAL) {
1380                                         if (printk_ratelimit())
1381                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1382                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1383                                                         "filesystem in question.\n", ino, dev, context);
1384                                 } else {
1385                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1386                                                "returned %d for dev=%s ino=%ld\n",
1387                                                __func__, context, -rc, dev, ino);
1388                                 }
1389                                 kfree(context);
1390                                 /* Leave with the unlabeled SID */
1391                                 rc = 0;
1392                                 break;
1393                         }
1394                 }
1395                 kfree(context);
1396                 isec->sid = sid;
1397                 break;
1398         case SECURITY_FS_USE_TASK:
1399                 isec->sid = isec->task_sid;
1400                 break;
1401         case SECURITY_FS_USE_TRANS:
1402                 /* Default to the fs SID. */
1403                 isec->sid = sbsec->sid;
1404
1405                 /* Try to obtain a transition SID. */
1406                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1407                 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1408                                              isec->sclass, NULL, &sid);
1409                 if (rc)
1410                         goto out_unlock;
1411                 isec->sid = sid;
1412                 break;
1413         case SECURITY_FS_USE_MNTPOINT:
1414                 isec->sid = sbsec->mntpoint_sid;
1415                 break;
1416         default:
1417                 /* Default to the fs superblock SID. */
1418                 isec->sid = sbsec->sid;
1419
1420                 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1421                         /* We must have a dentry to determine the label on
1422                          * procfs inodes */
1423                         if (opt_dentry)
1424                                 /* Called from d_instantiate or
1425                                  * d_splice_alias. */
1426                                 dentry = dget(opt_dentry);
1427                         else
1428                                 /* Called from selinux_complete_init, try to
1429                                  * find a dentry. */
1430                                 dentry = d_find_alias(inode);
1431                         /*
1432                          * This can be hit on boot when a file is accessed
1433                          * before the policy is loaded.  When we load policy we
1434                          * may find inodes that have no dentry on the
1435                          * sbsec->isec_head list.  No reason to complain as
1436                          * these will get fixed up the next time we go through
1437                          * inode_doinit() with a dentry, before these inodes
1438                          * could be used again by userspace.
1439                          */
1440                         if (!dentry)
1441                                 goto out_unlock;
1442                         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1443                         rc = selinux_proc_get_sid(dentry, isec->sclass, &sid);
1444                         dput(dentry);
1445                         if (rc)
1446                                 goto out_unlock;
1447                         isec->sid = sid;
1448                 }
1449                 break;
1450         }
1451
1452         isec->initialized = 1;
1453
1454 out_unlock:
1455         mutex_unlock(&isec->lock);
1456 out:
1457         if (isec->sclass == SECCLASS_FILE)
1458                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1459         return rc;
1460 }
1461
1462 /* Convert a Linux signal to an access vector. */
1463 static inline u32 signal_to_av(int sig)
1464 {
1465         u32 perm = 0;
1466
1467         switch (sig) {
1468         case SIGCHLD:
1469                 /* Commonly granted from child to parent. */
1470                 perm = PROCESS__SIGCHLD;
1471                 break;
1472         case SIGKILL:
1473                 /* Cannot be caught or ignored */
1474                 perm = PROCESS__SIGKILL;
1475                 break;
1476         case SIGSTOP:
1477                 /* Cannot be caught or ignored */
1478                 perm = PROCESS__SIGSTOP;
1479                 break;
1480         default:
1481                 /* All other signals. */
1482                 perm = PROCESS__SIGNAL;
1483                 break;
1484         }
1485
1486         return perm;
1487 }
1488
1489 /*
1490  * Check permission between a pair of credentials
1491  * fork check, ptrace check, etc.
1492  */
1493 static int cred_has_perm(const struct cred *actor,
1494                          const struct cred *target,
1495                          u32 perms)
1496 {
1497         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1498
1499         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1500 }
1501
1502 /*
1503  * Check permission between a pair of tasks, e.g. signal checks,
1504  * fork check, ptrace check, etc.
1505  * tsk1 is the actor and tsk2 is the target
1506  * - this uses the default subjective creds of tsk1
1507  */
1508 static int task_has_perm(const struct task_struct *tsk1,
1509                          const struct task_struct *tsk2,
1510                          u32 perms)
1511 {
1512         const struct task_security_struct *__tsec1, *__tsec2;
1513         u32 sid1, sid2;
1514
1515         rcu_read_lock();
1516         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1517         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1518         rcu_read_unlock();
1519         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1520 }
1521
1522 /*
1523  * Check permission between current and another task, e.g. signal checks,
1524  * fork check, ptrace check, etc.
1525  * current is the actor and tsk2 is the target
1526  * - this uses current's subjective creds
1527  */
1528 static int current_has_perm(const struct task_struct *tsk,
1529                             u32 perms)
1530 {
1531         u32 sid, tsid;
1532
1533         sid = current_sid();
1534         tsid = task_sid(tsk);
1535         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1536 }
1537
1538 #if CAP_LAST_CAP > 63
1539 #error Fix SELinux to handle capabilities > 63.
1540 #endif
1541
1542 /* Check whether a task is allowed to use a capability. */
1543 static int cred_has_capability(const struct cred *cred,
1544                                int cap, int audit)
1545 {
1546         struct common_audit_data ad;
1547         struct av_decision avd;
1548         u16 sclass;
1549         u32 sid = cred_sid(cred);
1550         u32 av = CAP_TO_MASK(cap);
1551         int rc;
1552
1553         ad.type = LSM_AUDIT_DATA_CAP;
1554         ad.u.cap = cap;
1555
1556         switch (CAP_TO_INDEX(cap)) {
1557         case 0:
1558                 sclass = SECCLASS_CAPABILITY;
1559                 break;
1560         case 1:
1561                 sclass = SECCLASS_CAPABILITY2;
1562                 break;
1563         default:
1564                 printk(KERN_ERR
1565                        "SELinux:  out of range capability %d\n", cap);
1566                 BUG();
1567                 return -EINVAL;
1568         }
1569
1570         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1571         if (audit == SECURITY_CAP_AUDIT) {
1572                 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1573                 if (rc2)
1574                         return rc2;
1575         }
1576         return rc;
1577 }
1578
1579 /* Check whether a task is allowed to use a system operation. */
1580 static int task_has_system(struct task_struct *tsk,
1581                            u32 perms)
1582 {
1583         u32 sid = task_sid(tsk);
1584
1585         return avc_has_perm(sid, SECINITSID_KERNEL,
1586                             SECCLASS_SYSTEM, perms, NULL);
1587 }
1588
1589 /* Check whether a task has a particular permission to an inode.
1590    The 'adp' parameter is optional and allows other audit
1591    data to be passed (e.g. the dentry). */
1592 static int inode_has_perm(const struct cred *cred,
1593                           struct inode *inode,
1594                           u32 perms,
1595                           struct common_audit_data *adp)
1596 {
1597         struct inode_security_struct *isec;
1598         u32 sid;
1599
1600         validate_creds(cred);
1601
1602         if (unlikely(IS_PRIVATE(inode)))
1603                 return 0;
1604
1605         sid = cred_sid(cred);
1606         isec = inode->i_security;
1607
1608         return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1609 }
1610
1611 /* Same as inode_has_perm, but pass explicit audit data containing
1612    the dentry to help the auditing code to more easily generate the
1613    pathname if needed. */
1614 static inline int dentry_has_perm(const struct cred *cred,
1615                                   struct dentry *dentry,
1616                                   u32 av)
1617 {
1618         struct inode *inode = dentry->d_inode;
1619         struct common_audit_data ad;
1620
1621         ad.type = LSM_AUDIT_DATA_DENTRY;
1622         ad.u.dentry = dentry;
1623         return inode_has_perm(cred, inode, av, &ad);
1624 }
1625
1626 /* Same as inode_has_perm, but pass explicit audit data containing
1627    the path to help the auditing code to more easily generate the
1628    pathname if needed. */
1629 static inline int path_has_perm(const struct cred *cred,
1630                                 struct path *path,
1631                                 u32 av)
1632 {
1633         struct inode *inode = path->dentry->d_inode;
1634         struct common_audit_data ad;
1635
1636         ad.type = LSM_AUDIT_DATA_PATH;
1637         ad.u.path = *path;
1638         return inode_has_perm(cred, inode, av, &ad);
1639 }
1640
1641 /* Same as path_has_perm, but uses the inode from the file struct. */
1642 static inline int file_path_has_perm(const struct cred *cred,
1643                                      struct file *file,
1644                                      u32 av)
1645 {
1646         struct common_audit_data ad;
1647
1648         ad.type = LSM_AUDIT_DATA_PATH;
1649         ad.u.path = file->f_path;
1650         return inode_has_perm(cred, file_inode(file), av, &ad);
1651 }
1652
1653 /* Check whether a task can use an open file descriptor to
1654    access an inode in a given way.  Check access to the
1655    descriptor itself, and then use dentry_has_perm to
1656    check a particular permission to the file.
1657    Access to the descriptor is implicitly granted if it
1658    has the same SID as the process.  If av is zero, then
1659    access to the file is not checked, e.g. for cases
1660    where only the descriptor is affected like seek. */
1661 static int file_has_perm(const struct cred *cred,
1662                          struct file *file,
1663                          u32 av)
1664 {
1665         struct file_security_struct *fsec = file->f_security;
1666         struct inode *inode = file_inode(file);
1667         struct common_audit_data ad;
1668         u32 sid = cred_sid(cred);
1669         int rc;
1670
1671         ad.type = LSM_AUDIT_DATA_PATH;
1672         ad.u.path = file->f_path;
1673
1674         if (sid != fsec->sid) {
1675                 rc = avc_has_perm(sid, fsec->sid,
1676                                   SECCLASS_FD,
1677                                   FD__USE,
1678                                   &ad);
1679                 if (rc)
1680                         goto out;
1681         }
1682
1683         /* av is zero if only checking access to the descriptor. */
1684         rc = 0;
1685         if (av)
1686                 rc = inode_has_perm(cred, inode, av, &ad);
1687
1688 out:
1689         return rc;
1690 }
1691
1692 /* Check whether a task can create a file. */
1693 static int may_create(struct inode *dir,
1694                       struct dentry *dentry,
1695                       u16 tclass)
1696 {
1697         const struct task_security_struct *tsec = current_security();
1698         struct inode_security_struct *dsec;
1699         struct superblock_security_struct *sbsec;
1700         u32 sid, newsid;
1701         struct common_audit_data ad;
1702         int rc;
1703
1704         dsec = dir->i_security;
1705         sbsec = dir->i_sb->s_security;
1706
1707         sid = tsec->sid;
1708         newsid = tsec->create_sid;
1709
1710         ad.type = LSM_AUDIT_DATA_DENTRY;
1711         ad.u.dentry = dentry;
1712
1713         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1714                           DIR__ADD_NAME | DIR__SEARCH,
1715                           &ad);
1716         if (rc)
1717                 return rc;
1718
1719         if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
1720                 rc = security_transition_sid(sid, dsec->sid, tclass,
1721                                              &dentry->d_name, &newsid);
1722                 if (rc)
1723                         return rc;
1724         }
1725
1726         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1727         if (rc)
1728                 return rc;
1729
1730         return avc_has_perm(newsid, sbsec->sid,
1731                             SECCLASS_FILESYSTEM,
1732                             FILESYSTEM__ASSOCIATE, &ad);
1733 }
1734
1735 /* Check whether a task can create a key. */
1736 static int may_create_key(u32 ksid,
1737                           struct task_struct *ctx)
1738 {
1739         u32 sid = task_sid(ctx);
1740
1741         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1742 }
1743
1744 #define MAY_LINK        0
1745 #define MAY_UNLINK      1
1746 #define MAY_RMDIR       2
1747
1748 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1749 static int may_link(struct inode *dir,
1750                     struct dentry *dentry,
1751                     int kind)
1752
1753 {
1754         struct inode_security_struct *dsec, *isec;
1755         struct common_audit_data ad;
1756         u32 sid = current_sid();
1757         u32 av;
1758         int rc;
1759
1760         dsec = dir->i_security;
1761         isec = dentry->d_inode->i_security;
1762
1763         ad.type = LSM_AUDIT_DATA_DENTRY;
1764         ad.u.dentry = dentry;
1765
1766         av = DIR__SEARCH;
1767         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1768         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1769         if (rc)
1770                 return rc;
1771
1772         switch (kind) {
1773         case MAY_LINK:
1774                 av = FILE__LINK;
1775                 break;
1776         case MAY_UNLINK:
1777                 av = FILE__UNLINK;
1778                 break;
1779         case MAY_RMDIR:
1780                 av = DIR__RMDIR;
1781                 break;
1782         default:
1783                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1784                         __func__, kind);
1785                 return 0;
1786         }
1787
1788         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1789         return rc;
1790 }
1791
1792 static inline int may_rename(struct inode *old_dir,
1793                              struct dentry *old_dentry,
1794                              struct inode *new_dir,
1795                              struct dentry *new_dentry)
1796 {
1797         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1798         struct common_audit_data ad;
1799         u32 sid = current_sid();
1800         u32 av;
1801         int old_is_dir, new_is_dir;
1802         int rc;
1803
1804         old_dsec = old_dir->i_security;
1805         old_isec = old_dentry->d_inode->i_security;
1806         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1807         new_dsec = new_dir->i_security;
1808
1809         ad.type = LSM_AUDIT_DATA_DENTRY;
1810
1811         ad.u.dentry = old_dentry;
1812         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1813                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1814         if (rc)
1815                 return rc;
1816         rc = avc_has_perm(sid, old_isec->sid,
1817                           old_isec->sclass, FILE__RENAME, &ad);
1818         if (rc)
1819                 return rc;
1820         if (old_is_dir && new_dir != old_dir) {
1821                 rc = avc_has_perm(sid, old_isec->sid,
1822                                   old_isec->sclass, DIR__REPARENT, &ad);
1823                 if (rc)
1824                         return rc;
1825         }
1826
1827         ad.u.dentry = new_dentry;
1828         av = DIR__ADD_NAME | DIR__SEARCH;
1829         if (new_dentry->d_inode)
1830                 av |= DIR__REMOVE_NAME;
1831         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1832         if (rc)
1833                 return rc;
1834         if (new_dentry->d_inode) {
1835                 new_isec = new_dentry->d_inode->i_security;
1836                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1837                 rc = avc_has_perm(sid, new_isec->sid,
1838                                   new_isec->sclass,
1839                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1840                 if (rc)
1841                         return rc;
1842         }
1843
1844         return 0;
1845 }
1846
1847 /* Check whether a task can perform a filesystem operation. */
1848 static int superblock_has_perm(const struct cred *cred,
1849                                struct super_block *sb,
1850                                u32 perms,
1851                                struct common_audit_data *ad)
1852 {
1853         struct superblock_security_struct *sbsec;
1854         u32 sid = cred_sid(cred);
1855
1856         sbsec = sb->s_security;
1857         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1858 }
1859
1860 /* Convert a Linux mode and permission mask to an access vector. */
1861 static inline u32 file_mask_to_av(int mode, int mask)
1862 {
1863         u32 av = 0;
1864
1865         if (!S_ISDIR(mode)) {
1866                 if (mask & MAY_EXEC)
1867                         av |= FILE__EXECUTE;
1868                 if (mask & MAY_READ)
1869                         av |= FILE__READ;
1870
1871                 if (mask & MAY_APPEND)
1872                         av |= FILE__APPEND;
1873                 else if (mask & MAY_WRITE)
1874                         av |= FILE__WRITE;
1875
1876         } else {
1877                 if (mask & MAY_EXEC)
1878                         av |= DIR__SEARCH;
1879                 if (mask & MAY_WRITE)
1880                         av |= DIR__WRITE;
1881                 if (mask & MAY_READ)
1882                         av |= DIR__READ;
1883         }
1884
1885         return av;
1886 }
1887
1888 /* Convert a Linux file to an access vector. */
1889 static inline u32 file_to_av(struct file *file)
1890 {
1891         u32 av = 0;
1892
1893         if (file->f_mode & FMODE_READ)
1894                 av |= FILE__READ;
1895         if (file->f_mode & FMODE_WRITE) {
1896                 if (file->f_flags & O_APPEND)
1897                         av |= FILE__APPEND;
1898                 else
1899                         av |= FILE__WRITE;
1900         }
1901         if (!av) {
1902                 /*
1903                  * Special file opened with flags 3 for ioctl-only use.
1904                  */
1905                 av = FILE__IOCTL;
1906         }
1907
1908         return av;
1909 }
1910
1911 /*
1912  * Convert a file to an access vector and include the correct open
1913  * open permission.
1914  */
1915 static inline u32 open_file_to_av(struct file *file)
1916 {
1917         u32 av = file_to_av(file);
1918
1919         if (selinux_policycap_openperm)
1920                 av |= FILE__OPEN;
1921
1922         return av;
1923 }
1924
1925 /* Hook functions begin here. */
1926
1927 static int selinux_ptrace_access_check(struct task_struct *child,
1928                                      unsigned int mode)
1929 {
1930         int rc;
1931
1932         rc = cap_ptrace_access_check(child, mode);
1933         if (rc)
1934                 return rc;
1935
1936         if (mode & PTRACE_MODE_READ) {
1937                 u32 sid = current_sid();
1938                 u32 csid = task_sid(child);
1939                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1940         }
1941
1942         return current_has_perm(child, PROCESS__PTRACE);
1943 }
1944
1945 static int selinux_ptrace_traceme(struct task_struct *parent)
1946 {
1947         int rc;
1948
1949         rc = cap_ptrace_traceme(parent);
1950         if (rc)
1951                 return rc;
1952
1953         return task_has_perm(parent, current, PROCESS__PTRACE);
1954 }
1955
1956 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1957                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1958 {
1959         int error;
1960
1961         error = current_has_perm(target, PROCESS__GETCAP);
1962         if (error)
1963                 return error;
1964
1965         return cap_capget(target, effective, inheritable, permitted);
1966 }
1967
1968 static int selinux_capset(struct cred *new, const struct cred *old,
1969                           const kernel_cap_t *effective,
1970                           const kernel_cap_t *inheritable,
1971                           const kernel_cap_t *permitted)
1972 {
1973         int error;
1974
1975         error = cap_capset(new, old,
1976                                       effective, inheritable, permitted);
1977         if (error)
1978                 return error;
1979
1980         return cred_has_perm(old, new, PROCESS__SETCAP);
1981 }
1982
1983 /*
1984  * (This comment used to live with the selinux_task_setuid hook,
1985  * which was removed).
1986  *
1987  * Since setuid only affects the current process, and since the SELinux
1988  * controls are not based on the Linux identity attributes, SELinux does not
1989  * need to control this operation.  However, SELinux does control the use of
1990  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1991  */
1992
1993 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1994                            int cap, int audit)
1995 {
1996         int rc;
1997
1998         rc = cap_capable(cred, ns, cap, audit);
1999         if (rc)
2000                 return rc;
2001
2002         return cred_has_capability(cred, cap, audit);
2003 }
2004
2005 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2006 {
2007         const struct cred *cred = current_cred();
2008         int rc = 0;
2009
2010         if (!sb)
2011                 return 0;
2012
2013         switch (cmds) {
2014         case Q_SYNC:
2015         case Q_QUOTAON:
2016         case Q_QUOTAOFF:
2017         case Q_SETINFO:
2018         case Q_SETQUOTA:
2019                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2020                 break;
2021         case Q_GETFMT:
2022         case Q_GETINFO:
2023         case Q_GETQUOTA:
2024                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2025                 break;
2026         default:
2027                 rc = 0;  /* let the kernel handle invalid cmds */
2028                 break;
2029         }
2030         return rc;
2031 }
2032
2033 static int selinux_quota_on(struct dentry *dentry)
2034 {
2035         const struct cred *cred = current_cred();
2036
2037         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2038 }
2039
2040 static int selinux_syslog(int type)
2041 {
2042         int rc;
2043
2044         switch (type) {
2045         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
2046         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2047                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2048                 break;
2049         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2050         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
2051         /* Set level of messages printed to console */
2052         case SYSLOG_ACTION_CONSOLE_LEVEL:
2053                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2054                 break;
2055         case SYSLOG_ACTION_CLOSE:       /* Close log */
2056         case SYSLOG_ACTION_OPEN:        /* Open log */
2057         case SYSLOG_ACTION_READ:        /* Read from log */
2058         case SYSLOG_ACTION_READ_CLEAR:  /* Read/clear last kernel messages */
2059         case SYSLOG_ACTION_CLEAR:       /* Clear ring buffer */
2060         default:
2061                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2062                 break;
2063         }
2064         return rc;
2065 }
2066
2067 /*
2068  * Check that a process has enough memory to allocate a new virtual
2069  * mapping. 0 means there is enough memory for the allocation to
2070  * succeed and -ENOMEM implies there is not.
2071  *
2072  * Do not audit the selinux permission check, as this is applied to all
2073  * processes that allocate mappings.
2074  */
2075 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2076 {
2077         int rc, cap_sys_admin = 0;
2078
2079         rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
2080                              SECURITY_CAP_NOAUDIT);
2081         if (rc == 0)
2082                 cap_sys_admin = 1;
2083
2084         return __vm_enough_memory(mm, pages, cap_sys_admin);
2085 }
2086
2087 /* binprm security operations */
2088
2089 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2090 {
2091         const struct task_security_struct *old_tsec;
2092         struct task_security_struct *new_tsec;
2093         struct inode_security_struct *isec;
2094         struct common_audit_data ad;
2095         struct inode *inode = file_inode(bprm->file);
2096         int rc;
2097
2098         rc = cap_bprm_set_creds(bprm);
2099         if (rc)
2100                 return rc;
2101
2102         /* SELinux context only depends on initial program or script and not
2103          * the script interpreter */
2104         if (bprm->cred_prepared)
2105                 return 0;
2106
2107         old_tsec = current_security();
2108         new_tsec = bprm->cred->security;
2109         isec = inode->i_security;
2110
2111         /* Default to the current task SID. */
2112         new_tsec->sid = old_tsec->sid;
2113         new_tsec->osid = old_tsec->sid;
2114
2115         /* Reset fs, key, and sock SIDs on execve. */
2116         new_tsec->create_sid = 0;
2117         new_tsec->keycreate_sid = 0;
2118         new_tsec->sockcreate_sid = 0;
2119
2120         if (old_tsec->exec_sid) {
2121                 new_tsec->sid = old_tsec->exec_sid;
2122                 /* Reset exec SID on execve. */
2123                 new_tsec->exec_sid = 0;
2124
2125                 /*
2126                  * Minimize confusion: if no_new_privs and a transition is
2127                  * explicitly requested, then fail the exec.
2128                  */
2129                 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
2130                         return -EPERM;
2131         } else {
2132                 /* Check for a default transition on this program. */
2133                 rc = security_transition_sid(old_tsec->sid, isec->sid,
2134                                              SECCLASS_PROCESS, NULL,
2135                                              &new_tsec->sid);
2136                 if (rc)
2137                         return rc;
2138         }
2139
2140         ad.type = LSM_AUDIT_DATA_PATH;
2141         ad.u.path = bprm->file->f_path;
2142
2143         if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
2144             (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
2145                 new_tsec->sid = old_tsec->sid;
2146
2147         if (new_tsec->sid == old_tsec->sid) {
2148                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2149                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2150                 if (rc)
2151                         return rc;
2152         } else {
2153                 /* Check permissions for the transition. */
2154                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2155                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2156                 if (rc)
2157                         return rc;
2158
2159                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2160                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2161                 if (rc)
2162                         return rc;
2163
2164                 /* Check for shared state */
2165                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2166                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2167                                           SECCLASS_PROCESS, PROCESS__SHARE,
2168                                           NULL);
2169                         if (rc)
2170                                 return -EPERM;
2171                 }
2172
2173                 /* Make sure that anyone attempting to ptrace over a task that
2174                  * changes its SID has the appropriate permit */
2175                 if (bprm->unsafe &
2176                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2177                         struct task_struct *tracer;
2178                         struct task_security_struct *sec;
2179                         u32 ptsid = 0;
2180
2181                         rcu_read_lock();
2182                         tracer = ptrace_parent(current);
2183                         if (likely(tracer != NULL)) {
2184                                 sec = __task_cred(tracer)->security;
2185                                 ptsid = sec->sid;
2186                         }
2187                         rcu_read_unlock();
2188
2189                         if (ptsid != 0) {
2190                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2191                                                   SECCLASS_PROCESS,
2192                                                   PROCESS__PTRACE, NULL);
2193                                 if (rc)
2194                                         return -EPERM;
2195                         }
2196                 }
2197
2198                 /* Clear any possibly unsafe personality bits on exec: */
2199                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2200         }
2201
2202         return 0;
2203 }
2204
2205 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2206 {
2207         const struct task_security_struct *tsec = current_security();
2208         u32 sid, osid;
2209         int atsecure = 0;
2210
2211         sid = tsec->sid;
2212         osid = tsec->osid;
2213
2214         if (osid != sid) {
2215                 /* Enable secure mode for SIDs transitions unless
2216                    the noatsecure permission is granted between
2217                    the two SIDs, i.e. ahp returns 0. */
2218                 atsecure = avc_has_perm(osid, sid,
2219                                         SECCLASS_PROCESS,
2220                                         PROCESS__NOATSECURE, NULL);
2221         }
2222
2223         return (atsecure || cap_bprm_secureexec(bprm));
2224 }
2225
2226 static int match_file(const void *p, struct file *file, unsigned fd)
2227 {
2228         return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2229 }
2230
2231 /* Derived from fs/exec.c:flush_old_files. */
2232 static inline void flush_unauthorized_files(const struct cred *cred,
2233                                             struct files_struct *files)
2234 {
2235         struct file *file, *devnull = NULL;
2236         struct tty_struct *tty;
2237         int drop_tty = 0;
2238         unsigned n;
2239
2240         tty = get_current_tty();
2241         if (tty) {
2242                 spin_lock(&tty_files_lock);
2243                 if (!list_empty(&tty->tty_files)) {
2244                         struct tty_file_private *file_priv;
2245
2246                         /* Revalidate access to controlling tty.
2247                            Use file_path_has_perm on the tty path directly
2248                            rather than using file_has_perm, as this particular
2249                            open file may belong to another process and we are
2250                            only interested in the inode-based check here. */
2251                         file_priv = list_first_entry(&tty->tty_files,
2252                                                 struct tty_file_private, list);
2253                         file = file_priv->file;
2254                         if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2255                                 drop_tty = 1;
2256                 }
2257                 spin_unlock(&tty_files_lock);
2258                 tty_kref_put(tty);
2259         }
2260         /* Reset controlling tty. */
2261         if (drop_tty)
2262                 no_tty();
2263
2264         /* Revalidate access to inherited open files. */
2265         n = iterate_fd(files, 0, match_file, cred);
2266         if (!n) /* none found? */
2267                 return;
2268
2269         devnull = dentry_open(&selinux_null, O_RDWR, cred);
2270         if (IS_ERR(devnull))
2271                 devnull = NULL;
2272         /* replace all the matching ones with this */
2273         do {
2274                 replace_fd(n - 1, devnull, 0);
2275         } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2276         if (devnull)
2277                 fput(devnull);
2278 }
2279
2280 /*
2281  * Prepare a process for imminent new credential changes due to exec
2282  */
2283 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2284 {
2285         struct task_security_struct *new_tsec;
2286         struct rlimit *rlim, *initrlim;
2287         int rc, i;
2288
2289         new_tsec = bprm->cred->security;
2290         if (new_tsec->sid == new_tsec->osid)
2291                 return;
2292
2293         /* Close files for which the new task SID is not authorized. */
2294         flush_unauthorized_files(bprm->cred, current->files);
2295
2296         /* Always clear parent death signal on SID transitions. */
2297         current->pdeath_signal = 0;
2298
2299         /* Check whether the new SID can inherit resource limits from the old
2300          * SID.  If not, reset all soft limits to the lower of the current
2301          * task's hard limit and the init task's soft limit.
2302          *
2303          * Note that the setting of hard limits (even to lower them) can be
2304          * controlled by the setrlimit check.  The inclusion of the init task's
2305          * soft limit into the computation is to avoid resetting soft limits
2306          * higher than the default soft limit for cases where the default is
2307          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2308          */
2309         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2310                           PROCESS__RLIMITINH, NULL);
2311         if (rc) {
2312                 /* protect against do_prlimit() */
2313                 task_lock(current);
2314                 for (i = 0; i < RLIM_NLIMITS; i++) {
2315                         rlim = current->signal->rlim + i;
2316                         initrlim = init_task.signal->rlim + i;
2317                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2318                 }
2319                 task_unlock(current);
2320                 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2321         }
2322 }
2323
2324 /*
2325  * Clean up the process immediately after the installation of new credentials
2326  * due to exec
2327  */
2328 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2329 {
2330         const struct task_security_struct *tsec = current_security();
2331         struct itimerval itimer;
2332         u32 osid, sid;
2333         int rc, i;
2334
2335         osid = tsec->osid;
2336         sid = tsec->sid;
2337
2338         if (sid == osid)
2339                 return;
2340
2341         /* Check whether the new SID can inherit signal state from the old SID.
2342          * If not, clear itimers to avoid subsequent signal generation and
2343          * flush and unblock signals.
2344          *
2345          * This must occur _after_ the task SID has been updated so that any
2346          * kill done after the flush will be checked against the new SID.
2347          */
2348         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2349         if (rc) {
2350                 memset(&itimer, 0, sizeof itimer);
2351                 for (i = 0; i < 3; i++)
2352                         do_setitimer(i, &itimer, NULL);
2353                 spin_lock_irq(&current->sighand->siglock);
2354                 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2355                         __flush_signals(current);
2356                         flush_signal_handlers(current, 1);
2357                         sigemptyset(&current->blocked);
2358                 }
2359                 spin_unlock_irq(&current->sighand->siglock);
2360         }
2361
2362         /* Wake up the parent if it is waiting so that it can recheck
2363          * wait permission to the new task SID. */
2364         read_lock(&tasklist_lock);
2365         __wake_up_parent(current, current->real_parent);
2366         read_unlock(&tasklist_lock);
2367 }
2368
2369 /* superblock security operations */
2370
2371 static int selinux_sb_alloc_security(struct super_block *sb)
2372 {
2373         return superblock_alloc_security(sb);
2374 }
2375
2376 static void selinux_sb_free_security(struct super_block *sb)
2377 {
2378         superblock_free_security(sb);
2379 }
2380
2381 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2382 {
2383         if (plen > olen)
2384                 return 0;
2385
2386         return !memcmp(prefix, option, plen);
2387 }
2388
2389 static inline int selinux_option(char *option, int len)
2390 {
2391         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2392                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2393                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2394                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2395                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2396 }
2397
2398 static inline void take_option(char **to, char *from, int *first, int len)
2399 {
2400         if (!*first) {
2401                 **to = ',';
2402                 *to += 1;
2403         } else
2404                 *first = 0;
2405         memcpy(*to, from, len);
2406         *to += len;
2407 }
2408
2409 static inline void take_selinux_option(char **to, char *from, int *first,
2410                                        int len)
2411 {
2412         int current_size = 0;
2413
2414         if (!*first) {
2415                 **to = '|';
2416                 *to += 1;
2417         } else
2418                 *first = 0;
2419
2420         while (current_size < len) {
2421                 if (*from != '"') {
2422                         **to = *from;
2423                         *to += 1;
2424                 }
2425                 from += 1;
2426                 current_size += 1;
2427         }
2428 }
2429
2430 static int selinux_sb_copy_data(char *orig, char *copy)
2431 {
2432         int fnosec, fsec, rc = 0;
2433         char *in_save, *in_curr, *in_end;
2434         char *sec_curr, *nosec_save, *nosec;
2435         int open_quote = 0;
2436
2437         in_curr = orig;
2438         sec_curr = copy;
2439
2440         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2441         if (!nosec) {
2442                 rc = -ENOMEM;
2443                 goto out;
2444         }
2445
2446         nosec_save = nosec;
2447         fnosec = fsec = 1;
2448         in_save = in_end = orig;
2449
2450         do {
2451                 if (*in_end == '"')
2452                         open_quote = !open_quote;
2453                 if ((*in_end == ',' && open_quote == 0) ||
2454                                 *in_end == '\0') {
2455                         int len = in_end - in_curr;
2456
2457                         if (selinux_option(in_curr, len))
2458                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2459                         else
2460                                 take_option(&nosec, in_curr, &fnosec, len);
2461
2462                         in_curr = in_end + 1;
2463                 }
2464         } while (*in_end++);
2465
2466         strcpy(in_save, nosec_save);
2467         free_page((unsigned long)nosec_save);
2468 out:
2469         return rc;
2470 }
2471
2472 static int selinux_sb_remount(struct super_block *sb, void *data)
2473 {
2474         int rc, i, *flags;
2475         struct security_mnt_opts opts;
2476         char *secdata, **mount_options;
2477         struct superblock_security_struct *sbsec = sb->s_security;
2478
2479         if (!(sbsec->flags & SE_SBINITIALIZED))
2480                 return 0;
2481
2482         if (!data)
2483                 return 0;
2484
2485         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2486                 return 0;
2487
2488         security_init_mnt_opts(&opts);
2489         secdata = alloc_secdata();
2490         if (!secdata)
2491                 return -ENOMEM;
2492         rc = selinux_sb_copy_data(data, secdata);
2493         if (rc)
2494                 goto out_free_secdata;
2495
2496         rc = selinux_parse_opts_str(secdata, &opts);
2497         if (rc)
2498                 goto out_free_secdata;
2499
2500         mount_options = opts.mnt_opts;
2501         flags = opts.mnt_opts_flags;
2502
2503         for (i = 0; i < opts.num_mnt_opts; i++) {
2504                 u32 sid;
2505                 size_t len;
2506
2507                 if (flags[i] == SBLABEL_MNT)
2508                         continue;
2509                 len = strlen(mount_options[i]);
2510                 rc = security_context_to_sid(mount_options[i], len, &sid,
2511                                              GFP_KERNEL);
2512                 if (rc) {
2513                         printk(KERN_WARNING "SELinux: security_context_to_sid"
2514                                "(%s) failed for (dev %s, type %s) errno=%d\n",
2515                                mount_options[i], sb->s_id, sb->s_type->name, rc);
2516                         goto out_free_opts;
2517                 }
2518                 rc = -EINVAL;
2519                 switch (flags[i]) {
2520                 case FSCONTEXT_MNT:
2521                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2522                                 goto out_bad_option;
2523                         break;
2524                 case CONTEXT_MNT:
2525                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2526                                 goto out_bad_option;
2527                         break;
2528                 case ROOTCONTEXT_MNT: {
2529                         struct inode_security_struct *root_isec;
2530                         root_isec = sb->s_root->d_inode->i_security;
2531
2532                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2533                                 goto out_bad_option;
2534                         break;
2535                 }
2536                 case DEFCONTEXT_MNT:
2537                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2538                                 goto out_bad_option;
2539                         break;
2540                 default:
2541                         goto out_free_opts;
2542                 }
2543         }
2544
2545         rc = 0;
2546 out_free_opts:
2547         security_free_mnt_opts(&opts);
2548 out_free_secdata:
2549         free_secdata(secdata);
2550         return rc;
2551 out_bad_option:
2552         printk(KERN_WARNING "SELinux: unable to change security options "
2553                "during remount (dev %s, type=%s)\n", sb->s_id,
2554                sb->s_type->name);
2555         goto out_free_opts;
2556 }
2557
2558 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2559 {
2560         const struct cred *cred = current_cred();
2561         struct common_audit_data ad;
2562         int rc;
2563
2564         rc = superblock_doinit(sb, data);
2565         if (rc)
2566                 return rc;
2567
2568         /* Allow all mounts performed by the kernel */
2569         if (flags & MS_KERNMOUNT)
2570                 return 0;
2571
2572         ad.type = LSM_AUDIT_DATA_DENTRY;
2573         ad.u.dentry = sb->s_root;
2574         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2575 }
2576
2577 static int selinux_sb_statfs(struct dentry *dentry)
2578 {
2579         const struct cred *cred = current_cred();
2580         struct common_audit_data ad;
2581
2582         ad.type = LSM_AUDIT_DATA_DENTRY;
2583         ad.u.dentry = dentry->d_sb->s_root;
2584         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2585 }
2586
2587 static int selinux_mount(const char *dev_name,
2588                          struct path *path,
2589                          const char *type,
2590                          unsigned long flags,
2591                          void *data)
2592 {
2593         const struct cred *cred = current_cred();
2594
2595         if (flags & MS_REMOUNT)
2596                 return superblock_has_perm(cred, path->dentry->d_sb,
2597                                            FILESYSTEM__REMOUNT, NULL);
2598         else
2599                 return path_has_perm(cred, path, FILE__MOUNTON);
2600 }
2601
2602 static int selinux_umount(struct vfsmount *mnt, int flags)
2603 {
2604         const struct cred *cred = current_cred();
2605
2606         return superblock_has_perm(cred, mnt->mnt_sb,
2607                                    FILESYSTEM__UNMOUNT, NULL);
2608 }
2609
2610 /* inode security operations */
2611
2612 static int selinux_inode_alloc_security(struct inode *inode)
2613 {
2614         return inode_alloc_security(inode);
2615 }
2616
2617 static void selinux_inode_free_security(struct inode *inode)
2618 {
2619         inode_free_security(inode);
2620 }
2621
2622 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2623                                         struct qstr *name, void **ctx,
2624                                         u32 *ctxlen)
2625 {
2626         const struct cred *cred = current_cred();
2627         struct task_security_struct *tsec;
2628         struct inode_security_struct *dsec;
2629         struct superblock_security_struct *sbsec;
2630         struct inode *dir = dentry->d_parent->d_inode;
2631         u32 newsid;
2632         int rc;
2633
2634         tsec = cred->security;
2635         dsec = dir->i_security;
2636         sbsec = dir->i_sb->s_security;
2637
2638         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2639                 newsid = tsec->create_sid;
2640         } else {
2641                 rc = security_transition_sid(tsec->sid, dsec->sid,
2642                                              inode_mode_to_security_class(mode),
2643                                              name,
2644                                              &newsid);
2645                 if (rc) {
2646                         printk(KERN_WARNING
2647                                 "%s: security_transition_sid failed, rc=%d\n",
2648                                __func__, -rc);
2649                         return rc;
2650                 }
2651         }
2652
2653         return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2654 }
2655
2656 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2657                                        const struct qstr *qstr,
2658                                        const char **name,
2659                                        void **value, size_t *len)
2660 {
2661         const struct task_security_struct *tsec = current_security();
2662         struct inode_security_struct *dsec;
2663         struct superblock_security_struct *sbsec;
2664         u32 sid, newsid, clen;
2665         int rc;
2666         char *context;
2667
2668         dsec = dir->i_security;
2669         sbsec = dir->i_sb->s_security;
2670
2671         sid = tsec->sid;
2672         newsid = tsec->create_sid;
2673
2674         if ((sbsec->flags & SE_SBINITIALIZED) &&
2675             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2676                 newsid = sbsec->mntpoint_sid;
2677         else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
2678                 rc = security_transition_sid(sid, dsec->sid,
2679                                              inode_mode_to_security_class(inode->i_mode),
2680                                              qstr, &newsid);
2681                 if (rc) {
2682                         printk(KERN_WARNING "%s:  "
2683                                "security_transition_sid failed, rc=%d (dev=%s "
2684                                "ino=%ld)\n",
2685                                __func__,
2686                                -rc, inode->i_sb->s_id, inode->i_ino);
2687                         return rc;
2688                 }
2689         }
2690
2691         /* Possibly defer initialization to selinux_complete_init. */
2692         if (sbsec->flags & SE_SBINITIALIZED) {
2693                 struct inode_security_struct *isec = inode->i_security;
2694                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2695                 isec->sid = newsid;
2696                 isec->initialized = 1;
2697         }
2698
2699         if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2700                 return -EOPNOTSUPP;
2701
2702         if (name)
2703                 *name = XATTR_SELINUX_SUFFIX;
2704
2705         if (value && len) {
2706                 rc = security_sid_to_context_force(newsid, &context, &clen);
2707                 if (rc)
2708                         return rc;
2709                 *value = context;
2710                 *len = clen;
2711         }
2712
2713         return 0;
2714 }
2715
2716 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2717 {
2718         return may_create(dir, dentry, SECCLASS_FILE);
2719 }
2720
2721 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2722 {
2723         return may_link(dir, old_dentry, MAY_LINK);
2724 }
2725
2726 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2727 {
2728         return may_link(dir, dentry, MAY_UNLINK);
2729 }
2730
2731 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2732 {
2733         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2734 }
2735
2736 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2737 {
2738         return may_create(dir, dentry, SECCLASS_DIR);
2739 }
2740
2741 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2742 {
2743         return may_link(dir, dentry, MAY_RMDIR);
2744 }
2745
2746 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2747 {
2748         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2749 }
2750
2751 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2752                                 struct inode *new_inode, struct dentry *new_dentry)
2753 {
2754         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2755 }
2756
2757 static int selinux_inode_readlink(struct dentry *dentry)
2758 {
2759         const struct cred *cred = current_cred();
2760
2761         return dentry_has_perm(cred, dentry, FILE__READ);
2762 }
2763
2764 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2765 {
2766         const struct cred *cred = current_cred();
2767
2768         return dentry_has_perm(cred, dentry, FILE__READ);
2769 }
2770
2771 static noinline int audit_inode_permission(struct inode *inode,
2772                                            u32 perms, u32 audited, u32 denied,
2773                                            unsigned flags)
2774 {
2775         struct common_audit_data ad;
2776         struct inode_security_struct *isec = inode->i_security;
2777         int rc;
2778
2779         ad.type = LSM_AUDIT_DATA_INODE;
2780         ad.u.inode = inode;
2781
2782         rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2783                             audited, denied, &ad, flags);
2784         if (rc)
2785                 return rc;
2786         return 0;
2787 }
2788
2789 static int selinux_inode_permission(struct inode *inode, int mask)
2790 {
2791         const struct cred *cred = current_cred();
2792         u32 perms;
2793         bool from_access;
2794         unsigned flags = mask & MAY_NOT_BLOCK;
2795         struct inode_security_struct *isec;
2796         u32 sid;
2797         struct av_decision avd;
2798         int rc, rc2;
2799         u32 audited, denied;
2800
2801         from_access = mask & MAY_ACCESS;
2802         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2803
2804         /* No permission to check.  Existence test. */
2805         if (!mask)
2806                 return 0;
2807
2808         validate_creds(cred);
2809
2810         if (unlikely(IS_PRIVATE(inode)))
2811                 return 0;
2812
2813         perms = file_mask_to_av(inode->i_mode, mask);
2814
2815         sid = cred_sid(cred);
2816         isec = inode->i_security;
2817
2818         rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2819         audited = avc_audit_required(perms, &avd, rc,
2820                                      from_access ? FILE__AUDIT_ACCESS : 0,
2821                                      &denied);
2822         if (likely(!audited))
2823                 return rc;
2824
2825         rc2 = audit_inode_permission(inode, perms, audited, denied, flags);
2826         if (rc2)
2827                 return rc2;
2828         return rc;
2829 }
2830
2831 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2832 {
2833         const struct cred *cred = current_cred();
2834         unsigned int ia_valid = iattr->ia_valid;
2835         __u32 av = FILE__WRITE;
2836
2837         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2838         if (ia_valid & ATTR_FORCE) {
2839                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2840                               ATTR_FORCE);
2841                 if (!ia_valid)
2842                         return 0;
2843         }
2844
2845         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2846                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2847                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2848
2849         if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
2850                 av |= FILE__OPEN;
2851
2852         return dentry_has_perm(cred, dentry, av);
2853 }
2854
2855 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2856 {
2857         const struct cred *cred = current_cred();
2858         struct path path;
2859
2860         path.dentry = dentry;
2861         path.mnt = mnt;
2862
2863         return path_has_perm(cred, &path, FILE__GETATTR);
2864 }
2865
2866 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2867 {
2868         const struct cred *cred = current_cred();
2869
2870         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2871                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2872                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2873                         if (!capable(CAP_SETFCAP))
2874                                 return -EPERM;
2875                 } else if (!capable(CAP_SYS_ADMIN)) {
2876                         /* A different attribute in the security namespace.
2877                            Restrict to administrator. */
2878                         return -EPERM;
2879                 }
2880         }
2881
2882         /* Not an attribute we recognize, so just check the
2883            ordinary setattr permission. */
2884         return dentry_has_perm(cred, dentry, FILE__SETATTR);
2885 }
2886
2887 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2888                                   const void *value, size_t size, int flags)
2889 {
2890         struct inode *inode = dentry->d_inode;
2891         struct inode_security_struct *isec = inode->i_security;
2892         struct superblock_security_struct *sbsec;
2893         struct common_audit_data ad;
2894         u32 newsid, sid = current_sid();
2895         int rc = 0;
2896
2897         if (strcmp(name, XATTR_NAME_SELINUX))
2898                 return selinux_inode_setotherxattr(dentry, name);
2899
2900         sbsec = inode->i_sb->s_security;
2901         if (!(sbsec->flags & SBLABEL_MNT))
2902                 return -EOPNOTSUPP;
2903
2904         if (!inode_owner_or_capable(inode))
2905                 return -EPERM;
2906
2907         ad.type = LSM_AUDIT_DATA_DENTRY;
2908         ad.u.dentry = dentry;
2909
2910         rc = avc_has_perm(sid, isec->sid, isec->sclass,
2911                           FILE__RELABELFROM, &ad);
2912         if (rc)
2913                 return rc;
2914
2915         rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
2916         if (rc == -EINVAL) {
2917                 if (!capable(CAP_MAC_ADMIN)) {
2918                         struct audit_buffer *ab;
2919                         size_t audit_size;
2920                         const char *str;
2921
2922                         /* We strip a nul only if it is at the end, otherwise the
2923                          * context contains a nul and we should audit that */
2924                         if (value) {
2925                                 str = value;
2926                                 if (str[size - 1] == '\0')
2927                                         audit_size = size - 1;
2928                                 else
2929                                         audit_size = size;
2930                         } else {
2931                                 str = "";
2932                                 audit_size = 0;
2933                         }
2934                         ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2935                         audit_log_format(ab, "op=setxattr invalid_context=");
2936                         audit_log_n_untrustedstring(ab, value, audit_size);
2937                         audit_log_end(ab);
2938
2939                         return rc;
2940                 }
2941                 rc = security_context_to_sid_force(value, size, &newsid);
2942         }
2943         if (rc)
2944                 return rc;
2945
2946         rc = avc_has_perm(sid, newsid, isec->sclass,
2947                           FILE__RELABELTO, &ad);
2948         if (rc)
2949                 return rc;
2950
2951         rc = security_validate_transition(isec->sid, newsid, sid,
2952                                           isec->sclass);
2953         if (rc)
2954                 return rc;
2955
2956         return avc_has_perm(newsid,
2957                             sbsec->sid,
2958                             SECCLASS_FILESYSTEM,
2959                             FILESYSTEM__ASSOCIATE,
2960                             &ad);
2961 }
2962
2963 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2964                                         const void *value, size_t size,
2965                                         int flags)
2966 {
2967         struct inode *inode = dentry->d_inode;
2968         struct inode_security_struct *isec = inode->i_security;
2969         u32 newsid;
2970         int rc;
2971
2972         if (strcmp(name, XATTR_NAME_SELINUX)) {
2973                 /* Not an attribute we recognize, so nothing to do. */
2974                 return;
2975         }
2976
2977         rc = security_context_to_sid_force(value, size, &newsid);
2978         if (rc) {
2979                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2980                        "for (%s, %lu), rc=%d\n",
2981                        inode->i_sb->s_id, inode->i_ino, -rc);
2982                 return;
2983         }
2984
2985         isec->sclass = inode_mode_to_security_class(inode->i_mode);
2986         isec->sid = newsid;
2987         isec->initialized = 1;
2988
2989         return;
2990 }
2991
2992 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2993 {
2994         const struct cred *cred = current_cred();
2995
2996         return dentry_has_perm(cred, dentry, FILE__GETATTR);
2997 }
2998
2999 static int selinux_inode_listxattr(struct dentry *dentry)
3000 {
3001         const struct cred *cred = current_cred();
3002
3003         return dentry_has_perm(cred, dentry, FILE__GETATTR);
3004 }
3005
3006 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3007 {
3008         if (strcmp(name, XATTR_NAME_SELINUX))
3009                 return selinux_inode_setotherxattr(dentry, name);
3010
3011         /* No one is allowed to remove a SELinux security label.
3012            You can change the label, but all data must be labeled. */
3013         return -EACCES;
3014 }
3015
3016 /*
3017  * Copy the inode security context value to the user.
3018  *
3019  * Permission check is handled by selinux_inode_getxattr hook.
3020  */
3021 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
3022 {
3023         u32 size;
3024         int error;
3025         char *context = NULL;
3026         struct inode_security_struct *isec = inode->i_security;
3027
3028         if (strcmp(name, XATTR_SELINUX_SUFFIX))
3029                 return -EOPNOTSUPP;
3030
3031         /*
3032          * If the caller has CAP_MAC_ADMIN, then get the raw context
3033          * value even if it is not defined by current policy; otherwise,
3034          * use the in-core value under current policy.
3035          * Use the non-auditing forms of the permission checks since
3036          * getxattr may be called by unprivileged processes commonly
3037          * and lack of permission just means that we fall back to the
3038          * in-core context value, not a denial.
3039          */
3040         error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3041                                 SECURITY_CAP_NOAUDIT);
3042         if (!error)
3043                 error = security_sid_to_context_force(isec->sid, &context,
3044                                                       &size);
3045         else
3046                 error = security_sid_to_context(isec->sid, &context, &size);
3047         if (error)
3048                 return error;
3049         error = size;
3050         if (alloc) {
3051                 *buffer = context;
3052                 goto out_nofree;
3053         }
3054         kfree(context);
3055 out_nofree:
3056         return error;
3057 }
3058
3059 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3060                                      const void *value, size_t size, int flags)
3061 {
3062         struct inode_security_struct *isec = inode->i_security;
3063         u32 newsid;
3064         int rc;
3065
3066         if (strcmp(name, XATTR_SELINUX_SUFFIX))
3067                 return -EOPNOTSUPP;
3068
3069         if (!value || !size)
3070                 return -EACCES;
3071
3072         rc = security_context_to_sid((void *)value, size, &newsid, GFP_KERNEL);
3073         if (rc)
3074                 return rc;
3075
3076         isec->sclass = inode_mode_to_security_class(inode->i_mode);
3077         isec->sid = newsid;
3078         isec->initialized = 1;
3079         return 0;
3080 }
3081
3082 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3083 {
3084         const int len = sizeof(XATTR_NAME_SELINUX);
3085         if (buffer && len <= buffer_size)
3086                 memcpy(buffer, XATTR_NAME_SELINUX, len);
3087         return len;
3088 }
3089
3090 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3091 {
3092         struct inode_security_struct *isec = inode->i_security;
3093         *secid = isec->sid;
3094 }
3095
3096 /* file security operations */
3097
3098 static int selinux_revalidate_file_permission(struct file *file, int mask)
3099 {
3100         const struct cred *cred = current_cred();
3101         struct inode *inode = file_inode(file);
3102
3103         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3104         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3105                 mask |= MAY_APPEND;
3106
3107         return file_has_perm(cred, file,
3108                              file_mask_to_av(inode->i_mode, mask));
3109 }
3110
3111 static int selinux_file_permission(struct file *file, int mask)
3112 {
3113         struct inode *inode = file_inode(file);
3114         struct file_security_struct *fsec = file->f_security;
3115         struct inode_security_struct *isec = inode->i_security;
3116         u32 sid = current_sid();
3117
3118         if (!mask)
3119                 /* No permission to check.  Existence test. */
3120                 return 0;
3121
3122         if (sid == fsec->sid && fsec->isid == isec->sid &&
3123             fsec->pseqno == avc_policy_seqno())
3124                 /* No change since file_open check. */
3125                 return 0;
3126
3127         return selinux_revalidate_file_permission(file, mask);
3128 }
3129
3130 static int selinux_file_alloc_security(struct file *file)
3131 {
3132         return file_alloc_security(file);
3133 }
3134
3135 static void selinux_file_free_security(struct file *file)
3136 {
3137         file_free_security(file);
3138 }
3139
3140 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3141                               unsigned long arg)
3142 {
3143         const struct cred *cred = current_cred();
3144         int error = 0;
3145
3146         switch (cmd) {
3147         case FIONREAD:
3148         /* fall through */
3149         case FIBMAP:
3150         /* fall through */
3151         case FIGETBSZ:
3152         /* fall through */
3153         case FS_IOC_GETFLAGS:
3154         /* fall through */
3155         case FS_IOC_GETVERSION:
3156                 error = file_has_perm(cred, file, FILE__GETATTR);
3157                 break;
3158
3159         case FS_IOC_SETFLAGS:
3160         /* fall through */
3161         case FS_IOC_SETVERSION:
3162                 error = file_has_perm(cred, file, FILE__SETATTR);
3163                 break;
3164
3165         /* sys_ioctl() checks */
3166         case FIONBIO:
3167         /* fall through */
3168         case FIOASYNC:
3169                 error = file_has_perm(cred, file, 0);
3170                 break;
3171
3172         case KDSKBENT:
3173         case KDSKBSENT:
3174                 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3175                                             SECURITY_CAP_AUDIT);
3176                 break;
3177
3178         /* default case assumes that the command will go
3179          * to the file's ioctl() function.
3180          */
3181         default:
3182                 error = file_has_perm(cred, file, FILE__IOCTL);
3183         }
3184         return error;
3185 }
3186
3187 static int default_noexec;
3188