1443
1444
printk(KERN_ERR
1444
1445
"SELinux: out of range capability %d\n", cap);
1448
1450
rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1485
1486
sid = cred_sid(cred);
1486
1487
isec = inode->i_security;
1490
COMMON_AUDIT_DATA_INIT(&ad, FS);
1491
ad.u.fs.inode = inode;
1494
1489
return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1492
static int inode_has_perm_noadp(const struct cred *cred,
1493
struct inode *inode,
1497
struct common_audit_data ad;
1499
COMMON_AUDIT_DATA_INIT(&ad, INODE);
1501
return inode_has_perm(cred, inode, perms, &ad, flags);
1497
1504
/* Same as inode_has_perm, but pass explicit audit data containing
1498
1505
the dentry to help the auditing code to more easily generate the
1499
1506
pathname if needed. */
1500
1507
static inline int dentry_has_perm(const struct cred *cred,
1501
struct vfsmount *mnt,
1502
1508
struct dentry *dentry,
1505
1511
struct inode *inode = dentry->d_inode;
1506
1512
struct common_audit_data ad;
1508
COMMON_AUDIT_DATA_INIT(&ad, FS);
1509
ad.u.fs.path.mnt = mnt;
1510
ad.u.fs.path.dentry = dentry;
1514
COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1515
ad.u.dentry = dentry;
1516
return inode_has_perm(cred, inode, av, &ad, 0);
1519
/* Same as inode_has_perm, but pass explicit audit data containing
1520
the path to help the auditing code to more easily generate the
1521
pathname if needed. */
1522
static inline int path_has_perm(const struct cred *cred,
1526
struct inode *inode = path->dentry->d_inode;
1527
struct common_audit_data ad;
1529
COMMON_AUDIT_DATA_INIT(&ad, PATH);
1511
1531
return inode_has_perm(cred, inode, av, &ad, 0);
1529
1549
u32 sid = cred_sid(cred);
1532
COMMON_AUDIT_DATA_INIT(&ad, FS);
1533
ad.u.fs.path = file->f_path;
1552
COMMON_AUDIT_DATA_INIT(&ad, PATH);
1553
ad.u.path = file->f_path;
1535
1555
if (sid != fsec->sid) {
1536
1556
rc = avc_has_perm(sid, fsec->sid,
1568
1588
sid = tsec->sid;
1569
1589
newsid = tsec->create_sid;
1571
COMMON_AUDIT_DATA_INIT(&ad, FS);
1572
ad.u.fs.path.dentry = dentry;
1591
COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1592
ad.u.dentry = dentry;
1574
1594
rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1575
1595
DIR__ADD_NAME | DIR__SEARCH,
1621
1641
dsec = dir->i_security;
1622
1642
isec = dentry->d_inode->i_security;
1624
COMMON_AUDIT_DATA_INIT(&ad, FS);
1625
ad.u.fs.path.dentry = dentry;
1644
COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1645
ad.u.dentry = dentry;
1627
1647
av = DIR__SEARCH;
1628
1648
av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1667
1687
old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1668
1688
new_dsec = new_dir->i_security;
1670
COMMON_AUDIT_DATA_INIT(&ad, FS);
1690
COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1672
ad.u.fs.path.dentry = old_dentry;
1692
ad.u.dentry = old_dentry;
1673
1693
rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1674
1694
DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1896
1916
const struct cred *cred = current_cred();
1898
return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1918
return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1901
1921
static int selinux_syslog(int type)
1995
COMMON_AUDIT_DATA_INIT(&ad, FS);
1996
ad.u.fs.path = bprm->file->f_path;
2015
COMMON_AUDIT_DATA_INIT(&ad, PATH);
2016
ad.u.path = bprm->file->f_path;
1998
2018
if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1999
2019
new_tsec->sid = old_tsec->sid;
2107
2127
struct tty_file_private, list);
2108
2128
file = file_priv->file;
2109
2129
inode = file->f_path.dentry->d_inode;
2110
if (inode_has_perm(cred, inode,
2111
FILE__READ | FILE__WRITE, NULL, 0)) {
2130
if (inode_has_perm_noadp(cred, inode,
2131
FILE__READ | FILE__WRITE, 0)) {
2122
2142
/* Revalidate access to inherited open files. */
2124
COMMON_AUDIT_DATA_INIT(&ad, FS);
2144
COMMON_AUDIT_DATA_INIT(&ad, INODE);
2126
2146
spin_lock(&files->file_lock);
2469
2489
if (flags & MS_KERNMOUNT)
2472
COMMON_AUDIT_DATA_INIT(&ad, FS);
2473
ad.u.fs.path.dentry = sb->s_root;
2492
COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2493
ad.u.dentry = sb->s_root;
2474
2494
return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2479
2499
const struct cred *cred = current_cred();
2480
2500
struct common_audit_data ad;
2482
COMMON_AUDIT_DATA_INIT(&ad, FS);
2483
ad.u.fs.path.dentry = dentry->d_sb->s_root;
2502
COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2503
ad.u.dentry = dentry->d_sb->s_root;
2484
2504
return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2496
2516
return superblock_has_perm(cred, path->mnt->mnt_sb,
2497
2517
FILESYSTEM__REMOUNT, NULL);
2499
return dentry_has_perm(cred, path->mnt, path->dentry,
2519
return path_has_perm(cred, path, FILE__MOUNTON);
2503
2522
static int selinux_umount(struct vfsmount *mnt, int flags)
2631
2650
const struct cred *cred = current_cred();
2633
return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2652
return dentry_has_perm(cred, dentry, FILE__READ);
2636
2655
static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2638
2657
const struct cred *cred = current_cred();
2640
return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2659
return dentry_has_perm(cred, dentry, FILE__READ);
2643
2662
static int selinux_inode_permission(struct inode *inode, int mask, unsigned flags)
2681
2700
if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2682
2701
ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2683
return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2702
return dentry_has_perm(cred, dentry, FILE__SETATTR);
2685
return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2704
return dentry_has_perm(cred, dentry, FILE__WRITE);
2688
2707
static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2690
2709
const struct cred *cred = current_cred();
2692
return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2712
path.dentry = dentry;
2715
return path_has_perm(cred, &path, FILE__GETATTR);
2695
2718
static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2711
2734
/* Not an attribute we recognize, so just check the
2712
2735
ordinary setattr permission. */
2713
return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2736
return dentry_has_perm(cred, dentry, FILE__SETATTR);
2716
2739
static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2733
2756
if (!inode_owner_or_capable(inode))
2736
COMMON_AUDIT_DATA_INIT(&ad, FS);
2737
ad.u.fs.path.dentry = dentry;
2759
COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2760
ad.u.dentry = dentry;
2739
2762
rc = avc_has_perm(sid, isec->sid, isec->sclass,
2740
2763
FILE__RELABELFROM, &ad);
2798
2821
const struct cred *cred = current_cred();
2800
return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2823
return dentry_has_perm(cred, dentry, FILE__GETATTR);
2803
2826
static int selinux_inode_listxattr(struct dentry *dentry)
2805
2828
const struct cred *cred = current_cred();
2807
return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2830
return dentry_has_perm(cred, dentry, FILE__GETATTR);
2810
2833
static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3210
3233
* new inode label or new policy.
3211
3234
* This check is not redundant - do not remove.
3213
return inode_has_perm(cred, inode, open_file_to_av(file), NULL, 0);
3236
return inode_has_perm_noadp(cred, inode, open_file_to_av(file), 0);
3216
3239
/* task security operations */