LSM/SELinux: Interfaces to allow FS to control mount options
[sfrench/cifs-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16  *                Paul Moore <paul.moore@hp.com>
17  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
19  *
20  *      This program is free software; you can redistribute it and/or modify
21  *      it under the terms of the GNU General Public License version 2,
22  *      as published by the Free Software Foundation.
23  */
24
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
34 #include <linux/mm.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
46 #include <linux/kd.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h>    /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h>           /* for Unix socket types */
67 #include <net/af_unix.h>        /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78
79 #include "avc.h"
80 #include "objsec.h"
81 #include "netif.h"
82 #include "netnode.h"
83 #include "xfrm.h"
84 #include "netlabel.h"
85
86 #define XATTR_SELINUX_SUFFIX "selinux"
87 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
88
89 #define NUM_SEL_MNT_OPTS 4
90
91 extern unsigned int policydb_loaded_version;
92 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
93 extern int selinux_compat_net;
94 extern struct security_operations *security_ops;
95
96 /* SECMARK reference count */
97 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
98
99 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100 int selinux_enforcing = 0;
101
102 static int __init enforcing_setup(char *str)
103 {
104         selinux_enforcing = simple_strtol(str,NULL,0);
105         return 1;
106 }
107 __setup("enforcing=", enforcing_setup);
108 #endif
109
110 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
112
113 static int __init selinux_enabled_setup(char *str)
114 {
115         selinux_enabled = simple_strtol(str, NULL, 0);
116         return 1;
117 }
118 __setup("selinux=", selinux_enabled_setup);
119 #else
120 int selinux_enabled = 1;
121 #endif
122
123 /* Original (dummy) security module. */
124 static struct security_operations *original_ops = NULL;
125
126 /* Minimal support for a secondary security module,
127    just to allow the use of the dummy or capability modules.
128    The owlsm module can alternatively be used as a secondary
129    module as long as CONFIG_OWLSM_FD is not enabled. */
130 static struct security_operations *secondary_ops = NULL;
131
132 /* Lists of inode and superblock security structures initialized
133    before the policy was loaded. */
134 static LIST_HEAD(superblock_security_head);
135 static DEFINE_SPINLOCK(sb_security_lock);
136
137 static struct kmem_cache *sel_inode_cache;
138
139 /**
140  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
141  *
142  * Description:
143  * This function checks the SECMARK reference counter to see if any SECMARK
144  * targets are currently configured, if the reference counter is greater than
145  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
146  * enabled, false (0) if SECMARK is disabled.
147  *
148  */
149 static int selinux_secmark_enabled(void)
150 {
151         return (atomic_read(&selinux_secmark_refcount) > 0);
152 }
153
154 /* Allocate and free functions for each kind of security blob. */
155
156 static int task_alloc_security(struct task_struct *task)
157 {
158         struct task_security_struct *tsec;
159
160         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
161         if (!tsec)
162                 return -ENOMEM;
163
164         tsec->task = task;
165         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
166         task->security = tsec;
167
168         return 0;
169 }
170
171 static void task_free_security(struct task_struct *task)
172 {
173         struct task_security_struct *tsec = task->security;
174         task->security = NULL;
175         kfree(tsec);
176 }
177
178 static int inode_alloc_security(struct inode *inode)
179 {
180         struct task_security_struct *tsec = current->security;
181         struct inode_security_struct *isec;
182
183         isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
184         if (!isec)
185                 return -ENOMEM;
186
187         mutex_init(&isec->lock);
188         INIT_LIST_HEAD(&isec->list);
189         isec->inode = inode;
190         isec->sid = SECINITSID_UNLABELED;
191         isec->sclass = SECCLASS_FILE;
192         isec->task_sid = tsec->sid;
193         inode->i_security = isec;
194
195         return 0;
196 }
197
198 static void inode_free_security(struct inode *inode)
199 {
200         struct inode_security_struct *isec = inode->i_security;
201         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
202
203         spin_lock(&sbsec->isec_lock);
204         if (!list_empty(&isec->list))
205                 list_del_init(&isec->list);
206         spin_unlock(&sbsec->isec_lock);
207
208         inode->i_security = NULL;
209         kmem_cache_free(sel_inode_cache, isec);
210 }
211
212 static int file_alloc_security(struct file *file)
213 {
214         struct task_security_struct *tsec = current->security;
215         struct file_security_struct *fsec;
216
217         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
218         if (!fsec)
219                 return -ENOMEM;
220
221         fsec->file = file;
222         fsec->sid = tsec->sid;
223         fsec->fown_sid = tsec->sid;
224         file->f_security = fsec;
225
226         return 0;
227 }
228
229 static void file_free_security(struct file *file)
230 {
231         struct file_security_struct *fsec = file->f_security;
232         file->f_security = NULL;
233         kfree(fsec);
234 }
235
236 static int superblock_alloc_security(struct super_block *sb)
237 {
238         struct superblock_security_struct *sbsec;
239
240         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
241         if (!sbsec)
242                 return -ENOMEM;
243
244         mutex_init(&sbsec->lock);
245         INIT_LIST_HEAD(&sbsec->list);
246         INIT_LIST_HEAD(&sbsec->isec_head);
247         spin_lock_init(&sbsec->isec_lock);
248         sbsec->sb = sb;
249         sbsec->sid = SECINITSID_UNLABELED;
250         sbsec->def_sid = SECINITSID_FILE;
251         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
252         sb->s_security = sbsec;
253
254         return 0;
255 }
256
257 static void superblock_free_security(struct super_block *sb)
258 {
259         struct superblock_security_struct *sbsec = sb->s_security;
260
261         spin_lock(&sb_security_lock);
262         if (!list_empty(&sbsec->list))
263                 list_del_init(&sbsec->list);
264         spin_unlock(&sb_security_lock);
265
266         sb->s_security = NULL;
267         kfree(sbsec);
268 }
269
270 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
271 {
272         struct sk_security_struct *ssec;
273
274         ssec = kzalloc(sizeof(*ssec), priority);
275         if (!ssec)
276                 return -ENOMEM;
277
278         ssec->sk = sk;
279         ssec->peer_sid = SECINITSID_UNLABELED;
280         ssec->sid = SECINITSID_UNLABELED;
281         sk->sk_security = ssec;
282
283         selinux_netlbl_sk_security_init(ssec, family);
284
285         return 0;
286 }
287
288 static void sk_free_security(struct sock *sk)
289 {
290         struct sk_security_struct *ssec = sk->sk_security;
291
292         sk->sk_security = NULL;
293         kfree(ssec);
294 }
295
296 /* The security server must be initialized before
297    any labeling or access decisions can be provided. */
298 extern int ss_initialized;
299
300 /* The file system's label must be initialized prior to use. */
301
302 static char *labeling_behaviors[6] = {
303         "uses xattr",
304         "uses transition SIDs",
305         "uses task SIDs",
306         "uses genfs_contexts",
307         "not configured for labeling",
308         "uses mountpoint labeling",
309 };
310
311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
312
313 static inline int inode_doinit(struct inode *inode)
314 {
315         return inode_doinit_with_dentry(inode, NULL);
316 }
317
318 enum {
319         Opt_error = -1,
320         Opt_context = 1,
321         Opt_fscontext = 2,
322         Opt_defcontext = 3,
323         Opt_rootcontext = 4,
324 };
325
326 static match_table_t tokens = {
327         {Opt_context, "context=%s"},
328         {Opt_fscontext, "fscontext=%s"},
329         {Opt_defcontext, "defcontext=%s"},
330         {Opt_rootcontext, "rootcontext=%s"},
331         {Opt_error, NULL},
332 };
333
334 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
335
336 static int may_context_mount_sb_relabel(u32 sid,
337                         struct superblock_security_struct *sbsec,
338                         struct task_security_struct *tsec)
339 {
340         int rc;
341
342         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
343                           FILESYSTEM__RELABELFROM, NULL);
344         if (rc)
345                 return rc;
346
347         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
348                           FILESYSTEM__RELABELTO, NULL);
349         return rc;
350 }
351
352 static int may_context_mount_inode_relabel(u32 sid,
353                         struct superblock_security_struct *sbsec,
354                         struct task_security_struct *tsec)
355 {
356         int rc;
357         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358                           FILESYSTEM__RELABELFROM, NULL);
359         if (rc)
360                 return rc;
361
362         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
363                           FILESYSTEM__ASSOCIATE, NULL);
364         return rc;
365 }
366
367 static int sb_finish_set_opts(struct super_block *sb)
368 {
369         struct superblock_security_struct *sbsec = sb->s_security;
370         struct dentry *root = sb->s_root;
371         struct inode *root_inode = root->d_inode;
372         int rc = 0;
373
374         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
375                 /* Make sure that the xattr handler exists and that no
376                    error other than -ENODATA is returned by getxattr on
377                    the root directory.  -ENODATA is ok, as this may be
378                    the first boot of the SELinux kernel before we have
379                    assigned xattr values to the filesystem. */
380                 if (!root_inode->i_op->getxattr) {
381                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
382                                "xattr support\n", sb->s_id, sb->s_type->name);
383                         rc = -EOPNOTSUPP;
384                         goto out;
385                 }
386                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
387                 if (rc < 0 && rc != -ENODATA) {
388                         if (rc == -EOPNOTSUPP)
389                                 printk(KERN_WARNING "SELinux: (dev %s, type "
390                                        "%s) has no security xattr handler\n",
391                                        sb->s_id, sb->s_type->name);
392                         else
393                                 printk(KERN_WARNING "SELinux: (dev %s, type "
394                                        "%s) getxattr errno %d\n", sb->s_id,
395                                        sb->s_type->name, -rc);
396                         goto out;
397                 }
398         }
399
400         sbsec->initialized = 1;
401
402         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
404                        sb->s_id, sb->s_type->name);
405         else
406                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
407                        sb->s_id, sb->s_type->name,
408                        labeling_behaviors[sbsec->behavior-1]);
409
410         /* Initialize the root inode. */
411         rc = inode_doinit_with_dentry(root_inode, root);
412
413         /* Initialize any other inodes associated with the superblock, e.g.
414            inodes created prior to initial policy load or inodes created
415            during get_sb by a pseudo filesystem that directly
416            populates itself. */
417         spin_lock(&sbsec->isec_lock);
418 next_inode:
419         if (!list_empty(&sbsec->isec_head)) {
420                 struct inode_security_struct *isec =
421                                 list_entry(sbsec->isec_head.next,
422                                            struct inode_security_struct, list);
423                 struct inode *inode = isec->inode;
424                 spin_unlock(&sbsec->isec_lock);
425                 inode = igrab(inode);
426                 if (inode) {
427                         if (!IS_PRIVATE(inode))
428                                 inode_doinit(inode);
429                         iput(inode);
430                 }
431                 spin_lock(&sbsec->isec_lock);
432                 list_del_init(&isec->list);
433                 goto next_inode;
434         }
435         spin_unlock(&sbsec->isec_lock);
436 out:
437         return rc;
438 }
439
440 /*
441  * This function should allow an FS to ask what it's mount security
442  * options were so it can use those later for submounts, displaying
443  * mount options, or whatever.
444  */
445 static int selinux_get_mnt_opts(const struct super_block *sb,
446                                 struct security_mnt_opts *opts)
447 {
448         int rc = 0, i;
449         struct superblock_security_struct *sbsec = sb->s_security;
450         char *context = NULL;
451         u32 len;
452         char tmp;
453
454         security_init_mnt_opts(opts);
455
456         if (!sbsec->initialized)
457                 return -EINVAL;
458
459         if (!ss_initialized)
460                 return -EINVAL;
461
462         /*
463          * if we ever use sbsec flags for anything other than tracking mount
464          * settings this is going to need a mask
465          */
466         tmp = sbsec->flags;
467         /* count the number of mount options for this sb */
468         for (i = 0; i < 8; i++) {
469                 if (tmp & 0x01)
470                         opts->num_mnt_opts++;
471                 tmp >>= 1;
472         }
473
474         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
475         if (!opts->mnt_opts) {
476                 rc = -ENOMEM;
477                 goto out_free;
478         }
479
480         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
481         if (!opts->mnt_opts_flags) {
482                 rc = -ENOMEM;
483                 goto out_free;
484         }
485
486         i = 0;
487         if (sbsec->flags & FSCONTEXT_MNT) {
488                 rc = security_sid_to_context(sbsec->sid, &context, &len);
489                 if (rc)
490                         goto out_free;
491                 opts->mnt_opts[i] = context;
492                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
493         }
494         if (sbsec->flags & CONTEXT_MNT) {
495                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
496                 if (rc)
497                         goto out_free;
498                 opts->mnt_opts[i] = context;
499                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
500         }
501         if (sbsec->flags & DEFCONTEXT_MNT) {
502                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
503                 if (rc)
504                         goto out_free;
505                 opts->mnt_opts[i] = context;
506                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
507         }
508         if (sbsec->flags & ROOTCONTEXT_MNT) {
509                 struct inode *root = sbsec->sb->s_root->d_inode;
510                 struct inode_security_struct *isec = root->i_security;
511
512                 rc = security_sid_to_context(isec->sid, &context, &len);
513                 if (rc)
514                         goto out_free;
515                 opts->mnt_opts[i] = context;
516                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
517         }
518
519         BUG_ON(i != opts->num_mnt_opts);
520
521         return 0;
522
523 out_free:
524         security_free_mnt_opts(opts);
525         return rc;
526 }
527
528 static int bad_option(struct superblock_security_struct *sbsec, char flag,
529                       u32 old_sid, u32 new_sid)
530 {
531         /* check if the old mount command had the same options */
532         if (sbsec->initialized)
533                 if (!(sbsec->flags & flag) ||
534                     (old_sid != new_sid))
535                         return 1;
536
537         /* check if we were passed the same options twice,
538          * aka someone passed context=a,context=b
539          */
540         if (!sbsec->initialized)
541                 if (sbsec->flags & flag)
542                         return 1;
543         return 0;
544 }
545
546 /*
547  * Allow filesystems with binary mount data to explicitly set mount point
548  * labeling information.
549  */
550 static int selinux_set_mnt_opts(struct super_block *sb,
551                                 struct security_mnt_opts *opts)
552 {
553         int rc = 0, i;
554         struct task_security_struct *tsec = current->security;
555         struct superblock_security_struct *sbsec = sb->s_security;
556         const char *name = sb->s_type->name;
557         struct inode *inode = sbsec->sb->s_root->d_inode;
558         struct inode_security_struct *root_isec = inode->i_security;
559         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
560         u32 defcontext_sid = 0;
561         char **mount_options = opts->mnt_opts;
562         int *flags = opts->mnt_opts_flags;
563         int num_opts = opts->num_mnt_opts;
564
565         mutex_lock(&sbsec->lock);
566
567         if (!ss_initialized) {
568                 if (!num_opts) {
569                         /* Defer initialization until selinux_complete_init,
570                            after the initial policy is loaded and the security
571                            server is ready to handle calls. */
572                         spin_lock(&sb_security_lock);
573                         if (list_empty(&sbsec->list))
574                                 list_add(&sbsec->list, &superblock_security_head);
575                         spin_unlock(&sb_security_lock);
576                         goto out;
577                 }
578                 rc = -EINVAL;
579                 printk(KERN_WARNING "Unable to set superblock options before "
580                        "the security server is initialized\n");
581                 goto out;
582         }
583
584         /*
585          * Binary mount data FS will come through this function twice.  Once
586          * from an explicit call and once from the generic calls from the vfs.
587          * Since the generic VFS calls will not contain any security mount data
588          * we need to skip the double mount verification.
589          *
590          * This does open a hole in which we will not notice if the first
591          * mount using this sb set explict options and a second mount using
592          * this sb does not set any security options.  (The first options
593          * will be used for both mounts)
594          */
595         if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
596             && (num_opts == 0))
597                 goto out;
598
599         /*
600          * parse the mount options, check if they are valid sids.
601          * also check if someone is trying to mount the same sb more
602          * than once with different security options.
603          */
604         for (i = 0; i < num_opts; i++) {
605                 u32 sid;
606                 rc = security_context_to_sid(mount_options[i],
607                                              strlen(mount_options[i]), &sid);
608                 if (rc) {
609                         printk(KERN_WARNING "SELinux: security_context_to_sid"
610                                "(%s) failed for (dev %s, type %s) errno=%d\n",
611                                mount_options[i], sb->s_id, name, rc);
612                         goto out;
613                 }
614                 switch (flags[i]) {
615                 case FSCONTEXT_MNT:
616                         fscontext_sid = sid;
617
618                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
619                                         fscontext_sid))
620                                 goto out_double_mount;
621
622                         sbsec->flags |= FSCONTEXT_MNT;
623                         break;
624                 case CONTEXT_MNT:
625                         context_sid = sid;
626
627                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
628                                         context_sid))
629                                 goto out_double_mount;
630
631                         sbsec->flags |= CONTEXT_MNT;
632                         break;
633                 case ROOTCONTEXT_MNT:
634                         rootcontext_sid = sid;
635
636                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
637                                         rootcontext_sid))
638                                 goto out_double_mount;
639
640                         sbsec->flags |= ROOTCONTEXT_MNT;
641
642                         break;
643                 case DEFCONTEXT_MNT:
644                         defcontext_sid = sid;
645
646                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
647                                         defcontext_sid))
648                                 goto out_double_mount;
649
650                         sbsec->flags |= DEFCONTEXT_MNT;
651
652                         break;
653                 default:
654                         rc = -EINVAL;
655                         goto out;
656                 }
657         }
658
659         if (sbsec->initialized) {
660                 /* previously mounted with options, but not on this attempt? */
661                 if (sbsec->flags && !num_opts)
662                         goto out_double_mount;
663                 rc = 0;
664                 goto out;
665         }
666
667         if (strcmp(sb->s_type->name, "proc") == 0)
668                 sbsec->proc = 1;
669
670         /* Determine the labeling behavior to use for this filesystem type. */
671         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
672         if (rc) {
673                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
674                        __FUNCTION__, sb->s_type->name, rc);
675                 goto out;
676         }
677
678         /* sets the context of the superblock for the fs being mounted. */
679         if (fscontext_sid) {
680
681                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
682                 if (rc)
683                         goto out;
684
685                 sbsec->sid = fscontext_sid;
686         }
687
688         /*
689          * Switch to using mount point labeling behavior.
690          * sets the label used on all file below the mountpoint, and will set
691          * the superblock context if not already set.
692          */
693         if (context_sid) {
694                 if (!fscontext_sid) {
695                         rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
696                         if (rc)
697                                 goto out;
698                         sbsec->sid = context_sid;
699                 } else {
700                         rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
701                         if (rc)
702                                 goto out;
703                 }
704                 if (!rootcontext_sid)
705                         rootcontext_sid = context_sid;
706
707                 sbsec->mntpoint_sid = context_sid;
708                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
709         }
710
711         if (rootcontext_sid) {
712                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
713                 if (rc)
714                         goto out;
715
716                 root_isec->sid = rootcontext_sid;
717                 root_isec->initialized = 1;
718         }
719
720         if (defcontext_sid) {
721                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
722                         rc = -EINVAL;
723                         printk(KERN_WARNING "SELinux: defcontext option is "
724                                "invalid for this filesystem type\n");
725                         goto out;
726                 }
727
728                 if (defcontext_sid != sbsec->def_sid) {
729                         rc = may_context_mount_inode_relabel(defcontext_sid,
730                                                              sbsec, tsec);
731                         if (rc)
732                                 goto out;
733                 }
734
735                 sbsec->def_sid = defcontext_sid;
736         }
737
738         rc = sb_finish_set_opts(sb);
739 out:
740         mutex_unlock(&sbsec->lock);
741         return rc;
742 out_double_mount:
743         rc = -EINVAL;
744         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
745                "security settings for (dev %s, type %s)\n", sb->s_id, name);
746         goto out;
747 }
748
749 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
750                                         struct super_block *newsb)
751 {
752         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
753         struct superblock_security_struct *newsbsec = newsb->s_security;
754
755         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
756         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
757         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
758
759         /* we can't error, we can't save the info, this shouldn't get called
760          * this early in the boot process. */
761         BUG_ON(!ss_initialized);
762
763         /* this might go away sometime down the line if there is a new user
764          * of clone, but for now, nfs better not get here... */
765         BUG_ON(newsbsec->initialized);
766
767         /* how can we clone if the old one wasn't set up?? */
768         BUG_ON(!oldsbsec->initialized);
769
770         mutex_lock(&newsbsec->lock);
771
772         newsbsec->flags = oldsbsec->flags;
773
774         newsbsec->sid = oldsbsec->sid;
775         newsbsec->def_sid = oldsbsec->def_sid;
776         newsbsec->behavior = oldsbsec->behavior;
777
778         if (set_context) {
779                 u32 sid = oldsbsec->mntpoint_sid;
780
781                 if (!set_fscontext)
782                         newsbsec->sid = sid;
783                 if (!set_rootcontext) {
784                         struct inode *newinode = newsb->s_root->d_inode;
785                         struct inode_security_struct *newisec = newinode->i_security;
786                         newisec->sid = sid;
787                 }
788                 newsbsec->mntpoint_sid = sid;
789         }
790         if (set_rootcontext) {
791                 const struct inode *oldinode = oldsb->s_root->d_inode;
792                 const struct inode_security_struct *oldisec = oldinode->i_security;
793                 struct inode *newinode = newsb->s_root->d_inode;
794                 struct inode_security_struct *newisec = newinode->i_security;
795
796                 newisec->sid = oldisec->sid;
797         }
798
799         sb_finish_set_opts(newsb);
800         mutex_unlock(&newsbsec->lock);
801 }
802
803 int selinux_parse_opts_str(char *options, struct security_mnt_opts *opts)
804 {
805         char *p;
806         char *context = NULL, *defcontext = NULL;
807         char *fscontext = NULL, *rootcontext = NULL;
808         int rc, num_mnt_opts = 0;
809
810         opts->num_mnt_opts = 0;
811
812         /* Standard string-based options. */
813         while ((p = strsep(&options, "|")) != NULL) {
814                 int token;
815                 substring_t args[MAX_OPT_ARGS];
816
817                 if (!*p)
818                         continue;
819
820                 token = match_token(p, tokens, args);
821
822                 switch (token) {
823                 case Opt_context:
824                         if (context || defcontext) {
825                                 rc = -EINVAL;
826                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
827                                 goto out_err;
828                         }
829                         context = match_strdup(&args[0]);
830                         if (!context) {
831                                 rc = -ENOMEM;
832                                 goto out_err;
833                         }
834                         break;
835
836                 case Opt_fscontext:
837                         if (fscontext) {
838                                 rc = -EINVAL;
839                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
840                                 goto out_err;
841                         }
842                         fscontext = match_strdup(&args[0]);
843                         if (!fscontext) {
844                                 rc = -ENOMEM;
845                                 goto out_err;
846                         }
847                         break;
848
849                 case Opt_rootcontext:
850                         if (rootcontext) {
851                                 rc = -EINVAL;
852                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
853                                 goto out_err;
854                         }
855                         rootcontext = match_strdup(&args[0]);
856                         if (!rootcontext) {
857                                 rc = -ENOMEM;
858                                 goto out_err;
859                         }
860                         break;
861
862                 case Opt_defcontext:
863                         if (context || defcontext) {
864                                 rc = -EINVAL;
865                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
866                                 goto out_err;
867                         }
868                         defcontext = match_strdup(&args[0]);
869                         if (!defcontext) {
870                                 rc = -ENOMEM;
871                                 goto out_err;
872                         }
873                         break;
874
875                 default:
876                         rc = -EINVAL;
877                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
878                         goto out_err;
879
880                 }
881         }
882
883         rc = -ENOMEM;
884         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
885         if (!opts->mnt_opts)
886                 goto out_err;
887
888         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
889         if (!opts->mnt_opts_flags) {
890                 kfree(opts->mnt_opts);
891                 goto out_err;
892         }
893
894         if (fscontext) {
895                 opts->mnt_opts[num_mnt_opts] = fscontext;
896                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
897         }
898         if (context) {
899                 opts->mnt_opts[num_mnt_opts] = context;
900                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
901         }
902         if (rootcontext) {
903                 opts->mnt_opts[num_mnt_opts] = rootcontext;
904                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
905         }
906         if (defcontext) {
907                 opts->mnt_opts[num_mnt_opts] = defcontext;
908                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
909         }
910
911         opts->num_mnt_opts = num_mnt_opts;
912         return 0;
913
914 out_err:
915         kfree(context);
916         kfree(defcontext);
917         kfree(fscontext);
918         kfree(rootcontext);
919         return rc;
920 }
921 /*
922  * string mount options parsing and call set the sbsec
923  */
924 static int superblock_doinit(struct super_block *sb, void *data)
925 {
926         int rc = 0;
927         char *options = data;
928         struct security_mnt_opts opts;
929
930         security_init_mnt_opts(&opts);
931
932         if (!data)
933                 goto out;
934
935         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
936
937         rc = selinux_parse_opts_str(options, &opts);
938         if (rc)
939                 goto out_err;
940
941 out:
942         rc = selinux_set_mnt_opts(sb, &opts);
943
944 out_err:
945         security_free_mnt_opts(&opts);
946         return rc;
947 }
948
949 static inline u16 inode_mode_to_security_class(umode_t mode)
950 {
951         switch (mode & S_IFMT) {
952         case S_IFSOCK:
953                 return SECCLASS_SOCK_FILE;
954         case S_IFLNK:
955                 return SECCLASS_LNK_FILE;
956         case S_IFREG:
957                 return SECCLASS_FILE;
958         case S_IFBLK:
959                 return SECCLASS_BLK_FILE;
960         case S_IFDIR:
961                 return SECCLASS_DIR;
962         case S_IFCHR:
963                 return SECCLASS_CHR_FILE;
964         case S_IFIFO:
965                 return SECCLASS_FIFO_FILE;
966
967         }
968
969         return SECCLASS_FILE;
970 }
971
972 static inline int default_protocol_stream(int protocol)
973 {
974         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
975 }
976
977 static inline int default_protocol_dgram(int protocol)
978 {
979         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
980 }
981
982 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
983 {
984         switch (family) {
985         case PF_UNIX:
986                 switch (type) {
987                 case SOCK_STREAM:
988                 case SOCK_SEQPACKET:
989                         return SECCLASS_UNIX_STREAM_SOCKET;
990                 case SOCK_DGRAM:
991                         return SECCLASS_UNIX_DGRAM_SOCKET;
992                 }
993                 break;
994         case PF_INET:
995         case PF_INET6:
996                 switch (type) {
997                 case SOCK_STREAM:
998                         if (default_protocol_stream(protocol))
999                                 return SECCLASS_TCP_SOCKET;
1000                         else
1001                                 return SECCLASS_RAWIP_SOCKET;
1002                 case SOCK_DGRAM:
1003                         if (default_protocol_dgram(protocol))
1004                                 return SECCLASS_UDP_SOCKET;
1005                         else
1006                                 return SECCLASS_RAWIP_SOCKET;
1007                 case SOCK_DCCP:
1008                         return SECCLASS_DCCP_SOCKET;
1009                 default:
1010                         return SECCLASS_RAWIP_SOCKET;
1011                 }
1012                 break;
1013         case PF_NETLINK:
1014                 switch (protocol) {
1015                 case NETLINK_ROUTE:
1016                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1017                 case NETLINK_FIREWALL:
1018                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1019                 case NETLINK_INET_DIAG:
1020                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1021                 case NETLINK_NFLOG:
1022                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1023                 case NETLINK_XFRM:
1024                         return SECCLASS_NETLINK_XFRM_SOCKET;
1025                 case NETLINK_SELINUX:
1026                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1027                 case NETLINK_AUDIT:
1028                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1029                 case NETLINK_IP6_FW:
1030                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1031                 case NETLINK_DNRTMSG:
1032                         return SECCLASS_NETLINK_DNRT_SOCKET;
1033                 case NETLINK_KOBJECT_UEVENT:
1034                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1035                 default:
1036                         return SECCLASS_NETLINK_SOCKET;
1037                 }
1038         case PF_PACKET:
1039                 return SECCLASS_PACKET_SOCKET;
1040         case PF_KEY:
1041                 return SECCLASS_KEY_SOCKET;
1042         case PF_APPLETALK:
1043                 return SECCLASS_APPLETALK_SOCKET;
1044         }
1045
1046         return SECCLASS_SOCKET;
1047 }
1048
1049 #ifdef CONFIG_PROC_FS
1050 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1051                                 u16 tclass,
1052                                 u32 *sid)
1053 {
1054         int buflen, rc;
1055         char *buffer, *path, *end;
1056
1057         buffer = (char*)__get_free_page(GFP_KERNEL);
1058         if (!buffer)
1059                 return -ENOMEM;
1060
1061         buflen = PAGE_SIZE;
1062         end = buffer+buflen;
1063         *--end = '\0';
1064         buflen--;
1065         path = end-1;
1066         *path = '/';
1067         while (de && de != de->parent) {
1068                 buflen -= de->namelen + 1;
1069                 if (buflen < 0)
1070                         break;
1071                 end -= de->namelen;
1072                 memcpy(end, de->name, de->namelen);
1073                 *--end = '/';
1074                 path = end;
1075                 de = de->parent;
1076         }
1077         rc = security_genfs_sid("proc", path, tclass, sid);
1078         free_page((unsigned long)buffer);
1079         return rc;
1080 }
1081 #else
1082 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1083                                 u16 tclass,
1084                                 u32 *sid)
1085 {
1086         return -EINVAL;
1087 }
1088 #endif
1089
1090 /* The inode's security attributes must be initialized before first use. */
1091 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1092 {
1093         struct superblock_security_struct *sbsec = NULL;
1094         struct inode_security_struct *isec = inode->i_security;
1095         u32 sid;
1096         struct dentry *dentry;
1097 #define INITCONTEXTLEN 255
1098         char *context = NULL;
1099         unsigned len = 0;
1100         int rc = 0;
1101
1102         if (isec->initialized)
1103                 goto out;
1104
1105         mutex_lock(&isec->lock);
1106         if (isec->initialized)
1107                 goto out_unlock;
1108
1109         sbsec = inode->i_sb->s_security;
1110         if (!sbsec->initialized) {
1111                 /* Defer initialization until selinux_complete_init,
1112                    after the initial policy is loaded and the security
1113                    server is ready to handle calls. */
1114                 spin_lock(&sbsec->isec_lock);
1115                 if (list_empty(&isec->list))
1116                         list_add(&isec->list, &sbsec->isec_head);
1117                 spin_unlock(&sbsec->isec_lock);
1118                 goto out_unlock;
1119         }
1120
1121         switch (sbsec->behavior) {
1122         case SECURITY_FS_USE_XATTR:
1123                 if (!inode->i_op->getxattr) {
1124                         isec->sid = sbsec->def_sid;
1125                         break;
1126                 }
1127
1128                 /* Need a dentry, since the xattr API requires one.
1129                    Life would be simpler if we could just pass the inode. */
1130                 if (opt_dentry) {
1131                         /* Called from d_instantiate or d_splice_alias. */
1132                         dentry = dget(opt_dentry);
1133                 } else {
1134                         /* Called from selinux_complete_init, try to find a dentry. */
1135                         dentry = d_find_alias(inode);
1136                 }
1137                 if (!dentry) {
1138                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
1139                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1140                                inode->i_ino);
1141                         goto out_unlock;
1142                 }
1143
1144                 len = INITCONTEXTLEN;
1145                 context = kmalloc(len, GFP_KERNEL);
1146                 if (!context) {
1147                         rc = -ENOMEM;
1148                         dput(dentry);
1149                         goto out_unlock;
1150                 }
1151                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1152                                            context, len);
1153                 if (rc == -ERANGE) {
1154                         /* Need a larger buffer.  Query for the right size. */
1155                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1156                                                    NULL, 0);
1157                         if (rc < 0) {
1158                                 dput(dentry);
1159                                 goto out_unlock;
1160                         }
1161                         kfree(context);
1162                         len = rc;
1163                         context = kmalloc(len, GFP_KERNEL);
1164                         if (!context) {
1165                                 rc = -ENOMEM;
1166                                 dput(dentry);
1167                                 goto out_unlock;
1168                         }
1169                         rc = inode->i_op->getxattr(dentry,
1170                                                    XATTR_NAME_SELINUX,
1171                                                    context, len);
1172                 }
1173                 dput(dentry);
1174                 if (rc < 0) {
1175                         if (rc != -ENODATA) {
1176                                 printk(KERN_WARNING "%s:  getxattr returned "
1177                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
1178                                        -rc, inode->i_sb->s_id, inode->i_ino);
1179                                 kfree(context);
1180                                 goto out_unlock;
1181                         }
1182                         /* Map ENODATA to the default file SID */
1183                         sid = sbsec->def_sid;
1184                         rc = 0;
1185                 } else {
1186                         rc = security_context_to_sid_default(context, rc, &sid,
1187                                                              sbsec->def_sid);
1188                         if (rc) {
1189                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
1190                                        "returned %d for dev=%s ino=%ld\n",
1191                                        __FUNCTION__, context, -rc,
1192                                        inode->i_sb->s_id, inode->i_ino);
1193                                 kfree(context);
1194                                 /* Leave with the unlabeled SID */
1195                                 rc = 0;
1196                                 break;
1197                         }
1198                 }
1199                 kfree(context);
1200                 isec->sid = sid;
1201                 break;
1202         case SECURITY_FS_USE_TASK:
1203                 isec->sid = isec->task_sid;
1204                 break;
1205         case SECURITY_FS_USE_TRANS:
1206                 /* Default to the fs SID. */
1207                 isec->sid = sbsec->sid;
1208
1209                 /* Try to obtain a transition SID. */
1210                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1211                 rc = security_transition_sid(isec->task_sid,
1212                                              sbsec->sid,
1213                                              isec->sclass,
1214                                              &sid);
1215                 if (rc)
1216                         goto out_unlock;
1217                 isec->sid = sid;
1218                 break;
1219         case SECURITY_FS_USE_MNTPOINT:
1220                 isec->sid = sbsec->mntpoint_sid;
1221                 break;
1222         default:
1223                 /* Default to the fs superblock SID. */
1224                 isec->sid = sbsec->sid;
1225
1226                 if (sbsec->proc) {
1227                         struct proc_inode *proci = PROC_I(inode);
1228                         if (proci->pde) {
1229                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1230                                 rc = selinux_proc_get_sid(proci->pde,
1231                                                           isec->sclass,
1232                                                           &sid);
1233                                 if (rc)
1234                                         goto out_unlock;
1235                                 isec->sid = sid;
1236                         }
1237                 }
1238                 break;
1239         }
1240
1241         isec->initialized = 1;
1242
1243 out_unlock:
1244         mutex_unlock(&isec->lock);
1245 out:
1246         if (isec->sclass == SECCLASS_FILE)
1247                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1248         return rc;
1249 }
1250
1251 /* Convert a Linux signal to an access vector. */
1252 static inline u32 signal_to_av(int sig)
1253 {
1254         u32 perm = 0;
1255
1256         switch (sig) {
1257         case SIGCHLD:
1258                 /* Commonly granted from child to parent. */
1259                 perm = PROCESS__SIGCHLD;
1260                 break;
1261         case SIGKILL:
1262                 /* Cannot be caught or ignored */
1263                 perm = PROCESS__SIGKILL;
1264                 break;
1265         case SIGSTOP:
1266                 /* Cannot be caught or ignored */
1267                 perm = PROCESS__SIGSTOP;
1268                 break;
1269         default:
1270                 /* All other signals. */
1271                 perm = PROCESS__SIGNAL;
1272                 break;
1273         }
1274
1275         return perm;
1276 }
1277
1278 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1279    fork check, ptrace check, etc. */
1280 static int task_has_perm(struct task_struct *tsk1,
1281                          struct task_struct *tsk2,
1282                          u32 perms)
1283 {
1284         struct task_security_struct *tsec1, *tsec2;
1285
1286         tsec1 = tsk1->security;
1287         tsec2 = tsk2->security;
1288         return avc_has_perm(tsec1->sid, tsec2->sid,
1289                             SECCLASS_PROCESS, perms, NULL);
1290 }
1291
1292 #if CAP_LAST_CAP > 63
1293 #error Fix SELinux to handle capabilities > 63.
1294 #endif
1295
1296 /* Check whether a task is allowed to use a capability. */
1297 static int task_has_capability(struct task_struct *tsk,
1298                                int cap)
1299 {
1300         struct task_security_struct *tsec;
1301         struct avc_audit_data ad;
1302         u16 sclass;
1303         u32 av = CAP_TO_MASK(cap);
1304
1305         tsec = tsk->security;
1306
1307         AVC_AUDIT_DATA_INIT(&ad,CAP);
1308         ad.tsk = tsk;
1309         ad.u.cap = cap;
1310
1311         switch (CAP_TO_INDEX(cap)) {
1312         case 0:
1313                 sclass = SECCLASS_CAPABILITY;
1314                 break;
1315         case 1:
1316                 sclass = SECCLASS_CAPABILITY2;
1317                 break;
1318         default:
1319                 printk(KERN_ERR
1320                        "SELinux:  out of range capability %d\n", cap);
1321                 BUG();
1322         }
1323         return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1324 }
1325
1326 /* Check whether a task is allowed to use a system operation. */
1327 static int task_has_system(struct task_struct *tsk,
1328                            u32 perms)
1329 {
1330         struct task_security_struct *tsec;
1331
1332         tsec = tsk->security;
1333
1334         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1335                             SECCLASS_SYSTEM, perms, NULL);
1336 }
1337
1338 /* Check whether a task has a particular permission to an inode.
1339    The 'adp' parameter is optional and allows other audit
1340    data to be passed (e.g. the dentry). */
1341 static int inode_has_perm(struct task_struct *tsk,
1342                           struct inode *inode,
1343                           u32 perms,
1344                           struct avc_audit_data *adp)
1345 {
1346         struct task_security_struct *tsec;
1347         struct inode_security_struct *isec;
1348         struct avc_audit_data ad;
1349
1350         if (unlikely (IS_PRIVATE (inode)))
1351                 return 0;
1352
1353         tsec = tsk->security;
1354         isec = inode->i_security;
1355
1356         if (!adp) {
1357                 adp = &ad;
1358                 AVC_AUDIT_DATA_INIT(&ad, FS);
1359                 ad.u.fs.inode = inode;
1360         }
1361
1362         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1363 }
1364
1365 /* Same as inode_has_perm, but pass explicit audit data containing
1366    the dentry to help the auditing code to more easily generate the
1367    pathname if needed. */
1368 static inline int dentry_has_perm(struct task_struct *tsk,
1369                                   struct vfsmount *mnt,
1370                                   struct dentry *dentry,
1371                                   u32 av)
1372 {
1373         struct inode *inode = dentry->d_inode;
1374         struct avc_audit_data ad;
1375         AVC_AUDIT_DATA_INIT(&ad,FS);
1376         ad.u.fs.path.mnt = mnt;
1377         ad.u.fs.path.dentry = dentry;
1378         return inode_has_perm(tsk, inode, av, &ad);
1379 }
1380
1381 /* Check whether a task can use an open file descriptor to
1382    access an inode in a given way.  Check access to the
1383    descriptor itself, and then use dentry_has_perm to
1384    check a particular permission to the file.
1385    Access to the descriptor is implicitly granted if it
1386    has the same SID as the process.  If av is zero, then
1387    access to the file is not checked, e.g. for cases
1388    where only the descriptor is affected like seek. */
1389 static int file_has_perm(struct task_struct *tsk,
1390                                 struct file *file,
1391                                 u32 av)
1392 {
1393         struct task_security_struct *tsec = tsk->security;
1394         struct file_security_struct *fsec = file->f_security;
1395         struct inode *inode = file->f_path.dentry->d_inode;
1396         struct avc_audit_data ad;
1397         int rc;
1398
1399         AVC_AUDIT_DATA_INIT(&ad, FS);
1400         ad.u.fs.path = file->f_path;
1401
1402         if (tsec->sid != fsec->sid) {
1403                 rc = avc_has_perm(tsec->sid, fsec->sid,
1404                                   SECCLASS_FD,
1405                                   FD__USE,
1406                                   &ad);
1407                 if (rc)
1408                         return rc;
1409         }
1410
1411         /* av is zero if only checking access to the descriptor. */
1412         if (av)
1413                 return inode_has_perm(tsk, inode, av, &ad);
1414
1415         return 0;
1416 }
1417
1418 /* Check whether a task can create a file. */
1419 static int may_create(struct inode *dir,
1420                       struct dentry *dentry,
1421                       u16 tclass)
1422 {
1423         struct task_security_struct *tsec;
1424         struct inode_security_struct *dsec;
1425         struct superblock_security_struct *sbsec;
1426         u32 newsid;
1427         struct avc_audit_data ad;
1428         int rc;
1429
1430         tsec = current->security;
1431         dsec = dir->i_security;
1432         sbsec = dir->i_sb->s_security;
1433
1434         AVC_AUDIT_DATA_INIT(&ad, FS);
1435         ad.u.fs.path.dentry = dentry;
1436
1437         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1438                           DIR__ADD_NAME | DIR__SEARCH,
1439                           &ad);
1440         if (rc)
1441                 return rc;
1442
1443         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1444                 newsid = tsec->create_sid;
1445         } else {
1446                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1447                                              &newsid);
1448                 if (rc)
1449                         return rc;
1450         }
1451
1452         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1453         if (rc)
1454                 return rc;
1455
1456         return avc_has_perm(newsid, sbsec->sid,
1457                             SECCLASS_FILESYSTEM,
1458                             FILESYSTEM__ASSOCIATE, &ad);
1459 }
1460
1461 /* Check whether a task can create a key. */
1462 static int may_create_key(u32 ksid,
1463                           struct task_struct *ctx)
1464 {
1465         struct task_security_struct *tsec;
1466
1467         tsec = ctx->security;
1468
1469         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1470 }
1471
1472 #define MAY_LINK   0
1473 #define MAY_UNLINK 1
1474 #define MAY_RMDIR  2
1475
1476 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1477 static int may_link(struct inode *dir,
1478                     struct dentry *dentry,
1479                     int kind)
1480
1481 {
1482         struct task_security_struct *tsec;
1483         struct inode_security_struct *dsec, *isec;
1484         struct avc_audit_data ad;
1485         u32 av;
1486         int rc;
1487
1488         tsec = current->security;
1489         dsec = dir->i_security;
1490         isec = dentry->d_inode->i_security;
1491
1492         AVC_AUDIT_DATA_INIT(&ad, FS);
1493         ad.u.fs.path.dentry = dentry;
1494
1495         av = DIR__SEARCH;
1496         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1497         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1498         if (rc)
1499                 return rc;
1500
1501         switch (kind) {
1502         case MAY_LINK:
1503                 av = FILE__LINK;
1504                 break;
1505         case MAY_UNLINK:
1506                 av = FILE__UNLINK;
1507                 break;
1508         case MAY_RMDIR:
1509                 av = DIR__RMDIR;
1510                 break;
1511         default:
1512                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1513                 return 0;
1514         }
1515
1516         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1517         return rc;
1518 }
1519
1520 static inline int may_rename(struct inode *old_dir,
1521                              struct dentry *old_dentry,
1522                              struct inode *new_dir,
1523                              struct dentry *new_dentry)
1524 {
1525         struct task_security_struct *tsec;
1526         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1527         struct avc_audit_data ad;
1528         u32 av;
1529         int old_is_dir, new_is_dir;
1530         int rc;
1531
1532         tsec = current->security;
1533         old_dsec = old_dir->i_security;
1534         old_isec = old_dentry->d_inode->i_security;
1535         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1536         new_dsec = new_dir->i_security;
1537
1538         AVC_AUDIT_DATA_INIT(&ad, FS);
1539
1540         ad.u.fs.path.dentry = old_dentry;
1541         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1542                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1543         if (rc)
1544                 return rc;
1545         rc = avc_has_perm(tsec->sid, old_isec->sid,
1546                           old_isec->sclass, FILE__RENAME, &ad);
1547         if (rc)
1548                 return rc;
1549         if (old_is_dir && new_dir != old_dir) {
1550                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1551                                   old_isec->sclass, DIR__REPARENT, &ad);
1552                 if (rc)
1553                         return rc;
1554         }
1555
1556         ad.u.fs.path.dentry = new_dentry;
1557         av = DIR__ADD_NAME | DIR__SEARCH;
1558         if (new_dentry->d_inode)
1559                 av |= DIR__REMOVE_NAME;
1560         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1561         if (rc)
1562                 return rc;
1563         if (new_dentry->d_inode) {
1564                 new_isec = new_dentry->d_inode->i_security;
1565                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1566                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1567                                   new_isec->sclass,
1568                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1569                 if (rc)
1570                         return rc;
1571         }
1572
1573         return 0;
1574 }
1575
1576 /* Check whether a task can perform a filesystem operation. */
1577 static int superblock_has_perm(struct task_struct *tsk,
1578                                struct super_block *sb,
1579                                u32 perms,
1580                                struct avc_audit_data *ad)
1581 {
1582         struct task_security_struct *tsec;
1583         struct superblock_security_struct *sbsec;
1584
1585         tsec = tsk->security;
1586         sbsec = sb->s_security;
1587         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1588                             perms, ad);
1589 }
1590
1591 /* Convert a Linux mode and permission mask to an access vector. */
1592 static inline u32 file_mask_to_av(int mode, int mask)
1593 {
1594         u32 av = 0;
1595
1596         if ((mode & S_IFMT) != S_IFDIR) {
1597                 if (mask & MAY_EXEC)
1598                         av |= FILE__EXECUTE;
1599                 if (mask & MAY_READ)
1600                         av |= FILE__READ;
1601
1602                 if (mask & MAY_APPEND)
1603                         av |= FILE__APPEND;
1604                 else if (mask & MAY_WRITE)
1605                         av |= FILE__WRITE;
1606
1607         } else {
1608                 if (mask & MAY_EXEC)
1609                         av |= DIR__SEARCH;
1610                 if (mask & MAY_WRITE)
1611                         av |= DIR__WRITE;
1612                 if (mask & MAY_READ)
1613                         av |= DIR__READ;
1614         }
1615
1616         return av;
1617 }
1618
1619 /* Convert a Linux file to an access vector. */
1620 static inline u32 file_to_av(struct file *file)
1621 {
1622         u32 av = 0;
1623
1624         if (file->f_mode & FMODE_READ)
1625                 av |= FILE__READ;
1626         if (file->f_mode & FMODE_WRITE) {
1627                 if (file->f_flags & O_APPEND)
1628                         av |= FILE__APPEND;
1629                 else
1630                         av |= FILE__WRITE;
1631         }
1632
1633         return av;
1634 }
1635
1636 /* Hook functions begin here. */
1637
1638 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1639 {
1640         struct task_security_struct *psec = parent->security;
1641         struct task_security_struct *csec = child->security;
1642         int rc;
1643
1644         rc = secondary_ops->ptrace(parent,child);
1645         if (rc)
1646                 return rc;
1647
1648         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1649         /* Save the SID of the tracing process for later use in apply_creds. */
1650         if (!(child->ptrace & PT_PTRACED) && !rc)
1651                 csec->ptrace_sid = psec->sid;
1652         return rc;
1653 }
1654
1655 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1656                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1657 {
1658         int error;
1659
1660         error = task_has_perm(current, target, PROCESS__GETCAP);
1661         if (error)
1662                 return error;
1663
1664         return secondary_ops->capget(target, effective, inheritable, permitted);
1665 }
1666
1667 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1668                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1669 {
1670         int error;
1671
1672         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1673         if (error)
1674                 return error;
1675
1676         return task_has_perm(current, target, PROCESS__SETCAP);
1677 }
1678
1679 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1680                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1681 {
1682         secondary_ops->capset_set(target, effective, inheritable, permitted);
1683 }
1684
1685 static int selinux_capable(struct task_struct *tsk, int cap)
1686 {
1687         int rc;
1688
1689         rc = secondary_ops->capable(tsk, cap);
1690         if (rc)
1691                 return rc;
1692
1693         return task_has_capability(tsk,cap);
1694 }
1695
1696 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1697 {
1698         int buflen, rc;
1699         char *buffer, *path, *end;
1700
1701         rc = -ENOMEM;
1702         buffer = (char*)__get_free_page(GFP_KERNEL);
1703         if (!buffer)
1704                 goto out;
1705
1706         buflen = PAGE_SIZE;
1707         end = buffer+buflen;
1708         *--end = '\0';
1709         buflen--;
1710         path = end-1;
1711         *path = '/';
1712         while (table) {
1713                 const char *name = table->procname;
1714                 size_t namelen = strlen(name);
1715                 buflen -= namelen + 1;
1716                 if (buflen < 0)
1717                         goto out_free;
1718                 end -= namelen;
1719                 memcpy(end, name, namelen);
1720                 *--end = '/';
1721                 path = end;
1722                 table = table->parent;
1723         }
1724         buflen -= 4;
1725         if (buflen < 0)
1726                 goto out_free;
1727         end -= 4;
1728         memcpy(end, "/sys", 4);
1729         path = end;
1730         rc = security_genfs_sid("proc", path, tclass, sid);
1731 out_free:
1732         free_page((unsigned long)buffer);
1733 out:
1734         return rc;
1735 }
1736
1737 static int selinux_sysctl(ctl_table *table, int op)
1738 {
1739         int error = 0;
1740         u32 av;
1741         struct task_security_struct *tsec;
1742         u32 tsid;
1743         int rc;
1744
1745         rc = secondary_ops->sysctl(table, op);
1746         if (rc)
1747                 return rc;
1748
1749         tsec = current->security;
1750
1751         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1752                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1753         if (rc) {
1754                 /* Default to the well-defined sysctl SID. */
1755                 tsid = SECINITSID_SYSCTL;
1756         }
1757
1758         /* The op values are "defined" in sysctl.c, thereby creating
1759          * a bad coupling between this module and sysctl.c */
1760         if(op == 001) {
1761                 error = avc_has_perm(tsec->sid, tsid,
1762                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1763         } else {
1764                 av = 0;
1765                 if (op & 004)
1766                         av |= FILE__READ;
1767                 if (op & 002)
1768                         av |= FILE__WRITE;
1769                 if (av)
1770                         error = avc_has_perm(tsec->sid, tsid,
1771                                              SECCLASS_FILE, av, NULL);
1772         }
1773
1774         return error;
1775 }
1776
1777 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1778 {
1779         int rc = 0;
1780
1781         if (!sb)
1782                 return 0;
1783
1784         switch (cmds) {
1785                 case Q_SYNC:
1786                 case Q_QUOTAON:
1787                 case Q_QUOTAOFF:
1788                 case Q_SETINFO:
1789                 case Q_SETQUOTA:
1790                         rc = superblock_has_perm(current,
1791                                                  sb,
1792                                                  FILESYSTEM__QUOTAMOD, NULL);
1793                         break;
1794                 case Q_GETFMT:
1795                 case Q_GETINFO:
1796                 case Q_GETQUOTA:
1797                         rc = superblock_has_perm(current,
1798                                                  sb,
1799                                                  FILESYSTEM__QUOTAGET, NULL);
1800                         break;
1801                 default:
1802                         rc = 0;  /* let the kernel handle invalid cmds */
1803                         break;
1804         }
1805         return rc;
1806 }
1807
1808 static int selinux_quota_on(struct dentry *dentry)
1809 {
1810         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1811 }
1812
1813 static int selinux_syslog(int type)
1814 {
1815         int rc;
1816
1817         rc = secondary_ops->syslog(type);
1818         if (rc)
1819                 return rc;
1820
1821         switch (type) {
1822                 case 3:         /* Read last kernel messages */
1823                 case 10:        /* Return size of the log buffer */
1824                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1825                         break;
1826                 case 6:         /* Disable logging to console */
1827                 case 7:         /* Enable logging to console */
1828                 case 8:         /* Set level of messages printed to console */
1829                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1830                         break;
1831                 case 0:         /* Close log */
1832                 case 1:         /* Open log */
1833                 case 2:         /* Read from log */
1834                 case 4:         /* Read/clear last kernel messages */
1835                 case 5:         /* Clear ring buffer */
1836                 default:
1837                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1838                         break;
1839         }
1840         return rc;
1841 }
1842
1843 /*
1844  * Check that a process has enough memory to allocate a new virtual
1845  * mapping. 0 means there is enough memory for the allocation to
1846  * succeed and -ENOMEM implies there is not.
1847  *
1848  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1849  * if the capability is granted, but __vm_enough_memory requires 1 if
1850  * the capability is granted.
1851  *
1852  * Do not audit the selinux permission check, as this is applied to all
1853  * processes that allocate mappings.
1854  */
1855 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1856 {
1857         int rc, cap_sys_admin = 0;
1858         struct task_security_struct *tsec = current->security;
1859
1860         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1861         if (rc == 0)
1862                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1863                                           SECCLASS_CAPABILITY,
1864                                           CAP_TO_MASK(CAP_SYS_ADMIN),
1865                                           0,
1866                                           NULL);
1867
1868         if (rc == 0)
1869                 cap_sys_admin = 1;
1870
1871         return __vm_enough_memory(mm, pages, cap_sys_admin);
1872 }
1873
1874 /* binprm security operations */
1875
1876 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1877 {
1878         struct bprm_security_struct *bsec;
1879
1880         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1881         if (!bsec)
1882                 return -ENOMEM;
1883
1884         bsec->bprm = bprm;
1885         bsec->sid = SECINITSID_UNLABELED;
1886         bsec->set = 0;
1887
1888         bprm->security = bsec;
1889         return 0;
1890 }
1891
1892 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1893 {
1894         struct task_security_struct *tsec;
1895         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1896         struct inode_security_struct *isec;
1897         struct bprm_security_struct *bsec;
1898         u32 newsid;
1899         struct avc_audit_data ad;
1900         int rc;
1901
1902         rc = secondary_ops->bprm_set_security(bprm);
1903         if (rc)
1904                 return rc;
1905
1906         bsec = bprm->security;
1907
1908         if (bsec->set)
1909                 return 0;
1910
1911         tsec = current->security;
1912         isec = inode->i_security;
1913
1914         /* Default to the current task SID. */
1915         bsec->sid = tsec->sid;
1916
1917         /* Reset fs, key, and sock SIDs on execve. */
1918         tsec->create_sid = 0;
1919         tsec->keycreate_sid = 0;
1920         tsec->sockcreate_sid = 0;
1921
1922         if (tsec->exec_sid) {
1923                 newsid = tsec->exec_sid;
1924                 /* Reset exec SID on execve. */
1925                 tsec->exec_sid = 0;
1926         } else {
1927                 /* Check for a default transition on this program. */
1928                 rc = security_transition_sid(tsec->sid, isec->sid,
1929                                              SECCLASS_PROCESS, &newsid);
1930                 if (rc)
1931                         return rc;
1932         }
1933
1934         AVC_AUDIT_DATA_INIT(&ad, FS);
1935         ad.u.fs.path = bprm->file->f_path;
1936
1937         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1938                 newsid = tsec->sid;
1939
1940         if (tsec->sid == newsid) {
1941                 rc = avc_has_perm(tsec->sid, isec->sid,
1942                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1943                 if (rc)
1944                         return rc;
1945         } else {
1946                 /* Check permissions for the transition. */
1947                 rc = avc_has_perm(tsec->sid, newsid,
1948                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1949                 if (rc)
1950                         return rc;
1951
1952                 rc = avc_has_perm(newsid, isec->sid,
1953                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1954                 if (rc)
1955                         return rc;
1956
1957                 /* Clear any possibly unsafe personality bits on exec: */
1958                 current->personality &= ~PER_CLEAR_ON_SETID;
1959
1960                 /* Set the security field to the new SID. */
1961                 bsec->sid = newsid;
1962         }
1963
1964         bsec->set = 1;
1965         return 0;
1966 }
1967
1968 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1969 {
1970         return secondary_ops->bprm_check_security(bprm);
1971 }
1972
1973
1974 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1975 {
1976         struct task_security_struct *tsec = current->security;
1977         int atsecure = 0;
1978
1979         if (tsec->osid != tsec->sid) {
1980                 /* Enable secure mode for SIDs transitions unless
1981                    the noatsecure permission is granted between
1982                    the two SIDs, i.e. ahp returns 0. */
1983                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1984                                          SECCLASS_PROCESS,
1985                                          PROCESS__NOATSECURE, NULL);
1986         }
1987
1988         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1989 }
1990
1991 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1992 {
1993         kfree(bprm->security);
1994         bprm->security = NULL;
1995 }
1996
1997 extern struct vfsmount *selinuxfs_mount;
1998 extern struct dentry *selinux_null;
1999
2000 /* Derived from fs/exec.c:flush_old_files. */
2001 static inline void flush_unauthorized_files(struct files_struct * files)
2002 {
2003         struct avc_audit_data ad;
2004         struct file *file, *devnull = NULL;
2005         struct tty_struct *tty;
2006         struct fdtable *fdt;
2007         long j = -1;
2008         int drop_tty = 0;
2009
2010         mutex_lock(&tty_mutex);
2011         tty = get_current_tty();
2012         if (tty) {
2013                 file_list_lock();
2014                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2015                 if (file) {
2016                         /* Revalidate access to controlling tty.
2017                            Use inode_has_perm on the tty inode directly rather
2018                            than using file_has_perm, as this particular open
2019                            file may belong to another process and we are only
2020                            interested in the inode-based check here. */
2021                         struct inode *inode = file->f_path.dentry->d_inode;
2022                         if (inode_has_perm(current, inode,
2023                                            FILE__READ | FILE__WRITE, NULL)) {
2024                                 drop_tty = 1;
2025                         }
2026                 }
2027                 file_list_unlock();
2028         }
2029         mutex_unlock(&tty_mutex);
2030         /* Reset controlling tty. */
2031         if (drop_tty)
2032                 no_tty();
2033
2034         /* Revalidate access to inherited open files. */
2035
2036         AVC_AUDIT_DATA_INIT(&ad,FS);
2037
2038         spin_lock(&files->file_lock);
2039         for (;;) {
2040                 unsigned long set, i;
2041                 int fd;
2042
2043                 j++;
2044                 i = j * __NFDBITS;
2045                 fdt = files_fdtable(files);
2046                 if (i >= fdt->max_fds)
2047                         break;
2048                 set = fdt->open_fds->fds_bits[j];
2049                 if (!set)
2050                         continue;
2051                 spin_unlock(&files->file_lock);
2052                 for ( ; set ; i++,set >>= 1) {
2053                         if (set & 1) {
2054                                 file = fget(i);
2055                                 if (!file)
2056                                         continue;
2057                                 if (file_has_perm(current,
2058                                                   file,
2059                                                   file_to_av(file))) {
2060                                         sys_close(i);
2061                                         fd = get_unused_fd();
2062                                         if (fd != i) {
2063                                                 if (fd >= 0)
2064                                                         put_unused_fd(fd);
2065                                                 fput(file);
2066                                                 continue;
2067                                         }
2068                                         if (devnull) {
2069                                                 get_file(devnull);
2070                                         } else {
2071                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2072                                                 if (IS_ERR(devnull)) {
2073                                                         devnull = NULL;
2074                                                         put_unused_fd(fd);
2075                                                         fput(file);
2076                                                         continue;
2077                                                 }
2078                                         }
2079                                         fd_install(fd, devnull);
2080                                 }
2081                                 fput(file);
2082                         }
2083                 }
2084                 spin_lock(&files->file_lock);
2085
2086         }
2087         spin_unlock(&files->file_lock);
2088 }
2089
2090 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2091 {
2092         struct task_security_struct *tsec;
2093         struct bprm_security_struct *bsec;
2094         u32 sid;
2095         int rc;
2096
2097         secondary_ops->bprm_apply_creds(bprm, unsafe);
2098
2099         tsec = current->security;
2100
2101         bsec = bprm->security;
2102         sid = bsec->sid;
2103
2104         tsec->osid = tsec->sid;
2105         bsec->unsafe = 0;
2106         if (tsec->sid != sid) {
2107                 /* Check for shared state.  If not ok, leave SID
2108                    unchanged and kill. */
2109                 if (unsafe & LSM_UNSAFE_SHARE) {
2110                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2111                                         PROCESS__SHARE, NULL);
2112                         if (rc) {
2113                                 bsec->unsafe = 1;
2114                                 return;
2115                         }
2116                 }
2117
2118                 /* Check for ptracing, and update the task SID if ok.
2119                    Otherwise, leave SID unchanged and kill. */
2120                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2121                         rc = avc_has_perm(tsec->ptrace_sid, sid,
2122                                           SECCLASS_PROCESS, PROCESS__PTRACE,
2123                                           NULL);
2124                         if (rc) {
2125                                 bsec->unsafe = 1;
2126                                 return;
2127                         }
2128                 }
2129                 tsec->sid = sid;
2130         }
2131 }
2132
2133 /*
2134  * called after apply_creds without the task lock held
2135  */
2136 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2137 {
2138         struct task_security_struct *tsec;
2139         struct rlimit *rlim, *initrlim;
2140         struct itimerval itimer;
2141         struct bprm_security_struct *bsec;
2142         int rc, i;
2143
2144         tsec = current->security;
2145         bsec = bprm->security;
2146
2147         if (bsec->unsafe) {
2148                 force_sig_specific(SIGKILL, current);
2149                 return;
2150         }
2151         if (tsec->osid == tsec->sid)
2152                 return;
2153
2154         /* Close files for which the new task SID is not authorized. */
2155         flush_unauthorized_files(current->files);
2156
2157         /* Check whether the new SID can inherit signal state
2158            from the old SID.  If not, clear itimers to avoid
2159            subsequent signal generation and flush and unblock
2160            signals. This must occur _after_ the task SID has
2161           been updated so that any kill done after the flush
2162           will be checked against the new SID. */
2163         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2164                           PROCESS__SIGINH, NULL);
2165         if (rc) {
2166                 memset(&itimer, 0, sizeof itimer);
2167                 for (i = 0; i < 3; i++)
2168                         do_setitimer(i, &itimer, NULL);
2169                 flush_signals(current);
2170                 spin_lock_irq(&current->sighand->siglock);
2171                 flush_signal_handlers(current, 1);
2172                 sigemptyset(&current->blocked);
2173                 recalc_sigpending();
2174                 spin_unlock_irq(&current->sighand->siglock);
2175         }
2176
2177         /* Always clear parent death signal on SID transitions. */
2178         current->pdeath_signal = 0;
2179
2180         /* Check whether the new SID can inherit resource limits
2181            from the old SID.  If not, reset all soft limits to
2182            the lower of the current task's hard limit and the init
2183            task's soft limit.  Note that the setting of hard limits
2184            (even to lower them) can be controlled by the setrlimit
2185            check. The inclusion of the init task's soft limit into
2186            the computation is to avoid resetting soft limits higher
2187            than the default soft limit for cases where the default
2188            is lower than the hard limit, e.g. RLIMIT_CORE or
2189            RLIMIT_STACK.*/
2190         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2191                           PROCESS__RLIMITINH, NULL);
2192         if (rc) {
2193                 for (i = 0; i < RLIM_NLIMITS; i++) {
2194                         rlim = current->signal->rlim + i;
2195                         initrlim = init_task.signal->rlim+i;
2196                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2197                 }
2198                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2199                         /*
2200                          * This will cause RLIMIT_CPU calculations
2201                          * to be refigured.
2202                          */
2203                         current->it_prof_expires = jiffies_to_cputime(1);
2204                 }
2205         }
2206
2207         /* Wake up the parent if it is waiting so that it can
2208            recheck wait permission to the new task SID. */
2209         wake_up_interruptible(&current->parent->signal->wait_chldexit);
2210 }
2211
2212 /* superblock security operations */
2213
2214 static int selinux_sb_alloc_security(struct super_block *sb)
2215 {
2216         return superblock_alloc_security(sb);
2217 }
2218
2219 static void selinux_sb_free_security(struct super_block *sb)
2220 {
2221         superblock_free_security(sb);
2222 }
2223
2224 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2225 {
2226         if (plen > olen)
2227                 return 0;
2228
2229         return !memcmp(prefix, option, plen);
2230 }
2231
2232 static inline int selinux_option(char *option, int len)
2233 {
2234         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2235                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
2236                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2237                 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
2238 }
2239
2240 static inline void take_option(char **to, char *from, int *first, int len)
2241 {
2242         if (!*first) {
2243                 **to = ',';
2244                 *to += 1;
2245         } else
2246                 *first = 0;
2247         memcpy(*to, from, len);
2248         *to += len;
2249 }
2250
2251 static inline void take_selinux_option(char **to, char *from, int *first, 
2252                                        int len)
2253 {
2254         int current_size = 0;
2255
2256         if (!*first) {
2257                 **to = '|';
2258                 *to += 1;
2259         }
2260         else
2261                 *first = 0;
2262
2263         while (current_size < len) {
2264                 if (*from != '"') {
2265                         **to = *from;
2266                         *to += 1;
2267                 }
2268                 from += 1;
2269                 current_size += 1;
2270         }
2271 }
2272
2273 static int selinux_sb_copy_data(char *orig, char *copy)
2274 {
2275         int fnosec, fsec, rc = 0;
2276         char *in_save, *in_curr, *in_end;
2277         char *sec_curr, *nosec_save, *nosec;
2278         int open_quote = 0;
2279
2280         in_curr = orig;
2281         sec_curr = copy;
2282
2283         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2284         if (!nosec) {
2285                 rc = -ENOMEM;
2286                 goto out;
2287         }
2288
2289         nosec_save = nosec;
2290         fnosec = fsec = 1;
2291         in_save = in_end = orig;
2292
2293         do {
2294                 if (*in_end == '"')
2295                         open_quote = !open_quote;
2296                 if ((*in_end == ',' && open_quote == 0) ||
2297                                 *in_end == '\0') {
2298                         int len = in_end - in_curr;
2299
2300                         if (selinux_option(in_curr, len))
2301                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2302                         else
2303                                 take_option(&nosec, in_curr, &fnosec, len);
2304
2305                         in_curr = in_end + 1;
2306                 }
2307         } while (*in_end++);
2308
2309         strcpy(in_save, nosec_save);
2310         free_page((unsigned long)nosec_save);
2311 out:
2312         return rc;
2313 }
2314
2315 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2316 {
2317         struct avc_audit_data ad;
2318         int rc;
2319
2320         rc = superblock_doinit(sb, data);
2321         if (rc)
2322                 return rc;
2323
2324         AVC_AUDIT_DATA_INIT(&ad,FS);
2325         ad.u.fs.path.dentry = sb->s_root;
2326         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2327 }
2328
2329 static int selinux_sb_statfs(struct dentry *dentry)
2330 {
2331         struct avc_audit_data ad;
2332
2333         AVC_AUDIT_DATA_INIT(&ad,FS);
2334         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2335         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2336 }
2337
2338 static int selinux_mount(char * dev_name,
2339                          struct nameidata *nd,
2340                          char * type,
2341                          unsigned long flags,
2342                          void * data)
2343 {
2344         int rc;
2345
2346         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2347         if (rc)
2348                 return rc;
2349
2350         if (flags & MS_REMOUNT)
2351                 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
2352                                            FILESYSTEM__REMOUNT, NULL);
2353         else
2354                 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
2355                                        FILE__MOUNTON);
2356 }
2357
2358 static int selinux_umount(struct vfsmount *mnt, int flags)
2359 {
2360         int rc;
2361
2362         rc = secondary_ops->sb_umount(mnt, flags);
2363         if (rc)
2364                 return rc;
2365
2366         return superblock_has_perm(current,mnt->mnt_sb,
2367                                    FILESYSTEM__UNMOUNT,NULL);
2368 }
2369
2370 /* inode security operations */
2371
2372 static int selinux_inode_alloc_security(struct inode *inode)
2373 {
2374         return inode_alloc_security(inode);
2375 }
2376
2377 static void selinux_inode_free_security(struct inode *inode)
2378 {
2379         inode_free_security(inode);
2380 }
2381
2382 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2383                                        char **name, void **value,
2384                                        size_t *len)
2385 {
2386         struct task_security_struct *tsec;
2387         struct inode_security_struct *dsec;
2388         struct superblock_security_struct *sbsec;
2389         u32 newsid, clen;
2390         int rc;
2391         char *namep = NULL, *context;
2392
2393         tsec = current->security;
2394         dsec = dir->i_security;
2395         sbsec = dir->i_sb->s_security;
2396
2397         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2398                 newsid = tsec->create_sid;
2399         } else {
2400                 rc = security_transition_sid(tsec->sid, dsec->sid,
2401                                              inode_mode_to_security_class(inode->i_mode),
2402                                              &newsid);
2403                 if (rc) {
2404                         printk(KERN_WARNING "%s:  "
2405                                "security_transition_sid failed, rc=%d (dev=%s "
2406                                "ino=%ld)\n",
2407                                __FUNCTION__,
2408                                -rc, inode->i_sb->s_id, inode->i_ino);
2409                         return rc;
2410                 }
2411         }
2412
2413         /* Possibly defer initialization to selinux_complete_init. */
2414         if (sbsec->initialized) {
2415                 struct inode_security_struct *isec = inode->i_security;
2416                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2417                 isec->sid = newsid;
2418                 isec->initialized = 1;
2419         }
2420
2421         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2422                 return -EOPNOTSUPP;
2423
2424         if (name) {
2425                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2426                 if (!namep)
2427                         return -ENOMEM;
2428                 *name = namep;
2429         }
2430
2431         if (value && len) {
2432                 rc = security_sid_to_context(newsid, &context, &clen);
2433                 if (rc) {
2434                         kfree(namep);
2435                         return rc;
2436                 }
2437                 *value = context;
2438                 *len = clen;
2439         }
2440
2441         return 0;
2442 }
2443
2444 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2445 {
2446         return may_create(dir, dentry, SECCLASS_FILE);
2447 }
2448
2449 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2450 {
2451         int rc;
2452
2453         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2454         if (rc)
2455                 return rc;
2456         return may_link(dir, old_dentry, MAY_LINK);
2457 }
2458
2459 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2460 {
2461         int rc;
2462
2463         rc = secondary_ops->inode_unlink(dir, dentry);
2464         if (rc)
2465                 return rc;
2466         return may_link(dir, dentry, MAY_UNLINK);
2467 }
2468
2469 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2470 {
2471         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2472 }
2473
2474 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2475 {
2476         return may_create(dir, dentry, SECCLASS_DIR);
2477 }
2478
2479 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2480 {
2481         return may_link(dir, dentry, MAY_RMDIR);
2482 }
2483
2484 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2485 {
2486         int rc;
2487
2488         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2489         if (rc)
2490                 return rc;
2491
2492         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2493 }
2494
2495 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2496                                 struct inode *new_inode, struct dentry *new_dentry)
2497 {
2498         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2499 }
2500
2501 static int selinux_inode_readlink(struct dentry *dentry)
2502 {
2503         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2504 }
2505
2506 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2507 {
2508         int rc;
2509
2510         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2511         if (rc)
2512                 return rc;
2513         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2514 }
2515
2516 static int selinux_inode_permission(struct inode *inode, int mask,
2517                                     struct nameidata *nd)
2518 {
2519         int rc;
2520
2521         rc = secondary_ops->inode_permission(inode, mask, nd);
2522         if (rc)
2523                 return rc;
2524
2525         if (!mask) {
2526                 /* No permission to check.  Existence test. */
2527                 return 0;
2528         }
2529
2530         return inode_has_perm(current, inode,
2531                                file_mask_to_av(inode->i_mode, mask), NULL);
2532 }
2533
2534 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2535 {
2536         int rc;
2537
2538         rc = secondary_ops->inode_setattr(dentry, iattr);
2539         if (rc)
2540                 return rc;
2541
2542         if (iattr->ia_valid & ATTR_FORCE)
2543                 return 0;
2544
2545         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2546                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2547                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2548
2549         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2550 }
2551
2552 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2553 {
2554         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2555 }
2556
2557 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2558 {
2559         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2560                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2561                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2562                         if (!capable(CAP_SETFCAP))
2563                                 return -EPERM;
2564                 } else if (!capable(CAP_SYS_ADMIN)) {
2565                         /* A different attribute in the security namespace.
2566                            Restrict to administrator. */
2567                         return -EPERM;
2568                 }
2569         }
2570
2571         /* Not an attribute we recognize, so just check the
2572            ordinary setattr permission. */
2573         return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2574 }
2575
2576 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2577 {
2578         struct task_security_struct *tsec = current->security;
2579         struct inode *inode = dentry->d_inode;
2580         struct inode_security_struct *isec = inode->i_security;
2581         struct superblock_security_struct *sbsec;
2582         struct avc_audit_data ad;
2583         u32 newsid;
2584         int rc = 0;
2585
2586         if (strcmp(name, XATTR_NAME_SELINUX))
2587                 return selinux_inode_setotherxattr(dentry, name);
2588
2589         sbsec = inode->i_sb->s_security;
2590         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2591                 return -EOPNOTSUPP;
2592
2593         if (!is_owner_or_cap(inode))
2594                 return -EPERM;
2595
2596         AVC_AUDIT_DATA_INIT(&ad,FS);
2597         ad.u.fs.path.dentry = dentry;
2598
2599         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2600                           FILE__RELABELFROM, &ad);
2601         if (rc)
2602                 return rc;
2603
2604         rc = security_context_to_sid(value, size, &newsid);
2605         if (rc)
2606                 return rc;
2607
2608         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2609                           FILE__RELABELTO, &ad);
2610         if (rc)
2611                 return rc;
2612
2613         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2614                                           isec->sclass);
2615         if (rc)
2616                 return rc;
2617
2618         return avc_has_perm(newsid,
2619                             sbsec->sid,
2620                             SECCLASS_FILESYSTEM,
2621                             FILESYSTEM__ASSOCIATE,
2622                             &ad);
2623 }
2624
2625 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2626                                         void *value, size_t size, int flags)
2627 {
2628         struct inode *inode = dentry->d_inode;
2629         struct inode_security_struct *isec = inode->i_security;
2630         u32 newsid;
2631         int rc;
2632
2633         if (strcmp(name, XATTR_NAME_SELINUX)) {
2634                 /* Not an attribute we recognize, so nothing to do. */
2635                 return;
2636         }
2637
2638         rc = security_context_to_sid(value, size, &newsid);
2639         if (rc) {
2640                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2641                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2642                 return;
2643         }
2644
2645         isec->sid = newsid;
2646         return;
2647 }
2648
2649 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2650 {
2651         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2652 }
2653
2654 static int selinux_inode_listxattr (struct dentry *dentry)
2655 {
2656         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2657 }
2658
2659 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2660 {
2661         if (strcmp(name, XATTR_NAME_SELINUX))
2662                 return selinux_inode_setotherxattr(dentry, name);
2663
2664         /* No one is allowed to remove a SELinux security label.
2665            You can change the label, but all data must be labeled. */
2666         return -EACCES;
2667 }
2668
2669 /*
2670  * Copy the in-core inode security context value to the user.  If the
2671  * getxattr() prior to this succeeded, check to see if we need to
2672  * canonicalize the value to be finally returned to the user.
2673  *
2674  * Permission check is handled by selinux_inode_getxattr hook.
2675  */
2676 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2677 {
2678         u32 size;
2679         int error;
2680         char *context = NULL;
2681         struct inode_security_struct *isec = inode->i_security;
2682
2683         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2684                 return -EOPNOTSUPP;
2685
2686         error = security_sid_to_context(isec->sid, &context, &size);
2687         if (error)
2688                 return error;
2689         error = size;
2690         if (alloc) {
2691                 *buffer = context;
2692                 goto out_nofree;
2693         }
2694         kfree(context);
2695 out_nofree:
2696         return error;
2697 }
2698
2699 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2700                                      const void *value, size_t size, int flags)
2701 {
2702         struct inode_security_struct *isec = inode->i_security;
2703         u32 newsid;
2704         int rc;
2705
2706         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2707                 return -EOPNOTSUPP;
2708
2709         if (!value || !size)
2710                 return -EACCES;
2711
2712         rc = security_context_to_sid((void*)value, size, &newsid);
2713         if (rc)
2714                 return rc;
2715
2716         isec->sid = newsid;
2717         return 0;
2718 }
2719
2720 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2721 {
2722         const int len = sizeof(XATTR_NAME_SELINUX);
2723         if (buffer && len <= buffer_size)
2724                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2725         return len;
2726 }
2727
2728 static int selinux_inode_need_killpriv(struct dentry *dentry)
2729 {
2730         return secondary_ops->inode_need_killpriv(dentry);
2731 }
2732
2733 static int selinux_inode_killpriv(struct dentry *dentry)
2734 {
2735         return secondary_ops->inode_killpriv(dentry);
2736 }
2737
2738 /* file security operations */
2739
2740 static int selinux_revalidate_file_permission(struct file *file, int mask)
2741 {
2742         int rc;
2743         struct inode *inode = file->f_path.dentry->d_inode;
2744
2745         if (!mask) {
2746                 /* No permission to check.  Existence test. */
2747                 return 0;
2748         }
2749
2750         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2751         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2752                 mask |= MAY_APPEND;
2753
2754         rc = file_has_perm(current, file,
2755                            file_mask_to_av(inode->i_mode, mask));
2756         if (rc)
2757                 return rc;
2758
2759         return selinux_netlbl_inode_permission(inode, mask);
2760 }
2761
2762 static int selinux_file_permission(struct file *file, int mask)
2763 {
2764         struct inode *inode = file->f_path.dentry->d_inode;
2765         struct task_security_struct *tsec = current->security;
2766         struct file_security_struct *fsec = file->f_security;
2767         struct inode_security_struct *isec = inode->i_security;
2768
2769         if (!mask) {
2770                 /* No permission to check.  Existence test. */
2771                 return 0;
2772         }
2773
2774         if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2775             && fsec->pseqno == avc_policy_seqno())
2776                 return selinux_netlbl_inode_permission(inode, mask);
2777
2778         return selinux_revalidate_file_permission(file, mask);
2779 }
2780
2781 static int selinux_file_alloc_security(struct file *file)
2782 {
2783         return file_alloc_security(file);
2784 }
2785
2786 static void selinux_file_free_security(struct file *file)
2787 {
2788         file_free_security(file);
2789 }
2790
2791 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2792                               unsigned long arg)
2793 {
2794         int error = 0;
2795
2796         switch (cmd) {
2797                 case FIONREAD:
2798                 /* fall through */
2799                 case FIBMAP:
2800                 /* fall through */
2801                 case FIGETBSZ:
2802                 /* fall through */
2803                 case EXT2_IOC_GETFLAGS:
2804                 /* fall through */
2805                 case EXT2_IOC_GETVERSION:
2806                         error = file_has_perm(current, file, FILE__GETATTR);
2807                         break;
2808
2809                 case EXT2_IOC_SETFLAGS:
2810                 /* fall through */
2811                 case EXT2_IOC_SETVERSION:
2812                         error = file_has_perm(current, file, FILE__SETATTR);
2813                         break;
2814
2815                 /* sys_ioctl() checks */
2816                 case FIONBIO:
2817                 /* fall through */
2818                 case FIOASYNC:
2819                         error = file_has_perm(current, file, 0);
2820                         break;
2821
2822                 case KDSKBENT:
2823                 case KDSKBSENT:
2824                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2825                         break;
2826
2827                 /* default case assumes that the command will go
2828                  * to the file's ioctl() function.
2829                  */
2830                 default:
2831                         error = file_has_perm(current, file, FILE__IOCTL);
2832
2833         }
2834         return error;
2835 }
2836
2837 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2838 {
2839 #ifndef CONFIG_PPC32
2840         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2841                 /*
2842                  * We are making executable an anonymous mapping or a
2843                  * private file mapping that will also be writable.
2844                  * This has an additional check.
2845                  */
2846                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2847                 if (rc)
2848                         return rc;
2849         }
2850 #endif
2851
2852         if (file) {
2853                 /* read access is always possible with a mapping */
2854                 u32 av = FILE__READ;
2855
2856                 /* write access only matters if the mapping is shared */
2857                 if (shared && (prot & PROT_WRITE))
2858                         av |= FILE__WRITE;
2859
2860                 if (prot & PROT_EXEC)
2861                         av |= FILE__EXECUTE;
2862
2863                 return file_has_perm(current, file, av);
2864         }
2865         return 0;
2866 }
2867
2868 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2869                              unsigned long prot, unsigned long flags,
2870                              unsigned long addr, unsigned long addr_only)
2871 {
2872         int rc = 0;
2873         u32 sid = ((struct task_security_struct*)(current->security))->sid;
2874
2875         if (addr < mmap_min_addr)
2876                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2877                                   MEMPROTECT__MMAP_ZERO, NULL);
2878         if (rc || addr_only)
2879                 return rc;
2880
2881         if (selinux_checkreqprot)
2882                 prot = reqprot;
2883
2884         return file_map_prot_check(file, prot,
2885                                    (flags & MAP_TYPE) == MAP_SHARED);
2886 }
2887
2888 static int selinux_file_mprotect(struct vm_area_struct *vma,
2889                                  unsigned long reqprot,
2890                                  unsigned long prot)
2891 {
2892         int rc;
2893
2894         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2895         if (rc)
2896                 return rc;
2897
2898         if (selinux_checkreqprot)
2899                 prot = reqprot;
2900
2901 #ifndef CONFIG_PPC32
2902         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2903                 rc = 0;
2904                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2905                     vma->vm_end <= vma->vm_mm->brk) {
2906                         rc = task_has_perm(current, current,
2907                                            PROCESS__EXECHEAP);
2908                 } else if (!vma->vm_file &&
2909                            vma->vm_start <= vma->vm_mm->start_stack &&
2910                            vma->vm_end >= vma->vm_mm->start_stack) {
2911                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2912                 } else if (vma->vm_file && vma->anon_vma) {
2913                         /*
2914                          * We are making executable a file mapping that has
2915                          * had some COW done. Since pages might have been
2916                          * written, check ability to execute the possibly
2917                          * modified content.  This typically should only
2918                          * occur for text relocations.
2919                          */
2920                         rc = file_has_perm(current, vma->vm_file,
2921                                            FILE__EXECMOD);
2922                 }
2923                 if (rc)
2924                         return rc;
2925         }
2926 #endif
2927
2928         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2929 }
2930
2931 static int selinux_file_lock(struct file *file, unsigned int cmd)
2932 {
2933         return file_has_perm(current, file, FILE__LOCK);
2934 }
2935
2936 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2937                               unsigned long arg)
2938 {
2939         int err = 0;
2940
2941         switch (cmd) {
2942                 case F_SETFL:
2943                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2944                                 err = -EINVAL;
2945                                 break;
2946                         }
2947
2948                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2949                                 err = file_has_perm(current, file,FILE__WRITE);
2950                                 break;
2951                         }
2952                         /* fall through */
2953                 case F_SETOWN:
2954                 case F_SETSIG:
2955                 case F_GETFL:
2956                 case F_GETOWN:
2957                 case F_GETSIG:
2958                         /* Just check FD__USE permission */
2959                         err = file_has_perm(current, file, 0);
2960                         break;
2961                 case F_GETLK:
2962                 case F_SETLK:
2963                 case F_SETLKW:
2964 #if BITS_PER_LONG == 32
2965                 case F_GETLK64:
2966                 case F_SETLK64:
2967                 case F_SETLKW64:
2968 #endif
2969                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2970                                 err = -EINVAL;
2971                                 break;
2972                         }
2973                         err = file_has_perm(current, file, FILE__LOCK);
2974                         break;
2975         }
2976
2977         return err;
2978 }
2979
2980 static int selinux_file_set_fowner(struct file *file)
2981 {
2982         struct task_security_struct *tsec;
2983         struct file_security_struct *fsec;
2984
2985         tsec = current->security;
2986         fsec = file->f_security;
2987         fsec->fown_sid = tsec->sid;
2988
2989         return 0;
2990 }
2991
2992 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2993                                        struct fown_struct *fown, int signum)
2994 {
2995         struct file *file;
2996         u32 perm;
2997         struct task_security_struct *tsec;
2998         struct file_security_struct *fsec;
2999
3000         /* struct fown_struct is never outside the context of a struct file */
3001         file = container_of(fown, struct file, f_owner);
3002
3003         tsec = tsk->security;
3004         fsec = file->f_security;
3005
3006         if (!signum)
3007                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3008         else
3009                 perm = signal_to_av(signum);
3010
3011         return avc_has_perm(fsec->fown_sid, tsec->sid,
3012                             SECCLASS_PROCESS, perm, NULL);
3013 }
3014
3015 static int selinux_file_receive(struct file *file)
3016 {
3017         return file_has_perm(current, file, file_to_av(file));
3018 }
3019
3020 static int selinux_dentry_open(struct file *file)
3021 {
3022         struct file_security_struct *fsec;
3023         struct inode *inode;
3024         struct inode_security_struct *isec;
3025         inode = file->f_path.dentry->d_inode;
3026         fsec = file->f_security;
3027         isec = inode->i_security;
3028         /*
3029          * Save inode label and policy sequence number
3030          * at open-time so that selinux_file_permission
3031          * can determine whether revalidation is necessary.
3032          * Task label is already saved in the file security
3033          * struct as its SID.
3034          */
3035         fsec->isid = isec->sid;
3036         fsec->pseqno = avc_policy_seqno();
3037         /*
3038          * Since the inode label or policy seqno may have changed
3039          * between the selinux_inode_permission check and the saving
3040          * of state above, recheck that access is still permitted.
3041          * Otherwise, access might never be revalidated against the
3042          * new inode label or new policy.
3043          * This check is not redundant - do not remove.
3044          */
3045         return inode_has_perm(current, inode, file_to_av(file), NULL);
3046 }
3047
3048 /* task security operations */
3049
3050 static int selinux_task_create(unsigned long clone_flags)
3051 {
3052         int rc;
3053
3054         rc = secondary_ops->task_create(clone_flags);
3055         if (rc)
3056                 return rc;
3057
3058         return task_has_perm(current, current, PROCESS__FORK);
3059 }
3060
3061 static int selinux_task_alloc_security(struct task_struct *tsk)
3062 {
3063         struct task_security_struct *tsec1, *tsec2;
3064         int rc;
3065
3066         tsec1 = current->security;
3067
3068         rc = task_alloc_security(tsk);
3069         if (rc)
3070                 return rc;
3071         tsec2 = tsk->security;
3072
3073         tsec2->osid = tsec1->osid;
3074         tsec2->sid = tsec1->sid;
3075
3076         /* Retain the exec, fs, key, and sock SIDs across fork */
3077         tsec2->exec_sid = tsec1->exec_sid;
3078         tsec2->create_sid = tsec1->create_sid;
3079         tsec2->keycreate_sid = tsec1->keycreate_sid;
3080         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3081
3082         /* Retain ptracer SID across fork, if any.
3083            This will be reset by the ptrace hook upon any
3084            subsequent ptrace_attach operations. */
3085         tsec2->ptrace_sid = tsec1->ptrace_sid;
3086
3087         return 0;
3088 }
3089
3090 static void selinux_task_free_security(struct task_struct *tsk)
3091 {
3092         task_free_security(tsk);
3093 }
3094
3095 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3096 {
3097         /* Since setuid only affects the current process, and
3098            since the SELinux controls are not based on the Linux
3099            identity attributes, SELinux does not need to control
3100            this operation.  However, SELinux does control the use
3101            of the CAP_SETUID and CAP_SETGID capabilities using the
3102            capable hook. */
3103         return 0;
3104 }
3105
3106 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3107 {
3108         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
3109 }
3110
3111 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3112 {
3113         /* See the comment for setuid above. */
3114         return 0;
3115 }
3116
3117 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3118 {
3119         return task_has_perm(current, p, PROCESS__SETPGID);
3120 }
3121
3122 static int selinux_task_getpgid(struct task_struct *p)
3123 {
3124         return task_has_perm(current, p, PROCESS__GETPGID);
3125 }
3126
3127 static int selinux_task_getsid(struct task_struct *p)
3128 {
3129         return task_has_perm(current, p, PROCESS__GETSESSION);
3130 }
3131
3132 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3133 {
3134         selinux_get_task_sid(p, secid);
3135 }
3136
3137 static int selinux_task_setgroups(struct group_info *group_info)
3138 {
3139         /* See the comment for setuid above. */
3140         return 0;
3141 }
3142
3143 static int selinux_task_setnice(struct task_struct *p, int nice)
3144 {
3145         int rc;
3146
3147         rc = secondary_ops->task_setnice(p, nice);
3148         if (rc)
3149                 return rc;
3150
3151         return task_has_perm(current,p, PROCESS__SETSCHED);
3152 }
3153
3154 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3155 {
3156         int rc;
3157
3158         rc = secondary_ops->task_setioprio(p, ioprio);
3159         if (rc)
3160                 return rc;
3161
3162         return task_has_perm(current, p, PROCESS__SETSCHED);
3163 }
3164
3165 static int selinux_task_getioprio(struct task_struct *p)
3166 {
3167         return task_has_perm(current, p, PROCESS__GETSCHED);
3168 }
3169
3170 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3171 {
3172         struct rlimit *old_rlim = current->signal->rlim + resource;
3173         int rc;
3174
3175         rc = secondary_ops->task_setrlimit(resource, new_rlim);
3176         if (rc)
3177                 return rc;
3178
3179         /* Control the ability to change the hard limit (whether
3180            lowering or raising it), so that the hard limit can
3181            later be used as a safe reset point for the soft limit
3182            upon context transitions. See selinux_bprm_apply_creds. */
3183         if (old_rlim->rlim_max != new_rlim->rlim_max)
3184                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3185
3186         return 0;
3187 }
3188
3189 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3190 {
3191         int rc;
3192
3193         rc = secondary_ops->task_setscheduler(p, policy, lp);
3194         if (rc)
3195                 return rc;
3196
3197         return task_has_perm(current, p, PROCESS__SETSCHED);
3198 }
3199
3200 static int selinux_task_getscheduler(struct task_struct *p)
3201 {
3202         return task_has_perm(current, p, PROCESS__GETSCHED);
3203 }
3204
3205 static int selinux_task_movememory(struct task_struct *p)
3206 {
3207         return task_has_perm(current, p, PROCESS__SETSCHED);
3208 }
3209
3210 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3211                                 int sig, u32 secid)
3212 {
3213         u32 perm;
3214         int rc;</