get rid of pointless includes of ext2_fs.h
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h>             /* for local_port_range[] */
54 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
55 #include <net/net_namespace.h>
56 #include <net/netlabel.h>
57 #include <linux/uaccess.h>
58 #include <asm/ioctls.h>
59 #include <linux/atomic.h>
60 #include <linux/bitops.h>
61 #include <linux/interrupt.h>
62 #include <linux/netdevice.h>    /* for network interface checks */
63 #include <linux/netlink.h>
64 #include <linux/tcp.h>
65 #include <linux/udp.h>
66 #include <linux/dccp.h>
67 #include <linux/quota.h>
68 #include <linux/un.h>           /* for Unix socket types */
69 #include <net/af_unix.h>        /* for Unix socket types */
70 #include <linux/parser.h>
71 #include <linux/nfs_mount.h>
72 #include <net/ipv6.h>
73 #include <linux/hugetlb.h>
74 #include <linux/personality.h>
75 #include <linux/audit.h>
76 #include <linux/string.h>
77 #include <linux/selinux.h>
78 #include <linux/mutex.h>
79 #include <linux/posix-timers.h>
80 #include <linux/syslog.h>
81 #include <linux/user_namespace.h>
82 #include <linux/export.h>
83 #include <linux/msg.h>
84 #include <linux/shm.h>
85
86 #include "avc.h"
87 #include "objsec.h"
88 #include "netif.h"
89 #include "netnode.h"
90 #include "netport.h"
91 #include "xfrm.h"
92 #include "netlabel.h"
93 #include "audit.h"
94 #include "avc_ss.h"
95
96 #define NUM_SEL_MNT_OPTS 5
97
98 extern struct security_operations *security_ops;
99
100 /* SECMARK reference count */
101 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
102
103 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
104 int selinux_enforcing;
105
106 static int __init enforcing_setup(char *str)
107 {
108         unsigned long enforcing;
109         if (!strict_strtoul(str, 0, &enforcing))
110                 selinux_enforcing = enforcing ? 1 : 0;
111         return 1;
112 }
113 __setup("enforcing=", enforcing_setup);
114 #endif
115
116 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118
119 static int __init selinux_enabled_setup(char *str)
120 {
121         unsigned long enabled;
122         if (!strict_strtoul(str, 0, &enabled))
123                 selinux_enabled = enabled ? 1 : 0;
124         return 1;
125 }
126 __setup("selinux=", selinux_enabled_setup);
127 #else
128 int selinux_enabled = 1;
129 #endif
130
131 static struct kmem_cache *sel_inode_cache;
132
133 /**
134  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
135  *
136  * Description:
137  * This function checks the SECMARK reference counter to see if any SECMARK
138  * targets are currently configured, if the reference counter is greater than
139  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
140  * enabled, false (0) if SECMARK is disabled.
141  *
142  */
143 static int selinux_secmark_enabled(void)
144 {
145         return (atomic_read(&selinux_secmark_refcount) > 0);
146 }
147
148 /*
149  * initialise the security for the init task
150  */
151 static void cred_init_security(void)
152 {
153         struct cred *cred = (struct cred *) current->real_cred;
154         struct task_security_struct *tsec;
155
156         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
157         if (!tsec)
158                 panic("SELinux:  Failed to initialize initial task.\n");
159
160         tsec->osid = tsec->sid = SECINITSID_KERNEL;
161         cred->security = tsec;
162 }
163
164 /*
165  * get the security ID of a set of credentials
166  */
167 static inline u32 cred_sid(const struct cred *cred)
168 {
169         const struct task_security_struct *tsec;
170
171         tsec = cred->security;
172         return tsec->sid;
173 }
174
175 /*
176  * get the objective security ID of a task
177  */
178 static inline u32 task_sid(const struct task_struct *task)
179 {
180         u32 sid;
181
182         rcu_read_lock();
183         sid = cred_sid(__task_cred(task));
184         rcu_read_unlock();
185         return sid;
186 }
187
188 /*
189  * get the subjective security ID of the current task
190  */
191 static inline u32 current_sid(void)
192 {
193         const struct task_security_struct *tsec = current_security();
194
195         return tsec->sid;
196 }
197
198 /* Allocate and free functions for each kind of security blob. */
199
200 static int inode_alloc_security(struct inode *inode)
201 {
202         struct inode_security_struct *isec;
203         u32 sid = current_sid();
204
205         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
206         if (!isec)
207                 return -ENOMEM;
208
209         mutex_init(&isec->lock);
210         INIT_LIST_HEAD(&isec->list);
211         isec->inode = inode;
212         isec->sid = SECINITSID_UNLABELED;
213         isec->sclass = SECCLASS_FILE;
214         isec->task_sid = sid;
215         inode->i_security = isec;
216
217         return 0;
218 }
219
220 static void inode_free_security(struct inode *inode)
221 {
222         struct inode_security_struct *isec = inode->i_security;
223         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
224
225         spin_lock(&sbsec->isec_lock);
226         if (!list_empty(&isec->list))
227                 list_del_init(&isec->list);
228         spin_unlock(&sbsec->isec_lock);
229
230         inode->i_security = NULL;
231         kmem_cache_free(sel_inode_cache, isec);
232 }
233
234 static int file_alloc_security(struct file *file)
235 {
236         struct file_security_struct *fsec;
237         u32 sid = current_sid();
238
239         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
240         if (!fsec)
241                 return -ENOMEM;
242
243         fsec->sid = sid;
244         fsec->fown_sid = sid;
245         file->f_security = fsec;
246
247         return 0;
248 }
249
250 static void file_free_security(struct file *file)
251 {
252         struct file_security_struct *fsec = file->f_security;
253         file->f_security = NULL;
254         kfree(fsec);
255 }
256
257 static int superblock_alloc_security(struct super_block *sb)
258 {
259         struct superblock_security_struct *sbsec;
260
261         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
262         if (!sbsec)
263                 return -ENOMEM;
264
265         mutex_init(&sbsec->lock);
266         INIT_LIST_HEAD(&sbsec->isec_head);
267         spin_lock_init(&sbsec->isec_lock);
268         sbsec->sb = sb;
269         sbsec->sid = SECINITSID_UNLABELED;
270         sbsec->def_sid = SECINITSID_FILE;
271         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
272         sb->s_security = sbsec;
273
274         return 0;
275 }
276
277 static void superblock_free_security(struct super_block *sb)
278 {
279         struct superblock_security_struct *sbsec = sb->s_security;
280         sb->s_security = NULL;
281         kfree(sbsec);
282 }
283
284 /* The file system's label must be initialized prior to use. */
285
286 static const char *labeling_behaviors[6] = {
287         "uses xattr",
288         "uses transition SIDs",
289         "uses task SIDs",
290         "uses genfs_contexts",
291         "not configured for labeling",
292         "uses mountpoint labeling",
293 };
294
295 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
296
297 static inline int inode_doinit(struct inode *inode)
298 {
299         return inode_doinit_with_dentry(inode, NULL);
300 }
301
302 enum {
303         Opt_error = -1,
304         Opt_context = 1,
305         Opt_fscontext = 2,
306         Opt_defcontext = 3,
307         Opt_rootcontext = 4,
308         Opt_labelsupport = 5,
309 };
310
311 static const match_table_t tokens = {
312         {Opt_context, CONTEXT_STR "%s"},
313         {Opt_fscontext, FSCONTEXT_STR "%s"},
314         {Opt_defcontext, DEFCONTEXT_STR "%s"},
315         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
316         {Opt_labelsupport, LABELSUPP_STR},
317         {Opt_error, NULL},
318 };
319
320 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
321
322 static int may_context_mount_sb_relabel(u32 sid,
323                         struct superblock_security_struct *sbsec,
324                         const struct cred *cred)
325 {
326         const struct task_security_struct *tsec = cred->security;
327         int rc;
328
329         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
330                           FILESYSTEM__RELABELFROM, NULL);
331         if (rc)
332                 return rc;
333
334         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
335                           FILESYSTEM__RELABELTO, NULL);
336         return rc;
337 }
338
339 static int may_context_mount_inode_relabel(u32 sid,
340                         struct superblock_security_struct *sbsec,
341                         const struct cred *cred)
342 {
343         const struct task_security_struct *tsec = cred->security;
344         int rc;
345         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
346                           FILESYSTEM__RELABELFROM, NULL);
347         if (rc)
348                 return rc;
349
350         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
351                           FILESYSTEM__ASSOCIATE, NULL);
352         return rc;
353 }
354
355 static int sb_finish_set_opts(struct super_block *sb)
356 {
357         struct superblock_security_struct *sbsec = sb->s_security;
358         struct dentry *root = sb->s_root;
359         struct inode *root_inode = root->d_inode;
360         int rc = 0;
361
362         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
363                 /* Make sure that the xattr handler exists and that no
364                    error other than -ENODATA is returned by getxattr on
365                    the root directory.  -ENODATA is ok, as this may be
366                    the first boot of the SELinux kernel before we have
367                    assigned xattr values to the filesystem. */
368                 if (!root_inode->i_op->getxattr) {
369                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
370                                "xattr support\n", sb->s_id, sb->s_type->name);
371                         rc = -EOPNOTSUPP;
372                         goto out;
373                 }
374                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
375                 if (rc < 0 && rc != -ENODATA) {
376                         if (rc == -EOPNOTSUPP)
377                                 printk(KERN_WARNING "SELinux: (dev %s, type "
378                                        "%s) has no security xattr handler\n",
379                                        sb->s_id, sb->s_type->name);
380                         else
381                                 printk(KERN_WARNING "SELinux: (dev %s, type "
382                                        "%s) getxattr errno %d\n", sb->s_id,
383                                        sb->s_type->name, -rc);
384                         goto out;
385                 }
386         }
387
388         sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
389
390         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
391                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
392                        sb->s_id, sb->s_type->name);
393         else
394                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
395                        sb->s_id, sb->s_type->name,
396                        labeling_behaviors[sbsec->behavior-1]);
397
398         if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
399             sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
400             sbsec->behavior == SECURITY_FS_USE_NONE ||
401             sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
402                 sbsec->flags &= ~SE_SBLABELSUPP;
403
404         /* Special handling for sysfs. Is genfs but also has setxattr handler*/
405         if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
406                 sbsec->flags |= SE_SBLABELSUPP;
407
408         /* Initialize the root inode. */
409         rc = inode_doinit_with_dentry(root_inode, root);
410
411         /* Initialize any other inodes associated with the superblock, e.g.
412            inodes created prior to initial policy load or inodes created
413            during get_sb by a pseudo filesystem that directly
414            populates itself. */
415         spin_lock(&sbsec->isec_lock);
416 next_inode:
417         if (!list_empty(&sbsec->isec_head)) {
418                 struct inode_security_struct *isec =
419                                 list_entry(sbsec->isec_head.next,
420                                            struct inode_security_struct, list);
421                 struct inode *inode = isec->inode;
422                 spin_unlock(&sbsec->isec_lock);
423                 inode = igrab(inode);
424                 if (inode) {
425                         if (!IS_PRIVATE(inode))
426                                 inode_doinit(inode);
427                         iput(inode);
428                 }
429                 spin_lock(&sbsec->isec_lock);
430                 list_del_init(&isec->list);
431                 goto next_inode;
432         }
433         spin_unlock(&sbsec->isec_lock);
434 out:
435         return rc;
436 }
437
438 /*
439  * This function should allow an FS to ask what it's mount security
440  * options were so it can use those later for submounts, displaying
441  * mount options, or whatever.
442  */
443 static int selinux_get_mnt_opts(const struct super_block *sb,
444                                 struct security_mnt_opts *opts)
445 {
446         int rc = 0, i;
447         struct superblock_security_struct *sbsec = sb->s_security;
448         char *context = NULL;
449         u32 len;
450         char tmp;
451
452         security_init_mnt_opts(opts);
453
454         if (!(sbsec->flags & SE_SBINITIALIZED))
455                 return -EINVAL;
456
457         if (!ss_initialized)
458                 return -EINVAL;
459
460         tmp = sbsec->flags & SE_MNTMASK;
461         /* count the number of mount options for this sb */
462         for (i = 0; i < 8; i++) {
463                 if (tmp & 0x01)
464                         opts->num_mnt_opts++;
465                 tmp >>= 1;
466         }
467         /* Check if the Label support flag is set */
468         if (sbsec->flags & SE_SBLABELSUPP)
469                 opts->num_mnt_opts++;
470
471         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
472         if (!opts->mnt_opts) {
473                 rc = -ENOMEM;
474                 goto out_free;
475         }
476
477         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
478         if (!opts->mnt_opts_flags) {
479                 rc = -ENOMEM;
480                 goto out_free;
481         }
482
483         i = 0;
484         if (sbsec->flags & FSCONTEXT_MNT) {
485                 rc = security_sid_to_context(sbsec->sid, &context, &len);
486                 if (rc)
487                         goto out_free;
488                 opts->mnt_opts[i] = context;
489                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
490         }
491         if (sbsec->flags & CONTEXT_MNT) {
492                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
493                 if (rc)
494                         goto out_free;
495                 opts->mnt_opts[i] = context;
496                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
497         }
498         if (sbsec->flags & DEFCONTEXT_MNT) {
499                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
500                 if (rc)
501                         goto out_free;
502                 opts->mnt_opts[i] = context;
503                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
504         }
505         if (sbsec->flags & ROOTCONTEXT_MNT) {
506                 struct inode *root = sbsec->sb->s_root->d_inode;
507                 struct inode_security_struct *isec = root->i_security;
508
509                 rc = security_sid_to_context(isec->sid, &context, &len);
510                 if (rc)
511                         goto out_free;
512                 opts->mnt_opts[i] = context;
513                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
514         }
515         if (sbsec->flags & SE_SBLABELSUPP) {
516                 opts->mnt_opts[i] = NULL;
517                 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
518         }
519
520         BUG_ON(i != opts->num_mnt_opts);
521
522         return 0;
523
524 out_free:
525         security_free_mnt_opts(opts);
526         return rc;
527 }
528
529 static int bad_option(struct superblock_security_struct *sbsec, char flag,
530                       u32 old_sid, u32 new_sid)
531 {
532         char mnt_flags = sbsec->flags & SE_MNTMASK;
533
534         /* check if the old mount command had the same options */
535         if (sbsec->flags & SE_SBINITIALIZED)
536                 if (!(sbsec->flags & flag) ||
537                     (old_sid != new_sid))
538                         return 1;
539
540         /* check if we were passed the same options twice,
541          * aka someone passed context=a,context=b
542          */
543         if (!(sbsec->flags & SE_SBINITIALIZED))
544                 if (mnt_flags & flag)
545                         return 1;
546         return 0;
547 }
548
549 /*
550  * Allow filesystems with binary mount data to explicitly set mount point
551  * labeling information.
552  */
553 static int selinux_set_mnt_opts(struct super_block *sb,
554                                 struct security_mnt_opts *opts)
555 {
556         const struct cred *cred = current_cred();
557         int rc = 0, i;
558         struct superblock_security_struct *sbsec = sb->s_security;
559         const char *name = sb->s_type->name;
560         struct inode *inode = sbsec->sb->s_root->d_inode;
561         struct inode_security_struct *root_isec = inode->i_security;
562         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
563         u32 defcontext_sid = 0;
564         char **mount_options = opts->mnt_opts;
565         int *flags = opts->mnt_opts_flags;
566         int num_opts = opts->num_mnt_opts;
567
568         mutex_lock(&sbsec->lock);
569
570         if (!ss_initialized) {
571                 if (!num_opts) {
572                         /* Defer initialization until selinux_complete_init,
573                            after the initial policy is loaded and the security
574                            server is ready to handle calls. */
575                         goto out;
576                 }
577                 rc = -EINVAL;
578                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
579                         "before the security server is initialized\n");
580                 goto out;
581         }
582
583         /*
584          * Binary mount data FS will come through this function twice.  Once
585          * from an explicit call and once from the generic calls from the vfs.
586          * Since the generic VFS calls will not contain any security mount data
587          * we need to skip the double mount verification.
588          *
589          * This does open a hole in which we will not notice if the first
590          * mount using this sb set explict options and a second mount using
591          * this sb does not set any security options.  (The first options
592          * will be used for both mounts)
593          */
594         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
595             && (num_opts == 0))
596                 goto out;
597
598         /*
599          * parse the mount options, check if they are valid sids.
600          * also check if someone is trying to mount the same sb more
601          * than once with different security options.
602          */
603         for (i = 0; i < num_opts; i++) {
604                 u32 sid;
605
606                 if (flags[i] == SE_SBLABELSUPP)
607                         continue;
608                 rc = security_context_to_sid(mount_options[i],
609                                              strlen(mount_options[i]), &sid);
610                 if (rc) {
611                         printk(KERN_WARNING "SELinux: security_context_to_sid"
612                                "(%s) failed for (dev %s, type %s) errno=%d\n",
613                                mount_options[i], sb->s_id, name, rc);
614                         goto out;
615                 }
616                 switch (flags[i]) {
617                 case FSCONTEXT_MNT:
618                         fscontext_sid = sid;
619
620                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
621                                         fscontext_sid))
622                                 goto out_double_mount;
623
624                         sbsec->flags |= FSCONTEXT_MNT;
625                         break;
626                 case CONTEXT_MNT:
627                         context_sid = sid;
628
629                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
630                                         context_sid))
631                                 goto out_double_mount;
632
633                         sbsec->flags |= CONTEXT_MNT;
634                         break;
635                 case ROOTCONTEXT_MNT:
636                         rootcontext_sid = sid;
637
638                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
639                                         rootcontext_sid))
640                                 goto out_double_mount;
641
642                         sbsec->flags |= ROOTCONTEXT_MNT;
643
644                         break;
645                 case DEFCONTEXT_MNT:
646                         defcontext_sid = sid;
647
648                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
649                                         defcontext_sid))
650                                 goto out_double_mount;
651
652                         sbsec->flags |= DEFCONTEXT_MNT;
653
654                         break;
655                 default:
656                         rc = -EINVAL;
657                         goto out;
658                 }
659         }
660
661         if (sbsec->flags & SE_SBINITIALIZED) {
662                 /* previously mounted with options, but not on this attempt? */
663                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
664                         goto out_double_mount;
665                 rc = 0;
666                 goto out;
667         }
668
669         if (strcmp(sb->s_type->name, "proc") == 0)
670                 sbsec->flags |= SE_SBPROC;
671
672         /* Determine the labeling behavior to use for this filesystem type. */
673         rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
674         if (rc) {
675                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
676                        __func__, sb->s_type->name, rc);
677                 goto out;
678         }
679
680         /* sets the context of the superblock for the fs being mounted. */
681         if (fscontext_sid) {
682                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
683                 if (rc)
684                         goto out;
685
686                 sbsec->sid = fscontext_sid;
687         }
688
689         /*
690          * Switch to using mount point labeling behavior.
691          * sets the label used on all file below the mountpoint, and will set
692          * the superblock context if not already set.
693          */
694         if (context_sid) {
695                 if (!fscontext_sid) {
696                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
697                                                           cred);
698                         if (rc)
699                                 goto out;
700                         sbsec->sid = context_sid;
701                 } else {
702                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
703                                                              cred);
704                         if (rc)
705                                 goto out;
706                 }
707                 if (!rootcontext_sid)
708                         rootcontext_sid = context_sid;
709
710                 sbsec->mntpoint_sid = context_sid;
711                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
712         }
713
714         if (rootcontext_sid) {
715                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
716                                                      cred);
717                 if (rc)
718                         goto out;
719
720                 root_isec->sid = rootcontext_sid;
721                 root_isec->initialized = 1;
722         }
723
724         if (defcontext_sid) {
725                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
726                         rc = -EINVAL;
727                         printk(KERN_WARNING "SELinux: defcontext option is "
728                                "invalid for this filesystem type\n");
729                         goto out;
730                 }
731
732                 if (defcontext_sid != sbsec->def_sid) {
733                         rc = may_context_mount_inode_relabel(defcontext_sid,
734                                                              sbsec, cred);
735                         if (rc)
736                                 goto out;
737                 }
738
739                 sbsec->def_sid = defcontext_sid;
740         }
741
742         rc = sb_finish_set_opts(sb);
743 out:
744         mutex_unlock(&sbsec->lock);
745         return rc;
746 out_double_mount:
747         rc = -EINVAL;
748         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
749                "security settings for (dev %s, type %s)\n", sb->s_id, name);
750         goto out;
751 }
752
753 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
754                                         struct super_block *newsb)
755 {
756         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
757         struct superblock_security_struct *newsbsec = newsb->s_security;
758
759         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
760         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
761         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
762
763         /*
764          * if the parent was able to be mounted it clearly had no special lsm
765          * mount options.  thus we can safely deal with this superblock later
766          */
767         if (!ss_initialized)
768                 return;
769
770         /* how can we clone if the old one wasn't set up?? */
771         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
772
773         /* if fs is reusing a sb, just let its options stand... */
774         if (newsbsec->flags & SE_SBINITIALIZED)
775                 return;
776
777         mutex_lock(&newsbsec->lock);
778
779         newsbsec->flags = oldsbsec->flags;
780
781         newsbsec->sid = oldsbsec->sid;
782         newsbsec->def_sid = oldsbsec->def_sid;
783         newsbsec->behavior = oldsbsec->behavior;
784
785         if (set_context) {
786                 u32 sid = oldsbsec->mntpoint_sid;
787
788                 if (!set_fscontext)
789                         newsbsec->sid = sid;
790                 if (!set_rootcontext) {
791                         struct inode *newinode = newsb->s_root->d_inode;
792                         struct inode_security_struct *newisec = newinode->i_security;
793                         newisec->sid = sid;
794                 }
795                 newsbsec->mntpoint_sid = sid;
796         }
797         if (set_rootcontext) {
798                 const struct inode *oldinode = oldsb->s_root->d_inode;
799                 const struct inode_security_struct *oldisec = oldinode->i_security;
800                 struct inode *newinode = newsb->s_root->d_inode;
801                 struct inode_security_struct *newisec = newinode->i_security;
802
803                 newisec->sid = oldisec->sid;
804         }
805
806         sb_finish_set_opts(newsb);
807         mutex_unlock(&newsbsec->lock);
808 }
809
810 static int selinux_parse_opts_str(char *options,
811                                   struct security_mnt_opts *opts)
812 {
813         char *p;
814         char *context = NULL, *defcontext = NULL;
815         char *fscontext = NULL, *rootcontext = NULL;
816         int rc, num_mnt_opts = 0;
817
818         opts->num_mnt_opts = 0;
819
820         /* Standard string-based options. */
821         while ((p = strsep(&options, "|")) != NULL) {
822                 int token;
823                 substring_t args[MAX_OPT_ARGS];
824
825                 if (!*p)
826                         continue;
827
828                 token = match_token(p, tokens, args);
829
830                 switch (token) {
831                 case Opt_context:
832                         if (context || defcontext) {
833                                 rc = -EINVAL;
834                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
835                                 goto out_err;
836                         }
837                         context = match_strdup(&args[0]);
838                         if (!context) {
839                                 rc = -ENOMEM;
840                                 goto out_err;
841                         }
842                         break;
843
844                 case Opt_fscontext:
845                         if (fscontext) {
846                                 rc = -EINVAL;
847                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
848                                 goto out_err;
849                         }
850                         fscontext = match_strdup(&args[0]);
851                         if (!fscontext) {
852                                 rc = -ENOMEM;
853                                 goto out_err;
854                         }
855                         break;
856
857                 case Opt_rootcontext:
858                         if (rootcontext) {
859                                 rc = -EINVAL;
860                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
861                                 goto out_err;
862                         }
863                         rootcontext = match_strdup(&args[0]);
864                         if (!rootcontext) {
865                                 rc = -ENOMEM;
866                                 goto out_err;
867                         }
868                         break;
869
870                 case Opt_defcontext:
871                         if (context || defcontext) {
872                                 rc = -EINVAL;
873                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
874                                 goto out_err;
875                         }
876                         defcontext = match_strdup(&args[0]);
877                         if (!defcontext) {
878                                 rc = -ENOMEM;
879                                 goto out_err;
880                         }
881                         break;
882                 case Opt_labelsupport:
883                         break;
884                 default:
885                         rc = -EINVAL;
886                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
887                         goto out_err;
888
889                 }
890         }
891
892         rc = -ENOMEM;
893         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
894         if (!opts->mnt_opts)
895                 goto out_err;
896
897         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
898         if (!opts->mnt_opts_flags) {
899                 kfree(opts->mnt_opts);
900                 goto out_err;
901         }
902
903         if (fscontext) {
904                 opts->mnt_opts[num_mnt_opts] = fscontext;
905                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
906         }
907         if (context) {
908                 opts->mnt_opts[num_mnt_opts] = context;
909                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
910         }
911         if (rootcontext) {
912                 opts->mnt_opts[num_mnt_opts] = rootcontext;
913                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
914         }
915         if (defcontext) {
916                 opts->mnt_opts[num_mnt_opts] = defcontext;
917                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
918         }
919
920         opts->num_mnt_opts = num_mnt_opts;
921         return 0;
922
923 out_err:
924         kfree(context);
925         kfree(defcontext);
926         kfree(fscontext);
927         kfree(rootcontext);
928         return rc;
929 }
930 /*
931  * string mount options parsing and call set the sbsec
932  */
933 static int superblock_doinit(struct super_block *sb, void *data)
934 {
935         int rc = 0;
936         char *options = data;
937         struct security_mnt_opts opts;
938
939         security_init_mnt_opts(&opts);
940
941         if (!data)
942                 goto out;
943
944         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
945
946         rc = selinux_parse_opts_str(options, &opts);
947         if (rc)
948                 goto out_err;
949
950 out:
951         rc = selinux_set_mnt_opts(sb, &opts);
952
953 out_err:
954         security_free_mnt_opts(&opts);
955         return rc;
956 }
957
958 static void selinux_write_opts(struct seq_file *m,
959                                struct security_mnt_opts *opts)
960 {
961         int i;
962         char *prefix;
963
964         for (i = 0; i < opts->num_mnt_opts; i++) {
965                 char *has_comma;
966
967                 if (opts->mnt_opts[i])
968                         has_comma = strchr(opts->mnt_opts[i], ',');
969                 else
970                         has_comma = NULL;
971
972                 switch (opts->mnt_opts_flags[i]) {
973                 case CONTEXT_MNT:
974                         prefix = CONTEXT_STR;
975                         break;
976                 case FSCONTEXT_MNT:
977                         prefix = FSCONTEXT_STR;
978                         break;
979                 case ROOTCONTEXT_MNT:
980                         prefix = ROOTCONTEXT_STR;
981                         break;
982                 case DEFCONTEXT_MNT:
983                         prefix = DEFCONTEXT_STR;
984                         break;
985                 case SE_SBLABELSUPP:
986                         seq_putc(m, ',');
987                         seq_puts(m, LABELSUPP_STR);
988                         continue;
989                 default:
990                         BUG();
991                         return;
992                 };
993                 /* we need a comma before each option */
994                 seq_putc(m, ',');
995                 seq_puts(m, prefix);
996                 if (has_comma)
997                         seq_putc(m, '\"');
998                 seq_puts(m, opts->mnt_opts[i]);
999                 if (has_comma)
1000                         seq_putc(m, '\"');
1001         }
1002 }
1003
1004 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1005 {
1006         struct security_mnt_opts opts;
1007         int rc;
1008
1009         rc = selinux_get_mnt_opts(sb, &opts);
1010         if (rc) {
1011                 /* before policy load we may get EINVAL, don't show anything */
1012                 if (rc == -EINVAL)
1013                         rc = 0;
1014                 return rc;
1015         }
1016
1017         selinux_write_opts(m, &opts);
1018
1019         security_free_mnt_opts(&opts);
1020
1021         return rc;
1022 }
1023
1024 static inline u16 inode_mode_to_security_class(umode_t mode)
1025 {
1026         switch (mode & S_IFMT) {
1027         case S_IFSOCK:
1028                 return SECCLASS_SOCK_FILE;
1029         case S_IFLNK:
1030                 return SECCLASS_LNK_FILE;
1031         case S_IFREG:
1032                 return SECCLASS_FILE;
1033         case S_IFBLK:
1034                 return SECCLASS_BLK_FILE;
1035         case S_IFDIR:
1036                 return SECCLASS_DIR;
1037         case S_IFCHR:
1038                 return SECCLASS_CHR_FILE;
1039         case S_IFIFO:
1040                 return SECCLASS_FIFO_FILE;
1041
1042         }
1043
1044         return SECCLASS_FILE;
1045 }
1046
1047 static inline int default_protocol_stream(int protocol)
1048 {
1049         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1050 }
1051
1052 static inline int default_protocol_dgram(int protocol)
1053 {
1054         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1055 }
1056
1057 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1058 {
1059         switch (family) {
1060         case PF_UNIX:
1061                 switch (type) {
1062                 case SOCK_STREAM:
1063                 case SOCK_SEQPACKET:
1064                         return SECCLASS_UNIX_STREAM_SOCKET;
1065                 case SOCK_DGRAM:
1066                         return SECCLASS_UNIX_DGRAM_SOCKET;
1067                 }
1068                 break;
1069         case PF_INET:
1070         case PF_INET6:
1071                 switch (type) {
1072                 case SOCK_STREAM:
1073                         if (default_protocol_stream(protocol))
1074                                 return SECCLASS_TCP_SOCKET;
1075                         else
1076                                 return SECCLASS_RAWIP_SOCKET;
1077                 case SOCK_DGRAM:
1078                         if (default_protocol_dgram(protocol))
1079                                 return SECCLASS_UDP_SOCKET;
1080                         else
1081                                 return SECCLASS_RAWIP_SOCKET;
1082                 case SOCK_DCCP:
1083                         return SECCLASS_DCCP_SOCKET;
1084                 default:
1085                         return SECCLASS_RAWIP_SOCKET;
1086                 }
1087                 break;
1088         case PF_NETLINK:
1089                 switch (protocol) {
1090                 case NETLINK_ROUTE:
1091                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1092                 case NETLINK_FIREWALL:
1093                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1094                 case NETLINK_SOCK_DIAG:
1095                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1096                 case NETLINK_NFLOG:
1097                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1098                 case NETLINK_XFRM:
1099                         return SECCLASS_NETLINK_XFRM_SOCKET;
1100                 case NETLINK_SELINUX:
1101                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1102                 case NETLINK_AUDIT:
1103                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1104                 case NETLINK_IP6_FW:
1105                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1106                 case NETLINK_DNRTMSG:
1107                         return SECCLASS_NETLINK_DNRT_SOCKET;
1108                 case NETLINK_KOBJECT_UEVENT:
1109                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1110                 default:
1111                         return SECCLASS_NETLINK_SOCKET;
1112                 }
1113         case PF_PACKET:
1114                 return SECCLASS_PACKET_SOCKET;
1115         case PF_KEY:
1116                 return SECCLASS_KEY_SOCKET;
1117         case PF_APPLETALK:
1118                 return SECCLASS_APPLETALK_SOCKET;
1119         }
1120
1121         return SECCLASS_SOCKET;
1122 }
1123
1124 #ifdef CONFIG_PROC_FS
1125 static int selinux_proc_get_sid(struct dentry *dentry,
1126                                 u16 tclass,
1127                                 u32 *sid)
1128 {
1129         int rc;
1130         char *buffer, *path;
1131
1132         buffer = (char *)__get_free_page(GFP_KERNEL);
1133         if (!buffer)
1134                 return -ENOMEM;
1135
1136         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1137         if (IS_ERR(path))
1138                 rc = PTR_ERR(path);
1139         else {
1140                 /* each process gets a /proc/PID/ entry. Strip off the
1141                  * PID part to get a valid selinux labeling.
1142                  * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1143                 while (path[1] >= '0' && path[1] <= '9') {
1144                         path[1] = '/';
1145                         path++;
1146                 }
1147                 rc = security_genfs_sid("proc", path, tclass, sid);
1148         }
1149         free_page((unsigned long)buffer);
1150         return rc;
1151 }
1152 #else
1153 static int selinux_proc_get_sid(struct dentry *dentry,
1154                                 u16 tclass,
1155                                 u32 *sid)
1156 {
1157         return -EINVAL;
1158 }
1159 #endif
1160
1161 /* The inode's security attributes must be initialized before first use. */
1162 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1163 {
1164         struct superblock_security_struct *sbsec = NULL;
1165         struct inode_security_struct *isec = inode->i_security;
1166         u32 sid;
1167         struct dentry *dentry;
1168 #define INITCONTEXTLEN 255
1169         char *context = NULL;
1170         unsigned len = 0;
1171         int rc = 0;
1172
1173         if (isec->initialized)
1174                 goto out;
1175
1176         mutex_lock(&isec->lock);
1177         if (isec->initialized)
1178                 goto out_unlock;
1179
1180         sbsec = inode->i_sb->s_security;
1181         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1182                 /* Defer initialization until selinux_complete_init,
1183                    after the initial policy is loaded and the security
1184                    server is ready to handle calls. */
1185                 spin_lock(&sbsec->isec_lock);
1186                 if (list_empty(&isec->list))
1187                         list_add(&isec->list, &sbsec->isec_head);
1188                 spin_unlock(&sbsec->isec_lock);
1189                 goto out_unlock;
1190         }
1191
1192         switch (sbsec->behavior) {
1193         case SECURITY_FS_USE_XATTR:
1194                 if (!inode->i_op->getxattr) {
1195                         isec->sid = sbsec->def_sid;
1196                         break;
1197                 }
1198
1199                 /* Need a dentry, since the xattr API requires one.
1200                    Life would be simpler if we could just pass the inode. */
1201                 if (opt_dentry) {
1202                         /* Called from d_instantiate or d_splice_alias. */
1203                         dentry = dget(opt_dentry);
1204                 } else {
1205                         /* Called from selinux_complete_init, try to find a dentry. */
1206                         dentry = d_find_alias(inode);
1207                 }
1208                 if (!dentry) {
1209                         /*
1210                          * this is can be hit on boot when a file is accessed
1211                          * before the policy is loaded.  When we load policy we
1212                          * may find inodes that have no dentry on the
1213                          * sbsec->isec_head list.  No reason to complain as these
1214                          * will get fixed up the next time we go through
1215                          * inode_doinit with a dentry, before these inodes could
1216                          * be used again by userspace.
1217                          */
1218                         goto out_unlock;
1219                 }
1220
1221                 len = INITCONTEXTLEN;
1222                 context = kmalloc(len+1, GFP_NOFS);
1223                 if (!context) {
1224                         rc = -ENOMEM;
1225                         dput(dentry);
1226                         goto out_unlock;
1227                 }
1228                 context[len] = '\0';
1229                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1230                                            context, len);
1231                 if (rc == -ERANGE) {
1232                         kfree(context);
1233
1234                         /* Need a larger buffer.  Query for the right size. */
1235                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1236                                                    NULL, 0);
1237                         if (rc < 0) {
1238                                 dput(dentry);
1239                                 goto out_unlock;
1240                         }
1241                         len = rc;
1242                         context = kmalloc(len+1, GFP_NOFS);
1243                         if (!context) {
1244                                 rc = -ENOMEM;
1245                                 dput(dentry);
1246                                 goto out_unlock;
1247                         }
1248                         context[len] = '\0';
1249                         rc = inode->i_op->getxattr(dentry,
1250                                                    XATTR_NAME_SELINUX,
1251                                                    context, len);
1252                 }
1253                 dput(dentry);
1254                 if (rc < 0) {
1255                         if (rc != -ENODATA) {
1256                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1257                                        "%d for dev=%s ino=%ld\n", __func__,
1258                                        -rc, inode->i_sb->s_id, inode->i_ino);
1259                                 kfree(context);
1260                                 goto out_unlock;
1261                         }
1262                         /* Map ENODATA to the default file SID */
1263                         sid = sbsec->def_sid;
1264                         rc = 0;
1265                 } else {
1266                         rc = security_context_to_sid_default(context, rc, &sid,
1267                                                              sbsec->def_sid,
1268                                                              GFP_NOFS);
1269                         if (rc) {
1270                                 char *dev = inode->i_sb->s_id;
1271                                 unsigned long ino = inode->i_ino;
1272
1273                                 if (rc == -EINVAL) {
1274                                         if (printk_ratelimit())
1275                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1276                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1277                                                         "filesystem in question.\n", ino, dev, context);
1278                                 } else {
1279                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1280                                                "returned %d for dev=%s ino=%ld\n",
1281                                                __func__, context, -rc, dev, ino);
1282                                 }
1283                                 kfree(context);
1284                                 /* Leave with the unlabeled SID */
1285                                 rc = 0;
1286                                 break;
1287                         }
1288                 }
1289                 kfree(context);
1290                 isec->sid = sid;
1291                 break;
1292         case SECURITY_FS_USE_TASK:
1293                 isec->sid = isec->task_sid;
1294                 break;
1295         case SECURITY_FS_USE_TRANS:
1296                 /* Default to the fs SID. */
1297                 isec->sid = sbsec->sid;
1298
1299                 /* Try to obtain a transition SID. */
1300                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1301                 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1302                                              isec->sclass, NULL, &sid);
1303                 if (rc)
1304                         goto out_unlock;
1305                 isec->sid = sid;
1306                 break;
1307         case SECURITY_FS_USE_MNTPOINT:
1308                 isec->sid = sbsec->mntpoint_sid;
1309                 break;
1310         default:
1311                 /* Default to the fs superblock SID. */
1312                 isec->sid = sbsec->sid;
1313
1314                 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1315                         if (opt_dentry) {
1316                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1317                                 rc = selinux_proc_get_sid(opt_dentry,
1318                                                           isec->sclass,
1319                                                           &sid);
1320                                 if (rc)
1321                                         goto out_unlock;
1322                                 isec->sid = sid;
1323                         }
1324                 }
1325                 break;
1326         }
1327
1328         isec->initialized = 1;
1329
1330 out_unlock:
1331         mutex_unlock(&isec->lock);
1332 out:
1333         if (isec->sclass == SECCLASS_FILE)
1334                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1335         return rc;
1336 }
1337
1338 /* Convert a Linux signal to an access vector. */
1339 static inline u32 signal_to_av(int sig)
1340 {
1341         u32 perm = 0;
1342
1343         switch (sig) {
1344         case SIGCHLD:
1345                 /* Commonly granted from child to parent. */
1346                 perm = PROCESS__SIGCHLD;
1347                 break;
1348         case SIGKILL:
1349                 /* Cannot be caught or ignored */
1350                 perm = PROCESS__SIGKILL;
1351                 break;
1352         case SIGSTOP:
1353                 /* Cannot be caught or ignored */
1354                 perm = PROCESS__SIGSTOP;
1355                 break;
1356         default:
1357                 /* All other signals. */
1358                 perm = PROCESS__SIGNAL;
1359                 break;
1360         }
1361
1362         return perm;
1363 }
1364
1365 /*
1366  * Check permission between a pair of credentials
1367  * fork check, ptrace check, etc.
1368  */
1369 static int cred_has_perm(const struct cred *actor,
1370                          const struct cred *target,
1371                          u32 perms)
1372 {
1373         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1374
1375         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1376 }
1377
1378 /*
1379  * Check permission between a pair of tasks, e.g. signal checks,
1380  * fork check, ptrace check, etc.
1381  * tsk1 is the actor and tsk2 is the target
1382  * - this uses the default subjective creds of tsk1
1383  */
1384 static int task_has_perm(const struct task_struct *tsk1,
1385                          const struct task_struct *tsk2,
1386                          u32 perms)
1387 {
1388         const struct task_security_struct *__tsec1, *__tsec2;
1389         u32 sid1, sid2;
1390
1391         rcu_read_lock();
1392         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1393         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1394         rcu_read_unlock();
1395         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1396 }
1397
1398 /*
1399  * Check permission between current and another task, e.g. signal checks,
1400  * fork check, ptrace check, etc.
1401  * current is the actor and tsk2 is the target
1402  * - this uses current's subjective creds
1403  */
1404 static int current_has_perm(const struct task_struct *tsk,
1405                             u32 perms)
1406 {
1407         u32 sid, tsid;
1408
1409         sid = current_sid();
1410         tsid = task_sid(tsk);
1411         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1412 }
1413
1414 #if CAP_LAST_CAP > 63
1415 #error Fix SELinux to handle capabilities > 63.
1416 #endif
1417
1418 /* Check whether a task is allowed to use a capability. */
1419 static int cred_has_capability(const struct cred *cred,
1420                                int cap, int audit)
1421 {
1422         struct common_audit_data ad;
1423         struct av_decision avd;
1424         u16 sclass;
1425         u32 sid = cred_sid(cred);
1426         u32 av = CAP_TO_MASK(cap);
1427         int rc;
1428
1429         COMMON_AUDIT_DATA_INIT(&ad, CAP);
1430         ad.tsk = current;
1431         ad.u.cap = cap;
1432
1433         switch (CAP_TO_INDEX(cap)) {
1434         case 0:
1435                 sclass = SECCLASS_CAPABILITY;
1436                 break;
1437         case 1:
1438                 sclass = SECCLASS_CAPABILITY2;
1439                 break;
1440         default:
1441                 printk(KERN_ERR
1442                        "SELinux:  out of range capability %d\n", cap);
1443                 BUG();
1444                 return -EINVAL;
1445         }
1446
1447         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1448         if (audit == SECURITY_CAP_AUDIT) {
1449                 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1450                 if (rc2)
1451                         return rc2;
1452         }
1453         return rc;
1454 }
1455
1456 /* Check whether a task is allowed to use a system operation. */
1457 static int task_has_system(struct task_struct *tsk,
1458                            u32 perms)
1459 {
1460         u32 sid = task_sid(tsk);
1461
1462         return avc_has_perm(sid, SECINITSID_KERNEL,
1463                             SECCLASS_SYSTEM, perms, NULL);
1464 }
1465
1466 /* Check whether a task has a particular permission to an inode.
1467    The 'adp' parameter is optional and allows other audit
1468    data to be passed (e.g. the dentry). */
1469 static int inode_has_perm(const struct cred *cred,
1470                           struct inode *inode,
1471                           u32 perms,
1472                           struct common_audit_data *adp,
1473                           unsigned flags)
1474 {
1475         struct inode_security_struct *isec;
1476         u32 sid;
1477
1478         validate_creds(cred);
1479
1480         if (unlikely(IS_PRIVATE(inode)))
1481                 return 0;
1482
1483         sid = cred_sid(cred);
1484         isec = inode->i_security;
1485
1486         return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1487 }
1488
1489 static int inode_has_perm_noadp(const struct cred *cred,
1490                                 struct inode *inode,
1491                                 u32 perms,
1492                                 unsigned flags)
1493 {
1494         struct common_audit_data ad;
1495
1496         COMMON_AUDIT_DATA_INIT(&ad, INODE);
1497         ad.u.inode = inode;
1498         return inode_has_perm(cred, inode, perms, &ad, flags);
1499 }
1500
1501 /* Same as inode_has_perm, but pass explicit audit data containing
1502    the dentry to help the auditing code to more easily generate the
1503    pathname if needed. */
1504 static inline int dentry_has_perm(const struct cred *cred,
1505                                   struct dentry *dentry,
1506                                   u32 av)
1507 {
1508         struct inode *inode = dentry->d_inode;
1509         struct common_audit_data ad;
1510
1511         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1512         ad.u.dentry = dentry;
1513         return inode_has_perm(cred, inode, av, &ad, 0);
1514 }
1515
1516 /* Same as inode_has_perm, but pass explicit audit data containing
1517    the path to help the auditing code to more easily generate the
1518    pathname if needed. */
1519 static inline int path_has_perm(const struct cred *cred,
1520                                 struct path *path,
1521                                 u32 av)
1522 {
1523         struct inode *inode = path->dentry->d_inode;
1524         struct common_audit_data ad;
1525
1526         COMMON_AUDIT_DATA_INIT(&ad, PATH);
1527         ad.u.path = *path;
1528         return inode_has_perm(cred, inode, av, &ad, 0);
1529 }
1530
1531 /* Check whether a task can use an open file descriptor to
1532    access an inode in a given way.  Check access to the
1533    descriptor itself, and then use dentry_has_perm to
1534    check a particular permission to the file.
1535    Access to the descriptor is implicitly granted if it
1536    has the same SID as the process.  If av is zero, then
1537    access to the file is not checked, e.g. for cases
1538    where only the descriptor is affected like seek. */
1539 static int file_has_perm(const struct cred *cred,
1540                          struct file *file,
1541                          u32 av)
1542 {
1543         struct file_security_struct *fsec = file->f_security;
1544         struct inode *inode = file->f_path.dentry->d_inode;
1545         struct common_audit_data ad;
1546         u32 sid = cred_sid(cred);
1547         int rc;
1548
1549         COMMON_AUDIT_DATA_INIT(&ad, PATH);
1550         ad.u.path = file->f_path;
1551
1552         if (sid != fsec->sid) {
1553                 rc = avc_has_perm(sid, fsec->sid,
1554                                   SECCLASS_FD,
1555                                   FD__USE,
1556                                   &ad);
1557                 if (rc)
1558                         goto out;
1559         }
1560
1561         /* av is zero if only checking access to the descriptor. */
1562         rc = 0;
1563         if (av)
1564                 rc = inode_has_perm(cred, inode, av, &ad, 0);
1565
1566 out:
1567         return rc;
1568 }
1569
1570 /* Check whether a task can create a file. */
1571 static int may_create(struct inode *dir,
1572                       struct dentry *dentry,
1573                       u16 tclass)
1574 {
1575         const struct task_security_struct *tsec = current_security();
1576         struct inode_security_struct *dsec;
1577         struct superblock_security_struct *sbsec;
1578         u32 sid, newsid;
1579         struct common_audit_data ad;
1580         int rc;
1581
1582         dsec = dir->i_security;
1583         sbsec = dir->i_sb->s_security;
1584
1585         sid = tsec->sid;
1586         newsid = tsec->create_sid;
1587
1588         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1589         ad.u.dentry = dentry;
1590
1591         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1592                           DIR__ADD_NAME | DIR__SEARCH,
1593                           &ad);
1594         if (rc)
1595                 return rc;
1596
1597         if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1598                 rc = security_transition_sid(sid, dsec->sid, tclass,
1599                                              &dentry->d_name, &newsid);
1600                 if (rc)
1601                         return rc;
1602         }
1603
1604         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1605         if (rc)
1606                 return rc;
1607
1608         return avc_has_perm(newsid, sbsec->sid,
1609                             SECCLASS_FILESYSTEM,
1610                             FILESYSTEM__ASSOCIATE, &ad);
1611 }
1612
1613 /* Check whether a task can create a key. */
1614 static int may_create_key(u32 ksid,
1615                           struct task_struct *ctx)
1616 {
1617         u32 sid = task_sid(ctx);
1618
1619         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1620 }
1621
1622 #define MAY_LINK        0
1623 #define MAY_UNLINK      1
1624 #define MAY_RMDIR       2
1625
1626 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1627 static int may_link(struct inode *dir,
1628                     struct dentry *dentry,
1629                     int kind)
1630
1631 {
1632         struct inode_security_struct *dsec, *isec;
1633         struct common_audit_data ad;
1634         u32 sid = current_sid();
1635         u32 av;
1636         int rc;
1637
1638         dsec = dir->i_security;
1639         isec = dentry->d_inode->i_security;
1640
1641         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1642         ad.u.dentry = dentry;
1643
1644         av = DIR__SEARCH;
1645         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1646         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1647         if (rc)
1648                 return rc;
1649
1650         switch (kind) {
1651         case MAY_LINK:
1652                 av = FILE__LINK;
1653                 break;
1654         case MAY_UNLINK:
1655                 av = FILE__UNLINK;
1656                 break;
1657         case MAY_RMDIR:
1658                 av = DIR__RMDIR;
1659                 break;
1660         default:
1661                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1662                         __func__, kind);
1663                 return 0;
1664         }
1665
1666         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1667         return rc;
1668 }
1669
1670 static inline int may_rename(struct inode *old_dir,
1671                              struct dentry *old_dentry,
1672                              struct inode *new_dir,
1673                              struct dentry *new_dentry)
1674 {
1675         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1676         struct common_audit_data ad;
1677         u32 sid = current_sid();
1678         u32 av;
1679         int old_is_dir, new_is_dir;
1680         int rc;
1681
1682         old_dsec = old_dir->i_security;
1683         old_isec = old_dentry->d_inode->i_security;
1684         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1685         new_dsec = new_dir->i_security;
1686
1687         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1688
1689         ad.u.dentry = old_dentry;
1690         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1691                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1692         if (rc)
1693                 return rc;
1694         rc = avc_has_perm(sid, old_isec->sid,
1695                           old_isec->sclass, FILE__RENAME, &ad);
1696         if (rc)
1697                 return rc;
1698         if (old_is_dir && new_dir != old_dir) {
1699                 rc = avc_has_perm(sid, old_isec->sid,
1700                                   old_isec->sclass, DIR__REPARENT, &ad);
1701                 if (rc)
1702                         return rc;
1703         }
1704
1705         ad.u.dentry = new_dentry;
1706         av = DIR__ADD_NAME | DIR__SEARCH;
1707         if (new_dentry->d_inode)
1708                 av |= DIR__REMOVE_NAME;
1709         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1710         if (rc)
1711                 return rc;
1712         if (new_dentry->d_inode) {
1713                 new_isec = new_dentry->d_inode->i_security;
1714                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1715                 rc = avc_has_perm(sid, new_isec->sid,
1716                                   new_isec->sclass,
1717                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1718                 if (rc)
1719                         return rc;
1720         }
1721
1722         return 0;
1723 }
1724
1725 /* Check whether a task can perform a filesystem operation. */
1726 static int superblock_has_perm(const struct cred *cred,
1727                                struct super_block *sb,
1728                                u32 perms,
1729                                struct common_audit_data *ad)
1730 {
1731         struct superblock_security_struct *sbsec;
1732         u32 sid = cred_sid(cred);
1733
1734         sbsec = sb->s_security;
1735         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1736 }
1737
1738 /* Convert a Linux mode and permission mask to an access vector. */
1739 static inline u32 file_mask_to_av(int mode, int mask)
1740 {
1741         u32 av = 0;
1742
1743         if (!S_ISDIR(mode)) {
1744                 if (mask & MAY_EXEC)
1745                         av |= FILE__EXECUTE;
1746                 if (mask & MAY_READ)
1747                         av |= FILE__READ;
1748
1749                 if (mask & MAY_APPEND)
1750                         av |= FILE__APPEND;
1751                 else if (mask & MAY_WRITE)
1752                         av |= FILE__WRITE;
1753
1754         } else {
1755                 if (mask & MAY_EXEC)
1756                         av |= DIR__SEARCH;
1757                 if (mask & MAY_WRITE)
1758                         av |= DIR__WRITE;
1759                 if (mask & MAY_READ)
1760                         av |= DIR__READ;
1761         }
1762
1763         return av;
1764 }
1765
1766 /* Convert a Linux file to an access vector. */
1767 static inline u32 file_to_av(struct file *file)
1768 {
1769         u32 av = 0;
1770
1771         if (file->f_mode & FMODE_READ)
1772                 av |= FILE__READ;
1773         if (file->f_mode & FMODE_WRITE) {
1774                 if (file->f_flags & O_APPEND)
1775                         av |= FILE__APPEND;
1776                 else
1777                         av |= FILE__WRITE;
1778         }
1779         if (!av) {
1780                 /*
1781                  * Special file opened with flags 3 for ioctl-only use.
1782                  */
1783                 av = FILE__IOCTL;
1784         }
1785
1786         return av;
1787 }
1788
1789 /*
1790  * Convert a file to an access vector and include the correct open
1791  * open permission.
1792  */
1793 static inline u32 open_file_to_av(struct file *file)
1794 {
1795         u32 av = file_to_av(file);
1796
1797         if (selinux_policycap_openperm)
1798                 av |= FILE__OPEN;
1799
1800         return av;
1801 }
1802
1803 /* Hook functions begin here. */
1804
1805 static int selinux_ptrace_access_check(struct task_struct *child,
1806                                      unsigned int mode)
1807 {
1808         int rc;
1809
1810         rc = cap_ptrace_access_check(child, mode);
1811         if (rc)
1812                 return rc;
1813
1814         if (mode & PTRACE_MODE_READ) {
1815                 u32 sid = current_sid();
1816                 u32 csid = task_sid(child);
1817                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1818         }
1819
1820         return current_has_perm(child, PROCESS__PTRACE);
1821 }
1822
1823 static int selinux_ptrace_traceme(struct task_struct *parent)
1824 {
1825         int rc;
1826
1827         rc = cap_ptrace_traceme(parent);
1828         if (rc)
1829                 return rc;
1830
1831         return task_has_perm(parent, current, PROCESS__PTRACE);
1832 }
1833
1834 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1835                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1836 {
1837         int error;
1838
1839         error = current_has_perm(target, PROCESS__GETCAP);
1840         if (error)
1841                 return error;
1842
1843         return cap_capget(target, effective, inheritable, permitted);
1844 }
1845
1846 static int selinux_capset(struct cred *new, const struct cred *old,
1847                           const kernel_cap_t *effective,
1848                           const kernel_cap_t *inheritable,
1849                           const kernel_cap_t *permitted)
1850 {
1851         int error;
1852
1853         error = cap_capset(new, old,
1854                                       effective, inheritable, permitted);
1855         if (error)
1856                 return error;
1857
1858         return cred_has_perm(old, new, PROCESS__SETCAP);
1859 }
1860
1861 /*
1862  * (This comment used to live with the selinux_task_setuid hook,
1863  * which was removed).
1864  *
1865  * Since setuid only affects the current process, and since the SELinux
1866  * controls are not based on the Linux identity attributes, SELinux does not
1867  * need to control this operation.  However, SELinux does control the use of
1868  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1869  */
1870
1871 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1872                            int cap, int audit)
1873 {
1874         int rc;
1875
1876         rc = cap_capable(cred, ns, cap, audit);
1877         if (rc)
1878                 return rc;
1879
1880         return cred_has_capability(cred, cap, audit);
1881 }
1882
1883 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1884 {
1885         const struct cred *cred = current_cred();
1886         int rc = 0;
1887
1888         if (!sb)
1889                 return 0;
1890
1891         switch (cmds) {
1892         case Q_SYNC:
1893         case Q_QUOTAON:
1894         case Q_QUOTAOFF:
1895         case Q_SETINFO:
1896         case Q_SETQUOTA:
1897                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1898                 break;
1899         case Q_GETFMT:
1900         case Q_GETINFO:
1901         case Q_GETQUOTA:
1902                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1903                 break;
1904         default:
1905                 rc = 0;  /* let the kernel handle invalid cmds */
1906                 break;
1907         }
1908         return rc;
1909 }
1910
1911 static int selinux_quota_on(struct dentry *dentry)
1912 {
1913         const struct cred *cred = current_cred();
1914
1915         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1916 }
1917
1918 static int selinux_syslog(int type)
1919 {
1920         int rc;
1921
1922         switch (type) {
1923         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
1924         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1925                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1926                 break;
1927         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1928         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
1929         /* Set level of messages printed to console */
1930         case SYSLOG_ACTION_CONSOLE_LEVEL:
1931                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1932                 break;
1933         case SYSLOG_ACTION_CLOSE:       /* Close log */
1934         case SYSLOG_ACTION_OPEN:        /* Open log */
1935         case SYSLOG_ACTION_READ:        /* Read from log */
1936         case SYSLOG_ACTION_READ_CLEAR:  /* Read/clear last kernel messages */
1937         case SYSLOG_ACTION_CLEAR:       /* Clear ring buffer */
1938         default:
1939                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1940                 break;
1941         }
1942         return rc;
1943 }
1944
1945 /*
1946  * Check that a process has enough memory to allocate a new virtual
1947  * mapping. 0 means there is enough memory for the allocation to
1948  * succeed and -ENOMEM implies there is not.
1949  *
1950  * Do not audit the selinux permission check, as this is applied to all
1951  * processes that allocate mappings.
1952  */
1953 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1954 {
1955         int rc, cap_sys_admin = 0;
1956
1957         rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
1958                              SECURITY_CAP_NOAUDIT);
1959         if (rc == 0)
1960                 cap_sys_admin = 1;
1961
1962         return __vm_enough_memory(mm, pages, cap_sys_admin);
1963 }
1964
1965 /* binprm security operations */
1966
1967 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1968 {
1969         const struct task_security_struct *old_tsec;
1970         struct task_security_struct *new_tsec;
1971         struct inode_security_struct *isec;
1972         struct common_audit_data ad;
1973         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1974         int rc;
1975
1976         rc = cap_bprm_set_creds(bprm);
1977         if (rc)
1978                 return rc;
1979
1980         /* SELinux context only depends on initial program or script and not
1981          * the script interpreter */
1982         if (bprm->cred_prepared)
1983                 return 0;
1984
1985         old_tsec = current_security();
1986         new_tsec = bprm->cred->security;
1987         isec = inode->i_security;
1988
1989         /* Default to the current task SID. */
1990         new_tsec->sid = old_tsec->sid;
1991         new_tsec->osid = old_tsec->sid;
1992
1993         /* Reset fs, key, and sock SIDs on execve. */
1994         new_tsec->create_sid = 0;
1995         new_tsec->keycreate_sid = 0;
1996         new_tsec->sockcreate_sid = 0;
1997
1998         if (old_tsec->exec_sid) {
1999                 new_tsec->sid = old_tsec->exec_sid;
2000                 /* Reset exec SID on execve. */
2001                 new_tsec->exec_sid = 0;
2002         } else {
2003                 /* Check for a default transition on this program. */
2004                 rc = security_transition_sid(old_tsec->sid, isec->sid,
2005                                              SECCLASS_PROCESS, NULL,
2006                                              &new_tsec->sid);
2007                 if (rc)
2008                         return rc;
2009         }
2010
2011         COMMON_AUDIT_DATA_INIT(&ad, PATH);
2012         ad.u.path = bprm->file->f_path;
2013
2014         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2015                 new_tsec->sid = old_tsec->sid;
2016
2017         if (new_tsec->sid == old_tsec->sid) {
2018                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2019                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2020                 if (rc)
2021                         return rc;
2022         } else {
2023                 /* Check permissions for the transition. */
2024                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2025                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2026                 if (rc)
2027                         return rc;
2028
2029                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2030                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2031                 if (rc)
2032                         return rc;
2033
2034                 /* Check for shared state */
2035                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2036                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2037                                           SECCLASS_PROCESS, PROCESS__SHARE,
2038                                           NULL);
2039                         if (rc)
2040                                 return -EPERM;
2041                 }
2042
2043                 /* Make sure that anyone attempting to ptrace over a task that
2044                  * changes its SID has the appropriate permit */
2045                 if (bprm->unsafe &
2046                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2047                         struct task_struct *tracer;
2048                         struct task_security_struct *sec;
2049                         u32 ptsid = 0;
2050
2051                         rcu_read_lock();
2052                         tracer = ptrace_parent(current);
2053                         if (likely(tracer != NULL)) {
2054                                 sec = __task_cred(tracer)->security;
2055                                 ptsid = sec->sid;
2056                         }
2057                         rcu_read_unlock();
2058
2059                         if (ptsid != 0) {
2060                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2061                                                   SECCLASS_PROCESS,
2062                                                   PROCESS__PTRACE, NULL);
2063                                 if (rc)
2064                                         return -EPERM;
2065                         }
2066                 }
2067
2068                 /* Clear any possibly unsafe personality bits on exec: */
2069                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2070         }
2071
2072         return 0;
2073 }
2074
2075 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2076 {
2077         const struct task_security_struct *tsec = current_security();
2078         u32 sid, osid;
2079         int atsecure = 0;
2080
2081         sid = tsec->sid;
2082         osid = tsec->osid;
2083
2084         if (osid != sid) {
2085                 /* Enable secure mode for SIDs transitions unless
2086                    the noatsecure permission is granted between
2087                    the two SIDs, i.e. ahp returns 0. */
2088                 atsecure = avc_has_perm(osid, sid,
2089                                         SECCLASS_PROCESS,
2090                                         PROCESS__NOATSECURE, NULL);
2091         }
2092
2093         return (atsecure || cap_bprm_secureexec(bprm));
2094 }
2095
2096 /* Derived from fs/exec.c:flush_old_files. */
2097 static inline void flush_unauthorized_files(const struct cred *cred,
2098                                             struct files_struct *files)
2099 {
2100         struct common_audit_data ad;
2101         struct file *file, *devnull = NULL;
2102         struct tty_struct *tty;
2103         struct fdtable *fdt;
2104         long j = -1;
2105         int drop_tty = 0;
2106
2107         tty = get_current_tty();
2108         if (tty) {
2109                 spin_lock(&tty_files_lock);
2110                 if (!list_empty(&tty->tty_files)) {
2111                         struct tty_file_private *file_priv;
2112                         struct inode *inode;
2113
2114                         /* Revalidate access to controlling tty.
2115                            Use inode_has_perm on the tty inode directly rather
2116                            than using file_has_perm, as this particular open
2117                            file may belong to another process and we are only
2118                            interested in the inode-based check here. */
2119                         file_priv = list_first_entry(&tty->tty_files,
2120                                                 struct tty_file_private, list);
2121                         file = file_priv->file;
2122                         inode = file->f_path.dentry->d_inode;
2123                         if (inode_has_perm_noadp(cred, inode,
2124                                            FILE__READ | FILE__WRITE, 0)) {
2125                                 drop_tty = 1;
2126                         }
2127                 }
2128                 spin_unlock(&tty_files_lock);
2129                 tty_kref_put(tty);
2130         }
2131         /* Reset controlling tty. */
2132         if (drop_tty)
2133                 no_tty();
2134
2135         /* Revalidate access to inherited open files. */
2136
2137         COMMON_AUDIT_DATA_INIT(&ad, INODE);
2138
2139         spin_lock(&files->file_lock);
2140         for (;;) {
2141                 unsigned long set, i;
2142                 int fd;
2143
2144                 j++;
2145                 i = j * __NFDBITS;
2146                 fdt = files_fdtable(files);
2147                 if (i >= fdt->max_fds)
2148                         break;
2149                 set = fdt->open_fds[j];
2150                 if (!set)
2151                         continue;
2152                 spin_unlock(&files->file_lock);
2153                 for ( ; set ; i++, set >>= 1) {
2154                         if (set & 1) {
2155                                 file = fget(i);
2156                                 if (!file)
2157                                         continue;
2158                                 if (file_has_perm(cred,
2159                                                   file,
2160                                                   file_to_av(file))) {
2161                                         sys_close(i);
2162                                         fd = get_unused_fd();
2163                                         if (fd != i) {
2164                                                 if (fd >= 0)
2165                                                         put_unused_fd(fd);
2166                                                 fput(file);
2167                                                 continue;
2168                                         }
2169                                         if (devnull) {
2170                                                 get_file(devnull);
2171                                         } else {
2172                                                 devnull = dentry_open(
2173                                                         dget(selinux_null),
2174                                                         mntget(selinuxfs_mount),
2175                                                         O_RDWR, cred);
2176                                                 if (IS_ERR(devnull)) {
2177                                                         devnull = NULL;
2178                                                         put_unused_fd(fd);
2179                                                         fput(file);
2180                                                         continue;
2181                                                 }
2182                                         }
2183                                         fd_install(fd, devnull);
2184                                 }
2185                                 fput(file);
2186                         }
2187                 }
2188                 spin_lock(&files->file_lock);
2189
2190         }
2191         spin_unlock(&files->file_lock);
2192 }
2193
2194 /*
2195  * Prepare a process for imminent new credential changes due to exec
2196  */
2197 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2198 {
2199         struct task_security_struct *new_tsec;
2200         struct rlimit *rlim, *initrlim;
2201         int rc, i;
2202
2203         new_tsec = bprm->cred->security;
2204         if (new_tsec->sid == new_tsec->osid)
2205                 return;
2206
2207         /* Close files for which the new task SID is not authorized. */
2208         flush_unauthorized_files(bprm->cred, current->files);
2209
2210         /* Always clear parent death signal on SID transitions. */
2211         current->pdeath_signal = 0;
2212
2213         /* Check whether the new SID can inherit resource limits from the old
2214          * SID.  If not, reset all soft limits to the lower of the current
2215          * task's hard limit and the init task's soft limit.
2216          *
2217          * Note that the setting of hard limits (even to lower them) can be
2218          * controlled by the setrlimit check.  The inclusion of the init task's
2219          * soft limit into the computation is to avoid resetting soft limits
2220          * higher than the default soft limit for cases where the default is
2221          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2222          */
2223         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2224                           PROCESS__RLIMITINH, NULL);
2225         if (rc) {
2226                 /* protect against do_prlimit() */
2227                 task_lock(current);
2228                 for (i = 0; i < RLIM_NLIMITS; i++) {
2229                         rlim = current->signal->rlim + i;
2230                         initrlim = init_task.signal->rlim + i;
2231                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2232                 }
2233                 task_unlock(current);
2234                 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2235         }
2236 }
2237
2238 /*
2239  * Clean up the process immediately after the installation of new credentials
2240  * due to exec
2241  */
2242 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2243 {
2244         const struct task_security_struct *tsec = current_security();
2245         struct itimerval itimer;
2246         u32 osid, sid;
2247         int rc, i;
2248
2249         osid = tsec->osid;
2250         sid = tsec->sid;
2251
2252         if (sid == osid)
2253                 return;
2254
2255         /* Check whether the new SID can inherit signal state from the old SID.
2256          * If not, clear itimers to avoid subsequent signal generation and
2257          * flush and unblock signals.
2258          *
2259          * This must occur _after_ the task SID has been updated so that any
2260          * kill done after the flush will be checked against the new SID.
2261          */
2262         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2263         if (rc) {
2264                 memset(&itimer, 0, sizeof itimer);
2265                 for (i = 0; i < 3; i++)
2266                         do_setitimer(i, &itimer, NULL);
2267                 spin_lock_irq(&current->sighand->siglock);
2268                 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2269                         __flush_signals(current);
2270                         flush_signal_handlers(current, 1);
2271                         sigemptyset(&current->blocked);
2272                 }
2273                 spin_unlock_irq(&current->sighand->siglock);
2274         }
2275
2276         /* Wake up the parent if it is waiting so that it can recheck
2277          * wait permission to the new task SID. */
2278         read_lock(&tasklist_lock);
2279         __wake_up_parent(current, current->real_parent);
2280         read_unlock(&tasklist_lock);
2281 }
2282
2283 /* superblock security operations */
2284
2285 static int selinux_sb_alloc_security(struct super_block *sb)
2286 {
2287         return superblock_alloc_security(sb);
2288 }
2289
2290 static void selinux_sb_free_security(struct super_block *sb)
2291 {
2292         superblock_free_security(sb);
2293 }
2294
2295 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2296 {
2297         if (plen > olen)
2298                 return 0;
2299
2300         return !memcmp(prefix, option, plen);
2301 }
2302
2303 static inline int selinux_option(char *option, int len)
2304 {
2305         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2306                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2307                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2308                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2309                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2310 }
2311
2312 static inline void take_option(char **to, char *from, int *first, int len)
2313 {
2314         if (!*first) {
2315                 **to = ',';
2316                 *to += 1;
2317         } else
2318                 *first = 0;
2319         memcpy(*to, from, len);
2320         *to += len;
2321 }
2322
2323 static inline void take_selinux_option(char **to, char *from, int *first,
2324                                        int len)
2325 {
2326         int current_size = 0;
2327
2328         if (!*first) {
2329                 **to = '|';
2330                 *to += 1;
2331         } else
2332                 *first = 0;
2333
2334         while (current_size < len) {
2335                 if (*from != '"') {
2336                         **to = *from;
2337                         *to += 1;
2338                 }
2339                 from += 1;
2340                 current_size += 1;
2341         }
2342 }
2343
2344 static int selinux_sb_copy_data(char *orig, char *copy)
2345 {
2346         int fnosec, fsec, rc = 0;
2347         char *in_save, *in_curr, *in_end;
2348         char *sec_curr, *nosec_save, *nosec;
2349         int open_quote = 0;
2350
2351         in_curr = orig;
2352         sec_curr = copy;
2353
2354         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2355         if (!nosec) {
2356                 rc = -ENOMEM;
2357                 goto out;
2358         }
2359
2360         nosec_save = nosec;
2361         fnosec = fsec = 1;
2362         in_save = in_end = orig;
2363
2364         do {
2365                 if (*in_end == '"')
2366                         open_quote = !open_quote;
2367                 if ((*in_end == ',' && open_quote == 0) ||
2368                                 *in_end == '\0') {
2369                         int len = in_end - in_curr;
2370
2371                         if (selinux_option(in_curr, len))
2372                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2373                         else
2374                                 take_option(&nosec, in_curr, &fnosec, len);
2375
2376                         in_curr = in_end + 1;
2377                 }
2378         } while (*in_end++);
2379
2380         strcpy(in_save, nosec_save);
2381         free_page((unsigned long)nosec_save);
2382 out:
2383         return rc;
2384 }
2385
2386 static int selinux_sb_remount(struct super_block *sb, void *data)
2387 {
2388         int rc, i, *flags;
2389         struct security_mnt_opts opts;
2390         char *secdata, **mount_options;
2391         struct superblock_security_struct *sbsec = sb->s_security;
2392
2393         if (!(sbsec->flags & SE_SBINITIALIZED))
2394                 return 0;
2395
2396         if (!data)
2397                 return 0;
2398
2399         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2400                 return 0;
2401
2402         security_init_mnt_opts(&opts);
2403         secdata = alloc_secdata();
2404         if (!secdata)
2405                 return -ENOMEM;
2406         rc = selinux_sb_copy_data(data, secdata);
2407         if (rc)
2408                 goto out_free_secdata;
2409
2410         rc = selinux_parse_opts_str(secdata, &opts);
2411         if (rc)
2412                 goto out_free_secdata;
2413
2414         mount_options = opts.mnt_opts;
2415         flags = opts.mnt_opts_flags;
2416
2417         for (i = 0; i < opts.num_mnt_opts; i++) {
2418                 u32 sid;
2419                 size_t len;
2420
2421                 if (flags[i] == SE_SBLABELSUPP)
2422                         continue;
2423                 len = strlen(mount_options[i]);
2424                 rc = security_context_to_sid(mount_options[i], len, &sid);
2425                 if (rc) {
2426                         printk(KERN_WARNING "SELinux: security_context_to_sid"
2427                                "(%s) failed for (dev %s, type %s) errno=%d\n",
2428                                mount_options[i], sb->s_id, sb->s_type->name, rc);
2429                         goto out_free_opts;
2430                 }
2431                 rc = -EINVAL;
2432                 switch (flags[i]) {
2433                 case FSCONTEXT_MNT:
2434                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2435                                 goto out_bad_option;
2436                         break;
2437                 case CONTEXT_MNT:
2438                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2439                                 goto out_bad_option;
2440                         break;
2441                 case ROOTCONTEXT_MNT: {
2442                         struct inode_security_struct *root_isec;
2443                         root_isec = sb->s_root->d_inode->i_security;
2444
2445                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2446                                 goto out_bad_option;
2447                         break;
2448                 }
2449                 case DEFCONTEXT_MNT:
2450                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2451                                 goto out_bad_option;
2452                         break;
2453                 default:
2454                         goto out_free_opts;
2455                 }
2456         }
2457
2458         rc = 0;
2459 out_free_opts:
2460         security_free_mnt_opts(&opts);
2461 out_free_secdata:
2462         free_secdata(secdata);
2463         return rc;
2464 out_bad_option:
2465         printk(KERN_WARNING "SELinux: unable to change security options "
2466                "during remount (dev %s, type=%s)\n", sb->s_id,
2467                sb->s_type->name);
2468         goto out_free_opts;
2469 }
2470
2471 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2472 {
2473         const struct cred *cred = current_cred();
2474         struct common_audit_data ad;
2475         int rc;
2476
2477         rc = superblock_doinit(sb, data);
2478         if (rc)
2479                 return rc;
2480
2481         /* Allow all mounts performed by the kernel */
2482         if (flags & MS_KERNMOUNT)
2483                 return 0;
2484
2485         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2486         ad.u.dentry = sb->s_root;
2487         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2488 }
2489
2490 static int selinux_sb_statfs(struct dentry *dentry)
2491 {
2492         const struct cred *cred = current_cred();
2493         struct common_audit_data ad;
2494
2495         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2496         ad.u.dentry = dentry->d_sb->s_root;
2497         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2498 }
2499
2500 static int selinux_mount(char *dev_name,
2501                          struct path *path,
2502                          char *type,
2503                          unsigned long flags,
2504                          void *data)
2505 {
2506         const struct cred *cred = current_cred();
2507
2508         if (flags & MS_REMOUNT)
2509                 return superblock_has_perm(cred, path->dentry->d_sb,
2510                                            FILESYSTEM__REMOUNT, NULL);
2511         else
2512                 return path_has_perm(cred, path, FILE__MOUNTON);
2513 }
2514
2515 static int selinux_umount(struct vfsmount *mnt, int flags)
2516 {
2517         const struct cred *cred = current_cred();
2518
2519         return superblock_has_perm(cred, mnt->mnt_sb,
2520                                    FILESYSTEM__UNMOUNT, NULL);
2521 }
2522
2523 /* inode security operations */
2524
2525 static int selinux_inode_alloc_security(struct inode *inode)
2526 {
2527         return inode_alloc_security(inode);
2528 }
2529
2530 static void selinux_inode_free_security(struct inode *inode)
2531 {
2532         inode_free_security(inode);
2533 }
2534
2535 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2536                                        const struct qstr *qstr, char **name,
2537                                        void **value, size_t *len)
2538 {
2539         const struct task_security_struct *tsec = current_security();
2540         struct inode_security_struct *dsec;
2541         struct superblock_security_struct *sbsec;
2542         u32 sid, newsid, clen;
2543         int rc;
2544         char *namep = NULL, *context;
2545
2546         dsec = dir->i_security;
2547         sbsec = dir->i_sb->s_security;
2548
2549         sid = tsec->sid;
2550         newsid = tsec->create_sid;
2551
2552         if ((sbsec->flags & SE_SBINITIALIZED) &&
2553             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2554                 newsid = sbsec->mntpoint_sid;
2555         else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2556                 rc = security_transition_sid(sid, dsec->sid,
2557                                              inode_mode_to_security_class(inode->i_mode),
2558                                              qstr, &newsid);
2559                 if (rc) {
2560                         printk(KERN_WARNING "%s:  "
2561                                "security_transition_sid failed, rc=%d (dev=%s "
2562                                "ino=%ld)\n",
2563                                __func__,
2564                                -rc, inode->i_sb->s_id, inode->i_ino);
2565                         return rc;
2566                 }
2567         }
2568
2569         /* Possibly defer initialization to selinux_complete_init. */
2570         if (sbsec->flags & SE_SBINITIALIZED) {
2571                 struct inode_security_struct *isec = inode->i_security;
2572                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2573                 isec->sid = newsid;
2574                 isec->initialized = 1;
2575         }
2576
2577         if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2578                 return -EOPNOTSUPP;
2579
2580         if (name) {
2581                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2582                 if (!namep)
2583                         return -ENOMEM;
2584                 *name = namep;
2585         }
2586
2587         if (value && len) {
2588                 rc = security_sid_to_context_force(newsid, &context, &clen);
2589                 if (rc) {
2590                         kfree(namep);
2591                         return rc;
2592                 }
2593                 *value = context;
2594                 *len = clen;
2595         }
2596
2597         return 0;
2598 }
2599
2600 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2601 {
2602         return may_create(dir, dentry, SECCLASS_FILE);
2603 }
2604
2605 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2606 {
2607         return may_link(dir, old_dentry, MAY_LINK);
2608 }
2609
2610 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2611 {
2612         return may_link(dir, dentry, MAY_UNLINK);
2613 }
2614
2615 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2616 {
2617         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2618 }
2619
2620 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2621 {
2622         return may_create(dir, dentry, SECCLASS_DIR);
2623 }
2624
2625 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2626 {
2627         return may_link(dir, dentry, MAY_RMDIR);
2628 }
2629
2630 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2631 {
2632         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2633 }
2634
2635 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2636                                 struct inode *new_inode, struct dentry *new_dentry)
2637 {
2638         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2639 }
2640
2641 static int selinux_inode_readlink(struct dentry *dentry)
2642 {
2643         const struct cred *cred = current_cred();
2644
2645         return dentry_has_perm(cred, dentry, FILE__READ);
2646 }
2647
2648 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2649 {
2650         const struct cred *cred = current_cred();
2651
2652         return dentry_has_perm(cred, dentry, FILE__READ);
2653 }
2654
2655 static int selinux_inode_permission(struct inode *inode, int mask)
2656 {
2657         const struct cred *cred = current_cred();
2658         struct common_audit_data ad;
2659         u32 perms;
2660         bool from_access;
2661         unsigned flags = mask & MAY_NOT_BLOCK;
2662
2663         from_access = mask & MAY_ACCESS;
2664         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2665
2666         /* No permission to check.  Existence test. */
2667         if (!mask)
2668                 return 0;
2669
2670         COMMON_AUDIT_DATA_INIT(&ad, INODE);
2671         ad.u.inode = inode;
2672
2673         if (from_access)
2674                 ad.selinux_audit_data.auditdeny |= FILE__AUDIT_ACCESS;
2675
2676         perms = file_mask_to_av(inode->i_mode, mask);
2677
2678         return inode_has_perm(cred, inode, perms, &ad, flags);
2679 }
2680
2681 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2682 {
2683         const struct cred *cred = current_cred();
2684         unsigned int ia_valid = iattr->ia_valid;
2685
2686         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2687         if (ia_valid & ATTR_FORCE) {
2688                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2689                               ATTR_FORCE);
2690                 if (!ia_valid)
2691                         return 0;
2692         }
2693
2694         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2695                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2696                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2697
2698         return dentry_has_perm(cred, dentry, FILE__WRITE);
2699 }
2700
2701 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2702 {
2703         const struct cred *cred = current_cred();
2704         struct path path;
2705
2706         path.dentry = dentry;
2707         path.mnt = mnt;
2708
2709         return path_has_perm(cred, &path, FILE__GETATTR);
2710 }
2711
2712 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2713 {
2714         const struct cred *cred = current_cred();
2715
2716         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2717                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2718                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2719                         if (!capable(CAP_SETFCAP))
2720                                 return -EPERM;
2721                 } else if (!capable(CAP_SYS_ADMIN)) {
2722                         /* A different attribute in the security namespace.
2723                            Restrict to administrator. */
2724                         return -EPERM;
2725                 }
2726         }
2727
2728         /* Not an attribute we recognize, so just check the
2729            ordinary setattr permission. */
2730         return dentry_has_perm(cred, dentry, FILE__SETATTR);
2731 }
2732
2733 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2734                                   const void *value, size_t size, int flags)
2735 {
2736         struct inode *inode = dentry->d_inode;
2737         struct inode_security_struct *isec = inode->i_security;
2738         struct superblock_security_struct *sbsec;
2739         struct common_audit_data ad;
2740         u32 newsid, sid = current_sid();
2741         int rc = 0;
2742
2743         if (strcmp(name, XATTR_NAME_SELINUX))
2744                 return selinux_inode_setotherxattr(dentry, name);
2745
2746         sbsec = inode->i_sb->s_security;
2747         if (!(sbsec->flags & SE_SBLABELSUPP))
2748                 return -EOPNOTSUPP;
2749
2750         if (!inode_owner_or_capable(inode))
2751                 return -EPERM;
2752
2753         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2754         ad.u.dentry = dentry;
2755
2756         rc = avc_has_perm(sid, isec->sid, isec->sclass,
2757                           FILE__RELABELFROM, &ad);
2758         if (rc)
2759                 return rc;
2760
2761         rc = security_context_to_sid(value, size, &newsid);
2762         if (rc == -EINVAL) {
2763                 if (!capable(CAP_MAC_ADMIN))
2764                         return rc;
2765                 rc = security_context_to_sid_force(value, size, &newsid);
2766         }
2767         if (rc)
2768                 return rc;
2769
2770         rc = avc_has_perm(sid, newsid, isec->sclass,
2771                           FILE__RELABELTO, &ad);
2772         if (rc)
2773                 return rc;
2774
2775         rc = security_validate_transition(isec->sid, newsid, sid,
2776                                           isec->sclass);
2777         if (rc)
2778                 return rc;
2779
2780         return avc_has_perm(newsid,
2781                             sbsec->sid,
2782                             SECCLASS_FILESYSTEM,
2783                             FILESYSTEM__ASSOCIATE,
2784                             &ad);
2785 }
2786
2787 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2788                                         const void *value, size_t size,
2789                                         int flags)
2790 {
2791         struct inode *inode = dentry->d_inode;
2792         struct inode_security_struct *isec = inode->i_security;
2793         u32 newsid;
2794         int rc;
2795
2796         if (strcmp(name, XATTR_NAME_SELINUX)) {
2797                 /* Not an attribute we recognize, so nothing to do. */
2798                 return;
2799         }
2800
2801         rc = security_context_to_sid_force(value, size, &newsid);
2802         if (rc) {
2803                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2804                        "for (%s, %lu), rc=%d\n",
2805                        inode->i_sb->s_id, inode->i_ino, -rc);
2806                 return;
2807         }
2808
2809         isec->sid = newsid;
2810         return;
2811 }
2812
2813 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2814 {
2815         const struct cred *cred = current_cred();
2816
2817         return dentry_has_perm(cred, dentry, FILE__GETATTR);
2818 }
2819
2820 static int selinux_inode_listxattr(struct dentry *dentry)
2821 {
2822         const struct cred *cred = current_cred();
2823
2824         return dentry_has_perm(cred, dentry, FILE__GETATTR);
2825 }
2826
2827 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2828 {
2829         if (strcmp(name, XATTR_NAME_SELINUX))
2830                 return selinux_inode_setotherxattr(dentry, name);
2831
2832         /* No one is allowed to remove a SELinux security label.
2833            You can change the label, but all data must be labeled. */
2834         return -EACCES;
2835 }
2836
2837 /*
2838  * Copy the inode security context value to the user.
2839  *
2840  * Permission check is handled by selinux_inode_getxattr hook.
2841  */
2842 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2843 {
2844         u32 size;
2845         int error;
2846         char *context = NULL;
2847         struct inode_security_struct *isec = inode->i_security;
2848
2849         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2850                 return -EOPNOTSUPP;
2851
2852         /*
2853          * If the caller has CAP_MAC_ADMIN, then get the raw context
2854          * value even if it is not defined by current policy; otherwise,
2855          * use the in-core value under current policy.
2856          * Use the non-auditing forms of the permission checks since
2857          * getxattr may be called by unprivileged processes commonly
2858          * and lack of permission just means that we fall back to the
2859          * in-core context value, not a denial.
2860          */
2861         error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
2862                                 SECURITY_CAP_NOAUDIT);
2863         if (!error)
2864                 error = security_sid_to_context_force(isec->sid, &context,
2865                                                       &size);
2866         else
2867                 error = security_sid_to_context(isec->sid, &context, &size);
2868         if (error)
2869                 return error;
2870         error = size;
2871         if (alloc) {
2872                 *buffer = context;
2873                 goto out_nofree;
2874         }
2875         kfree(context);
2876 out_nofree:
2877         return error;
2878 }
2879
2880 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2881                                      const void *value, size_t size, int flags)
2882 {
2883         struct inode_security_struct *isec = inode->i_security;
2884         u32 newsid;
2885         int rc;
2886
2887         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2888                 return -EOPNOTSUPP;
2889
2890         if (!value || !size)
2891                 return -EACCES;
2892
2893         rc = security_context_to_sid((void *)value, size, &newsid);
2894         if (rc)
2895                 return rc;
2896
2897         isec->sid = newsid;
2898         isec->initialized = 1;
2899         return 0;
2900 }
2901
2902 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2903 {
2904         const int len = sizeof(XATTR_NAME_SELINUX);
2905         if (buffer && len <= buffer_size)
2906                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2907         return len;
2908 }
2909
2910 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2911 {
2912         struct inode_security_struct *isec = inode->i_security;
2913         *secid = isec->sid;
2914 }
2915
2916 /* file security operations */
2917
2918 static int selinux_revalidate_file_permission(struct file *file, int mask)
2919 {
2920         const struct cred *cred = current_cred();
2921         struct inode *inode = file->f_path.dentry->d_inode;
2922
2923         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2924         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2925                 mask |= MAY_APPEND;
2926
2927         return file_has_perm(cred, file,
2928                              file_mask_to_av(inode->i_mode, mask));
2929 }
2930
2931 static int selinux_file_permission(struct file *file, int mask)
2932 {
2933         struct inode *inode = file->f_path.dentry->d_inode;
2934         struct file_security_struct *fsec = file->f_security;
2935         struct inode_security_struct *isec = inode->i_security;
2936         u32 sid = current_sid();
2937
2938         if (!mask)
2939                 /* No permission to check.  Existence test. */
2940                 return 0;
2941
2942         if (sid == fsec->sid && fsec->isid == isec->sid &&
2943             fsec->pseqno == avc_policy_seqno())
2944                 /* No change since dentry_open check. */
2945                 return 0;
2946
2947         return selinux_revalidate_file_permission(file, mask);
2948 }
2949
2950 static int selinux_file_alloc_security(struct file *file)
2951 {
2952         return file_alloc_security(file);
2953 }
2954
2955 static void selinux_file_free_security(struct file *file)
2956 {
2957         file_free_security(file);
2958 }
2959
2960 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2961                               unsigned long arg)
2962 {
2963         const struct cred *cred = current_cred();
2964         int error = 0;
2965
2966         switch (cmd) {
2967         case FIONREAD:
2968         /* fall through */
2969         case FIBMAP:
2970         /* fall through */
2971         case FIGETBSZ:
2972         /* fall through */
2973         case FS_IOC_GETFLAGS:
2974         /* fall through */
2975         case FS_IOC_GETVERSION:
2976                 error = file_has_perm(cred, file, FILE__GETATTR);
2977                 break;
2978
2979         case FS_IOC_SETFLAGS:
2980         /* fall through */
2981         case FS_IOC_SETVERSION:
2982                 error = file_has_perm(cred, file, FILE__SETATTR);
2983                 break;
2984
2985         /* sys_ioctl() checks */
2986         case FIONBIO:
2987         /* fall through */
2988         case FIOASYNC:
2989                 error = file_has_perm(cred, file, 0);
2990                 break;
2991
2992         case KDSKBENT:
2993         case KDSKBSENT:
2994                 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
2995                                             SECURITY_CAP_AUDIT);
2996                 break;
2997
2998         /* default case assumes that the command will go
2999          * to the file's ioctl() function.
3000          */
3001         default:
3002                 error = file_has_perm(cred, file, FILE__IOCTL);
3003         }
3004         return error;
3005 }
3006
3007 static int default_noexec;
3008
3009 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3010 {
3011         const struct cred *cred = current_cred();
3012         int rc = 0;
3013
3014         if (default_noexec &&
3015             (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3016                 /*
3017                  * We are making executable an anonymous mapping or a
3018                  * private file mapping that will also be writable.
3019                  * This has an additional check.
3020                  */
3021                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3022                 if (rc)
3023                         goto error;
3024         }
3025
3026         if (file) {
3027                 /* read access is always possible with a mapping */
3028                 u32 av = FILE__READ;
3029
3030                 /* write access only matters if the mapping is shared */
3031                 if (shared && (prot & PROT_WRITE))
3032                         av |= FILE__WRITE;
3033
3034                 if (prot & PROT_EXEC)
3035                         av |= FILE__EXECUTE;
3036
3037                 return file_has_perm(cred, file, av);
3038         }
3039
3040 error:
3041         return rc;
3042 }
3043
3044 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3045                              unsigned long prot, unsigned long flags,
3046                              unsigned long addr, unsigned long addr_only)
3047 {
3048         int rc = 0;
3049         u32 sid = current_sid();
3050
3051         /*
3052          * notice that we are intentionally putting the SELinux check before
3053          * the secondary cap_file_mmap check.  This is such a likely attempt
3054          * at bad behaviour/exploit that we always want to get the AVC, even
3055          * if DAC would have also denied the operation.
3056          */
3057         if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3058                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3059                                   MEMPROTECT__MMAP_ZERO, NULL);
3060                 if (rc)
3061                         return rc;
3062         }
3063
3064         /* do DAC check on address space usage */
3065         rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3066         if (rc || addr_only)
3067                 return rc;
3068
3069         if (selinux_checkreqprot)
3070                 prot = reqprot;
3071
3072         return file_map_prot_check(file, prot,
3073                                    (flags & MAP_TYPE) == MAP_SHARED);
3074 }
3075
3076 static int selinux_file_mprotect(struct vm_area_struct *vma,
3077                                  unsigned long reqprot,
3078                                  unsigned long prot)
3079 {
3080         const struct cred *cred = current_cred();
3081
3082         if (selinux_checkreqprot)
3083                 prot = reqprot;
3084
3085         if (default_noexec &&
3086             (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3087                 int rc = 0;
3088                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3089                     vma->vm_end <= vma->vm_mm->brk) {
3090                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3091                 } else if (!vma->vm_file &&
3092                            vma->vm_start <= vma->vm_mm->start_stack &&
3093                            vma->vm_end >= vma->vm_mm->start_stack) {
3094                         rc = current_has_perm(current, PROCESS__EXECSTACK);
3095                 } else if (vma->vm_file && vma->anon_vma) {
3096                         /*
3097                          * We are making executable a file mapping that has
3098                          * had some COW done. Since pages might have been
3099                          * written, check ability to execute the possibly
3100                          * modified content.  This typically should only
3101                          * occur for text relocations.
3102                          */
3103                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3104                 }
3105                 if (rc)
3106                         return rc;
3107         }
3108
3109         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3110 }
3111
3112 static int selinux_file_lock(struct file *file, unsigned int cmd)
3113 {
3114         const struct cred *cred = current_cred();
3115
3116         return file_has_perm(cred, file, FILE__LOCK);
3117 }
3118
3119 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3120                               unsigned long arg)
3121 {
3122         const struct cred *cred = current_cred();
3123         int err = 0;
3124
3125         switch (cmd) {
3126         case F_SETFL:
3127                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3128                         err = -EINVAL;
3129                         break;
3130                 }
3131
3132                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3133                         err = file_has_perm(cred, file, FILE__WRITE);
3134                         break;
3135                 }
3136                 /* fall through */
3137         case F_SETOWN:
3138         case F_SETSIG:
3139         case F_GETFL:
3140         case F_GETOWN:
3141         case F_GETSIG:
3142                 /* Just check FD__USE permission */
3143                 err = file_has_perm(cred, file, 0);
3144                 break;
3145         case F_GETLK:
3146         case F_SETLK:
3147         case F_SETLKW:
3148 #if BITS_PER_LONG == 32
3149         case F_GETLK64:
3150         case F_SETLK64:
3151         case F_SETLKW64:
3152 #endif
3153                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3154                         err = -EINVAL;
3155                         break;
3156                 }
3157                 err = file_has_perm(cred, file, FILE__LOCK);
3158                 break;
3159         }
3160
3161         return err;
3162 }
3163
3164 static int selinux_file_set_fowner(struct file *file)
3165 {
3166         struct file_security_struct *fsec;
3167
3168         fsec = file->f_security;
3169         fsec->fown_sid = current_sid();
3170
3171         return 0;
3172 }
3173
3174 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3175                                        struct fown_struct *fown, int signum)
3176 {
3177         struct file *file;
3178         u32 sid = task_sid(tsk);
3179         u32 perm;
3180         struct file_security_struct *fsec;
3181
3182         /* struct fown_struct is never outside the context of a struct file */
3183         file = container_of(fown, struct file, f_owner);
3184
3185         fsec = file->f_security;
3186
3187         if (!signum)
3188                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3189         else
3190                 perm = signal_to_av(signum);
3191
3192         return avc_has_perm(fsec->fown_sid, sid,
3193                             SECCLASS_PROCESS, perm, NULL);
3194 }
3195
3196 static int selinux_file_receive(struct file *file)
3197 {
3198         const struct cred *cred = current_cred();
3199
3200         return file_has_perm(cred, file, file_to_av(file));
3201 }
3202
3203 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3204 {
3205         struct file_security_struct *fsec;
3206         struct inode *inode;
3207         struct inode_security_struct *isec;
3208
3209         inode = file->f_path.dentry->d_inode;
3210         fsec = file->f_security;
3211         isec = inode->i_security;
3212         /*
3213          * Save inode label and policy sequence number
3214          * at open-time so that selinux_file_permission
3215          * can determine whether revalidation is necessary.
3216          * Task label is already saved in the file security
3217          * struct as its SID.
3218          */
3219         fsec->isid = isec->sid;
3220         fsec->pseqno = avc_policy_seqno();
3221         /*
3222          * Since the inode label or policy seqno may have changed
3223          * between the selinux_inode_permission check and the saving
3224          * of state above, recheck that access is still permitted.
3225          * Otherwise, access might never be revalidated against the
3226          * new inode label or new policy.
3227          * This check is not redundant - do not remove.
3228          */
3229         return inode_has_perm_noadp(cred, inode, open_file_to_av(file), 0);
3230 }
3231
3232 /* task security operations */
3233
3234 static int selinux_task_create(unsigned long clone_flags)
3235 {
3236         return current_has_perm(current, PROCESS__FORK);
3237 }
3238
3239 /*
3240  * allocate the SELinux part of blank credentials
3241  */
3242 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3243 {
3244         struct task_security_struct *tsec;
3245
3246         tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3247         if (!tsec)
3248                 return -ENOMEM;
3249
3250         cred->security = tsec;
3251         return 0;
3252 }
3253
3254 /*
3255  * detach and free the LSM part of a set of credentials
3256  */
3257 static void selinux_cred_free(struct cred *cred)
3258 {
3259         struct task_security_struct *tsec = cred->security;
3260
3261         /*
3262          * cred->security == NULL if security_cred_alloc_blank() or
3263          * security_prepare_creds() returned an error.
3264          */
3265         BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3266         cred->security = (void *) 0x7UL;
3267         kfree(tsec);
3268 }
3269
3270 /*
3271  * prepare a new set of credentials for modification
3272  */
3273 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3274                                 gfp_t gfp)
3275 {
3276         const struct task_security_struct *old_tsec;
3277         struct task_security_struct *tsec;
3278
3279         old_tsec = old->security;
3280
3281         tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3282         if (!tsec)
3283                 return -ENOMEM;
3284
3285         new->security = tsec;
3286         return 0;
3287 }
3288
3289 /*
3290  * transfer the SELinux data to a blank set of creds
3291  */
3292 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3293 {
3294         const struct task_security_struct *old_tsec = old->security;
3295         struct task_security_struct *tsec = new->security;
3296
3297         *tsec = *old_tsec;
3298 }
3299
3300 /*
3301  * set the security data for a kernel service
3302  * - all the creation contexts are set to unlabelled
3303  */
3304 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3305 {
3306         struct task_security_struct *tsec = new->security;
3307         u32 sid = current_sid();
3308         int ret;
3309
3310         ret = avc_has_perm(sid, secid,
3311                            SECCLASS_KERNEL_SERVICE,
3312                            KERNEL_SERVICE__USE_AS_OVERRIDE,
3313                            NULL);
3314         if (ret == 0) {
3315                 tsec->sid = secid;
3316                 tsec->create_sid = 0;
3317                 tsec->keycreate_sid = 0;
3318                 tsec->sockcreate_sid = 0;
3319         }
3320         return ret;
3321 }
3322
3323 /*
3324  * set the file creation context in a security record to the same as the
3325  * objective context of the specified inode
3326  */
3327 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3328 {
3329         struct inode_security_struct *isec = inode->i_security;
3330         struct task_security_struct *tsec = new->security;
3331         u32 sid = current_sid();
3332         int ret;
3333
3334         ret = avc_has_perm(sid, isec->sid,
3335                            SECCLASS_KERNEL_SERVICE,
3336                            KERNEL_SERVICE__CREATE_FILES_AS,
3337                            NULL);
3338
3339         if (ret == 0)
3340                 tsec->create_sid = isec->sid;
3341         return ret;
3342 }
3343
3344 static int selinux_kernel_module_request(char *kmod_name)
3345 {
3346         u32 sid;
3347         struct common_audit_data ad;
3348
3349         sid = task_sid(current);
3350
3351         COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3352         ad.u.kmod_name = kmod_name;
3353
3354         return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3355                             SYSTEM__MODULE_REQUEST, &ad);
3356 }
3357
3358 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3359 {
3360         return current_has_perm(p, PROCESS__SETPGID);
3361 }
3362
3363 static int selinux_task_getpgid(struct task_struct *p)
3364 {
3365         return current_has_perm(p, PROCESS__GETPGID);
3366 }
3367
3368 static int selinux_task_getsid(struct task_struct *p)
3369 {
3370         return current_has_perm(p, PROCESS__GETSESSION);
3371 }
3372
3373 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3374 {
3375         *secid = task_sid(p);
3376 }
3377
3378 static int selinux_task_setnice(struct task_struct *p, int nice)
3379 {
3380         int rc;
3381
3382         rc = cap_task_setnice(p, nice);
3383         if (rc)
3384                 return rc;
3385
3386         return current_has_perm(p, PROCESS__SETSCHED);
3387 }
3388
3389 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3390 {
3391         int rc;
3392
3393         rc = cap_task_setioprio(p, ioprio);
3394         if (rc)
3395                 return rc;
3396
3397         return current_has_perm(p, PROCESS__SETSCHED);
3398 }
3399
3400 static int selinux_task_getioprio(struct task_struct *p)
3401 {
3402         return current_has_perm(p, PROCESS__GETSCHED);
3403 }
3404
3405 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3406                 struct rlimit *new_rlim)
3407 {
3408         struct rlimit *old_rlim = p->signal->rlim + resource;
3409
3410         /* Control the ability to change the hard limit (whether
3411            lowering or raising it), so that the hard limit can
3412            later be used as a safe reset point for the soft limit
3413            upon context transitions.  See selinux_bprm_committing_creds. */
3414         if (old_rlim->rlim_max != new_rlim->rlim_max)
3415                 return current_has_perm(p, PROCESS__SETRLIMIT);
3416
3417         return 0;
3418 }
3419
3420 static int selinux_task_setscheduler(struct task_struct *p)
3421 {
3422         int rc;
3423
3424         rc = cap_task_setscheduler(p);
3425         if (rc)
3426                 return rc;
3427
3428         return current_has_perm(p, PROCESS__SETSCHED);
3429 }
3430
3431 static int selinux_task_getscheduler(struct task_struct *p)
3432 {
3433         return current_has_perm(p, PROCESS__GETSCHED);
3434 }
3435
3436 static int selinux_task_movememory(struct task_struct *p)
3437 {
3438         return current_has_perm(p, PROCESS__SETSCHED);
3439 }
3440
3441 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3442                                 int sig, u32 secid)
3443 {
3444         u32 perm;
3445         int rc;
3446
3447         if (!sig)
3448                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3449         else
3450                 perm = signal_to_av(sig);
3451         if (secid)
3452                 rc = avc_has_perm(secid, task_sid(p),
3453                                   SECCLASS_PROCESS, perm, NULL);
3454         else
3455                 rc = current_has_perm(p, perm);
3456         return rc;
3457 }
3458
3459 static int selinux_task_wait(struct task_struct *p)
3460 {
3461         return task_has_perm(p, current, PROCESS__SIGCHLD);
3462 }
3463
3464 static void selinux_task_to_inode(struct task_struct *p,
3465                                   struct inode *inode)
3466 {
3467         struct inode_security_struct *isec = inode->i_security;
3468         u32 sid = task_sid(p);
3469
3470         isec->sid = sid;
3471         isec->initialized = 1;
3472 }
3473
3474 /* Returns error only if unable to parse addresses */
3475 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3476                         struct common_audit_data *ad, u8 *proto)
3477 {
3478         int offset, ihlen, ret = -EINVAL;
3479         struct iphdr _iph, *ih;
3480
3481         offset = skb_network_offset(skb);
3482         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3483         if (ih == NULL)
3484                 goto out;
3485
3486         ihlen = ih->ihl * 4;
3487         if (ihlen < sizeof(_iph))
3488                 goto out;
3489
3490         ad->u.net.v4info.saddr = ih->saddr;
3491         ad->u.net.v4info.daddr = ih->daddr;
3492         ret = 0;
3493
3494         if (proto)
3495                 *proto = ih->protocol;
3496
3497         switch (ih->protocol) {
3498         case IPPROTO_TCP: {
3499                 struct tcphdr _tcph, *th;
3500
3501                 if (ntohs(ih->frag_off) & IP_OFFSET)
3502                         break;
3503
3504                 offset += ihlen;
3505                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3506                 if (th == NULL)
3507                         break;
3508
3509                 ad->u.net.sport = th->source;
3510                 ad->u.net.dport = th->dest;
3511                 break;
3512         }
3513
3514         case IPPROTO_UDP: {
3515                 struct udphdr _udph, *uh;
3516
3517                 if (ntohs(ih->frag_off) & IP_OFFSET)
3518                         break;
3519
3520                 offset += ihlen;
3521                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3522                 if (uh == NULL)
3523                         break;
3524
3525                 ad->u.net.sport = uh->source;
3526                 ad->u.net.dport = uh->dest;
3527                 break;
3528         }
3529
3530         case IPPROTO_DCCP: {
3531                 struct dccp_hdr _dccph, *dh;
3532
3533                 if (ntohs(ih->frag_off) & IP_OFFSET)
3534                         break;
3535
3536                 offset += ihlen;
3537                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3538                 if (dh == NULL)
3539                         break;
3540
3541                 ad->u.net.sport = dh->dccph_sport;
3542                 ad->u.net.dport = dh->dccph_dport;
3543                 break;
3544         }
3545
3546         default:
3547                 break;
3548         }
3549 out:
3550         return ret;
3551 }
3552
3553 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3554
3555 /* Returns error only if unable to parse addresses */
3556 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3557                         struct common_audit_data *ad, u8 *proto)
3558 {
3559         u8 nexthdr;
3560         int ret = -EINVAL, offset;
3561         struct ipv6hdr _ipv6h, *ip6;
3562         __be16 frag_off;
3563
3564         offset = skb_network_offset(skb);
3565         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3566         if (ip6 == NULL)
3567                 goto out;
3568
3569         ad->u.net.v6info.saddr = ip6->saddr;
3570         ad->u.net.v6info.daddr = ip6->daddr;
3571         ret = 0;
3572
3573         nexthdr = ip6->nexthdr;
3574         offset += sizeof(_ipv6h);
3575         offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3576         if (offset < 0)
3577                 goto out;
3578
3579         if (proto)
3580                 *proto = nexthdr;
3581
3582         switch (nexthdr) {
3583         case IPPROTO_TCP: {
3584                 struct tcphdr _tcph, *th;
3585
3586                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3587                 if (th == NULL)
3588                         break;
3589
3590                 ad->u.net.sport = th->source;
3591                 ad->u.net.dport = th->dest;
3592                 break;
3593         }
3594
3595         case IPPROTO_UDP: {
3596                 struct udphdr _udph, *uh;
3597
3598                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3599                 if (uh == NULL)
3600                         break;
3601
3602                 ad->u.net.sport = uh->source;
3603                 ad->u.net.dport = uh->dest;
3604                 break;
3605         }
3606
3607         case IPPROTO_DCCP: {
3608                 struct dccp_hdr _dccph, *dh;
3609
3610                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3611                 if (dh == NULL)
3612                         break;
3613
3614                 ad->u.net.sport = dh->dccph_sport;
3615                 ad->u.net.dport = dh->dccph_dport;
3616                 break;
3617         }
3618
3619         /* includes fragments */
3620         default:
3621                 break;
3622         }
3623 out:
3624         return ret;
3625 }
3626
3627 #endif /* IPV6 */
3628
3629 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3630                              char **_addrp, int src, u8 *proto)
3631 {
3632         char *addrp;
3633         int ret;
3634
3635         switch (ad->u.net.family) {
3636         case PF_INET:
3637                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3638                 if (ret)
3639                         goto parse_error;
3640                 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3641                                        &ad->u.net.v4info.daddr);
3642                 goto okay;
3643
3644 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3645         case PF_INET6:
3646                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3647                 if (ret)
3648                         goto parse_error;
3649                 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3650                                        &ad->u.net.v6info.daddr);
3651                 goto okay;
3652 #endif  /* IPV6 */
3653         default:
3654                 addrp = NULL;
3655                 goto okay;
3656         }
3657
3658 parse_error:
3659         printk(KERN_WARNING
3660                "SELinux: failure in selinux_parse_skb(),"
3661                " unable to parse packet\n");
3662         return ret;
3663
3664 okay:
3665         if (_addrp)
3666                 *_addrp = addrp;
3667         return 0;
3668 }
3669
3670 /**
3671  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3672  * @skb: the packet
3673  * @family: protocol family
3674  * @sid: the packet's peer label SID
3675  *
3676  * Description:
3677  * Check the various different forms of network peer labeling and determine
3678  * the peer label/SID for the packet; most of the magic actually occurs in
3679  * the security server function security_net_peersid_cmp().  The function
3680  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3681  * or -EACCES if @sid is invalid due to inconsistencies with the different
3682  * peer labels.
3683  *
3684  */
3685 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3686 {
3687         int err;
3688         u32 xfrm_sid;
3689         u32 nlbl_sid;
3690         u32 nlbl_type;
3691
3692         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3693         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3694
3695         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3696         if (unlikely(err)) {
3697                 printk(KERN_WARNING
3698                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3699                        " unable to determine packet's peer label\n");
3700                 return -EACCES;
3701         }
3702
3703         return 0;
3704 }
3705
3706 /* socket security operations */
3707
3708 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3709                                  u16 secclass, u32 *socksid)
3710 {
3711         if (tsec->sockcreate_sid > SECSID_NULL) {
3712                 *socksid = tsec->sockcreate_sid;
3713                 return 0;
3714         }
3715
3716         return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3717                                        socksid);
3718 }
3719
3720 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3721 {
3722         struct sk_security_struct *sksec = sk->sk_security;
3723         struct common_audit_data ad;
3724         u32 tsid = task_sid(task);
3725
3726         if (sksec->sid == SECINITSID_KERNEL)
3727                 return 0;
3728
3729         COMMON_AUDIT_DATA_INIT(&ad, NET);
3730         ad.u.net.sk = sk;
3731
3732         return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3733 }
3734
3735 static int selinux_socket_create(int family, int type,
3736                                  int protocol, int kern)
3737 {
3738         const struct task_security_struct *tsec = current_security();
3739         u32 newsid;
3740         u16 secclass;
3741         int rc;
3742
3743         if (kern)
3744                 return 0;
3745
3746         secclass = socket_type_to_security_class(family, type, protocol);
3747         rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3748         if (rc)
3749                 return rc;
3750
3751         return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3752 }
3753
3754 static int selinux_socket_post_create(struct socket *sock, int family,
3755                                       int type, int protocol, int kern)
3756 {
3757         const struct task_security_struct *tsec = current_security();
3758         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3759         struct sk_security_struct *sksec;
3760         int err = 0;
3761
3762         isec->sclass = socket_type_to_security_class(family, type, protocol);
3763
3764         if (kern)
3765                 isec->sid = SECINITSID_KERNEL;
3766         else {
3767                 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3768                 if (err)
3769                         return err;
3770         }
3771
3772         isec->initialized = 1;
3773
3774         if (sock->sk) {
3775                 sksec = sock->sk->sk_security;
3776                 sksec->sid = isec->sid;
3777                 sksec->sclass = isec->sclass;
3778                 err = selinux_netlbl_socket_post_create(sock->sk, family);
3779         }
3780
3781         return err;
3782 }
3783
3784 /* Range of port numbers used to automatically bind.
3785    Need to determine whether we should perform a name_bind
3786    permission check between the socket and the port number. */
3787
3788 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3789 {
3790         struct sock *sk = sock->sk;
3791         u16 family;
3792         int err;
3793
3794         err = sock_has_perm(current, sk, SOCKET__BIND);
3795         if (err)
3796                 goto out;
3797
3798         /*
3799          * If PF_INET or PF_INET6, check name_bind permission for the port.
3800          * Multiple address binding for SCTP is not supported yet: we just
3801          * check the first address now.
3802          */
3803         family = sk->sk_family;
3804         if (family == PF_INET || family == PF_INET6) {
3805                 char *addrp;
3806                 struct sk_security_struct *sksec = sk->sk_security;
3807                 struct common_audit_data ad;
3808                 struct sockaddr_in *addr4 = NULL;
3809                 struct sockaddr_in6 *addr6 = NULL;
3810                 unsigned short snum;
3811                 u32 sid, node_perm;
3812
3813                 if (family == PF_INET) {
3814                         addr4 = (struct sockaddr_in *)address;
3815                         snum = ntohs(addr4->sin_port);
3816                         addrp = (char *)&addr4->sin_addr.s_addr;
3817                 } else {
3818                         addr6 = (struct sockaddr_in6 *)address;
3819                         snum = ntohs(addr6->sin6_port);
3820                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3821                 }
3822
3823                 if (snum) {
3824                         int low, high;
3825
3826                         inet_get_local_port_range(&low, &high);
3827
3828                         if (snum < max(PROT_SOCK, low) || snum > high) {
3829                                 err = sel_netport_sid(sk->sk_protocol,
3830                                                       snum, &sid);
3831                                 if (err)
3832                                         goto out;
3833                                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3834                                 ad.u.net.sport = htons(snum);
3835                                 ad.u.net.family = family;
3836                                 err = avc_has_perm(sksec->sid, sid,
3837                                                    sksec->sclass,
3838                                                    SOCKET__NAME_BIND, &ad);
3839                                 if (err)
3840                                         goto out;
3841                         }
3842                 }
3843
3844                 switch (sksec->sclass) {
3845                 case SECCLASS_TCP_SOCKET:
3846                         node_perm = TCP_SOCKET__NODE_BIND;
3847                         break;
3848
3849                 case SECCLASS_UDP_SOCKET:
3850                         node_perm = UDP_SOCKET__NODE_BIND;
3851                         break;
3852
3853                 case SECCLASS_DCCP_SOCKET:
3854                         node_perm = DCCP_SOCKET__NODE_BIND;
3855                         break;
3856
3857                 default:
3858                         node_perm = RAWIP_SOCKET__NODE_BIND;
3859                         break;
3860                 }
3861
3862                 err = sel_netnode_sid(addrp, family, &sid);
3863                 if (err)
3864                         goto out;
3865
3866                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3867                 ad.u.net.sport = htons(snum);
3868                 ad.u.net.family = family;
3869
3870                 if (family == PF_INET)
3871                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3872                 else
3873                         ad.u.net.v6info.saddr = addr6->sin6_addr;
3874
3875                 err = avc_has_perm(sksec->sid, sid,
3876                                    sksec->sclass, node_perm, &ad);
3877                 if (err)
3878                         goto out;
3879         }
3880 out:
3881         return err;
3882 }
3883
3884 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3885 {
3886         struct sock *sk = sock->sk;
3887         struct sk_security_struct *sksec = sk->sk_security;
3888         int err;
3889
3890         err = sock_has_perm(current, sk, SOCKET__CONNECT);
3891         if (err)
3892                 return err;
3893
3894         /*
3895          * If a TCP or DCCP socket, check name_connect permission for the port.
3896          */
3897         if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3898             sksec->sclass == SECCLASS_DCCP_SOCKET) {
3899                 struct common_audit_data ad;
3900                 struct sockaddr_in *addr4 = NULL;
3901                 struct sockaddr_in6 *addr6 = NULL;
3902                 unsigned short snum;
3903                 u32 sid, perm;
3904
3905                 if (sk->sk_family == PF_INET) {
3906                         addr4 = (struct sockaddr_in *)address;
3907                         if (addrlen < sizeof(struct sockaddr_in))
3908                                 return -EINVAL;
3909                         snum = ntohs(addr4->sin_port);
3910                 } else {
3911                         addr6 = (struct sockaddr_in6 *)address;
3912                         if (addrlen < SIN6_LEN_RFC2133)
3913                                 return -EINVAL;
3914                         snum = ntohs(addr6->sin6_port);
3915                 }
3916
3917                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3918                 if (err)
3919                         goto out;
3920
3921                 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3922                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3923
3924                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3925                 ad.u.net.dport = htons(snum);
3926                 ad.u.net.family = sk->sk_family;
3927                 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3928                 if (err)
3929                         goto out;
3930         }
3931
3932         err = selinux_netlbl_socket_connect(sk, address);
3933
3934 out:
3935         return err;
3936 }
3937
3938 static int selinux_socket_listen(struct socket *sock, int backlog)
3939 {
3940         return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3941 }
3942
3943 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3944 {
3945         int err;
3946         struct inode_security_struct *isec;
3947         struct inode_security_struct *newisec;
3948
3949         err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
3950         if (err)
3951                 return err;
3952
3953         newisec = SOCK_INODE(newsock)->i_security;
3954
3955         isec = SOCK_INODE(sock)->i_security;
3956         newisec->sclass = isec->sclass;
3957         newisec->sid = isec->sid;
3958         newisec->initialized = 1;
3959
3960         return 0;
3961 }
3962
3963 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3964                                   int size)
3965 {
3966         return sock_has_perm(current, sock->sk, SOCKET__WRITE);
3967 }
3968
3969 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3970                                   int size, int flags)
3971 {
3972         return sock_has_perm(current, sock->sk, SOCKET__READ);
3973 }
3974
3975 static int selinux_socket_getsockname(struct socket *sock)
3976 {
3977         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3978 }
3979
3980 static int selinux_socket_getpeername(struct socket *sock)
3981 {
3982         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3983 }
3984
3985 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3986 {
3987         int err;
3988
3989         err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
3990         if (err)
3991                 return err;
3992
3993         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3994 }
3995
3996 static int selinux_socket_getsockopt(struct socket *sock, int level,
3997                                      int optname)
3998 {
3999         return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4000 }
4001
4002 static int selinux_socket_shutdown(struct socket *sock, int how)
4003 {
4004         return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4005 }
4006
4007 static int selinux_socket_unix_stream_connect(struct sock *sock,
4008                                               struct sock *other,
4009                                               struct sock *newsk)
4010 {
4011         struct sk_security_struct *sksec_sock = sock->sk_security;
4012         struct sk_security_struct *sksec_other = other->sk_security;
4013         struct sk_security_struct *sksec_new = newsk->sk_security;
4014         struct common_audit_data ad;
4015         int err;
4016
4017         COMMON_AUDIT_DATA_INIT(&ad, NET);
4018         ad.u.net.sk = other;
4019
4020         err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4021                            sksec_other->sclass,
4022                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4023         if (err)
4024                 return err;
4025
4026         /* server child socket */
4027         sksec_new->peer_sid = sksec_sock->sid;
4028         err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4029                                     &sksec_new->sid);
4030         if (err)
4031                 return err;
4032
4033         /* connecting socket */
4034         sksec_sock->peer_sid = sksec_new->sid;
4035
4036         return 0;
4037 }
4038
4039 static int selinux_socket_unix_may_send(struct socket *sock,
4040                                         struct socket *other)
4041 {
4042         struct sk_security_struct *ssec = sock->sk->sk_security;
4043         struct sk_security_struct *osec = other->sk->sk_security;
4044         struct common_audit_data ad;
4045
4046         COMMON_AUDIT_DATA_INIT(&ad, NET);
4047         ad.u.net.sk = other->sk;
4048
4049         return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4050                             &ad);
4051 }
4052
4053 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4054                                     u32 peer_sid,
4055                                     struct common_audit_data *ad)
4056 {
4057         int err;
4058         u32 if_sid;
4059         u32 node_sid;
4060
4061         err = sel_netif_sid(ifindex, &if_sid);
4062         if (err)
4063                 return err;
4064         err = avc_has_perm(peer_sid, if_sid,
4065                            SECCLASS_NETIF, NETIF__INGRESS, ad);
4066         if (err)
4067                 return err;
4068
4069         err = sel_netnode_sid(addrp, family, &node_sid);
4070         if (err)
4071                 return err;
4072         return avc_has_perm(peer_sid, node_sid,
4073                             SECCLASS_NODE, NODE__RECVFROM, ad);
4074 }
4075
4076 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4077                                        u16 family)
4078 {
4079         int err = 0;
4080         struct sk_security_struct *sksec = sk->sk_security;
4081         u32 sk_sid = sksec->sid;
4082         struct common_audit_data ad;
4083         char *addrp;
4084
4085         COMMON_AUDIT_DATA_INIT(&ad, NET);
4086         ad.u.net.netif = skb->skb_iif;
4087         ad.u.net.family = family;
4088         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4089         if (err)
4090                 return err;
4091
4092         if (selinux_secmark_enabled()) {
4093                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4094                                    PACKET__RECV, &ad);
4095                 if (err)
4096                         return err;
4097         }
4098
4099         err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4100         if (err)
4101                 return err;
4102         err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4103
4104         return err;
4105 }
4106
4107 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4108 {
4109         int err;
4110         struct sk_security_struct *sksec = sk->sk_security;
4111         u16 family = sk->sk_family;
4112         u32 sk_sid = sksec->sid;
4113         struct common_audit_data ad;
4114         char *addrp;
4115         u8 secmark_active;
4116         u8 peerlbl_active;
4117
4118         if (family != PF_INET && family != PF_INET6)
4119                 return 0;
4120
4121         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4122         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4123                 family = PF_INET;
4124
4125         /* If any sort of compatibility mode is enabled then handoff processing
4126          * to the selinux_sock_rcv_skb_compat() function to deal with the
4127          * special handling.  We do this in an attempt to keep this function
4128          * as fast and as clean as possible. */
4129         if (!selinux_policycap_netpeer)
4130                 return selinux_sock_rcv_skb_compat(sk, skb, family);
4131
4132         secmark_active = selinux_secmark_enabled();
4133         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4134         if (!secmark_active && !peerlbl_active)
4135                 return 0;
4136
4137         COMMON_AUDIT_DATA_INIT(&ad, NET);
4138         ad.u.net.netif = skb->skb_iif;
4139         ad.u.net.family = family;
4140         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4141         if (err)
4142                 return err;
4143
4144         if (peerlbl_active) {
4145                 u32 peer_sid;
4146
4147                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4148                 if (err)
4149                         return err;
4150                 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4151                                                peer_sid, &ad);
4152                 if (err) {
4153                         selinux_netlbl_err(skb, err, 0);
4154                         return err;
4155                 }
4156                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4157                                    PEER__RECV, &ad);
4158                 if (err)
4159                         selinux_netlbl_err(skb, err, 0);
4160         }
4161
4162         if (secmark_active) {
4163                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4164                                    PACKET__RECV, &ad);
4165                 if (err)
4166                         return err;
4167         }
4168
4169         return err;
4170 }
4171
4172 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4173                                             int __user *optlen, unsigned len)
4174 {
4175         int err = 0;
4176         char *scontext;
4177         u32 scontext_len;
4178         struct sk_security_struct *sksec = sock->sk->sk_security;
4179         u32 peer_sid = SECSID_NULL;
4180
4181         if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4182             sksec->sclass == SECCLASS_TCP_SOCKET)
4183                 peer_sid = sksec->peer_sid;
4184         if (peer_sid == SECSID_NULL)
4185                 return -ENOPROTOOPT;
4186
4187         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4188         if (err)
4189                 return err;
4190
4191         if (scontext_len > len) {
4192                 err = -ERANGE;
4193                 goto out_len;
4194         }
4195
4196         if (copy_to_user(optval, scontext, scontext_len))
4197                 err = -EFAULT;
4198
4199 out_len:
4200         if (put_user(scontext_len, optlen))
4201                 err = -EFAULT;
4202         kfree(scontext);
4203         return err;
4204 }
4205
4206 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4207 {
4208         u32 peer_secid = SECSID_NULL;
4209         u16 family;
4210
4211         if (skb && skb->protocol == htons(ETH_P_IP))
4212                 family = PF_INET;
4213         else if (skb && skb->protocol == htons(ETH_P_IPV6))
4214                 family = PF_INET6;
4215         else if (sock)
4216                 family = sock->sk->sk_family;
4217         else
4218                 goto out;
4219
4220         if (sock && family == PF_UNIX)
4221                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4222         else if (skb)
4223                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4224
4225 out:
4226         *secid = peer_secid;
4227         if (peer_secid == SECSID_NULL)
4228                 return -EINVAL;
4229         return 0;
4230 }
4231
4232 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4233 {
4234         struct sk_security_struct *sksec;
4235
4236         sksec = kzalloc(sizeof(*sksec), priority);
4237         if (!sksec)
4238                 return -ENOMEM;
4239
4240         sksec->peer_sid = SECINITSID_UNLABELED;
4241         sksec->sid = SECINITSID_UNLABELED;
4242         selinux_netlbl_sk_security_reset(sksec);
4243         sk->sk_security = sksec;
4244
4245         return 0;
4246 }
4247
4248 static void selinux_sk_free_security(struct sock *sk)
4249 {
4250         struct sk_security_struct *sksec = sk->sk_security;
4251
4252         sk->sk_security = NULL;
4253         selinux_netlbl_sk_security_free(sksec);
4254         kfree(sksec);
4255 }
4256
4257 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4258 {
4259         struct sk_security_struct *sksec = sk->sk_security;
4260         struct sk_security_struct *newsksec = newsk->sk_security;
4261
4262         newsksec->sid = sksec->sid;
4263         newsksec->peer_sid = sksec->peer_sid;
4264         newsksec->sclass = sksec->sclass;
4265
4266         selinux_netlbl_sk_security_reset(newsksec);
4267 }
4268
4269 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4270 {
4271         if (!sk)
4272                 *secid = SECINITSID_ANY_SOCKET;
4273         else {
4274                 struct sk_security_struct *sksec = sk->sk_security;
4275
4276                 *secid = sksec->sid;
4277         }
4278 }
4279
4280 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4281 {
4282         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4283         struct sk_security_struct *sksec = sk->sk_security;
4284
4285         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4286             sk->sk_family == PF_UNIX)
4287                 isec->sid = sksec->sid;
4288         sksec->sclass = isec->sclass;
4289 }
4290
4291 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4292                                      struct request_sock *req)
4293 {
4294         struct sk_security_struct *sksec = sk->sk_security;
4295         int err;
4296         u16 family = sk->sk_family;
4297         u32 newsid;
4298         u32 peersid;
4299
4300         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4301         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4302                 family = PF_INET;
4303
4304         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4305         if (err)
4306                 return err;
4307         if (peersid == SECSID_NULL) {
4308                 req->secid = sksec->sid;
4309                 req->peer_secid = SECSID_NULL;
4310         } else {
4311                 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4312                 if (err)
4313                         return err;
4314                 req->secid = newsid;
4315                 req->peer_secid = peersid;
4316         }
4317
4318         return selinux_netlbl_inet_conn_request(req, family);
4319 }
4320
4321 static void selinux_inet_csk_clone(struct sock *newsk,
4322                                    const struct request_sock *req)
4323 {
4324         struct sk_security_struct *newsksec = newsk->sk_security;
4325
4326         newsksec->sid = req->secid;
4327         newsksec->peer_sid = req->peer_secid;
4328         /* NOTE: Ideally, we should also get the isec->sid for the
4329            new socket in sync, but we don't have the isec available yet.
4330            So we will wait until sock_graft to do it, by which
4331            time it will have been created and available. */
4332
4333         /* We don't need to take any sort of lock here as we are the only
4334          * thread with access to newsksec */
4335         selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4336 }
4337
4338 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4339 {
4340         u16 family = sk->sk_family;
4341         struct sk_security_struct *sksec = sk->sk_security;
4342
4343         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4344         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4345                 family = PF_INET;
4346
4347         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4348 }
4349
4350 static int selinux_secmark_relabel_packet(u32 sid)
4351 {
4352         const struct task_security_struct *__tsec;
4353         u32 tsid;
4354
4355         __tsec = current_security();
4356         tsid = __tsec->sid;
4357
4358         return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4359 }
4360
4361 static void selinux_secmark_refcount_inc(void)
4362 {
4363         atomic_inc(&selinux_secmark_refcount);
4364 }
4365
4366 static void selinux_secmark_refcount_dec(void)
4367 {
4368         atomic_dec(&selinux_secmark_refcount);
4369 }
4370
4371 static void selinux_req_classify_flow(const struct request_sock *req,
4372                                       struct flowi *fl)
4373 {
4374         fl->flowi_secid = req->secid;
4375 }
4376
4377 static int selinux_tun_dev_create(void)
4378 {
4379         u32 sid = current_sid();
4380
4381         /* we aren't taking into account the "sockcreate" SID since the socket
4382          * that is being created here is not a socket in the traditional sense,
4383          * instead it is a private sock, accessible only to the kernel, and
4384          * representing a wide range of network traffic spanning multiple
4385          * connections unlike traditional sockets - check the TUN driver to
4386          * get a better understanding of why this socket is special */
4387
4388         return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4389                             NULL);
4390 }
4391
4392 static void selinux_tun_dev_post_create(struct sock *sk)
4393 {
4394         struct sk_security_struct *sksec = sk->sk_security;
4395
4396         /* we don't currently perform any NetLabel based labeling here and it
4397          * isn't clear that we would want to do so anyway; while we could apply
4398          * labeling without the support of the TUN user the resulting labeled
4399          * traffic from the other end of the connection would almost certainly
4400          * cause confusion to the TUN user that had no idea network labeling
4401          * protocols were being used */
4402
4403         /* see the comments in selinux_tun_dev_create() about why we don't use
4404          * the sockcreate SID here */
4405
4406         sksec->sid = current_sid();
4407         sksec->sclass = SECCLASS_TUN_SOCKET;
4408 }
4409
4410 static int selinux_tun_dev_attach(struct sock *sk)
4411 {
4412         struct sk_security_struct *sksec = sk->sk_security;
4413         u32 sid = current_sid();
4414         int err;
4415
4416         err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4417                            TUN_SOCKET__RELABELFROM, NULL);
4418         if (err)
4419                 return err;
4420         err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4421                            TUN_SOCKET__RELABELTO, NULL);
4422         if (err)
4423                 return err;
4424
4425         sksec->sid = sid;
4426
4427         return 0;
4428 }
4429
4430 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4431 {
4432         int err = 0;
4433         u32 perm;
4434         struct nlmsghdr *nlh;
4435         struct sk_security_struct *sksec = sk->sk_security;
4436
4437         if (skb->len < NLMSG_SPACE(0)) {
4438                 err = -EINVAL;
4439                 goto out;
4440         }
4441         nlh = nlmsg_hdr(skb);
4442
4443         err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4444         if (err) {
4445                 if (err == -EINVAL) {
4446                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4447                                   "SELinux:  unrecognized netlink message"
4448                                   " type=%hu for sclass=%hu\n",
4449                                   nlh->nlmsg_type, sksec->sclass);
4450                         if (!selinux_enforcing || security_get_allow_unknown())
4451                                 err = 0;
4452                 }
4453
4454                 /* Ignore */
4455                 if (err == -ENOENT)
4456                         err = 0;
4457                 goto out;
4458         }
4459
4460         err = sock_has_perm(current, sk, perm);
4461 out:
4462         return err;
4463 }
4464
4465 #ifdef CONFIG_NETFILTER
4466
4467 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4468                                        u16 family)
4469 {
4470         int err;
4471         char *addrp;
4472         u32 peer_sid;
4473         struct common_audit_data ad;
4474         u8 secmark_active;
4475         u8 netlbl_active;
4476         u8 peerlbl_active;
4477
4478         if (!selinux_policycap_netpeer)
4479                 return NF_ACCEPT;
4480
4481         secmark_active = selinux_secmark_enabled();
4482         netlbl_active = netlbl_enabled();
4483         peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4484         if (!secmark_active && !peerlbl_active)
4485                 return NF_ACCEPT;
4486
4487         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4488                 return NF_DROP;
4489
4490         COMMON_AUDIT_DATA_INIT(&ad, NET);
4491         ad.u.net.netif = ifindex;
4492         ad.u.net.family = family;
4493         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4494                 return NF_DROP;
4495
4496         if (peerlbl_active) {
4497                 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4498                                                peer_sid, &ad);
4499                 if (err) {
4500                         selinux_netlbl_err(skb, err, 1);
4501                         return NF_DROP;
4502                 }
4503         }
4504
4505         if (secmark_active)
4506                 if (avc_has_perm(peer_sid, skb->secmark,
4507                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4508                         return NF_DROP;
4509
4510         if (netlbl_active)
4511                 /* we do this in the FORWARD path and not the POST_ROUTING
4512                  * path because we want to make sure we apply the necessary
4513                  * labeling before IPsec is applied so we can leverage AH
4514                  * protection */
4515                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4516                         return NF_DROP;
4517
4518         return NF_ACCEPT;
4519 }
4520
4521 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4522                                          struct sk_buff *skb,
4523                                          const struct net_device *in,
4524                                          const struct net_device *out,
4525                                          int (*okfn)(struct sk_buff *))
4526 {
4527         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4528 }
4529
4530 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4531 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4532                                          struct sk_buff *skb,
4533                                          const struct net_device *in,
4534                                          const struct net_device *out,
4535                                          int (*okfn)(struct sk_buff *))
4536 {
4537         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4538 }
4539 #endif  /* IPV6 */
4540
4541 static unsigned int selinux_ip_output(struct sk_buff *skb,
4542                                       u16 family)
4543 {
4544         u32 sid;
4545
4546         if (!netlbl_enabled())
4547                 return NF_ACCEPT;
4548
4549         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4550          * because we want to make sure we apply the necessary labeling
4551          * before IPsec is applied so we can leverage AH protection */
4552         if (skb->sk) {
4553                 struct sk_security_struct *sksec = skb->sk->sk_security;
4554                 sid = sksec->sid;
4555         } else
4556                 sid = SECINITSID_KERNEL;
4557         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4558                 return NF_DROP;
4559
4560         return NF_ACCEPT;
4561 }
4562
4563 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4564                                         struct sk_buff *skb,
4565                                         const struct net_device *in,
4566                                         const struct net_device *out,
4567                                         int (*okfn)(struct sk_buff *))
4568 {
4569         return selinux_ip_output(skb, PF_INET);
4570 }
4571
4572 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4573                                                 int ifindex,
4574                                                 u16 family)
4575 {
4576         struct sock *sk = skb->sk;
4577         struct sk_security_struct *sksec;
4578         struct common_audit_data ad;
4579         char *addrp;
4580         u8 proto;
4581
4582         if (sk == NULL)
4583                 return NF_ACCEPT;
4584         sksec = sk->sk_security;
4585
4586         COMMON_AUDIT_DATA_INIT(&ad, NET);
4587         ad.u.net.netif = ifindex;
4588         ad.u.net.family = family;
4589         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4590                 return NF_DROP;
4591
4592         if (selinux_secmark_enabled())
4593                 if (avc_has_perm(sksec->sid, skb->secmark,
4594                                  SECCLASS_PACKET, PACKET__SEND, &ad))
4595                         return NF_DROP_ERR(-ECONNREFUSED);
4596
4597         if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4598                 return NF_DROP_ERR(-ECONNREFUSED);
4599
4600         return NF_ACCEPT;
4601 }
4602
4603 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4604                                          u16 family)
4605 {
4606         u32 secmark_perm;
4607         u32 peer_sid;
4608         struct sock *sk;
4609         struct common_audit_data ad;
4610         char *addrp;
4611         u8 secmark_active;
4612         u8 peerlbl_active;
4613
4614         /* If any sort of compatibility mode is enabled then handoff processing
4615          * to the selinux_ip_postroute_compat() function to deal with the
4616          * special handling.  We do this in an attempt to keep this function
4617          * as fast and as clean as possible. */
4618         if (!selinux_policycap_netpeer)
4619                 return selinux_ip_postroute_compat(skb, ifindex, family);
4620 #ifdef CONFIG_XFRM
4621         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4622          * packet transformation so allow the packet to pass without any checks
4623          * since we'll have another chance to perform access control checks
4624          * when the packet is on it's final way out.
4625          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4626          *       is NULL, in this case go ahead and apply access control. */
4627         if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4628                 return NF_ACCEPT;
4629 #endif
4630         secmark_active = selinux_secmark_enabled();
4631         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4632         if (!secmark_active && !peerlbl_active)
4633                 return NF_ACCEPT;
4634
4635         /* if the packet is being forwarded then get the peer label from the
4636          * packet itself; otherwise check to see if it is from a local
4637          * application or the kernel, if from an application get the peer label
4638          * from the sending socket, otherwise use the kernel's sid */
4639         sk = skb->sk;
4640         if (sk == NULL) {
4641                 if (skb->skb_iif) {
4642                         secmark_perm = PACKET__FORWARD_OUT;
4643                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4644                                 return NF_DROP;
4645                 } else {
4646                         secmark_perm = PACKET__SEND;
4647                         peer_sid = SECINITSID_KERNEL;
4648                 }
4649         } else {
4650                 struct sk_security_struct *sksec = sk->sk_security;
4651                 peer_sid = sksec->sid;
4652                 secmark_perm = PACKET__SEND;
4653         }
4654
4655         COMMON_AUDIT_DATA_INIT(&ad, NET);
4656         ad.u.net.netif = ifindex;
4657         ad.u.net.family = family;
4658         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4659                 return NF_DROP;
4660
4661         if (secmark_active)
4662                 if (avc_has_perm(peer_sid, skb->secmark,
4663                                  SECCLASS_PACKET, secmark_perm, &ad))
4664                         return NF_DROP_ERR(-ECONNREFUSED);
4665
4666         if (peerlbl_active) {
4667                 u32 if_sid;
4668                 u32 node_sid;
4669
4670                 if (sel_netif_sid(ifindex, &if_sid))
4671                         return NF_DROP;
4672                 if (avc_has_perm(peer_sid, if_sid,
4673                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4674                         return NF_DROP_ERR(-ECONNREFUSED);
4675
4676                 if (sel_netnode_sid(addrp, family, &node_sid))
4677                         return NF_DROP;
4678                 if (avc_has_perm(peer_sid, node_sid,
4679                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4680                         return NF_DROP_ERR(-ECONNREFUSED);
4681         }
4682
4683         return NF_ACCEPT;
4684 }
4685
4686 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4687                                            struct sk_buff *skb,
4688                                            const struct net_device *in,
4689                                            const struct net_device *out,
4690                                            int (*okfn)(struct sk_buff *))
4691 {
4692         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4693 }
4694
4695 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4696 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4697                                            struct sk_buff *skb,
4698                                            const struct net_device *in,
4699                                            const struct net_device *out,
4700                                            int (*okfn)(struct sk_buff *))
4701 {
4702         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4703 }
4704 #endif  /* IPV6 */
4705
4706 #endif  /* CONFIG_NETFILTER */
4707
4708 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4709 {
4710         int err;
4711
4712         err = cap_netlink_send(sk, skb);
4713         if (err)
4714                 return err;
4715
4716         return selinux_nlmsg_perm(sk, skb);
4717 }
4718
4719 static int ipc_alloc_security(struct task_struct *task,
4720                               struct kern_ipc_perm *perm,
4721                               u16 sclass)
4722 {
4723         struct ipc_security_struct *isec;
4724         u32 sid;
4725
4726         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4727         if (!isec)
4728                 return -ENOMEM;
4729
4730         sid = task_sid(task);
4731         isec->sclass = sclass;
4732         isec->sid = sid;
4733         perm->security = isec;
4734
4735         return 0;
4736 }
4737
4738 static void ipc_free_security(struct kern_ipc_perm *perm)
4739 {
4740         struct ipc_security_struct *isec = perm->security;
4741         perm->security = NULL;
4742         kfree(isec);
4743 }
4744
4745 static int msg_msg_alloc_security(struct msg_msg *msg)
4746 {
4747         struct msg_security_struct *msec;
4748
4749         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4750         if (!msec)
4751                 return -ENOMEM;
4752
4753         msec->sid = SECINITSID_UNLABELED;
4754         msg->security = msec;
4755
4756         return 0;
4757 }
4758
4759 static void msg_msg_free_security(struct msg_msg *msg)
4760 {
4761         struct msg_security_struct *msec = msg->security;
4762
4763         msg->security = NULL;
4764         kfree(msec);
4765 }
4766
4767 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4768                         u32 perms)
4769 {
4770         struct ipc_security_struct *isec;
4771         struct common_audit_data ad;
4772         u32 sid = current_sid();
4773
4774         isec = ipc_perms->security;
4775
4776         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4777         ad.u.ipc_id = ipc_perms->key;
4778
4779         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4780 }
4781
4782 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4783 {
4784         return msg_msg_alloc_security(msg);
4785 }
4786
4787 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4788 {
4789         msg_msg_free_security(msg);
4790 }
4791
4792 /* message queue security operations */
4793 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4794 {
4795         struct ipc_security_struct *isec;
4796         struct common_audit_data ad;
4797         u32 sid = current_sid();
4798         int rc;
4799
4800         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4801         if (rc)
4802                 return rc;
4803
4804         isec = msq->q_perm.security;
4805
4806         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4807         ad.u.ipc_id = msq->q_perm.key;
4808
4809         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4810                           MSGQ__CREATE, &ad);
4811         if (rc) {
4812                 ipc_free_security(&msq->q_perm);
4813                 return rc;
4814         }
4815         return 0;
4816 }
4817
4818 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4819 {
4820         ipc_free_security(&msq->q_perm);
4821 }
4822
4823 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4824 {
4825         struct ipc_security_struct *isec;
4826         struct common_audit_data ad;
4827         u32 sid = current_sid();
4828
4829         isec = msq->q_perm.security;
4830
4831         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4832         ad.u.ipc_id = msq->q_perm.key;
4833
4834         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4835                             MSGQ__ASSOCIATE, &ad);
4836 }
4837
4838 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4839 {
4840         int err;
4841         int perms;
4842
4843         switch (cmd) {
4844         case IPC_INFO:
4845         case MSG_INFO:
4846                 /* No specific object, just general system-wide information. */
4847                 return task_has_system(current, SYSTEM__IPC_INFO);
4848         case IPC_STAT:
4849         case MSG_STAT:
4850                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4851                 break;
4852         case IPC_SET:
4853                 perms = MSGQ__SETATTR;
4854                 break;
4855         case IPC_RMID:
4856                 perms = MSGQ__DESTROY;
4857                 break;
4858         default:
4859                 return 0;
4860         }
4861
4862         err = ipc_has_perm(&msq->q_perm, perms);
4863         return err;
4864 }
4865
4866 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4867 {
4868         struct ipc_security_struct *isec;
4869         struct msg_security_struct *msec;
4870         struct common_audit_data ad;
4871         u32 sid = current_sid();
4872         int rc;
4873
4874         isec = msq->q_perm.security;
4875         msec = msg->security;
4876
4877         /*
4878          * First time through, need to assign label to the message
4879          */
4880         if (msec->sid == SECINITSID_UNLABELED) {
4881                 /*
4882                  * Compute new sid based on current process and
4883                  * message queue this message will be stored in
4884                  */
4885                 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4886                                              NULL, &msec->sid);
4887                 if (rc)
4888                         return rc;
4889         }
4890
4891         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4892         ad.u.ipc_id = msq->q_perm.key;
4893
4894         /* Can this process write to the queue? */
4895         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4896                           MSGQ__WRITE, &ad);
4897         if (!rc)
4898                 /* Can this process send the message */
4899                 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4900                                   MSG__SEND, &ad);
4901         if (!rc)
4902                 /* Can the message be put in the queue? */
4903                 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4904                                   MSGQ__ENQUEUE, &ad);
4905
4906         return rc;
4907 }
4908
4909 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4910                                     struct task_struct *target,
4911                                     long type, int mode)
4912 {
4913         struct ipc_security_struct *isec;
4914         struct msg_security_struct *msec;
4915         struct common_audit_data ad;
4916         u32 sid = task_sid(target);
4917         int rc;
4918
4919         isec = msq->q_perm.security;
4920         msec = msg->security;
4921
4922         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4923         ad.u.ipc_id = msq->q_perm.key;
4924
4925         rc = avc_has_perm(sid, isec->sid,
4926                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4927         if (!rc)
4928                 rc = avc_has_perm(sid, msec->sid,
4929                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4930         return rc;
4931 }
4932
4933 /* Shared Memory security operations */
4934 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4935 {
4936         struct ipc_security_struct *isec;
4937         struct common_audit_data ad;
4938         u32 sid = current_sid();
4939         int rc;
4940
4941         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4942         if (rc)
4943                 return rc;
4944
4945         isec = shp->shm_perm.security;
4946
4947         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4948         ad.u.ipc_id = shp->shm_perm.key;
4949
4950         rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4951                           SHM__CREATE, &ad);
4952         if (rc) {
4953                 ipc_free_security(&shp->shm_perm);
4954                 return rc;
4955         }
4956         return 0;
4957 }
4958
4959 static void selinux_shm_free_security(struct shmid_kernel *shp)
4960 {
4961         ipc_free_security(&shp->shm_perm);
4962 }
4963
4964 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4965 {
4966         struct ipc_security_struct *isec;
4967         struct common_audit_data ad;
4968         u32 sid = current_sid();
4969
4970         isec = shp->shm_perm.security;
4971
4972         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4973         ad.u.ipc_id = shp->shm_perm.key;
4974
4975         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4976                             SHM__ASSOCIATE, &ad);
4977 }
4978
4979 /* Note, at this point, shp is locked down */
4980 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4981 {
4982         int perms;
4983         int err;
4984
4985         switch (cmd) {
4986         case IPC_INFO:
4987         case SHM_INFO:
4988                 /* No specific object, just general system-wide information. */
4989                 return task_has_system(current, SYSTEM__IPC_INFO);
4990         case IPC_STAT:
4991         case SHM_STAT:
4992                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4993                 break;
4994         case IPC_SET:
4995                 perms = SHM__SETATTR;
4996                 break;
4997         case SHM_LOCK:
4998         case SHM_UNLOCK:
4999                 perms = SHM__LOCK;
5000                 break;
5001         case IPC_RMID:
5002                 perms = SHM__DESTROY;
5003                 break;
5004         default:
5005                 return 0;
5006         }
5007
5008         err = ipc_has_perm(&shp->shm_perm, perms);
5009         return err;
5010 }
5011
5012 static int selinux_shm_shmat(struct shmid_kernel *shp,
5013                              char __user *shmaddr, int shmflg)
5014 {
5015         u32 perms;
5016
5017         if (shmflg & SHM_RDONLY)
5018                 perms = SHM__READ;
5019         else
5020                 perms = SHM__READ | SHM__WRITE;
5021
5022         return ipc_has_perm(&shp->shm_perm, perms);
5023 }
5024
5025 /* Semaphore security operations */
5026 static int selinux_sem_alloc_security(struct sem_array *sma)
5027 {
5028         struct ipc_security_struct *isec;
5029         struct common_audit_data ad;
5030         u32 sid = current_sid();
5031         int rc;
5032
5033         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5034         if (rc)
5035                 return rc;
5036
5037         isec = sma->sem_perm.security;
5038
5039         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5040         ad.u.ipc_id = sma->sem_perm.key;
5041
5042         rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5043                           SEM__CREATE, &ad);
5044         if (rc) {
5045                 ipc_free_security(&sma->sem_perm);
5046                 return rc;
5047         }
5048         return 0;
5049 }
5050
5051 static void selinux_sem_free_security(struct sem_array *sma)
5052 {
5053         ipc_free_security(&sma->sem_perm);
5054 }
5055
5056 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5057 {
5058         struct ipc_security_struct *isec;
5059         struct common_audit_data ad;
5060         u32 sid = current_sid();
5061
5062         isec = sma->sem_perm.security;
5063
5064         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5065         ad.u.ipc_id = sma->sem_perm.key;
5066
5067         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5068                             SEM__ASSOCIATE, &ad);
5069 }
5070
5071 /* Note, at this point, sma is locked down */
5072 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5073 {
5074         int err;
5075         u32 perms;
5076
5077         switch (cmd) {
5078         case IPC_INFO:
5079         case SEM_INFO:
5080                 /* No specific object, just general system-wide information. */
5081                 return task_has_system(current, SYSTEM__IPC_INFO);
5082         case GETPID:
5083         case GETNCNT:
5084         case GETZCNT:
5085                 perms = SEM__GETATTR;
5086                 break;
5087         case GETVAL:
5088         case GETALL:
5089                 perms = SEM__READ;
5090                 break;
5091         case SETVAL:
5092         case SETALL:
5093                 perms = SEM__WRITE;
5094                 break;
5095         case IPC_RMID:
5096                 perms = SEM__DESTROY;
5097                 break;
5098         case IPC_SET:
5099                 perms = SEM__SETATTR;
5100                 break;
5101         case IPC_STAT:
5102         case SEM_STAT:
5103                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5104                 break;
5105         default:
5106                 return 0;
5107         }
5108
5109         err = ipc_has_perm(&sma->sem_perm, perms);
5110         return err;
5111 }
5112
5113 static int selinux_sem_semop(struct sem_array *sma,
5114                              struct sembuf *sops, unsigned nsops, int alter)
5115 {
5116         u32 perms;
5117
5118         if (alter)
5119                 perms = SEM__READ | SEM__WRITE;
5120         else
5121                 perms = SEM__READ;
5122
5123         return ipc_has_perm(&sma->sem_perm, perms);
5124 }
5125
5126 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5127 {
5128         u32 av = 0;
5129
5130         av = 0;
5131         if (flag & S_IRUGO)
5132                 av |= IPC__UNIX_READ;
5133         if (flag & S_IWUGO)
5134                 av |= IPC__UNIX_WRITE;
5135
5136         if (av == 0)
5137                 return 0;
5138
5139         return ipc_has_perm(ipcp, av);
5140 }
5141
5142 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5143 {
5144         struct ipc_security_struct *isec = ipcp->security;
5145         *secid = isec->sid;
5146 }
5147
5148 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5149 {
5150         if (inode)
5151                 inode_doinit_with_dentry(inode, dentry);
5152 }
5153
5154 static int selinux_getprocattr(struct task_struct *p,
5155                                char *name, char **value)
5156 {
5157         const struct task_security_struct *__tsec;
5158         u32 sid;
5159         int error;
5160         unsigned len;
5161
5162         if (current != p) {
5163                 error = current_has_perm(p, PROCESS__GETATTR);
5164                 if (error)
5165                         return error;
5166         }
5167
5168         rcu_read_lock();
5169         __tsec = __task_cred(p)->security;
5170
5171         if (!strcmp(name, "current"))
5172                 sid = __tsec->sid;
5173         else if (!strcmp(name, "prev"))
5174                 sid = __tsec->osid;
5175         else if (!strcmp(name, "exec"))
5176                 sid = __tsec->exec_sid;
5177         else if (!strcmp(name, "fscreate"))
5178                 sid = __tsec->create_sid;
5179         else if (!strcmp(name, "keycreate"))
5180                 sid = __tsec->keycreate_sid;
5181         else if (!strcmp(name, "sockcreate"))
5182                 sid = __tsec->sockcreate_sid;
5183         else
5184                 goto invalid;
5185         rcu_read_unlock();
5186
5187         if (!sid)
5188                 return 0;
5189
5190         error = security_sid_to_context(sid, value, &len);
5191         if (error)
5192                 return error;
5193         return len;
5194
5195 invalid:
5196         rcu_read_unlock();
5197         return -EINVAL;
5198 }
5199
5200 static int selinux_setprocattr(struct task_struct *p,
5201                                char *name, void *value, size_t size)
5202 {
5203         struct task_security_struct *tsec;
5204         struct task_struct *tracer;
5205         struct cred *new;
5206         u32 sid = 0, ptsid;
5207         int error;
5208         char *str = value;
5209
5210         if (current != p) {
5211                 /* SELinux only allows a process to change its own
5212                    security attributes. */
5213                 return -EACCES;
5214         }
5215
5216         /*
5217          * Basic control over ability to set these attributes at all.
5218          * current == p, but we'll pass them separately in case the
5219          * above restriction is ever removed.
5220          */
5221         if (!strcmp(name, "exec"))
5222                 error = current_has_perm(p, PROCESS__SETEXEC);
5223         else if (!strcmp(name, "fscreate"))
5224                 error = current_has_perm(p, PROCESS__SETFSCREATE);
5225         else if (!strcmp(name, "keycreate"))
5226                 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5227         else if (!strcmp(name, "sockcreate"))
5228                 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5229         else if (!strcmp(name, "current"))
5230                 error = current_has_perm(p, PROCESS__SETCURRENT);
5231         else
5232                 error = -EINVAL;
5233         if (error)
5234                 return error;
5235
5236         /* Obtain a SID for the context, if one was specified. */
5237         if (size && str[1] && str[1] != '\n') {
5238                 if (str[size-1] == '\n') {
5239                         str[size-1] = 0;
5240                         size--;
5241                 }
5242                 error = security_context_to_sid(value, size, &sid);
5243                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5244                         if (!capable(CAP_MAC_ADMIN))
5245                                 return error;
5246                         error = security_context_to_sid_force(value, size,
5247                                                               &sid);
5248                 }
5249                 if (error)
5250                         return error;
5251         }
5252
5253         new = prepare_creds();
5254         if (!new)
5255                 return -ENOMEM;
5256
5257         /* Permission checking based on the specified context is
5258            performed during the actual operation (execve,
5259            open/mkdir/...), when we know the full context of the
5260            operation.  See selinux_bprm_set_creds for the execve
5261            checks and may_create for the file creation checks. The
5262            operation will then fail if the context is not permitted. */
5263         tsec = new->security;
5264         if (!strcmp(name, "exec")) {
5265                 tsec->exec_sid = sid;
5266         } else if (!strcmp(name, "fscreate")) {
5267                 tsec->create_sid = sid;
5268         } else if (!strcmp(name, "keycreate")) {
5269                 error = may_create_key(sid, p);
5270                 if (error)
5271                         goto abort_change;
5272                 tsec->keycreate_sid = sid;
5273         } else if (!strcmp(name, "sockcreate")) {
5274                 tsec->sockcreate_sid = sid;
5275         } else if (!strcmp(name, "current")) {
5276                 error = -EINVAL;
5277                 if (sid == 0)
5278                         goto abort_change;
5279
5280                 /* Only allow single threaded processes to change context */
5281                 error = -EPERM;
5282                 if (!current_is_single_threaded()) {
5283                         error = security_bounded_transition(tsec->sid, sid);
5284                         if (error)
5285                                 goto abort_change;
5286                 }
5287
5288                 /* Check permissions for the transition. */
5289                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5290                                      PROCESS__DYNTRANSITION, NULL);
5291                 if (error)
5292                         goto abort_change;
5293
5294                 /* Check for ptracing, and update the task SID if ok.
5295                    Otherwise, leave SID unchanged and fail. */
5296                 ptsid = 0;
5297                 task_lock(p);
5298                 tracer = ptrace_parent(p);
5299                 if (tracer)
5300                         ptsid = task_sid(tracer);
5301                 task_unlock(p);
5302
5303                 if (tracer) {
5304                         error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5305                                              PROCESS__PTRACE, NULL);
5306                         if (error)
5307                                 goto abort_change;
5308                 }
5309
5310                 tsec->sid = sid;
5311         } else {
5312                 error = -EINVAL;
5313                 goto abort_change;
5314         }
5315
5316         commit_creds(new);
5317         return size;
5318
5319 abort_change:
5320         abort_creds(new);
5321         return error;
5322 }
5323
5324 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5325 {
5326         return security_sid_to_context(secid, secdata, seclen);
5327 }
5328
5329 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5330 {
5331         return security_context_to_sid(secdata, seclen, secid);
5332 }
5333
5334 static void selinux_release_secctx(char *secdata, u32 seclen)
5335 {
5336         kfree(secdata);
5337 }
5338
5339 /*
5340  *      called with inode->i_mutex locked
5341  */
5342 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5343 {
5344         return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5345 }
5346
5347 /*
5348  *      called with inode->i_mutex locked
5349  */
5350 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5351 {
5352         return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5353 }
5354
5355 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5356 {
5357         int len = 0;
5358         len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5359                                                 ctx, true);
5360         if (len < 0)
5361                 return len;
5362         *ctxlen = len;
5363         return 0;
5364 }
5365 #ifdef CONFIG_KEYS
5366
5367 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5368                              unsigned long flags)
5369 {
5370         const struct task_security_struct *tsec;
5371         struct key_security_struct *ksec;
5372
5373         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5374         if (!ksec)
5375                 return -ENOMEM;
5376
5377         tsec = cred->security;
5378         if (tsec->keycreate_sid)
5379                 ksec->sid = tsec->keycreate_sid;
5380         else
5381                 ksec->sid = tsec->sid;
5382
5383         k->security = ksec;
5384         return 0;
5385 }
5386
5387 static void selinux_key_free(struct key *k)
5388 {
5389         struct key_security_struct *ksec = k->security;
5390
5391         k->security = NULL;
5392         kfree(ksec);
5393 }
5394
5395 static int selinux_key_permission(key_ref_t key_ref,
5396                                   const struct cred *cred,
5397                                   key_perm_t perm)
5398 {
5399         struct key *key;
5400         struct key_security_struct *ksec;
5401         u32 sid;
5402
5403         /* if no specific permissions are requested, we skip the
5404            permission check. No serious, additional covert channels
5405            appear to be created. */
5406         if (perm == 0)
5407                 return 0;
5408
5409         sid = cred_sid(cred);
5410
5411         key = key_ref_to_ptr(key_ref);
5412         ksec = key->security;
5413
5414         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5415 }
5416
5417 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5418 {
5419         struct key_security_struct *ksec = key->security;
5420         char *context = NULL;
5421         unsigned len;
5422         int rc;
5423
5424         rc = security_sid_to_context(ksec->sid, &context, &len);
5425         if (!rc)
5426                 rc = len;
5427         *_buffer = context;
5428         return rc;
5429 }
5430
5431 #endif
5432
5433 static struct security_operations selinux_ops = {
5434         .name =                         "selinux",
5435
5436         .ptrace_access_check =          selinux_ptrace_access_check,
5437         .ptrace_traceme =               selinux_ptrace_traceme,
5438         .capget =                       selinux_capget,
5439         .capset =                       selinux_capset,
5440         .capable =                      selinux_capable,
5441         .quotactl =                     selinux_quotactl,
5442         .quota_on =                     selinux_quota_on,
5443         .syslog =                       selinux_syslog,
5444         .vm_enough_memory =             selinux_vm_enough_memory,
5445
5446         .netlink_send =                 selinux_netlink_send,
5447
5448         .bprm_set_creds =               selinux_bprm_set_creds,
5449         .bprm_committing_creds =        selinux_bprm_committing_creds,
5450         .bprm_committed_creds =         selinux_bprm_committed_creds,
5451         .bprm_secureexec =              selinux_bprm_secureexec,
5452
5453         .sb_alloc_security =            selinux_sb_alloc_security,
5454         .sb_free_security =             selinux_sb_free_security,
5455         .sb_copy_data =                 selinux_sb_copy_data,
5456         .sb_remount =                   selinux_sb_remount,
5457         .sb_kern_mount =                selinux_sb_kern_mount,
5458         .sb_show_options =              selinux_sb_show_options,
5459         .sb_statfs =                    selinux_sb_statfs,
5460         .sb_mount =                     selinux_mount,
5461         .sb_umount =                    selinux_umount,
5462         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5463         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5464         .sb_parse_opts_str =            selinux_parse_opts_str,
5465
5466
5467         .inode_alloc_security =         selinux_inode_alloc_security,
5468         .inode_free_security =          selinux_inode_free_security,
5469         .inode_init_security =          selinux_inode_init_security,
5470         .inode_create =                 selinux_inode_create,
5471         .inode_link =                   selinux_inode_link,
5472         .inode_unlink =                 selinux_inode_unlink,
5473         .inode_symlink =                selinux_inode_symlink,
5474         .inode_mkdir =                  selinux_inode_mkdir,
5475         .inode_rmdir =                  selinux_inode_rmdir,
5476         .inode_mknod =                  selinux_inode_mknod,
5477         .inode_rename =                 selinux_inode_rename,
5478         .inode_readlink =               selinux_inode_readlink,
5479         .inode_follow_link =            selinux_inode_follow_link,
5480         .inode_permission =             selinux_inode_permission,
5481         .inode_setattr =                selinux_inode_setattr,
5482         .inode_getattr =                selinux_inode_getattr,
5483         .inode_setxattr =               selinux_inode_setxattr,
5484         .inode_post_setxattr =          selinux_inode_post_setxattr,
5485         .inode_getxattr =               selinux_inode_getxattr,
5486         .inode_listxattr =              selinux_inode_listxattr,
5487         .inode_removexattr =            selinux_inode_removexattr,
5488         .inode_getsecurity =            selinux_inode_getsecurity,
5489         .inode_setsecurity =            selinux_inode_setsecurity,
5490         .inode_listsecurity =           selinux_inode_listsecurity,
5491         .inode_getsecid =               selinux_inode_getsecid,
5492
5493         .file_permission =              selinux_file_permission,
5494         .file_alloc_security =          selinux_file_alloc_security,
5495         .file_free_security =           selinux_file_free_security,
5496         .file_ioctl =                   selinux_file_ioctl,
5497         .file_mmap =                    selinux_file_mmap,
5498         .file_mprotect =                selinux_file_mprotect,
5499         .file_lock =                    selinux_file_lock,
5500         .file_fcntl =                   selinux_file_fcntl,
5501         .file_set_fowner =              selinux_file_set_fowner,
5502         .file_send_sigiotask =          selinux_file_send_sigiotask,
5503         .file_receive =                 selinux_file_receive,
5504
5505         .dentry_open =                  selinux_dentry_open,
5506
5507         .task_create =                  selinux_task_create,
5508         .cred_alloc_blank =             selinux_cred_alloc_blank,
5509         .cred_free =                    selinux_cred_free,
5510         .cred_prepare =                 selinux_cred_prepare,
5511         .cred_transfer =                selinux_cred_transfer,
5512         .kernel_act_as =                selinux_kernel_act_as,
5513         .kernel_create_files_as =       selinux_kernel_create_files_as,
5514         .kernel_module_request =        selinux_kernel_module_request,
5515         .task_setpgid =                 selinux_task_setpgid,
5516         .task_getpgid =                 selinux_task_getpgid,
5517         .task_getsid =                  selinux_task_getsid,
5518         .task_getsecid =                selinux_task_getsecid,
5519         .task_setnice =                 selinux_task_setnice,
5520         .task_setioprio =               selinux_task_setioprio,
5521         .task_getioprio =               selinux_task_getioprio,
5522         .task_setrlimit =               selinux_task_setrlimit,
5523         .task_setscheduler =            selinux_task_setscheduler,
5524         .task_getscheduler =            selinux_task_getscheduler,
5525         .task_movememory =              selinux_task_movememory,
5526         .task_kill =                    selinux_task_kill,
5527         .task_wait =                    selinux_task_wait,
5528         .task_to_inode =                selinux_task_to_inode,
5529
5530         .ipc_permission =               selinux_ipc_permission,
5531         .ipc_getsecid =                 selinux_ipc_getsecid,
5532
5533         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5534         .msg_msg_free_security =        selinux_msg_msg_free_security,
5535
5536         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5537         .msg_queue_free_security =      selinux_msg_queue_free_security,
5538         .msg_queue_associate =          selinux_msg_queue_associate,
5539         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5540         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5541         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5542
5543         .shm_alloc_security =           selinux_shm_alloc_security,
5544         .shm_free_security =            selinux_shm_free_security,
5545         .shm_associate =                selinux_shm_associate,
5546         .shm_shmctl =                   selinux_shm_shmctl,
5547         .shm_shmat =                    selinux_shm_shmat,
5548
5549         .sem_alloc_security =           selinux_sem_alloc_security,
5550         .sem_free_security =            selinux_sem_free_security,
5551         .sem_associate =                selinux_sem_associate,
5552         .sem_semctl =                   selinux_sem_semctl,
5553         .sem_semop =                    selinux_sem_semop,
5554
5555         .d_instantiate =                selinux_d_instantiate,
5556
5557         .getprocattr =                  selinux_getprocattr,
5558         .setprocattr =                  selinux_setprocattr,
5559
5560         .secid_to_secctx =              selinux_secid_to_secctx,
5561         .secctx_to_secid =              selinux_secctx_to_secid,
5562         .release_secctx =               selinux_release_secctx,
5563         .inode_notifysecctx =           selinux_inode_notifysecctx,
5564         .inode_setsecctx =              selinux_inode_setsecctx,
5565         .inode_getsecctx =              selinux_inode_getsecctx,
5566
5567         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5568         .unix_may_send =                selinux_socket_unix_may_send,
5569
5570         .socket_create =                selinux_socket_create,
5571         .socket_post_create =           selinux_socket_post_create,
5572         .socket_bind =                  selinux_socket_bind,
5573         .socket_connect =               selinux_socket_connect,
5574         .socket_listen =                selinux_socket_listen,
5575         .socket_accept =                selinux_socket_accept,
5576         .socket_sendmsg =               selinux_socket_sendmsg,
5577         .socket_recvmsg =               selinux_socket_recvmsg,
5578         .socket_getsockname =           selinux_socket_getsockname,
5579         .socket_getpeername =           selinux_socket_getpeername,
5580         .socket_getsockopt =            selinux_socket_getsockopt,
5581         .socket_setsockopt =            selinux_socket_setsockopt,
5582         .socket_shutdown =              selinux_socket_shutdown,
5583         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5584         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5585         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5586         .sk_alloc_security =            selinux_sk_alloc_security,
5587         .sk_free_security =             selinux_sk_free_security,
5588         .sk_clone_security =            selinux_sk_clone_security,
5589         .sk_getsecid =                  selinux_sk_getsecid,
5590         .sock_graft =                   selinux_sock_graft,
5591         .inet_conn_request =            selinux_inet_conn_request,
5592         .inet_csk_clone =               selinux_inet_csk_clone,
5593         .inet_conn_established =        selinux_inet_conn_established,
5594         .secmark_relabel_packet =       selinux_secmark_relabel_packet,
5595         .secmark_refcount_inc =         selinux_secmark_refcount_inc,
5596         .secmark_refcount_dec =         selinux_secmark_refcount_dec,
5597         .req_classify_flow =            selinux_req_classify_flow,
5598         .tun_dev_create =               selinux_tun_dev_create,
5599         .tun_dev_post_create =          selinux_tun_dev_post_create,
5600         .tun_dev_attach =               selinux_tun_dev_attach,
5601
5602 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5603         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5604         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5605         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5606         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5607         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5608         .xfrm_state_free_security =     selinux_xfrm_state_free,
5609         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5610         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5611         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5612         .xfrm_decode_session =          selinux_xfrm_decode_session,
5613 #endif
5614
5615 #ifdef CONFIG_KEYS
5616         .key_alloc =                    selinux_key_alloc,
5617         .key_free =                     selinux_key_free,
5618         .key_permission =               selinux_key_permission,
5619         .key_getsecurity =              selinux_key_getsecurity,
5620 #endif
5621
5622 #ifdef CONFIG_AUDIT
5623         .audit_rule_init =              selinux_audit_rule_init,
5624         .audit_rule_known =             selinux_audit_rule_known,
5625         .audit_rule_match =             selinux_audit_rule_match,
5626         .audit_rule_free =              selinux_audit_rule_free,
5627 #endif
5628 };
5629
5630 static __init int selinux_init(void)
5631 {
5632         if (!security_module_enable(&selinux_ops)) {
5633                 selinux_enabled = 0;
5634                 return 0;
5635         }
5636
5637         if (!selinux_enabled) {
5638                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5639                 return 0;
5640         }
5641
5642         printk(KERN_INFO "SELinux:  Initializing.\n");
5643
5644         /* Set the security state for the initial task. */
5645         cred_init_security();
5646
5647         default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5648
5649         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5650                                             sizeof(struct inode_security_struct),
5651                                             0, SLAB_PANIC, NULL);
5652         avc_init();
5653
5654         if (register_security(&selinux_ops))
5655                 panic("SELinux: Unable to register with kernel.\n");
5656
5657         if (selinux_enforcing)
5658                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5659         else
5660                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5661
5662         return 0;
5663 }
5664
5665 static void delayed_superblock_init(struct super_block *sb, void *unused)
5666 {
5667         superblock_doinit(sb, NULL);
5668 }
5669
5670 void selinux_complete_init(void)
5671 {
5672         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5673
5674         /* Set up any superblocks initialized prior to the policy load. */
5675         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5676         iterate_supers(delayed_superblock_init, NULL);
5677 }
5678
5679 /* SELinux requires early initialization in order to label
5680    all processes and objects when they are created. */
5681 security_initcall(selinux_init);
5682
5683 #if defined(CONFIG_NETFILTER)
5684
5685 static struct nf_hook_ops selinux_ipv4_ops[] = {
5686         {
5687                 .hook =         selinux_ipv4_postroute,
5688                 .owner =        THIS_MODULE,
5689                 .pf =           PF_INET,
5690                 .hooknum =      NF_INET_POST_ROUTING,
5691                 .priority =     NF_IP_PRI_SELINUX_LAST,
5692         },
5693         {
5694                 .hook =         selinux_ipv4_forward,
5695                 .owner =        THIS_MODULE,
5696                 .pf =           PF_INET,
5697                 .hooknum =      NF_INET_FORWARD,
5698                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5699         },
5700         {
5701                 .hook =         selinux_ipv4_output,
5702                 .owner =        THIS_MODULE,
5703                 .pf =           PF_INET,
5704                 .hooknum =      NF_INET_LOCAL_OUT,
5705                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5706         }
5707 };
5708
5709 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5710
5711 static struct nf_hook_ops selinux_ipv6_ops[] = {
5712         {
5713                 .hook =         selinux_ipv6_postroute,
5714                 .owner =        THIS_MODULE,
5715                 .pf =           PF_INET6,
5716                 .hooknum =      NF_INET_POST_ROUTING,
5717                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5718         },
5719         {
5720                 .hook =         selinux_ipv6_forward,
5721                 .owner =        THIS_MODULE,
5722                 .pf =           PF_INET6,
5723                 .hooknum =      NF_INET_FORWARD,
5724                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5725         }
5726 };
5727
5728 #endif  /* IPV6 */
5729
5730 static int __init selinux_nf_ip_init(void)
5731 {
5732         int err = 0;
5733
5734         if (!selinux_enabled)
5735                 goto out;
5736
5737         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5738
5739         err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5740         if (err)
5741                 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5742
5743 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5744         err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5745         if (err)
5746                 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5747 #endif  /* IPV6 */
5748
5749 out:
5750         return err;
5751 }
5752
5753 __initcall(selinux_nf_ip_init);
5754
5755 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5756 static void selinux_nf_ip_exit(void)
5757 {
5758         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5759
5760         nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5761 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5762         nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5763 #endif  /* IPV6 */
5764 }
5765 #endif
5766
5767 #else /* CONFIG_NETFILTER */
5768
5769 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5770 #define selinux_nf_ip_exit()
5771 #endif
5772
5773 #endif /* CONFIG_NETFILTER */
5774
5775 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5776 static int selinux_disabled;
5777
5778 int selinux_disable(void)
5779 {
5780         if (ss_initialized) {
5781                 /* Not permitted after initial policy load. */
5782                 return -EINVAL;
5783         }
5784
5785         if (selinux_disabled) {
5786                 /* Only do this once. */
5787                 return -EINVAL;
5788         }
5789
5790         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5791
5792         selinux_disabled = 1;
5793         selinux_enabled = 0;
5794
5795         reset_security_ops();
5796
5797         /* Try to destroy the avc node cache */
5798         avc_disable();
5799
5800         /* Unregister netfilter hooks. */
5801         selinux_nf_ip_exit();
5802
5803         /* Unregister selinuxfs. */
5804         exit_sel_fs();
5805
5806         return 0;
5807 }
5808 #endif