Merge commit 'v3.15' into next
[sfrench/cifs-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h>             /* for local_port_range[] */
54 #include <net/sock.h>
55 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h>    /* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/quota.h>
70 #include <linux/un.h>           /* for Unix socket types */
71 #include <net/af_unix.h>        /* for Unix socket types */
72 #include <linux/parser.h>
73 #include <linux/nfs_mount.h>
74 #include <net/ipv6.h>
75 #include <linux/hugetlb.h>
76 #include <linux/personality.h>
77 #include <linux/audit.h>
78 #include <linux/string.h>
79 #include <linux/selinux.h>
80 #include <linux/mutex.h>
81 #include <linux/posix-timers.h>
82 #include <linux/syslog.h>
83 #include <linux/user_namespace.h>
84 #include <linux/export.h>
85 #include <linux/msg.h>
86 #include <linux/shm.h>
87
88 #include "avc.h"
89 #include "objsec.h"
90 #include "netif.h"
91 #include "netnode.h"
92 #include "netport.h"
93 #include "xfrm.h"
94 #include "netlabel.h"
95 #include "audit.h"
96 #include "avc_ss.h"
97
98 extern struct security_operations *security_ops;
99
100 /* SECMARK reference count */
101 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
102
103 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
104 int selinux_enforcing;
105
106 static int __init enforcing_setup(char *str)
107 {
108         unsigned long enforcing;
109         if (!kstrtoul(str, 0, &enforcing))
110                 selinux_enforcing = enforcing ? 1 : 0;
111         return 1;
112 }
113 __setup("enforcing=", enforcing_setup);
114 #endif
115
116 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118
119 static int __init selinux_enabled_setup(char *str)
120 {
121         unsigned long enabled;
122         if (!kstrtoul(str, 0, &enabled))
123                 selinux_enabled = enabled ? 1 : 0;
124         return 1;
125 }
126 __setup("selinux=", selinux_enabled_setup);
127 #else
128 int selinux_enabled = 1;
129 #endif
130
131 static struct kmem_cache *sel_inode_cache;
132
133 /**
134  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
135  *
136  * Description:
137  * This function checks the SECMARK reference counter to see if any SECMARK
138  * targets are currently configured, if the reference counter is greater than
139  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
140  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
141  * policy capability is enabled, SECMARK is always considered enabled.
142  *
143  */
144 static int selinux_secmark_enabled(void)
145 {
146         return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
147 }
148
149 /**
150  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
151  *
152  * Description:
153  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
154  * (1) if any are enabled or false (0) if neither are enabled.  If the
155  * always_check_network policy capability is enabled, peer labeling
156  * is always considered enabled.
157  *
158  */
159 static int selinux_peerlbl_enabled(void)
160 {
161         return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
162 }
163
164 /*
165  * initialise the security for the init task
166  */
167 static void cred_init_security(void)
168 {
169         struct cred *cred = (struct cred *) current->real_cred;
170         struct task_security_struct *tsec;
171
172         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
173         if (!tsec)
174                 panic("SELinux:  Failed to initialize initial task.\n");
175
176         tsec->osid = tsec->sid = SECINITSID_KERNEL;
177         cred->security = tsec;
178 }
179
180 /*
181  * get the security ID of a set of credentials
182  */
183 static inline u32 cred_sid(const struct cred *cred)
184 {
185         const struct task_security_struct *tsec;
186
187         tsec = cred->security;
188         return tsec->sid;
189 }
190
191 /*
192  * get the objective security ID of a task
193  */
194 static inline u32 task_sid(const struct task_struct *task)
195 {
196         u32 sid;
197
198         rcu_read_lock();
199         sid = cred_sid(__task_cred(task));
200         rcu_read_unlock();
201         return sid;
202 }
203
204 /*
205  * get the subjective security ID of the current task
206  */
207 static inline u32 current_sid(void)
208 {
209         const struct task_security_struct *tsec = current_security();
210
211         return tsec->sid;
212 }
213
214 /* Allocate and free functions for each kind of security blob. */
215
216 static int inode_alloc_security(struct inode *inode)
217 {
218         struct inode_security_struct *isec;
219         u32 sid = current_sid();
220
221         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
222         if (!isec)
223                 return -ENOMEM;
224
225         mutex_init(&isec->lock);
226         INIT_LIST_HEAD(&isec->list);
227         isec->inode = inode;
228         isec->sid = SECINITSID_UNLABELED;
229         isec->sclass = SECCLASS_FILE;
230         isec->task_sid = sid;
231         inode->i_security = isec;
232
233         return 0;
234 }
235
236 static void inode_free_rcu(struct rcu_head *head)
237 {
238         struct inode_security_struct *isec;
239
240         isec = container_of(head, struct inode_security_struct, rcu);
241         kmem_cache_free(sel_inode_cache, isec);
242 }
243
244 static void inode_free_security(struct inode *inode)
245 {
246         struct inode_security_struct *isec = inode->i_security;
247         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
248
249         spin_lock(&sbsec->isec_lock);
250         if (!list_empty(&isec->list))
251                 list_del_init(&isec->list);
252         spin_unlock(&sbsec->isec_lock);
253
254         /*
255          * The inode may still be referenced in a path walk and
256          * a call to selinux_inode_permission() can be made
257          * after inode_free_security() is called. Ideally, the VFS
258          * wouldn't do this, but fixing that is a much harder
259          * job. For now, simply free the i_security via RCU, and
260          * leave the current inode->i_security pointer intact.
261          * The inode will be freed after the RCU grace period too.
262          */
263         call_rcu(&isec->rcu, inode_free_rcu);
264 }
265
266 static int file_alloc_security(struct file *file)
267 {
268         struct file_security_struct *fsec;
269         u32 sid = current_sid();
270
271         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
272         if (!fsec)
273                 return -ENOMEM;
274
275         fsec->sid = sid;
276         fsec->fown_sid = sid;
277         file->f_security = fsec;
278
279         return 0;
280 }
281
282 static void file_free_security(struct file *file)
283 {
284         struct file_security_struct *fsec = file->f_security;
285         file->f_security = NULL;
286         kfree(fsec);
287 }
288
289 static int superblock_alloc_security(struct super_block *sb)
290 {
291         struct superblock_security_struct *sbsec;
292
293         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
294         if (!sbsec)
295                 return -ENOMEM;
296
297         mutex_init(&sbsec->lock);
298         INIT_LIST_HEAD(&sbsec->isec_head);
299         spin_lock_init(&sbsec->isec_lock);
300         sbsec->sb = sb;
301         sbsec->sid = SECINITSID_UNLABELED;
302         sbsec->def_sid = SECINITSID_FILE;
303         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
304         sb->s_security = sbsec;
305
306         return 0;
307 }
308
309 static void superblock_free_security(struct super_block *sb)
310 {
311         struct superblock_security_struct *sbsec = sb->s_security;
312         sb->s_security = NULL;
313         kfree(sbsec);
314 }
315
316 /* The file system's label must be initialized prior to use. */
317
318 static const char *labeling_behaviors[7] = {
319         "uses xattr",
320         "uses transition SIDs",
321         "uses task SIDs",
322         "uses genfs_contexts",
323         "not configured for labeling",
324         "uses mountpoint labeling",
325         "uses native labeling",
326 };
327
328 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
329
330 static inline int inode_doinit(struct inode *inode)
331 {
332         return inode_doinit_with_dentry(inode, NULL);
333 }
334
335 enum {
336         Opt_error = -1,
337         Opt_context = 1,
338         Opt_fscontext = 2,
339         Opt_defcontext = 3,
340         Opt_rootcontext = 4,
341         Opt_labelsupport = 5,
342         Opt_nextmntopt = 6,
343 };
344
345 #define NUM_SEL_MNT_OPTS        (Opt_nextmntopt - 1)
346
347 static const match_table_t tokens = {
348         {Opt_context, CONTEXT_STR "%s"},
349         {Opt_fscontext, FSCONTEXT_STR "%s"},
350         {Opt_defcontext, DEFCONTEXT_STR "%s"},
351         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
352         {Opt_labelsupport, LABELSUPP_STR},
353         {Opt_error, NULL},
354 };
355
356 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
357
358 static int may_context_mount_sb_relabel(u32 sid,
359                         struct superblock_security_struct *sbsec,
360                         const struct cred *cred)
361 {
362         const struct task_security_struct *tsec = cred->security;
363         int rc;
364
365         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
366                           FILESYSTEM__RELABELFROM, NULL);
367         if (rc)
368                 return rc;
369
370         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
371                           FILESYSTEM__RELABELTO, NULL);
372         return rc;
373 }
374
375 static int may_context_mount_inode_relabel(u32 sid,
376                         struct superblock_security_struct *sbsec,
377                         const struct cred *cred)
378 {
379         const struct task_security_struct *tsec = cred->security;
380         int rc;
381         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
382                           FILESYSTEM__RELABELFROM, NULL);
383         if (rc)
384                 return rc;
385
386         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
387                           FILESYSTEM__ASSOCIATE, NULL);
388         return rc;
389 }
390
391 static int selinux_is_sblabel_mnt(struct super_block *sb)
392 {
393         struct superblock_security_struct *sbsec = sb->s_security;
394
395         if (sbsec->behavior == SECURITY_FS_USE_XATTR ||
396             sbsec->behavior == SECURITY_FS_USE_TRANS ||
397             sbsec->behavior == SECURITY_FS_USE_TASK)
398                 return 1;
399
400         /* Special handling for sysfs. Is genfs but also has setxattr handler*/
401         if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
402                 return 1;
403
404         /*
405          * Special handling for rootfs. Is genfs but supports
406          * setting SELinux context on in-core inodes.
407          */
408         if (strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0)
409                 return 1;
410
411         return 0;
412 }
413
414 static int sb_finish_set_opts(struct super_block *sb)
415 {
416         struct superblock_security_struct *sbsec = sb->s_security;
417         struct dentry *root = sb->s_root;
418         struct inode *root_inode = root->d_inode;
419         int rc = 0;
420
421         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
422                 /* Make sure that the xattr handler exists and that no
423                    error other than -ENODATA is returned by getxattr on
424                    the root directory.  -ENODATA is ok, as this may be
425                    the first boot of the SELinux kernel before we have
426                    assigned xattr values to the filesystem. */
427                 if (!root_inode->i_op->getxattr) {
428                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
429                                "xattr support\n", sb->s_id, sb->s_type->name);
430                         rc = -EOPNOTSUPP;
431                         goto out;
432                 }
433                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
434                 if (rc < 0 && rc != -ENODATA) {
435                         if (rc == -EOPNOTSUPP)
436                                 printk(KERN_WARNING "SELinux: (dev %s, type "
437                                        "%s) has no security xattr handler\n",
438                                        sb->s_id, sb->s_type->name);
439                         else
440                                 printk(KERN_WARNING "SELinux: (dev %s, type "
441                                        "%s) getxattr errno %d\n", sb->s_id,
442                                        sb->s_type->name, -rc);
443                         goto out;
444                 }
445         }
446
447         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
448                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
449                        sb->s_id, sb->s_type->name);
450         else
451                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
452                        sb->s_id, sb->s_type->name,
453                        labeling_behaviors[sbsec->behavior-1]);
454
455         sbsec->flags |= SE_SBINITIALIZED;
456         if (selinux_is_sblabel_mnt(sb))
457                 sbsec->flags |= SBLABEL_MNT;
458
459         /* Initialize the root inode. */
460         rc = inode_doinit_with_dentry(root_inode, root);
461
462         /* Initialize any other inodes associated with the superblock, e.g.
463            inodes created prior to initial policy load or inodes created
464            during get_sb by a pseudo filesystem that directly
465            populates itself. */
466         spin_lock(&sbsec->isec_lock);
467 next_inode:
468         if (!list_empty(&sbsec->isec_head)) {
469                 struct inode_security_struct *isec =
470                                 list_entry(sbsec->isec_head.next,
471                                            struct inode_security_struct, list);
472                 struct inode *inode = isec->inode;
473                 spin_unlock(&sbsec->isec_lock);
474                 inode = igrab(inode);
475                 if (inode) {
476                         if (!IS_PRIVATE(inode))
477                                 inode_doinit(inode);
478                         iput(inode);
479                 }
480                 spin_lock(&sbsec->isec_lock);
481                 list_del_init(&isec->list);
482                 goto next_inode;
483         }
484         spin_unlock(&sbsec->isec_lock);
485 out:
486         return rc;
487 }
488
489 /*
490  * This function should allow an FS to ask what it's mount security
491  * options were so it can use those later for submounts, displaying
492  * mount options, or whatever.
493  */
494 static int selinux_get_mnt_opts(const struct super_block *sb,
495                                 struct security_mnt_opts *opts)
496 {
497         int rc = 0, i;
498         struct superblock_security_struct *sbsec = sb->s_security;
499         char *context = NULL;
500         u32 len;
501         char tmp;
502
503         security_init_mnt_opts(opts);
504
505         if (!(sbsec->flags & SE_SBINITIALIZED))
506                 return -EINVAL;
507
508         if (!ss_initialized)
509                 return -EINVAL;
510
511         /* make sure we always check enough bits to cover the mask */
512         BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
513
514         tmp = sbsec->flags & SE_MNTMASK;
515         /* count the number of mount options for this sb */
516         for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
517                 if (tmp & 0x01)
518                         opts->num_mnt_opts++;
519                 tmp >>= 1;
520         }
521         /* Check if the Label support flag is set */
522         if (sbsec->flags & SBLABEL_MNT)
523                 opts->num_mnt_opts++;
524
525         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
526         if (!opts->mnt_opts) {
527                 rc = -ENOMEM;
528                 goto out_free;
529         }
530
531         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
532         if (!opts->mnt_opts_flags) {
533                 rc = -ENOMEM;
534                 goto out_free;
535         }
536
537         i = 0;
538         if (sbsec->flags & FSCONTEXT_MNT) {
539                 rc = security_sid_to_context(sbsec->sid, &context, &len);
540                 if (rc)
541                         goto out_free;
542                 opts->mnt_opts[i] = context;
543                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
544         }
545         if (sbsec->flags & CONTEXT_MNT) {
546                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
547                 if (rc)
548                         goto out_free;
549                 opts->mnt_opts[i] = context;
550                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
551         }
552         if (sbsec->flags & DEFCONTEXT_MNT) {
553                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
554                 if (rc)
555                         goto out_free;
556                 opts->mnt_opts[i] = context;
557                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
558         }
559         if (sbsec->flags & ROOTCONTEXT_MNT) {
560                 struct inode *root = sbsec->sb->s_root->d_inode;
561                 struct inode_security_struct *isec = root->i_security;
562
563                 rc = security_sid_to_context(isec->sid, &context, &len);
564                 if (rc)
565                         goto out_free;
566                 opts->mnt_opts[i] = context;
567                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
568         }
569         if (sbsec->flags & SBLABEL_MNT) {
570                 opts->mnt_opts[i] = NULL;
571                 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
572         }
573
574         BUG_ON(i != opts->num_mnt_opts);
575
576         return 0;
577
578 out_free:
579         security_free_mnt_opts(opts);
580         return rc;
581 }
582
583 static int bad_option(struct superblock_security_struct *sbsec, char flag,
584                       u32 old_sid, u32 new_sid)
585 {
586         char mnt_flags = sbsec->flags & SE_MNTMASK;
587
588         /* check if the old mount command had the same options */
589         if (sbsec->flags & SE_SBINITIALIZED)
590                 if (!(sbsec->flags & flag) ||
591                     (old_sid != new_sid))
592                         return 1;
593
594         /* check if we were passed the same options twice,
595          * aka someone passed context=a,context=b
596          */
597         if (!(sbsec->flags & SE_SBINITIALIZED))
598                 if (mnt_flags & flag)
599                         return 1;
600         return 0;
601 }
602
603 /*
604  * Allow filesystems with binary mount data to explicitly set mount point
605  * labeling information.
606  */
607 static int selinux_set_mnt_opts(struct super_block *sb,
608                                 struct security_mnt_opts *opts,
609                                 unsigned long kern_flags,
610                                 unsigned long *set_kern_flags)
611 {
612         const struct cred *cred = current_cred();
613         int rc = 0, i;
614         struct superblock_security_struct *sbsec = sb->s_security;
615         const char *name = sb->s_type->name;
616         struct inode *inode = sbsec->sb->s_root->d_inode;
617         struct inode_security_struct *root_isec = inode->i_security;
618         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
619         u32 defcontext_sid = 0;
620         char **mount_options = opts->mnt_opts;
621         int *flags = opts->mnt_opts_flags;
622         int num_opts = opts->num_mnt_opts;
623
624         mutex_lock(&sbsec->lock);
625
626         if (!ss_initialized) {
627                 if (!num_opts) {
628                         /* Defer initialization until selinux_complete_init,
629                            after the initial policy is loaded and the security
630                            server is ready to handle calls. */
631                         goto out;
632                 }
633                 rc = -EINVAL;
634                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
635                         "before the security server is initialized\n");
636                 goto out;
637         }
638         if (kern_flags && !set_kern_flags) {
639                 /* Specifying internal flags without providing a place to
640                  * place the results is not allowed */
641                 rc = -EINVAL;
642                 goto out;
643         }
644
645         /*
646          * Binary mount data FS will come through this function twice.  Once
647          * from an explicit call and once from the generic calls from the vfs.
648          * Since the generic VFS calls will not contain any security mount data
649          * we need to skip the double mount verification.
650          *
651          * This does open a hole in which we will not notice if the first
652          * mount using this sb set explict options and a second mount using
653          * this sb does not set any security options.  (The first options
654          * will be used for both mounts)
655          */
656         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
657             && (num_opts == 0))
658                 goto out;
659
660         /*
661          * parse the mount options, check if they are valid sids.
662          * also check if someone is trying to mount the same sb more
663          * than once with different security options.
664          */
665         for (i = 0; i < num_opts; i++) {
666                 u32 sid;
667
668                 if (flags[i] == SBLABEL_MNT)
669                         continue;
670                 rc = security_context_to_sid(mount_options[i],
671                                              strlen(mount_options[i]), &sid, GFP_KERNEL);
672                 if (rc) {
673                         printk(KERN_WARNING "SELinux: security_context_to_sid"
674                                "(%s) failed for (dev %s, type %s) errno=%d\n",
675                                mount_options[i], sb->s_id, name, rc);
676                         goto out;
677                 }
678                 switch (flags[i]) {
679                 case FSCONTEXT_MNT:
680                         fscontext_sid = sid;
681
682                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
683                                         fscontext_sid))
684                                 goto out_double_mount;
685
686                         sbsec->flags |= FSCONTEXT_MNT;
687                         break;
688                 case CONTEXT_MNT:
689                         context_sid = sid;
690
691                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
692                                         context_sid))
693                                 goto out_double_mount;
694
695                         sbsec->flags |= CONTEXT_MNT;
696                         break;
697                 case ROOTCONTEXT_MNT:
698                         rootcontext_sid = sid;
699
700                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
701                                         rootcontext_sid))
702                                 goto out_double_mount;
703
704                         sbsec->flags |= ROOTCONTEXT_MNT;
705
706                         break;
707                 case DEFCONTEXT_MNT:
708                         defcontext_sid = sid;
709
710                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
711                                         defcontext_sid))
712                                 goto out_double_mount;
713
714                         sbsec->flags |= DEFCONTEXT_MNT;
715
716                         break;
717                 default:
718                         rc = -EINVAL;
719                         goto out;
720                 }
721         }
722
723         if (sbsec->flags & SE_SBINITIALIZED) {
724                 /* previously mounted with options, but not on this attempt? */
725                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
726                         goto out_double_mount;
727                 rc = 0;
728                 goto out;
729         }
730
731         if (strcmp(sb->s_type->name, "proc") == 0)
732                 sbsec->flags |= SE_SBPROC;
733
734         if (!sbsec->behavior) {
735                 /*
736                  * Determine the labeling behavior to use for this
737                  * filesystem type.
738                  */
739                 rc = security_fs_use(sb);
740                 if (rc) {
741                         printk(KERN_WARNING
742                                 "%s: security_fs_use(%s) returned %d\n",
743                                         __func__, sb->s_type->name, rc);
744                         goto out;
745                 }
746         }
747         /* sets the context of the superblock for the fs being mounted. */
748         if (fscontext_sid) {
749                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
750                 if (rc)
751                         goto out;
752
753                 sbsec->sid = fscontext_sid;
754         }
755
756         /*
757          * Switch to using mount point labeling behavior.
758          * sets the label used on all file below the mountpoint, and will set
759          * the superblock context if not already set.
760          */
761         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
762                 sbsec->behavior = SECURITY_FS_USE_NATIVE;
763                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
764         }
765
766         if (context_sid) {
767                 if (!fscontext_sid) {
768                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
769                                                           cred);
770                         if (rc)
771                                 goto out;
772                         sbsec->sid = context_sid;
773                 } else {
774                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
775                                                              cred);
776                         if (rc)
777                                 goto out;
778                 }
779                 if (!rootcontext_sid)
780                         rootcontext_sid = context_sid;
781
782                 sbsec->mntpoint_sid = context_sid;
783                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
784         }
785
786         if (rootcontext_sid) {
787                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
788                                                      cred);
789                 if (rc)
790                         goto out;
791
792                 root_isec->sid = rootcontext_sid;
793                 root_isec->initialized = 1;
794         }
795
796         if (defcontext_sid) {
797                 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
798                         sbsec->behavior != SECURITY_FS_USE_NATIVE) {
799                         rc = -EINVAL;
800                         printk(KERN_WARNING "SELinux: defcontext option is "
801                                "invalid for this filesystem type\n");
802                         goto out;
803                 }
804
805                 if (defcontext_sid != sbsec->def_sid) {
806                         rc = may_context_mount_inode_relabel(defcontext_sid,
807                                                              sbsec, cred);
808                         if (rc)
809                                 goto out;
810                 }
811
812                 sbsec->def_sid = defcontext_sid;
813         }
814
815         rc = sb_finish_set_opts(sb);
816 out:
817         mutex_unlock(&sbsec->lock);
818         return rc;
819 out_double_mount:
820         rc = -EINVAL;
821         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
822                "security settings for (dev %s, type %s)\n", sb->s_id, name);
823         goto out;
824 }
825
826 static int selinux_cmp_sb_context(const struct super_block *oldsb,
827                                     const struct super_block *newsb)
828 {
829         struct superblock_security_struct *old = oldsb->s_security;
830         struct superblock_security_struct *new = newsb->s_security;
831         char oldflags = old->flags & SE_MNTMASK;
832         char newflags = new->flags & SE_MNTMASK;
833
834         if (oldflags != newflags)
835                 goto mismatch;
836         if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
837                 goto mismatch;
838         if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
839                 goto mismatch;
840         if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
841                 goto mismatch;
842         if (oldflags & ROOTCONTEXT_MNT) {
843                 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
844                 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
845                 if (oldroot->sid != newroot->sid)
846                         goto mismatch;
847         }
848         return 0;
849 mismatch:
850         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
851                             "different security settings for (dev %s, "
852                             "type %s)\n", newsb->s_id, newsb->s_type->name);
853         return -EBUSY;
854 }
855
856 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
857                                         struct super_block *newsb)
858 {
859         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
860         struct superblock_security_struct *newsbsec = newsb->s_security;
861
862         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
863         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
864         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
865
866         /*
867          * if the parent was able to be mounted it clearly had no special lsm
868          * mount options.  thus we can safely deal with this superblock later
869          */
870         if (!ss_initialized)
871                 return 0;
872
873         /* how can we clone if the old one wasn't set up?? */
874         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
875
876         /* if fs is reusing a sb, make sure that the contexts match */
877         if (newsbsec->flags & SE_SBINITIALIZED)
878                 return selinux_cmp_sb_context(oldsb, newsb);
879
880         mutex_lock(&newsbsec->lock);
881
882         newsbsec->flags = oldsbsec->flags;
883
884         newsbsec->sid = oldsbsec->sid;
885         newsbsec->def_sid = oldsbsec->def_sid;
886         newsbsec->behavior = oldsbsec->behavior;
887
888         if (set_context) {
889                 u32 sid = oldsbsec->mntpoint_sid;
890
891                 if (!set_fscontext)
892                         newsbsec->sid = sid;
893                 if (!set_rootcontext) {
894                         struct inode *newinode = newsb->s_root->d_inode;
895                         struct inode_security_struct *newisec = newinode->i_security;
896                         newisec->sid = sid;
897                 }
898                 newsbsec->mntpoint_sid = sid;
899         }
900         if (set_rootcontext) {
901                 const struct inode *oldinode = oldsb->s_root->d_inode;
902                 const struct inode_security_struct *oldisec = oldinode->i_security;
903                 struct inode *newinode = newsb->s_root->d_inode;
904                 struct inode_security_struct *newisec = newinode->i_security;
905
906                 newisec->sid = oldisec->sid;
907         }
908
909         sb_finish_set_opts(newsb);
910         mutex_unlock(&newsbsec->lock);
911         return 0;
912 }
913
914 static int selinux_parse_opts_str(char *options,
915                                   struct security_mnt_opts *opts)
916 {
917         char *p;
918         char *context = NULL, *defcontext = NULL;
919         char *fscontext = NULL, *rootcontext = NULL;
920         int rc, num_mnt_opts = 0;
921
922         opts->num_mnt_opts = 0;
923
924         /* Standard string-based options. */
925         while ((p = strsep(&options, "|")) != NULL) {
926                 int token;
927                 substring_t args[MAX_OPT_ARGS];
928
929                 if (!*p)
930                         continue;
931
932                 token = match_token(p, tokens, args);
933
934                 switch (token) {
935                 case Opt_context:
936                         if (context || defcontext) {
937                                 rc = -EINVAL;
938                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
939                                 goto out_err;
940                         }
941                         context = match_strdup(&args[0]);
942                         if (!context) {
943                                 rc = -ENOMEM;
944                                 goto out_err;
945                         }
946                         break;
947
948                 case Opt_fscontext:
949                         if (fscontext) {
950                                 rc = -EINVAL;
951                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
952                                 goto out_err;
953                         }
954                         fscontext = match_strdup(&args[0]);
955                         if (!fscontext) {
956                                 rc = -ENOMEM;
957                                 goto out_err;
958                         }
959                         break;
960
961                 case Opt_rootcontext:
962                         if (rootcontext) {
963                                 rc = -EINVAL;
964                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
965                                 goto out_err;
966                         }
967                         rootcontext = match_strdup(&args[0]);
968                         if (!rootcontext) {
969                                 rc = -ENOMEM;
970                                 goto out_err;
971                         }
972                         break;
973
974                 case Opt_defcontext:
975                         if (context || defcontext) {
976                                 rc = -EINVAL;
977                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
978                                 goto out_err;
979                         }
980                         defcontext = match_strdup(&args[0]);
981                         if (!defcontext) {
982                                 rc = -ENOMEM;
983                                 goto out_err;
984                         }
985                         break;
986                 case Opt_labelsupport:
987                         break;
988                 default:
989                         rc = -EINVAL;
990                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
991                         goto out_err;
992
993                 }
994         }
995
996         rc = -ENOMEM;
997         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
998         if (!opts->mnt_opts)
999                 goto out_err;
1000
1001         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1002         if (!opts->mnt_opts_flags) {
1003                 kfree(opts->mnt_opts);
1004                 goto out_err;
1005         }
1006
1007         if (fscontext) {
1008                 opts->mnt_opts[num_mnt_opts] = fscontext;
1009                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1010         }
1011         if (context) {
1012                 opts->mnt_opts[num_mnt_opts] = context;
1013                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1014         }
1015         if (rootcontext) {
1016                 opts->mnt_opts[num_mnt_opts] = rootcontext;
1017                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1018         }
1019         if (defcontext) {
1020                 opts->mnt_opts[num_mnt_opts] = defcontext;
1021                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1022         }
1023
1024         opts->num_mnt_opts = num_mnt_opts;
1025         return 0;
1026
1027 out_err:
1028         kfree(context);
1029         kfree(defcontext);
1030         kfree(fscontext);
1031         kfree(rootcontext);
1032         return rc;
1033 }
1034 /*
1035  * string mount options parsing and call set the sbsec
1036  */
1037 static int superblock_doinit(struct super_block *sb, void *data)
1038 {
1039         int rc = 0;
1040         char *options = data;
1041         struct security_mnt_opts opts;
1042
1043         security_init_mnt_opts(&opts);
1044
1045         if (!data)
1046                 goto out;
1047
1048         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1049
1050         rc = selinux_parse_opts_str(options, &opts);
1051         if (rc)
1052                 goto out_err;
1053
1054 out:
1055         rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1056
1057 out_err:
1058         security_free_mnt_opts(&opts);
1059         return rc;
1060 }
1061
1062 static void selinux_write_opts(struct seq_file *m,
1063                                struct security_mnt_opts *opts)
1064 {
1065         int i;
1066         char *prefix;
1067
1068         for (i = 0; i < opts->num_mnt_opts; i++) {
1069                 char *has_comma;
1070
1071                 if (opts->mnt_opts[i])
1072                         has_comma = strchr(opts->mnt_opts[i], ',');
1073                 else
1074                         has_comma = NULL;
1075
1076                 switch (opts->mnt_opts_flags[i]) {
1077                 case CONTEXT_MNT:
1078                         prefix = CONTEXT_STR;
1079                         break;
1080                 case FSCONTEXT_MNT:
1081                         prefix = FSCONTEXT_STR;
1082                         break;
1083                 case ROOTCONTEXT_MNT:
1084                         prefix = ROOTCONTEXT_STR;
1085                         break;
1086                 case DEFCONTEXT_MNT:
1087                         prefix = DEFCONTEXT_STR;
1088                         break;
1089                 case SBLABEL_MNT:
1090                         seq_putc(m, ',');
1091                         seq_puts(m, LABELSUPP_STR);
1092                         continue;
1093                 default:
1094                         BUG();
1095                         return;
1096                 };
1097                 /* we need a comma before each option */
1098                 seq_putc(m, ',');
1099                 seq_puts(m, prefix);
1100                 if (has_comma)
1101                         seq_putc(m, '\"');
1102                 seq_puts(m, opts->mnt_opts[i]);
1103                 if (has_comma)
1104                         seq_putc(m, '\"');
1105         }
1106 }
1107
1108 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1109 {
1110         struct security_mnt_opts opts;
1111         int rc;
1112
1113         rc = selinux_get_mnt_opts(sb, &opts);
1114         if (rc) {
1115                 /* before policy load we may get EINVAL, don't show anything */
1116                 if (rc == -EINVAL)
1117                         rc = 0;
1118                 return rc;
1119         }
1120
1121         selinux_write_opts(m, &opts);
1122
1123         security_free_mnt_opts(&opts);
1124
1125         return rc;
1126 }
1127
1128 static inline u16 inode_mode_to_security_class(umode_t mode)
1129 {
1130         switch (mode & S_IFMT) {
1131         case S_IFSOCK:
1132                 return SECCLASS_SOCK_FILE;
1133         case S_IFLNK:
1134                 return SECCLASS_LNK_FILE;
1135         case S_IFREG:
1136                 return SECCLASS_FILE;
1137         case S_IFBLK:
1138                 return SECCLASS_BLK_FILE;
1139         case S_IFDIR:
1140                 return SECCLASS_DIR;
1141         case S_IFCHR:
1142                 return SECCLASS_CHR_FILE;
1143         case S_IFIFO:
1144                 return SECCLASS_FIFO_FILE;
1145
1146         }
1147
1148         return SECCLASS_FILE;
1149 }
1150
1151 static inline int default_protocol_stream(int protocol)
1152 {
1153         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1154 }
1155
1156 static inline int default_protocol_dgram(int protocol)
1157 {
1158         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1159 }
1160
1161 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1162 {
1163         switch (family) {
1164         case PF_UNIX:
1165                 switch (type) {
1166                 case SOCK_STREAM:
1167                 case SOCK_SEQPACKET:
1168                         return SECCLASS_UNIX_STREAM_SOCKET;
1169                 case SOCK_DGRAM:
1170                         return SECCLASS_UNIX_DGRAM_SOCKET;
1171                 }
1172                 break;
1173         case PF_INET:
1174         case PF_INET6:
1175                 switch (type) {
1176                 case SOCK_STREAM:
1177                         if (default_protocol_stream(protocol))
1178                                 return SECCLASS_TCP_SOCKET;
1179                         else
1180                                 return SECCLASS_RAWIP_SOCKET;
1181                 case SOCK_DGRAM:
1182                         if (default_protocol_dgram(protocol))
1183                                 return SECCLASS_UDP_SOCKET;
1184                         else
1185                                 return SECCLASS_RAWIP_SOCKET;
1186                 case SOCK_DCCP:
1187                         return SECCLASS_DCCP_SOCKET;
1188                 default:
1189                         return SECCLASS_RAWIP_SOCKET;
1190                 }
1191                 break;
1192         case PF_NETLINK:
1193                 switch (protocol) {
1194                 case NETLINK_ROUTE:
1195                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1196                 case NETLINK_FIREWALL:
1197                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1198                 case NETLINK_SOCK_DIAG:
1199                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1200                 case NETLINK_NFLOG:
1201                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1202                 case NETLINK_XFRM:
1203                         return SECCLASS_NETLINK_XFRM_SOCKET;
1204                 case NETLINK_SELINUX:
1205                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1206                 case NETLINK_AUDIT:
1207                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1208                 case NETLINK_IP6_FW:
1209                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1210                 case NETLINK_DNRTMSG:
1211                         return SECCLASS_NETLINK_DNRT_SOCKET;
1212                 case NETLINK_KOBJECT_UEVENT:
1213                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1214                 default:
1215                         return SECCLASS_NETLINK_SOCKET;
1216                 }
1217         case PF_PACKET:
1218                 return SECCLASS_PACKET_SOCKET;
1219         case PF_KEY:
1220                 return SECCLASS_KEY_SOCKET;
1221         case PF_APPLETALK:
1222                 return SECCLASS_APPLETALK_SOCKET;
1223         }
1224
1225         return SECCLASS_SOCKET;
1226 }
1227
1228 #ifdef CONFIG_PROC_FS
1229 static int selinux_proc_get_sid(struct dentry *dentry,
1230                                 u16 tclass,
1231                                 u32 *sid)
1232 {
1233         int rc;
1234         char *buffer, *path;
1235
1236         buffer = (char *)__get_free_page(GFP_KERNEL);
1237         if (!buffer)
1238                 return -ENOMEM;
1239
1240         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1241         if (IS_ERR(path))
1242                 rc = PTR_ERR(path);
1243         else {
1244                 /* each process gets a /proc/PID/ entry. Strip off the
1245                  * PID part to get a valid selinux labeling.
1246                  * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1247                 while (path[1] >= '0' && path[1] <= '9') {
1248                         path[1] = '/';
1249                         path++;
1250                 }
1251                 rc = security_genfs_sid("proc", path, tclass, sid);
1252         }
1253         free_page((unsigned long)buffer);
1254         return rc;
1255 }
1256 #else
1257 static int selinux_proc_get_sid(struct dentry *dentry,
1258                                 u16 tclass,
1259                                 u32 *sid)
1260 {
1261         return -EINVAL;
1262 }
1263 #endif
1264
1265 /* The inode's security attributes must be initialized before first use. */
1266 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1267 {
1268         struct superblock_security_struct *sbsec = NULL;
1269         struct inode_security_struct *isec = inode->i_security;
1270         u32 sid;
1271         struct dentry *dentry;
1272 #define INITCONTEXTLEN 255
1273         char *context = NULL;
1274         unsigned len = 0;
1275         int rc = 0;
1276
1277         if (isec->initialized)
1278                 goto out;
1279
1280         mutex_lock(&isec->lock);
1281         if (isec->initialized)
1282                 goto out_unlock;
1283
1284         sbsec = inode->i_sb->s_security;
1285         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1286                 /* Defer initialization until selinux_complete_init,
1287                    after the initial policy is loaded and the security
1288                    server is ready to handle calls. */
1289                 spin_lock(&sbsec->isec_lock);
1290                 if (list_empty(&isec->list))
1291                         list_add(&isec->list, &sbsec->isec_head);
1292                 spin_unlock(&sbsec->isec_lock);
1293                 goto out_unlock;
1294         }
1295
1296         switch (sbsec->behavior) {
1297         case SECURITY_FS_USE_NATIVE:
1298                 break;
1299         case SECURITY_FS_USE_XATTR:
1300                 if (!inode->i_op->getxattr) {
1301                         isec->sid = sbsec->def_sid;
1302                         break;
1303                 }
1304
1305                 /* Need a dentry, since the xattr API requires one.
1306                    Life would be simpler if we could just pass the inode. */
1307                 if (opt_dentry) {
1308                         /* Called from d_instantiate or d_splice_alias. */
1309                         dentry = dget(opt_dentry);
1310                 } else {
1311                         /* Called from selinux_complete_init, try to find a dentry. */
1312                         dentry = d_find_alias(inode);
1313                 }
1314                 if (!dentry) {
1315                         /*
1316                          * this is can be hit on boot when a file is accessed
1317                          * before the policy is loaded.  When we load policy we
1318                          * may find inodes that have no dentry on the
1319                          * sbsec->isec_head list.  No reason to complain as these
1320                          * will get fixed up the next time we go through
1321                          * inode_doinit with a dentry, before these inodes could
1322                          * be used again by userspace.
1323                          */
1324                         goto out_unlock;
1325                 }
1326
1327                 len = INITCONTEXTLEN;
1328                 context = kmalloc(len+1, GFP_NOFS);
1329                 if (!context) {
1330                         rc = -ENOMEM;
1331                         dput(dentry);
1332                         goto out_unlock;
1333                 }
1334                 context[len] = '\0';
1335                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1336                                            context, len);
1337                 if (rc == -ERANGE) {
1338                         kfree(context);
1339
1340                         /* Need a larger buffer.  Query for the right size. */
1341                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1342                                                    NULL, 0);
1343                         if (rc < 0) {
1344                                 dput(dentry);
1345                                 goto out_unlock;
1346                         }
1347                         len = rc;
1348                         context = kmalloc(len+1, GFP_NOFS);
1349                         if (!context) {
1350                                 rc = -ENOMEM;
1351                                 dput(dentry);
1352                                 goto out_unlock;
1353                         }
1354                         context[len] = '\0';
1355                         rc = inode->i_op->getxattr(dentry,
1356                                                    XATTR_NAME_SELINUX,
1357                                                    context, len);
1358                 }
1359                 dput(dentry);
1360                 if (rc < 0) {
1361                         if (rc != -ENODATA) {
1362                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1363                                        "%d for dev=%s ino=%ld\n", __func__,
1364                                        -rc, inode->i_sb->s_id, inode->i_ino);
1365                                 kfree(context);
1366                                 goto out_unlock;
1367                         }
1368                         /* Map ENODATA to the default file SID */
1369                         sid = sbsec->def_sid;
1370                         rc = 0;
1371                 } else {
1372                         rc = security_context_to_sid_default(context, rc, &sid,
1373                                                              sbsec->def_sid,
1374                                                              GFP_NOFS);
1375                         if (rc) {
1376                                 char *dev = inode->i_sb->s_id;
1377                                 unsigned long ino = inode->i_ino;
1378
1379                                 if (rc == -EINVAL) {
1380                                         if (printk_ratelimit())
1381                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1382                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1383                                                         "filesystem in question.\n", ino, dev, context);
1384                                 } else {
1385                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1386                                                "returned %d for dev=%s ino=%ld\n",
1387                                                __func__, context, -rc, dev, ino);
1388                                 }
1389                                 kfree(context);
1390                                 /* Leave with the unlabeled SID */
1391                                 rc = 0;
1392                                 break;
1393                         }
1394                 }
1395                 kfree(context);
1396                 isec->sid = sid;
1397                 break;
1398         case SECURITY_FS_USE_TASK:
1399                 isec->sid = isec->task_sid;
1400                 break;
1401         case SECURITY_FS_USE_TRANS:
1402                 /* Default to the fs SID. */
1403                 isec->sid = sbsec->sid;
1404
1405                 /* Try to obtain a transition SID. */
1406                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1407                 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1408                                              isec->sclass, NULL, &sid);
1409                 if (rc)
1410                         goto out_unlock;
1411                 isec->sid = sid;
1412                 break;
1413         case SECURITY_FS_USE_MNTPOINT:
1414                 isec->sid = sbsec->mntpoint_sid;
1415                 break;
1416         default:
1417                 /* Default to the fs superblock SID. */
1418                 isec->sid = sbsec->sid;
1419
1420                 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1421                         /* We must have a dentry to determine the label on
1422                          * procfs inodes */
1423                         if (opt_dentry)
1424                                 /* Called from d_instantiate or
1425                                  * d_splice_alias. */
1426                                 dentry = dget(opt_dentry);
1427                         else
1428                                 /* Called from selinux_complete_init, try to
1429                                  * find a dentry. */
1430                                 dentry = d_find_alias(inode);
1431                         /*
1432                          * This can be hit on boot when a file is accessed
1433                          * before the policy is loaded.  When we load policy we
1434                          * may find inodes that have no dentry on the
1435                          * sbsec->isec_head list.  No reason to complain as
1436                          * these will get fixed up the next time we go through
1437                          * inode_doinit() with a dentry, before these inodes
1438                          * could be used again by userspace.
1439                          */
1440                         if (!dentry)
1441                                 goto out_unlock;
1442                         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1443                         rc = selinux_proc_get_sid(dentry, isec->sclass, &sid);
1444                         dput(dentry);
1445                         if (rc)
1446                                 goto out_unlock;
1447                         isec->sid = sid;
1448                 }
1449                 break;
1450         }
1451
1452         isec->initialized = 1;
1453
1454 out_unlock:
1455         mutex_unlock(&isec->lock);
1456 out:
1457         if (isec->sclass == SECCLASS_FILE)
1458                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1459         return rc;
1460 }
1461
1462 /* Convert a Linux signal to an access vector. */
1463 static inline u32 signal_to_av(int sig)
1464 {
1465         u32 perm = 0;
1466
1467         switch (sig) {
1468         case SIGCHLD:
1469                 /* Commonly granted from child to parent. */
1470                 perm = PROCESS__SIGCHLD;
1471                 break;
1472         case SIGKILL:
1473                 /* Cannot be caught or ignored */
1474                 perm = PROCESS__SIGKILL;
1475                 break;
1476         case SIGSTOP:
1477                 /* Cannot be caught or ignored */
1478                 perm = PROCESS__SIGSTOP;
1479                 break;
1480         default:
1481                 /* All other signals. */
1482                 perm = PROCESS__SIGNAL;
1483                 break;
1484         }
1485
1486         return perm;
1487 }
1488
1489 /*
1490  * Check permission between a pair of credentials
1491  * fork check, ptrace check, etc.
1492  */
1493 static int cred_has_perm(const struct cred *actor,
1494                          const struct cred *target,
1495                          u32 perms)
1496 {
1497         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1498
1499         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1500 }
1501
1502 /*
1503  * Check permission between a pair of tasks, e.g. signal checks,
1504  * fork check, ptrace check, etc.
1505  * tsk1 is the actor and tsk2 is the target
1506  * - this uses the default subjective creds of tsk1
1507  */
1508 static int task_has_perm(const struct task_struct *tsk1,
1509                          const struct task_struct *tsk2,
1510                          u32 perms)
1511 {
1512         const struct task_security_struct *__tsec1, *__tsec2;
1513         u32 sid1, sid2;
1514
1515         rcu_read_lock();
1516         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1517         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1518         rcu_read_unlock();
1519         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1520 }
1521
1522 /*
1523  * Check permission between current and another task, e.g. signal checks,
1524  * fork check, ptrace check, etc.
1525  * current is the actor and tsk2 is the target
1526  * - this uses current's subjective creds
1527  */
1528 static int current_has_perm(const struct task_struct *tsk,
1529                             u32 perms)
1530 {
1531         u32 sid, tsid;
1532
1533         sid = current_sid();
1534         tsid = task_sid(tsk);
1535         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1536 }
1537
1538 #if CAP_LAST_CAP > 63
1539 #error Fix SELinux to handle capabilities > 63.
1540 #endif
1541
1542 /* Check whether a task is allowed to use a capability. */
1543 static int cred_has_capability(const struct cred *cred,
1544                                int cap, int audit)
1545 {
1546         struct common_audit_data ad;
1547         struct av_decision avd;
1548         u16 sclass;
1549         u32 sid = cred_sid(cred);
1550         u32 av = CAP_TO_MASK(cap);
1551         int rc;
1552
1553         ad.type = LSM_AUDIT_DATA_CAP;
1554         ad.u.cap = cap;
1555
1556         switch (CAP_TO_INDEX(cap)) {
1557         case 0:
1558                 sclass = SECCLASS_CAPABILITY;
1559                 break;
1560         case 1:
1561                 sclass = SECCLASS_CAPABILITY2;
1562                 break;
1563         default:
1564                 printk(KERN_ERR
1565                        "SELinux:  out of range capability %d\n", cap);
1566                 BUG();
1567                 return -EINVAL;
1568         }
1569
1570         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1571         if (audit == SECURITY_CAP_AUDIT) {
1572                 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1573                 if (rc2)
1574                         return rc2;
1575         }
1576         return rc;
1577 }
1578
1579 /* Check whether a task is allowed to use a system operation. */
1580 static int task_has_system(struct task_struct *tsk,
1581                            u32 perms)
1582 {
1583         u32 sid = task_sid(tsk);
1584
1585         return avc_has_perm(sid, SECINITSID_KERNEL,
1586                             SECCLASS_SYSTEM, perms, NULL);
1587 }
1588
1589 /* Check whether a task has a particular permission to an inode.
1590    The 'adp' parameter is optional and allows other audit
1591    data to be passed (e.g. the dentry). */
1592 static int inode_has_perm(const struct cred *cred,
1593                           struct inode *inode,
1594                           u32 perms,
1595                           struct common_audit_data *adp)
1596 {
1597         struct inode_security_struct *isec;
1598         u32 sid;
1599
1600         validate_creds(cred);
1601
1602         if (unlikely(IS_PRIVATE(inode)))
1603                 return 0;
1604
1605         sid = cred_sid(cred);
1606         isec = inode->i_security;
1607
1608         return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1609 }
1610
1611 /* Same as inode_has_perm, but pass explicit audit data containing
1612    the dentry to help the auditing code to more easily generate the
1613    pathname if needed. */
1614 static inline int dentry_has_perm(const struct cred *cred,
1615                                   struct dentry *dentry,
1616                                   u32 av)
1617 {
1618         struct inode *inode = dentry->d_inode;
1619         struct common_audit_data ad;
1620
1621         ad.type = LSM_AUDIT_DATA_DENTRY;
1622         ad.u.dentry = dentry;
1623         return inode_has_perm(cred, inode, av, &ad);
1624 }
1625
1626 /* Same as inode_has_perm, but pass explicit audit data containing
1627    the path to help the auditing code to more easily generate the
1628    pathname if needed. */
1629 static inline int path_has_perm(const struct cred *cred,
1630                                 struct path *path,
1631                                 u32 av)
1632 {
1633         struct inode *inode = path->dentry->d_inode;
1634         struct common_audit_data ad;
1635
1636         ad.type = LSM_AUDIT_DATA_PATH;
1637         ad.u.path = *path;
1638         return inode_has_perm(cred, inode, av, &ad);
1639 }
1640
1641 /* Same as path_has_perm, but uses the inode from the file struct. */
1642 static inline int file_path_has_perm(const struct cred *cred,
1643                                      struct file *file,
1644                                      u32 av)
1645 {
1646         struct common_audit_data ad;
1647
1648         ad.type = LSM_AUDIT_DATA_PATH;
1649         ad.u.path = file->f_path;
1650         return inode_has_perm(cred, file_inode(file), av, &ad);
1651 }
1652
1653 /* Check whether a task can use an open file descriptor to
1654    access an inode in a given way.  Check access to the
1655    descriptor itself, and then use dentry_has_perm to
1656    check a particular permission to the file.
1657    Access to the descriptor is implicitly granted if it
1658    has the same SID as the process.  If av is zero, then
1659    access to the file is not checked, e.g. for cases
1660    where only the descriptor is affected like seek. */
1661 static int file_has_perm(const struct cred *cred,
1662                          struct file *file,
1663                          u32 av)
1664 {
1665         struct file_security_struct *fsec = file->f_security;
1666         struct inode *inode = file_inode(file);
1667         struct common_audit_data ad;
1668         u32 sid = cred_sid(cred);
1669         int rc;
1670
1671         ad.type = LSM_AUDIT_DATA_PATH;
1672         ad.u.path = file->f_path;
1673
1674         if (sid != fsec->sid) {
1675                 rc = avc_has_perm(sid, fsec->sid,
1676                                   SECCLASS_FD,
1677                                   FD__USE,
1678                                   &ad);
1679                 if (rc)
1680                         goto out;
1681         }
1682
1683         /* av is zero if only checking access to the descriptor. */
1684         rc = 0;
1685         if (av)
1686                 rc = inode_has_perm(cred, inode, av, &ad);
1687
1688 out:
1689         return rc;
1690 }
1691
1692 /* Check whether a task can create a file. */
1693 static int may_create(struct inode *dir,
1694                       struct dentry *dentry,
1695                       u16 tclass)
1696 {
1697         const struct task_security_struct *tsec = current_security();
1698         struct inode_security_struct *dsec;
1699         struct superblock_security_struct *sbsec;
1700         u32 sid, newsid;
1701         struct common_audit_data ad;
1702         int rc;
1703
1704         dsec = dir->i_security;
1705         sbsec = dir->i_sb->s_security;
1706
1707         sid = tsec->sid;
1708         newsid = tsec->create_sid;
1709
1710         ad.type = LSM_AUDIT_DATA_DENTRY;
1711         ad.u.dentry = dentry;
1712
1713         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1714                           DIR__ADD_NAME | DIR__SEARCH,
1715                           &ad);
1716         if (rc)
1717                 return rc;
1718
1719         if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
1720                 rc = security_transition_sid(sid, dsec->sid, tclass,
1721                                              &dentry->d_name, &newsid);
1722                 if (rc)
1723                         return rc;
1724         }
1725
1726         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1727         if (rc)
1728                 return rc;
1729
1730         return avc_has_perm(newsid, sbsec->sid,
1731                             SECCLASS_FILESYSTEM,
1732                             FILESYSTEM__ASSOCIATE, &ad);
1733 }
1734
1735 /* Check whether a task can create a key. */
1736 static int may_create_key(u32 ksid,
1737                           struct task_struct *ctx)
1738 {
1739         u32 sid = task_sid(ctx);
1740
1741         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1742 }
1743
1744 #define MAY_LINK        0
1745 #define MAY_UNLINK      1
1746 #define MAY_RMDIR       2
1747
1748 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1749 static int may_link(struct inode *dir,
1750                     struct dentry *dentry,
1751                     int kind)
1752
1753 {
1754         struct inode_security_struct *dsec, *isec;
1755         struct common_audit_data ad;
1756         u32 sid = current_sid();
1757         u32 av;
1758         int rc;
1759
1760         dsec = dir->i_security;
1761         isec = dentry->d_inode->i_security;
1762
1763         ad.type = LSM_AUDIT_DATA_DENTRY;
1764         ad.u.dentry = dentry;
1765
1766         av = DIR__SEARCH;
1767         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1768         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1769         if (rc)
1770                 return rc;
1771
1772         switch (kind) {
1773         case MAY_LINK:
1774                 av = FILE__LINK;
1775                 break;
1776         case MAY_UNLINK:
1777                 av = FILE__UNLINK;
1778                 break;
1779         case MAY_RMDIR:
1780                 av = DIR__RMDIR;
1781                 break;
1782         default:
1783                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1784                         __func__, kind);
1785                 return 0;
1786         }
1787
1788         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1789         return rc;
1790 }
1791
1792 static inline int may_rename(struct inode *old_dir,
1793                              struct dentry *old_dentry,
1794                              struct inode *new_dir,
1795                              struct dentry *new_dentry)
1796 {
1797         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1798         struct common_audit_data ad;
1799         u32 sid = current_sid();
1800         u32 av;
1801         int old_is_dir, new_is_dir;
1802         int rc;
1803
1804         old_dsec = old_dir->i_security;
1805         old_isec = old_dentry->d_inode->i_security;
1806         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1807         new_dsec = new_dir->i_security;
1808
1809         ad.type = LSM_AUDIT_DATA_DENTRY;
1810
1811         ad.u.dentry = old_dentry;
1812         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1813                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1814         if (rc)
1815                 return rc;
1816         rc = avc_has_perm(sid, old_isec->sid,
1817                           old_isec->sclass, FILE__RENAME, &ad);
1818         if (rc)
1819                 return rc;
1820         if (old_is_dir && new_dir != old_dir) {
1821                 rc = avc_has_perm(sid, old_isec->sid,
1822                                   old_isec->sclass, DIR__REPARENT, &ad);
1823                 if (rc)
1824                         return rc;
1825         }
1826
1827         ad.u.dentry = new_dentry;
1828         av = DIR__ADD_NAME | DIR__SEARCH;
1829         if (new_dentry->d_inode)
1830                 av |= DIR__REMOVE_NAME;
1831         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1832         if (rc)
1833                 return rc;
1834         if (new_dentry->d_inode) {
1835                 new_isec = new_dentry->d_inode->i_security;
1836                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1837                 rc = avc_has_perm(sid, new_isec->sid,
1838                                   new_isec->sclass,
1839                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1840                 if (rc)
1841                         return rc;
1842         }
1843
1844         return 0;
1845 }
1846
1847 /* Check whether a task can perform a filesystem operation. */
1848 static int superblock_has_perm(const struct cred *cred,
1849                                struct super_block *sb,
1850                                u32 perms,
1851                                struct common_audit_data *ad)
1852 {
1853         struct superblock_security_struct *sbsec;
1854         u32 sid = cred_sid(cred);
1855
1856         sbsec = sb->s_security;
1857         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1858 }
1859
1860 /* Convert a Linux mode and permission mask to an access vector. */
1861 static inline u32 file_mask_to_av(int mode, int mask)
1862 {
1863         u32 av = 0;
1864
1865         if (!S_ISDIR(mode)) {
1866                 if (mask & MAY_EXEC)
1867                         av |= FILE__EXECUTE;
1868                 if (mask & MAY_READ)
1869                         av |= FILE__READ;
1870
1871                 if (mask & MAY_APPEND)
1872                         av |= FILE__APPEND;
1873                 else if (mask & MAY_WRITE)
1874                         av |= FILE__WRITE;
1875
1876         } else {
1877                 if (mask & MAY_EXEC)
1878                         av |= DIR__SEARCH;
1879                 if (mask & MAY_WRITE)
1880                         av |= DIR__WRITE;
1881                 if (mask & MAY_READ)
1882                         av |= DIR__READ;
1883         }
1884
1885         return av;
1886 }
1887
1888 /* Convert a Linux file to an access vector. */
1889 static inline u32 file_to_av(struct file *file)
1890 {
1891         u32 av = 0;
1892
1893         if (file->f_mode & FMODE_READ)
1894                 av |= FILE__READ;
1895         if (file->f_mode & FMODE_WRITE) {
1896                 if (file->f_flags & O_APPEND)
1897                         av |= FILE__APPEND;
1898                 else
1899                         av |= FILE__WRITE;
1900         }
1901         if (!av) {
1902                 /*
1903                  * Special file opened with flags 3 for ioctl-only use.
1904                  */
1905                 av = FILE__IOCTL;
1906         }
1907
1908         return av;
1909 }
1910
1911 /*
1912  * Convert a file to an access vector and include the correct open
1913  * open permission.
1914  */
1915 static inline u32 open_file_to_av(struct file *file)
1916 {
1917         u32 av = file_to_av(file);
1918
1919         if (selinux_policycap_openperm)
1920                 av |= FILE__OPEN;
1921
1922         return av;
1923 }
1924
1925 /* Hook functions begin here. */
1926
1927 static int selinux_ptrace_access_check(struct task_struct *child,
1928                                      unsigned int mode)
1929 {
1930         int rc;
1931
1932         rc = cap_ptrace_access_check(child, mode);
1933         if (rc)
1934                 return rc;
1935
1936         if (mode & PTRACE_MODE_READ) {
1937                 u32 sid = current_sid();
1938                 u32 csid = task_sid(child);
1939                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1940         }
1941
1942         return current_has_perm(child, PROCESS__PTRACE);
1943 }
1944
1945 static int selinux_ptrace_traceme(struct task_struct *parent)
1946 {
1947         int rc;
1948
1949         rc = cap_ptrace_traceme(parent);
1950         if (rc)
1951                 return rc;
1952
1953         return task_has_perm(parent, current, PROCESS__PTRACE);
1954 }
1955
1956 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1957                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1958 {
1959         int error;
1960
1961         error = current_has_perm(target, PROCESS__GETCAP);
1962         if (error)
1963                 return error;
1964
1965         return cap_capget(target, effective, inheritable, permitted);
1966 }
1967
1968 static int selinux_capset(struct cred *new, const struct cred *old,
1969                           const kernel_cap_t *effective,
1970                           const kernel_cap_t *inheritable,
1971                           const kernel_cap_t *permitted)
1972 {
1973         int error;
1974
1975         error = cap_capset(new, old,
1976                                       effective, inheritable, permitted);
1977         if (error)
1978                 return error;
1979
1980         return cred_has_perm(old, new, PROCESS__SETCAP);
1981 }
1982
1983 /*
1984  * (This comment used to live with the selinux_task_setuid hook,
1985  * which was removed).
1986  *
1987  * Since setuid only affects the current process, and since the SELinux
1988  * controls are not based on the Linux identity attributes, SELinux does not
1989  * need to control this operation.  However, SELinux does control the use of
1990  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1991  */
1992
1993 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1994                            int cap, int audit)
1995 {
1996         int rc;
1997
1998         rc = cap_capable(cred, ns, cap, audit);
1999         if (rc)
2000                 return rc;
2001
2002         return cred_has_capability(cred, cap, audit);
2003 }
2004
2005 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2006 {
2007         const struct cred *cred = current_cred();
2008         int rc = 0;
2009
2010         if (!sb)
2011                 return 0;
2012
2013         switch (cmds) {
2014         case Q_SYNC:
2015         case Q_QUOTAON:
2016         case Q_QUOTAOFF:
2017         case Q_SETINFO:
2018         case Q_SETQUOTA:
2019                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2020                 break;
2021         case Q_GETFMT:
2022         case Q_GETINFO:
2023         case Q_GETQUOTA:
2024                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2025                 break;
2026         default:
2027                 rc = 0;  /* let the kernel handle invalid cmds */
2028                 break;
2029         }
2030         return rc;
2031 }
2032
2033 static int selinux_quota_on(struct dentry *dentry)
2034 {
2035         const struct cred *cred = current_cred();
2036
2037         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2038 }
2039
2040 static int selinux_syslog(int type)
2041 {
2042         int rc;
2043
2044         switch (type) {
2045         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
2046         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2047                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2048                 break;
2049         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2050         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
2051         /* Set level of messages printed to console */
2052         case SYSLOG_ACTION_CONSOLE_LEVEL:
2053                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2054                 break;
2055         case SYSLOG_ACTION_CLOSE:       /* Close log */
2056         case SYSLOG_ACTION_OPEN:        /* Open log */
2057         case SYSLOG_ACTION_READ:        /* Read from log */
2058         case SYSLOG_ACTION_READ_CLEAR:  /* Read/clear last kernel messages */
2059         case SYSLOG_ACTION_CLEAR:       /* Clear ring buffer */
2060         default:
2061                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2062                 break;
2063         }
2064         return rc;
2065 }
2066
2067 /*
2068  * Check that a process has enough memory to allocate a new virtual
2069  * mapping. 0 means there is enough memory for the allocation to
2070  * succeed and -ENOMEM implies there is not.
2071  *
2072  * Do not audit the selinux permission check, as this is applied to all
2073  * processes that allocate mappings.
2074  */
2075 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2076 {
2077         int rc, cap_sys_admin = 0;
2078
2079         rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
2080                              SECURITY_CAP_NOAUDIT);
2081         if (rc == 0)
2082                 cap_sys_admin = 1;
2083
2084         return __vm_enough_memory(mm, pages, cap_sys_admin);
2085 }
2086
2087 /* binprm security operations */
2088
2089 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2090 {
2091         const struct task_security_struct *old_tsec;
2092         struct task_security_struct *new_tsec;
2093         struct inode_security_struct *isec;
2094         struct common_audit_data ad;
2095         struct inode *inode = file_inode(bprm->file);
2096         int rc;
2097
2098         rc = cap_bprm_set_creds(bprm);
2099         if (rc)
2100                 return rc;
2101
2102         /* SELinux context only depends on initial program or script and not
2103          * the script interpreter */
2104         if (bprm->cred_prepared)
2105                 return 0;
2106
2107         old_tsec = current_security();
2108         new_tsec = bprm->cred->security;
2109         isec = inode->i_security;
2110
2111         /* Default to the current task SID. */
2112         new_tsec->sid = old_tsec->sid;
2113         new_tsec->osid = old_tsec->sid;
2114
2115         /* Reset fs, key, and sock SIDs on execve. */
2116         new_tsec->create_sid = 0;
2117         new_tsec->keycreate_sid = 0;
2118         new_tsec->sockcreate_sid = 0;
2119
2120         if (old_tsec->exec_sid) {
2121                 new_tsec->sid = old_tsec->exec_sid;
2122                 /* Reset exec SID on execve. */
2123                 new_tsec->exec_sid = 0;
2124
2125                 /*
2126                  * Minimize confusion: if no_new_privs or nosuid and a
2127                  * transition is explicitly requested, then fail the exec.
2128                  */
2129                 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
2130                         return -EPERM;
2131                 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2132                         return -EACCES;
2133         } else {
2134                 /* Check for a default transition on this program. */
2135                 rc = security_transition_sid(old_tsec->sid, isec->sid,
2136                                              SECCLASS_PROCESS, NULL,
2137                                              &new_tsec->sid);
2138                 if (rc)
2139                         return rc;
2140         }
2141
2142         ad.type = LSM_AUDIT_DATA_PATH;
2143         ad.u.path = bprm->file->f_path;
2144
2145         if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
2146             (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
2147                 new_tsec->sid = old_tsec->sid;
2148
2149         if (new_tsec->sid == old_tsec->sid) {
2150                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2151                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2152                 if (rc)
2153                         return rc;
2154         } else {
2155                 /* Check permissions for the transition. */
2156                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2157                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2158                 if (rc)
2159                         return rc;
2160
2161                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2162                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2163                 if (rc)
2164                         return rc;
2165
2166                 /* Check for shared state */
2167                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2168                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2169                                           SECCLASS_PROCESS, PROCESS__SHARE,
2170                                           NULL);
2171                         if (rc)
2172                                 return -EPERM;
2173                 }
2174
2175                 /* Make sure that anyone attempting to ptrace over a task that
2176                  * changes its SID has the appropriate permit */
2177                 if (bprm->unsafe &
2178                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2179                         struct task_struct *tracer;
2180                         struct task_security_struct *sec;
2181                         u32 ptsid = 0;
2182
2183                         rcu_read_lock();
2184                         tracer = ptrace_parent(current);
2185                         if (likely(tracer != NULL)) {
2186                                 sec = __task_cred(tracer)->security;
2187                                 ptsid = sec->sid;
2188                         }
2189                         rcu_read_unlock();
2190
2191                         if (ptsid != 0) {
2192                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2193                                                   SECCLASS_PROCESS,
2194                                                   PROCESS__PTRACE, NULL);
2195                                 if (rc)
2196                                         return -EPERM;
2197                         }
2198                 }
2199
2200                 /* Clear any possibly unsafe personality bits on exec: */
2201                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2202         }
2203
2204         return 0;
2205 }
2206
2207 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2208 {
2209         const struct task_security_struct *tsec = current_security();
2210         u32 sid, osid;
2211         int atsecure = 0;
2212
2213         sid = tsec->sid;
2214         osid = tsec->osid;
2215
2216         if (osid != sid) {
2217                 /* Enable secure mode for SIDs transitions unless
2218                    the noatsecure permission is granted between
2219                    the two SIDs, i.e. ahp returns 0. */
2220                 atsecure = avc_has_perm(osid, sid,
2221                                         SECCLASS_PROCESS,
2222                                         PROCESS__NOATSECURE, NULL);
2223         }
2224
2225         return (atsecure || cap_bprm_secureexec(bprm));
2226 }
2227
2228 static int match_file(const void *p, struct file *file, unsigned fd)
2229 {
2230         return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2231 }
2232
2233 /* Derived from fs/exec.c:flush_old_files. */
2234 static inline void flush_unauthorized_files(const struct cred *cred,
2235                                             struct files_struct *files)
2236 {
2237         struct file *file, *devnull = NULL;
2238         struct tty_struct *tty;
2239         int drop_tty = 0;
2240         unsigned n;
2241
2242         tty = get_current_tty();
2243         if (tty) {
2244                 spin_lock(&tty_files_lock);
2245                 if (!list_empty(&tty->tty_files)) {
2246                         struct tty_file_private *file_priv;
2247
2248                         /* Revalidate access to controlling tty.
2249                            Use file_path_has_perm on the tty path directly
2250                            rather than using file_has_perm, as this particular
2251                            open file may belong to another process and we are
2252                            only interested in the inode-based check here. */
2253                         file_priv = list_first_entry(&tty->tty_files,
2254                                                 struct tty_file_private, list);
2255                         file = file_priv->file;
2256                         if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2257                                 drop_tty = 1;
2258                 }
2259                 spin_unlock(&tty_files_lock);
2260                 tty_kref_put(tty);
2261         }
2262         /* Reset controlling tty. */
2263         if (drop_tty)
2264                 no_tty();
2265
2266         /* Revalidate access to inherited open files. */
2267         n = iterate_fd(files, 0, match_file, cred);
2268         if (!n) /* none found? */
2269                 return;
2270
2271         devnull = dentry_open(&selinux_null, O_RDWR, cred);
2272         if (IS_ERR(devnull))
2273                 devnull = NULL;
2274         /* replace all the matching ones with this */
2275         do {
2276                 replace_fd(n - 1, devnull, 0);
2277         } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2278         if (devnull)
2279                 fput(devnull);
2280 }
2281
2282 /*
2283  * Prepare a process for imminent new credential changes due to exec
2284  */
2285 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2286 {
2287         struct task_security_struct *new_tsec;
2288         struct rlimit *rlim, *initrlim;
2289         int rc, i;
2290
2291         new_tsec = bprm->cred->security;
2292         if (new_tsec->sid == new_tsec->osid)
2293                 return;
2294
2295         /* Close files for which the new task SID is not authorized. */
2296         flush_unauthorized_files(bprm->cred, current->files);
2297
2298         /* Always clear parent death signal on SID transitions. */
2299         current->pdeath_signal = 0;
2300
2301         /* Check whether the new SID can inherit resource limits from the old
2302          * SID.  If not, reset all soft limits to the lower of the current
2303          * task's hard limit and the init task's soft limit.
2304          *
2305          * Note that the setting of hard limits (even to lower them) can be
2306          * controlled by the setrlimit check.  The inclusion of the init task's
2307          * soft limit into the computation is to avoid resetting soft limits
2308          * higher than the default soft limit for cases where the default is
2309          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2310          */
2311         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2312                           PROCESS__RLIMITINH, NULL);
2313         if (rc) {
2314                 /* protect against do_prlimit() */
2315                 task_lock(current);
2316                 for (i = 0; i < RLIM_NLIMITS; i++) {
2317                         rlim = current->signal->rlim + i;
2318                         initrlim = init_task.signal->rlim + i;
2319                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2320                 }
2321                 task_unlock(current);
2322                 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2323         }
2324 }
2325
2326 /*
2327  * Clean up the process immediately after the installation of new credentials
2328  * due to exec
2329  */
2330 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2331 {
2332         const struct task_security_struct *tsec = current_security();
2333         struct itimerval itimer;
2334         u32 osid, sid;
2335         int rc, i;
2336
2337         osid = tsec->osid;
2338         sid = tsec->sid;
2339
2340         if (sid == osid)
2341                 return;
2342
2343         /* Check whether the new SID can inherit signal state from the old SID.
2344          * If not, clear itimers to avoid subsequent signal generation and
2345          * flush and unblock signals.
2346          *
2347          * This must occur _after_ the task SID has been updated so that any
2348          * kill done after the flush will be checked against the new SID.
2349          */
2350         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2351         if (rc) {
2352                 memset(&itimer, 0, sizeof itimer);
2353                 for (i = 0; i < 3; i++)
2354                         do_setitimer(i, &itimer, NULL);
2355                 spin_lock_irq(&current->sighand->siglock);
2356                 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2357                         __flush_signals(current);
2358                         flush_signal_handlers(current, 1);
2359                         sigemptyset(&current->blocked);
2360                 }
2361                 spin_unlock_irq(&current->sighand->siglock);
2362         }
2363
2364         /* Wake up the parent if it is waiting so that it can recheck
2365          * wait permission to the new task SID. */
2366         read_lock(&tasklist_lock);
2367         __wake_up_parent(current, current->real_parent);
2368         read_unlock(&tasklist_lock);
2369 }
2370
2371 /* superblock security operations */
2372
2373 static int selinux_sb_alloc_security(struct super_block *sb)
2374 {
2375         return superblock_alloc_security(sb);
2376 }
2377
2378 static void selinux_sb_free_security(struct super_block *sb)
2379 {
2380         superblock_free_security(sb);
2381 }
2382
2383 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2384 {
2385         if (plen > olen)
2386                 return 0;
2387
2388         return !memcmp(prefix, option, plen);
2389 }
2390
2391 static inline int selinux_option(char *option, int len)
2392 {
2393         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2394                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2395                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2396                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2397                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2398 }
2399
2400 static inline void take_option(char **to, char *from, int *first, int len)
2401 {
2402         if (!*first) {
2403                 **to = ',';
2404                 *to += 1;
2405         } else
2406                 *first = 0;
2407         memcpy(*to, from, len);
2408         *to += len;
2409 }
2410
2411 static inline void take_selinux_option(char **to, char *from, int *first,
2412                                        int len)
2413 {
2414         int current_size = 0;
2415
2416         if (!*first) {
2417                 **to = '|';
2418                 *to += 1;
2419         } else
2420                 *first = 0;
2421
2422         while (current_size < len) {
2423                 if (*from != '"') {
2424                         **to = *from;
2425                         *to += 1;
2426                 }
2427                 from += 1;
2428                 current_size += 1;
2429         }
2430 }
2431
2432 static int selinux_sb_copy_data(char *orig, char *copy)
2433 {
2434         int fnosec, fsec, rc = 0;
2435         char *in_save, *in_curr, *in_end;
2436         char *sec_curr, *nosec_save, *nosec;
2437         int open_quote = 0;
2438
2439         in_curr = orig;
2440         sec_curr = copy;
2441
2442         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2443         if (!nosec) {
2444                 rc = -ENOMEM;
2445                 goto out;
2446         }
2447
2448         nosec_save = nosec;
2449         fnosec = fsec = 1;
2450         in_save = in_end = orig;
2451
2452         do {
2453                 if (*in_end == '"')
2454                         open_quote = !open_quote;
2455                 if ((*in_end == ',' && open_quote == 0) ||
2456                                 *in_end == '\0') {
2457                         int len = in_end - in_curr;
2458
2459                         if (selinux_option(in_curr, len))
2460                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2461                         else
2462                                 take_option(&nosec, in_curr, &fnosec, len);
2463
2464                         in_curr = in_end + 1;
2465                 }
2466         } while (*in_end++);
2467
2468         strcpy(in_save, nosec_save);
2469         free_page((unsigned long)nosec_save);
2470 out:
2471         return rc;
2472 }
2473
2474 static int selinux_sb_remount(struct super_block *sb, void *data)
2475 {
2476         int rc, i, *flags;
2477         struct security_mnt_opts opts;
2478         char *secdata, **mount_options;
2479         struct superblock_security_struct *sbsec = sb->s_security;
2480
2481         if (!(sbsec->flags & SE_SBINITIALIZED))
2482                 return 0;
2483
2484         if (!data)
2485                 return 0;
2486
2487         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2488                 return 0;
2489
2490         security_init_mnt_opts(&opts);
2491         secdata = alloc_secdata();
2492         if (!secdata)
2493                 return -ENOMEM;
2494         rc = selinux_sb_copy_data(data, secdata);
2495         if (rc)
2496                 goto out_free_secdata;
2497
2498         rc = selinux_parse_opts_str(secdata, &opts);
2499         if (rc)
2500                 goto out_free_secdata;
2501
2502         mount_options = opts.mnt_opts;
2503         flags = opts.mnt_opts_flags;
2504
2505         for (i = 0; i < opts.num_mnt_opts; i++) {
2506                 u32 sid;
2507                 size_t len;
2508
2509                 if (flags[i] == SBLABEL_MNT)
2510                         continue;
2511                 len = strlen(mount_options[i]);
2512                 rc = security_context_to_sid(mount_options[i], len, &sid,
2513                                              GFP_KERNEL);
2514                 if (rc) {
2515                         printk(KERN_WARNING "SELinux: security_context_to_sid"
2516                                "(%s) failed for (dev %s, type %s) errno=%d\n",
2517                                mount_options[i], sb->s_id, sb->s_type->name, rc);
2518                         goto out_free_opts;
2519                 }
2520                 rc = -EINVAL;
2521                 switch (flags[i]) {
2522                 case FSCONTEXT_MNT:
2523                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2524                                 goto out_bad_option;
2525                         break;
2526                 case CONTEXT_MNT:
2527                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2528                                 goto out_bad_option;
2529                         break;
2530                 case ROOTCONTEXT_MNT: {
2531                         struct inode_security_struct *root_isec;
2532                         root_isec = sb->s_root->d_inode->i_security;
2533
2534                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2535                                 goto out_bad_option;
2536                         break;
2537                 }
2538                 case DEFCONTEXT_MNT:
2539                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2540                                 goto out_bad_option;
2541                         break;
2542                 default:
2543                         goto out_free_opts;
2544                 }
2545         }
2546
2547         rc = 0;
2548 out_free_opts:
2549         security_free_mnt_opts(&opts);
2550 out_free_secdata:
2551         free_secdata(secdata);
2552         return rc;
2553 out_bad_option:
2554         printk(KERN_WARNING "SELinux: unable to change security options "
2555                "during remount (dev %s, type=%s)\n", sb->s_id,
2556                sb->s_type->name);
2557         goto out_free_opts;
2558 }
2559
2560 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2561 {
2562         const struct cred *cred = current_cred();
2563         struct common_audit_data ad;
2564         int rc;
2565
2566         rc = superblock_doinit(sb, data);
2567         if (rc)
2568                 return rc;
2569
2570         /* Allow all mounts performed by the kernel */
2571         if (flags & MS_KERNMOUNT)
2572                 return 0;
2573
2574         ad.type = LSM_AUDIT_DATA_DENTRY;
2575         ad.u.dentry = sb->s_root;
2576         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2577 }
2578
2579 static int selinux_sb_statfs(struct dentry *dentry)
2580 {
2581         const struct cred *cred = current_cred();
2582         struct common_audit_data ad;
2583
2584         ad.type = LSM_AUDIT_DATA_DENTRY;
2585         ad.u.dentry = dentry->d_sb->s_root;
2586         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2587 }
2588
2589 static int selinux_mount(const char *dev_name,
2590                          struct path *path,
2591                          const char *type,
2592                          unsigned long flags,
2593                          void *data)
2594 {
2595         const struct cred *cred = current_cred();
2596
2597         if (flags & MS_REMOUNT)
2598                 return superblock_has_perm(cred, path->dentry->d_sb,
2599                                            FILESYSTEM__REMOUNT, NULL);
2600         else
2601                 return path_has_perm(cred, path, FILE__MOUNTON);
2602 }
2603
2604 static int selinux_umount(struct vfsmount *mnt, int flags)
2605 {
2606         const struct cred *cred = current_cred();
2607
2608         return superblock_has_perm(cred, mnt->mnt_sb,
2609                                    FILESYSTEM__UNMOUNT, NULL);
2610 }
2611
2612 /* inode security operations */
2613
2614 static int selinux_inode_alloc_security(struct inode *inode)
2615 {
2616         return inode_alloc_security(inode);
2617 }
2618
2619 static void selinux_inode_free_security(struct inode *inode)
2620 {
2621         inode_free_security(inode);
2622 }
2623
2624 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2625                                         struct qstr *name, void **ctx,
2626                                         u32 *ctxlen)
2627 {
2628         const struct cred *cred = current_cred();
2629         struct task_security_struct *tsec;
2630         struct inode_security_struct *dsec;
2631         struct superblock_security_struct *sbsec;
2632         struct inode *dir = dentry->d_parent->d_inode;
2633         u32 newsid;
2634         int rc;
2635
2636         tsec = cred->security;
2637         dsec = dir->i_security;
2638         sbsec = dir->i_sb->s_security;
2639
2640         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2641                 newsid = tsec->create_sid;
2642         } else {
2643                 rc = security_transition_sid(tsec->sid, dsec->sid,
2644                                              inode_mode_to_security_class(mode),
2645                                              name,
2646                                              &newsid);
2647                 if (rc) {
2648                         printk(KERN_WARNING
2649                                 "%s: security_transition_sid failed, rc=%d\n",
2650                                __func__, -rc);
2651                         return rc;
2652                 }
2653         }
2654
2655         return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2656 }
2657
2658 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2659                                        const struct qstr *qstr,
2660                                        const char **name,
2661                                        void **value, size_t *len)
2662 {
2663         const struct task_security_struct *tsec = current_security();
2664         struct inode_security_struct *dsec;
2665         struct superblock_security_struct *sbsec;
2666         u32 sid, newsid, clen;
2667         int rc;
2668         char *context;
2669
2670         dsec = dir->i_security;
2671         sbsec = dir->i_sb->s_security;
2672
2673         sid = tsec->sid;
2674         newsid = tsec->create_sid;
2675
2676         if ((sbsec->flags & SE_SBINITIALIZED) &&
2677             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2678                 newsid = sbsec->mntpoint_sid;
2679         else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
2680                 rc = security_transition_sid(sid, dsec->sid,
2681                                              inode_mode_to_security_class(inode->i_mode),
2682                                              qstr, &newsid);
2683                 if (rc) {
2684                         printk(KERN_WARNING "%s:  "
2685                                "security_transition_sid failed, rc=%d (dev=%s "
2686                                "ino=%ld)\n",
2687                                __func__,
2688                                -rc, inode->i_sb->s_id, inode->i_ino);
2689                         return rc;
2690                 }
2691         }
2692
2693         /* Possibly defer initialization to selinux_complete_init. */
2694         if (sbsec->flags & SE_SBINITIALIZED) {
2695                 struct inode_security_struct *isec = inode->i_security;
2696                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2697                 isec->sid = newsid;
2698                 isec->initialized = 1;
2699         }
2700
2701         if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2702                 return -EOPNOTSUPP;
2703
2704         if (name)
2705                 *name = XATTR_SELINUX_SUFFIX;
2706
2707         if (value && len) {
2708                 rc = security_sid_to_context_force(newsid, &context, &clen);
2709                 if (rc)
2710                         return rc;
2711                 *value = context;
2712                 *len = clen;
2713         }
2714
2715         return 0;
2716 }
2717
2718 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2719 {
2720         return may_create(dir, dentry, SECCLASS_FILE);
2721 }
2722
2723 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2724 {
2725         return may_link(dir, old_dentry, MAY_LINK);
2726 }
2727
2728 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2729 {
2730         return may_link(dir, dentry, MAY_UNLINK);
2731 }
2732
2733 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2734 {
2735         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2736 }
2737
2738 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2739 {
2740         return may_create(dir, dentry, SECCLASS_DIR);
2741 }
2742
2743 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2744 {
2745         return may_link(dir, dentry, MAY_RMDIR);
2746 }
2747
2748 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2749 {
2750         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2751 }
2752
2753 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2754                                 struct inode *new_inode, struct dentry *new_dentry)
2755 {
2756         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2757 }
2758
2759 static int selinux_inode_readlink(struct dentry *dentry)
2760 {
2761         const struct cred *cred = current_cred();
2762
2763         return dentry_has_perm(cred, dentry, FILE__READ);
2764 }
2765
2766 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2767 {
2768         const struct cred *cred = current_cred();
2769
2770         return dentry_has_perm(cred, dentry, FILE__READ);
2771 }
2772
2773 static noinline int audit_inode_permission(struct inode *inode,
2774                                            u32 perms, u32 audited, u32 denied,
2775                                            int result,
2776                                            unsigned flags)
2777 {
2778         struct common_audit_data ad;
2779         struct inode_security_struct *isec = inode->i_security;
2780         int rc;
2781
2782         ad.type = LSM_AUDIT_DATA_INODE;
2783         ad.u.inode = inode;
2784
2785         rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2786                             audited, denied, result, &ad, flags);
2787         if (rc)
2788                 return rc;
2789         return 0;
2790 }
2791
2792 static int selinux_inode_permission(struct inode *inode, int mask)
2793 {
2794         const struct cred *cred = current_cred();
2795         u32 perms;
2796         bool from_access;
2797         unsigned flags = mask & MAY_NOT_BLOCK;
2798         struct inode_security_struct *isec;
2799         u32 sid;
2800         struct av_decision avd;
2801         int rc, rc2;
2802         u32 audited, denied;
2803
2804         from_access = mask & MAY_ACCESS;
2805         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2806
2807         /* No permission to check.  Existence test. */
2808         if (!mask)
2809                 return 0;
2810
2811         validate_creds(cred);
2812
2813         if (unlikely(IS_PRIVATE(inode)))
2814                 return 0;
2815
2816         perms = file_mask_to_av(inode->i_mode, mask);
2817
2818         sid = cred_sid(cred);
2819         isec = inode->i_security;
2820
2821         rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2822         audited = avc_audit_required(perms, &avd, rc,
2823                                      from_access ? FILE__AUDIT_ACCESS : 0,
2824                                      &denied);
2825         if (likely(!audited))
2826                 return rc;
2827
2828         rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2829         if (rc2)
2830                 return rc2;
2831         return rc;
2832 }
2833
2834 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2835 {
2836         const struct cred *cred = current_cred();
2837         unsigned int ia_valid = iattr->ia_valid;
2838         __u32 av = FILE__WRITE;
2839
2840         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2841         if (ia_valid & ATTR_FORCE) {
2842                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2843                               ATTR_FORCE);
2844                 if (!ia_valid)
2845                         return 0;
2846         }
2847
2848         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2849                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2850                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2851
2852         if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
2853                 av |= FILE__OPEN;
2854
2855         return dentry_has_perm(cred, dentry, av);
2856 }
2857
2858 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2859 {
2860         const struct cred *cred = current_cred();
2861         struct path path;
2862
2863         path.dentry = dentry;
2864         path.mnt = mnt;
2865
2866         return path_has_perm(cred, &path, FILE__GETATTR);
2867 }
2868
2869 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2870 {
2871         const struct cred *cred = current_cred();
2872
2873         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2874                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2875                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2876                         if (!capable(CAP_SETFCAP))
2877                                 return -EPERM;
2878                 } else if (!capable(CAP_SYS_ADMIN)) {
2879                         /* A different attribute in the security namespace.
2880                            Restrict to administrator. */
2881                         return -EPERM;
2882                 }
2883         }
2884
2885         /* Not an attribute we recognize, so just check the
2886            ordinary setattr permission. */
2887         return dentry_has_perm(cred, dentry, FILE__SETATTR);
2888 }
2889
2890 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2891                                   const void *value, size_t size, int flags)
2892 {
2893         struct inode *inode = dentry->d_inode;
2894         struct inode_security_struct *isec = inode->i_security;
2895         struct superblock_security_struct *sbsec;
2896         struct common_audit_data ad;
2897         u32 newsid, sid = current_sid();
2898         int rc = 0;
2899
2900         if (strcmp(name, XATTR_NAME_SELINUX))
2901                 return selinux_inode_setotherxattr(dentry, name);
2902
2903         sbsec = inode->i_sb->s_security;
2904         if (!(sbsec->flags & SBLABEL_MNT))
2905                 return -EOPNOTSUPP;
2906
2907         if (!inode_owner_or_capable(inode))
2908                 return -EPERM;
2909
2910         ad.type = LSM_AUDIT_DATA_DENTRY;
2911         ad.u.dentry = dentry;
2912
2913         rc = avc_has_perm(sid, isec->sid, isec->sclass,
2914                           FILE__RELABELFROM, &ad);
2915         if (rc)
2916                 return rc;
2917
2918         rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
2919         if (rc == -EINVAL) {
2920                 if (!capable(CAP_MAC_ADMIN)) {
2921                         struct audit_buffer *ab;
2922                         size_t audit_size;
2923                         const char *str;
2924
2925                         /* We strip a nul only if it is at the end, otherwise the
2926                          * context contains a nul and we should audit that */
2927                         if (value) {
2928                                 str = value;
2929                                 if (str[size - 1] == '\0')
2930                                         audit_size = size - 1;
2931                                 else
2932                                         audit_size = size;
2933                         } else {
2934                                 str = "";
2935                                 audit_size = 0;
2936                         }
2937                         ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2938                         audit_log_format(ab, "op=setxattr invalid_context=");
2939                         audit_log_n_untrustedstring(ab, value, audit_size);
2940                         audit_log_end(ab);
2941
2942                         return rc;
2943                 }
2944                 rc = security_context_to_sid_force(value, size, &newsid);
2945         }
2946         if (rc)
2947                 return rc;
2948
2949         rc = avc_has_perm(sid, newsid, isec->sclass,
2950                           FILE__RELABELTO, &ad);
2951         if (rc)
2952                 return rc;
2953
2954         rc = security_validate_transition(isec->sid, newsid, sid,
2955                                           isec->sclass);
2956         if (rc)
2957                 return rc;
2958
2959         return avc_has_perm(newsid,
2960                             sbsec->sid,
2961                             SECCLASS_FILESYSTEM,
2962                             FILESYSTEM__ASSOCIATE,
2963                             &ad);
2964 }
2965
2966 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2967                                         const void *value, size_t size,
2968                                         int flags)
2969 {
2970         struct inode *inode = dentry->d_inode;
2971         struct inode_security_struct *isec = inode->i_security;
2972         u32 newsid;
2973         int rc;
2974
2975         if (strcmp(name, XATTR_NAME_SELINUX)) {
2976                 /* Not an attribute we recognize, so nothing to do. */
2977                 return;
2978         }
2979
2980         rc = security_context_to_sid_force(value, size, &newsid);
2981         if (rc) {
2982                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2983                        "for (%s, %lu), rc=%d\n",
2984                        inode->i_sb->s_id, inode->i_ino, -rc);
2985                 return;
2986         }
2987
2988         isec->sclass = inode_mode_to_security_class(inode->i_mode);
2989         isec->sid = newsid;
2990         isec->initialized = 1;
2991
2992         return;
2993 }
2994
2995 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2996 {
2997         const struct cred *cred = current_cred();
2998
2999         return dentry_has_perm(cred, dentry, FILE__GETATTR);
3000 }
3001
3002 static int selinux_inode_listxattr(struct dentry *dentry)
3003 {
3004         const struct cred *cred = current_cred();
3005
3006         return dentry_has_perm(cred, dentry, FILE__GETATTR);
3007 }
3008
3009 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3010 {
3011         if (strcmp(name, XATTR_NAME_SELINUX))
3012                 return selinux_inode_setotherxattr(dentry, name);
3013
3014         /* No one is allowed to remove a SELinux security label.
3015            You can change the label, but all data must be labeled. */
3016         return -EACCES;
3017 }
3018
3019 /*
3020  * Copy the inode security context value to the user.
3021  *
3022  * Permission check is handled by selinux_inode_getxattr hook.
3023  */
3024 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
3025 {
3026         u32 size;
3027         int error;
3028         char *context = NULL;
3029         struct inode_security_struct *isec = inode->i_security;
3030
3031         if (strcmp(name, XATTR_SELINUX_SUFFIX))
3032                 return -EOPNOTSUPP;
3033
3034         /*
3035          * If the caller has CAP_MAC_ADMIN, then get the raw context
3036          * value even if it is not defined by current policy; otherwise,
3037          * use the in-core value under current policy.
3038          * Use the non-auditing forms of the permission checks since
3039          * getxattr may be called by unprivileged processes commonly
3040          * and lack of permission just means that we fall back to the
3041          * in-core context value, not a denial.
3042          */
3043         error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3044                                 SECURITY_CAP_NOAUDIT);
3045         if (!error)
3046                 error = security_sid_to_context_force(isec->sid, &context,
3047                                                       &size);
3048         else
3049                 error = security_sid_to_context(isec->sid, &context, &size);
3050         if (error)
3051                 return error;
3052         error = size;
3053         if (alloc) {
3054                 *buffer = context;
3055                 goto out_nofree;
3056         }
3057         kfree(context);
3058 out_nofree:
3059         return error;
3060 }
3061
3062 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3063                                      const void *value, size_t size, int flags)
3064 {
3065         struct inode_security_struct *isec = inode->i_security;
3066         u32 newsid;
3067         int rc;
3068
3069         if (strcmp(name, XATTR_SELINUX_SUFFIX))
3070                 return -EOPNOTSUPP;
3071
3072         if (!value || !size)
3073                 return -EACCES;
3074
3075         rc = security_context_to_sid((void *)value, size, &newsid, GFP_KERNEL);
3076         if (rc)
3077                 return rc;
3078
3079         isec->sclass = inode_mode_to_security_class(inode->i_mode);
3080         isec->sid = newsid;
3081         isec->initialized = 1;
3082         return 0;
3083 }
3084
3085 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3086 {
3087         const int len = sizeof(XATTR_NAME_SELINUX);
3088         if (buffer && len <= buffer_size)
3089                 memcpy(buffer, XATTR_NAME_SELINUX, len);
3090         return len;
3091 }
3092
3093 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3094 {
3095         struct inode_security_struct *isec = inode->i_security;
3096         *secid = isec->sid;
3097 }
3098
3099 /* file security operations */
3100
3101 static int selinux_revalidate_file_permission(struct file *file, int mask)
3102 {
3103         const struct cred *cred = current_cred();
3104         struct inode *inode = file_inode(file);
3105
3106         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3107         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3108                 mask |= MAY_APPEND;
3109
3110         return file_has_perm(cred, file,
3111                              file_mask_to_av(inode->i_mode, mask));
3112 }
3113
3114 static int selinux_file_permission(struct file *file, int mask)
3115 {
3116         struct inode *inode = file_inode(file);
3117         struct file_security_struct *fsec = file->f_security;
3118         struct inode_security_struct *isec = inode->i_security;
3119         u32 sid = current_sid();
3120
3121         if (!mask)
3122                 /* No permission to check.  Existence test. */
3123                 return 0;
3124
3125         if (sid == fsec->sid && fsec->isid == isec->sid &&
3126             fsec->pseqno == avc_policy_seqno())
3127                 /* No change since file_open check. */
3128                 return 0;
3129
3130         return selinux_revalidate_file_permission(file, mask);
3131 }
3132
3133 static int selinux_file_alloc_security(struct file *file)
3134 {
3135         return file_alloc_security(file);
3136 }
3137
3138 static void selinux_file_free_security(struct file *file)
3139 {
3140         file_free_security(file);
3141 }
3142
3143 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3144                               unsigned long arg)
3145 {
3146         const struct cred *cred = current_cred();
3147         int error = 0;
3148
3149         switch (cmd) {
3150         case FIONREAD:
3151         /* fall through */
3152         case FIBMAP:
3153         /* fall through */
3154         case FIGETBSZ:
3155         /* fall through */
3156         case FS_IOC_GETFLAGS:
3157         /* fall through */
3158         case FS_IOC_GETVERSION:
3159                 error = file_has_perm(cred, file, FILE__GETATTR);
3160                 break;
3161
3162         case FS_IOC_SETFLAGS:
3163         /* fall through */
3164         case FS_IOC_SETVERSION:
3165                 error = file_has_perm(cred, file, FILE__SETATTR);
3166                 break;
3167
3168         /* sys_ioctl() checks */
3169         case FIONBIO:
3170         /* fall through */
3171         case FIOASYNC:
3172                 error = file_has_perm(cred, file, 0);
3173                 break;
3174
3175         case KDSKBENT:
3176         case KDSKBSENT:
3177                 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3178                                             SECURITY_CAP_AUDIT);
3179                 break;
3180
3181         /* default case assumes that the command will go
3182          * to the file's ioctl() function.
3183          */
3184         default:
3185                 error = file_has_perm(cred, file, FILE__IOCTL);