selinux: handle files opened with flags 3 by checking ioctl permission
[sfrench/cifs-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16  *                Paul Moore <paul.moore@hp.com>
17  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
19  *
20  *      This program is free software; you can redistribute it and/or modify
21  *      it under the terms of the GNU General Public License version 2,
22  *      as published by the Free Software Foundation.
23  */
24
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
34 #include <linux/mm.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
46 #include <linux/kd.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h>    /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h>           /* for Unix socket types */
67 #include <net/af_unix.h>        /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78
79 #include "avc.h"
80 #include "objsec.h"
81 #include "netif.h"
82 #include "netnode.h"
83 #include "xfrm.h"
84 #include "netlabel.h"
85
86 #define XATTR_SELINUX_SUFFIX "selinux"
87 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
88
89 #define NUM_SEL_MNT_OPTS 4
90
91 extern unsigned int policydb_loaded_version;
92 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
93 extern int selinux_compat_net;
94 extern struct security_operations *security_ops;
95
96 /* SECMARK reference count */
97 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
98
99 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100 int selinux_enforcing = 0;
101
102 static int __init enforcing_setup(char *str)
103 {
104         selinux_enforcing = simple_strtol(str,NULL,0);
105         return 1;
106 }
107 __setup("enforcing=", enforcing_setup);
108 #endif
109
110 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
112
113 static int __init selinux_enabled_setup(char *str)
114 {
115         selinux_enabled = simple_strtol(str, NULL, 0);
116         return 1;
117 }
118 __setup("selinux=", selinux_enabled_setup);
119 #else
120 int selinux_enabled = 1;
121 #endif
122
123 /* Original (dummy) security module. */
124 static struct security_operations *original_ops = NULL;
125
126 /* Minimal support for a secondary security module,
127    just to allow the use of the dummy or capability modules.
128    The owlsm module can alternatively be used as a secondary
129    module as long as CONFIG_OWLSM_FD is not enabled. */
130 static struct security_operations *secondary_ops = NULL;
131
132 /* Lists of inode and superblock security structures initialized
133    before the policy was loaded. */
134 static LIST_HEAD(superblock_security_head);
135 static DEFINE_SPINLOCK(sb_security_lock);
136
137 static struct kmem_cache *sel_inode_cache;
138
139 /**
140  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
141  *
142  * Description:
143  * This function checks the SECMARK reference counter to see if any SECMARK
144  * targets are currently configured, if the reference counter is greater than
145  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
146  * enabled, false (0) if SECMARK is disabled.
147  *
148  */
149 static int selinux_secmark_enabled(void)
150 {
151         return (atomic_read(&selinux_secmark_refcount) > 0);
152 }
153
154 /* Allocate and free functions for each kind of security blob. */
155
156 static int task_alloc_security(struct task_struct *task)
157 {
158         struct task_security_struct *tsec;
159
160         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
161         if (!tsec)
162                 return -ENOMEM;
163
164         tsec->task = task;
165         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
166         task->security = tsec;
167
168         return 0;
169 }
170
171 static void task_free_security(struct task_struct *task)
172 {
173         struct task_security_struct *tsec = task->security;
174         task->security = NULL;
175         kfree(tsec);
176 }
177
178 static int inode_alloc_security(struct inode *inode)
179 {
180         struct task_security_struct *tsec = current->security;
181         struct inode_security_struct *isec;
182
183         isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
184         if (!isec)
185                 return -ENOMEM;
186
187         mutex_init(&isec->lock);
188         INIT_LIST_HEAD(&isec->list);
189         isec->inode = inode;
190         isec->sid = SECINITSID_UNLABELED;
191         isec->sclass = SECCLASS_FILE;
192         isec->task_sid = tsec->sid;
193         inode->i_security = isec;
194
195         return 0;
196 }
197
198 static void inode_free_security(struct inode *inode)
199 {
200         struct inode_security_struct *isec = inode->i_security;
201         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
202
203         spin_lock(&sbsec->isec_lock);
204         if (!list_empty(&isec->list))
205                 list_del_init(&isec->list);
206         spin_unlock(&sbsec->isec_lock);
207
208         inode->i_security = NULL;
209         kmem_cache_free(sel_inode_cache, isec);
210 }
211
212 static int file_alloc_security(struct file *file)
213 {
214         struct task_security_struct *tsec = current->security;
215         struct file_security_struct *fsec;
216
217         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
218         if (!fsec)
219                 return -ENOMEM;
220
221         fsec->file = file;
222         fsec->sid = tsec->sid;
223         fsec->fown_sid = tsec->sid;
224         file->f_security = fsec;
225
226         return 0;
227 }
228
229 static void file_free_security(struct file *file)
230 {
231         struct file_security_struct *fsec = file->f_security;
232         file->f_security = NULL;
233         kfree(fsec);
234 }
235
236 static int superblock_alloc_security(struct super_block *sb)
237 {
238         struct superblock_security_struct *sbsec;
239
240         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
241         if (!sbsec)
242                 return -ENOMEM;
243
244         mutex_init(&sbsec->lock);
245         INIT_LIST_HEAD(&sbsec->list);
246         INIT_LIST_HEAD(&sbsec->isec_head);
247         spin_lock_init(&sbsec->isec_lock);
248         sbsec->sb = sb;
249         sbsec->sid = SECINITSID_UNLABELED;
250         sbsec->def_sid = SECINITSID_FILE;
251         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
252         sb->s_security = sbsec;
253
254         return 0;
255 }
256
257 static void superblock_free_security(struct super_block *sb)
258 {
259         struct superblock_security_struct *sbsec = sb->s_security;
260
261         spin_lock(&sb_security_lock);
262         if (!list_empty(&sbsec->list))
263                 list_del_init(&sbsec->list);
264         spin_unlock(&sb_security_lock);
265
266         sb->s_security = NULL;
267         kfree(sbsec);
268 }
269
270 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
271 {
272         struct sk_security_struct *ssec;
273
274         ssec = kzalloc(sizeof(*ssec), priority);
275         if (!ssec)
276                 return -ENOMEM;
277
278         ssec->sk = sk;
279         ssec->peer_sid = SECINITSID_UNLABELED;
280         ssec->sid = SECINITSID_UNLABELED;
281         sk->sk_security = ssec;
282
283         selinux_netlbl_sk_security_init(ssec, family);
284
285         return 0;
286 }
287
288 static void sk_free_security(struct sock *sk)
289 {
290         struct sk_security_struct *ssec = sk->sk_security;
291
292         sk->sk_security = NULL;
293         kfree(ssec);
294 }
295
296 /* The security server must be initialized before
297    any labeling or access decisions can be provided. */
298 extern int ss_initialized;
299
300 /* The file system's label must be initialized prior to use. */
301
302 static char *labeling_behaviors[6] = {
303         "uses xattr",
304         "uses transition SIDs",
305         "uses task SIDs",
306         "uses genfs_contexts",
307         "not configured for labeling",
308         "uses mountpoint labeling",
309 };
310
311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
312
313 static inline int inode_doinit(struct inode *inode)
314 {
315         return inode_doinit_with_dentry(inode, NULL);
316 }
317
318 enum {
319         Opt_error = -1,
320         Opt_context = 1,
321         Opt_fscontext = 2,
322         Opt_defcontext = 3,
323         Opt_rootcontext = 4,
324 };
325
326 static match_table_t tokens = {
327         {Opt_context, "context=%s"},
328         {Opt_fscontext, "fscontext=%s"},
329         {Opt_defcontext, "defcontext=%s"},
330         {Opt_rootcontext, "rootcontext=%s"},
331         {Opt_error, NULL},
332 };
333
334 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
335
336 static int may_context_mount_sb_relabel(u32 sid,
337                         struct superblock_security_struct *sbsec,
338                         struct task_security_struct *tsec)
339 {
340         int rc;
341
342         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
343                           FILESYSTEM__RELABELFROM, NULL);
344         if (rc)
345                 return rc;
346
347         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
348                           FILESYSTEM__RELABELTO, NULL);
349         return rc;
350 }
351
352 static int may_context_mount_inode_relabel(u32 sid,
353                         struct superblock_security_struct *sbsec,
354                         struct task_security_struct *tsec)
355 {
356         int rc;
357         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358                           FILESYSTEM__RELABELFROM, NULL);
359         if (rc)
360                 return rc;
361
362         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
363                           FILESYSTEM__ASSOCIATE, NULL);
364         return rc;
365 }
366
367 static int sb_finish_set_opts(struct super_block *sb)
368 {
369         struct superblock_security_struct *sbsec = sb->s_security;
370         struct dentry *root = sb->s_root;
371         struct inode *root_inode = root->d_inode;
372         int rc = 0;
373
374         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
375                 /* Make sure that the xattr handler exists and that no
376                    error other than -ENODATA is returned by getxattr on
377                    the root directory.  -ENODATA is ok, as this may be
378                    the first boot of the SELinux kernel before we have
379                    assigned xattr values to the filesystem. */
380                 if (!root_inode->i_op->getxattr) {
381                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
382                                "xattr support\n", sb->s_id, sb->s_type->name);
383                         rc = -EOPNOTSUPP;
384                         goto out;
385                 }
386                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
387                 if (rc < 0 && rc != -ENODATA) {
388                         if (rc == -EOPNOTSUPP)
389                                 printk(KERN_WARNING "SELinux: (dev %s, type "
390                                        "%s) has no security xattr handler\n",
391                                        sb->s_id, sb->s_type->name);
392                         else
393                                 printk(KERN_WARNING "SELinux: (dev %s, type "
394                                        "%s) getxattr errno %d\n", sb->s_id,
395                                        sb->s_type->name, -rc);
396                         goto out;
397                 }
398         }
399
400         sbsec->initialized = 1;
401
402         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
404                        sb->s_id, sb->s_type->name);
405         else
406                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
407                        sb->s_id, sb->s_type->name,
408                        labeling_behaviors[sbsec->behavior-1]);
409
410         /* Initialize the root inode. */
411         rc = inode_doinit_with_dentry(root_inode, root);
412
413         /* Initialize any other inodes associated with the superblock, e.g.
414            inodes created prior to initial policy load or inodes created
415            during get_sb by a pseudo filesystem that directly
416            populates itself. */
417         spin_lock(&sbsec->isec_lock);
418 next_inode:
419         if (!list_empty(&sbsec->isec_head)) {
420                 struct inode_security_struct *isec =
421                                 list_entry(sbsec->isec_head.next,
422                                            struct inode_security_struct, list);
423                 struct inode *inode = isec->inode;
424                 spin_unlock(&sbsec->isec_lock);
425                 inode = igrab(inode);
426                 if (inode) {
427                         if (!IS_PRIVATE(inode))
428                                 inode_doinit(inode);
429                         iput(inode);
430                 }
431                 spin_lock(&sbsec->isec_lock);
432                 list_del_init(&isec->list);
433                 goto next_inode;
434         }
435         spin_unlock(&sbsec->isec_lock);
436 out:
437         return rc;
438 }
439
440 /*
441  * This function should allow an FS to ask what it's mount security
442  * options were so it can use those later for submounts, displaying
443  * mount options, or whatever.
444  */
445 static int selinux_get_mnt_opts(const struct super_block *sb,
446                                 struct security_mnt_opts *opts)
447 {
448         int rc = 0, i;
449         struct superblock_security_struct *sbsec = sb->s_security;
450         char *context = NULL;
451         u32 len;
452         char tmp;
453
454         security_init_mnt_opts(opts);
455
456         if (!sbsec->initialized)
457                 return -EINVAL;
458
459         if (!ss_initialized)
460                 return -EINVAL;
461
462         /*
463          * if we ever use sbsec flags for anything other than tracking mount
464          * settings this is going to need a mask
465          */
466         tmp = sbsec->flags;
467         /* count the number of mount options for this sb */
468         for (i = 0; i < 8; i++) {
469                 if (tmp & 0x01)
470                         opts->num_mnt_opts++;
471                 tmp >>= 1;
472         }
473
474         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
475         if (!opts->mnt_opts) {
476                 rc = -ENOMEM;
477                 goto out_free;
478         }
479
480         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
481         if (!opts->mnt_opts_flags) {
482                 rc = -ENOMEM;
483                 goto out_free;
484         }
485
486         i = 0;
487         if (sbsec->flags & FSCONTEXT_MNT) {
488                 rc = security_sid_to_context(sbsec->sid, &context, &len);
489                 if (rc)
490                         goto out_free;
491                 opts->mnt_opts[i] = context;
492                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
493         }
494         if (sbsec->flags & CONTEXT_MNT) {
495                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
496                 if (rc)
497                         goto out_free;
498                 opts->mnt_opts[i] = context;
499                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
500         }
501         if (sbsec->flags & DEFCONTEXT_MNT) {
502                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
503                 if (rc)
504                         goto out_free;
505                 opts->mnt_opts[i] = context;
506                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
507         }
508         if (sbsec->flags & ROOTCONTEXT_MNT) {
509                 struct inode *root = sbsec->sb->s_root->d_inode;
510                 struct inode_security_struct *isec = root->i_security;
511
512                 rc = security_sid_to_context(isec->sid, &context, &len);
513                 if (rc)
514                         goto out_free;
515                 opts->mnt_opts[i] = context;
516                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
517         }
518
519         BUG_ON(i != opts->num_mnt_opts);
520
521         return 0;
522
523 out_free:
524         security_free_mnt_opts(opts);
525         return rc;
526 }
527
528 static int bad_option(struct superblock_security_struct *sbsec, char flag,
529                       u32 old_sid, u32 new_sid)
530 {
531         /* check if the old mount command had the same options */
532         if (sbsec->initialized)
533                 if (!(sbsec->flags & flag) ||
534                     (old_sid != new_sid))
535                         return 1;
536
537         /* check if we were passed the same options twice,
538          * aka someone passed context=a,context=b
539          */
540         if (!sbsec->initialized)
541                 if (sbsec->flags & flag)
542                         return 1;
543         return 0;
544 }
545
546 /*
547  * Allow filesystems with binary mount data to explicitly set mount point
548  * labeling information.
549  */
550 static int selinux_set_mnt_opts(struct super_block *sb,
551                                 struct security_mnt_opts *opts)
552 {
553         int rc = 0, i;
554         struct task_security_struct *tsec = current->security;
555         struct superblock_security_struct *sbsec = sb->s_security;
556         const char *name = sb->s_type->name;
557         struct inode *inode = sbsec->sb->s_root->d_inode;
558         struct inode_security_struct *root_isec = inode->i_security;
559         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
560         u32 defcontext_sid = 0;
561         char **mount_options = opts->mnt_opts;
562         int *flags = opts->mnt_opts_flags;
563         int num_opts = opts->num_mnt_opts;
564
565         mutex_lock(&sbsec->lock);
566
567         if (!ss_initialized) {
568                 if (!num_opts) {
569                         /* Defer initialization until selinux_complete_init,
570                            after the initial policy is loaded and the security
571                            server is ready to handle calls. */
572                         spin_lock(&sb_security_lock);
573                         if (list_empty(&sbsec->list))
574                                 list_add(&sbsec->list, &superblock_security_head);
575                         spin_unlock(&sb_security_lock);
576                         goto out;
577                 }
578                 rc = -EINVAL;
579                 printk(KERN_WARNING "Unable to set superblock options before "
580                        "the security server is initialized\n");
581                 goto out;
582         }
583
584         /*
585          * Binary mount data FS will come through this function twice.  Once
586          * from an explicit call and once from the generic calls from the vfs.
587          * Since the generic VFS calls will not contain any security mount data
588          * we need to skip the double mount verification.
589          *
590          * This does open a hole in which we will not notice if the first
591          * mount using this sb set explict options and a second mount using
592          * this sb does not set any security options.  (The first options
593          * will be used for both mounts)
594          */
595         if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
596             && (num_opts == 0))
597                 goto out;
598
599         /*
600          * parse the mount options, check if they are valid sids.
601          * also check if someone is trying to mount the same sb more
602          * than once with different security options.
603          */
604         for (i = 0; i < num_opts; i++) {
605                 u32 sid;
606                 rc = security_context_to_sid(mount_options[i],
607                                              strlen(mount_options[i]), &sid);
608                 if (rc) {
609                         printk(KERN_WARNING "SELinux: security_context_to_sid"
610                                "(%s) failed for (dev %s, type %s) errno=%d\n",
611                                mount_options[i], sb->s_id, name, rc);
612                         goto out;
613                 }
614                 switch (flags[i]) {
615                 case FSCONTEXT_MNT:
616                         fscontext_sid = sid;
617
618                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
619                                         fscontext_sid))
620                                 goto out_double_mount;
621
622                         sbsec->flags |= FSCONTEXT_MNT;
623                         break;
624                 case CONTEXT_MNT:
625                         context_sid = sid;
626
627                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
628                                         context_sid))
629                                 goto out_double_mount;
630
631                         sbsec->flags |= CONTEXT_MNT;
632                         break;
633                 case ROOTCONTEXT_MNT:
634                         rootcontext_sid = sid;
635
636                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
637                                         rootcontext_sid))
638                                 goto out_double_mount;
639
640                         sbsec->flags |= ROOTCONTEXT_MNT;
641
642                         break;
643                 case DEFCONTEXT_MNT:
644                         defcontext_sid = sid;
645
646                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
647                                         defcontext_sid))
648                                 goto out_double_mount;
649
650                         sbsec->flags |= DEFCONTEXT_MNT;
651
652                         break;
653                 default:
654                         rc = -EINVAL;
655                         goto out;
656                 }
657         }
658
659         if (sbsec->initialized) {
660                 /* previously mounted with options, but not on this attempt? */
661                 if (sbsec->flags && !num_opts)
662                         goto out_double_mount;
663                 rc = 0;
664                 goto out;
665         }
666
667         if (strcmp(sb->s_type->name, "proc") == 0)
668                 sbsec->proc = 1;
669
670         /* Determine the labeling behavior to use for this filesystem type. */
671         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
672         if (rc) {
673                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
674                        __FUNCTION__, sb->s_type->name, rc);
675                 goto out;
676         }
677
678         /* sets the context of the superblock for the fs being mounted. */
679         if (fscontext_sid) {
680
681                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
682                 if (rc)
683                         goto out;
684
685                 sbsec->sid = fscontext_sid;
686         }
687
688         /*
689          * Switch to using mount point labeling behavior.
690          * sets the label used on all file below the mountpoint, and will set
691          * the superblock context if not already set.
692          */
693         if (context_sid) {
694                 if (!fscontext_sid) {
695                         rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
696                         if (rc)
697                                 goto out;
698                         sbsec->sid = context_sid;
699                 } else {
700                         rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
701                         if (rc)
702                                 goto out;
703                 }
704                 if (!rootcontext_sid)
705                         rootcontext_sid = context_sid;
706
707                 sbsec->mntpoint_sid = context_sid;
708                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
709         }
710
711         if (rootcontext_sid) {
712                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
713                 if (rc)
714                         goto out;
715
716                 root_isec->sid = rootcontext_sid;
717                 root_isec->initialized = 1;
718         }
719
720         if (defcontext_sid) {
721                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
722                         rc = -EINVAL;
723                         printk(KERN_WARNING "SELinux: defcontext option is "
724                                "invalid for this filesystem type\n");
725                         goto out;
726                 }
727
728                 if (defcontext_sid != sbsec->def_sid) {
729                         rc = may_context_mount_inode_relabel(defcontext_sid,
730                                                              sbsec, tsec);
731                         if (rc)
732                                 goto out;
733                 }
734
735                 sbsec->def_sid = defcontext_sid;
736         }
737
738         rc = sb_finish_set_opts(sb);
739 out:
740         mutex_unlock(&sbsec->lock);
741         return rc;
742 out_double_mount:
743         rc = -EINVAL;
744         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
745                "security settings for (dev %s, type %s)\n", sb->s_id, name);
746         goto out;
747 }
748
749 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
750                                         struct super_block *newsb)
751 {
752         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
753         struct superblock_security_struct *newsbsec = newsb->s_security;
754
755         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
756         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
757         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
758
759         /* we can't error, we can't save the info, this shouldn't get called
760          * this early in the boot process. */
761         BUG_ON(!ss_initialized);
762
763         /* this might go away sometime down the line if there is a new user
764          * of clone, but for now, nfs better not get here... */
765         BUG_ON(newsbsec->initialized);
766
767         /* how can we clone if the old one wasn't set up?? */
768         BUG_ON(!oldsbsec->initialized);
769
770         mutex_lock(&newsbsec->lock);
771
772         newsbsec->flags = oldsbsec->flags;
773
774         newsbsec->sid = oldsbsec->sid;
775         newsbsec->def_sid = oldsbsec->def_sid;
776         newsbsec->behavior = oldsbsec->behavior;
777
778         if (set_context) {
779                 u32 sid = oldsbsec->mntpoint_sid;
780
781                 if (!set_fscontext)
782                         newsbsec->sid = sid;
783                 if (!set_rootcontext) {
784                         struct inode *newinode = newsb->s_root->d_inode;
785                         struct inode_security_struct *newisec = newinode->i_security;
786                         newisec->sid = sid;
787                 }
788                 newsbsec->mntpoint_sid = sid;
789         }
790         if (set_rootcontext) {
791                 const struct inode *oldinode = oldsb->s_root->d_inode;
792                 const struct inode_security_struct *oldisec = oldinode->i_security;
793                 struct inode *newinode = newsb->s_root->d_inode;
794                 struct inode_security_struct *newisec = newinode->i_security;
795
796                 newisec->sid = oldisec->sid;
797         }
798
799         sb_finish_set_opts(newsb);
800         mutex_unlock(&newsbsec->lock);
801 }
802
803 static int selinux_parse_opts_str(char *options,
804                                   struct security_mnt_opts *opts)
805 {
806         char *p;
807         char *context = NULL, *defcontext = NULL;
808         char *fscontext = NULL, *rootcontext = NULL;
809         int rc, num_mnt_opts = 0;
810
811         opts->num_mnt_opts = 0;
812
813         /* Standard string-based options. */
814         while ((p = strsep(&options, "|")) != NULL) {
815                 int token;
816                 substring_t args[MAX_OPT_ARGS];
817
818                 if (!*p)
819                         continue;
820
821                 token = match_token(p, tokens, args);
822
823                 switch (token) {
824                 case Opt_context:
825                         if (context || defcontext) {
826                                 rc = -EINVAL;
827                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
828                                 goto out_err;
829                         }
830                         context = match_strdup(&args[0]);
831                         if (!context) {
832                                 rc = -ENOMEM;
833                                 goto out_err;
834                         }
835                         break;
836
837                 case Opt_fscontext:
838                         if (fscontext) {
839                                 rc = -EINVAL;
840                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
841                                 goto out_err;
842                         }
843                         fscontext = match_strdup(&args[0]);
844                         if (!fscontext) {
845                                 rc = -ENOMEM;
846                                 goto out_err;
847                         }
848                         break;
849
850                 case Opt_rootcontext:
851                         if (rootcontext) {
852                                 rc = -EINVAL;
853                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
854                                 goto out_err;
855                         }
856                         rootcontext = match_strdup(&args[0]);
857                         if (!rootcontext) {
858                                 rc = -ENOMEM;
859                                 goto out_err;
860                         }
861                         break;
862
863                 case Opt_defcontext:
864                         if (context || defcontext) {
865                                 rc = -EINVAL;
866                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
867                                 goto out_err;
868                         }
869                         defcontext = match_strdup(&args[0]);
870                         if (!defcontext) {
871                                 rc = -ENOMEM;
872                                 goto out_err;
873                         }
874                         break;
875
876                 default:
877                         rc = -EINVAL;
878                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
879                         goto out_err;
880
881                 }
882         }
883
884         rc = -ENOMEM;
885         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
886         if (!opts->mnt_opts)
887                 goto out_err;
888
889         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
890         if (!opts->mnt_opts_flags) {
891                 kfree(opts->mnt_opts);
892                 goto out_err;
893         }
894
895         if (fscontext) {
896                 opts->mnt_opts[num_mnt_opts] = fscontext;
897                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
898         }
899         if (context) {
900                 opts->mnt_opts[num_mnt_opts] = context;
901                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
902         }
903         if (rootcontext) {
904                 opts->mnt_opts[num_mnt_opts] = rootcontext;
905                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
906         }
907         if (defcontext) {
908                 opts->mnt_opts[num_mnt_opts] = defcontext;
909                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
910         }
911
912         opts->num_mnt_opts = num_mnt_opts;
913         return 0;
914
915 out_err:
916         kfree(context);
917         kfree(defcontext);
918         kfree(fscontext);
919         kfree(rootcontext);
920         return rc;
921 }
922 /*
923  * string mount options parsing and call set the sbsec
924  */
925 static int superblock_doinit(struct super_block *sb, void *data)
926 {
927         int rc = 0;
928         char *options = data;
929         struct security_mnt_opts opts;
930
931         security_init_mnt_opts(&opts);
932
933         if (!data)
934                 goto out;
935
936         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
937
938         rc = selinux_parse_opts_str(options, &opts);
939         if (rc)
940                 goto out_err;
941
942 out:
943         rc = selinux_set_mnt_opts(sb, &opts);
944
945 out_err:
946         security_free_mnt_opts(&opts);
947         return rc;
948 }
949
950 static inline u16 inode_mode_to_security_class(umode_t mode)
951 {
952         switch (mode & S_IFMT) {
953         case S_IFSOCK:
954                 return SECCLASS_SOCK_FILE;
955         case S_IFLNK:
956                 return SECCLASS_LNK_FILE;
957         case S_IFREG:
958                 return SECCLASS_FILE;
959         case S_IFBLK:
960                 return SECCLASS_BLK_FILE;
961         case S_IFDIR:
962                 return SECCLASS_DIR;
963         case S_IFCHR:
964                 return SECCLASS_CHR_FILE;
965         case S_IFIFO:
966                 return SECCLASS_FIFO_FILE;
967
968         }
969
970         return SECCLASS_FILE;
971 }
972
973 static inline int default_protocol_stream(int protocol)
974 {
975         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
976 }
977
978 static inline int default_protocol_dgram(int protocol)
979 {
980         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
981 }
982
983 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
984 {
985         switch (family) {
986         case PF_UNIX:
987                 switch (type) {
988                 case SOCK_STREAM:
989                 case SOCK_SEQPACKET:
990                         return SECCLASS_UNIX_STREAM_SOCKET;
991                 case SOCK_DGRAM:
992                         return SECCLASS_UNIX_DGRAM_SOCKET;
993                 }
994                 break;
995         case PF_INET:
996         case PF_INET6:
997                 switch (type) {
998                 case SOCK_STREAM:
999                         if (default_protocol_stream(protocol))
1000                                 return SECCLASS_TCP_SOCKET;
1001                         else
1002                                 return SECCLASS_RAWIP_SOCKET;
1003                 case SOCK_DGRAM:
1004                         if (default_protocol_dgram(protocol))
1005                                 return SECCLASS_UDP_SOCKET;
1006                         else
1007                                 return SECCLASS_RAWIP_SOCKET;
1008                 case SOCK_DCCP:
1009                         return SECCLASS_DCCP_SOCKET;
1010                 default:
1011                         return SECCLASS_RAWIP_SOCKET;
1012                 }
1013                 break;
1014         case PF_NETLINK:
1015                 switch (protocol) {
1016                 case NETLINK_ROUTE:
1017                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1018                 case NETLINK_FIREWALL:
1019                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1020                 case NETLINK_INET_DIAG:
1021                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1022                 case NETLINK_NFLOG:
1023                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1024                 case NETLINK_XFRM:
1025                         return SECCLASS_NETLINK_XFRM_SOCKET;
1026                 case NETLINK_SELINUX:
1027                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1028                 case NETLINK_AUDIT:
1029                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1030                 case NETLINK_IP6_FW:
1031                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1032                 case NETLINK_DNRTMSG:
1033                         return SECCLASS_NETLINK_DNRT_SOCKET;
1034                 case NETLINK_KOBJECT_UEVENT:
1035                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1036                 default:
1037                         return SECCLASS_NETLINK_SOCKET;
1038                 }
1039         case PF_PACKET:
1040                 return SECCLASS_PACKET_SOCKET;
1041         case PF_KEY:
1042                 return SECCLASS_KEY_SOCKET;
1043         case PF_APPLETALK:
1044                 return SECCLASS_APPLETALK_SOCKET;
1045         }
1046
1047         return SECCLASS_SOCKET;
1048 }
1049
1050 #ifdef CONFIG_PROC_FS
1051 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1052                                 u16 tclass,
1053                                 u32 *sid)
1054 {
1055         int buflen, rc;
1056         char *buffer, *path, *end;
1057
1058         buffer = (char*)__get_free_page(GFP_KERNEL);
1059         if (!buffer)
1060                 return -ENOMEM;
1061
1062         buflen = PAGE_SIZE;
1063         end = buffer+buflen;
1064         *--end = '\0';
1065         buflen--;
1066         path = end-1;
1067         *path = '/';
1068         while (de && de != de->parent) {
1069                 buflen -= de->namelen + 1;
1070                 if (buflen < 0)
1071                         break;
1072                 end -= de->namelen;
1073                 memcpy(end, de->name, de->namelen);
1074                 *--end = '/';
1075                 path = end;
1076                 de = de->parent;
1077         }
1078         rc = security_genfs_sid("proc", path, tclass, sid);
1079         free_page((unsigned long)buffer);
1080         return rc;
1081 }
1082 #else
1083 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1084                                 u16 tclass,
1085                                 u32 *sid)
1086 {
1087         return -EINVAL;
1088 }
1089 #endif
1090
1091 /* The inode's security attributes must be initialized before first use. */
1092 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1093 {
1094         struct superblock_security_struct *sbsec = NULL;
1095         struct inode_security_struct *isec = inode->i_security;
1096         u32 sid;
1097         struct dentry *dentry;
1098 #define INITCONTEXTLEN 255
1099         char *context = NULL;
1100         unsigned len = 0;
1101         int rc = 0;
1102
1103         if (isec->initialized)
1104                 goto out;
1105
1106         mutex_lock(&isec->lock);
1107         if (isec->initialized)
1108                 goto out_unlock;
1109
1110         sbsec = inode->i_sb->s_security;
1111         if (!sbsec->initialized) {
1112                 /* Defer initialization until selinux_complete_init,
1113                    after the initial policy is loaded and the security
1114                    server is ready to handle calls. */
1115                 spin_lock(&sbsec->isec_lock);
1116                 if (list_empty(&isec->list))
1117                         list_add(&isec->list, &sbsec->isec_head);
1118                 spin_unlock(&sbsec->isec_lock);
1119                 goto out_unlock;
1120         }
1121
1122         switch (sbsec->behavior) {
1123         case SECURITY_FS_USE_XATTR:
1124                 if (!inode->i_op->getxattr) {
1125                         isec->sid = sbsec->def_sid;
1126                         break;
1127                 }
1128
1129                 /* Need a dentry, since the xattr API requires one.
1130                    Life would be simpler if we could just pass the inode. */
1131                 if (opt_dentry) {
1132                         /* Called from d_instantiate or d_splice_alias. */
1133                         dentry = dget(opt_dentry);
1134                 } else {
1135                         /* Called from selinux_complete_init, try to find a dentry. */
1136                         dentry = d_find_alias(inode);
1137                 }
1138                 if (!dentry) {
1139                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
1140                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1141                                inode->i_ino);
1142                         goto out_unlock;
1143                 }
1144
1145                 len = INITCONTEXTLEN;
1146                 context = kmalloc(len, GFP_KERNEL);
1147                 if (!context) {
1148                         rc = -ENOMEM;
1149                         dput(dentry);
1150                         goto out_unlock;
1151                 }
1152                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1153                                            context, len);
1154                 if (rc == -ERANGE) {
1155                         /* Need a larger buffer.  Query for the right size. */
1156                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1157                                                    NULL, 0);
1158                         if (rc < 0) {
1159                                 dput(dentry);
1160                                 goto out_unlock;
1161                         }
1162                         kfree(context);
1163                         len = rc;
1164                         context = kmalloc(len, GFP_KERNEL);
1165                         if (!context) {
1166                                 rc = -ENOMEM;
1167                                 dput(dentry);
1168                                 goto out_unlock;
1169                         }
1170                         rc = inode->i_op->getxattr(dentry,
1171                                                    XATTR_NAME_SELINUX,
1172                                                    context, len);
1173                 }
1174                 dput(dentry);
1175                 if (rc < 0) {
1176                         if (rc != -ENODATA) {
1177                                 printk(KERN_WARNING "%s:  getxattr returned "
1178                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
1179                                        -rc, inode->i_sb->s_id, inode->i_ino);
1180                                 kfree(context);
1181                                 goto out_unlock;
1182                         }
1183                         /* Map ENODATA to the default file SID */
1184                         sid = sbsec->def_sid;
1185                         rc = 0;
1186                 } else {
1187                         rc = security_context_to_sid_default(context, rc, &sid,
1188                                                              sbsec->def_sid);
1189                         if (rc) {
1190                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
1191                                        "returned %d for dev=%s ino=%ld\n",
1192                                        __FUNCTION__, context, -rc,
1193                                        inode->i_sb->s_id, inode->i_ino);
1194                                 kfree(context);
1195                                 /* Leave with the unlabeled SID */
1196                                 rc = 0;
1197                                 break;
1198                         }
1199                 }
1200                 kfree(context);
1201                 isec->sid = sid;
1202                 break;
1203         case SECURITY_FS_USE_TASK:
1204                 isec->sid = isec->task_sid;
1205                 break;
1206         case SECURITY_FS_USE_TRANS:
1207                 /* Default to the fs SID. */
1208                 isec->sid = sbsec->sid;
1209
1210                 /* Try to obtain a transition SID. */
1211                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1212                 rc = security_transition_sid(isec->task_sid,
1213                                              sbsec->sid,
1214                                              isec->sclass,
1215                                              &sid);
1216                 if (rc)
1217                         goto out_unlock;
1218                 isec->sid = sid;
1219                 break;
1220         case SECURITY_FS_USE_MNTPOINT:
1221                 isec->sid = sbsec->mntpoint_sid;
1222                 break;
1223         default:
1224                 /* Default to the fs superblock SID. */
1225                 isec->sid = sbsec->sid;
1226
1227                 if (sbsec->proc) {
1228                         struct proc_inode *proci = PROC_I(inode);
1229                         if (proci->pde) {
1230                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1231                                 rc = selinux_proc_get_sid(proci->pde,
1232                                                           isec->sclass,
1233                                                           &sid);
1234                                 if (rc)
1235                                         goto out_unlock;
1236                                 isec->sid = sid;
1237                         }
1238                 }
1239                 break;
1240         }
1241
1242         isec->initialized = 1;
1243
1244 out_unlock:
1245         mutex_unlock(&isec->lock);
1246 out:
1247         if (isec->sclass == SECCLASS_FILE)
1248                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1249         return rc;
1250 }
1251
1252 /* Convert a Linux signal to an access vector. */
1253 static inline u32 signal_to_av(int sig)
1254 {
1255         u32 perm = 0;
1256
1257         switch (sig) {
1258         case SIGCHLD:
1259                 /* Commonly granted from child to parent. */
1260                 perm = PROCESS__SIGCHLD;
1261                 break;
1262         case SIGKILL:
1263                 /* Cannot be caught or ignored */
1264                 perm = PROCESS__SIGKILL;
1265                 break;
1266         case SIGSTOP:
1267                 /* Cannot be caught or ignored */
1268                 perm = PROCESS__SIGSTOP;
1269                 break;
1270         default:
1271                 /* All other signals. */
1272                 perm = PROCESS__SIGNAL;
1273                 break;
1274         }
1275
1276         return perm;
1277 }
1278
1279 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1280    fork check, ptrace check, etc. */
1281 static int task_has_perm(struct task_struct *tsk1,
1282                          struct task_struct *tsk2,
1283                          u32 perms)
1284 {
1285         struct task_security_struct *tsec1, *tsec2;
1286
1287         tsec1 = tsk1->security;
1288         tsec2 = tsk2->security;
1289         return avc_has_perm(tsec1->sid, tsec2->sid,
1290                             SECCLASS_PROCESS, perms, NULL);
1291 }
1292
1293 #if CAP_LAST_CAP > 63
1294 #error Fix SELinux to handle capabilities > 63.
1295 #endif
1296
1297 /* Check whether a task is allowed to use a capability. */
1298 static int task_has_capability(struct task_struct *tsk,
1299                                int cap)
1300 {
1301         struct task_security_struct *tsec;
1302         struct avc_audit_data ad;
1303         u16 sclass;
1304         u32 av = CAP_TO_MASK(cap);
1305
1306         tsec = tsk->security;
1307
1308         AVC_AUDIT_DATA_INIT(&ad,CAP);
1309         ad.tsk = tsk;
1310         ad.u.cap = cap;
1311
1312         switch (CAP_TO_INDEX(cap)) {
1313         case 0:
1314                 sclass = SECCLASS_CAPABILITY;
1315                 break;
1316         case 1:
1317                 sclass = SECCLASS_CAPABILITY2;
1318                 break;
1319         default:
1320                 printk(KERN_ERR
1321                        "SELinux:  out of range capability %d\n", cap);
1322                 BUG();
1323         }
1324         return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1325 }
1326
1327 /* Check whether a task is allowed to use a system operation. */
1328 static int task_has_system(struct task_struct *tsk,
1329                            u32 perms)
1330 {
1331         struct task_security_struct *tsec;
1332
1333         tsec = tsk->security;
1334
1335         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1336                             SECCLASS_SYSTEM, perms, NULL);
1337 }
1338
1339 /* Check whether a task has a particular permission to an inode.
1340    The 'adp' parameter is optional and allows other audit
1341    data to be passed (e.g. the dentry). */
1342 static int inode_has_perm(struct task_struct *tsk,
1343                           struct inode *inode,
1344                           u32 perms,
1345                           struct avc_audit_data *adp)
1346 {
1347         struct task_security_struct *tsec;
1348         struct inode_security_struct *isec;
1349         struct avc_audit_data ad;
1350
1351         if (unlikely (IS_PRIVATE (inode)))
1352                 return 0;
1353
1354         tsec = tsk->security;
1355         isec = inode->i_security;
1356
1357         if (!adp) {
1358                 adp = &ad;
1359                 AVC_AUDIT_DATA_INIT(&ad, FS);
1360                 ad.u.fs.inode = inode;
1361         }
1362
1363         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1364 }
1365
1366 /* Same as inode_has_perm, but pass explicit audit data containing
1367    the dentry to help the auditing code to more easily generate the
1368    pathname if needed. */
1369 static inline int dentry_has_perm(struct task_struct *tsk,
1370                                   struct vfsmount *mnt,
1371                                   struct dentry *dentry,
1372                                   u32 av)
1373 {
1374         struct inode *inode = dentry->d_inode;
1375         struct avc_audit_data ad;
1376         AVC_AUDIT_DATA_INIT(&ad,FS);
1377         ad.u.fs.path.mnt = mnt;
1378         ad.u.fs.path.dentry = dentry;
1379         return inode_has_perm(tsk, inode, av, &ad);
1380 }
1381
1382 /* Check whether a task can use an open file descriptor to
1383    access an inode in a given way.  Check access to the
1384    descriptor itself, and then use dentry_has_perm to
1385    check a particular permission to the file.
1386    Access to the descriptor is implicitly granted if it
1387    has the same SID as the process.  If av is zero, then
1388    access to the file is not checked, e.g. for cases
1389    where only the descriptor is affected like seek. */
1390 static int file_has_perm(struct task_struct *tsk,
1391                                 struct file *file,
1392                                 u32 av)
1393 {
1394         struct task_security_struct *tsec = tsk->security;
1395         struct file_security_struct *fsec = file->f_security;
1396         struct inode *inode = file->f_path.dentry->d_inode;
1397         struct avc_audit_data ad;
1398         int rc;
1399
1400         AVC_AUDIT_DATA_INIT(&ad, FS);
1401         ad.u.fs.path = file->f_path;
1402
1403         if (tsec->sid != fsec->sid) {
1404                 rc = avc_has_perm(tsec->sid, fsec->sid,
1405                                   SECCLASS_FD,
1406                                   FD__USE,
1407                                   &ad);
1408                 if (rc)
1409                         return rc;
1410         }
1411
1412         /* av is zero if only checking access to the descriptor. */
1413         if (av)
1414                 return inode_has_perm(tsk, inode, av, &ad);
1415
1416         return 0;
1417 }
1418
1419 /* Check whether a task can create a file. */
1420 static int may_create(struct inode *dir,
1421                       struct dentry *dentry,
1422                       u16 tclass)
1423 {
1424         struct task_security_struct *tsec;
1425         struct inode_security_struct *dsec;
1426         struct superblock_security_struct *sbsec;
1427         u32 newsid;
1428         struct avc_audit_data ad;
1429         int rc;
1430
1431         tsec = current->security;
1432         dsec = dir->i_security;
1433         sbsec = dir->i_sb->s_security;
1434
1435         AVC_AUDIT_DATA_INIT(&ad, FS);
1436         ad.u.fs.path.dentry = dentry;
1437
1438         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1439                           DIR__ADD_NAME | DIR__SEARCH,
1440                           &ad);
1441         if (rc)
1442                 return rc;
1443
1444         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1445                 newsid = tsec->create_sid;
1446         } else {
1447                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1448                                              &newsid);
1449                 if (rc)
1450                         return rc;
1451         }
1452
1453         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1454         if (rc)
1455                 return rc;
1456
1457         return avc_has_perm(newsid, sbsec->sid,
1458                             SECCLASS_FILESYSTEM,
1459                             FILESYSTEM__ASSOCIATE, &ad);
1460 }
1461
1462 /* Check whether a task can create a key. */
1463 static int may_create_key(u32 ksid,
1464                           struct task_struct *ctx)
1465 {
1466         struct task_security_struct *tsec;
1467
1468         tsec = ctx->security;
1469
1470         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1471 }
1472
1473 #define MAY_LINK   0
1474 #define MAY_UNLINK 1
1475 #define MAY_RMDIR  2
1476
1477 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1478 static int may_link(struct inode *dir,
1479                     struct dentry *dentry,
1480                     int kind)
1481
1482 {
1483         struct task_security_struct *tsec;
1484         struct inode_security_struct *dsec, *isec;
1485         struct avc_audit_data ad;
1486         u32 av;
1487         int rc;
1488
1489         tsec = current->security;
1490         dsec = dir->i_security;
1491         isec = dentry->d_inode->i_security;
1492
1493         AVC_AUDIT_DATA_INIT(&ad, FS);
1494         ad.u.fs.path.dentry = dentry;
1495
1496         av = DIR__SEARCH;
1497         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1498         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1499         if (rc)
1500                 return rc;
1501
1502         switch (kind) {
1503         case MAY_LINK:
1504                 av = FILE__LINK;
1505                 break;
1506         case MAY_UNLINK:
1507                 av = FILE__UNLINK;
1508                 break;
1509         case MAY_RMDIR:
1510                 av = DIR__RMDIR;
1511                 break;
1512         default:
1513                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1514                 return 0;
1515         }
1516
1517         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1518         return rc;
1519 }
1520
1521 static inline int may_rename(struct inode *old_dir,
1522                              struct dentry *old_dentry,
1523                              struct inode *new_dir,
1524                              struct dentry *new_dentry)
1525 {
1526         struct task_security_struct *tsec;
1527         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1528         struct avc_audit_data ad;
1529         u32 av;
1530         int old_is_dir, new_is_dir;
1531         int rc;
1532
1533         tsec = current->security;
1534         old_dsec = old_dir->i_security;
1535         old_isec = old_dentry->d_inode->i_security;
1536         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1537         new_dsec = new_dir->i_security;
1538
1539         AVC_AUDIT_DATA_INIT(&ad, FS);
1540
1541         ad.u.fs.path.dentry = old_dentry;
1542         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1543                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1544         if (rc)
1545                 return rc;
1546         rc = avc_has_perm(tsec->sid, old_isec->sid,
1547                           old_isec->sclass, FILE__RENAME, &ad);
1548         if (rc)
1549                 return rc;
1550         if (old_is_dir && new_dir != old_dir) {
1551                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1552                                   old_isec->sclass, DIR__REPARENT, &ad);
1553                 if (rc)
1554                         return rc;
1555         }
1556
1557         ad.u.fs.path.dentry = new_dentry;
1558         av = DIR__ADD_NAME | DIR__SEARCH;
1559         if (new_dentry->d_inode)
1560                 av |= DIR__REMOVE_NAME;
1561         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1562         if (rc)
1563                 return rc;
1564         if (new_dentry->d_inode) {
1565                 new_isec = new_dentry->d_inode->i_security;
1566                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1567                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1568                                   new_isec->sclass,
1569                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1570                 if (rc)
1571                         return rc;
1572         }
1573
1574         return 0;
1575 }
1576
1577 /* Check whether a task can perform a filesystem operation. */
1578 static int superblock_has_perm(struct task_struct *tsk,
1579                                struct super_block *sb,
1580                                u32 perms,
1581                                struct avc_audit_data *ad)
1582 {
1583         struct task_security_struct *tsec;
1584         struct superblock_security_struct *sbsec;
1585
1586         tsec = tsk->security;
1587         sbsec = sb->s_security;
1588         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1589                             perms, ad);
1590 }
1591
1592 /* Convert a Linux mode and permission mask to an access vector. */
1593 static inline u32 file_mask_to_av(int mode, int mask)
1594 {
1595         u32 av = 0;
1596
1597         if ((mode & S_IFMT) != S_IFDIR) {
1598                 if (mask & MAY_EXEC)
1599                         av |= FILE__EXECUTE;
1600                 if (mask & MAY_READ)
1601                         av |= FILE__READ;
1602
1603                 if (mask & MAY_APPEND)
1604                         av |= FILE__APPEND;
1605                 else if (mask & MAY_WRITE)
1606                         av |= FILE__WRITE;
1607
1608         } else {
1609                 if (mask & MAY_EXEC)
1610                         av |= DIR__SEARCH;
1611                 if (mask & MAY_WRITE)
1612                         av |= DIR__WRITE;
1613                 if (mask & MAY_READ)
1614                         av |= DIR__READ;
1615         }
1616
1617         return av;
1618 }
1619
1620 /* Convert a Linux file to an access vector. */
1621 static inline u32 file_to_av(struct file *file)
1622 {
1623         u32 av = 0;
1624
1625         if (file->f_mode & FMODE_READ)
1626                 av |= FILE__READ;
1627         if (file->f_mode & FMODE_WRITE) {
1628                 if (file->f_flags & O_APPEND)
1629                         av |= FILE__APPEND;
1630                 else
1631                         av |= FILE__WRITE;
1632         }
1633         if (!av) {
1634                 /*
1635                  * Special file opened with flags 3 for ioctl-only use.
1636                  */
1637                 av = FILE__IOCTL;
1638         }
1639
1640         return av;
1641 }
1642
1643 /* Hook functions begin here. */
1644
1645 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1646 {
1647         struct task_security_struct *psec = parent->security;
1648         struct task_security_struct *csec = child->security;
1649         int rc;
1650
1651         rc = secondary_ops->ptrace(parent,child);
1652         if (rc)
1653                 return rc;
1654
1655         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1656         /* Save the SID of the tracing process for later use in apply_creds. */
1657         if (!(child->ptrace & PT_PTRACED) && !rc)
1658                 csec->ptrace_sid = psec->sid;
1659         return rc;
1660 }
1661
1662 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1663                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1664 {
1665         int error;
1666
1667         error = task_has_perm(current, target, PROCESS__GETCAP);
1668         if (error)
1669                 return error;
1670
1671         return secondary_ops->capget(target, effective, inheritable, permitted);
1672 }
1673
1674 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1675                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1676 {
1677         int error;
1678
1679         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1680         if (error)
1681                 return error;
1682
1683         return task_has_perm(current, target, PROCESS__SETCAP);
1684 }
1685
1686 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1687                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1688 {
1689         secondary_ops->capset_set(target, effective, inheritable, permitted);
1690 }
1691
1692 static int selinux_capable(struct task_struct *tsk, int cap)
1693 {
1694         int rc;
1695
1696         rc = secondary_ops->capable(tsk, cap);
1697         if (rc)
1698                 return rc;
1699
1700         return task_has_capability(tsk,cap);
1701 }
1702
1703 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1704 {
1705         int buflen, rc;
1706         char *buffer, *path, *end;
1707
1708         rc = -ENOMEM;
1709         buffer = (char*)__get_free_page(GFP_KERNEL);
1710         if (!buffer)
1711                 goto out;
1712
1713         buflen = PAGE_SIZE;
1714         end = buffer+buflen;
1715         *--end = '\0';
1716         buflen--;
1717         path = end-1;
1718         *path = '/';
1719         while (table) {
1720                 const char *name = table->procname;
1721                 size_t namelen = strlen(name);
1722                 buflen -= namelen + 1;
1723                 if (buflen < 0)
1724                         goto out_free;
1725                 end -= namelen;
1726                 memcpy(end, name, namelen);
1727                 *--end = '/';
1728                 path = end;
1729                 table = table->parent;
1730         }
1731         buflen -= 4;
1732         if (buflen < 0)
1733                 goto out_free;
1734         end -= 4;
1735         memcpy(end, "/sys", 4);
1736         path = end;
1737         rc = security_genfs_sid("proc", path, tclass, sid);
1738 out_free:
1739         free_page((unsigned long)buffer);
1740 out:
1741         return rc;
1742 }
1743
1744 static int selinux_sysctl(ctl_table *table, int op)
1745 {
1746         int error = 0;
1747         u32 av;
1748         struct task_security_struct *tsec;
1749         u32 tsid;
1750         int rc;
1751
1752         rc = secondary_ops->sysctl(table, op);
1753         if (rc)
1754                 return rc;
1755
1756         tsec = current->security;
1757
1758         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1759                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1760         if (rc) {
1761                 /* Default to the well-defined sysctl SID. */
1762                 tsid = SECINITSID_SYSCTL;
1763         }
1764
1765         /* The op values are "defined" in sysctl.c, thereby creating
1766          * a bad coupling between this module and sysctl.c */
1767         if(op == 001) {
1768                 error = avc_has_perm(tsec->sid, tsid,
1769                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1770         } else {
1771                 av = 0;
1772                 if (op & 004)
1773                         av |= FILE__READ;
1774                 if (op & 002)
1775                         av |= FILE__WRITE;
1776                 if (av)
1777                         error = avc_has_perm(tsec->sid, tsid,
1778                                              SECCLASS_FILE, av, NULL);
1779         }
1780
1781         return error;
1782 }
1783
1784 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1785 {
1786         int rc = 0;
1787
1788         if (!sb)
1789                 return 0;
1790
1791         switch (cmds) {
1792                 case Q_SYNC:
1793                 case Q_QUOTAON:
1794                 case Q_QUOTAOFF:
1795                 case Q_SETINFO:
1796                 case Q_SETQUOTA:
1797                         rc = superblock_has_perm(current,
1798                                                  sb,
1799                                                  FILESYSTEM__QUOTAMOD, NULL);
1800                         break;
1801                 case Q_GETFMT:
1802                 case Q_GETINFO:
1803                 case Q_GETQUOTA:
1804                         rc = superblock_has_perm(current,
1805                                                  sb,
1806                                                  FILESYSTEM__QUOTAGET, NULL);
1807                         break;
1808                 default:
1809                         rc = 0;  /* let the kernel handle invalid cmds */
1810                         break;
1811         }
1812         return rc;
1813 }
1814
1815 static int selinux_quota_on(struct dentry *dentry)
1816 {
1817         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1818 }
1819
1820 static int selinux_syslog(int type)
1821 {
1822         int rc;
1823
1824         rc = secondary_ops->syslog(type);
1825         if (rc)
1826                 return rc;
1827
1828         switch (type) {
1829                 case 3:         /* Read last kernel messages */
1830                 case 10:        /* Return size of the log buffer */
1831                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1832                         break;
1833                 case 6:         /* Disable logging to console */
1834                 case 7:         /* Enable logging to console */
1835                 case 8:         /* Set level of messages printed to console */
1836                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1837                         break;
1838                 case 0:         /* Close log */
1839                 case 1:         /* Open log */
1840                 case 2:         /* Read from log */
1841                 case 4:         /* Read/clear last kernel messages */
1842                 case 5:         /* Clear ring buffer */
1843                 default:
1844                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1845                         break;
1846         }
1847         return rc;
1848 }
1849
1850 /*
1851  * Check that a process has enough memory to allocate a new virtual
1852  * mapping. 0 means there is enough memory for the allocation to
1853  * succeed and -ENOMEM implies there is not.
1854  *
1855  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1856  * if the capability is granted, but __vm_enough_memory requires 1 if
1857  * the capability is granted.
1858  *
1859  * Do not audit the selinux permission check, as this is applied to all
1860  * processes that allocate mappings.
1861  */
1862 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1863 {
1864         int rc, cap_sys_admin = 0;
1865         struct task_security_struct *tsec = current->security;
1866
1867         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1868         if (rc == 0)
1869                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1870                                           SECCLASS_CAPABILITY,
1871                                           CAP_TO_MASK(CAP_SYS_ADMIN),
1872                                           0,
1873                                           NULL);
1874
1875         if (rc == 0)
1876                 cap_sys_admin = 1;
1877
1878         return __vm_enough_memory(mm, pages, cap_sys_admin);
1879 }
1880
1881 /* binprm security operations */
1882
1883 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1884 {
1885         struct bprm_security_struct *bsec;
1886
1887         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1888         if (!bsec)
1889                 return -ENOMEM;
1890
1891         bsec->bprm = bprm;
1892         bsec->sid = SECINITSID_UNLABELED;
1893         bsec->set = 0;
1894
1895         bprm->security = bsec;
1896         return 0;
1897 }
1898
1899 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1900 {
1901         struct task_security_struct *tsec;
1902         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1903         struct inode_security_struct *isec;
1904         struct bprm_security_struct *bsec;
1905         u32 newsid;
1906         struct avc_audit_data ad;
1907         int rc;
1908
1909         rc = secondary_ops->bprm_set_security(bprm);
1910         if (rc)
1911                 return rc;
1912
1913         bsec = bprm->security;
1914
1915         if (bsec->set)
1916                 return 0;
1917
1918         tsec = current->security;
1919         isec = inode->i_security;
1920
1921         /* Default to the current task SID. */
1922         bsec->sid = tsec->sid;
1923
1924         /* Reset fs, key, and sock SIDs on execve. */
1925         tsec->create_sid = 0;
1926         tsec->keycreate_sid = 0;
1927         tsec->sockcreate_sid = 0;
1928
1929         if (tsec->exec_sid) {
1930                 newsid = tsec->exec_sid;
1931                 /* Reset exec SID on execve. */
1932                 tsec->exec_sid = 0;
1933         } else {
1934                 /* Check for a default transition on this program. */
1935                 rc = security_transition_sid(tsec->sid, isec->sid,
1936                                              SECCLASS_PROCESS, &newsid);
1937                 if (rc)
1938                         return rc;
1939         }
1940
1941         AVC_AUDIT_DATA_INIT(&ad, FS);
1942         ad.u.fs.path = bprm->file->f_path;
1943
1944         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1945                 newsid = tsec->sid;
1946
1947         if (tsec->sid == newsid) {
1948                 rc = avc_has_perm(tsec->sid, isec->sid,
1949                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1950                 if (rc)
1951                         return rc;
1952         } else {
1953                 /* Check permissions for the transition. */
1954                 rc = avc_has_perm(tsec->sid, newsid,
1955                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1956                 if (rc)
1957                         return rc;
1958
1959                 rc = avc_has_perm(newsid, isec->sid,
1960                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1961                 if (rc)
1962                         return rc;
1963
1964                 /* Clear any possibly unsafe personality bits on exec: */
1965                 current->personality &= ~PER_CLEAR_ON_SETID;
1966
1967                 /* Set the security field to the new SID. */
1968                 bsec->sid = newsid;
1969         }
1970
1971         bsec->set = 1;
1972         return 0;
1973 }
1974
1975 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1976 {
1977         return secondary_ops->bprm_check_security(bprm);
1978 }
1979
1980
1981 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1982 {
1983         struct task_security_struct *tsec = current->security;
1984         int atsecure = 0;
1985
1986         if (tsec->osid != tsec->sid) {
1987                 /* Enable secure mode for SIDs transitions unless
1988                    the noatsecure permission is granted between
1989                    the two SIDs, i.e. ahp returns 0. */
1990                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1991                                          SECCLASS_PROCESS,
1992                                          PROCESS__NOATSECURE, NULL);
1993         }
1994
1995         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1996 }
1997
1998 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1999 {
2000         kfree(bprm->security);
2001         bprm->security = NULL;
2002 }
2003
2004 extern struct vfsmount *selinuxfs_mount;
2005 extern struct dentry *selinux_null;
2006
2007 /* Derived from fs/exec.c:flush_old_files. */
2008 static inline void flush_unauthorized_files(struct files_struct * files)
2009 {
2010         struct avc_audit_data ad;
2011         struct file *file, *devnull = NULL;
2012         struct tty_struct *tty;
2013         struct fdtable *fdt;
2014         long j = -1;
2015         int drop_tty = 0;
2016
2017         mutex_lock(&tty_mutex);
2018         tty = get_current_tty();
2019         if (tty) {
2020                 file_list_lock();
2021                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2022                 if (file) {
2023                         /* Revalidate access to controlling tty.
2024                            Use inode_has_perm on the tty inode directly rather
2025                            than using file_has_perm, as this particular open
2026                            file may belong to another process and we are only
2027                            interested in the inode-based check here. */
2028                         struct inode *inode = file->f_path.dentry->d_inode;
2029                         if (inode_has_perm(current, inode,
2030                                            FILE__READ | FILE__WRITE, NULL)) {
2031                                 drop_tty = 1;
2032                         }
2033                 }
2034                 file_list_unlock();
2035         }
2036         mutex_unlock(&tty_mutex);
2037         /* Reset controlling tty. */
2038         if (drop_tty)
2039                 no_tty();
2040
2041         /* Revalidate access to inherited open files. */
2042
2043         AVC_AUDIT_DATA_INIT(&ad,FS);
2044
2045         spin_lock(&files->file_lock);
2046         for (;;) {
2047                 unsigned long set, i;
2048                 int fd;
2049
2050                 j++;
2051                 i = j * __NFDBITS;
2052                 fdt = files_fdtable(files);
2053                 if (i >= fdt->max_fds)
2054                         break;
2055                 set = fdt->open_fds->fds_bits[j];
2056                 if (!set)
2057                         continue;
2058                 spin_unlock(&files->file_lock);
2059                 for ( ; set ; i++,set >>= 1) {
2060                         if (set & 1) {
2061                                 file = fget(i);
2062                                 if (!file)
2063                                         continue;
2064                                 if (file_has_perm(current,
2065                                                   file,
2066                                                   file_to_av(file))) {
2067                                         sys_close(i);
2068                                         fd = get_unused_fd();
2069                                         if (fd != i) {
2070                                                 if (fd >= 0)
2071                                                         put_unused_fd(fd);
2072                                                 fput(file);
2073                                                 continue;
2074                                         }
2075                                         if (devnull) {
2076                                                 get_file(devnull);
2077                                         } else {
2078                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2079                                                 if (IS_ERR(devnull)) {
2080                                                         devnull = NULL;
2081                                                         put_unused_fd(fd);
2082                                                         fput(file);
2083                                                         continue;
2084                                                 }
2085                                         }
2086                                         fd_install(fd, devnull);
2087                                 }
2088                                 fput(file);
2089                         }
2090                 }
2091                 spin_lock(&files->file_lock);
2092
2093         }
2094         spin_unlock(&files->file_lock);
2095 }
2096
2097 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2098 {
2099         struct task_security_struct *tsec;
2100         struct bprm_security_struct *bsec;
2101         u32 sid;
2102         int rc;
2103
2104         secondary_ops->bprm_apply_creds(bprm, unsafe);
2105
2106         tsec = current->security;
2107
2108         bsec = bprm->security;
2109         sid = bsec->sid;
2110
2111         tsec->osid = tsec->sid;
2112         bsec->unsafe = 0;
2113         if (tsec->sid != sid) {
2114                 /* Check for shared state.  If not ok, leave SID
2115                    unchanged and kill. */
2116                 if (unsafe & LSM_UNSAFE_SHARE) {
2117                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2118                                         PROCESS__SHARE, NULL);
2119                         if (rc) {
2120                                 bsec->unsafe = 1;
2121                                 return;
2122                         }
2123                 }
2124
2125                 /* Check for ptracing, and update the task SID if ok.
2126                    Otherwise, leave SID unchanged and kill. */
2127                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2128                         rc = avc_has_perm(tsec->ptrace_sid, sid,
2129                                           SECCLASS_PROCESS, PROCESS__PTRACE,
2130                                           NULL);
2131                         if (rc) {
2132                                 bsec->unsafe = 1;
2133                                 return;
2134                         }
2135                 }
2136                 tsec->sid = sid;
2137         }
2138 }
2139
2140 /*
2141  * called after apply_creds without the task lock held
2142  */
2143 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2144 {
2145         struct task_security_struct *tsec;
2146         struct rlimit *rlim, *initrlim;
2147         struct itimerval itimer;
2148         struct bprm_security_struct *bsec;
2149         int rc, i;
2150
2151         tsec = current->security;
2152         bsec = bprm->security;
2153
2154         if (bsec->unsafe) {
2155                 force_sig_specific(SIGKILL, current);
2156                 return;
2157         }
2158         if (tsec->osid == tsec->sid)
2159                 return;
2160
2161         /* Close files for which the new task SID is not authorized. */
2162         flush_unauthorized_files(current->files);
2163
2164         /* Check whether the new SID can inherit signal state
2165            from the old SID.  If not, clear itimers to avoid
2166            subsequent signal generation and flush and unblock
2167            signals. This must occur _after_ the task SID has
2168           been updated so that any kill done after the flush
2169           will be checked against the new SID. */
2170         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2171                           PROCESS__SIGINH, NULL);
2172         if (rc) {
2173                 memset(&itimer, 0, sizeof itimer);
2174                 for (i = 0; i < 3; i++)
2175                         do_setitimer(i, &itimer, NULL);
2176                 flush_signals(current);
2177                 spin_lock_irq(&current->sighand->siglock);
2178                 flush_signal_handlers(current, 1);
2179                 sigemptyset(&current->blocked);
2180                 recalc_sigpending();
2181                 spin_unlock_irq(&current->sighand->siglock);
2182         }
2183
2184         /* Always clear parent death signal on SID transitions. */
2185         current->pdeath_signal = 0;
2186
2187         /* Check whether the new SID can inherit resource limits
2188            from the old SID.  If not, reset all soft limits to
2189            the lower of the current task's hard limit and the init
2190            task's soft limit.  Note that the setting of hard limits
2191            (even to lower them) can be controlled by the setrlimit
2192            check. The inclusion of the init task's soft limit into
2193            the computation is to avoid resetting soft limits higher
2194            than the default soft limit for cases where the default
2195            is lower than the hard limit, e.g. RLIMIT_CORE or
2196            RLIMIT_STACK.*/
2197         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2198                           PROCESS__RLIMITINH, NULL);
2199         if (rc) {
2200                 for (i = 0; i < RLIM_NLIMITS; i++) {
2201                         rlim = current->signal->rlim + i;
2202                         initrlim = init_task.signal->rlim+i;
2203                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2204                 }
2205                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2206                         /*
2207                          * This will cause RLIMIT_CPU calculations
2208                          * to be refigured.
2209                          */
2210                         current->it_prof_expires = jiffies_to_cputime(1);
2211                 }
2212         }
2213
2214         /* Wake up the parent if it is waiting so that it can
2215            recheck wait permission to the new task SID. */
2216         wake_up_interruptible(&current->parent->signal->wait_chldexit);
2217 }
2218
2219 /* superblock security operations */
2220
2221 static int selinux_sb_alloc_security(struct super_block *sb)
2222 {
2223         return superblock_alloc_security(sb);
2224 }
2225
2226 static void selinux_sb_free_security(struct super_block *sb)
2227 {
2228         superblock_free_security(sb);
2229 }
2230
2231 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2232 {
2233         if (plen > olen)
2234                 return 0;
2235
2236         return !memcmp(prefix, option, plen);
2237 }
2238
2239 static inline int selinux_option(char *option, int len)
2240 {
2241         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2242                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
2243                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2244                 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
2245 }
2246
2247 static inline void take_option(char **to, char *from, int *first, int len)
2248 {
2249         if (!*first) {
2250                 **to = ',';
2251                 *to += 1;
2252         } else
2253                 *first = 0;
2254         memcpy(*to, from, len);
2255         *to += len;
2256 }
2257
2258 static inline void take_selinux_option(char **to, char *from, int *first, 
2259                                        int len)
2260 {
2261         int current_size = 0;
2262
2263         if (!*first) {
2264                 **to = '|';
2265                 *to += 1;
2266         }
2267         else
2268                 *first = 0;
2269
2270         while (current_size < len) {
2271                 if (*from != '"') {
2272                         **to = *from;
2273                         *to += 1;
2274                 }
2275                 from += 1;
2276                 current_size += 1;
2277         }
2278 }
2279
2280 static int selinux_sb_copy_data(char *orig, char *copy)
2281 {
2282         int fnosec, fsec, rc = 0;
2283         char *in_save, *in_curr, *in_end;
2284         char *sec_curr, *nosec_save, *nosec;
2285         int open_quote = 0;
2286
2287         in_curr = orig;
2288         sec_curr = copy;
2289
2290         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2291         if (!nosec) {
2292                 rc = -ENOMEM;
2293                 goto out;
2294         }
2295
2296         nosec_save = nosec;
2297         fnosec = fsec = 1;
2298         in_save = in_end = orig;
2299
2300         do {
2301                 if (*in_end == '"')
2302                         open_quote = !open_quote;
2303                 if ((*in_end == ',' && open_quote == 0) ||
2304                                 *in_end == '\0') {
2305                         int len = in_end - in_curr;
2306
2307                         if (selinux_option(in_curr, len))
2308                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2309                         else
2310                                 take_option(&nosec, in_curr, &fnosec, len);
2311
2312                         in_curr = in_end + 1;
2313                 }
2314         } while (*in_end++);
2315
2316         strcpy(in_save, nosec_save);
2317         free_page((unsigned long)nosec_save);
2318 out:
2319         return rc;
2320 }
2321
2322 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2323 {
2324         struct avc_audit_data ad;
2325         int rc;
2326
2327         rc = superblock_doinit(sb, data);
2328         if (rc)
2329                 return rc;
2330
2331         AVC_AUDIT_DATA_INIT(&ad,FS);
2332         ad.u.fs.path.dentry = sb->s_root;
2333         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2334 }
2335
2336 static int selinux_sb_statfs(struct dentry *dentry)
2337 {
2338         struct avc_audit_data ad;
2339
2340         AVC_AUDIT_DATA_INIT(&ad,FS);
2341         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2342         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2343 }
2344
2345 static int selinux_mount(char * dev_name,
2346                          struct nameidata *nd,
2347                          char * type,
2348                          unsigned long flags,
2349                          void * data)
2350 {
2351         int rc;
2352
2353         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2354         if (rc)
2355                 return rc;
2356
2357         if (flags & MS_REMOUNT)
2358                 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
2359                                            FILESYSTEM__REMOUNT, NULL);
2360         else
2361                 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
2362                                        FILE__MOUNTON);
2363 }
2364
2365 static int selinux_umount(struct vfsmount *mnt, int flags)
2366 {
2367         int rc;
2368
2369         rc = secondary_ops->sb_umount(mnt, flags);
2370         if (rc)
2371                 return rc;
2372
2373         return superblock_has_perm(current,mnt->mnt_sb,
2374                                    FILESYSTEM__UNMOUNT,NULL);
2375 }
2376
2377 /* inode security operations */
2378
2379 static int selinux_inode_alloc_security(struct inode *inode)
2380 {
2381         return inode_alloc_security(inode);
2382 }
2383
2384 static void selinux_inode_free_security(struct inode *inode)
2385 {
2386         inode_free_security(inode);
2387 }
2388
2389 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2390                                        char **name, void **value,
2391                                        size_t *len)
2392 {
2393         struct task_security_struct *tsec;
2394         struct inode_security_struct *dsec;
2395         struct superblock_security_struct *sbsec;
2396         u32 newsid, clen;
2397         int rc;
2398         char *namep = NULL, *context;
2399
2400         tsec = current->security;
2401         dsec = dir->i_security;
2402         sbsec = dir->i_sb->s_security;
2403
2404         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2405                 newsid = tsec->create_sid;
2406         } else {
2407                 rc = security_transition_sid(tsec->sid, dsec->sid,
2408                                              inode_mode_to_security_class(inode->i_mode),
2409                                              &newsid);
2410                 if (rc) {
2411                         printk(KERN_WARNING "%s:  "
2412                                "security_transition_sid failed, rc=%d (dev=%s "
2413                                "ino=%ld)\n",
2414                                __FUNCTION__,
2415                                -rc, inode->i_sb->s_id, inode->i_ino);
2416                         return rc;
2417                 }
2418         }
2419
2420         /* Possibly defer initialization to selinux_complete_init. */
2421         if (sbsec->initialized) {
2422                 struct inode_security_struct *isec = inode->i_security;
2423                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2424                 isec->sid = newsid;
2425                 isec->initialized = 1;
2426         }
2427
2428         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2429                 return -EOPNOTSUPP;
2430
2431         if (name) {
2432                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2433                 if (!namep)
2434                         return -ENOMEM;
2435                 *name = namep;
2436         }
2437
2438         if (value && len) {
2439                 rc = security_sid_to_context(newsid, &context, &clen);
2440                 if (rc) {
2441                         kfree(namep);
2442                         return rc;
2443                 }
2444                 *value = context;
2445                 *len = clen;
2446         }
2447
2448         return 0;
2449 }
2450
2451 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2452 {
2453         return may_create(dir, dentry, SECCLASS_FILE);
2454 }
2455
2456 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2457 {
2458         int rc;
2459
2460         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2461         if (rc)
2462                 return rc;
2463         return may_link(dir, old_dentry, MAY_LINK);
2464 }
2465
2466 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2467 {
2468         int rc;
2469
2470         rc = secondary_ops->inode_unlink(dir, dentry);
2471         if (rc)
2472                 return rc;
2473         return may_link(dir, dentry, MAY_UNLINK);
2474 }
2475
2476 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2477 {
2478         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2479 }
2480
2481 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2482 {
2483         return may_create(dir, dentry, SECCLASS_DIR);
2484 }
2485
2486 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2487 {
2488         return may_link(dir, dentry, MAY_RMDIR);
2489 }
2490
2491 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2492 {
2493         int rc;
2494
2495         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2496         if (rc)
2497                 return rc;
2498
2499         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2500 }
2501
2502 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2503                                 struct inode *new_inode, struct dentry *new_dentry)
2504 {
2505         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2506 }
2507
2508 static int selinux_inode_readlink(struct dentry *dentry)
2509 {
2510         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2511 }
2512
2513 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2514 {
2515         int rc;
2516
2517         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2518         if (rc)
2519                 return rc;
2520         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2521 }
2522
2523 static int selinux_inode_permission(struct inode *inode, int mask,
2524                                     struct nameidata *nd)
2525 {
2526         int rc;
2527
2528         rc = secondary_ops->inode_permission(inode, mask, nd);
2529         if (rc)
2530                 return rc;
2531
2532         if (!mask) {
2533                 /* No permission to check.  Existence test. */
2534                 return 0;
2535         }
2536
2537         return inode_has_perm(current, inode,
2538                                file_mask_to_av(inode->i_mode, mask), NULL);
2539 }
2540
2541 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2542 {
2543         int rc;
2544
2545         rc = secondary_ops->inode_setattr(dentry, iattr);
2546         if (rc)
2547                 return rc;
2548
2549         if (iattr->ia_valid & ATTR_FORCE)
2550                 return 0;
2551
2552         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2553                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2554                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2555
2556         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2557 }
2558
2559 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2560 {
2561         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2562 }
2563
2564 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2565 {
2566         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2567                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2568                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2569                         if (!capable(CAP_SETFCAP))
2570                                 return -EPERM;
2571                 } else if (!capable(CAP_SYS_ADMIN)) {
2572                         /* A different attribute in the security namespace.
2573                            Restrict to administrator. */
2574                         return -EPERM;
2575                 }
2576         }
2577
2578         /* Not an attribute we recognize, so just check the
2579            ordinary setattr permission. */
2580         return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2581 }
2582
2583 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2584 {
2585         struct task_security_struct *tsec = current->security;
2586         struct inode *inode = dentry->d_inode;
2587         struct inode_security_struct *isec = inode->i_security;
2588         struct superblock_security_struct *sbsec;
2589         struct avc_audit_data ad;
2590         u32 newsid;
2591         int rc = 0;
2592
2593         if (strcmp(name, XATTR_NAME_SELINUX))
2594                 return selinux_inode_setotherxattr(dentry, name);
2595
2596         sbsec = inode->i_sb->s_security;
2597         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2598                 return -EOPNOTSUPP;
2599
2600         if (!is_owner_or_cap(inode))
2601                 return -EPERM;
2602
2603         AVC_AUDIT_DATA_INIT(&ad,FS);
2604         ad.u.fs.path.dentry = dentry;
2605
2606         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2607                           FILE__RELABELFROM, &ad);
2608         if (rc)
2609                 return rc;
2610
2611         rc = security_context_to_sid(value, size, &newsid);
2612         if (rc)
2613                 return rc;
2614
2615         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2616                           FILE__RELABELTO, &ad);
2617         if (rc)
2618                 return rc;
2619
2620         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2621                                           isec->sclass);
2622         if (rc)
2623                 return rc;
2624
2625         return avc_has_perm(newsid,
2626                             sbsec->sid,
2627                             SECCLASS_FILESYSTEM,
2628                             FILESYSTEM__ASSOCIATE,
2629                             &ad);
2630 }
2631
2632 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2633                                         void *value, size_t size, int flags)
2634 {
2635         struct inode *inode = dentry->d_inode;
2636         struct inode_security_struct *isec = inode->i_security;
2637         u32 newsid;
2638         int rc;
2639
2640         if (strcmp(name, XATTR_NAME_SELINUX)) {
2641                 /* Not an attribute we recognize, so nothing to do. */
2642                 return;
2643         }
2644
2645         rc = security_context_to_sid(value, size, &newsid);
2646         if (rc) {
2647                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2648                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2649                 return;
2650         }
2651
2652         isec->sid = newsid;
2653         return;
2654 }
2655
2656 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2657 {
2658         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2659 }
2660
2661 static int selinux_inode_listxattr (struct dentry *dentry)
2662 {
2663         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2664 }
2665
2666 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2667 {
2668         if (strcmp(name, XATTR_NAME_SELINUX))
2669                 return selinux_inode_setotherxattr(dentry, name);
2670
2671         /* No one is allowed to remove a SELinux security label.
2672            You can change the label, but all data must be labeled. */
2673         return -EACCES;
2674 }
2675
2676 /*
2677  * Copy the in-core inode security context value to the user.  If the
2678  * getxattr() prior to this succeeded, check to see if we need to
2679  * canonicalize the value to be finally returned to the user.
2680  *
2681  * Permission check is handled by selinux_inode_getxattr hook.
2682  */
2683 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2684 {
2685         u32 size;
2686         int error;
2687         char *context = NULL;
2688         struct inode_security_struct *isec = inode->i_security;
2689
2690         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2691                 return -EOPNOTSUPP;
2692
2693         error = security_sid_to_context(isec->sid, &context, &size);
2694         if (error)
2695                 return error;
2696         error = size;
2697         if (alloc) {
2698                 *buffer = context;
2699                 goto out_nofree;
2700         }
2701         kfree(context);
2702 out_nofree:
2703         return error;
2704 }
2705
2706 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2707                                      const void *value, size_t size, int flags)
2708 {
2709         struct inode_security_struct *isec = inode->i_security;
2710         u32 newsid;
2711         int rc;
2712
2713         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2714                 return -EOPNOTSUPP;
2715
2716         if (!value || !size)
2717                 return -EACCES;
2718
2719         rc = security_context_to_sid((void*)value, size, &newsid);
2720         if (rc)
2721                 return rc;
2722
2723         isec->sid = newsid;
2724         return 0;
2725 }
2726
2727 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2728 {
2729         const int len = sizeof(XATTR_NAME_SELINUX);
2730         if (buffer && len <= buffer_size)
2731                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2732         return len;
2733 }
2734
2735 static int selinux_inode_need_killpriv(struct dentry *dentry)
2736 {
2737         return secondary_ops->inode_need_killpriv(dentry);
2738 }
2739
2740 static int selinux_inode_killpriv(struct dentry *dentry)
2741 {
2742         return secondary_ops->inode_killpriv(dentry);
2743 }
2744
2745 /* file security operations */
2746
2747 static int selinux_revalidate_file_permission(struct file *file, int mask)
2748 {
2749         int rc;
2750         struct inode *inode = file->f_path.dentry->d_inode;
2751
2752         if (!mask) {
2753                 /* No permission to check.  Existence test. */
2754                 return 0;
2755         }
2756
2757         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2758         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2759                 mask |= MAY_APPEND;
2760
2761         rc = file_has_perm(current, file,
2762                            file_mask_to_av(inode->i_mode, mask));
2763         if (rc)
2764                 return rc;
2765
2766         return selinux_netlbl_inode_permission(inode, mask);
2767 }
2768
2769 static int selinux_file_permission(struct file *file, int mask)
2770 {
2771         struct inode *inode = file->f_path.dentry->d_inode;
2772         struct task_security_struct *tsec = current->security;
2773         struct file_security_struct *fsec = file->f_security;
2774         struct inode_security_struct *isec = inode->i_security;
2775
2776         if (!mask) {
2777                 /* No permission to check.  Existence test. */
2778                 return 0;
2779         }
2780
2781         if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2782             && fsec->pseqno == avc_policy_seqno())
2783                 return selinux_netlbl_inode_permission(inode, mask);
2784
2785         return selinux_revalidate_file_permission(file, mask);
2786 }
2787
2788 static int selinux_file_alloc_security(struct file *file)
2789 {
2790         return file_alloc_security(file);
2791 }
2792
2793 static void selinux_file_free_security(struct file *file)
2794 {
2795         file_free_security(file);
2796 }
2797
2798 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2799                               unsigned long arg)
2800 {
2801         int error = 0;
2802
2803         switch (cmd) {
2804                 case FIONREAD:
2805                 /* fall through */
2806                 case FIBMAP:
2807                 /* fall through */
2808                 case FIGETBSZ:
2809                 /* fall through */
2810                 case EXT2_IOC_GETFLAGS:
2811                 /* fall through */
2812                 case EXT2_IOC_GETVERSION:
2813                         error = file_has_perm(current, file, FILE__GETATTR);
2814                         break;
2815
2816                 case EXT2_IOC_SETFLAGS:
2817                 /* fall through */
2818                 case EXT2_IOC_SETVERSION:
2819                         error = file_has_perm(current, file, FILE__SETATTR);
2820                         break;
2821
2822                 /* sys_ioctl() checks */
2823                 case FIONBIO:
2824                 /* fall through */
2825                 case FIOASYNC:
2826                         error = file_has_perm(current, file, 0);
2827                         break;
2828
2829                 case KDSKBENT:
2830                 case KDSKBSENT:
2831                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2832                         break;
2833
2834                 /* default case assumes that the command will go
2835                  * to the file's ioctl() function.
2836                  */
2837                 default:
2838                         error = file_has_perm(current, file, FILE__IOCTL);
2839
2840         }
2841         return error;
2842 }
2843
2844 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2845 {
2846 #ifndef CONFIG_PPC32
2847         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2848                 /*
2849                  * We are making executable an anonymous mapping or a
2850                  * private file mapping that will also be writable.
2851                  * This has an additional check.
2852                  */
2853                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2854                 if (rc)
2855                         return rc;
2856         }
2857 #endif
2858
2859         if (file) {
2860                 /* read access is always possible with a mapping */
2861                 u32 av = FILE__READ;
2862
2863                 /* write access only matters if the mapping is shared */
2864                 if (shared && (prot & PROT_WRITE))
2865                         av |= FILE__WRITE;
2866
2867                 if (prot & PROT_EXEC)
2868                         av |= FILE__EXECUTE;
2869
2870                 return file_has_perm(current, file, av);
2871         }
2872         return 0;
2873 }
2874
2875 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2876                              unsigned long prot, unsigned long flags,
2877                              unsigned long addr, unsigned long addr_only)
2878 {
2879         int rc = 0;
2880         u32 sid = ((struct task_security_struct*)(current->security))->sid;
2881
2882         if (addr < mmap_min_addr)
2883                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2884                                   MEMPROTECT__MMAP_ZERO, NULL);
2885         if (rc || addr_only)
2886                 return rc;
2887
2888         if (selinux_checkreqprot)
2889                 prot = reqprot;
2890
2891         return file_map_prot_check(file, prot,
2892                                    (flags & MAP_TYPE) == MAP_SHARED);
2893 }
2894
2895 static int selinux_file_mprotect(struct vm_area_struct *vma,
2896                                  unsigned long reqprot,
2897                                  unsigned long prot)
2898 {
2899         int rc;
2900
2901         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2902         if (rc)
2903                 return rc;
2904
2905         if (selinux_checkreqprot)
2906                 prot = reqprot;
2907
2908 #ifndef CONFIG_PPC32
2909         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2910                 rc = 0;
2911                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2912                     vma->vm_end <= vma->vm_mm->brk) {
2913                         rc = task_has_perm(current, current,
2914                                            PROCESS__EXECHEAP);
2915                 } else if (!vma->vm_file &&
2916                            vma->vm_start <= vma->vm_mm->start_stack &&
2917                            vma->vm_end >= vma->vm_mm->start_stack) {
2918                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2919                 } else if (vma->vm_file && vma->anon_vma) {
2920                         /*
2921                          * We are making executable a file mapping that has
2922                          * had some COW done. Since pages might have been
2923                          * written, check ability to execute the possibly
2924                          * modified content.  This typically should only
2925                          * occur for text relocations.
2926                          */
2927                         rc = file_has_perm(current, vma->vm_file,
2928                                            FILE__EXECMOD);
2929                 }
2930                 if (rc)
2931                         return rc;
2932         }
2933 #endif
2934
2935         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2936 }
2937
2938 static int selinux_file_lock(struct file *file, unsigned int cmd)
2939 {
2940         return file_has_perm(current, file, FILE__LOCK);
2941 }
2942
2943 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2944                               unsigned long arg)
2945 {
2946         int err = 0;
2947
2948         switch (cmd) {
2949                 case F_SETFL:
2950                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2951                                 err = -EINVAL;
2952                                 break;
2953                         }
2954
2955                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2956                                 err = file_has_perm(current, file,FILE__WRITE);
2957                                 break;
2958                         }
2959                         /* fall through */
2960                 case F_SETOWN:
2961                 case F_SETSIG:
2962                 case F_GETFL:
2963                 case F_GETOWN:
2964                 case F_GETSIG:
2965                         /* Just check FD__USE permission */
2966                         err = file_has_perm(current, file, 0);
2967                         break;
2968                 case F_GETLK:
2969                 case F_SETLK:
2970                 case F_SETLKW:
2971 #if BITS_PER_LONG == 32
2972                 case F_GETLK64:
2973                 case F_SETLK64:
2974                 case F_SETLKW64:
2975 #endif
2976                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2977                                 err = -EINVAL;
2978                                 break;
2979                         }
2980                         err = file_has_perm(current, file, FILE__LOCK);
2981                         break;
2982         }
2983
2984         return err;
2985 }
2986
2987 static int selinux_file_set_fowner(struct file *file)
2988 {
2989         struct task_security_struct *tsec;
2990         struct file_security_struct *fsec;
2991
2992         tsec = current->security;
2993         fsec = file->f_security;
2994         fsec->fown_sid = tsec->sid;
2995
2996         return 0;
2997 }
2998
2999 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3000                                        struct fown_struct *fown, int signum)
3001 {
3002         struct file *file;
3003         u32 perm;
3004         struct task_security_struct *tsec;
3005         struct file_security_struct *fsec;
3006
3007         /* struct fown_struct is never outside the context of a struct file */
3008         file = container_of(fown, struct file, f_owner);
3009
3010         tsec = tsk->security;
3011         fsec = file->f_security;
3012
3013         if (!signum)
3014                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3015         else
3016                 perm = signal_to_av(signum);
3017
3018         return avc_has_perm(fsec->fown_sid, tsec->sid,
3019                             SECCLASS_PROCESS, perm, NULL);
3020 }
3021
3022 static int selinux_file_receive(struct file *file)
3023 {
3024         return file_has_perm(current, file, file_to_av(file));
3025 }
3026
3027 static int selinux_dentry_open(struct file *file)
3028 {
3029         struct file_security_struct *fsec;
3030         struct inode *inode;
3031         struct inode_security_struct *isec;
3032         inode = file->f_path.dentry->d_inode;
3033         fsec = file->f_security;
3034         isec = inode->i_security;
3035         /*
3036          * Save inode label and policy sequence number
3037          * at open-time so that selinux_file_permission
3038          * can determine whether revalidation is necessary.
3039          * Task label is already saved in the file security
3040          * struct as its SID.
3041          */
3042         fsec->isid = isec->sid;
3043         fsec->pseqno = avc_policy_seqno();
3044         /*
3045          * Since the inode label or policy seqno may have changed
3046          * between the selinux_inode_permission check and the saving
3047          * of state above, recheck that access is still permitted.
3048          * Otherwise, access might never be revalidated against the
3049          * new inode label or new policy.
3050          * This check is not redundant - do not remove.
3051          */
3052         return inode_has_perm(current, inode, file_to_av(file), NULL);
3053 }
3054
3055 /* task security operations */
3056
3057 static int selinux_task_create(unsigned long clone_flags)
3058 {
3059         int rc;
3060
3061         rc = secondary_ops->task_create(clone_flags);
3062         if (rc)
3063                 return rc;
3064
3065         return task_has_perm(current, current, PROCESS__FORK);
3066 }
3067
3068 static int selinux_task_alloc_security(struct task_struct *tsk)
3069 {
3070         struct task_security_struct *tsec1, *tsec2;
3071         int rc;
3072
3073         tsec1 = current->security;
3074
3075         rc = task_alloc_security(tsk);
3076         if (rc)
3077                 return rc;
3078         tsec2 = tsk->security;
3079
3080         tsec2->osid = tsec1->osid;
3081         tsec2->sid = tsec1->sid;
3082
3083         /* Retain the exec, fs, key, and sock SIDs across fork */
3084         tsec2->exec_sid = tsec1->exec_sid;
3085         tsec2->create_sid = tsec1->create_sid;
3086         tsec2->keycreate_sid = tsec1->keycreate_sid;
3087         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3088
3089         /* Retain ptracer SID across fork, if any.
3090            This will be reset by the ptrace hook upon any
3091            subsequent ptrace_attach operations. */
3092         tsec2->ptrace_sid = tsec1->ptrace_sid;
3093
3094         return 0;
3095 }
3096
3097 static void selinux_task_free_security(struct task_struct *tsk)
3098 {
3099         task_free_security(tsk);
3100 }
3101
3102 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3103 {
3104         /* Since setuid only affects the current process, and
3105            since the SELinux controls are not based on the Linux
3106            identity attributes, SELinux does not need to control
3107            this operation.  However, SELinux does control the use
3108            of the CAP_SETUID and CAP_SETGID capabilities using the
3109            capable hook. */
3110         return 0;
3111 }
3112
3113 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3114 {
3115         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
3116 }
3117
3118 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3119 {
3120         /* See the comment for setuid above. */
3121         return 0;
3122 }
3123
3124 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3125 {
3126         return task_has_perm(current, p, PROCESS__SETPGID);
3127 }
3128
3129 static int selinux_task_getpgid(struct task_struct *p)
3130 {
3131         return task_has_perm(current, p, PROCESS__GETPGID);
3132 }
3133
3134 static int selinux_task_getsid(struct task_struct *p)
3135 {
3136         return task_has_perm(current, p, PROCESS__GETSESSION);
3137 }
3138
3139 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3140 {
3141         selinux_get_task_sid(p, secid);
3142 }
3143
3144 static int selinux_task_setgroups(struct group_info *group_info)
3145 {
3146         /* See the comment for setuid above. */
3147         return 0;
3148 }
3149
3150 static int selinux_task_setnice(struct task_struct *p, int nice)
3151 {
3152         int rc;
3153
3154         rc = secondary_ops->task_setnice(p, nice);
3155         if (rc)
3156                 return rc;
3157
3158         return task_has_perm(current,p, PROCESS__SETSCHED);
3159 }
3160
3161 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3162 {
3163         int rc;
3164
3165         rc = secondary_ops->task_setioprio(p, ioprio);
3166         if (rc)
3167                 return rc;
3168
3169         return task_has_perm(current, p, PROCESS__SETSCHED);
3170 }
3171
3172 static int selinux_task_getioprio(struct task_struct *p)
3173 {
3174         return task_has_perm(current, p, PROCESS__GETSCHED);
3175 }
3176
3177 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3178 {
3179         struct rlimit *old_rlim = current->signal->rlim + resource;
3180         int rc;
3181
3182         rc = secondary_ops->task_setrlimit(resource, new_rlim);
3183         if (rc)
3184                 return rc;
3185
3186         /* Control the ability to change the hard limit (whether
3187            lowering or raising it), so that the hard limit can
3188            later be used as a safe reset point for the soft limit
3189            upon context transitions. See selinux_bprm_apply_creds. */
3190         if (old_rlim->rlim_max != new_rlim->rlim_max)
3191                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3192
3193         return 0;
3194 }
3195
3196 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3197 {
3198         int rc;
3199
3200         rc = secondary_ops->task_setscheduler(p, policy, lp);
3201         if (rc)
3202                 return rc;
3203
3204         return task_has_perm(current, p, PROCESS__SETSCHED);
3205 }
3206
3207 static int selinux_task_getscheduler(struct task_struct *p)
3208 {
3209         return task_has_perm(current, p, PROCESS__GETSCHED);
3210 }
3211
3212 static int selinux_task_movememory(struct task_struct *p)