diff options
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r-- | security/selinux/hooks.c | 4565 |
1 files changed, 4565 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c new file mode 100644 index 00000000000..8a2cc75b394 --- /dev/null +++ b/security/selinux/hooks.c @@ -0,0 +1,4565 @@ +/* + * NSA Security-Enhanced Linux (SELinux) security module + * + * This file contains the SELinux hook function implementations. + * + * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> + * Chris Vance, <cvance@nai.com> + * Wayne Salamon, <wsalamon@nai.com> + * James Morris <jmorris@redhat.com> + * + * Copyright (C) 2001,2002 Networks Associates Technology, Inc. + * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> + * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. + * <dgoeddel@trustedcs.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2, + * as published by the Free Software Foundation. + */ + +#include <linux/config.h> +#include <linux/module.h> +#include <linux/init.h> +#include <linux/kernel.h> +#include <linux/ptrace.h> +#include <linux/errno.h> +#include <linux/sched.h> +#include <linux/security.h> +#include <linux/xattr.h> +#include <linux/capability.h> +#include <linux/unistd.h> +#include <linux/mm.h> +#include <linux/mman.h> +#include <linux/slab.h> +#include <linux/pagemap.h> +#include <linux/swap.h> +#include <linux/smp_lock.h> +#include <linux/spinlock.h> +#include <linux/syscalls.h> +#include <linux/file.h> +#include <linux/namei.h> +#include <linux/mount.h> +#include <linux/ext2_fs.h> +#include <linux/proc_fs.h> +#include <linux/kd.h> +#include <linux/netfilter_ipv4.h> +#include <linux/netfilter_ipv6.h> +#include <linux/tty.h> +#include <net/icmp.h> +#include <net/ip.h> /* for sysctl_local_port_range[] */ +#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ +#include <asm/uaccess.h> +#include <asm/semaphore.h> +#include <asm/ioctls.h> +#include <linux/bitops.h> +#include <linux/interrupt.h> +#include <linux/netdevice.h> /* for network interface checks */ +#include <linux/netlink.h> +#include <linux/tcp.h> +#include <linux/udp.h> +#include <linux/quota.h> +#include <linux/un.h> /* for Unix socket types */ +#include <net/af_unix.h> /* for Unix socket types */ +#include <linux/parser.h> +#include <linux/nfs_mount.h> +#include <net/ipv6.h> +#include <linux/hugetlb.h> +#include <linux/personality.h> +#include <linux/sysctl.h> +#include <linux/audit.h> + +#include "avc.h" +#include "objsec.h" +#include "netif.h" + +#define XATTR_SELINUX_SUFFIX "selinux" +#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX + +extern unsigned int policydb_loaded_version; +extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); + +#ifdef CONFIG_SECURITY_SELINUX_DEVELOP +int selinux_enforcing = 0; + +static int __init enforcing_setup(char *str) +{ + selinux_enforcing = simple_strtol(str,NULL,0); + return 1; +} +__setup("enforcing=", enforcing_setup); +#endif + +#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM +int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; + +static int __init selinux_enabled_setup(char *str) +{ + selinux_enabled = simple_strtol(str, NULL, 0); + return 1; +} +__setup("selinux=", selinux_enabled_setup); +#endif + +/* Original (dummy) security module. */ +static struct security_operations *original_ops = NULL; + +/* Minimal support for a secondary security module, + just to allow the use of the dummy or capability modules. + The owlsm module can alternatively be used as a secondary + module as long as CONFIG_OWLSM_FD is not enabled. */ +static struct security_operations *secondary_ops = NULL; + +/* Lists of inode and superblock security structures initialized + before the policy was loaded. */ +static LIST_HEAD(superblock_security_head); +static DEFINE_SPINLOCK(sb_security_lock); + +/* Allocate and free functions for each kind of security blob. */ + +static int task_alloc_security(struct task_struct *task) +{ + struct task_security_struct *tsec; + + tsec = kmalloc(sizeof(struct task_security_struct), GFP_KERNEL); + if (!tsec) + return -ENOMEM; + + memset(tsec, 0, sizeof(struct task_security_struct)); + tsec->magic = SELINUX_MAGIC; + tsec->task = task; + tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED; + task->security = tsec; + + return 0; +} + +static void task_free_security(struct task_struct *task) +{ + struct task_security_struct *tsec = task->security; + + if (!tsec || tsec->magic != SELINUX_MAGIC) + return; + + task->security = NULL; + kfree(tsec); +} + +static int inode_alloc_security(struct inode *inode) +{ + struct task_security_struct *tsec = current->security; + struct inode_security_struct *isec; + + isec = kmalloc(sizeof(struct inode_security_struct), GFP_KERNEL); + if (!isec) + return -ENOMEM; + + memset(isec, 0, sizeof(struct inode_security_struct)); + init_MUTEX(&isec->sem); + INIT_LIST_HEAD(&isec->list); + isec->magic = SELINUX_MAGIC; + isec->inode = inode; + isec->sid = SECINITSID_UNLABELED; + isec->sclass = SECCLASS_FILE; + if (tsec && tsec->magic == SELINUX_MAGIC) + isec->task_sid = tsec->sid; + else + isec->task_sid = SECINITSID_UNLABELED; + inode->i_security = isec; + + return 0; +} + +static void inode_free_security(struct inode *inode) +{ + struct inode_security_struct *isec = inode->i_security; + struct superblock_security_struct *sbsec = inode->i_sb->s_security; + + if (!isec || isec->magic != SELINUX_MAGIC) + return; + + spin_lock(&sbsec->isec_lock); + if (!list_empty(&isec->list)) + list_del_init(&isec->list); + spin_unlock(&sbsec->isec_lock); + + inode->i_security = NULL; + kfree(isec); +} + +static int file_alloc_security(struct file *file) +{ + struct task_security_struct *tsec = current->security; + struct file_security_struct *fsec; + + fsec = kmalloc(sizeof(struct file_security_struct), GFP_ATOMIC); + if (!fsec) + return -ENOMEM; + + memset(fsec, 0, sizeof(struct file_security_struct)); + fsec->magic = SELINUX_MAGIC; + fsec->file = file; + if (tsec && tsec->magic == SELINUX_MAGIC) { + fsec->sid = tsec->sid; + fsec->fown_sid = tsec->sid; + } else { + fsec->sid = SECINITSID_UNLABELED; + fsec->fown_sid = SECINITSID_UNLABELED; + } + file->f_security = fsec; + + return 0; +} + +static void file_free_security(struct file *file) +{ + struct file_security_struct *fsec = file->f_security; + + if (!fsec || fsec->magic != SELINUX_MAGIC) + return; + + file->f_security = NULL; + kfree(fsec); +} + +static int superblock_alloc_security(struct super_block *sb) +{ + struct superblock_security_struct *sbsec; + + sbsec = kmalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); + if (!sbsec) + return -ENOMEM; + + memset(sbsec, 0, sizeof(struct superblock_security_struct)); + init_MUTEX(&sbsec->sem); + INIT_LIST_HEAD(&sbsec->list); + INIT_LIST_HEAD(&sbsec->isec_head); + spin_lock_init(&sbsec->isec_lock); + sbsec->magic = SELINUX_MAGIC; + sbsec->sb = sb; + sbsec->sid = SECINITSID_UNLABELED; + sbsec->def_sid = SECINITSID_FILE; + sb->s_security = sbsec; + + return 0; +} + +static void superblock_free_security(struct super_block *sb) +{ + struct superblock_security_struct *sbsec = sb->s_security; + + if (!sbsec || sbsec->magic != SELINUX_MAGIC) + return; + + spin_lock(&sb_security_lock); + if (!list_empty(&sbsec->list)) + list_del_init(&sbsec->list); + spin_unlock(&sb_security_lock); + + sb->s_security = NULL; + kfree(sbsec); +} + +#ifdef CONFIG_SECURITY_NETWORK +static int sk_alloc_security(struct sock *sk, int family, int priority) +{ + struct sk_security_struct *ssec; + + if (family != PF_UNIX) + return 0; + + ssec = kmalloc(sizeof(*ssec), priority); + if (!ssec) + return -ENOMEM; + + memset(ssec, 0, sizeof(*ssec)); + ssec->magic = SELINUX_MAGIC; + ssec->sk = sk; + ssec->peer_sid = SECINITSID_UNLABELED; + sk->sk_security = ssec; + + return 0; +} + +static void sk_free_security(struct sock *sk) +{ + struct sk_security_struct *ssec = sk->sk_security; + + if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC) + return; + + sk->sk_security = NULL; + kfree(ssec); +} +#endif /* CONFIG_SECURITY_NETWORK */ + +/* The security server must be initialized before + any labeling or access decisions can be provided. */ +extern int ss_initialized; + +/* The file system's label must be initialized prior to use. */ + +static char *labeling_behaviors[6] = { + "uses xattr", + "uses transition SIDs", + "uses task SIDs", + "uses genfs_contexts", + "not configured for labeling", + "uses mountpoint labeling", +}; + +static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); + +static inline int inode_doinit(struct inode *inode) +{ + return inode_doinit_with_dentry(inode, NULL); +} + +enum { + Opt_context = 1, + Opt_fscontext = 2, + Opt_defcontext = 4, +}; + +static match_table_t tokens = { + {Opt_context, "context=%s"}, + {Opt_fscontext, "fscontext=%s"}, + {Opt_defcontext, "defcontext=%s"}, +}; + +#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" + +static int try_context_mount(struct super_block *sb, void *data) +{ + char *context = NULL, *defcontext = NULL; + const char *name; + u32 sid; + int alloc = 0, rc = 0, seen = 0; + struct task_security_struct *tsec = current->security; + struct superblock_security_struct *sbsec = sb->s_security; + + if (!data) + goto out; + + name = sb->s_type->name; + + if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) { + + /* NFS we understand. */ + if (!strcmp(name, "nfs")) { + struct nfs_mount_data *d = data; + + if (d->version < NFS_MOUNT_VERSION) + goto out; + + if (d->context[0]) { + context = d->context; + seen |= Opt_context; + } + } else + goto out; + + } else { + /* Standard string-based options. */ + char *p, *options = data; + + while ((p = strsep(&options, ",")) != NULL) { + int token; + substring_t args[MAX_OPT_ARGS]; + + if (!*p) + continue; + + token = match_token(p, tokens, args); + + switch (token) { + case Opt_context: + if (seen) { + rc = -EINVAL; + printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); + goto out_free; + } + context = match_strdup(&args[0]); + if (!context) { + rc = -ENOMEM; + goto out_free; + } + if (!alloc) + alloc = 1; + seen |= Opt_context; + break; + + case Opt_fscontext: + if (seen & (Opt_context|Opt_fscontext)) { + rc = -EINVAL; + printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); + goto out_free; + } + context = match_strdup(&args[0]); + if (!context) { + rc = -ENOMEM; + goto out_free; + } + if (!alloc) + alloc = 1; + seen |= Opt_fscontext; + break; + + case Opt_defcontext: + if (sbsec->behavior != SECURITY_FS_USE_XATTR) { + rc = -EINVAL; + printk(KERN_WARNING "SELinux: " + "defcontext option is invalid " + "for this filesystem type\n"); + goto out_free; + } + if (seen & (Opt_context|Opt_defcontext)) { + rc = -EINVAL; + printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); + goto out_free; + } + defcontext = match_strdup(&args[0]); + if (!defcontext) { + rc = -ENOMEM; + goto out_free; + } + if (!alloc) + alloc = 1; + seen |= Opt_defcontext; + break; + + default: + rc = -EINVAL; + printk(KERN_WARNING "SELinux: unknown mount " + "option\n"); + goto out_free; + + } + } + } + + if (!seen) + goto out; + + if (context) { + rc = security_context_to_sid(context, strlen(context), &sid); + if (rc) { + printk(KERN_WARNING "SELinux: security_context_to_sid" + "(%s) failed for (dev %s, type %s) errno=%d\n", + context, sb->s_id, name, rc); + goto out_free; + } + + rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, + FILESYSTEM__RELABELFROM, NULL); + if (rc) + goto out_free; + + rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, + FILESYSTEM__RELABELTO, NULL); + if (rc) + goto out_free; + + sbsec->sid = sid; + + if (seen & Opt_context) + sbsec->behavior = SECURITY_FS_USE_MNTPOINT; + } + + if (defcontext) { + rc = security_context_to_sid(defcontext, strlen(defcontext), &sid); + if (rc) { + printk(KERN_WARNING "SELinux: security_context_to_sid" + "(%s) failed for (dev %s, type %s) errno=%d\n", + defcontext, sb->s_id, name, rc); + goto out_free; + } + + if (sid == sbsec->def_sid) + goto out_free; + + rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, + FILESYSTEM__RELABELFROM, NULL); + if (rc) + goto out_free; + + rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, + FILESYSTEM__ASSOCIATE, NULL); + if (rc) + goto out_free; + + sbsec->def_sid = sid; + } + +out_free: + if (alloc) { + kfree(context); + kfree(defcontext); + } +out: + return rc; +} + +static int superblock_doinit(struct super_block *sb, void *data) +{ + struct superblock_security_struct *sbsec = sb->s_security; + struct dentry *root = sb->s_root; + struct inode *inode = root->d_inode; + int rc = 0; + + down(&sbsec->sem); + if (sbsec->initialized) + goto out; + + if (!ss_initialized) { + /* Defer initialization until selinux_complete_init, + after the initial policy is loaded and the security + server is ready to handle calls. */ + spin_lock(&sb_security_lock); + if (list_empty(&sbsec->list)) + list_add(&sbsec->list, &superblock_security_head); + spin_unlock(&sb_security_lock); + goto out; + } + + /* Determine the labeling behavior to use for this filesystem type. */ + rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid); + if (rc) { + printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", + __FUNCTION__, sb->s_type->name, rc); + goto out; + } + + rc = try_context_mount(sb, data); + if (rc) + goto out; + + if (sbsec->behavior == SECURITY_FS_USE_XATTR) { + /* Make sure that the xattr handler exists and that no + error other than -ENODATA is returned by getxattr on + the root directory. -ENODATA is ok, as this may be + the first boot of the SELinux kernel before we have + assigned xattr values to the filesystem. */ + if (!inode->i_op->getxattr) { + printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " + "xattr support\n", sb->s_id, sb->s_type->name); + rc = -EOPNOTSUPP; + goto out; + } + rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0); + if (rc < 0 && rc != -ENODATA) { + if (rc == -EOPNOTSUPP) + printk(KERN_WARNING "SELinux: (dev %s, type " + "%s) has no security xattr handler\n", + sb->s_id, sb->s_type->name); + else + printk(KERN_WARNING "SELinux: (dev %s, type " + "%s) getxattr errno %d\n", sb->s_id, + sb->s_type->name, -rc); + goto out; + } + } + + if (strcmp(sb->s_type->name, "proc") == 0) + sbsec->proc = 1; + + sbsec->initialized = 1; + + if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) { + printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n", + sb->s_id, sb->s_type->name); + } + else { + printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n", + sb->s_id, sb->s_type->name, + labeling_behaviors[sbsec->behavior-1]); + } + + /* Initialize the root inode. */ + rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root); + + /* Initialize any other inodes associated with the superblock, e.g. + inodes created prior to initial policy load or inodes created + during get_sb by a pseudo filesystem that directly + populates itself. */ + spin_lock(&sbsec->isec_lock); +next_inode: + if (!list_empty(&sbsec->isec_head)) { + struct inode_security_struct *isec = + list_entry(sbsec->isec_head.next, + struct inode_security_struct, list); + struct inode *inode = isec->inode; + spin_unlock(&sbsec->isec_lock); + inode = igrab(inode); + if (inode) { + if (!IS_PRIVATE (inode)) + inode_doinit(inode); + iput(inode); + } + spin_lock(&sbsec->isec_lock); + list_del_init(&isec->list); + goto next_inode; + } + spin_unlock(&sbsec->isec_lock); +out: + up(&sbsec->sem); + return rc; +} + +static inline u16 inode_mode_to_security_class(umode_t mode) +{ + switch (mode & S_IFMT) { + case S_IFSOCK: + return SECCLASS_SOCK_FILE; + case S_IFLNK: + return SECCLASS_LNK_FILE; + case S_IFREG: + return SECCLASS_FILE; + case S_IFBLK: + return SECCLASS_BLK_FILE; + case S_IFDIR: + return SECCLASS_DIR; + case S_IFCHR: + return SECCLASS_CHR_FILE; + case S_IFIFO: + return SECCLASS_FIFO_FILE; + + } + + return SECCLASS_FILE; +} + +static inline u16 socket_type_to_security_class(int family, int type, int protocol) +{ + switch (family) { + case PF_UNIX: + switch (type) { + case SOCK_STREAM: + case SOCK_SEQPACKET: + return SECCLASS_UNIX_STREAM_SOCKET; + case SOCK_DGRAM: + return SECCLASS_UNIX_DGRAM_SOCKET; + } + break; + case PF_INET: + case PF_INET6: + switch (type) { + case SOCK_STREAM: + return SECCLASS_TCP_SOCKET; + case SOCK_DGRAM: + return SECCLASS_UDP_SOCKET; + case SOCK_RAW: + return SECCLASS_RAWIP_SOCKET; + } + break; + case PF_NETLINK: + switch (protocol) { + case NETLINK_ROUTE: + return SECCLASS_NETLINK_ROUTE_SOCKET; + case NETLINK_FIREWALL: + return SECCLASS_NETLINK_FIREWALL_SOCKET; + case NETLINK_TCPDIAG: + return SECCLASS_NETLINK_TCPDIAG_SOCKET; + case NETLINK_NFLOG: + return SECCLASS_NETLINK_NFLOG_SOCKET; + case NETLINK_XFRM: + return SECCLASS_NETLINK_XFRM_SOCKET; + case NETLINK_SELINUX: + return SECCLASS_NETLINK_SELINUX_SOCKET; + case NETLINK_AUDIT: + return SECCLASS_NETLINK_AUDIT_SOCKET; + case NETLINK_IP6_FW: + return SECCLASS_NETLINK_IP6FW_SOCKET; + case NETLINK_DNRTMSG: + return SECCLASS_NETLINK_DNRT_SOCKET; + default: + return SECCLASS_NETLINK_SOCKET; + } + case PF_PACKET: + return SECCLASS_PACKET_SOCKET; + case PF_KEY: + return SECCLASS_KEY_SOCKET; + } + + return SECCLASS_SOCKET; +} + +#ifdef CONFIG_PROC_FS +static int selinux_proc_get_sid(struct proc_dir_entry *de, + u16 tclass, + u32 *sid) +{ + int buflen, rc; + char *buffer, *path, *end; + + buffer = (char*)__get_free_page(GFP_KERNEL); + if (!buffer) + return -ENOMEM; + + buflen = PAGE_SIZE; + end = buffer+buflen; + *--end = '\0'; + buflen--; + path = end-1; + *path = '/'; + while (de && de != de->parent) { + buflen -= de->namelen + 1; + if (buflen < 0) + break; + end -= de->namelen; + memcpy(end, de->name, de->namelen); + *--end = '/'; + path = end; + de = de->parent; + } + rc = security_genfs_sid("proc", path, tclass, sid); + free_page((unsigned long)buffer); + return rc; +} +#else +static int selinux_proc_get_sid(struct proc_dir_entry *de, + u16 tclass, + u32 *sid) +{ + return -EINVAL; +} +#endif + +/* The inode's security attributes must be initialized before first use. */ +static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) +{ + struct superblock_security_struct *sbsec = NULL; + struct inode_security_struct *isec = inode->i_security; + u32 sid; + struct dentry *dentry; +#define INITCONTEXTLEN 255 + char *context = NULL; + unsigned len = 0; + int rc = 0; + int hold_sem = 0; + + if (isec->initialized) + goto out; + + down(&isec->sem); + hold_sem = 1; + if (isec->initialized) + goto out; + + sbsec = inode->i_sb->s_security; + if (!sbsec->initialized) { + /* Defer initialization until selinux_complete_init, + after the initial policy is loaded and the security + server is ready to handle calls. */ + spin_lock(&sbsec->isec_lock); + if (list_empty(&isec->list)) + list_add(&isec->list, &sbsec->isec_head); + spin_unlock(&sbsec->isec_lock); + goto out; + } + + switch (sbsec->behavior) { + case SECURITY_FS_USE_XATTR: + if (!inode->i_op->getxattr) { + isec->sid = sbsec->def_sid; + break; + } + + /* Need a dentry, since the xattr API requires one. + Life would be simpler if we could just pass the inode. */ + if (opt_dentry) { + /* Called from d_instantiate or d_splice_alias. */ + dentry = dget(opt_dentry); + } else { + /* Called from selinux_complete_init, try to find a dentry. */ + dentry = d_find_alias(inode); + } + if (!dentry) { + printk(KERN_WARNING "%s: no dentry for dev=%s " + "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id, + inode->i_ino); + goto out; + } + + len = INITCONTEXTLEN; + context = kmalloc(len, GFP_KERNEL); + if (!context) { + rc = -ENOMEM; + dput(dentry); + goto out; + } + rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, + context, len); + if (rc == -ERANGE) { + /* Need a larger buffer. Query for the right size. */ + rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, + NULL, 0); + if (rc < 0) { + dput(dentry); + goto out; + } + kfree(context); + len = rc; + context = kmalloc(len, GFP_KERNEL); + if (!context) { + rc = -ENOMEM; + dput(dentry); + goto out; + } + rc = inode->i_op->getxattr(dentry, + XATTR_NAME_SELINUX, + context, len); + } + dput(dentry); + if (rc < 0) { + if (rc != -ENODATA) { + printk(KERN_WARNING "%s: getxattr returned " + "%d for dev=%s ino=%ld\n", __FUNCTION__, + -rc, inode->i_sb->s_id, inode->i_ino); + kfree(context); + goto out; + } + /* Map ENODATA to the default file SID */ + sid = sbsec->def_sid; + rc = 0; + } else { + rc = security_context_to_sid(context, rc, &sid); + if (rc) { + printk(KERN_WARNING "%s: context_to_sid(%s) " + "returned %d for dev=%s ino=%ld\n", + __FUNCTION__, context, -rc, + inode->i_sb->s_id, inode->i_ino); + kfree(context); + /* Leave with the unlabeled SID */ + rc = 0; + break; + } + } + kfree(context); + isec->sid = sid; + break; + case SECURITY_FS_USE_TASK: + isec->sid = isec->task_sid; + break; + case SECURITY_FS_USE_TRANS: + /* Default to the fs SID. */ + isec->sid = sbsec->sid; + + /* Try to obtain a transition SID. */ + isec->sclass = inode_mode_to_security_class(inode->i_mode); + rc = security_transition_sid(isec->task_sid, + sbsec->sid, + isec->sclass, + &sid); + if (rc) + goto out; + isec->sid = sid; + break; + default: + /* Default to the fs SID. */ + isec->sid = sbsec->sid; + + if (sbsec->proc) { + struct proc_inode *proci = PROC_I(inode); + if (proci->pde) { + isec->sclass = inode_mode_to_security_class(inode->i_mode); + rc = selinux_proc_get_sid(proci->pde, + isec->sclass, + &sid); + if (rc) + goto out; + isec->sid = sid; + } + } + break; + } + + isec->initialized = 1; + +out: + if (isec->sclass == SECCLASS_FILE) + isec->sclass = inode_mode_to_security_class(inode->i_mode); + + if (hold_sem) + up(&isec->sem); + return rc; +} + +/* Convert a Linux signal to an access vector. */ +static inline u32 signal_to_av(int sig) +{ + u32 perm = 0; + + switch (sig) { + case SIGCHLD: + /* Commonly granted from child to parent. */ + perm = PROCESS__SIGCHLD; + break; + case SIGKILL: + /* Cannot be caught or ignored */ + perm = PROCESS__SIGKILL; + break; + case SIGSTOP: + /* Cannot be caught or ignored */ + perm = PROCESS__SIGSTOP; + break; + default: + /* All other signals. */ + perm = PROCESS__SIGNAL; + break; + } + + return perm; +} + +/* Check permission betweeen a pair of tasks, e.g. signal checks, + fork check, ptrace check, etc. */ +static int task_has_perm(struct task_struct *tsk1, + struct task_struct *tsk2, + u32 perms) +{ + struct task_security_struct *tsec1, *tsec2; + + tsec1 = tsk1->security; + tsec2 = tsk2->security; + return avc_has_perm(tsec1->sid, tsec2->sid, + SECCLASS_PROCESS, perms, NULL); +} + +/* Check whether a task is allowed to use a capability. */ +static int task_has_capability(struct task_struct *tsk, + int cap) +{ + struct task_security_struct *tsec; + struct avc_audit_data ad; + + tsec = tsk->security; + + AVC_AUDIT_DATA_INIT(&ad,CAP); + ad.tsk = tsk; + ad.u.cap = cap; + + return avc_has_perm(tsec->sid, tsec->sid, + SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad); +} + +/* Check whether a task is allowed to use a system operation. */ +static int task_has_system(struct task_struct *tsk, + u32 perms) +{ + struct task_security_struct *tsec; + + tsec = tsk->security; + + return avc_has_perm(tsec->sid, SECINITSID_KERNEL, + SECCLASS_SYSTEM, perms, NULL); +} + +/* Check whether a task has a particular permission to an inode. + The 'adp' parameter is optional and allows other audit + data to be passed (e.g. the dentry). */ +static int inode_has_perm(struct task_struct *tsk, + struct inode *inode, + u32 perms, + struct avc_audit_data *adp) +{ + struct task_security_struct *tsec; + struct inode_security_struct *isec; + struct avc_audit_data ad; + + tsec = tsk->security; + isec = inode->i_security; + + if (!adp) { + adp = &ad; + AVC_AUDIT_DATA_INIT(&ad, FS); + ad.u.fs.inode = inode; + } + + return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp); +} + +/* Same as inode_has_perm, but pass explicit audit data containing + the dentry to help the auditing code to more easily generate the + pathname if needed. */ +static inline int dentry_has_perm(struct task_struct *tsk, + struct vfsmount *mnt, + struct dentry *dentry, + u32 av) +{ + struct inode *inode = dentry->d_inode; + struct avc_audit_data ad; + AVC_AUDIT_DATA_INIT(&ad,FS); + ad.u.fs.mnt = mnt; + ad.u.fs.dentry = dentry; + return inode_has_perm(tsk, inode, av, &ad); +} + +/* Check whether a task can use an open file descriptor to + access an inode in a given way. Check access to the + descriptor itself, and then use dentry_has_perm to + check a particular permission to the file. + Access to the descriptor is implicitly granted if it + has the same SID as the process. If av is zero, then + access to the file is not checked, e.g. for cases + where only the descriptor is affected like seek. */ +static inline int file_has_perm(struct task_struct *tsk, + struct file *file, + u32 av) +{ + struct task_security_struct *tsec = tsk->security; + struct file_security_struct *fsec = file->f_security; + struct vfsmount *mnt = file->f_vfsmnt; + struct dentry *dentry = file->f_dentry; + struct inode *inode = dentry->d_inode; + struct avc_audit_data ad; + int rc; + + AVC_AUDIT_DATA_INIT(&ad, FS); + ad.u.fs.mnt = mnt; + ad.u.fs.dentry = dentry; + + if (tsec->sid != fsec->sid) { + rc = avc_has_perm(tsec->sid, fsec->sid, + SECCLASS_FD, + FD__USE, + &ad); + if (rc) + return rc; + } + + /* av is zero if only checking access to the descriptor. */ + if (av) + return inode_has_perm(tsk, inode, av, &ad); + + return 0; +} + +/* Check whether a task can create a file. */ +static int may_create(struct inode *dir, + struct dentry *dentry, + u16 tclass) +{ + struct task_security_struct *tsec; + struct inode_security_struct *dsec; + struct superblock_security_struct *sbsec; + u32 newsid; + struct avc_audit_data ad; + int rc; + + tsec = current->security; + dsec = dir->i_security; + sbsec = dir->i_sb->s_security; + + AVC_AUDIT_DATA_INIT(&ad, FS); + ad.u.fs.dentry = dentry; + + rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, + DIR__ADD_NAME | DIR__SEARCH, + &ad); + if (rc) + return rc; + + if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) { + newsid = tsec->create_sid; + } else { + rc = security_transition_sid(tsec->sid, dsec->sid, tclass, + &newsid); + if (rc) + return rc; + } + + rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad); + if (rc) + return rc; + + return avc_has_perm(newsid, sbsec->sid, + SECCLASS_FILESYSTEM, + FILESYSTEM__ASSOCIATE, &ad); +} + +#define MAY_LINK 0 +#define MAY_UNLINK 1 +#define MAY_RMDIR 2 + +/* Check whether a task can link, unlink, or rmdir a file/directory. */ +static int may_link(struct inode *dir, + struct dentry *dentry, + int kind) + +{ + struct task_security_struct *tsec; + struct inode_security_struct *dsec, *isec; + struct avc_audit_data ad; + u32 av; + int rc; + + tsec = current->security; + dsec = dir->i_security; + isec = dentry->d_inode->i_security; + + AVC_AUDIT_DATA_INIT(&ad, FS); + ad.u.fs.dentry = dentry; + + av = DIR__SEARCH; + av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); + rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad); + if (rc) + return rc; + + switch (kind) { + case MAY_LINK: + av = FILE__LINK; + break; + case MAY_UNLINK: + av = FILE__UNLINK; + break; + case MAY_RMDIR: + av = DIR__RMDIR; + break; + default: + printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind); + return 0; + } + + rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad); + return rc; +} + +static inline int may_rename(struct inode *old_dir, + struct dentry *old_dentry, + struct inode *new_dir, + struct dentry *new_dentry) +{ + struct task_security_struct *tsec; + struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; + struct avc_audit_data ad; + u32 av; + int old_is_dir, new_is_dir; + int rc; + + tsec = current->security; + old_dsec = old_dir->i_security; + old_isec = old_dentry->d_inode->i_security; + old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); + new_dsec = new_dir->i_security; + + AVC_AUDIT_DATA_INIT(&ad, FS); + + ad.u.fs.dentry = old_dentry; + rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR, + DIR__REMOVE_NAME | DIR__SEARCH, &ad); + if (rc) + return rc; + rc = avc_has_perm(tsec->sid, old_isec->sid, + old_isec->sclass, FILE__RENAME, &ad); + if (rc) + return rc; + if (old_is_dir && new_dir != old_dir) { + rc = avc_has_perm(tsec->sid, old_isec->sid, + old_isec->sclass, DIR__REPARENT, &ad); + if (rc) + return rc; + } + + ad.u.fs.dentry = new_dentry; + av = DIR__ADD_NAME | DIR__SEARCH; + if (new_dentry->d_inode) + av |= DIR__REMOVE_NAME; + rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad); + if (rc) + return rc; + if (new_dentry->d_inode) { + new_isec = new_dentry->d_inode->i_security; + new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode); + rc = avc_has_perm(tsec->sid, new_isec->sid, + new_isec->sclass, + (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); + if (rc) + return rc; + } + + return 0; +} + +/* Check whether a task can perform a filesystem operation. */ +static int superblock_has_perm(struct task_struct *tsk, + struct super_block *sb, + u32 perms, + struct avc_audit_data *ad) +{ + struct task_security_struct *tsec; + struct superblock_security_struct *sbsec; + + tsec = tsk->security; + sbsec = sb->s_security; + return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, + perms, ad); +} + +/* Convert a Linux mode and permission mask to an access vector. */ +static inline u32 file_mask_to_av(int mode, int mask) +{ + u32 av = 0; + + if ((mode & S_IFMT) != S_IFDIR) { + if (mask & MAY_EXEC) + av |= FILE__EXECUTE; + if (mask & MAY_READ) + av |= FILE__READ; + + if (mask & MAY_APPEND) + av |= FILE__APPEND; + else if (mask & MAY_WRITE) + av |= FILE__WRITE; + + } else { + if (mask & MAY_EXEC) + av |= DIR__SEARCH; + if (mask & MAY_WRITE) + av |= DIR__WRITE; + if (mask & MAY_READ) + av |= DIR__READ; + } + + return av; +} + +/* Convert a Linux file to an access vector. */ +static inline u32 file_to_av(struct file *file) +{ + u32 av = 0; + + if (file->f_mode & FMODE_REA |