6 files changed, 197 insertions, 37 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 099bbd07732f..6ae19fd28be5 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1301,10 +1301,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
                /* Try to obtain a transition SID. */
                isec->sclass = inode_mode_to_security_class(inode->i_mode);
-                rc = security_transition_sid(isec->task_sid,
+                rc = security_transition_sid(isec->task_sid, sbsec->sid,
-                                             sbsec->sid,
+                                             isec->sclass, NULL, &sid);
-                                             isec->sclass,
-                                             &sid);
                if (rc)
                        goto out_unlock;
                isec->sid = sid;
@@ -1579,7 +1577,7 @@ static int may_create(struct inode *dir,
                return rc;
        if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
-                rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
+                rc = security_transition_sid(sid, dsec->sid, tclass, NULL, &newsid);
                if (rc)
                        return rc;
        }
@@ -2061,7 +2059,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
        } else {
                /* Check for a default transition on this program. */
                rc = security_transition_sid(old_tsec->sid, isec->sid,
-                                             SECCLASS_PROCESS, &new_tsec->sid);
+                                             SECCLASS_PROCESS, NULL,
+                                             &new_tsec->sid);
                if (rc)
                        return rc;
        }
@@ -2532,7 +2531,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
        else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
                rc = security_transition_sid(sid, dsec->sid,
                                             inode_mode_to_security_class(inode->i_mode),
-                                             &newsid);
+                                             qstr, &newsid);
                if (rc) {
                        printk(KERN_WARNING "%s:  "
                               "security_transition_sid failed, rc=%d (dev=%s "
@@ -4845,7 +4844,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
                 * message queue this message will be stored in
                 */
                rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
-                                             &msec->sid);
+                                             NULL, &msec->sid);
                if (rc)
                        return rc;
        }
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 671273eb1115..348eb00cb668 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -8,6 +8,7 @@
 #ifndef _SELINUX_SECURITY_H_
 #define _SELINUX_SECURITY_H_
+#include <linux/dcache.h>
 #include <linux/magic.h>
 #include <linux/types.h>
 #include "flask.h"
@@ -28,13 +29,14 @@
 #define POLICYDB_VERSION_POLCAP         22
 #define POLICYDB_VERSION_PERMISSIVE     23
 #define POLICYDB_VERSION_BOUNDARY       24
+#define POLICYDB_VERSION_FILENAME_TRANS 25
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
 #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
 #define POLICYDB_VERSION_MAX    CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
 #else
-#define POLICYDB_VERSION_MAX    POLICYDB_VERSION_BOUNDARY
+#define POLICYDB_VERSION_MAX    POLICYDB_VERSION_FILENAME_TRANS
 #endif
 /* Mask for just the mount related flags */
@@ -106,8 +108,8 @@ void security_compute_av(u32 ssid, u32 tsid,
 void security_compute_av_user(u32 ssid, u32 tsid,
                             u16 tclass, struct av_decision *avd);
-int security_transition_sid(u32 ssid, u32 tsid,
+int security_transition_sid(u32 ssid, u32 tsid, u16 tclass,
-                            u16 tclass, u32 *out_sid);
+                            const struct qstr *qstr, u32 *out_sid);
 int security_transition_sid_user(u32 ssid, u32 tsid,
                                 u16 tclass, u32 *out_sid);
diff --git a/security/selinux/ss/avtab.h b/security/selinux/ss/avtab.h
index 3417f9cc1cbd..63ce2f9e441d 100644
--- a/security/selinux/ss/avtab.h
+++ b/security/selinux/ss/avtab.h
@@ -14,7 +14,7 @@
 *
 * Copyright (C) 2003 Tresys Technology, LLC
 *      This program is free software; you can redistribute it and/or modify
- *      it under the terms of the GNU General Public License as published by
+ *      it under the terms of the GNU General Public License as published by
 *      the Free Software Foundation, version 2.
 *
 * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp>
@@ -27,16 +27,16 @@ struct avtab_key {
        u16 source_type;        /* source type */
        u16 target_type;        /* target type */
        u16 target_class;       /* target object class */
-#define AVTAB_ALLOWED     1
+#define AVTAB_ALLOWED           0x0001
-#define AVTAB_AUDITALLOW  2
+#define AVTAB_AUDITALLOW        0x0002
-#define AVTAB_AUDITDENY   4
+#define AVTAB_AUDITDENY         0x0004
-#define AVTAB_AV         (AVTAB_ALLOWED | AVTAB_AUDITALLOW | AVTAB_AUDITDENY)
+#define AVTAB_AV                (AVTAB_ALLOWED | AVTAB_AUDITALLOW | AVTAB_AUDITDENY)
-#define AVTAB_TRANSITION 16
+#define AVTAB_TRANSITION        0x0010
-#define AVTAB_MEMBER     32
+#define AVTAB_MEMBER            0x0020
-#define AVTAB_CHANGE     64
+#define AVTAB_CHANGE            0x0040
-#define AVTAB_TYPE       (AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE)
+#define AVTAB_TYPE              (AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE)
-#define AVTAB_ENABLED_OLD    0x80000000 /* reserved for used in cond_avtab */
+#define AVTAB_ENABLED_OLD   0x80000000 /* reserved for used in cond_avtab */
-#define AVTAB_ENABLED    0x8000 /* reserved for used in cond_avtab */
+#define AVTAB_ENABLED           0x8000 /* reserved for used in cond_avtab */
        u16 specified;  /* what field is specified */
 };
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index be9de3872837..159c81806760 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -123,6 +123,11 @@ static struct policydb_compat_info policydb_compat[] = {
                .sym_num        = SYM_NUM,
                .ocon_num       = OCON_NUM,
        },
+        {
+                .version        = POLICYDB_VERSION_FILENAME_TRANS,
+                .sym_num        = SYM_NUM,
+                .ocon_num       = OCON_NUM,
+        },
 };
 static struct policydb_compat_info *policydb_lookup_compat(int version)
@@ -704,6 +709,7 @@ void policydb_destroy(struct policydb *p)
        int i;
        struct role_allow *ra, *lra = NULL;
        struct role_trans *tr, *ltr = NULL;
+        struct filename_trans *ft, *nft;
        for (i = 0; i < SYM_NUM; i++) {
                cond_resched();
@@ -781,6 +787,15 @@ void policydb_destroy(struct policydb *p)
                }
                flex_array_free(p->type_attr_map_array);
        }
+        ft = p->filename_trans;
+        while (ft) {
+                nft = ft->next;
+                kfree(ft->name);
+                kfree(ft);
+                ft = nft;
+        }
        ebitmap_destroy(&p->policycaps);
        ebitmap_destroy(&p->permissive_map);
@@ -1788,6 +1803,76 @@ out:
        return rc;
 }
+static int filename_trans_read(struct policydb *p, void *fp)
+{
+        struct filename_trans *ft, *last;
+        u32 nel, len;
+        char *name;
+        __le32 buf[4];
+        int rc, i;
+        if (p->policyvers < POLICYDB_VERSION_FILENAME_TRANS)
+                return 0;
+        rc = next_entry(buf, fp, sizeof(u32));
+        if (rc)
+                goto out;
+        nel = le32_to_cpu(buf[0]);
+        printk(KERN_ERR "%s: nel=%d\n", __func__, nel);
+        last = p->filename_trans;
+        while (last && last->next)
+                last = last->next;
+        for (i = 0; i < nel; i++) {
+                rc = -ENOMEM;
+                ft = kzalloc(sizeof(*ft), GFP_KERNEL);
+                if (!ft)
+                        goto out;
+                /* add it to the tail of the list */
+                if (!last)
+                        p->filename_trans = ft;
+                else
+                        last->next = ft;
+                last = ft;
+                /* length of the path component string */
+                rc = next_entry(buf, fp, sizeof(u32));
+                if (rc)
+                        goto out;
+                len = le32_to_cpu(buf[0]);
+                rc = -ENOMEM;
+                name = kmalloc(len + 1, GFP_KERNEL);
+                if (!name)
+                        goto out;
+                ft->name = name;
+                /* path component string */
+                rc = next_entry(name, fp, len);
+                if (rc)
+                        goto out;
+                name[len] = 0;
+                printk(KERN_ERR "%s: ft=%p ft->name=%p ft->name=%s\n", __func__, ft, ft->name, ft->name);
+                rc = next_entry(buf, fp, sizeof(u32) * 4);
+                if (rc)
+                        goto out;
+                ft->stype = le32_to_cpu(buf[0]);
+                ft->ttype = le32_to_cpu(buf[1]);
+                ft->tclass = le32_to_cpu(buf[2]);
+                ft->otype = le32_to_cpu(buf[3]);
+        }
+        rc = 0;
+out:
+        return rc;
+}
 static int genfs_read(struct policydb *p, void *fp)
 {
        int i, j, rc;
@@ -2251,6 +2336,10 @@ int policydb_read(struct policydb *p, void *fp)
                lra = ra;
        }
+        rc = filename_trans_read(p, fp);
+        if (rc)
+                goto bad;
        rc = policydb_index(p);
        if (rc)
                goto bad;
@@ -3025,6 +3114,43 @@ static int range_write(struct policydb *p, void *fp)
        return 0;
 }
+static int filename_trans_write(struct policydb *p, void *fp)
+{
+        struct filename_trans *ft;
+        u32 len, nel = 0;
+        __le32 buf[4];
+        int rc;
+        for (ft = p->filename_trans; ft; ft = ft->next)
+                nel++;
+        buf[0] = cpu_to_le32(nel);
+        rc = put_entry(buf, sizeof(u32), 1, fp);
+        if (rc)
+                return rc;
+        for (ft = p->filename_trans; ft; ft = ft->next) {
+                len = strlen(ft->name);
+                buf[0] = cpu_to_le32(len);
+                rc = put_entry(buf, sizeof(u32), 1, fp);
+                if (rc)
+                        return rc;
+                rc = put_entry(ft->name, sizeof(char), len, fp);
+                if (rc)
+                        return rc;
+                buf[0] = ft->stype;
+                buf[1] = ft->ttype;
+                buf[2] = ft->tclass;
+                buf[3] = ft->otype;
+                rc = put_entry(buf, sizeof(u32), 4, fp);
+                if (rc)
+                        return rc;
+        }
+        return 0;
+}
 /*
 * Write the configuration data in a policy database
 * structure to a policy database binary representation
@@ -3135,6 +3261,10 @@ int policydb_write(struct policydb *p, void *fp)
        if (rc)
                return rc;
+        rc = filename_trans_write(p, fp);
+        if (rc)
+                return rc;
        rc = ocontext_write(p, info, fp);
        if (rc)
                return rc;
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
index 4e3ab9d0b315..732ea4a68682 100644
--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -77,6 +77,15 @@ struct role_trans {
        struct role_trans *next;
 };
+struct filename_trans {
+        struct filename_trans *next;
+        u32 stype;              /* current process */
+        u32 ttype;              /* parent dir context */
+        u16 tclass;             /* class of new object */
+        const char *name;       /* last path component */
+        u32 otype;              /* expected of new object */
+};
 struct role_allow {
        u32 role;               /* current role */
        u32 new_role;           /* new role */
@@ -217,6 +226,9 @@ struct policydb {
        /* role transitions */
        struct role_trans *role_tr;
+        /* file transitions with the last path component */
+        struct filename_trans *filename_trans;
        /* bools indexed by (value - 1) */
        struct cond_bool_datum **bool_val_to_struct;
        /* type enforcement conditional access vectors and transitions */
@@ -302,7 +314,7 @@ static inline int next_entry(void *buf, struct policy_file *fp, size_t bytes)
        return 0;
 }
-static inline int put_entry(void *buf, size_t bytes, int num, struct policy_file *fp)
+static inline int put_entry(const void *buf, size_t bytes, int num, struct policy_file *fp)
 {
        size_t len = bytes * num;
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index a03cfaf0ee07..2e36e03c21f2 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1343,10 +1343,27 @@ out:
        return -EACCES;
 }
+static void filename_compute_type(struct policydb *p, struct context *newcontext,
+                                  u32 scon, u32 tcon, u16 tclass,
+                                  const struct qstr *qstr)
+{
+        struct filename_trans *ft;
+        for (ft = p->filename_trans; ft; ft = ft->next) {
+                if (ft->stype == scon &&
+                    ft->ttype == tcon &&
+                    ft->tclass == tclass &&
+                    !strcmp(ft->name, qstr->name)) {
+                        newcontext->type = ft->otype;
+                        return;
+                }
+        }
+}
 static int security_compute_sid(u32 ssid,
                                u32 tsid,
                                u16 orig_tclass,
                                u32 specified,
+                                const struct qstr *qstr,
                                u32 *out_sid,
                                bool kern)
 {
@@ -1442,6 +1459,11 @@ static int security_compute_sid(u32 ssid,
                newcontext.type = avdatum->data;
        }
+        /* if we have a qstr this is a file trans check so check those rules */
+        if (qstr)
+                filename_compute_type(&policydb, &newcontext, scontext->type,
+                                      tcontext->type, tclass, qstr);
        /* Check for class-specific changes. */
        if  (tclass == policydb.process_class) {
                if (specified & AVTAB_TRANSITION) {
@@ -1495,22 +1517,17 @@ out:
 * if insufficient memory is available, or %0 if the new SID was
 * computed successfully.
 */
-int security_transition_sid(u32 ssid,
+int security_transition_sid(u32 ssid, u32 tsid, u16 tclass,
-                            u32 tsid,
+                            const struct qstr *qstr, u32 *out_sid)
-                            u16 tclass,
-                            u32 *out_sid)
 {
        return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
-                                    out_sid, true);
+                                    qstr, out_sid, true);
 }
-int security_transition_sid_user(u32 ssid,
+int security_transition_sid_user(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid)
-                                 u32 tsid,
-                                 u16 tclass,
-                                 u32 *out_sid)
 {
        return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
-                                    out_sid, false);
+                                    NULL, out_sid, false);
 }
 /**
@@ -1531,8 +1548,8 @@ int security_member_sid(u32 ssid,
                        u16 tclass,
                        u32 *out_sid)
 {
-        return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid,
+        return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, NULL,
-                                    false);
+                                    out_sid, false);
 }
 /**
@@ -1553,8 +1570,8 @@ int security_change_sid(u32 ssid,
                        u16 tclass,
                        u32 *out_sid)
 {
-        return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid,
+        return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, NULL,
-                                    false);
+                                    out_sid, false);
 }
 /* Clone the SID into the new SID table. */