89bb6d36c0a7f69aec9d8e0e373fe68a3c820514
[sfrench/cifs-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16  *                Paul Moore <paul.moore@hp.com>
17  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
19  *
20  *      This program is free software; you can redistribute it and/or modify
21  *      it under the terms of the GNU General Public License version 2,
22  *      as published by the Free Software Foundation.
23  */
24
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
34 #include <linux/mm.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
46 #include <linux/kd.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h>    /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h>           /* for Unix socket types */
67 #include <net/af_unix.h>        /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78
79 #include "avc.h"
80 #include "objsec.h"
81 #include "netif.h"
82 #include "netnode.h"
83 #include "xfrm.h"
84 #include "netlabel.h"
85
86 #define XATTR_SELINUX_SUFFIX "selinux"
87 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
88
89 #define NUM_SEL_MNT_OPTS 4
90
91 extern unsigned int policydb_loaded_version;
92 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
93 extern int selinux_compat_net;
94 extern struct security_operations *security_ops;
95
96 /* SECMARK reference count */
97 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
98
99 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100 int selinux_enforcing = 0;
101
102 static int __init enforcing_setup(char *str)
103 {
104         selinux_enforcing = simple_strtol(str,NULL,0);
105         return 1;
106 }
107 __setup("enforcing=", enforcing_setup);
108 #endif
109
110 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
112
113 static int __init selinux_enabled_setup(char *str)
114 {
115         selinux_enabled = simple_strtol(str, NULL, 0);
116         return 1;
117 }
118 __setup("selinux=", selinux_enabled_setup);
119 #else
120 int selinux_enabled = 1;
121 #endif
122
123 /* Original (dummy) security module. */
124 static struct security_operations *original_ops = NULL;
125
126 /* Minimal support for a secondary security module,
127    just to allow the use of the dummy or capability modules.
128    The owlsm module can alternatively be used as a secondary
129    module as long as CONFIG_OWLSM_FD is not enabled. */
130 static struct security_operations *secondary_ops = NULL;
131
132 /* Lists of inode and superblock security structures initialized
133    before the policy was loaded. */
134 static LIST_HEAD(superblock_security_head);
135 static DEFINE_SPINLOCK(sb_security_lock);
136
137 static struct kmem_cache *sel_inode_cache;
138
139 /**
140  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
141  *
142  * Description:
143  * This function checks the SECMARK reference counter to see if any SECMARK
144  * targets are currently configured, if the reference counter is greater than
145  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
146  * enabled, false (0) if SECMARK is disabled.
147  *
148  */
149 static int selinux_secmark_enabled(void)
150 {
151         return (atomic_read(&selinux_secmark_refcount) > 0);
152 }
153
154 /* Allocate and free functions for each kind of security blob. */
155
156 static int task_alloc_security(struct task_struct *task)
157 {
158         struct task_security_struct *tsec;
159
160         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
161         if (!tsec)
162                 return -ENOMEM;
163
164         tsec->task = task;
165         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
166         task->security = tsec;
167
168         return 0;
169 }
170
171 static void task_free_security(struct task_struct *task)
172 {
173         struct task_security_struct *tsec = task->security;
174         task->security = NULL;
175         kfree(tsec);
176 }
177
178 static int inode_alloc_security(struct inode *inode)
179 {
180         struct task_security_struct *tsec = current->security;
181         struct inode_security_struct *isec;
182
183         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
184         if (!isec)
185                 return -ENOMEM;
186
187         mutex_init(&isec->lock);
188         INIT_LIST_HEAD(&isec->list);
189         isec->inode = inode;
190         isec->sid = SECINITSID_UNLABELED;
191         isec->sclass = SECCLASS_FILE;
192         isec->task_sid = tsec->sid;
193         inode->i_security = isec;
194
195         return 0;
196 }
197
198 static void inode_free_security(struct inode *inode)
199 {
200         struct inode_security_struct *isec = inode->i_security;
201         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
202
203         spin_lock(&sbsec->isec_lock);
204         if (!list_empty(&isec->list))
205                 list_del_init(&isec->list);
206         spin_unlock(&sbsec->isec_lock);
207
208         inode->i_security = NULL;
209         kmem_cache_free(sel_inode_cache, isec);
210 }
211
212 static int file_alloc_security(struct file *file)
213 {
214         struct task_security_struct *tsec = current->security;
215         struct file_security_struct *fsec;
216
217         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
218         if (!fsec)
219                 return -ENOMEM;
220
221         fsec->file = file;
222         fsec->sid = tsec->sid;
223         fsec->fown_sid = tsec->sid;
224         file->f_security = fsec;
225
226         return 0;
227 }
228
229 static void file_free_security(struct file *file)
230 {
231         struct file_security_struct *fsec = file->f_security;
232         file->f_security = NULL;
233         kfree(fsec);
234 }
235
236 static int superblock_alloc_security(struct super_block *sb)
237 {
238         struct superblock_security_struct *sbsec;
239
240         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
241         if (!sbsec)
242                 return -ENOMEM;
243
244         mutex_init(&sbsec->lock);
245         INIT_LIST_HEAD(&sbsec->list);
246         INIT_LIST_HEAD(&sbsec->isec_head);
247         spin_lock_init(&sbsec->isec_lock);
248         sbsec->sb = sb;
249         sbsec->sid = SECINITSID_UNLABELED;
250         sbsec->def_sid = SECINITSID_FILE;
251         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
252         sb->s_security = sbsec;
253
254         return 0;
255 }
256
257 static void superblock_free_security(struct super_block *sb)
258 {
259         struct superblock_security_struct *sbsec = sb->s_security;
260
261         spin_lock(&sb_security_lock);
262         if (!list_empty(&sbsec->list))
263                 list_del_init(&sbsec->list);
264         spin_unlock(&sb_security_lock);
265
266         sb->s_security = NULL;
267         kfree(sbsec);
268 }
269
270 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
271 {
272         struct sk_security_struct *ssec;
273
274         ssec = kzalloc(sizeof(*ssec), priority);
275         if (!ssec)
276                 return -ENOMEM;
277
278         ssec->sk = sk;
279         ssec->peer_sid = SECINITSID_UNLABELED;
280         ssec->sid = SECINITSID_UNLABELED;
281         sk->sk_security = ssec;
282
283         selinux_netlbl_sk_security_init(ssec, family);
284
285         return 0;
286 }
287
288 static void sk_free_security(struct sock *sk)
289 {
290         struct sk_security_struct *ssec = sk->sk_security;
291
292         sk->sk_security = NULL;
293         kfree(ssec);
294 }
295
296 /* The security server must be initialized before
297    any labeling or access decisions can be provided. */
298 extern int ss_initialized;
299
300 /* The file system's label must be initialized prior to use. */
301
302 static char *labeling_behaviors[6] = {
303         "uses xattr",
304         "uses transition SIDs",
305         "uses task SIDs",
306         "uses genfs_contexts",
307         "not configured for labeling",
308         "uses mountpoint labeling",
309 };
310
311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
312
313 static inline int inode_doinit(struct inode *inode)
314 {
315         return inode_doinit_with_dentry(inode, NULL);
316 }
317
318 enum {
319         Opt_error = -1,
320         Opt_context = 1,
321         Opt_fscontext = 2,
322         Opt_defcontext = 3,
323         Opt_rootcontext = 4,
324 };
325
326 static match_table_t tokens = {
327         {Opt_context, "context=%s"},
328         {Opt_fscontext, "fscontext=%s"},
329         {Opt_defcontext, "defcontext=%s"},
330         {Opt_rootcontext, "rootcontext=%s"},
331         {Opt_error, NULL},
332 };
333
334 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
335
336 static int may_context_mount_sb_relabel(u32 sid,
337                         struct superblock_security_struct *sbsec,
338                         struct task_security_struct *tsec)
339 {
340         int rc;
341
342         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
343                           FILESYSTEM__RELABELFROM, NULL);
344         if (rc)
345                 return rc;
346
347         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
348                           FILESYSTEM__RELABELTO, NULL);
349         return rc;
350 }
351
352 static int may_context_mount_inode_relabel(u32 sid,
353                         struct superblock_security_struct *sbsec,
354                         struct task_security_struct *tsec)
355 {
356         int rc;
357         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358                           FILESYSTEM__RELABELFROM, NULL);
359         if (rc)
360                 return rc;
361
362         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
363                           FILESYSTEM__ASSOCIATE, NULL);
364         return rc;
365 }
366
367 static int sb_finish_set_opts(struct super_block *sb)
368 {
369         struct superblock_security_struct *sbsec = sb->s_security;
370         struct dentry *root = sb->s_root;
371         struct inode *root_inode = root->d_inode;
372         int rc = 0;
373
374         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
375                 /* Make sure that the xattr handler exists and that no
376                    error other than -ENODATA is returned by getxattr on
377                    the root directory.  -ENODATA is ok, as this may be
378                    the first boot of the SELinux kernel before we have
379                    assigned xattr values to the filesystem. */
380                 if (!root_inode->i_op->getxattr) {
381                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
382                                "xattr support\n", sb->s_id, sb->s_type->name);
383                         rc = -EOPNOTSUPP;
384                         goto out;
385                 }
386                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
387                 if (rc < 0 && rc != -ENODATA) {
388                         if (rc == -EOPNOTSUPP)
389                                 printk(KERN_WARNING "SELinux: (dev %s, type "
390                                        "%s) has no security xattr handler\n",
391                                        sb->s_id, sb->s_type->name);
392                         else
393                                 printk(KERN_WARNING "SELinux: (dev %s, type "
394                                        "%s) getxattr errno %d\n", sb->s_id,
395                                        sb->s_type->name, -rc);
396                         goto out;
397                 }
398         }
399
400         sbsec->initialized = 1;
401
402         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
404                        sb->s_id, sb->s_type->name);
405         else
406                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
407                        sb->s_id, sb->s_type->name,
408                        labeling_behaviors[sbsec->behavior-1]);
409
410         /* Initialize the root inode. */
411         rc = inode_doinit_with_dentry(root_inode, root);
412
413         /* Initialize any other inodes associated with the superblock, e.g.
414            inodes created prior to initial policy load or inodes created
415            during get_sb by a pseudo filesystem that directly
416            populates itself. */
417         spin_lock(&sbsec->isec_lock);
418 next_inode:
419         if (!list_empty(&sbsec->isec_head)) {
420                 struct inode_security_struct *isec =
421                                 list_entry(sbsec->isec_head.next,
422                                            struct inode_security_struct, list);
423                 struct inode *inode = isec->inode;
424                 spin_unlock(&sbsec->isec_lock);
425                 inode = igrab(inode);
426                 if (inode) {
427                         if (!IS_PRIVATE(inode))
428                                 inode_doinit(inode);
429                         iput(inode);
430                 }
431                 spin_lock(&sbsec->isec_lock);
432                 list_del_init(&isec->list);
433                 goto next_inode;
434         }
435         spin_unlock(&sbsec->isec_lock);
436 out:
437         return rc;
438 }
439
440 /*
441  * This function should allow an FS to ask what it's mount security
442  * options were so it can use those later for submounts, displaying
443  * mount options, or whatever.
444  */
445 static int selinux_get_mnt_opts(const struct super_block *sb,
446                                 struct security_mnt_opts *opts)
447 {
448         int rc = 0, i;
449         struct superblock_security_struct *sbsec = sb->s_security;
450         char *context = NULL;
451         u32 len;
452         char tmp;
453
454         security_init_mnt_opts(opts);
455
456         if (!sbsec->initialized)
457                 return -EINVAL;
458
459         if (!ss_initialized)
460                 return -EINVAL;
461
462         /*
463          * if we ever use sbsec flags for anything other than tracking mount
464          * settings this is going to need a mask
465          */
466         tmp = sbsec->flags;
467         /* count the number of mount options for this sb */
468         for (i = 0; i < 8; i++) {
469                 if (tmp & 0x01)
470                         opts->num_mnt_opts++;
471                 tmp >>= 1;
472         }
473
474         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
475         if (!opts->mnt_opts) {
476                 rc = -ENOMEM;
477                 goto out_free;
478         }
479
480         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
481         if (!opts->mnt_opts_flags) {
482                 rc = -ENOMEM;
483                 goto out_free;
484         }
485
486         i = 0;
487         if (sbsec->flags & FSCONTEXT_MNT) {
488                 rc = security_sid_to_context(sbsec->sid, &context, &len);
489                 if (rc)
490                         goto out_free;
491                 opts->mnt_opts[i] = context;
492                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
493         }
494         if (sbsec->flags & CONTEXT_MNT) {
495                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
496                 if (rc)
497                         goto out_free;
498                 opts->mnt_opts[i] = context;
499                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
500         }
501         if (sbsec->flags & DEFCONTEXT_MNT) {
502                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
503                 if (rc)
504                         goto out_free;
505                 opts->mnt_opts[i] = context;
506                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
507         }
508         if (sbsec->flags & ROOTCONTEXT_MNT) {
509                 struct inode *root = sbsec->sb->s_root->d_inode;
510                 struct inode_security_struct *isec = root->i_security;
511
512                 rc = security_sid_to_context(isec->sid, &context, &len);
513                 if (rc)
514                         goto out_free;
515                 opts->mnt_opts[i] = context;
516                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
517         }
518
519         BUG_ON(i != opts->num_mnt_opts);
520
521         return 0;
522
523 out_free:
524         security_free_mnt_opts(opts);
525         return rc;
526 }
527
528 static int bad_option(struct superblock_security_struct *sbsec, char flag,
529                       u32 old_sid, u32 new_sid)
530 {
531         /* check if the old mount command had the same options */
532         if (sbsec->initialized)
533                 if (!(sbsec->flags & flag) ||
534                     (old_sid != new_sid))
535                         return 1;
536
537         /* check if we were passed the same options twice,
538          * aka someone passed context=a,context=b
539          */
540         if (!sbsec->initialized)
541                 if (sbsec->flags & flag)
542                         return 1;
543         return 0;
544 }
545
546 /*
547  * Allow filesystems with binary mount data to explicitly set mount point
548  * labeling information.
549  */
550 static int selinux_set_mnt_opts(struct super_block *sb,
551                                 struct security_mnt_opts *opts)
552 {
553         int rc = 0, i;
554         struct task_security_struct *tsec = current->security;
555         struct superblock_security_struct *sbsec = sb->s_security;
556         const char *name = sb->s_type->name;
557         struct inode *inode = sbsec->sb->s_root->d_inode;
558         struct inode_security_struct *root_isec = inode->i_security;
559         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
560         u32 defcontext_sid = 0;
561         char **mount_options = opts->mnt_opts;
562         int *flags = opts->mnt_opts_flags;
563         int num_opts = opts->num_mnt_opts;
564
565         mutex_lock(&sbsec->lock);
566
567         if (!ss_initialized) {
568                 if (!num_opts) {
569                         /* Defer initialization until selinux_complete_init,
570                            after the initial policy is loaded and the security
571                            server is ready to handle calls. */
572                         spin_lock(&sb_security_lock);
573                         if (list_empty(&sbsec->list))
574                                 list_add(&sbsec->list, &superblock_security_head);
575                         spin_unlock(&sb_security_lock);
576                         goto out;
577                 }
578                 rc = -EINVAL;
579                 printk(KERN_WARNING "Unable to set superblock options before "
580                        "the security server is initialized\n");
581                 goto out;
582         }
583
584         /*
585          * Binary mount data FS will come through this function twice.  Once
586          * from an explicit call and once from the generic calls from the vfs.
587          * Since the generic VFS calls will not contain any security mount data
588          * we need to skip the double mount verification.
589          *
590          * This does open a hole in which we will not notice if the first
591          * mount using this sb set explict options and a second mount using
592          * this sb does not set any security options.  (The first options
593          * will be used for both mounts)
594          */
595         if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
596             && (num_opts == 0))
597                 goto out;
598
599         /*
600          * parse the mount options, check if they are valid sids.
601          * also check if someone is trying to mount the same sb more
602          * than once with different security options.
603          */
604         for (i = 0; i < num_opts; i++) {
605                 u32 sid;
606                 rc = security_context_to_sid(mount_options[i],
607                                              strlen(mount_options[i]), &sid);
608                 if (rc) {
609                         printk(KERN_WARNING "SELinux: security_context_to_sid"
610                                "(%s) failed for (dev %s, type %s) errno=%d\n",
611                                mount_options[i], sb->s_id, name, rc);
612                         goto out;
613                 }
614                 switch (flags[i]) {
615                 case FSCONTEXT_MNT:
616                         fscontext_sid = sid;
617
618                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
619                                         fscontext_sid))
620                                 goto out_double_mount;
621
622                         sbsec->flags |= FSCONTEXT_MNT;
623                         break;
624                 case CONTEXT_MNT:
625                         context_sid = sid;
626
627                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
628                                         context_sid))
629                                 goto out_double_mount;
630
631                         sbsec->flags |= CONTEXT_MNT;
632                         break;
633                 case ROOTCONTEXT_MNT:
634                         rootcontext_sid = sid;
635
636                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
637                                         rootcontext_sid))
638                                 goto out_double_mount;
639
640                         sbsec->flags |= ROOTCONTEXT_MNT;
641
642                         break;
643                 case DEFCONTEXT_MNT:
644                         defcontext_sid = sid;
645
646                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
647                                         defcontext_sid))
648                                 goto out_double_mount;
649
650                         sbsec->flags |= DEFCONTEXT_MNT;
651
652                         break;
653                 default:
654                         rc = -EINVAL;
655                         goto out;
656                 }
657         }
658
659         if (sbsec->initialized) {
660                 /* previously mounted with options, but not on this attempt? */
661                 if (sbsec->flags && !num_opts)
662                         goto out_double_mount;
663                 rc = 0;
664                 goto out;
665         }
666
667         if (strcmp(sb->s_type->name, "proc") == 0)
668                 sbsec->proc = 1;
669
670         /* Determine the labeling behavior to use for this filesystem type. */
671         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
672         if (rc) {
673                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
674                        __FUNCTION__, sb->s_type->name, rc);
675                 goto out;
676         }
677
678         /* sets the context of the superblock for the fs being mounted. */
679         if (fscontext_sid) {
680
681                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
682                 if (rc)
683                         goto out;
684
685                 sbsec->sid = fscontext_sid;
686         }
687
688         /*
689          * Switch to using mount point labeling behavior.
690          * sets the label used on all file below the mountpoint, and will set
691          * the superblock context if not already set.
692          */
693         if (context_sid) {
694                 if (!fscontext_sid) {
695                         rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
696                         if (rc)
697                                 goto out;
698                         sbsec->sid = context_sid;
699                 } else {
700                         rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
701                         if (rc)
702                                 goto out;
703                 }
704                 if (!rootcontext_sid)
705                         rootcontext_sid = context_sid;
706
707                 sbsec->mntpoint_sid = context_sid;
708                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
709         }
710
711         if (rootcontext_sid) {
712                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
713                 if (rc)
714                         goto out;
715
716                 root_isec->sid = rootcontext_sid;
717                 root_isec->initialized = 1;
718         }
719
720         if (defcontext_sid) {
721                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
722                         rc = -EINVAL;
723                         printk(KERN_WARNING "SELinux: defcontext option is "
724                                "invalid for this filesystem type\n");
725                         goto out;
726                 }
727
728                 if (defcontext_sid != sbsec->def_sid) {
729                         rc = may_context_mount_inode_relabel(defcontext_sid,
730                                                              sbsec, tsec);
731                         if (rc)
732                                 goto out;
733                 }
734
735                 sbsec->def_sid = defcontext_sid;
736         }
737
738         rc = sb_finish_set_opts(sb);
739 out:
740         mutex_unlock(&sbsec->lock);
741         return rc;
742 out_double_mount:
743         rc = -EINVAL;
744         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
745                "security settings for (dev %s, type %s)\n", sb->s_id, name);
746         goto out;
747 }
748
749 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
750                                         struct super_block *newsb)
751 {
752         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
753         struct superblock_security_struct *newsbsec = newsb->s_security;
754
755         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
756         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
757         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
758
759         /* we can't error, we can't save the info, this shouldn't get called
760          * this early in the boot process. */
761         BUG_ON(!ss_initialized);
762
763         /* this might go away sometime down the line if there is a new user
764          * of clone, but for now, nfs better not get here... */
765         BUG_ON(newsbsec->initialized);
766
767         /* how can we clone if the old one wasn't set up?? */
768         BUG_ON(!oldsbsec->initialized);
769
770         mutex_lock(&newsbsec->lock);
771
772         newsbsec->flags = oldsbsec->flags;
773
774         newsbsec->sid = oldsbsec->sid;
775         newsbsec->def_sid = oldsbsec->def_sid;
776         newsbsec->behavior = oldsbsec->behavior;
777
778         if (set_context) {
779                 u32 sid = oldsbsec->mntpoint_sid;
780
781                 if (!set_fscontext)
782                         newsbsec->sid = sid;
783                 if (!set_rootcontext) {
784                         struct inode *newinode = newsb->s_root->d_inode;
785                         struct inode_security_struct *newisec = newinode->i_security;
786                         newisec->sid = sid;
787                 }
788                 newsbsec->mntpoint_sid = sid;
789         }
790         if (set_rootcontext) {
791                 const struct inode *oldinode = oldsb->s_root->d_inode;
792                 const struct inode_security_struct *oldisec = oldinode->i_security;
793                 struct inode *newinode = newsb->s_root->d_inode;
794                 struct inode_security_struct *newisec = newinode->i_security;
795
796                 newisec->sid = oldisec->sid;
797         }
798
799         sb_finish_set_opts(newsb);
800         mutex_unlock(&newsbsec->lock);
801 }
802
803 static int selinux_parse_opts_str(char *options,
804                                   struct security_mnt_opts *opts)
805 {
806         char *p;
807         char *context = NULL, *defcontext = NULL;
808         char *fscontext = NULL, *rootcontext = NULL;
809         int rc, num_mnt_opts = 0;
810
811         opts->num_mnt_opts = 0;
812
813         /* Standard string-based options. */
814         while ((p = strsep(&options, "|")) != NULL) {
815                 int token;
816                 substring_t args[MAX_OPT_ARGS];
817
818                 if (!*p)
819                         continue;
820
821                 token = match_token(p, tokens, args);
822
823                 switch (token) {
824                 case Opt_context:
825                         if (context || defcontext) {
826                                 rc = -EINVAL;
827                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
828                                 goto out_err;
829                         }
830                         context = match_strdup(&args[0]);
831                         if (!context) {
832                                 rc = -ENOMEM;
833                                 goto out_err;
834                         }
835                         break;
836
837                 case Opt_fscontext:
838                         if (fscontext) {
839                                 rc = -EINVAL;
840                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
841                                 goto out_err;
842                         }
843                         fscontext = match_strdup(&args[0]);
844                         if (!fscontext) {
845                                 rc = -ENOMEM;
846                                 goto out_err;
847                         }
848                         break;
849
850                 case Opt_rootcontext:
851                         if (rootcontext) {
852                                 rc = -EINVAL;
853                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
854                                 goto out_err;
855                         }
856                         rootcontext = match_strdup(&args[0]);
857                         if (!rootcontext) {
858                                 rc = -ENOMEM;
859                                 goto out_err;
860                         }
861                         break;
862
863                 case Opt_defcontext:
864                         if (context || defcontext) {
865                                 rc = -EINVAL;
866                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
867                                 goto out_err;
868                         }
869                         defcontext = match_strdup(&args[0]);
870                         if (!defcontext) {
871                                 rc = -ENOMEM;
872                                 goto out_err;
873                         }
874                         break;
875
876                 default:
877                         rc = -EINVAL;
878                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
879                         goto out_err;
880
881                 }
882         }
883
884         rc = -ENOMEM;
885         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
886         if (!opts->mnt_opts)
887                 goto out_err;
888
889         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
890         if (!opts->mnt_opts_flags) {
891                 kfree(opts->mnt_opts);
892                 goto out_err;
893         }
894
895         if (fscontext) {
896                 opts->mnt_opts[num_mnt_opts] = fscontext;
897                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
898         }
899         if (context) {
900                 opts->mnt_opts[num_mnt_opts] = context;
901                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
902         }
903         if (rootcontext) {
904                 opts->mnt_opts[num_mnt_opts] = rootcontext;
905                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
906         }
907         if (defcontext) {
908                 opts->mnt_opts[num_mnt_opts] = defcontext;
909                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
910         }
911
912         opts->num_mnt_opts = num_mnt_opts;
913         return 0;
914
915 out_err:
916         kfree(context);
917         kfree(defcontext);
918         kfree(fscontext);
919         kfree(rootcontext);
920         return rc;
921 }
922 /*
923  * string mount options parsing and call set the sbsec
924  */
925 static int superblock_doinit(struct super_block *sb, void *data)
926 {
927         int rc = 0;
928         char *options = data;
929         struct security_mnt_opts opts;
930
931         security_init_mnt_opts(&opts);
932
933         if (!data)
934                 goto out;
935
936         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
937
938         rc = selinux_parse_opts_str(options, &opts);
939         if (rc)
940                 goto out_err;
941
942 out:
943         rc = selinux_set_mnt_opts(sb, &opts);
944
945 out_err:
946         security_free_mnt_opts(&opts);
947         return rc;
948 }
949
950 static inline u16 inode_mode_to_security_class(umode_t mode)
951 {
952         switch (mode & S_IFMT) {
953         case S_IFSOCK:
954                 return SECCLASS_SOCK_FILE;
955         case S_IFLNK:
956                 return SECCLASS_LNK_FILE;
957         case S_IFREG:
958                 return SECCLASS_FILE;
959         case S_IFBLK:
960                 return SECCLASS_BLK_FILE;
961         case S_IFDIR:
962                 return SECCLASS_DIR;
963         case S_IFCHR:
964                 return SECCLASS_CHR_FILE;
965         case S_IFIFO:
966                 return SECCLASS_FIFO_FILE;
967
968         }
969
970         return SECCLASS_FILE;
971 }
972
973 static inline int default_protocol_stream(int protocol)
974 {
975         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
976 }
977
978 static inline int default_protocol_dgram(int protocol)
979 {
980         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
981 }
982
983 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
984 {
985         switch (family) {
986         case PF_UNIX:
987                 switch (type) {
988                 case SOCK_STREAM:
989                 case SOCK_SEQPACKET:
990                         return SECCLASS_UNIX_STREAM_SOCKET;
991                 case SOCK_DGRAM:
992                         return SECCLASS_UNIX_DGRAM_SOCKET;
993                 }
994                 break;
995         case PF_INET:
996         case PF_INET6:
997                 switch (type) {
998                 case SOCK_STREAM:
999                         if (default_protocol_stream(protocol))
1000                                 return SECCLASS_TCP_SOCKET;
1001                         else
1002                                 return SECCLASS_RAWIP_SOCKET;
1003                 case SOCK_DGRAM:
1004                         if (default_protocol_dgram(protocol))
1005                                 return SECCLASS_UDP_SOCKET;
1006                         else
1007                                 return SECCLASS_RAWIP_SOCKET;
1008                 case SOCK_DCCP:
1009                         return SECCLASS_DCCP_SOCKET;
1010                 default:
1011                         return SECCLASS_RAWIP_SOCKET;
1012                 }
1013                 break;
1014         case PF_NETLINK:
1015                 switch (protocol) {
1016                 case NETLINK_ROUTE:
1017                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1018                 case NETLINK_FIREWALL:
1019                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1020                 case NETLINK_INET_DIAG:
1021                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1022                 case NETLINK_NFLOG:
1023                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1024                 case NETLINK_XFRM:
1025                         return SECCLASS_NETLINK_XFRM_SOCKET;
1026                 case NETLINK_SELINUX:
1027                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1028                 case NETLINK_AUDIT:
1029                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1030                 case NETLINK_IP6_FW:
1031                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1032                 case NETLINK_DNRTMSG:
1033                         return SECCLASS_NETLINK_DNRT_SOCKET;
1034                 case NETLINK_KOBJECT_UEVENT:
1035                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1036                 default:
1037                         return SECCLASS_NETLINK_SOCKET;
1038                 }
1039         case PF_PACKET:
1040                 return SECCLASS_PACKET_SOCKET;
1041         case PF_KEY:
1042                 return SECCLASS_KEY_SOCKET;
1043         case PF_APPLETALK:
1044                 return SECCLASS_APPLETALK_SOCKET;
1045         }
1046
1047         return SECCLASS_SOCKET;
1048 }
1049
1050 #ifdef CONFIG_PROC_FS
1051 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1052                                 u16 tclass,
1053                                 u32 *sid)
1054 {
1055         int buflen, rc;
1056         char *buffer, *path, *end;
1057
1058         buffer = (char*)__get_free_page(GFP_KERNEL);
1059         if (!buffer)
1060                 return -ENOMEM;
1061
1062         buflen = PAGE_SIZE;
1063         end = buffer+buflen;
1064         *--end = '\0';
1065         buflen--;
1066         path = end-1;
1067         *path = '/';
1068         while (de && de != de->parent) {
1069                 buflen -= de->namelen + 1;
1070                 if (buflen < 0)
1071                         break;
1072                 end -= de->namelen;
1073                 memcpy(end, de->name, de->namelen);
1074                 *--end = '/';
1075                 path = end;
1076                 de = de->parent;
1077         }
1078         rc = security_genfs_sid("proc", path, tclass, sid);
1079         free_page((unsigned long)buffer);
1080         return rc;
1081 }
1082 #else
1083 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1084                                 u16 tclass,
1085                                 u32 *sid)
1086 {
1087         return -EINVAL;
1088 }
1089 #endif
1090
1091 /* The inode's security attributes must be initialized before first use. */
1092 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1093 {
1094         struct superblock_security_struct *sbsec = NULL;
1095         struct inode_security_struct *isec = inode->i_security;
1096         u32 sid;
1097         struct dentry *dentry;
1098 #define INITCONTEXTLEN 255
1099         char *context = NULL;
1100         unsigned len = 0;
1101         int rc = 0;
1102
1103         if (isec->initialized)
1104                 goto out;
1105
1106         mutex_lock(&isec->lock);
1107         if (isec->initialized)
1108                 goto out_unlock;
1109
1110         sbsec = inode->i_sb->s_security;
1111         if (!sbsec->initialized) {
1112                 /* Defer initialization until selinux_complete_init,
1113                    after the initial policy is loaded and the security
1114                    server is ready to handle calls. */
1115                 spin_lock(&sbsec->isec_lock);
1116                 if (list_empty(&isec->list))
1117                         list_add(&isec->list, &sbsec->isec_head);
1118                 spin_unlock(&sbsec->isec_lock);
1119                 goto out_unlock;
1120         }
1121
1122         switch (sbsec->behavior) {
1123         case SECURITY_FS_USE_XATTR:
1124                 if (!inode->i_op->getxattr) {
1125                         isec->sid = sbsec->def_sid;
1126                         break;
1127                 }
1128
1129                 /* Need a dentry, since the xattr API requires one.
1130                    Life would be simpler if we could just pass the inode. */
1131                 if (opt_dentry) {
1132                         /* Called from d_instantiate or d_splice_alias. */
1133                         dentry = dget(opt_dentry);
1134                 } else {
1135                         /* Called from selinux_complete_init, try to find a dentry. */
1136                         dentry = d_find_alias(inode);
1137                 }
1138                 if (!dentry) {
1139                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
1140                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1141                                inode->i_ino);
1142                         goto out_unlock;
1143                 }
1144
1145                 len = INITCONTEXTLEN;
1146                 context = kmalloc(len, GFP_NOFS);
1147                 if (!context) {
1148                         rc = -ENOMEM;
1149                         dput(dentry);
1150                         goto out_unlock;
1151                 }
1152                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1153                                            context, len);
1154                 if (rc == -ERANGE) {
1155                         /* Need a larger buffer.  Query for the right size. */
1156                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1157                                                    NULL, 0);
1158                         if (rc < 0) {
1159                                 dput(dentry);
1160                                 goto out_unlock;
1161                         }
1162                         kfree(context);
1163                         len = rc;
1164                         context = kmalloc(len, GFP_NOFS);
1165                         if (!context) {
1166                                 rc = -ENOMEM;
1167                                 dput(dentry);
1168                                 goto out_unlock;
1169                         }
1170                         rc = inode->i_op->getxattr(dentry,
1171                                                    XATTR_NAME_SELINUX,
1172                                                    context, len);
1173                 }
1174                 dput(dentry);
1175                 if (rc < 0) {
1176                         if (rc != -ENODATA) {
1177                                 printk(KERN_WARNING "%s:  getxattr returned "
1178                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
1179                                        -rc, inode->i_sb->s_id, inode->i_ino);
1180                                 kfree(context);
1181                                 goto out_unlock;
1182                         }
1183                         /* Map ENODATA to the default file SID */
1184                         sid = sbsec->def_sid;
1185                         rc = 0;
1186                 } else {
1187                         rc = security_context_to_sid_default(context, rc, &sid,
1188                                                              sbsec->def_sid,
1189                                                              GFP_NOFS);
1190                         if (rc) {
1191                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
1192                                        "returned %d for dev=%s ino=%ld\n",
1193                                        __FUNCTION__, context, -rc,
1194                                        inode->i_sb->s_id, inode->i_ino);
1195                                 kfree(context);
1196                                 /* Leave with the unlabeled SID */
1197                                 rc = 0;
1198                                 break;
1199                         }
1200                 }
1201                 kfree(context);
1202                 isec->sid = sid;
1203                 break;
1204         case SECURITY_FS_USE_TASK:
1205                 isec->sid = isec->task_sid;
1206                 break;
1207         case SECURITY_FS_USE_TRANS:
1208                 /* Default to the fs SID. */
1209                 isec->sid = sbsec->sid;
1210
1211                 /* Try to obtain a transition SID. */
1212                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1213                 rc = security_transition_sid(isec->task_sid,
1214                                              sbsec->sid,
1215                                              isec->sclass,
1216                                              &sid);
1217                 if (rc)
1218                         goto out_unlock;
1219                 isec->sid = sid;
1220                 break;
1221         case SECURITY_FS_USE_MNTPOINT:
1222                 isec->sid = sbsec->mntpoint_sid;
1223                 break;
1224         default:
1225                 /* Default to the fs superblock SID. */
1226                 isec->sid = sbsec->sid;
1227
1228                 if (sbsec->proc) {
1229                         struct proc_inode *proci = PROC_I(inode);
1230                         if (proci->pde) {
1231                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1232                                 rc = selinux_proc_get_sid(proci->pde,
1233                                                           isec->sclass,
1234                                                           &sid);
1235                                 if (rc)
1236                                         goto out_unlock;
1237                                 isec->sid = sid;
1238                         }
1239                 }
1240                 break;
1241         }
1242
1243         isec->initialized = 1;
1244
1245 out_unlock:
1246         mutex_unlock(&isec->lock);
1247 out:
1248         if (isec->sclass == SECCLASS_FILE)
1249                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1250         return rc;
1251 }
1252
1253 /* Convert a Linux signal to an access vector. */
1254 static inline u32 signal_to_av(int sig)
1255 {
1256         u32 perm = 0;
1257
1258         switch (sig) {
1259         case SIGCHLD:
1260                 /* Commonly granted from child to parent. */
1261                 perm = PROCESS__SIGCHLD;
1262                 break;
1263         case SIGKILL:
1264                 /* Cannot be caught or ignored */
1265                 perm = PROCESS__SIGKILL;
1266                 break;
1267         case SIGSTOP:
1268                 /* Cannot be caught or ignored */
1269                 perm = PROCESS__SIGSTOP;
1270                 break;
1271         default:
1272                 /* All other signals. */
1273                 perm = PROCESS__SIGNAL;
1274                 break;
1275         }
1276
1277         return perm;
1278 }
1279
1280 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1281    fork check, ptrace check, etc. */
1282 static int task_has_perm(struct task_struct *tsk1,
1283                          struct task_struct *tsk2,
1284                          u32 perms)
1285 {
1286         struct task_security_struct *tsec1, *tsec2;
1287
1288         tsec1 = tsk1->security;
1289         tsec2 = tsk2->security;
1290         return avc_has_perm(tsec1->sid, tsec2->sid,
1291                             SECCLASS_PROCESS, perms, NULL);
1292 }
1293
1294 #if CAP_LAST_CAP > 63
1295 #error Fix SELinux to handle capabilities > 63.
1296 #endif
1297
1298 /* Check whether a task is allowed to use a capability. */
1299 static int task_has_capability(struct task_struct *tsk,
1300                                int cap)
1301 {
1302         struct task_security_struct *tsec;
1303         struct avc_audit_data ad;
1304         u16 sclass;
1305         u32 av = CAP_TO_MASK(cap);
1306
1307         tsec = tsk->security;
1308
1309         AVC_AUDIT_DATA_INIT(&ad,CAP);
1310         ad.tsk = tsk;
1311         ad.u.cap = cap;
1312
1313         switch (CAP_TO_INDEX(cap)) {
1314         case 0:
1315                 sclass = SECCLASS_CAPABILITY;
1316                 break;
1317         case 1:
1318                 sclass = SECCLASS_CAPABILITY2;
1319                 break;
1320         default:
1321                 printk(KERN_ERR
1322                        "SELinux:  out of range capability %d\n", cap);
1323                 BUG();
1324         }
1325         return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1326 }
1327
1328 /* Check whether a task is allowed to use a system operation. */
1329 static int task_has_system(struct task_struct *tsk,
1330                            u32 perms)
1331 {
1332         struct task_security_struct *tsec;
1333
1334         tsec = tsk->security;
1335
1336         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1337                             SECCLASS_SYSTEM, perms, NULL);
1338 }
1339
1340 /* Check whether a task has a particular permission to an inode.
1341    The 'adp' parameter is optional and allows other audit
1342    data to be passed (e.g. the dentry). */
1343 static int inode_has_perm(struct task_struct *tsk,
1344                           struct inode *inode,
1345                           u32 perms,
1346                           struct avc_audit_data *adp)
1347 {
1348         struct task_security_struct *tsec;
1349         struct inode_security_struct *isec;
1350         struct avc_audit_data ad;
1351
1352         if (unlikely (IS_PRIVATE (inode)))
1353                 return 0;
1354
1355         tsec = tsk->security;
1356         isec = inode->i_security;
1357
1358         if (!adp) {
1359                 adp = &ad;
1360                 AVC_AUDIT_DATA_INIT(&ad, FS);
1361                 ad.u.fs.inode = inode;
1362         }
1363
1364         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1365 }
1366
1367 /* Same as inode_has_perm, but pass explicit audit data containing
1368    the dentry to help the auditing code to more easily generate the
1369    pathname if needed. */
1370 static inline int dentry_has_perm(struct task_struct *tsk,
1371                                   struct vfsmount *mnt,
1372                                   struct dentry *dentry,
1373                                   u32 av)
1374 {
1375         struct inode *inode = dentry->d_inode;
1376         struct avc_audit_data ad;
1377         AVC_AUDIT_DATA_INIT(&ad,FS);
1378         ad.u.fs.path.mnt = mnt;
1379         ad.u.fs.path.dentry = dentry;
1380         return inode_has_perm(tsk, inode, av, &ad);
1381 }
1382
1383 /* Check whether a task can use an open file descriptor to
1384    access an inode in a given way.  Check access to the
1385    descriptor itself, and then use dentry_has_perm to
1386    check a particular permission to the file.
1387    Access to the descriptor is implicitly granted if it
1388    has the same SID as the process.  If av is zero, then
1389    access to the file is not checked, e.g. for cases
1390    where only the descriptor is affected like seek. */
1391 static int file_has_perm(struct task_struct *tsk,
1392                                 struct file *file,
1393                                 u32 av)
1394 {
1395         struct task_security_struct *tsec = tsk->security;
1396         struct file_security_struct *fsec = file->f_security;
1397         struct inode *inode = file->f_path.dentry->d_inode;
1398         struct avc_audit_data ad;
1399         int rc;
1400
1401         AVC_AUDIT_DATA_INIT(&ad, FS);
1402         ad.u.fs.path = file->f_path;
1403
1404         if (tsec->sid != fsec->sid) {
1405                 rc = avc_has_perm(tsec->sid, fsec->sid,
1406                                   SECCLASS_FD,
1407                                   FD__USE,
1408                                   &ad);
1409                 if (rc)
1410                         return rc;
1411         }
1412
1413         /* av is zero if only checking access to the descriptor. */
1414         if (av)
1415                 return inode_has_perm(tsk, inode, av, &ad);
1416
1417         return 0;
1418 }
1419
1420 /* Check whether a task can create a file. */
1421 static int may_create(struct inode *dir,
1422                       struct dentry *dentry,
1423                       u16 tclass)
1424 {
1425         struct task_security_struct *tsec;
1426         struct inode_security_struct *dsec;
1427         struct superblock_security_struct *sbsec;
1428         u32 newsid;
1429         struct avc_audit_data ad;
1430         int rc;
1431
1432         tsec = current->security;
1433         dsec = dir->i_security;
1434         sbsec = dir->i_sb->s_security;
1435
1436         AVC_AUDIT_DATA_INIT(&ad, FS);
1437         ad.u.fs.path.dentry = dentry;
1438
1439         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1440                           DIR__ADD_NAME | DIR__SEARCH,
1441                           &ad);
1442         if (rc)
1443                 return rc;
1444
1445         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1446                 newsid = tsec->create_sid;
1447         } else {
1448                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1449                                              &newsid);
1450                 if (rc)
1451                         return rc;
1452         }
1453
1454         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1455         if (rc)
1456                 return rc;
1457
1458         return avc_has_perm(newsid, sbsec->sid,
1459                             SECCLASS_FILESYSTEM,
1460                             FILESYSTEM__ASSOCIATE, &ad);
1461 }
1462
1463 /* Check whether a task can create a key. */
1464 static int may_create_key(u32 ksid,
1465                           struct task_struct *ctx)
1466 {
1467         struct task_security_struct *tsec;
1468
1469         tsec = ctx->security;
1470
1471         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1472 }
1473
1474 #define MAY_LINK   0
1475 #define MAY_UNLINK 1
1476 #define MAY_RMDIR  2
1477
1478 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1479 static int may_link(struct inode *dir,
1480                     struct dentry *dentry,
1481                     int kind)
1482
1483 {
1484         struct task_security_struct *tsec;
1485         struct inode_security_struct *dsec, *isec;
1486         struct avc_audit_data ad;
1487         u32 av;
1488         int rc;
1489
1490         tsec = current->security;
1491         dsec = dir->i_security;
1492         isec = dentry->d_inode->i_security;
1493
1494         AVC_AUDIT_DATA_INIT(&ad, FS);
1495         ad.u.fs.path.dentry = dentry;
1496
1497         av = DIR__SEARCH;
1498         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1499         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1500         if (rc)
1501                 return rc;
1502
1503         switch (kind) {
1504         case MAY_LINK:
1505                 av = FILE__LINK;
1506                 break;
1507         case MAY_UNLINK:
1508                 av = FILE__UNLINK;
1509                 break;
1510         case MAY_RMDIR:
1511                 av = DIR__RMDIR;
1512                 break;
1513         default:
1514                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1515                 return 0;
1516         }
1517
1518         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1519         return rc;
1520 }
1521
1522 static inline int may_rename(struct inode *old_dir,
1523                              struct dentry *old_dentry,
1524                              struct inode *new_dir,
1525                              struct dentry *new_dentry)
1526 {
1527         struct task_security_struct *tsec;
1528         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1529         struct avc_audit_data ad;
1530         u32 av;
1531         int old_is_dir, new_is_dir;
1532         int rc;
1533
1534         tsec = current->security;
1535         old_dsec = old_dir->i_security;
1536         old_isec = old_dentry->d_inode->i_security;
1537         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1538         new_dsec = new_dir->i_security;
1539
1540         AVC_AUDIT_DATA_INIT(&ad, FS);
1541
1542         ad.u.fs.path.dentry = old_dentry;
1543         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1544                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1545         if (rc)
1546                 return rc;
1547         rc = avc_has_perm(tsec->sid, old_isec->sid,
1548                           old_isec->sclass, FILE__RENAME, &ad);
1549         if (rc)
1550                 return rc;
1551         if (old_is_dir && new_dir != old_dir) {
1552                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1553                                   old_isec->sclass, DIR__REPARENT, &ad);
1554                 if (rc)
1555                         return rc;
1556         }
1557
1558         ad.u.fs.path.dentry = new_dentry;
1559         av = DIR__ADD_NAME | DIR__SEARCH;
1560         if (new_dentry->d_inode)
1561                 av |= DIR__REMOVE_NAME;
1562         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1563         if (rc)
1564                 return rc;
1565         if (new_dentry->d_inode) {
1566                 new_isec = new_dentry->d_inode->i_security;
1567                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1568                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1569                                   new_isec->sclass,
1570                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1571                 if (rc)
1572                         return rc;
1573         }
1574
1575         return 0;
1576 }
1577
1578 /* Check whether a task can perform a filesystem operation. */
1579 static int superblock_has_perm(struct task_struct *tsk,
1580                                struct super_block *sb,
1581                                u32 perms,
1582                                struct avc_audit_data *ad)
1583 {
1584         struct task_security_struct *tsec;
1585         struct superblock_security_struct *sbsec;
1586
1587         tsec = tsk->security;
1588         sbsec = sb->s_security;
1589         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1590                             perms, ad);
1591 }
1592
1593 /* Convert a Linux mode and permission mask to an access vector. */
1594 static inline u32 file_mask_to_av(int mode, int mask)
1595 {
1596         u32 av = 0;
1597
1598         if ((mode & S_IFMT) != S_IFDIR) {
1599                 if (mask & MAY_EXEC)
1600                         av |= FILE__EXECUTE;
1601                 if (mask & MAY_READ)
1602                         av |= FILE__READ;
1603
1604                 if (mask & MAY_APPEND)
1605                         av |= FILE__APPEND;
1606                 else if (mask & MAY_WRITE)
1607                         av |= FILE__WRITE;
1608
1609         } else {
1610                 if (mask & MAY_EXEC)
1611                         av |= DIR__SEARCH;
1612                 if (mask & MAY_WRITE)
1613                         av |= DIR__WRITE;
1614                 if (mask & MAY_READ)
1615                         av |= DIR__READ;
1616         }
1617
1618         return av;
1619 }
1620
1621 /* Convert a Linux file to an access vector. */
1622 static inline u32 file_to_av(struct file *file)
1623 {
1624         u32 av = 0;
1625
1626         if (file->f_mode & FMODE_READ)
1627                 av |= FILE__READ;
1628         if (file->f_mode & FMODE_WRITE) {
1629                 if (file->f_flags & O_APPEND)
1630                         av |= FILE__APPEND;
1631                 else
1632                         av |= FILE__WRITE;
1633         }
1634         if (!av) {
1635                 /*
1636                  * Special file opened with flags 3 for ioctl-only use.
1637                  */
1638                 av = FILE__IOCTL;
1639         }
1640
1641         return av;
1642 }
1643
1644 /* Hook functions begin here. */
1645
1646 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1647 {
1648         struct task_security_struct *psec = parent->security;
1649         struct task_security_struct *csec = child->security;
1650         int rc;
1651
1652         rc = secondary_ops->ptrace(parent,child);
1653         if (rc)
1654                 return rc;
1655
1656         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1657         /* Save the SID of the tracing process for later use in apply_creds. */
1658         if (!(child->ptrace & PT_PTRACED) && !rc)
1659                 csec->ptrace_sid = psec->sid;
1660         return rc;
1661 }
1662
1663 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1664                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1665 {
1666         int error;
1667
1668         error = task_has_perm(current, target, PROCESS__GETCAP);
1669         if (error)
1670                 return error;
1671
1672         return secondary_ops->capget(target, effective, inheritable, permitted);
1673 }
1674
1675 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1676                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1677 {
1678         int error;
1679
1680         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1681         if (error)
1682                 return error;
1683
1684         return task_has_perm(current, target, PROCESS__SETCAP);
1685 }
1686
1687 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1688                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1689 {
1690         secondary_ops->capset_set(target, effective, inheritable, permitted);
1691 }
1692
1693 static int selinux_capable(struct task_struct *tsk, int cap)
1694 {
1695         int rc;
1696
1697         rc = secondary_ops->capable(tsk, cap);
1698         if (rc)
1699                 return rc;
1700
1701         return task_has_capability(tsk,cap);
1702 }
1703
1704 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1705 {
1706         int buflen, rc;
1707         char *buffer, *path, *end;
1708
1709         rc = -ENOMEM;
1710         buffer = (char*)__get_free_page(GFP_KERNEL);
1711         if (!buffer)
1712                 goto out;
1713
1714         buflen = PAGE_SIZE;
1715         end = buffer+buflen;
1716         *--end = '\0';
1717         buflen--;
1718         path = end-1;
1719         *path = '/';
1720         while (table) {
1721                 const char *name = table->procname;
1722                 size_t namelen = strlen(name);
1723                 buflen -= namelen + 1;
1724                 if (buflen < 0)
1725                         goto out_free;
1726                 end -= namelen;
1727                 memcpy(end, name, namelen);
1728                 *--end = '/';
1729                 path = end;
1730                 table = table->parent;
1731         }
1732         buflen -= 4;
1733         if (buflen < 0)
1734                 goto out_free;
1735         end -= 4;
1736         memcpy(end, "/sys", 4);
1737         path = end;
1738         rc = security_genfs_sid("proc", path, tclass, sid);
1739 out_free:
1740         free_page((unsigned long)buffer);
1741 out:
1742         return rc;
1743 }
1744
1745 static int selinux_sysctl(ctl_table *table, int op)
1746 {
1747         int error = 0;
1748         u32 av;
1749         struct task_security_struct *tsec;
1750         u32 tsid;
1751         int rc;
1752
1753         rc = secondary_ops->sysctl(table, op);
1754         if (rc)
1755                 return rc;
1756
1757         tsec = current->security;
1758
1759         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1760                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1761         if (rc) {
1762                 /* Default to the well-defined sysctl SID. */
1763                 tsid = SECINITSID_SYSCTL;
1764         }
1765
1766         /* The op values are "defined" in sysctl.c, thereby creating
1767          * a bad coupling between this module and sysctl.c */
1768         if(op == 001) {
1769                 error = avc_has_perm(tsec->sid, tsid,
1770                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1771         } else {
1772                 av = 0;
1773                 if (op & 004)
1774                         av |= FILE__READ;
1775                 if (op & 002)
1776                         av |= FILE__WRITE;
1777                 if (av)
1778                         error = avc_has_perm(tsec->sid, tsid,
1779                                              SECCLASS_FILE, av, NULL);
1780         }
1781
1782         return error;
1783 }
1784
1785 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1786 {
1787         int rc = 0;
1788
1789         if (!sb)
1790                 return 0;
1791
1792         switch (cmds) {
1793                 case Q_SYNC:
1794                 case Q_QUOTAON:
1795                 case Q_QUOTAOFF:
1796                 case Q_SETINFO:
1797                 case Q_SETQUOTA:
1798                         rc = superblock_has_perm(current,
1799                                                  sb,
1800                                                  FILESYSTEM__QUOTAMOD, NULL);
1801                         break;
1802                 case Q_GETFMT:
1803                 case Q_GETINFO:
1804                 case Q_GETQUOTA:
1805                         rc = superblock_has_perm(current,
1806                                                  sb,
1807                                                  FILESYSTEM__QUOTAGET, NULL);
1808                         break;
1809                 default:
1810                         rc = 0;  /* let the kernel handle invalid cmds */
1811                         break;
1812         }
1813         return rc;
1814 }
1815
1816 static int selinux_quota_on(struct dentry *dentry)
1817 {
1818         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1819 }
1820
1821 static int selinux_syslog(int type)
1822 {
1823         int rc;
1824
1825         rc = secondary_ops->syslog(type);
1826         if (rc)
1827                 return rc;
1828
1829         switch (type) {
1830                 case 3:         /* Read last kernel messages */
1831                 case 10:        /* Return size of the log buffer */
1832                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1833                         break;
1834                 case 6:         /* Disable logging to console */
1835                 case 7:         /* Enable logging to console */
1836                 case 8:         /* Set level of messages printed to console */
1837                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1838                         break;
1839                 case 0:         /* Close log */
1840                 case 1:         /* Open log */
1841                 case 2:         /* Read from log */
1842                 case 4:         /* Read/clear last kernel messages */
1843                 case 5:         /* Clear ring buffer */
1844                 default:
1845                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1846                         break;
1847         }
1848         return rc;
1849 }
1850
1851 /*
1852  * Check that a process has enough memory to allocate a new virtual
1853  * mapping. 0 means there is enough memory for the allocation to
1854  * succeed and -ENOMEM implies there is not.
1855  *
1856  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1857  * if the capability is granted, but __vm_enough_memory requires 1 if
1858  * the capability is granted.
1859  *
1860  * Do not audit the selinux permission check, as this is applied to all
1861  * processes that allocate mappings.
1862  */
1863 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1864 {
1865         int rc, cap_sys_admin = 0;
1866         struct task_security_struct *tsec = current->security;
1867
1868         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1869         if (rc == 0)
1870                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1871                                           SECCLASS_CAPABILITY,
1872                                           CAP_TO_MASK(CAP_SYS_ADMIN),
1873                                           0,
1874                                           NULL);
1875
1876         if (rc == 0)
1877                 cap_sys_admin = 1;
1878
1879         return __vm_enough_memory(mm, pages, cap_sys_admin);
1880 }
1881
1882 /* binprm security operations */
1883
1884 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1885 {
1886         struct bprm_security_struct *bsec;
1887
1888         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1889         if (!bsec)
1890                 return -ENOMEM;
1891
1892         bsec->bprm = bprm;
1893         bsec->sid = SECINITSID_UNLABELED;
1894         bsec->set = 0;
1895
1896         bprm->security = bsec;
1897         return 0;
1898 }
1899
1900 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1901 {
1902         struct task_security_struct *tsec;
1903         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1904         struct inode_security_struct *isec;
1905         struct bprm_security_struct *bsec;
1906         u32 newsid;
1907         struct avc_audit_data ad;
1908         int rc;
1909
1910         rc = secondary_ops->bprm_set_security(bprm);
1911         if (rc)
1912                 return rc;
1913
1914         bsec = bprm->security;
1915
1916         if (bsec->set)
1917                 return 0;
1918
1919         tsec = current->security;
1920         isec = inode->i_security;
1921
1922         /* Default to the current task SID. */
1923         bsec->sid = tsec->sid;
1924
1925         /* Reset fs, key, and sock SIDs on execve. */
1926         tsec->create_sid = 0;
1927         tsec->keycreate_sid = 0;
1928         tsec->sockcreate_sid = 0;
1929
1930         if (tsec->exec_sid) {
1931                 newsid = tsec->exec_sid;
1932                 /* Reset exec SID on execve. */
1933                 tsec->exec_sid = 0;
1934         } else {
1935                 /* Check for a default transition on this program. */
1936                 rc = security_transition_sid(tsec->sid, isec->sid,
1937                                              SECCLASS_PROCESS, &newsid);
1938                 if (rc)
1939                         return rc;
1940         }
1941
1942         AVC_AUDIT_DATA_INIT(&ad, FS);
1943         ad.u.fs.path = bprm->file->f_path;
1944
1945         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1946                 newsid = tsec->sid;
1947
1948         if (tsec->sid == newsid) {
1949                 rc = avc_has_perm(tsec->sid, isec->sid,
1950                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1951                 if (rc)
1952                         return rc;
1953         } else {
1954                 /* Check permissions for the transition. */
1955                 rc = avc_has_perm(tsec->sid, newsid,
1956                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1957                 if (rc)
1958                         return rc;
1959
1960                 rc = avc_has_perm(newsid, isec->sid,
1961                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1962                 if (rc)
1963                         return rc;
1964
1965                 /* Clear any possibly unsafe personality bits on exec: */
1966                 current->personality &= ~PER_CLEAR_ON_SETID;
1967
1968                 /* Set the security field to the new SID. */
1969                 bsec->sid = newsid;
1970         }
1971
1972         bsec->set = 1;
1973         return 0;
1974 }
1975
1976 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1977 {
1978         return secondary_ops->bprm_check_security(bprm);
1979 }
1980
1981
1982 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1983 {
1984         struct task_security_struct *tsec = current->security;
1985         int atsecure = 0;
1986
1987         if (tsec->osid != tsec->sid) {
1988                 /* Enable secure mode for SIDs transitions unless
1989                    the noatsecure permission is granted between
1990                    the two SIDs, i.e. ahp returns 0. */
1991                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1992                                          SECCLASS_PROCESS,
1993                                          PROCESS__NOATSECURE, NULL);
1994         }
1995
1996         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1997 }
1998
1999 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2000 {
2001         kfree(bprm->security);
2002         bprm->security = NULL;
2003 }
2004
2005 extern struct vfsmount *selinuxfs_mount;
2006 extern struct dentry *selinux_null;
2007
2008 /* Derived from fs/exec.c:flush_old_files. */
2009 static inline void flush_unauthorized_files(struct files_struct * files)
2010 {
2011         struct avc_audit_data ad;
2012         struct file *file, *devnull = NULL;
2013         struct tty_struct *tty;
2014         struct fdtable *fdt;
2015         long j = -1;
2016         int drop_tty = 0;
2017
2018         mutex_lock(&tty_mutex);
2019         tty = get_current_tty();
2020         if (tty) {
2021                 file_list_lock();
2022                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2023                 if (file) {
2024                         /* Revalidate access to controlling tty.
2025                            Use inode_has_perm on the tty inode directly rather
2026                            than using file_has_perm, as this particular open
2027                            file may belong to another process and we are only
2028                            interested in the inode-based check here. */
2029                         struct inode *inode = file->f_path.dentry->d_inode;
2030                         if (inode_has_perm(current, inode,
2031                                            FILE__READ | FILE__WRITE, NULL)) {
2032                                 drop_tty = 1;
2033                         }
2034                 }
2035                 file_list_unlock();
2036         }
2037         mutex_unlock(&tty_mutex);
2038         /* Reset controlling tty. */
2039         if (drop_tty)
2040                 no_tty();
2041
2042         /* Revalidate access to inherited open files. */
2043
2044         AVC_AUDIT_DATA_INIT(&ad,FS);
2045
2046         spin_lock(&files->file_lock);
2047         for (;;) {
2048                 unsigned long set, i;
2049                 int fd;
2050
2051                 j++;
2052                 i = j * __NFDBITS;
2053                 fdt = files_fdtable(files);
2054                 if (i >= fdt->max_fds)
2055                         break;
2056                 set = fdt->open_fds->fds_bits[j];
2057                 if (!set)
2058                         continue;
2059                 spin_unlock(&files->file_lock);
2060                 for ( ; set ; i++,set >>= 1) {
2061                         if (set & 1) {
2062                                 file = fget(i);
2063                                 if (!file)
2064                                         continue;
2065                                 if (file_has_perm(current,
2066                                                   file,
2067                                                   file_to_av(file))) {
2068                                         sys_close(i);
2069                                         fd = get_unused_fd();
2070                                         if (fd != i) {
2071                                                 if (fd >= 0)
2072                                                         put_unused_fd(fd);
2073                                                 fput(file);
2074                                                 continue;
2075                                         }
2076                                         if (devnull) {
2077                                                 get_file(devnull);
2078                                         } else {
2079                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2080                                                 if (IS_ERR(devnull)) {
2081                                                         devnull = NULL;
2082                                                         put_unused_fd(fd);
2083                                                         fput(file);
2084                                                         continue;
2085                                                 }
2086                                         }
2087                                         fd_install(fd, devnull);
2088                                 }
2089                                 fput(file);
2090                         }
2091                 }
2092                 spin_lock(&files->file_lock);
2093
2094         }
2095         spin_unlock(&files->file_lock);
2096 }
2097
2098 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2099 {
2100         struct task_security_struct *tsec;
2101         struct bprm_security_struct *bsec;
2102         u32 sid;
2103         int rc;
2104
2105         secondary_ops->bprm_apply_creds(bprm, unsafe);
2106
2107         tsec = current->security;
2108
2109         bsec = bprm->security;
2110         sid = bsec->sid;
2111
2112         tsec->osid = tsec->sid;
2113         bsec->unsafe = 0;
2114         if (tsec->sid != sid) {
2115                 /* Check for shared state.  If not ok, leave SID
2116                    unchanged and kill. */
2117                 if (unsafe & LSM_UNSAFE_SHARE) {
2118                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2119                                         PROCESS__SHARE, NULL);
2120                         if (rc) {
2121                                 bsec->unsafe = 1;
2122                                 return;
2123                         }
2124                 }
2125
2126                 /* Check for ptracing, and update the task SID if ok.
2127                    Otherwise, leave SID unchanged and kill. */
2128                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2129                         rc = avc_has_perm(tsec->ptrace_sid, sid,
2130                                           SECCLASS_PROCESS, PROCESS__PTRACE,
2131                                           NULL);
2132                         if (rc) {
2133                                 bsec->unsafe = 1;
2134                                 return;
2135                         }
2136                 }
2137                 tsec->sid = sid;
2138         }
2139 }
2140
2141 /*
2142  * called after apply_creds without the task lock held
2143  */
2144 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2145 {
2146         struct task_security_struct *tsec;
2147         struct rlimit *rlim, *initrlim;
2148         struct itimerval itimer;
2149         struct bprm_security_struct *bsec;
2150         int rc, i;
2151
2152         tsec = current->security;
2153         bsec = bprm->security;
2154
2155         if (bsec->unsafe) {
2156                 force_sig_specific(SIGKILL, current);
2157                 return;
2158         }
2159         if (tsec->osid == tsec->sid)
2160                 return;
2161
2162         /* Close files for which the new task SID is not authorized. */
2163         flush_unauthorized_files(current->files);
2164
2165         /* Check whether the new SID can inherit signal state
2166            from the old SID.  If not, clear itimers to avoid
2167            subsequent signal generation and flush and unblock
2168            signals. This must occur _after_ the task SID has
2169           been updated so that any kill done after the flush
2170           will be checked against the new SID. */
2171         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2172                           PROCESS__SIGINH, NULL);
2173         if (rc) {
2174                 memset(&itimer, 0, sizeof itimer);
2175                 for (i = 0; i < 3; i++)
2176                         do_setitimer(i, &itimer, NULL);
2177                 flush_signals(current);
2178                 spin_lock_irq(&current->sighand->siglock);
2179                 flush_signal_handlers(current, 1);
2180                 sigemptyset(&current->blocked);
2181                 recalc_sigpending();
2182                 spin_unlock_irq(&current->sighand->siglock);
2183         }
2184
2185         /* Always clear parent death signal on SID transitions. */
2186         current->pdeath_signal = 0;
2187
2188         /* Check whether the new SID can inherit resource limits
2189            from the old SID.  If not, reset all soft limits to
2190            the lower of the current task's hard limit and the init
2191            task's soft limit.  Note that the setting of hard limits
2192            (even to lower them) can be controlled by the setrlimit
2193            check. The inclusion of the init task's soft limit into
2194            the computation is to avoid resetting soft limits higher
2195            than the default soft limit for cases where the default
2196            is lower than the hard limit, e.g. RLIMIT_CORE or
2197            RLIMIT_STACK.*/
2198         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2199                           PROCESS__RLIMITINH, NULL);
2200         if (rc) {
2201                 for (i = 0; i < RLIM_NLIMITS; i++) {
2202                         rlim = current->signal->rlim + i;
2203                         initrlim = init_task.signal->rlim+i;
2204                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2205                 }
2206                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2207                         /*
2208                          * This will cause RLIMIT_CPU calculations
2209                          * to be refigured.
2210                          */
2211                         current->it_prof_expires = jiffies_to_cputime(1);
2212                 }
2213         }
2214
2215         /* Wake up the parent if it is waiting so that it can
2216            recheck wait permission to the new task SID. */
2217         wake_up_interruptible(&current->parent->signal->wait_chldexit);
2218 }
2219
2220 /* superblock security operations */
2221
2222 static int selinux_sb_alloc_security(struct super_block *sb)
2223 {
2224         return superblock_alloc_security(sb);
2225 }
2226
2227 static void selinux_sb_free_security(struct super_block *sb)
2228 {
2229         superblock_free_security(sb);
2230 }
2231
2232 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2233 {
2234         if (plen > olen)
2235                 return 0;
2236
2237         return !memcmp(prefix, option, plen);
2238 }
2239
2240 static inline int selinux_option(char *option, int len)
2241 {
2242         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2243                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
2244                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2245                 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
2246 }
2247
2248 static inline void take_option(char **to, char *from, int *first, int len)
2249 {
2250         if (!*first) {
2251                 **to = ',';
2252                 *to += 1;
2253         } else
2254                 *first = 0;
2255         memcpy(*to, from, len);
2256         *to += len;
2257 }
2258
2259 static inline void take_selinux_option(char **to, char *from, int *first, 
2260                                        int len)
2261 {
2262         int current_size = 0;
2263
2264         if (!*first) {
2265                 **to = '|';
2266                 *to += 1;
2267         }
2268         else
2269                 *first = 0;
2270
2271         while (current_size < len) {
2272                 if (*from != '"') {
2273                         **to = *from;
2274                         *to += 1;
2275                 }
2276                 from += 1;
2277                 current_size += 1;
2278         }
2279 }
2280
2281 static int selinux_sb_copy_data(char *orig, char *copy)
2282 {
2283         int fnosec, fsec, rc = 0;
2284         char *in_save, *in_curr, *in_end;
2285         char *sec_curr, *nosec_save, *nosec;
2286         int open_quote = 0;
2287
2288         in_curr = orig;
2289         sec_curr = copy;
2290
2291         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2292         if (!nosec) {
2293                 rc = -ENOMEM;
2294                 goto out;
2295         }
2296
2297         nosec_save = nosec;
2298         fnosec = fsec = 1;
2299         in_save = in_end = orig;
2300
2301         do {
2302                 if (*in_end == '"')
2303                         open_quote = !open_quote;
2304                 if ((*in_end == ',' && open_quote == 0) ||
2305                                 *in_end == '\0') {
2306                         int len = in_end - in_curr;
2307
2308                         if (selinux_option(in_curr, len))
2309                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2310                         else
2311                                 take_option(&nosec, in_curr, &fnosec, len);
2312
2313                         in_curr = in_end + 1;
2314                 }
2315         } while (*in_end++);
2316
2317         strcpy(in_save, nosec_save);
2318         free_page((unsigned long)nosec_save);
2319 out:
2320         return rc;
2321 }
2322
2323 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2324 {
2325         struct avc_audit_data ad;
2326         int rc;
2327
2328         rc = superblock_doinit(sb, data);
2329         if (rc)
2330                 return rc;
2331
2332         AVC_AUDIT_DATA_INIT(&ad,FS);
2333         ad.u.fs.path.dentry = sb->s_root;
2334         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2335 }
2336
2337 static int selinux_sb_statfs(struct dentry *dentry)
2338 {
2339         struct avc_audit_data ad;
2340
2341         AVC_AUDIT_DATA_INIT(&ad,FS);
2342         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2343         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2344 }
2345
2346 static int selinux_mount(char * dev_name,
2347                          struct nameidata *nd,
2348                          char * type,
2349                          unsigned long flags,
2350                          void * data)
2351 {
2352         int rc;
2353
2354         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2355         if (rc)
2356                 return rc;
2357
2358         if (flags & MS_REMOUNT)
2359                 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
2360                                            FILESYSTEM__REMOUNT, NULL);
2361         else
2362                 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
2363                                        FILE__MOUNTON);
2364 }
2365
2366 static int selinux_umount(struct vfsmount *mnt, int flags)
2367 {
2368         int rc;
2369
2370         rc = secondary_ops->sb_umount(mnt, flags);
2371         if (rc)
2372                 return rc;
2373
2374         return superblock_has_perm(current,mnt->mnt_sb,
2375                                    FILESYSTEM__UNMOUNT,NULL);
2376 }
2377
2378 /* inode security operations */
2379
2380 static int selinux_inode_alloc_security(struct inode *inode)
2381 {
2382         return inode_alloc_security(inode);
2383 }
2384
2385 static void selinux_inode_free_security(struct inode *inode)
2386 {
2387         inode_free_security(inode);
2388 }
2389
2390 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2391                                        char **name, void **value,
2392                                        size_t *len)
2393 {
2394         struct task_security_struct *tsec;
2395         struct inode_security_struct *dsec;
2396         struct superblock_security_struct *sbsec;
2397         u32 newsid, clen;
2398         int rc;
2399         char *namep = NULL, *context;
2400
2401         tsec = current->security;
2402         dsec = dir->i_security;
2403         sbsec = dir->i_sb->s_security;
2404
2405         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2406                 newsid = tsec->create_sid;
2407         } else {
2408                 rc = security_transition_sid(tsec->sid, dsec->sid,
2409                                              inode_mode_to_security_class(inode->i_mode),
2410                                              &newsid);
2411                 if (rc) {
2412                         printk(KERN_WARNING "%s:  "
2413                                "security_transition_sid failed, rc=%d (dev=%s "
2414                                "ino=%ld)\n",
2415                                __FUNCTION__,
2416                                -rc, inode->i_sb->s_id, inode->i_ino);
2417                         return rc;
2418                 }
2419         }
2420
2421         /* Possibly defer initialization to selinux_complete_init. */
2422         if (sbsec->initialized) {
2423                 struct inode_security_struct *isec = inode->i_security;
2424                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2425                 isec->sid = newsid;
2426                 isec->initialized = 1;
2427         }
2428
2429         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2430                 return -EOPNOTSUPP;
2431
2432         if (name) {
2433                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2434                 if (!namep)
2435                         return -ENOMEM;
2436                 *name = namep;
2437         }
2438
2439         if (value && len) {
2440                 rc = security_sid_to_context(newsid, &context, &clen);
2441                 if (rc) {
2442                         kfree(namep);
2443                         return rc;
2444                 }
2445                 *value = context;
2446                 *len = clen;
2447         }
2448
2449         return 0;
2450 }
2451
2452 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2453 {
2454         return may_create(dir, dentry, SECCLASS_FILE);
2455 }
2456
2457 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2458 {
2459         int rc;
2460
2461         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2462         if (rc)
2463                 return rc;
2464         return may_link(dir, old_dentry, MAY_LINK);
2465 }
2466
2467 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2468 {
2469         int rc;
2470
2471         rc = secondary_ops->inode_unlink(dir, dentry);
2472         if (rc)
2473                 return rc;
2474         return may_link(dir, dentry, MAY_UNLINK);
2475 }
2476
2477 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2478 {
2479         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2480 }
2481
2482 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2483 {
2484         return may_create(dir, dentry, SECCLASS_DIR);
2485 }
2486
2487 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2488 {
2489         return may_link(dir, dentry, MAY_RMDIR);
2490 }
2491
2492 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2493 {
2494         int rc;
2495
2496         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2497         if (rc)
2498                 return rc;
2499
2500         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2501 }
2502
2503 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2504                                 struct inode *new_inode, struct dentry *new_dentry)
2505 {
2506         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2507 }
2508
2509 static int selinux_inode_readlink(struct dentry *dentry)
2510 {
2511         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2512 }
2513
2514 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2515 {
2516         int rc;
2517
2518         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2519         if (rc)
2520                 return rc;
2521         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2522 }
2523
2524 static int selinux_inode_permission(struct inode *inode, int mask,
2525                                     struct nameidata *nd)
2526 {
2527         int rc;
2528
2529         rc = secondary_ops->inode_permission(inode, mask, nd);
2530         if (rc)
2531                 return rc;
2532
2533         if (!mask) {
2534                 /* No permission to check.  Existence test. */
2535                 return 0;
2536         }
2537
2538         return inode_has_perm(current, inode,
2539                                file_mask_to_av(inode->i_mode, mask), NULL);
2540 }
2541
2542 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2543 {
2544         int rc;
2545
2546         rc = secondary_ops->inode_setattr(dentry, iattr);
2547         if (rc)
2548                 return rc;
2549
2550         if (iattr->ia_valid & ATTR_FORCE)
2551                 return 0;
2552
2553         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2554                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2555                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2556
2557         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2558 }
2559
2560 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2561 {
2562         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2563 }
2564
2565 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2566 {
2567         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2568                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2569                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2570                         if (!capable(CAP_SETFCAP))
2571                                 return -EPERM;
2572                 } else if (!capable(CAP_SYS_ADMIN)) {
2573                         /* A different attribute in the security namespace.
2574                            Restrict to administrator. */
2575                         return -EPERM;
2576                 }
2577         }
2578
2579         /* Not an attribute we recognize, so just check the
2580            ordinary setattr permission. */
2581         return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2582 }
2583
2584 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2585 {
2586         struct task_security_struct *tsec = current->security;
2587         struct inode *inode = dentry->d_inode;
2588         struct inode_security_struct *isec = inode->i_security;
2589         struct superblock_security_struct *sbsec;
2590         struct avc_audit_data ad;
2591         u32 newsid;
2592         int rc = 0;
2593
2594         if (strcmp(name, XATTR_NAME_SELINUX))
2595                 return selinux_inode_setotherxattr(dentry, name);
2596
2597         sbsec = inode->i_sb->s_security;
2598         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2599                 return -EOPNOTSUPP;
2600
2601         if (!is_owner_or_cap(inode))
2602                 return -EPERM;
2603
2604         AVC_AUDIT_DATA_INIT(&ad,FS);
2605         ad.u.fs.path.dentry = dentry;
2606
2607         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2608                           FILE__RELABELFROM, &ad);
2609         if (rc)
2610                 return rc;
2611
2612         rc = security_context_to_sid(value, size, &newsid);
2613         if (rc)
2614                 return rc;
2615
2616         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2617                           FILE__RELABELTO, &ad);
2618         if (rc)
2619                 return rc;
2620
2621         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2622                                           isec->sclass);
2623         if (rc)
2624                 return rc;
2625
2626         return avc_has_perm(newsid,
2627                             sbsec->sid,
2628                             SECCLASS_FILESYSTEM,
2629                             FILESYSTEM__ASSOCIATE,
2630                             &ad);
2631 }
2632
2633 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2634                                         void *value, size_t size, int flags)
2635 {
2636         struct inode *inode = dentry->d_inode;
2637         struct inode_security_struct *isec = inode->i_security;
2638         u32 newsid;
2639         int rc;
2640
2641         if (strcmp(name, XATTR_NAME_SELINUX)) {
2642                 /* Not an attribute we recognize, so nothing to do. */
2643                 return;
2644         }
2645
2646         rc = security_context_to_sid(value, size, &newsid);
2647         if (rc) {
2648                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2649                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2650                 return;
2651         }
2652
2653         isec->sid = newsid;
2654         return;
2655 }
2656
2657 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2658 {
2659         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2660 }
2661
2662 static int selinux_inode_listxattr (struct dentry *dentry)
2663 {
2664         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2665 }
2666
2667 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2668 {
2669         if (strcmp(name, XATTR_NAME_SELINUX))
2670                 return selinux_inode_setotherxattr(dentry, name);
2671
2672         /* No one is allowed to remove a SELinux security label.
2673            You can change the label, but all data must be labeled. */
2674         return -EACCES;
2675 }
2676
2677 /*
2678  * Copy the in-core inode security context value to the user.  If the
2679  * getxattr() prior to this succeeded, check to see if we need to
2680  * canonicalize the value to be finally returned to the user.
2681  *
2682  * Permission check is handled by selinux_inode_getxattr hook.
2683  */
2684 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2685 {
2686         u32 size;
2687         int error;
2688         char *context = NULL;
2689         struct inode_security_struct *isec = inode->i_security;
2690
2691         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2692                 return -EOPNOTSUPP;
2693
2694         error = security_sid_to_context(isec->sid, &context, &size);
2695         if (error)
2696                 return error;
2697         error = size;
2698         if (alloc) {
2699                 *buffer = context;
2700                 goto out_nofree;
2701         }
2702         kfree(context);
2703 out_nofree:
2704         return error;
2705 }
2706
2707 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2708                                      const void *value, size_t size, int flags)
2709 {
2710         struct inode_security_struct *isec = inode->i_security;
2711         u32 newsid;
2712         int rc;
2713
2714         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2715                 return -EOPNOTSUPP;
2716
2717         if (!value || !size)
2718                 return -EACCES;
2719
2720         rc = security_context_to_sid((void*)value, size, &newsid);
2721         if (rc)
2722                 return rc;
2723
2724         isec->sid = newsid;
2725         return 0;
2726 }
2727
2728 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2729 {
2730         const int len = sizeof(XATTR_NAME_SELINUX);
2731         if (buffer && len <= buffer_size)
2732                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2733         return len;
2734 }
2735
2736 static int selinux_inode_need_killpriv(struct dentry *dentry)
2737 {
2738         return secondary_ops->inode_need_killpriv(dentry);
2739 }
2740
2741 static int selinux_inode_killpriv(struct dentry *dentry)
2742 {
2743         return secondary_ops->inode_killpriv(dentry);
2744 }
2745
2746 /* file security operations */
2747
2748 static int selinux_revalidate_file_permission(struct file *file, int mask)
2749 {
2750         int rc;
2751         struct inode *inode = file->f_path.dentry->d_inode;
2752
2753         if (!mask) {
2754                 /* No permission to check.  Existence test. */
2755                 return 0;
2756         }
2757
2758         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2759         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2760                 mask |= MAY_APPEND;
2761
2762         rc = file_has_perm(current, file,
2763                            file_mask_to_av(inode->i_mode, mask));
2764         if (rc)
2765                 return rc;
2766
2767         return selinux_netlbl_inode_permission(inode, mask);
2768 }
2769
2770 static int selinux_file_permission(struct file *file, int mask)
2771 {
2772         struct inode *inode = file->f_path.dentry->d_inode;
2773         struct task_security_struct *tsec = current->security;
2774         struct file_security_struct *fsec = file->f_security;
2775         struct inode_security_struct *isec = inode->i_security;
2776
2777         if (!mask) {
2778                 /* No permission to check.  Existence test. */
2779                 return 0;
2780         }
2781
2782         if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2783             && fsec->pseqno == avc_policy_seqno())
2784                 return selinux_netlbl_inode_permission(inode, mask);
2785
2786         return selinux_revalidate_file_permission(file, mask);
2787 }
2788
2789 static int selinux_file_alloc_security(struct file *file)
2790 {
2791         return file_alloc_security(file);
2792 }
2793
2794 static void selinux_file_free_security(struct file *file)
2795 {
2796         file_free_security(file);
2797 }
2798
2799 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2800                               unsigned long arg)
2801 {
2802         int error = 0;
2803
2804         switch (cmd) {
2805                 case FIONREAD:
2806                 /* fall through */
2807                 case FIBMAP:
2808                 /* fall through */
2809                 case FIGETBSZ:
2810                 /* fall through */
2811                 case EXT2_IOC_GETFLAGS:
2812                 /* fall through */
2813                 case EXT2_IOC_GETVERSION:
2814                         error = file_has_perm(current, file, FILE__GETATTR);
2815                         break;
2816
2817                 case EXT2_IOC_SETFLAGS:
2818                 /* fall through */
2819                 case EXT2_IOC_SETVERSION:
2820                         error = file_has_perm(current, file, FILE__SETATTR);
2821                         break;
2822
2823                 /* sys_ioctl() checks */
2824                 case FIONBIO:
2825                 /* fall through */
2826                 case FIOASYNC:
2827                         error = file_has_perm(current, file, 0);
2828                         break;
2829
2830                 case KDSKBENT:
2831                 case KDSKBSENT:
2832                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2833                         break;
2834
2835                 /* default case assumes that the command will go
2836                  * to the file's ioctl() function.
2837                  */
2838                 default:
2839                         error = file_has_perm(current, file, FILE__IOCTL);
2840
2841         }
2842         return error;
2843 }
2844
2845 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2846 {
2847 #ifndef CONFIG_PPC32
2848         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2849                 /*
2850                  * We are making executable an anonymous mapping or a
2851                  * private file mapping that will also be writable.
2852                  * This has an additional check.
2853                  */
2854                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2855                 if (rc)
2856                         return rc;
2857         }
2858 #endif
2859
2860         if (file) {
2861                 /* read access is always possible with a mapping */
2862                 u32 av = FILE__READ;
2863
2864                 /* write access only matters if the mapping is shared */
2865                 if (shared && (prot & PROT_WRITE))
2866                         av |= FILE__WRITE;
2867
2868                 if (prot & PROT_EXEC)
2869                         av |= FILE__EXECUTE;
2870
2871                 return file_has_perm(current, file, av);
2872         }
2873         return 0;
2874 }
2875
2876 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2877                              unsigned long prot, unsigned long flags,
2878                              unsigned long addr, unsigned long addr_only)
2879 {
2880         int rc = 0;
2881         u32 sid = ((struct task_security_struct*)(current->security))->sid;
2882
2883         if (addr < mmap_min_addr)
2884                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2885                                   MEMPROTECT__MMAP_ZERO, NULL);
2886         if (rc || addr_only)
2887                 return rc;
2888
2889         if (selinux_checkreqprot)
2890                 prot = reqprot;
2891
2892         return file_map_prot_check(file, prot,
2893                                    (flags & MAP_TYPE) == MAP_SHARED);
2894 }
2895
2896 static int selinux_file_mprotect(struct vm_area_struct *vma,
2897                                  unsigned long reqprot,
2898                                  unsigned long prot)
2899 {
2900         int rc;
2901
2902         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2903         if (rc)
2904                 return rc;
2905
2906         if (selinux_checkreqprot)
2907                 prot = reqprot;
2908
2909 #ifndef CONFIG_PPC32
2910         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2911                 rc = 0;
2912                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2913                     vma->vm_end <= vma->vm_mm->brk) {
2914                         rc = task_has_perm(current, current,
2915                                            PROCESS__EXECHEAP);
2916                 } else if (!vma->vm_file &&
2917                            vma->vm_start <= vma->vm_mm->start_stack &&
2918                            vma->vm_end >= vma->vm_mm->start_stack) {
2919                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2920                 } else if (vma->vm_file && vma->anon_vma) {
2921                         /*
2922                          * We are making executable a file mapping that has
2923                          * had some COW done. Since pages might have been
2924                          * written, check ability to execute the possibly
2925                          * modified content.  This typically should only
2926                          * occur for text relocations.
2927                          */
2928                         rc = file_has_perm(current, vma->vm_file,
2929                                            FILE__EXECMOD);
2930                 }
2931                 if (rc)
2932                         return rc;
2933         }
2934 #endif
2935
2936         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2937 }
2938
2939 static int selinux_file_lock(struct file *file, unsigned int cmd)
2940 {
2941         return file_has_perm(current, file, FILE__LOCK);
2942 }
2943
2944 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2945                               unsigned long arg)
2946 {
2947         int err = 0;
2948
2949         switch (cmd) {
2950                 case F_SETFL:
2951                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2952                                 err = -EINVAL;
2953                                 break;
2954                         }
2955
2956                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2957                                 err = file_has_perm(current, file,FILE__WRITE);
2958                                 break;
2959                         }
2960                         /* fall through */
2961                 case F_SETOWN:
2962                 case F_SETSIG:
2963                 case F_GETFL:
2964                 case F_GETOWN:
2965                 case F_GETSIG:
2966                         /* Just check FD__USE permission */
2967                         err = file_has_perm(current, file, 0);
2968                         break;
2969                 case F_GETLK:
2970                 case F_SETLK:
2971                 case F_SETLKW:
2972 #if BITS_PER_LONG == 32
2973                 case F_GETLK64:
2974                 case F_SETLK64:
2975                 case F_SETLKW64:
2976 #endif
2977                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2978                                 err = -EINVAL;
2979                                 break;
2980                         }
2981                         err = file_has_perm(current, file, FILE__LOCK);
2982                         break;
2983         }
2984
2985         return err;
2986 }
2987
2988 static int selinux_file_set_fowner(struct file *file)
2989 {
2990         struct task_security_struct *tsec;
2991         struct file_security_struct *fsec;
2992
2993         tsec = current->security;
2994         fsec = file->f_security;
2995         fsec->fown_sid = tsec->sid;
2996
2997         return 0;
2998 }
2999
3000 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3001                                        struct fown_struct *fown, int signum)
3002 {
3003         struct file *file;
3004         u32 perm;
3005         struct task_security_struct *tsec;
3006         struct file_security_struct *fsec;
3007
3008         /* struct fown_struct is never outside the context of a struct file */
3009         file = container_of(fown, struct file, f_owner);
3010
3011         tsec = tsk->security;
3012         fsec = file->f_security;
3013
3014         if (!signum)
3015                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3016         else
3017                 perm = signal_to_av(signum);
3018
3019         return avc_has_perm(fsec->fown_sid, tsec->sid,
3020                             SECCLASS_PROCESS, perm, NULL);
3021 }
3022
3023 static int selinux_file_receive(struct file *file)
3024 {
3025         return file_has_perm(current, file, file_to_av(file));
3026 }
3027
3028 static int selinux_dentry_open(struct file *file)
3029 {
3030         struct file_security_struct *fsec;
3031         struct inode *inode;
3032         struct inode_security_struct *isec;
3033         inode = file->f_path.dentry->d_inode;
3034         fsec = file->f_security;
3035         isec = inode->i_security;
3036         /*
3037          * Save inode label and policy sequence number
3038          * at open-time so that selinux_file_permission
3039          * can determine whether revalidation is necessary.
3040          * Task label is already saved in the file security
3041          * struct as its SID.
3042          */
3043         fsec->isid = isec->sid;
3044         fsec->pseqno = avc_policy_seqno();
3045         /*
3046          * Since the inode label or policy seqno may have changed
3047          * between the selinux_inode_permission check and the saving
3048          * of state above, recheck that access is still permitted.
3049          * Otherwise, access might never be revalidated against the
3050          * new inode label or new policy.
3051          * This check is not redundant - do not remove.
3052          */
3053         return inode_has_perm(current, inode, file_to_av(file), NULL);
3054 }
3055
3056 /* task security operations */
3057
3058 static int selinux_task_create(unsigned long clone_flags)
3059 {
3060         int rc;
3061
3062         rc = secondary_ops->task_create(clone_flags);
3063         if (rc)
3064                 return rc;
3065
3066         return task_has_perm(current, current, PROCESS__FORK);
3067 }
3068
3069 static int selinux_task_alloc_security(struct task_struct *tsk)
3070 {
3071         struct task_security_struct *tsec1, *tsec2;
3072         int rc;
3073
3074         tsec1 = current->security;
3075
3076         rc = task_alloc_security(tsk);
3077         if (rc)
3078                 return rc;
3079         tsec2 = tsk->security;
3080
3081         tsec2->osid = tsec1->osid;
3082         tsec2->sid = tsec1->sid;
3083
3084         /* Retain the exec, fs, key, and sock SIDs across fork */
3085         tsec2->exec_sid = tsec1->exec_sid;
3086         tsec2->create_sid = tsec1->create_sid;
3087         tsec2->keycreate_sid = tsec1->keycreate_sid;
3088         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3089
3090         /* Retain ptracer SID across fork, if any.
3091            This will be reset by the ptrace hook upon any
3092            subsequent ptrace_attach operations. */
3093         tsec2->ptrace_sid = tsec1->ptrace_sid;
3094
3095         return 0;
3096 }
3097
3098 static void selinux_task_free_security(struct task_struct *tsk)
3099 {
3100         task_free_security(tsk);
3101 }
3102
3103 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3104 {
3105         /* Since setuid only affects the current process, and
3106            since the SELinux controls are not based on the Linux
3107            identity attributes, SELinux does not need to control
3108            this operation.  However, SELinux does control the use
3109            of the CAP_SETUID and CAP_SETGID capabilities using the
3110            capable hook. */
3111         return 0;
3112 }
3113
3114 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3115 {
3116         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
3117 }
3118
3119 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3120 {
3121         /* See the comment for setuid above. */
3122         return 0;
3123 }
3124
3125 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3126 {
3127         return task_has_perm(current, p, PROCESS__SETPGID);
3128 }
3129
3130 static int selinux_task_getpgid(struct task_struct *p)
3131 {
3132         return task_has_perm(current, p, PROCESS__GETPGID);
3133 }
3134
3135 static int selinux_task_getsid(struct task_struct *p)
3136 {
3137         return task_has_perm(current, p, PROCESS__GETSESSION);
3138 }
3139
3140 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3141 {
3142         selinux_get_task_sid(p, secid);
3143 }
3144
3145 static int selinux_task_setgroups(struct group_info *group_info)
3146 {
3147         /* See the comment for setuid above. */
3148         return 0;
3149 }
3150
3151 static int selinux_task_setnice(struct task_struct *p, int nice)
3152 {
3153         int rc;
3154
3155         rc = secondary_ops->task_setnice(p, nice);
3156         if (rc)
3157                 return rc;
3158
3159         return task_has_perm(current,p, PROCESS__SETSCHED);
3160 }
3161
3162 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3163 {
3164         int rc;
3165
3166         rc = secondary_ops->task_setioprio(p, ioprio);
3167         if (rc)
3168                 return rc;
3169
3170         return task_has_perm(current, p, PROCESS__SETSCHED);
3171 }
3172
3173 static int selinux_task_getioprio(struct task_struct *p)
3174 {
3175         return task_has_perm(current, p, PROCESS__GETSCHED);
3176 }
3177
3178 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3179 {
3180         struct rlimit *old_rlim = current->signal->rlim + resource;
3181         int rc;
3182
3183         rc = secondary_ops->task_setrlimit(resource, new_rlim);
3184         if (rc)
3185                 return rc;
3186
3187         /* Control the ability to change the hard limit (whether
3188            lowering or raising it), so that the hard limit can
3189            later be used as a safe reset point for the soft limit
3190            upon context transitions. See selinux_bprm_apply_creds. */
3191         if (old_rlim->rlim_max != new_rlim->rlim_max)
3192                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3193
3194         return 0;
3195 }
3196
3197 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3198 {
3199         int rc;
3200
3201         rc = secondary_ops->task_setscheduler(p, policy, lp);
3202         if (rc)
3203                 return rc;
3204
3205         return task_has_perm(current, p, PROCESS__SETSCHED);
3206 }
3207
3208 static int selinux_task_getscheduler(struct task_struct *p)
3209 {
3210         return task_has_perm(current, p, PROCESS__GETSCHED);
3211 }
3212
3213 static int selinux_task_movememory(struct task_struct *p)
3214 {
3215         return task_has_perm(current, p, PROCESS__SETSCHED);