8fb248843009de5e6b71a01cae7b884cd597ba36
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul.moore@hp.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/ext2_fs.h>
32 #include <linux/sched.h>
33 #include <linux/security.h>
34 #include <linux/xattr.h>
35 #include <linux/capability.h>
36 #include <linux/unistd.h>
37 #include <linux/mm.h>
38 #include <linux/mman.h>
39 #include <linux/slab.h>
40 #include <linux/pagemap.h>
41 #include <linux/proc_fs.h>
42 #include <linux/swap.h>
43 #include <linux/spinlock.h>
44 #include <linux/syscalls.h>
45 #include <linux/dcache.h>
46 #include <linux/file.h>
47 #include <linux/fdtable.h>
48 #include <linux/namei.h>
49 #include <linux/mount.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h>             /* for local_port_range[] */
55 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <asm/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h>    /* for network interface checks */
64 #include <linux/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h>           /* for Unix socket types */
70 #include <net/af_unix.h>        /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
73 #include <net/ipv6.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83
84 #include "avc.h"
85 #include "objsec.h"
86 #include "netif.h"
87 #include "netnode.h"
88 #include "netport.h"
89 #include "xfrm.h"
90 #include "netlabel.h"
91 #include "audit.h"
92
93 #define NUM_SEL_MNT_OPTS 5
94
95 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
96 extern struct security_operations *security_ops;
97
98 /* SECMARK reference count */
99 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100
101 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102 int selinux_enforcing;
103
104 static int __init enforcing_setup(char *str)
105 {
106         unsigned long enforcing;
107         if (!strict_strtoul(str, 0, &enforcing))
108                 selinux_enforcing = enforcing ? 1 : 0;
109         return 1;
110 }
111 __setup("enforcing=", enforcing_setup);
112 #endif
113
114 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116
117 static int __init selinux_enabled_setup(char *str)
118 {
119         unsigned long enabled;
120         if (!strict_strtoul(str, 0, &enabled))
121                 selinux_enabled = enabled ? 1 : 0;
122         return 1;
123 }
124 __setup("selinux=", selinux_enabled_setup);
125 #else
126 int selinux_enabled = 1;
127 #endif
128
129 static struct kmem_cache *sel_inode_cache;
130
131 /**
132  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133  *
134  * Description:
135  * This function checks the SECMARK reference counter to see if any SECMARK
136  * targets are currently configured, if the reference counter is greater than
137  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
138  * enabled, false (0) if SECMARK is disabled.
139  *
140  */
141 static int selinux_secmark_enabled(void)
142 {
143         return (atomic_read(&selinux_secmark_refcount) > 0);
144 }
145
146 /*
147  * initialise the security for the init task
148  */
149 static void cred_init_security(void)
150 {
151         struct cred *cred = (struct cred *) current->real_cred;
152         struct task_security_struct *tsec;
153
154         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
155         if (!tsec)
156                 panic("SELinux:  Failed to initialize initial task.\n");
157
158         tsec->osid = tsec->sid = SECINITSID_KERNEL;
159         cred->security = tsec;
160 }
161
162 /*
163  * get the security ID of a set of credentials
164  */
165 static inline u32 cred_sid(const struct cred *cred)
166 {
167         const struct task_security_struct *tsec;
168
169         tsec = cred->security;
170         return tsec->sid;
171 }
172
173 /*
174  * get the objective security ID of a task
175  */
176 static inline u32 task_sid(const struct task_struct *task)
177 {
178         u32 sid;
179
180         rcu_read_lock();
181         sid = cred_sid(__task_cred(task));
182         rcu_read_unlock();
183         return sid;
184 }
185
186 /*
187  * get the subjective security ID of the current task
188  */
189 static inline u32 current_sid(void)
190 {
191         const struct task_security_struct *tsec = current_security();
192
193         return tsec->sid;
194 }
195
196 /* Allocate and free functions for each kind of security blob. */
197
198 static int inode_alloc_security(struct inode *inode)
199 {
200         struct inode_security_struct *isec;
201         u32 sid = current_sid();
202
203         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
204         if (!isec)
205                 return -ENOMEM;
206
207         mutex_init(&isec->lock);
208         INIT_LIST_HEAD(&isec->list);
209         isec->inode = inode;
210         isec->sid = SECINITSID_UNLABELED;
211         isec->sclass = SECCLASS_FILE;
212         isec->task_sid = sid;
213         inode->i_security = isec;
214
215         return 0;
216 }
217
218 static void inode_free_security(struct inode *inode)
219 {
220         struct inode_security_struct *isec = inode->i_security;
221         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
222
223         spin_lock(&sbsec->isec_lock);
224         if (!list_empty(&isec->list))
225                 list_del_init(&isec->list);
226         spin_unlock(&sbsec->isec_lock);
227
228         inode->i_security = NULL;
229         kmem_cache_free(sel_inode_cache, isec);
230 }
231
232 static int file_alloc_security(struct file *file)
233 {
234         struct file_security_struct *fsec;
235         u32 sid = current_sid();
236
237         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
238         if (!fsec)
239                 return -ENOMEM;
240
241         fsec->sid = sid;
242         fsec->fown_sid = sid;
243         file->f_security = fsec;
244
245         return 0;
246 }
247
248 static void file_free_security(struct file *file)
249 {
250         struct file_security_struct *fsec = file->f_security;
251         file->f_security = NULL;
252         kfree(fsec);
253 }
254
255 static int superblock_alloc_security(struct super_block *sb)
256 {
257         struct superblock_security_struct *sbsec;
258
259         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
260         if (!sbsec)
261                 return -ENOMEM;
262
263         mutex_init(&sbsec->lock);
264         INIT_LIST_HEAD(&sbsec->isec_head);
265         spin_lock_init(&sbsec->isec_lock);
266         sbsec->sb = sb;
267         sbsec->sid = SECINITSID_UNLABELED;
268         sbsec->def_sid = SECINITSID_FILE;
269         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
270         sb->s_security = sbsec;
271
272         return 0;
273 }
274
275 static void superblock_free_security(struct super_block *sb)
276 {
277         struct superblock_security_struct *sbsec = sb->s_security;
278         sb->s_security = NULL;
279         kfree(sbsec);
280 }
281
282 /* The security server must be initialized before
283    any labeling or access decisions can be provided. */
284 extern int ss_initialized;
285
286 /* The file system's label must be initialized prior to use. */
287
288 static const char *labeling_behaviors[6] = {
289         "uses xattr",
290         "uses transition SIDs",
291         "uses task SIDs",
292         "uses genfs_contexts",
293         "not configured for labeling",
294         "uses mountpoint labeling",
295 };
296
297 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
298
299 static inline int inode_doinit(struct inode *inode)
300 {
301         return inode_doinit_with_dentry(inode, NULL);
302 }
303
304 enum {
305         Opt_error = -1,
306         Opt_context = 1,
307         Opt_fscontext = 2,
308         Opt_defcontext = 3,
309         Opt_rootcontext = 4,
310         Opt_labelsupport = 5,
311 };
312
313 static const match_table_t tokens = {
314         {Opt_context, CONTEXT_STR "%s"},
315         {Opt_fscontext, FSCONTEXT_STR "%s"},
316         {Opt_defcontext, DEFCONTEXT_STR "%s"},
317         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
318         {Opt_labelsupport, LABELSUPP_STR},
319         {Opt_error, NULL},
320 };
321
322 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
323
324 static int may_context_mount_sb_relabel(u32 sid,
325                         struct superblock_security_struct *sbsec,
326                         const struct cred *cred)
327 {
328         const struct task_security_struct *tsec = cred->security;
329         int rc;
330
331         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
332                           FILESYSTEM__RELABELFROM, NULL);
333         if (rc)
334                 return rc;
335
336         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
337                           FILESYSTEM__RELABELTO, NULL);
338         return rc;
339 }
340
341 static int may_context_mount_inode_relabel(u32 sid,
342                         struct superblock_security_struct *sbsec,
343                         const struct cred *cred)
344 {
345         const struct task_security_struct *tsec = cred->security;
346         int rc;
347         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
348                           FILESYSTEM__RELABELFROM, NULL);
349         if (rc)
350                 return rc;
351
352         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
353                           FILESYSTEM__ASSOCIATE, NULL);
354         return rc;
355 }
356
357 static int sb_finish_set_opts(struct super_block *sb)
358 {
359         struct superblock_security_struct *sbsec = sb->s_security;
360         struct dentry *root = sb->s_root;
361         struct inode *root_inode = root->d_inode;
362         int rc = 0;
363
364         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
365                 /* Make sure that the xattr handler exists and that no
366                    error other than -ENODATA is returned by getxattr on
367                    the root directory.  -ENODATA is ok, as this may be
368                    the first boot of the SELinux kernel before we have
369                    assigned xattr values to the filesystem. */
370                 if (!root_inode->i_op->getxattr) {
371                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
372                                "xattr support\n", sb->s_id, sb->s_type->name);
373                         rc = -EOPNOTSUPP;
374                         goto out;
375                 }
376                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
377                 if (rc < 0 && rc != -ENODATA) {
378                         if (rc == -EOPNOTSUPP)
379                                 printk(KERN_WARNING "SELinux: (dev %s, type "
380                                        "%s) has no security xattr handler\n",
381                                        sb->s_id, sb->s_type->name);
382                         else
383                                 printk(KERN_WARNING "SELinux: (dev %s, type "
384                                        "%s) getxattr errno %d\n", sb->s_id,
385                                        sb->s_type->name, -rc);
386                         goto out;
387                 }
388         }
389
390         sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
391
392         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
393                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
394                        sb->s_id, sb->s_type->name);
395         else
396                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
397                        sb->s_id, sb->s_type->name,
398                        labeling_behaviors[sbsec->behavior-1]);
399
400         if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
401             sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
402             sbsec->behavior == SECURITY_FS_USE_NONE ||
403             sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
404                 sbsec->flags &= ~SE_SBLABELSUPP;
405
406         /* Special handling for sysfs. Is genfs but also has setxattr handler*/
407         if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
408                 sbsec->flags |= SE_SBLABELSUPP;
409
410         /* Initialize the root inode. */
411         rc = inode_doinit_with_dentry(root_inode, root);
412
413         /* Initialize any other inodes associated with the superblock, e.g.
414            inodes created prior to initial policy load or inodes created
415            during get_sb by a pseudo filesystem that directly
416            populates itself. */
417         spin_lock(&sbsec->isec_lock);
418 next_inode:
419         if (!list_empty(&sbsec->isec_head)) {
420                 struct inode_security_struct *isec =
421                                 list_entry(sbsec->isec_head.next,
422                                            struct inode_security_struct, list);
423                 struct inode *inode = isec->inode;
424                 spin_unlock(&sbsec->isec_lock);
425                 inode = igrab(inode);
426                 if (inode) {
427                         if (!IS_PRIVATE(inode))
428                                 inode_doinit(inode);
429                         iput(inode);
430                 }
431                 spin_lock(&sbsec->isec_lock);
432                 list_del_init(&isec->list);
433                 goto next_inode;
434         }
435         spin_unlock(&sbsec->isec_lock);
436 out:
437         return rc;
438 }
439
440 /*
441  * This function should allow an FS to ask what it's mount security
442  * options were so it can use those later for submounts, displaying
443  * mount options, or whatever.
444  */
445 static int selinux_get_mnt_opts(const struct super_block *sb,
446                                 struct security_mnt_opts *opts)
447 {
448         int rc = 0, i;
449         struct superblock_security_struct *sbsec = sb->s_security;
450         char *context = NULL;
451         u32 len;
452         char tmp;
453
454         security_init_mnt_opts(opts);
455
456         if (!(sbsec->flags & SE_SBINITIALIZED))
457                 return -EINVAL;
458
459         if (!ss_initialized)
460                 return -EINVAL;
461
462         tmp = sbsec->flags & SE_MNTMASK;
463         /* count the number of mount options for this sb */
464         for (i = 0; i < 8; i++) {
465                 if (tmp & 0x01)
466                         opts->num_mnt_opts++;
467                 tmp >>= 1;
468         }
469         /* Check if the Label support flag is set */
470         if (sbsec->flags & SE_SBLABELSUPP)
471                 opts->num_mnt_opts++;
472
473         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
474         if (!opts->mnt_opts) {
475                 rc = -ENOMEM;
476                 goto out_free;
477         }
478
479         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
480         if (!opts->mnt_opts_flags) {
481                 rc = -ENOMEM;
482                 goto out_free;
483         }
484
485         i = 0;
486         if (sbsec->flags & FSCONTEXT_MNT) {
487                 rc = security_sid_to_context(sbsec->sid, &context, &len);
488                 if (rc)
489                         goto out_free;
490                 opts->mnt_opts[i] = context;
491                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
492         }
493         if (sbsec->flags & CONTEXT_MNT) {
494                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
495                 if (rc)
496                         goto out_free;
497                 opts->mnt_opts[i] = context;
498                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
499         }
500         if (sbsec->flags & DEFCONTEXT_MNT) {
501                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
502                 if (rc)
503                         goto out_free;
504                 opts->mnt_opts[i] = context;
505                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
506         }
507         if (sbsec->flags & ROOTCONTEXT_MNT) {
508                 struct inode *root = sbsec->sb->s_root->d_inode;
509                 struct inode_security_struct *isec = root->i_security;
510
511                 rc = security_sid_to_context(isec->sid, &context, &len);
512                 if (rc)
513                         goto out_free;
514                 opts->mnt_opts[i] = context;
515                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
516         }
517         if (sbsec->flags & SE_SBLABELSUPP) {
518                 opts->mnt_opts[i] = NULL;
519                 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
520         }
521
522         BUG_ON(i != opts->num_mnt_opts);
523
524         return 0;
525
526 out_free:
527         security_free_mnt_opts(opts);
528         return rc;
529 }
530
531 static int bad_option(struct superblock_security_struct *sbsec, char flag,
532                       u32 old_sid, u32 new_sid)
533 {
534         char mnt_flags = sbsec->flags & SE_MNTMASK;
535
536         /* check if the old mount command had the same options */
537         if (sbsec->flags & SE_SBINITIALIZED)
538                 if (!(sbsec->flags & flag) ||
539                     (old_sid != new_sid))
540                         return 1;
541
542         /* check if we were passed the same options twice,
543          * aka someone passed context=a,context=b
544          */
545         if (!(sbsec->flags & SE_SBINITIALIZED))
546                 if (mnt_flags & flag)
547                         return 1;
548         return 0;
549 }
550
551 /*
552  * Allow filesystems with binary mount data to explicitly set mount point
553  * labeling information.
554  */
555 static int selinux_set_mnt_opts(struct super_block *sb,
556                                 struct security_mnt_opts *opts)
557 {
558         const struct cred *cred = current_cred();
559         int rc = 0, i;
560         struct superblock_security_struct *sbsec = sb->s_security;
561         const char *name = sb->s_type->name;
562         struct inode *inode = sbsec->sb->s_root->d_inode;
563         struct inode_security_struct *root_isec = inode->i_security;
564         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
565         u32 defcontext_sid = 0;
566         char **mount_options = opts->mnt_opts;
567         int *flags = opts->mnt_opts_flags;
568         int num_opts = opts->num_mnt_opts;
569
570         mutex_lock(&sbsec->lock);
571
572         if (!ss_initialized) {
573                 if (!num_opts) {
574                         /* Defer initialization until selinux_complete_init,
575                            after the initial policy is loaded and the security
576                            server is ready to handle calls. */
577                         goto out;
578                 }
579                 rc = -EINVAL;
580                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
581                         "before the security server is initialized\n");
582                 goto out;
583         }
584
585         /*
586          * Binary mount data FS will come through this function twice.  Once
587          * from an explicit call and once from the generic calls from the vfs.
588          * Since the generic VFS calls will not contain any security mount data
589          * we need to skip the double mount verification.
590          *
591          * This does open a hole in which we will not notice if the first
592          * mount using this sb set explict options and a second mount using
593          * this sb does not set any security options.  (The first options
594          * will be used for both mounts)
595          */
596         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
597             && (num_opts == 0))
598                 goto out;
599
600         /*
601          * parse the mount options, check if they are valid sids.
602          * also check if someone is trying to mount the same sb more
603          * than once with different security options.
604          */
605         for (i = 0; i < num_opts; i++) {
606                 u32 sid;
607
608                 if (flags[i] == SE_SBLABELSUPP)
609                         continue;
610                 rc = security_context_to_sid(mount_options[i],
611                                              strlen(mount_options[i]), &sid);
612                 if (rc) {
613                         printk(KERN_WARNING "SELinux: security_context_to_sid"
614                                "(%s) failed for (dev %s, type %s) errno=%d\n",
615                                mount_options[i], sb->s_id, name, rc);
616                         goto out;
617                 }
618                 switch (flags[i]) {
619                 case FSCONTEXT_MNT:
620                         fscontext_sid = sid;
621
622                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
623                                         fscontext_sid))
624                                 goto out_double_mount;
625
626                         sbsec->flags |= FSCONTEXT_MNT;
627                         break;
628                 case CONTEXT_MNT:
629                         context_sid = sid;
630
631                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
632                                         context_sid))
633                                 goto out_double_mount;
634
635                         sbsec->flags |= CONTEXT_MNT;
636                         break;
637                 case ROOTCONTEXT_MNT:
638                         rootcontext_sid = sid;
639
640                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
641                                         rootcontext_sid))
642                                 goto out_double_mount;
643
644                         sbsec->flags |= ROOTCONTEXT_MNT;
645
646                         break;
647                 case DEFCONTEXT_MNT:
648                         defcontext_sid = sid;
649
650                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
651                                         defcontext_sid))
652                                 goto out_double_mount;
653
654                         sbsec->flags |= DEFCONTEXT_MNT;
655
656                         break;
657                 default:
658                         rc = -EINVAL;
659                         goto out;
660                 }
661         }
662
663         if (sbsec->flags & SE_SBINITIALIZED) {
664                 /* previously mounted with options, but not on this attempt? */
665                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
666                         goto out_double_mount;
667                 rc = 0;
668                 goto out;
669         }
670
671         if (strcmp(sb->s_type->name, "proc") == 0)
672                 sbsec->flags |= SE_SBPROC;
673
674         /* Determine the labeling behavior to use for this filesystem type. */
675         rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
676         if (rc) {
677                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
678                        __func__, sb->s_type->name, rc);
679                 goto out;
680         }
681
682         /* sets the context of the superblock for the fs being mounted. */
683         if (fscontext_sid) {
684                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
685                 if (rc)
686                         goto out;
687
688                 sbsec->sid = fscontext_sid;
689         }
690
691         /*
692          * Switch to using mount point labeling behavior.
693          * sets the label used on all file below the mountpoint, and will set
694          * the superblock context if not already set.
695          */
696         if (context_sid) {
697                 if (!fscontext_sid) {
698                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
699                                                           cred);
700                         if (rc)
701                                 goto out;
702                         sbsec->sid = context_sid;
703                 } else {
704                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
705                                                              cred);
706                         if (rc)
707                                 goto out;
708                 }
709                 if (!rootcontext_sid)
710                         rootcontext_sid = context_sid;
711
712                 sbsec->mntpoint_sid = context_sid;
713                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
714         }
715
716         if (rootcontext_sid) {
717                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
718                                                      cred);
719                 if (rc)
720                         goto out;
721
722                 root_isec->sid = rootcontext_sid;
723                 root_isec->initialized = 1;
724         }
725
726         if (defcontext_sid) {
727                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
728                         rc = -EINVAL;
729                         printk(KERN_WARNING "SELinux: defcontext option is "
730                                "invalid for this filesystem type\n");
731                         goto out;
732                 }
733
734                 if (defcontext_sid != sbsec->def_sid) {
735                         rc = may_context_mount_inode_relabel(defcontext_sid,
736                                                              sbsec, cred);
737                         if (rc)
738                                 goto out;
739                 }
740
741                 sbsec->def_sid = defcontext_sid;
742         }
743
744         rc = sb_finish_set_opts(sb);
745 out:
746         mutex_unlock(&sbsec->lock);
747         return rc;
748 out_double_mount:
749         rc = -EINVAL;
750         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
751                "security settings for (dev %s, type %s)\n", sb->s_id, name);
752         goto out;
753 }
754
755 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
756                                         struct super_block *newsb)
757 {
758         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
759         struct superblock_security_struct *newsbsec = newsb->s_security;
760
761         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
762         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
763         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
764
765         /*
766          * if the parent was able to be mounted it clearly had no special lsm
767          * mount options.  thus we can safely deal with this superblock later
768          */
769         if (!ss_initialized)
770                 return;
771
772         /* how can we clone if the old one wasn't set up?? */
773         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
774
775         /* if fs is reusing a sb, just let its options stand... */
776         if (newsbsec->flags & SE_SBINITIALIZED)
777                 return;
778
779         mutex_lock(&newsbsec->lock);
780
781         newsbsec->flags = oldsbsec->flags;
782
783         newsbsec->sid = oldsbsec->sid;
784         newsbsec->def_sid = oldsbsec->def_sid;
785         newsbsec->behavior = oldsbsec->behavior;
786
787         if (set_context) {
788                 u32 sid = oldsbsec->mntpoint_sid;
789
790                 if (!set_fscontext)
791                         newsbsec->sid = sid;
792                 if (!set_rootcontext) {
793                         struct inode *newinode = newsb->s_root->d_inode;
794                         struct inode_security_struct *newisec = newinode->i_security;
795                         newisec->sid = sid;
796                 }
797                 newsbsec->mntpoint_sid = sid;
798         }
799         if (set_rootcontext) {
800                 const struct inode *oldinode = oldsb->s_root->d_inode;
801                 const struct inode_security_struct *oldisec = oldinode->i_security;
802                 struct inode *newinode = newsb->s_root->d_inode;
803                 struct inode_security_struct *newisec = newinode->i_security;
804
805                 newisec->sid = oldisec->sid;
806         }
807
808         sb_finish_set_opts(newsb);
809         mutex_unlock(&newsbsec->lock);
810 }
811
812 static int selinux_parse_opts_str(char *options,
813                                   struct security_mnt_opts *opts)
814 {
815         char *p;
816         char *context = NULL, *defcontext = NULL;
817         char *fscontext = NULL, *rootcontext = NULL;
818         int rc, num_mnt_opts = 0;
819
820         opts->num_mnt_opts = 0;
821
822         /* Standard string-based options. */
823         while ((p = strsep(&options, "|")) != NULL) {
824                 int token;
825                 substring_t args[MAX_OPT_ARGS];
826
827                 if (!*p)
828                         continue;
829
830                 token = match_token(p, tokens, args);
831
832                 switch (token) {
833                 case Opt_context:
834                         if (context || defcontext) {
835                                 rc = -EINVAL;
836                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
837                                 goto out_err;
838                         }
839                         context = match_strdup(&args[0]);
840                         if (!context) {
841                                 rc = -ENOMEM;
842                                 goto out_err;
843                         }
844                         break;
845
846                 case Opt_fscontext:
847                         if (fscontext) {
848                                 rc = -EINVAL;
849                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
850                                 goto out_err;
851                         }
852                         fscontext = match_strdup(&args[0]);
853                         if (!fscontext) {
854                                 rc = -ENOMEM;
855                                 goto out_err;
856                         }
857                         break;
858
859                 case Opt_rootcontext:
860                         if (rootcontext) {
861                                 rc = -EINVAL;
862                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
863                                 goto out_err;
864                         }
865                         rootcontext = match_strdup(&args[0]);
866                         if (!rootcontext) {
867                                 rc = -ENOMEM;
868                                 goto out_err;
869                         }
870                         break;
871
872                 case Opt_defcontext:
873                         if (context || defcontext) {
874                                 rc = -EINVAL;
875                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
876                                 goto out_err;
877                         }
878                         defcontext = match_strdup(&args[0]);
879                         if (!defcontext) {
880                                 rc = -ENOMEM;
881                                 goto out_err;
882                         }
883                         break;
884                 case Opt_labelsupport:
885                         break;
886                 default:
887                         rc = -EINVAL;
888                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
889                         goto out_err;
890
891                 }
892         }
893
894         rc = -ENOMEM;
895         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
896         if (!opts->mnt_opts)
897                 goto out_err;
898
899         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
900         if (!opts->mnt_opts_flags) {
901                 kfree(opts->mnt_opts);
902                 goto out_err;
903         }
904
905         if (fscontext) {
906                 opts->mnt_opts[num_mnt_opts] = fscontext;
907                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
908         }
909         if (context) {
910                 opts->mnt_opts[num_mnt_opts] = context;
911                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
912         }
913         if (rootcontext) {
914                 opts->mnt_opts[num_mnt_opts] = rootcontext;
915                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
916         }
917         if (defcontext) {
918                 opts->mnt_opts[num_mnt_opts] = defcontext;
919                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
920         }
921
922         opts->num_mnt_opts = num_mnt_opts;
923         return 0;
924
925 out_err:
926         kfree(context);
927         kfree(defcontext);
928         kfree(fscontext);
929         kfree(rootcontext);
930         return rc;
931 }
932 /*
933  * string mount options parsing and call set the sbsec
934  */
935 static int superblock_doinit(struct super_block *sb, void *data)
936 {
937         int rc = 0;
938         char *options = data;
939         struct security_mnt_opts opts;
940
941         security_init_mnt_opts(&opts);
942
943         if (!data)
944                 goto out;
945
946         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
947
948         rc = selinux_parse_opts_str(options, &opts);
949         if (rc)
950                 goto out_err;
951
952 out:
953         rc = selinux_set_mnt_opts(sb, &opts);
954
955 out_err:
956         security_free_mnt_opts(&opts);
957         return rc;
958 }
959
960 static void selinux_write_opts(struct seq_file *m,
961                                struct security_mnt_opts *opts)
962 {
963         int i;
964         char *prefix;
965
966         for (i = 0; i < opts->num_mnt_opts; i++) {
967                 char *has_comma;
968
969                 if (opts->mnt_opts[i])
970                         has_comma = strchr(opts->mnt_opts[i], ',');
971                 else
972                         has_comma = NULL;
973
974                 switch (opts->mnt_opts_flags[i]) {
975                 case CONTEXT_MNT:
976                         prefix = CONTEXT_STR;
977                         break;
978                 case FSCONTEXT_MNT:
979                         prefix = FSCONTEXT_STR;
980                         break;
981                 case ROOTCONTEXT_MNT:
982                         prefix = ROOTCONTEXT_STR;
983                         break;
984                 case DEFCONTEXT_MNT:
985                         prefix = DEFCONTEXT_STR;
986                         break;
987                 case SE_SBLABELSUPP:
988                         seq_putc(m, ',');
989                         seq_puts(m, LABELSUPP_STR);
990                         continue;
991                 default:
992                         BUG();
993                 };
994                 /* we need a comma before each option */
995                 seq_putc(m, ',');
996                 seq_puts(m, prefix);
997                 if (has_comma)
998                         seq_putc(m, '\"');
999                 seq_puts(m, opts->mnt_opts[i]);
1000                 if (has_comma)
1001                         seq_putc(m, '\"');
1002         }
1003 }
1004
1005 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1006 {
1007         struct security_mnt_opts opts;
1008         int rc;
1009
1010         rc = selinux_get_mnt_opts(sb, &opts);
1011         if (rc) {
1012                 /* before policy load we may get EINVAL, don't show anything */
1013                 if (rc == -EINVAL)
1014                         rc = 0;
1015                 return rc;
1016         }
1017
1018         selinux_write_opts(m, &opts);
1019
1020         security_free_mnt_opts(&opts);
1021
1022         return rc;
1023 }
1024
1025 static inline u16 inode_mode_to_security_class(umode_t mode)
1026 {
1027         switch (mode & S_IFMT) {
1028         case S_IFSOCK:
1029                 return SECCLASS_SOCK_FILE;
1030         case S_IFLNK:
1031                 return SECCLASS_LNK_FILE;
1032         case S_IFREG:
1033                 return SECCLASS_FILE;
1034         case S_IFBLK:
1035                 return SECCLASS_BLK_FILE;
1036         case S_IFDIR:
1037                 return SECCLASS_DIR;
1038         case S_IFCHR:
1039                 return SECCLASS_CHR_FILE;
1040         case S_IFIFO:
1041                 return SECCLASS_FIFO_FILE;
1042
1043         }
1044
1045         return SECCLASS_FILE;
1046 }
1047
1048 static inline int default_protocol_stream(int protocol)
1049 {
1050         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1051 }
1052
1053 static inline int default_protocol_dgram(int protocol)
1054 {
1055         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1056 }
1057
1058 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1059 {
1060         switch (family) {
1061         case PF_UNIX:
1062                 switch (type) {
1063                 case SOCK_STREAM:
1064                 case SOCK_SEQPACKET:
1065                         return SECCLASS_UNIX_STREAM_SOCKET;
1066                 case SOCK_DGRAM:
1067                         return SECCLASS_UNIX_DGRAM_SOCKET;
1068                 }
1069                 break;
1070         case PF_INET:
1071         case PF_INET6:
1072                 switch (type) {
1073                 case SOCK_STREAM:
1074                         if (default_protocol_stream(protocol))
1075                                 return SECCLASS_TCP_SOCKET;
1076                         else
1077                                 return SECCLASS_RAWIP_SOCKET;
1078                 case SOCK_DGRAM:
1079                         if (default_protocol_dgram(protocol))
1080                                 return SECCLASS_UDP_SOCKET;
1081                         else
1082                                 return SECCLASS_RAWIP_SOCKET;
1083                 case SOCK_DCCP:
1084                         return SECCLASS_DCCP_SOCKET;
1085                 default:
1086                         return SECCLASS_RAWIP_SOCKET;
1087                 }
1088                 break;
1089         case PF_NETLINK:
1090                 switch (protocol) {
1091                 case NETLINK_ROUTE:
1092                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1093                 case NETLINK_FIREWALL:
1094                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1095                 case NETLINK_INET_DIAG:
1096                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1097                 case NETLINK_NFLOG:
1098                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1099                 case NETLINK_XFRM:
1100                         return SECCLASS_NETLINK_XFRM_SOCKET;
1101                 case NETLINK_SELINUX:
1102                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1103                 case NETLINK_AUDIT:
1104                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1105                 case NETLINK_IP6_FW:
1106                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1107                 case NETLINK_DNRTMSG:
1108                         return SECCLASS_NETLINK_DNRT_SOCKET;
1109                 case NETLINK_KOBJECT_UEVENT:
1110                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1111                 default:
1112                         return SECCLASS_NETLINK_SOCKET;
1113                 }
1114         case PF_PACKET:
1115                 return SECCLASS_PACKET_SOCKET;
1116         case PF_KEY:
1117                 return SECCLASS_KEY_SOCKET;
1118         case PF_APPLETALK:
1119                 return SECCLASS_APPLETALK_SOCKET;
1120         }
1121
1122         return SECCLASS_SOCKET;
1123 }
1124
1125 #ifdef CONFIG_PROC_FS
1126 static int selinux_proc_get_sid(struct dentry *dentry,
1127                                 u16 tclass,
1128                                 u32 *sid)
1129 {
1130         int rc;
1131         char *buffer, *path;
1132
1133         buffer = (char *)__get_free_page(GFP_KERNEL);
1134         if (!buffer)
1135                 return -ENOMEM;
1136
1137         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1138         if (IS_ERR(path))
1139                 rc = PTR_ERR(path);
1140         else {
1141                 /* each process gets a /proc/PID/ entry. Strip off the
1142                  * PID part to get a valid selinux labeling.
1143                  * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1144                 while (path[1] >= '0' && path[1] <= '9') {
1145                         path[1] = '/';
1146                         path++;
1147                 }
1148                 rc = security_genfs_sid("proc", path, tclass, sid);
1149         }
1150         free_page((unsigned long)buffer);
1151         return rc;
1152 }
1153 #else
1154 static int selinux_proc_get_sid(struct dentry *dentry,
1155                                 u16 tclass,
1156                                 u32 *sid)
1157 {
1158         return -EINVAL;
1159 }
1160 #endif
1161
1162 /* The inode's security attributes must be initialized before first use. */
1163 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1164 {
1165         struct superblock_security_struct *sbsec = NULL;
1166         struct inode_security_struct *isec = inode->i_security;
1167         u32 sid;
1168         struct dentry *dentry;
1169 #define INITCONTEXTLEN 255
1170         char *context = NULL;
1171         unsigned len = 0;
1172         int rc = 0;
1173
1174         if (isec->initialized)
1175                 goto out;
1176
1177         mutex_lock(&isec->lock);
1178         if (isec->initialized)
1179                 goto out_unlock;
1180
1181         sbsec = inode->i_sb->s_security;
1182         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1183                 /* Defer initialization until selinux_complete_init,
1184                    after the initial policy is loaded and the security
1185                    server is ready to handle calls. */
1186                 spin_lock(&sbsec->isec_lock);
1187                 if (list_empty(&isec->list))
1188                         list_add(&isec->list, &sbsec->isec_head);
1189                 spin_unlock(&sbsec->isec_lock);
1190                 goto out_unlock;
1191         }
1192
1193         switch (sbsec->behavior) {
1194         case SECURITY_FS_USE_XATTR:
1195                 if (!inode->i_op->getxattr) {
1196                         isec->sid = sbsec->def_sid;
1197                         break;
1198                 }
1199
1200                 /* Need a dentry, since the xattr API requires one.
1201                    Life would be simpler if we could just pass the inode. */
1202                 if (opt_dentry) {
1203                         /* Called from d_instantiate or d_splice_alias. */
1204                         dentry = dget(opt_dentry);
1205                 } else {
1206                         /* Called from selinux_complete_init, try to find a dentry. */
1207                         dentry = d_find_alias(inode);
1208                 }
1209                 if (!dentry) {
1210                         /*
1211                          * this is can be hit on boot when a file is accessed
1212                          * before the policy is loaded.  When we load policy we
1213                          * may find inodes that have no dentry on the
1214                          * sbsec->isec_head list.  No reason to complain as these
1215                          * will get fixed up the next time we go through
1216                          * inode_doinit with a dentry, before these inodes could
1217                          * be used again by userspace.
1218                          */
1219                         goto out_unlock;
1220                 }
1221
1222                 len = INITCONTEXTLEN;
1223                 context = kmalloc(len+1, GFP_NOFS);
1224                 if (!context) {
1225                         rc = -ENOMEM;
1226                         dput(dentry);
1227                         goto out_unlock;
1228                 }
1229                 context[len] = '\0';
1230                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1231                                            context, len);
1232                 if (rc == -ERANGE) {
1233                         kfree(context);
1234
1235                         /* Need a larger buffer.  Query for the right size. */
1236                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1237                                                    NULL, 0);
1238                         if (rc < 0) {
1239                                 dput(dentry);
1240                                 goto out_unlock;
1241                         }
1242                         len = rc;
1243                         context = kmalloc(len+1, GFP_NOFS);
1244                         if (!context) {
1245                                 rc = -ENOMEM;
1246                                 dput(dentry);
1247                                 goto out_unlock;
1248                         }
1249                         context[len] = '\0';
1250                         rc = inode->i_op->getxattr(dentry,
1251                                                    XATTR_NAME_SELINUX,
1252                                                    context, len);
1253                 }
1254                 dput(dentry);
1255                 if (rc < 0) {
1256                         if (rc != -ENODATA) {
1257                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1258                                        "%d for dev=%s ino=%ld\n", __func__,
1259                                        -rc, inode->i_sb->s_id, inode->i_ino);
1260                                 kfree(context);
1261                                 goto out_unlock;
1262                         }
1263                         /* Map ENODATA to the default file SID */
1264                         sid = sbsec->def_sid;
1265                         rc = 0;
1266                 } else {
1267                         rc = security_context_to_sid_default(context, rc, &sid,
1268                                                              sbsec->def_sid,
1269                                                              GFP_NOFS);
1270                         if (rc) {
1271                                 char *dev = inode->i_sb->s_id;
1272                                 unsigned long ino = inode->i_ino;
1273
1274                                 if (rc == -EINVAL) {
1275                                         if (printk_ratelimit())
1276                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1277                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1278                                                         "filesystem in question.\n", ino, dev, context);
1279                                 } else {
1280                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1281                                                "returned %d for dev=%s ino=%ld\n",
1282                                                __func__, context, -rc, dev, ino);
1283                                 }
1284                                 kfree(context);
1285                                 /* Leave with the unlabeled SID */
1286                                 rc = 0;
1287                                 break;
1288                         }
1289                 }
1290                 kfree(context);
1291                 isec->sid = sid;
1292                 break;
1293         case SECURITY_FS_USE_TASK:
1294                 isec->sid = isec->task_sid;
1295                 break;
1296         case SECURITY_FS_USE_TRANS:
1297                 /* Default to the fs SID. */
1298                 isec->sid = sbsec->sid;
1299
1300                 /* Try to obtain a transition SID. */
1301                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1302                 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1303                                              isec->sclass, NULL, &sid);
1304                 if (rc)
1305                         goto out_unlock;
1306                 isec->sid = sid;
1307                 break;
1308         case SECURITY_FS_USE_MNTPOINT:
1309                 isec->sid = sbsec->mntpoint_sid;
1310                 break;
1311         default:
1312                 /* Default to the fs superblock SID. */
1313                 isec->sid = sbsec->sid;
1314
1315                 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1316                         if (opt_dentry) {
1317                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1318                                 rc = selinux_proc_get_sid(opt_dentry,
1319                                                           isec->sclass,
1320                                                           &sid);
1321                                 if (rc)
1322                                         goto out_unlock;
1323                                 isec->sid = sid;
1324                         }
1325                 }
1326                 break;
1327         }
1328
1329         isec->initialized = 1;
1330
1331 out_unlock:
1332         mutex_unlock(&isec->lock);
1333 out:
1334         if (isec->sclass == SECCLASS_FILE)
1335                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1336         return rc;
1337 }
1338
1339 /* Convert a Linux signal to an access vector. */
1340 static inline u32 signal_to_av(int sig)
1341 {
1342         u32 perm = 0;
1343
1344         switch (sig) {
1345         case SIGCHLD:
1346                 /* Commonly granted from child to parent. */
1347                 perm = PROCESS__SIGCHLD;
1348                 break;
1349         case SIGKILL:
1350                 /* Cannot be caught or ignored */
1351                 perm = PROCESS__SIGKILL;
1352                 break;
1353         case SIGSTOP:
1354                 /* Cannot be caught or ignored */
1355                 perm = PROCESS__SIGSTOP;
1356                 break;
1357         default:
1358                 /* All other signals. */
1359                 perm = PROCESS__SIGNAL;
1360                 break;
1361         }
1362
1363         return perm;
1364 }
1365
1366 /*
1367  * Check permission between a pair of credentials
1368  * fork check, ptrace check, etc.
1369  */
1370 static int cred_has_perm(const struct cred *actor,
1371                          const struct cred *target,
1372                          u32 perms)
1373 {
1374         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1375
1376         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1377 }
1378
1379 /*
1380  * Check permission between a pair of tasks, e.g. signal checks,
1381  * fork check, ptrace check, etc.
1382  * tsk1 is the actor and tsk2 is the target
1383  * - this uses the default subjective creds of tsk1
1384  */
1385 static int task_has_perm(const struct task_struct *tsk1,
1386                          const struct task_struct *tsk2,
1387                          u32 perms)
1388 {
1389         const struct task_security_struct *__tsec1, *__tsec2;
1390         u32 sid1, sid2;
1391
1392         rcu_read_lock();
1393         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1394         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1395         rcu_read_unlock();
1396         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1397 }
1398
1399 /*
1400  * Check permission between current and another task, e.g. signal checks,
1401  * fork check, ptrace check, etc.
1402  * current is the actor and tsk2 is the target
1403  * - this uses current's subjective creds
1404  */
1405 static int current_has_perm(const struct task_struct *tsk,
1406                             u32 perms)
1407 {
1408         u32 sid, tsid;
1409
1410         sid = current_sid();
1411         tsid = task_sid(tsk);
1412         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1413 }
1414
1415 #if CAP_LAST_CAP > 63
1416 #error Fix SELinux to handle capabilities > 63.
1417 #endif
1418
1419 /* Check whether a task is allowed to use a capability. */
1420 static int task_has_capability(struct task_struct *tsk,
1421                                const struct cred *cred,
1422                                int cap, int audit)
1423 {
1424         struct common_audit_data ad;
1425         struct av_decision avd;
1426         u16 sclass;
1427         u32 sid = cred_sid(cred);
1428         u32 av = CAP_TO_MASK(cap);
1429         int rc;
1430
1431         COMMON_AUDIT_DATA_INIT(&ad, CAP);
1432         ad.tsk = tsk;
1433         ad.u.cap = cap;
1434
1435         switch (CAP_TO_INDEX(cap)) {
1436         case 0:
1437                 sclass = SECCLASS_CAPABILITY;
1438                 break;
1439         case 1:
1440                 sclass = SECCLASS_CAPABILITY2;
1441                 break;
1442         default:
1443                 printk(KERN_ERR
1444                        "SELinux:  out of range capability %d\n", cap);
1445                 BUG();
1446         }
1447
1448         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1449         if (audit == SECURITY_CAP_AUDIT) {
1450                 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1451                 if (rc2)
1452                         return rc2;
1453         }
1454         return rc;
1455 }
1456
1457 /* Check whether a task is allowed to use a system operation. */
1458 static int task_has_system(struct task_struct *tsk,
1459                            u32 perms)
1460 {
1461         u32 sid = task_sid(tsk);
1462
1463         return avc_has_perm(sid, SECINITSID_KERNEL,
1464                             SECCLASS_SYSTEM, perms, NULL);
1465 }
1466
1467 /* Check whether a task has a particular permission to an inode.
1468    The 'adp' parameter is optional and allows other audit
1469    data to be passed (e.g. the dentry). */
1470 static int inode_has_perm(const struct cred *cred,
1471                           struct inode *inode,
1472                           u32 perms,
1473                           struct common_audit_data *adp,
1474                           unsigned flags)
1475 {
1476         struct inode_security_struct *isec;
1477         struct common_audit_data ad;
1478         u32 sid;
1479
1480         validate_creds(cred);
1481
1482         if (unlikely(IS_PRIVATE(inode)))
1483                 return 0;
1484
1485         sid = cred_sid(cred);
1486         isec = inode->i_security;
1487
1488         if (!adp) {
1489                 adp = &ad;
1490                 COMMON_AUDIT_DATA_INIT(&ad, FS);
1491                 ad.u.fs.inode = inode;
1492         }
1493
1494         return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1495 }
1496
1497 /* Same as inode_has_perm, but pass explicit audit data containing
1498    the dentry to help the auditing code to more easily generate the
1499    pathname if needed. */
1500 static inline int dentry_has_perm(const struct cred *cred,
1501                                   struct vfsmount *mnt,
1502                                   struct dentry *dentry,
1503                                   u32 av)
1504 {
1505         struct inode *inode = dentry->d_inode;
1506         struct common_audit_data ad;
1507
1508         COMMON_AUDIT_DATA_INIT(&ad, FS);
1509         ad.u.fs.path.mnt = mnt;
1510         ad.u.fs.path.dentry = dentry;
1511         return inode_has_perm(cred, inode, av, &ad, 0);
1512 }
1513
1514 /* Check whether a task can use an open file descriptor to
1515    access an inode in a given way.  Check access to the
1516    descriptor itself, and then use dentry_has_perm to
1517    check a particular permission to the file.
1518    Access to the descriptor is implicitly granted if it
1519    has the same SID as the process.  If av is zero, then
1520    access to the file is not checked, e.g. for cases
1521    where only the descriptor is affected like seek. */
1522 static int file_has_perm(const struct cred *cred,
1523                          struct file *file,
1524                          u32 av)
1525 {
1526         struct file_security_struct *fsec = file->f_security;
1527         struct inode *inode = file->f_path.dentry->d_inode;
1528         struct common_audit_data ad;
1529         u32 sid = cred_sid(cred);
1530         int rc;
1531
1532         COMMON_AUDIT_DATA_INIT(&ad, FS);
1533         ad.u.fs.path = file->f_path;
1534
1535         if (sid != fsec->sid) {
1536                 rc = avc_has_perm(sid, fsec->sid,
1537                                   SECCLASS_FD,
1538                                   FD__USE,
1539                                   &ad);
1540                 if (rc)
1541                         goto out;
1542         }
1543
1544         /* av is zero if only checking access to the descriptor. */
1545         rc = 0;
1546         if (av)
1547                 rc = inode_has_perm(cred, inode, av, &ad, 0);
1548
1549 out:
1550         return rc;
1551 }
1552
1553 /* Check whether a task can create a file. */
1554 static int may_create(struct inode *dir,
1555                       struct dentry *dentry,
1556                       u16 tclass)
1557 {
1558         const struct task_security_struct *tsec = current_security();
1559         struct inode_security_struct *dsec;
1560         struct superblock_security_struct *sbsec;
1561         u32 sid, newsid;
1562         struct common_audit_data ad;
1563         int rc;
1564
1565         dsec = dir->i_security;
1566         sbsec = dir->i_sb->s_security;
1567
1568         sid = tsec->sid;
1569         newsid = tsec->create_sid;
1570
1571         COMMON_AUDIT_DATA_INIT(&ad, FS);
1572         ad.u.fs.path.dentry = dentry;
1573
1574         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1575                           DIR__ADD_NAME | DIR__SEARCH,
1576                           &ad);
1577         if (rc)
1578                 return rc;
1579
1580         if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1581                 rc = security_transition_sid(sid, dsec->sid, tclass,
1582                                              &dentry->d_name, &newsid);
1583                 if (rc)
1584                         return rc;
1585         }
1586
1587         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1588         if (rc)
1589                 return rc;
1590
1591         return avc_has_perm(newsid, sbsec->sid,
1592                             SECCLASS_FILESYSTEM,
1593                             FILESYSTEM__ASSOCIATE, &ad);
1594 }
1595
1596 /* Check whether a task can create a key. */
1597 static int may_create_key(u32 ksid,
1598                           struct task_struct *ctx)
1599 {
1600         u32 sid = task_sid(ctx);
1601
1602         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1603 }
1604
1605 #define MAY_LINK        0
1606 #define MAY_UNLINK      1
1607 #define MAY_RMDIR       2
1608
1609 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1610 static int may_link(struct inode *dir,
1611                     struct dentry *dentry,
1612                     int kind)
1613
1614 {
1615         struct inode_security_struct *dsec, *isec;
1616         struct common_audit_data ad;
1617         u32 sid = current_sid();
1618         u32 av;
1619         int rc;
1620
1621         dsec = dir->i_security;
1622         isec = dentry->d_inode->i_security;
1623
1624         COMMON_AUDIT_DATA_INIT(&ad, FS);
1625         ad.u.fs.path.dentry = dentry;
1626
1627         av = DIR__SEARCH;
1628         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1629         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1630         if (rc)
1631                 return rc;
1632
1633         switch (kind) {
1634         case MAY_LINK:
1635                 av = FILE__LINK;
1636                 break;
1637         case MAY_UNLINK:
1638                 av = FILE__UNLINK;
1639                 break;
1640         case MAY_RMDIR:
1641                 av = DIR__RMDIR;
1642                 break;
1643         default:
1644                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1645                         __func__, kind);
1646                 return 0;
1647         }
1648
1649         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1650         return rc;
1651 }
1652
1653 static inline int may_rename(struct inode *old_dir,
1654                              struct dentry *old_dentry,
1655                              struct inode *new_dir,
1656                              struct dentry *new_dentry)
1657 {
1658         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1659         struct common_audit_data ad;
1660         u32 sid = current_sid();
1661         u32 av;
1662         int old_is_dir, new_is_dir;
1663         int rc;
1664
1665         old_dsec = old_dir->i_security;
1666         old_isec = old_dentry->d_inode->i_security;
1667         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1668         new_dsec = new_dir->i_security;
1669
1670         COMMON_AUDIT_DATA_INIT(&ad, FS);
1671
1672         ad.u.fs.path.dentry = old_dentry;
1673         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1674                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1675         if (rc)
1676                 return rc;
1677         rc = avc_has_perm(sid, old_isec->sid,
1678                           old_isec->sclass, FILE__RENAME, &ad);
1679         if (rc)
1680                 return rc;
1681         if (old_is_dir && new_dir != old_dir) {
1682                 rc = avc_has_perm(sid, old_isec->sid,
1683                                   old_isec->sclass, DIR__REPARENT, &ad);
1684                 if (rc)
1685                         return rc;
1686         }
1687
1688         ad.u.fs.path.dentry = new_dentry;
1689         av = DIR__ADD_NAME | DIR__SEARCH;
1690         if (new_dentry->d_inode)
1691                 av |= DIR__REMOVE_NAME;
1692         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1693         if (rc)
1694                 return rc;
1695         if (new_dentry->d_inode) {
1696                 new_isec = new_dentry->d_inode->i_security;
1697                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1698                 rc = avc_has_perm(sid, new_isec->sid,
1699                                   new_isec->sclass,
1700                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1701                 if (rc)
1702                         return rc;
1703         }
1704
1705         return 0;
1706 }
1707
1708 /* Check whether a task can perform a filesystem operation. */
1709 static int superblock_has_perm(const struct cred *cred,
1710                                struct super_block *sb,
1711                                u32 perms,
1712                                struct common_audit_data *ad)
1713 {
1714         struct superblock_security_struct *sbsec;
1715         u32 sid = cred_sid(cred);
1716
1717         sbsec = sb->s_security;
1718         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1719 }
1720
1721 /* Convert a Linux mode and permission mask to an access vector. */
1722 static inline u32 file_mask_to_av(int mode, int mask)
1723 {
1724         u32 av = 0;
1725
1726         if ((mode & S_IFMT) != S_IFDIR) {
1727                 if (mask & MAY_EXEC)
1728                         av |= FILE__EXECUTE;
1729                 if (mask & MAY_READ)
1730                         av |= FILE__READ;
1731
1732                 if (mask & MAY_APPEND)
1733                         av |= FILE__APPEND;
1734                 else if (mask & MAY_WRITE)
1735                         av |= FILE__WRITE;
1736
1737         } else {
1738                 if (mask & MAY_EXEC)
1739                         av |= DIR__SEARCH;
1740                 if (mask & MAY_WRITE)
1741                         av |= DIR__WRITE;
1742                 if (mask & MAY_READ)
1743                         av |= DIR__READ;
1744         }
1745
1746         return av;
1747 }
1748
1749 /* Convert a Linux file to an access vector. */
1750 static inline u32 file_to_av(struct file *file)
1751 {
1752         u32 av = 0;
1753
1754         if (file->f_mode & FMODE_READ)
1755                 av |= FILE__READ;
1756         if (file->f_mode & FMODE_WRITE) {
1757                 if (file->f_flags & O_APPEND)
1758                         av |= FILE__APPEND;
1759                 else
1760                         av |= FILE__WRITE;
1761         }
1762         if (!av) {
1763                 /*
1764                  * Special file opened with flags 3 for ioctl-only use.
1765                  */
1766                 av = FILE__IOCTL;
1767         }
1768
1769         return av;
1770 }
1771
1772 /*
1773  * Convert a file to an access vector and include the correct open
1774  * open permission.
1775  */
1776 static inline u32 open_file_to_av(struct file *file)
1777 {
1778         u32 av = file_to_av(file);
1779
1780         if (selinux_policycap_openperm)
1781                 av |= FILE__OPEN;
1782
1783         return av;
1784 }
1785
1786 /* Hook functions begin here. */
1787
1788 static int selinux_ptrace_access_check(struct task_struct *child,
1789                                      unsigned int mode)
1790 {
1791         int rc;
1792
1793         rc = cap_ptrace_access_check(child, mode);
1794         if (rc)
1795                 return rc;
1796
1797         if (mode == PTRACE_MODE_READ) {
1798                 u32 sid = current_sid();
1799                 u32 csid = task_sid(child);
1800                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1801         }
1802
1803         return current_has_perm(child, PROCESS__PTRACE);
1804 }
1805
1806 static int selinux_ptrace_traceme(struct task_struct *parent)
1807 {
1808         int rc;
1809
1810         rc = cap_ptrace_traceme(parent);
1811         if (rc)
1812                 return rc;
1813
1814         return task_has_perm(parent, current, PROCESS__PTRACE);
1815 }
1816
1817 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1818                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1819 {
1820         int error;
1821
1822         error = current_has_perm(target, PROCESS__GETCAP);
1823         if (error)
1824                 return error;
1825
1826         return cap_capget(target, effective, inheritable, permitted);
1827 }
1828
1829 static int selinux_capset(struct cred *new, const struct cred *old,
1830                           const kernel_cap_t *effective,
1831                           const kernel_cap_t *inheritable,
1832                           const kernel_cap_t *permitted)
1833 {
1834         int error;
1835
1836         error = cap_capset(new, old,
1837                                       effective, inheritable, permitted);
1838         if (error)
1839                 return error;
1840
1841         return cred_has_perm(old, new, PROCESS__SETCAP);
1842 }
1843
1844 /*
1845  * (This comment used to live with the selinux_task_setuid hook,
1846  * which was removed).
1847  *
1848  * Since setuid only affects the current process, and since the SELinux
1849  * controls are not based on the Linux identity attributes, SELinux does not
1850  * need to control this operation.  However, SELinux does control the use of
1851  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1852  */
1853
1854 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1855                            struct user_namespace *ns, int cap, int audit)
1856 {
1857         int rc;
1858
1859         rc = cap_capable(tsk, cred, ns, cap, audit);
1860         if (rc)
1861                 return rc;
1862
1863         return task_has_capability(tsk, cred, cap, audit);
1864 }
1865
1866 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1867 {
1868         const struct cred *cred = current_cred();
1869         int rc = 0;
1870
1871         if (!sb)
1872                 return 0;
1873
1874         switch (cmds) {
1875         case Q_SYNC:
1876         case Q_QUOTAON:
1877         case Q_QUOTAOFF:
1878         case Q_SETINFO:
1879         case Q_SETQUOTA:
1880                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1881                 break;
1882         case Q_GETFMT:
1883         case Q_GETINFO:
1884         case Q_GETQUOTA:
1885                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1886                 break;
1887         default:
1888                 rc = 0;  /* let the kernel handle invalid cmds */
1889                 break;
1890         }
1891         return rc;
1892 }
1893
1894 static int selinux_quota_on(struct dentry *dentry)
1895 {
1896         const struct cred *cred = current_cred();
1897
1898         return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1899 }
1900
1901 static int selinux_syslog(int type)
1902 {
1903         int rc;
1904
1905         switch (type) {
1906         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
1907         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1908                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1909                 break;
1910         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1911         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
1912         /* Set level of messages printed to console */
1913         case SYSLOG_ACTION_CONSOLE_LEVEL:
1914                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1915                 break;
1916         case SYSLOG_ACTION_CLOSE:       /* Close log */
1917         case SYSLOG_ACTION_OPEN:        /* Open log */
1918         case SYSLOG_ACTION_READ:        /* Read from log */
1919         case SYSLOG_ACTION_READ_CLEAR:  /* Read/clear last kernel messages */
1920         case SYSLOG_ACTION_CLEAR:       /* Clear ring buffer */
1921         default:
1922                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1923                 break;
1924         }
1925         return rc;
1926 }
1927
1928 /*
1929  * Check that a process has enough memory to allocate a new virtual
1930  * mapping. 0 means there is enough memory for the allocation to
1931  * succeed and -ENOMEM implies there is not.
1932  *
1933  * Do not audit the selinux permission check, as this is applied to all
1934  * processes that allocate mappings.
1935  */
1936 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1937 {
1938         int rc, cap_sys_admin = 0;
1939
1940         rc = selinux_capable(current, current_cred(),
1941                              &init_user_ns, CAP_SYS_ADMIN,
1942                              SECURITY_CAP_NOAUDIT);
1943         if (rc == 0)
1944                 cap_sys_admin = 1;
1945
1946         return __vm_enough_memory(mm, pages, cap_sys_admin);
1947 }
1948
1949 /* binprm security operations */
1950
1951 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1952 {
1953         const struct task_security_struct *old_tsec;
1954         struct task_security_struct *new_tsec;
1955         struct inode_security_struct *isec;
1956         struct common_audit_data ad;
1957         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1958         int rc;
1959
1960         rc = cap_bprm_set_creds(bprm);
1961         if (rc)
1962                 return rc;
1963
1964         /* SELinux context only depends on initial program or script and not
1965          * the script interpreter */
1966         if (bprm->cred_prepared)
1967                 return 0;
1968
1969         old_tsec = current_security();
1970         new_tsec = bprm->cred->security;
1971         isec = inode->i_security;
1972
1973         /* Default to the current task SID. */
1974         new_tsec->sid = old_tsec->sid;
1975         new_tsec->osid = old_tsec->sid;
1976
1977         /* Reset fs, key, and sock SIDs on execve. */
1978         new_tsec->create_sid = 0;
1979         new_tsec->keycreate_sid = 0;
1980         new_tsec->sockcreate_sid = 0;
1981
1982         if (old_tsec->exec_sid) {
1983                 new_tsec->sid = old_tsec->exec_sid;
1984                 /* Reset exec SID on execve. */
1985                 new_tsec->exec_sid = 0;
1986         } else {
1987                 /* Check for a default transition on this program. */
1988                 rc = security_transition_sid(old_tsec->sid, isec->sid,
1989                                              SECCLASS_PROCESS, NULL,
1990                                              &new_tsec->sid);
1991                 if (rc)
1992                         return rc;
1993         }
1994
1995         COMMON_AUDIT_DATA_INIT(&ad, FS);
1996         ad.u.fs.path = bprm->file->f_path;
1997
1998         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1999                 new_tsec->sid = old_tsec->sid;
2000
2001         if (new_tsec->sid == old_tsec->sid) {
2002                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2003                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2004                 if (rc)
2005                         return rc;
2006         } else {
2007                 /* Check permissions for the transition. */
2008                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2009                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2010                 if (rc)
2011                         return rc;
2012
2013                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2014                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2015                 if (rc)
2016                         return rc;
2017
2018                 /* Check for shared state */
2019                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2020                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2021                                           SECCLASS_PROCESS, PROCESS__SHARE,
2022                                           NULL);
2023                         if (rc)
2024                                 return -EPERM;
2025                 }
2026
2027                 /* Make sure that anyone attempting to ptrace over a task that
2028                  * changes its SID has the appropriate permit */
2029                 if (bprm->unsafe &
2030                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2031                         struct task_struct *tracer;
2032                         struct task_security_struct *sec;
2033                         u32 ptsid = 0;
2034
2035                         rcu_read_lock();
2036                         tracer = tracehook_tracer_task(current);
2037                         if (likely(tracer != NULL)) {
2038                                 sec = __task_cred(tracer)->security;
2039                                 ptsid = sec->sid;
2040                         }
2041                         rcu_read_unlock();
2042
2043                         if (ptsid != 0) {
2044                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2045                                                   SECCLASS_PROCESS,
2046                                                   PROCESS__PTRACE, NULL);
2047                                 if (rc)
2048                                         return -EPERM;
2049                         }
2050                 }
2051
2052                 /* Clear any possibly unsafe personality bits on exec: */
2053                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2054         }
2055
2056         return 0;
2057 }
2058
2059 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2060 {
2061         const struct task_security_struct *tsec = current_security();
2062         u32 sid, osid;
2063         int atsecure = 0;
2064
2065         sid = tsec->sid;
2066         osid = tsec->osid;
2067
2068         if (osid != sid) {
2069                 /* Enable secure mode for SIDs transitions unless
2070                    the noatsecure permission is granted between
2071                    the two SIDs, i.e. ahp returns 0. */
2072                 atsecure = avc_has_perm(osid, sid,
2073                                         SECCLASS_PROCESS,
2074                                         PROCESS__NOATSECURE, NULL);
2075         }
2076
2077         return (atsecure || cap_bprm_secureexec(bprm));
2078 }
2079
2080 extern struct vfsmount *selinuxfs_mount;
2081 extern struct dentry *selinux_null;
2082
2083 /* Derived from fs/exec.c:flush_old_files. */
2084 static inline void flush_unauthorized_files(const struct cred *cred,
2085                                             struct files_struct *files)
2086 {
2087         struct common_audit_data ad;
2088         struct file *file, *devnull = NULL;
2089         struct tty_struct *tty;
2090         struct fdtable *fdt;
2091         long j = -1;
2092         int drop_tty = 0;
2093
2094         tty = get_current_tty();
2095         if (tty) {
2096                 spin_lock(&tty_files_lock);
2097                 if (!list_empty(&tty->tty_files)) {
2098                         struct tty_file_private *file_priv;
2099                         struct inode *inode;
2100
2101                         /* Revalidate access to controlling tty.
2102                            Use inode_has_perm on the tty inode directly rather
2103                            than using file_has_perm, as this particular open
2104                            file may belong to another process and we are only
2105                            interested in the inode-based check here. */
2106                         file_priv = list_first_entry(&tty->tty_files,
2107                                                 struct tty_file_private, list);
2108                         file = file_priv->file;
2109                         inode = file->f_path.dentry->d_inode;
2110                         if (inode_has_perm(cred, inode,
2111                                            FILE__READ | FILE__WRITE, NULL, 0)) {
2112                                 drop_tty = 1;
2113                         }
2114                 }
2115                 spin_unlock(&tty_files_lock);
2116                 tty_kref_put(tty);
2117         }
2118         /* Reset controlling tty. */
2119         if (drop_tty)
2120                 no_tty();
2121
2122         /* Revalidate access to inherited open files. */
2123
2124         COMMON_AUDIT_DATA_INIT(&ad, FS);
2125
2126         spin_lock(&files->file_lock);
2127         for (;;) {
2128                 unsigned long set, i;
2129                 int fd;
2130
2131                 j++;
2132                 i = j * __NFDBITS;
2133                 fdt = files_fdtable(files);
2134                 if (i >= fdt->max_fds)
2135                         break;
2136                 set = fdt->open_fds->fds_bits[j];
2137                 if (!set)
2138                         continue;
2139                 spin_unlock(&files->file_lock);
2140                 for ( ; set ; i++, set >>= 1) {
2141                         if (set & 1) {
2142                                 file = fget(i);
2143                                 if (!file)
2144                                         continue;
2145                                 if (file_has_perm(cred,
2146                                                   file,
2147                                                   file_to_av(file))) {
2148                                         sys_close(i);
2149                                         fd = get_unused_fd();
2150                                         if (fd != i) {
2151                                                 if (fd >= 0)
2152                                                         put_unused_fd(fd);
2153                                                 fput(file);
2154                                                 continue;
2155                                         }
2156                                         if (devnull) {
2157                                                 get_file(devnull);
2158                                         } else {
2159                                                 devnull = dentry_open(
2160                                                         dget(selinux_null),
2161                                                         mntget(selinuxfs_mount),
2162                                                         O_RDWR, cred);
2163                                                 if (IS_ERR(devnull)) {
2164                                                         devnull = NULL;
2165                                                         put_unused_fd(fd);
2166                                                         fput(file);
2167                                                         continue;
2168                                                 }
2169                                         }
2170                                         fd_install(fd, devnull);
2171                                 }
2172                                 fput(file);
2173                         }
2174                 }
2175                 spin_lock(&files->file_lock);
2176
2177         }
2178         spin_unlock(&files->file_lock);
2179 }
2180
2181 /*
2182  * Prepare a process for imminent new credential changes due to exec
2183  */
2184 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2185 {
2186         struct task_security_struct *new_tsec;
2187         struct rlimit *rlim, *initrlim;
2188         int rc, i;
2189
2190         new_tsec = bprm->cred->security;
2191         if (new_tsec->sid == new_tsec->osid)
2192                 return;
2193
2194         /* Close files for which the new task SID is not authorized. */
2195         flush_unauthorized_files(bprm->cred, current->files);
2196
2197         /* Always clear parent death signal on SID transitions. */
2198         current->pdeath_signal = 0;
2199
2200         /* Check whether the new SID can inherit resource limits from the old
2201          * SID.  If not, reset all soft limits to the lower of the current
2202          * task's hard limit and the init task's soft limit.
2203          *
2204          * Note that the setting of hard limits (even to lower them) can be
2205          * controlled by the setrlimit check.  The inclusion of the init task's
2206          * soft limit into the computation is to avoid resetting soft limits
2207          * higher than the default soft limit for cases where the default is
2208          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2209          */
2210         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2211                           PROCESS__RLIMITINH, NULL);
2212         if (rc) {
2213                 /* protect against do_prlimit() */
2214                 task_lock(current);
2215                 for (i = 0; i < RLIM_NLIMITS; i++) {
2216                         rlim = current->signal->rlim + i;
2217                         initrlim = init_task.signal->rlim + i;
2218                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2219                 }
2220                 task_unlock(current);
2221                 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2222         }
2223 }
2224
2225 /*
2226  * Clean up the process immediately after the installation of new credentials
2227  * due to exec
2228  */
2229 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2230 {
2231         const struct task_security_struct *tsec = current_security();
2232         struct itimerval itimer;
2233         u32 osid, sid;
2234         int rc, i;
2235
2236         osid = tsec->osid;
2237         sid = tsec->sid;
2238
2239         if (sid == osid)
2240                 return;
2241
2242         /* Check whether the new SID can inherit signal state from the old SID.
2243          * If not, clear itimers to avoid subsequent signal generation and
2244          * flush and unblock signals.
2245          *
2246          * This must occur _after_ the task SID has been updated so that any
2247          * kill done after the flush will be checked against the new SID.
2248          */
2249         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2250         if (rc) {
2251                 memset(&itimer, 0, sizeof itimer);
2252                 for (i = 0; i < 3; i++)
2253                         do_setitimer(i, &itimer, NULL);
2254                 spin_lock_irq(&current->sighand->siglock);
2255                 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2256                         __flush_signals(current);
2257                         flush_signal_handlers(current, 1);
2258                         sigemptyset(&current->blocked);
2259                 }
2260                 spin_unlock_irq(&current->sighand->siglock);
2261         }
2262
2263         /* Wake up the parent if it is waiting so that it can recheck
2264          * wait permission to the new task SID. */
2265         read_lock(&tasklist_lock);
2266         __wake_up_parent(current, current->real_parent);
2267         read_unlock(&tasklist_lock);
2268 }
2269
2270 /* superblock security operations */
2271
2272 static int selinux_sb_alloc_security(struct super_block *sb)
2273 {
2274         return superblock_alloc_security(sb);
2275 }
2276
2277 static void selinux_sb_free_security(struct super_block *sb)
2278 {
2279         superblock_free_security(sb);
2280 }
2281
2282 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2283 {
2284         if (plen > olen)
2285                 return 0;
2286
2287         return !memcmp(prefix, option, plen);
2288 }
2289
2290 static inline int selinux_option(char *option, int len)
2291 {
2292         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2293                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2294                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2295                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2296                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2297 }
2298
2299 static inline void take_option(char **to, char *from, int *first, int len)
2300 {
2301         if (!*first) {
2302                 **to = ',';
2303                 *to += 1;
2304         } else
2305                 *first = 0;
2306         memcpy(*to, from, len);
2307         *to += len;
2308 }
2309
2310 static inline void take_selinux_option(char **to, char *from, int *first,
2311                                        int len)
2312 {
2313         int current_size = 0;
2314
2315         if (!*first) {
2316                 **to = '|';
2317                 *to += 1;
2318         } else
2319                 *first = 0;
2320
2321         while (current_size < len) {
2322                 if (*from != '"') {
2323                         **to = *from;
2324                         *to += 1;
2325                 }
2326                 from += 1;
2327                 current_size += 1;
2328         }
2329 }
2330
2331 static int selinux_sb_copy_data(char *orig, char *copy)
2332 {
2333         int fnosec, fsec, rc = 0;
2334         char *in_save, *in_curr, *in_end;
2335         char *sec_curr, *nosec_save, *nosec;
2336         int open_quote = 0;
2337
2338         in_curr = orig;
2339         sec_curr = copy;
2340
2341         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2342         if (!nosec) {
2343                 rc = -ENOMEM;
2344                 goto out;
2345         }
2346
2347         nosec_save = nosec;
2348         fnosec = fsec = 1;
2349         in_save = in_end = orig;
2350
2351         do {
2352                 if (*in_end == '"')
2353                         open_quote = !open_quote;
2354                 if ((*in_end == ',' && open_quote == 0) ||
2355                                 *in_end == '\0') {
2356                         int len = in_end - in_curr;
2357
2358                         if (selinux_option(in_curr, len))
2359                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2360                         else
2361                                 take_option(&nosec, in_curr, &fnosec, len);
2362
2363                         in_curr = in_end + 1;
2364                 }
2365         } while (*in_end++);
2366
2367         strcpy(in_save, nosec_save);
2368         free_page((unsigned long)nosec_save);
2369 out:
2370         return rc;
2371 }
2372
2373 static int selinux_sb_remount(struct super_block *sb, void *data)
2374 {
2375         int rc, i, *flags;
2376         struct security_mnt_opts opts;
2377         char *secdata, **mount_options;
2378         struct superblock_security_struct *sbsec = sb->s_security;
2379
2380         if (!(sbsec->flags & SE_SBINITIALIZED))
2381                 return 0;
2382
2383         if (!data)
2384                 return 0;
2385
2386         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2387                 return 0;
2388
2389         security_init_mnt_opts(&opts);
2390         secdata = alloc_secdata();
2391         if (!secdata)
2392                 return -ENOMEM;
2393         rc = selinux_sb_copy_data(data, secdata);
2394         if (rc)
2395                 goto out_free_secdata;
2396
2397         rc = selinux_parse_opts_str(secdata, &opts);
2398         if (rc)
2399                 goto out_free_secdata;
2400
2401         mount_options = opts.mnt_opts;
2402         flags = opts.mnt_opts_flags;
2403
2404         for (i = 0; i < opts.num_mnt_opts; i++) {
2405                 u32 sid;
2406                 size_t len;
2407
2408                 if (flags[i] == SE_SBLABELSUPP)
2409                         continue;
2410                 len = strlen(mount_options[i]);
2411                 rc = security_context_to_sid(mount_options[i], len, &sid);
2412                 if (rc) {
2413                         printk(KERN_WARNING "SELinux: security_context_to_sid"
2414                                "(%s) failed for (dev %s, type %s) errno=%d\n",
2415                                mount_options[i], sb->s_id, sb->s_type->name, rc);
2416                         goto out_free_opts;
2417                 }
2418                 rc = -EINVAL;
2419                 switch (flags[i]) {
2420                 case FSCONTEXT_MNT:
2421                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2422                                 goto out_bad_option;
2423                         break;
2424                 case CONTEXT_MNT:
2425                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2426                                 goto out_bad_option;
2427                         break;
2428                 case ROOTCONTEXT_MNT: {
2429                         struct inode_security_struct *root_isec;
2430                         root_isec = sb->s_root->d_inode->i_security;
2431
2432                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2433                                 goto out_bad_option;
2434                         break;
2435                 }
2436                 case DEFCONTEXT_MNT:
2437                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2438                                 goto out_bad_option;
2439                         break;
2440                 default:
2441                         goto out_free_opts;
2442                 }
2443         }
2444
2445         rc = 0;
2446 out_free_opts:
2447         security_free_mnt_opts(&opts);
2448 out_free_secdata:
2449         free_secdata(secdata);
2450         return rc;
2451 out_bad_option:
2452         printk(KERN_WARNING "SELinux: unable to change security options "
2453                "during remount (dev %s, type=%s)\n", sb->s_id,
2454                sb->s_type->name);
2455         goto out_free_opts;
2456 }
2457
2458 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2459 {
2460         const struct cred *cred = current_cred();
2461         struct common_audit_data ad;
2462         int rc;
2463
2464         rc = superblock_doinit(sb, data);
2465         if (rc)
2466                 return rc;
2467
2468         /* Allow all mounts performed by the kernel */
2469         if (flags & MS_KERNMOUNT)
2470                 return 0;
2471
2472         COMMON_AUDIT_DATA_INIT(&ad, FS);
2473         ad.u.fs.path.dentry = sb->s_root;
2474         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2475 }
2476
2477 static int selinux_sb_statfs(struct dentry *dentry)
2478 {
2479         const struct cred *cred = current_cred();
2480         struct common_audit_data ad;
2481
2482         COMMON_AUDIT_DATA_INIT(&ad, FS);
2483         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2484         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2485 }
2486
2487 static int selinux_mount(char *dev_name,
2488                          struct path *path,
2489                          char *type,
2490                          unsigned long flags,
2491                          void *data)
2492 {
2493         const struct cred *cred = current_cred();
2494
2495         if (flags & MS_REMOUNT)
2496                 return superblock_has_perm(cred, path->mnt->mnt_sb,
2497                                            FILESYSTEM__REMOUNT, NULL);
2498         else
2499                 return dentry_has_perm(cred, path->mnt, path->dentry,
2500                                        FILE__MOUNTON);
2501 }
2502
2503 static int selinux_umount(struct vfsmount *mnt, int flags)
2504 {
2505         const struct cred *cred = current_cred();
2506
2507         return superblock_has_perm(cred, mnt->mnt_sb,
2508                                    FILESYSTEM__UNMOUNT, NULL);
2509 }
2510
2511 /* inode security operations */
2512
2513 static int selinux_inode_alloc_security(struct inode *inode)
2514 {
2515         return inode_alloc_security(inode);
2516 }
2517
2518 static void selinux_inode_free_security(struct inode *inode)
2519 {
2520         inode_free_security(inode);
2521 }
2522
2523 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2524                                        const struct qstr *qstr, char **name,
2525                                        void **value, size_t *len)
2526 {
2527         const struct task_security_struct *tsec = current_security();
2528         struct inode_security_struct *dsec;
2529         struct superblock_security_struct *sbsec;
2530         u32 sid, newsid, clen;
2531         int rc;
2532         char *namep = NULL, *context;
2533
2534         dsec = dir->i_security;
2535         sbsec = dir->i_sb->s_security;
2536
2537         sid = tsec->sid;
2538         newsid = tsec->create_sid;
2539
2540         if ((sbsec->flags & SE_SBINITIALIZED) &&
2541             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2542                 newsid = sbsec->mntpoint_sid;
2543         else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2544                 rc = security_transition_sid(sid, dsec->sid,
2545                                              inode_mode_to_security_class(inode->i_mode),
2546                                              qstr, &newsid);
2547                 if (rc) {
2548                         printk(KERN_WARNING "%s:  "
2549                                "security_transition_sid failed, rc=%d (dev=%s "
2550                                "ino=%ld)\n",
2551                                __func__,
2552                                -rc, inode->i_sb->s_id, inode->i_ino);
2553                         return rc;
2554                 }
2555         }
2556
2557         /* Possibly defer initialization to selinux_complete_init. */
2558         if (sbsec->flags & SE_SBINITIALIZED) {
2559                 struct inode_security_struct *isec = inode->i_security;
2560                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2561                 isec->sid = newsid;
2562                 isec->initialized = 1;
2563         }
2564
2565         if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2566                 return -EOPNOTSUPP;
2567
2568         if (name) {
2569                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2570                 if (!namep)
2571                         return -ENOMEM;
2572                 *name = namep;
2573         }
2574
2575         if (value && len) {
2576                 rc = security_sid_to_context_force(newsid, &context, &clen);
2577                 if (rc) {
2578                         kfree(namep);
2579                         return rc;
2580                 }
2581                 *value = context;
2582                 *len = clen;
2583         }
2584
2585         return 0;
2586 }
2587
2588 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2589 {
2590         return may_create(dir, dentry, SECCLASS_FILE);
2591 }
2592
2593 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2594 {
2595         return may_link(dir, old_dentry, MAY_LINK);
2596 }
2597
2598 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2599 {
2600         return may_link(dir, dentry, MAY_UNLINK);
2601 }
2602
2603 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2604 {
2605         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2606 }
2607
2608 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2609 {
2610         return may_create(dir, dentry, SECCLASS_DIR);
2611 }
2612
2613 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2614 {
2615         return may_link(dir, dentry, MAY_RMDIR);
2616 }
2617
2618 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2619 {
2620         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2621 }
2622
2623 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2624                                 struct inode *new_inode, struct dentry *new_dentry)
2625 {
2626         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2627 }
2628
2629 static int selinux_inode_readlink(struct dentry *dentry)
2630 {
2631         const struct cred *cred = current_cred();
2632
2633         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2634 }
2635
2636 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2637 {
2638         const struct cred *cred = current_cred();
2639
2640         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2641 }
2642
2643 static int selinux_inode_permission(struct inode *inode, int mask, unsigned flags)
2644 {
2645         const struct cred *cred = current_cred();
2646         struct common_audit_data ad;
2647         u32 perms;
2648         bool from_access;
2649
2650         from_access = mask & MAY_ACCESS;
2651         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2652
2653         /* No permission to check.  Existence test. */
2654         if (!mask)
2655                 return 0;
2656
2657         COMMON_AUDIT_DATA_INIT(&ad, FS);
2658         ad.u.fs.inode = inode;
2659
2660         if (from_access)
2661                 ad.selinux_audit_data.auditdeny |= FILE__AUDIT_ACCESS;
2662
2663         perms = file_mask_to_av(inode->i_mode, mask);
2664
2665         return inode_has_perm(cred, inode, perms, &ad, flags);
2666 }
2667
2668 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2669 {
2670         const struct cred *cred = current_cred();
2671         unsigned int ia_valid = iattr->ia_valid;
2672
2673         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2674         if (ia_valid & ATTR_FORCE) {
2675                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2676                               ATTR_FORCE);
2677                 if (!ia_valid)
2678                         return 0;
2679         }
2680
2681         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2682                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2683                 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2684
2685         return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2686 }
2687
2688 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2689 {
2690         const struct cred *cred = current_cred();
2691
2692         return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2693 }
2694
2695 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2696 {
2697         const struct cred *cred = current_cred();
2698
2699         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2700                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2701                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2702                         if (!capable(CAP_SETFCAP))
2703                                 return -EPERM;
2704                 } else if (!capable(CAP_SYS_ADMIN)) {
2705                         /* A different attribute in the security namespace.
2706                            Restrict to administrator. */
2707                         return -EPERM;
2708                 }
2709         }
2710
2711         /* Not an attribute we recognize, so just check the
2712            ordinary setattr permission. */
2713         return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2714 }
2715
2716 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2717                                   const void *value, size_t size, int flags)
2718 {
2719         struct inode *inode = dentry->d_inode;
2720         struct inode_security_struct *isec = inode->i_security;
2721         struct superblock_security_struct *sbsec;
2722         struct common_audit_data ad;
2723         u32 newsid, sid = current_sid();
2724         int rc = 0;
2725
2726         if (strcmp(name, XATTR_NAME_SELINUX))
2727                 return selinux_inode_setotherxattr(dentry, name);
2728
2729         sbsec = inode->i_sb->s_security;
2730         if (!(sbsec->flags & SE_SBLABELSUPP))
2731                 return -EOPNOTSUPP;
2732
2733         if (!inode_owner_or_capable(inode))
2734                 return -EPERM;
2735
2736         COMMON_AUDIT_DATA_INIT(&ad, FS);
2737         ad.u.fs.path.dentry = dentry;
2738
2739         rc = avc_has_perm(sid, isec->sid, isec->sclass,
2740                           FILE__RELABELFROM, &ad);
2741         if (rc)
2742                 return rc;
2743
2744         rc = security_context_to_sid(value, size, &newsid);
2745         if (rc == -EINVAL) {
2746                 if (!capable(CAP_MAC_ADMIN))
2747                         return rc;
2748                 rc = security_context_to_sid_force(value, size, &newsid);
2749         }
2750         if (rc)
2751                 return rc;
2752
2753         rc = avc_has_perm(sid, newsid, isec->sclass,
2754                           FILE__RELABELTO, &ad);
2755         if (rc)
2756                 return rc;
2757
2758         rc = security_validate_transition(isec->sid, newsid, sid,
2759                                           isec->sclass);
2760         if (rc)
2761                 return rc;
2762
2763         return avc_has_perm(newsid,
2764                             sbsec->sid,
2765                             SECCLASS_FILESYSTEM,
2766                             FILESYSTEM__ASSOCIATE,
2767                             &ad);
2768 }
2769
2770 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2771                                         const void *value, size_t size,
2772                                         int flags)
2773 {
2774         struct inode *inode = dentry->d_inode;
2775         struct inode_security_struct *isec = inode->i_security;
2776         u32 newsid;
2777         int rc;
2778
2779         if (strcmp(name, XATTR_NAME_SELINUX)) {
2780                 /* Not an attribute we recognize, so nothing to do. */
2781                 return;
2782         }
2783
2784         rc = security_context_to_sid_force(value, size, &newsid);
2785         if (rc) {
2786                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2787                        "for (%s, %lu), rc=%d\n",
2788                        inode->i_sb->s_id, inode->i_ino, -rc);
2789                 return;
2790         }
2791
2792         isec->sid = newsid;
2793         return;
2794 }
2795
2796 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2797 {
2798         const struct cred *cred = current_cred();
2799
2800         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2801 }
2802
2803 static int selinux_inode_listxattr(struct dentry *dentry)
2804 {
2805         const struct cred *cred = current_cred();
2806
2807         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2808 }
2809
2810 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2811 {
2812         if (strcmp(name, XATTR_NAME_SELINUX))
2813                 return selinux_inode_setotherxattr(dentry, name);
2814
2815         /* No one is allowed to remove a SELinux security label.
2816            You can change the label, but all data must be labeled. */
2817         return -EACCES;
2818 }
2819
2820 /*
2821  * Copy the inode security context value to the user.
2822  *
2823  * Permission check is handled by selinux_inode_getxattr hook.
2824  */
2825 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2826 {
2827         u32 size;
2828         int error;
2829         char *context = NULL;
2830         struct inode_security_struct *isec = inode->i_security;
2831
2832         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2833                 return -EOPNOTSUPP;
2834
2835         /*
2836          * If the caller has CAP_MAC_ADMIN, then get the raw context
2837          * value even if it is not defined by current policy; otherwise,
2838          * use the in-core value under current policy.
2839          * Use the non-auditing forms of the permission checks since
2840          * getxattr may be called by unprivileged processes commonly
2841          * and lack of permission just means that we fall back to the
2842          * in-core context value, not a denial.
2843          */
2844         error = selinux_capable(current, current_cred(),
2845                                 &init_user_ns, CAP_MAC_ADMIN,
2846                                 SECURITY_CAP_NOAUDIT);
2847         if (!error)
2848                 error = security_sid_to_context_force(isec->sid, &context,
2849                                                       &size);
2850         else
2851                 error = security_sid_to_context(isec->sid, &context, &size);
2852         if (error)
2853                 return error;
2854         error = size;
2855         if (alloc) {
2856                 *buffer = context;
2857                 goto out_nofree;
2858         }
2859         kfree(context);
2860 out_nofree:
2861         return error;
2862 }
2863
2864 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2865                                      const void *value, size_t size, int flags)
2866 {
2867         struct inode_security_struct *isec = inode->i_security;
2868         u32 newsid;
2869         int rc;
2870
2871         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2872                 return -EOPNOTSUPP;
2873
2874         if (!value || !size)
2875                 return -EACCES;
2876
2877         rc = security_context_to_sid((void *)value, size, &newsid);
2878         if (rc)
2879                 return rc;
2880
2881         isec->sid = newsid;
2882         isec->initialized = 1;
2883         return 0;
2884 }
2885
2886 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2887 {
2888         const int len = sizeof(XATTR_NAME_SELINUX);
2889         if (buffer && len <= buffer_size)
2890                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2891         return len;
2892 }
2893
2894 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2895 {
2896         struct inode_security_struct *isec = inode->i_security;
2897         *secid = isec->sid;
2898 }
2899
2900 /* file security operations */
2901
2902 static int selinux_revalidate_file_permission(struct file *file, int mask)
2903 {
2904         const struct cred *cred = current_cred();
2905         struct inode *inode = file->f_path.dentry->d_inode;
2906
2907         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2908         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2909                 mask |= MAY_APPEND;
2910
2911         return file_has_perm(cred, file,
2912                              file_mask_to_av(inode->i_mode, mask));
2913 }
2914
2915 static int selinux_file_permission(struct file *file, int mask)
2916 {
2917         struct inode *inode = file->f_path.dentry->d_inode;
2918         struct file_security_struct *fsec = file->f_security;
2919         struct inode_security_struct *isec = inode->i_security;
2920         u32 sid = current_sid();
2921
2922         if (!mask)
2923                 /* No permission to check.  Existence test. */
2924                 return 0;
2925
2926         if (sid == fsec->sid && fsec->isid == isec->sid &&
2927             fsec->pseqno == avc_policy_seqno())
2928                 /* No change since dentry_open check. */
2929                 return 0;
2930
2931         return selinux_revalidate_file_permission(file, mask);
2932 }
2933
2934 static int selinux_file_alloc_security(struct file *file)
2935 {
2936         return file_alloc_security(file);
2937 }
2938
2939 static void selinux_file_free_security(struct file *file)
2940 {
2941         file_free_security(file);
2942 }
2943
2944 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2945                               unsigned long arg)
2946 {
2947         const struct cred *cred = current_cred();
2948         int error = 0;
2949
2950         switch (cmd) {
2951         case FIONREAD:
2952         /* fall through */
2953         case FIBMAP:
2954         /* fall through */
2955         case FIGETBSZ:
2956         /* fall through */
2957         case EXT2_IOC_GETFLAGS:
2958         /* fall through */
2959         case EXT2_IOC_GETVERSION:
2960                 error = file_has_perm(cred, file, FILE__GETATTR);
2961                 break;
2962
2963         case EXT2_IOC_SETFLAGS:
2964         /* fall through */
2965         case EXT2_IOC_SETVERSION:
2966                 error = file_has_perm(cred, file, FILE__SETATTR);
2967                 break;
2968
2969         /* sys_ioctl() checks */
2970         case FIONBIO:
2971         /* fall through */
2972         case FIOASYNC:
2973                 error = file_has_perm(cred, file, 0);
2974                 break;
2975
2976         case KDSKBENT:
2977         case KDSKBSENT:
2978                 error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG,
2979                                         SECURITY_CAP_AUDIT);
2980                 break;
2981
2982         /* default case assumes that the command will go
2983          * to the file's ioctl() function.
2984          */
2985         default:
2986                 error = file_has_perm(cred, file, FILE__IOCTL);
2987         }
2988         return error;
2989 }
2990
2991 static int default_noexec;
2992
2993 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2994 {
2995         const struct cred *cred = current_cred();
2996         int rc = 0;
2997
2998         if (default_noexec &&
2999             (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3000                 /*
3001                  * We are making executable an anonymous mapping or a
3002                  * private file mapping that will also be writable.
3003                  * This has an additional check.
3004                  */
3005                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3006                 if (rc)
3007                         goto error;
3008         }
3009
3010         if (file) {
3011                 /* read access is always possible with a mapping */
3012                 u32 av = FILE__READ;
3013
3014                 /* write access only matters if the mapping is shared */
3015                 if (shared && (prot & PROT_WRITE))
3016                         av |= FILE__WRITE;
3017
3018                 if (prot & PROT_EXEC)
3019                         av |= FILE__EXECUTE;
3020
3021                 return file_has_perm(cred, file, av);
3022         }
3023
3024 error:
3025         return rc;
3026 }
3027
3028 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3029                              unsigned long prot, unsigned long flags,
3030                              unsigned long addr, unsigned long addr_only)
3031 {
3032         int rc = 0;
3033         u32 sid = current_sid();
3034
3035         /*
3036          * notice that we are intentionally putting the SELinux check before
3037          * the secondary cap_file_mmap check.  This is such a likely attempt
3038          * at bad behaviour/exploit that we always want to get the AVC, even
3039          * if DAC would have also denied the operation.
3040          */
3041         if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3042                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3043                                   MEMPROTECT__MMAP_ZERO, NULL);
3044                 if (rc)
3045                         return rc;
3046         }
3047
3048         /* do DAC check on address space usage */
3049         rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3050         if (rc || addr_only)
3051                 return rc;
3052
3053         if (selinux_checkreqprot)
3054                 prot = reqprot;
3055
3056         return file_map_prot_check(file, prot,
3057                                    (flags & MAP_TYPE) == MAP_SHARED);
3058 }
3059
3060 static int selinux_file_mprotect(struct vm_area_struct *vma,
3061                                  unsigned long reqprot,
3062                                  unsigned long prot)
3063 {
3064         const struct cred *cred = current_cred();
3065
3066         if (selinux_checkreqprot)
3067                 prot = reqprot;
3068
3069         if (default_noexec &&
3070             (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3071                 int rc = 0;
3072                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3073                     vma->vm_end <= vma->vm_mm->brk) {
3074                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3075                 } else if (!vma->vm_file &&
3076                            vma->vm_start <= vma->vm_mm->start_stack &&
3077                            vma->vm_end >= vma->vm_mm->start_stack) {
3078                         rc = current_has_perm(current, PROCESS__EXECSTACK);
3079                 } else if (vma->vm_file && vma->anon_vma) {
3080                         /*
3081                          * We are making executable a file mapping that has
3082                          * had some COW done. Since pages might have been
3083                          * written, check ability to execute the possibly
3084                          * modified content.  This typically should only
3085                          * occur for text relocations.
3086                          */
3087                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3088                 }
3089                 if (rc)
3090                         return rc;
3091         }
3092
3093         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3094 }
3095
3096 static int selinux_file_lock(struct file *file, unsigned int cmd)
3097 {
3098         const struct cred *cred = current_cred();
3099
3100         return file_has_perm(cred, file, FILE__LOCK);
3101 }
3102
3103 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3104                               unsigned long arg)
3105 {
3106         const struct cred *cred = current_cred();
3107         int err = 0;
3108
3109         switch (cmd) {
3110         case F_SETFL:
3111                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3112                         err = -EINVAL;
3113                         break;
3114                 }
3115
3116                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3117                         err = file_has_perm(cred, file, FILE__WRITE);
3118                         break;
3119                 }
3120                 /* fall through */
3121         case F_SETOWN:
3122         case F_SETSIG:
3123         case F_GETFL:
3124         case F_GETOWN:
3125         case F_GETSIG:
3126                 /* Just check FD__USE permission */
3127                 err = file_has_perm(cred, file, 0);
3128                 break;
3129         case F_GETLK:
3130         case F_SETLK:
3131         case F_SETLKW:
3132 #if BITS_PER_LONG == 32
3133         case F_GETLK64:
3134         case F_SETLK64:
3135         case F_SETLKW64:
3136 #endif
3137                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3138                         err = -EINVAL;
3139                         break;
3140                 }
3141                 err = file_has_perm(cred, file, FILE__LOCK);
3142                 break;
3143         }
3144
3145         return err;
3146 }
3147
3148 static int selinux_file_set_fowner(struct file *file)
3149 {
3150         struct file_security_struct *fsec;
3151
3152         fsec = file->f_security;
3153         fsec->fown_sid = current_sid();
3154
3155         return 0;
3156 }
3157
3158 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3159                                        struct fown_struct *fown, int signum)
3160 {
3161         struct file *file;
3162         u32 sid = task_sid(tsk);
3163         u32 perm;
3164         struct file_security_struct *fsec;
3165
3166         /* struct fown_struct is never outside the context of a struct file */
3167         file = container_of(fown, struct file, f_owner);
3168
3169         fsec = file->f_security;
3170
3171         if (!signum)
3172                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3173         else
3174                 perm = signal_to_av(signum);
3175
3176         return avc_has_perm(fsec->fown_sid, sid,
3177                             SECCLASS_PROCESS, perm, NULL);
3178 }
3179
3180 static int selinux_file_receive(struct file *file)
3181 {
3182         const struct cred *cred = current_cred();
3183
3184         return file_has_perm(cred, file, file_to_av(file));
3185 }
3186
3187 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3188 {
3189         struct file_security_struct *fsec;
3190         struct inode *inode;
3191         struct inode_security_struct *isec;
3192
3193         inode = file->f_path.dentry->d_inode;
3194         fsec = file->f_security;
3195         isec = inode->i_security;
3196         /*
3197          * Save inode label and policy sequence number
3198          * at open-time so that selinux_file_permission
3199          * can determine whether revalidation is necessary.
3200          * Task label is already saved in the file security
3201          * struct as its SID.
3202          */
3203         fsec->isid = isec->sid;
3204         fsec->pseqno = avc_policy_seqno();
3205         /*
3206          * Since the inode label or policy seqno may have changed
3207          * between the selinux_inode_permission check and the saving
3208          * of state above, recheck that access is still permitted.
3209          * Otherwise, access might never be revalidated against the
3210          * new inode label or new policy.
3211          * This check is not redundant - do not remove.
3212          */
3213         return inode_has_perm(cred, inode, open_file_to_av(file), NULL, 0);
3214 }
3215
3216 /* task security operations */
3217
3218 static int selinux_task_create(unsigned long clone_flags)
3219 {
3220         return current_has_perm(current, PROCESS__FORK);
3221 }
3222
3223 /*
3224  * allocate the SELinux part of blank credentials
3225  */
3226 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3227 {
3228         struct task_security_struct *tsec;
3229
3230         tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3231         if (!tsec)
3232                 return -ENOMEM;
3233
3234         cred->security = tsec;
3235         return 0;
3236 }
3237
3238 /*
3239  * detach and free the LSM part of a set of credentials
3240  */
3241 static void selinux_cred_free(struct cred *cred)
3242 {
3243         struct task_security_struct *tsec = cred->security;
3244
3245         /*
3246          * cred->security == NULL if security_cred_alloc_blank() or
3247          * security_prepare_creds() returned an error.
3248          */
3249         BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3250         cred->security = (void *) 0x7UL;
3251         kfree(tsec);
3252 }
3253
3254 /*
3255  * prepare a new set of credentials for modification
3256  */
3257 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3258                                 gfp_t gfp)
3259 {
3260         const struct task_security_struct *old_tsec;
3261         struct task_security_struct *tsec;
3262
3263         old_tsec = old->security;
3264
3265         tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3266         if (!tsec)
3267                 return -ENOMEM;
3268
3269         new->security = tsec;
3270         return 0;
3271 }
3272
3273 /*
3274  * transfer the SELinux data to a blank set of creds
3275  */
3276 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3277 {
3278         const struct task_security_struct *old_tsec = old->security;
3279         struct task_security_struct *tsec = new->security;
3280
3281         *tsec = *old_tsec;
3282 }
3283
3284 /*
3285  * set the security data for a kernel service
3286  * - all the creation contexts are set to unlabelled
3287  */
3288 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3289 {
3290         struct task_security_struct *tsec = new->security;
3291         u32 sid = current_sid();
3292         int ret;
3293
3294         ret = avc_has_perm(sid, secid,
3295                            SECCLASS_KERNEL_SERVICE,
3296                            KERNEL_SERVICE__USE_AS_OVERRIDE,
3297                            NULL);
3298         if (ret == 0) {
3299                 tsec->sid = secid;
3300                 tsec->create_sid = 0;
3301                 tsec->keycreate_sid = 0;
3302                 tsec->sockcreate_sid = 0;
3303         }
3304         return ret;
3305 }
3306
3307 /*
3308  * set the file creation context in a security record to the same as the
3309  * objective context of the specified inode
3310  */
3311 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3312 {
3313         struct inode_security_struct *isec = inode->i_security;
3314         struct task_security_struct *tsec = new->security;
3315         u32 sid = current_sid();
3316         int ret;
3317
3318         ret = avc_has_perm(sid, isec->sid,
3319                            SECCLASS_KERNEL_SERVICE,
3320                            KERNEL_SERVICE__CREATE_FILES_AS,
3321                            NULL);
3322
3323         if (ret == 0)
3324                 tsec->create_sid = isec->sid;
3325         return ret;
3326 }
3327
3328 static int selinux_kernel_module_request(char *kmod_name)
3329 {
3330         u32 sid;
3331         struct common_audit_data ad;
3332
3333         sid = task_sid(current);
3334
3335         COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3336         ad.u.kmod_name = kmod_name;
3337
3338         return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3339                             SYSTEM__MODULE_REQUEST, &ad);
3340 }
3341
3342 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3343 {
3344         return current_has_perm(p, PROCESS__SETPGID);
3345 }
3346
3347 static int selinux_task_getpgid(struct task_struct *p)
3348 {
3349         return current_has_perm(p, PROCESS__GETPGID);
3350 }
3351
3352 static int selinux_task_getsid(struct task_struct *p)
3353 {
3354         return current_has_perm(p, PROCESS__GETSESSION);
3355 }
3356
3357 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3358 {
3359         *secid = task_sid(p);
3360 }
3361
3362 static int selinux_task_setnice(struct task_struct *p, int nice)
3363 {
3364         int rc;
3365
3366         rc = cap_task_setnice(p, nice);
3367         if (rc)
3368                 return rc;
3369
3370         return current_has_perm(p, PROCESS__SETSCHED);
3371 }
3372
3373 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3374 {
3375         int rc;
3376
3377         rc = cap_task_setioprio(p, ioprio);
3378         if (rc)
3379                 return rc;
3380
3381         return current_has_perm(p, PROCESS__SETSCHED);
3382 }
3383
3384 static int selinux_task_getioprio(struct task_struct *p)
3385 {
3386         return current_has_perm(p, PROCESS__GETSCHED);
3387 }
3388
3389 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3390                 struct rlimit *new_rlim)
3391 {
3392         struct rlimit *old_rlim = p->signal->rlim + resource;
3393
3394         /* Control the ability to change the hard limit (whether
3395            lowering or raising it), so that the hard limit can
3396            later be used as a safe reset point for the soft limit
3397            upon context transitions.  See selinux_bprm_committing_creds. */
3398         if (old_rlim->rlim_max != new_rlim->rlim_max)
3399                 return current_has_perm(p, PROCESS__SETRLIMIT);
3400
3401         return 0;
3402 }
3403
3404 static int selinux_task_setscheduler(struct task_struct *p)
3405 {
3406         int rc;
3407
3408         rc = cap_task_setscheduler(p);
3409         if (rc)
3410                 return rc;
3411
3412         return current_has_perm(p, PROCESS__SETSCHED);
3413 }
3414
3415 static int selinux_task_getscheduler(struct task_struct *p)
3416 {
3417         return current_has_perm(p, PROCESS__GETSCHED);
3418 }
3419
3420 static int selinux_task_movememory(struct task_struct *p)
3421 {
3422         return current_has_perm(p, PROCESS__SETSCHED);
3423 }
3424
3425 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3426                                 int sig, u32 secid)
3427 {
3428         u32 perm;
3429         int rc;
3430
3431         if (!sig)
3432                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3433         else
3434                 perm = signal_to_av(sig);
3435         if (secid)
3436                 rc = avc_has_perm(secid, task_sid(p),
3437                                   SECCLASS_PROCESS, perm, NULL);
3438         else
3439                 rc = current_has_perm(p, perm);
3440         return rc;
3441 }
3442
3443 static int selinux_task_wait(struct task_struct *p)
3444 {
3445         return task_has_perm(p, current, PROCESS__SIGCHLD);
3446 }
3447
3448 static void selinux_task_to_inode(struct task_struct *p,
3449                                   struct inode *inode)
3450 {
3451         struct inode_security_struct *isec = inode->i_security;
3452         u32 sid = task_sid(p);
3453
3454         isec->sid = sid;
3455         isec->initialized = 1;
3456 }
3457
3458 /* Returns error only if unable to parse addresses */
3459 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3460                         struct common_audit_data *ad, u8 *proto)
3461 {
3462         int offset, ihlen, ret = -EINVAL;
3463         struct iphdr _iph, *ih;
3464
3465         offset = skb_network_offset(skb);
3466         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3467         if (ih == NULL)
3468                 goto out;
3469
3470         ihlen = ih->ihl * 4;
3471         if (ihlen < sizeof(_iph))
3472                 goto out;
3473
3474         ad->u.net.v4info.saddr = ih->saddr;
3475         ad->u.net.v4info.daddr = ih->daddr;
3476         ret = 0;
3477
3478         if (proto)
3479                 *proto = ih->protocol;
3480
3481         switch (ih->protocol) {
3482         case IPPROTO_TCP: {
3483                 struct tcphdr _tcph, *th;
3484
3485                 if (ntohs(ih->frag_off) & IP_OFFSET)
3486                         break;
3487
3488                 offset += ihlen;
3489                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3490                 if (th == NULL)
3491                         break;
3492
3493                 ad->u.net.sport = th->source;
3494                 ad->u.net.dport = th->dest;
3495                 break;
3496         }
3497
3498         case IPPROTO_UDP: {
3499                 struct udphdr _udph, *uh;
3500
3501                 if (ntohs(ih->frag_off) & IP_OFFSET)
3502                         break;
3503
3504                 offset += ihlen;
3505                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3506                 if (uh == NULL)
3507                         break;
3508
3509                 ad->u.net.sport = uh->source;
3510                 ad->u.net.dport = uh->dest;
3511                 break;
3512         }
3513
3514         case IPPROTO_DCCP: {
3515                 struct dccp_hdr _dccph, *dh;
3516
3517                 if (ntohs(ih->frag_off) & IP_OFFSET)
3518                         break;
3519
3520                 offset += ihlen;
3521                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3522                 if (dh == NULL)
3523                         break;
3524
3525                 ad->u.net.sport = dh->dccph_sport;
3526                 ad->u.net.dport = dh->dccph_dport;
3527                 break;
3528         }
3529
3530         default:
3531                 break;
3532         }
3533 out:
3534         return ret;
3535 }
3536
3537 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3538
3539 /* Returns error only if unable to parse addresses */
3540 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3541                         struct common_audit_data *ad, u8 *proto)
3542 {
3543         u8 nexthdr;
3544         int ret = -EINVAL, offset;
3545         struct ipv6hdr _ipv6h, *ip6;
3546
3547         offset = skb_network_offset(skb);
3548         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3549         if (ip6 == NULL)
3550                 goto out;
3551
3552         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3553         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3554         ret = 0;
3555
3556         nexthdr = ip6->nexthdr;
3557         offset += sizeof(_ipv6h);
3558         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3559         if (offset < 0)
3560                 goto out;
3561
3562         if (proto)
3563                 *proto = nexthdr;
3564
3565         switch (nexthdr) {
3566         case IPPROTO_TCP: {
3567                 struct tcphdr _tcph, *th;
3568
3569                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3570                 if (th == NULL)
3571                         break;
3572
3573                 ad->u.net.sport = th->source;
3574                 ad->u.net.dport = th->dest;
3575                 break;
3576         }
3577
3578         case IPPROTO_UDP: {
3579                 struct udphdr _udph, *uh;
3580
3581                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3582                 if (uh == NULL)
3583                         break;
3584
3585                 ad->u.net.sport = uh->source;
3586                 ad->u.net.dport = uh->dest;
3587                 break;
3588         }
3589
3590         case IPPROTO_DCCP: {
3591                 struct dccp_hdr _dccph, *dh;
3592
3593                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3594                 if (dh == NULL)
3595                         break;
3596
3597                 ad->u.net.sport = dh->dccph_sport;
3598                 ad->u.net.dport = dh->dccph_dport;
3599                 break;
3600         }
3601
3602         /* includes fragments */
3603         default:
3604                 break;
3605         }
3606 out:
3607         return ret;
3608 }
3609
3610 #endif /* IPV6 */
3611
3612 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3613                              char **_addrp, int src, u8 *proto)
3614 {
3615         char *addrp;
3616         int ret;
3617
3618         switch (ad->u.net.family) {
3619         case PF_INET:
3620                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3621                 if (ret)
3622                         goto parse_error;
3623                 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3624                                        &ad->u.net.v4info.daddr);
3625                 goto okay;
3626
3627 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3628         case PF_INET6:
3629                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3630                 if (ret)
3631                         goto parse_error;
3632                 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3633                                        &ad->u.net.v6info.daddr);
3634                 goto okay;
3635 #endif  /* IPV6 */
3636         default:
3637                 addrp = NULL;
3638                 goto okay;
3639         }
3640
3641 parse_error:
3642         printk(KERN_WARNING
3643                "SELinux: failure in selinux_parse_skb(),"
3644                " unable to parse packet\n");
3645         return ret;
3646
3647 okay:
3648         if (_addrp)
3649                 *_addrp = addrp;
3650         return 0;
3651 }
3652
3653 /**
3654  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3655  * @skb: the packet
3656  * @family: protocol family
3657  * @sid: the packet's peer label SID
3658  *
3659  * Description:
3660  * Check the various different forms of network peer labeling and determine
3661  * the peer label/SID for the packet; most of the magic actually occurs in
3662  * the security server function security_net_peersid_cmp().  The function
3663  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3664  * or -EACCES if @sid is invalid due to inconsistencies with the different
3665  * peer labels.
3666  *
3667  */
3668 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3669 {
3670         int err;
3671         u32 xfrm_sid;
3672         u32 nlbl_sid;
3673         u32 nlbl_type;
3674
3675         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3676         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3677
3678         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3679         if (unlikely(err)) {
3680                 printk(KERN_WARNING
3681                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3682                        " unable to determine packet's peer label\n");
3683                 return -EACCES;
3684         }
3685
3686         return 0;
3687 }
3688
3689 /* socket security operations */
3690
3691 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3692                                  u16 secclass, u32 *socksid)
3693 {
3694         if (tsec->sockcreate_sid > SECSID_NULL) {
3695                 *socksid = tsec->sockcreate_sid;
3696                 return 0;
3697         }
3698
3699         return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3700                                        socksid);
3701 }
3702
3703 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3704 {
3705         struct sk_security_struct *sksec = sk->sk_security;
3706         struct common_audit_data ad;
3707         u32 tsid = task_sid(task);
3708
3709         if (sksec->sid == SECINITSID_KERNEL)
3710                 return 0;
3711
3712         COMMON_AUDIT_DATA_INIT(&ad, NET);
3713         ad.u.net.sk = sk;
3714
3715         return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3716 }
3717
3718 static int selinux_socket_create(int family, int type,
3719                                  int protocol, int kern)
3720 {
3721         const struct task_security_struct *tsec = current_security();
3722         u32 newsid;
3723         u16 secclass;
3724         int rc;
3725
3726         if (kern)
3727                 return 0;
3728
3729         secclass = socket_type_to_security_class(family, type, protocol);
3730         rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3731         if (rc)
3732                 return rc;
3733
3734         return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3735 }
3736
3737 static int selinux_socket_post_create(struct socket *sock, int family,
3738                                       int type, int protocol, int kern)
3739 {
3740         const struct task_security_struct *tsec = current_security();
3741         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3742         struct sk_security_struct *sksec;
3743         int err = 0;
3744
3745         isec->sclass = socket_type_to_security_class(family, type, protocol);
3746
3747         if (kern)
3748                 isec->sid = SECINITSID_KERNEL;
3749         else {
3750                 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3751                 if (err)
3752                         return err;
3753         }
3754
3755         isec->initialized = 1;
3756
3757         if (sock->sk) {
3758                 sksec = sock->sk->sk_security;
3759                 sksec->sid = isec->sid;
3760                 sksec->sclass = isec->sclass;
3761                 err = selinux_netlbl_socket_post_create(sock->sk, family);
3762         }
3763
3764         return err;
3765 }
3766
3767 /* Range of port numbers used to automatically bind.
3768    Need to determine whether we should perform a name_bind
3769    permission check between the socket and the port number. */
3770
3771 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3772 {
3773         struct sock *sk = sock->sk;
3774         u16 family;
3775         int err;
3776
3777         err = sock_has_perm(current, sk, SOCKET__BIND);
3778         if (err)
3779                 goto out;
3780
3781         /*
3782          * If PF_INET or PF_INET6, check name_bind permission for the port.
3783          * Multiple address binding for SCTP is not supported yet: we just
3784          * check the first address now.
3785          */
3786         family = sk->sk_family;
3787         if (family == PF_INET || family == PF_INET6) {
3788                 char *addrp;
3789                 struct sk_security_struct *sksec = sk->sk_security;
3790                 struct common_audit_data ad;
3791                 struct sockaddr_in *addr4 = NULL;
3792                 struct sockaddr_in6 *addr6 = NULL;
3793                 unsigned short snum;
3794                 u32 sid, node_perm;
3795
3796                 if (family == PF_INET) {
3797                         addr4 = (struct sockaddr_in *)address;
3798                         snum = ntohs(addr4->sin_port);
3799                         addrp = (char *)&addr4->sin_addr.s_addr;
3800                 } else {
3801                         addr6 = (struct sockaddr_in6 *)address;
3802                         snum = ntohs(addr6->sin6_port);
3803                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3804                 }
3805
3806                 if (snum) {
3807                         int low, high;
3808
3809                         inet_get_local_port_range(&low, &high);
3810
3811                         if (snum < max(PROT_SOCK, low) || snum > high) {
3812                                 err = sel_netport_sid(sk->sk_protocol,
3813                                                       snum, &sid);
3814                                 if (err)
3815                                         goto out;
3816                                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3817                                 ad.u.net.sport = htons(snum);
3818                                 ad.u.net.family = family;
3819                                 err = avc_has_perm(sksec->sid, sid,
3820                                                    sksec->sclass,
3821                                                    SOCKET__NAME_BIND, &ad);
3822                                 if (err)
3823                                         goto out;
3824                         }
3825                 }
3826
3827                 switch (sksec->sclass) {
3828                 case SECCLASS_TCP_SOCKET:
3829                         node_perm = TCP_SOCKET__NODE_BIND;
3830                         break;
3831
3832                 case SECCLASS_UDP_SOCKET:
3833                         node_perm = UDP_SOCKET__NODE_BIND;
3834                         break;
3835
3836                 case SECCLASS_DCCP_SOCKET:
3837                         node_perm = DCCP_SOCKET__NODE_BIND;
3838                         break;
3839
3840                 default:
3841                         node_perm = RAWIP_SOCKET__NODE_BIND;
3842                         break;
3843                 }
3844
3845                 err = sel_netnode_sid(addrp, family, &sid);
3846                 if (err)
3847                         goto out;
3848
3849                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3850                 ad.u.net.sport = htons(snum);
3851                 ad.u.net.family = family;
3852
3853                 if (family == PF_INET)
3854                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3855                 else
3856                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3857
3858                 err = avc_has_perm(sksec->sid, sid,
3859                                    sksec->sclass, node_perm, &ad);
3860                 if (err)
3861                         goto out;
3862         }
3863 out:
3864         return err;
3865 }
3866
3867 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3868 {
3869         struct sock *sk = sock->sk;
3870         struct sk_security_struct *sksec = sk->sk_security;
3871         int err;
3872
3873         err = sock_has_perm(current, sk, SOCKET__CONNECT);
3874         if (err)
3875                 return err;
3876
3877         /*
3878          * If a TCP or DCCP socket, check name_connect permission for the port.
3879          */
3880         if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3881             sksec->sclass == SECCLASS_DCCP_SOCKET) {
3882                 struct common_audit_data ad;
3883                 struct sockaddr_in *addr4 = NULL;
3884                 struct sockaddr_in6 *addr6 = NULL;
3885                 unsigned short snum;
3886                 u32 sid, perm;
3887
3888                 if (sk->sk_family == PF_INET) {
3889                         addr4 = (struct sockaddr_in *)address;
3890                         if (addrlen < sizeof(struct sockaddr_in))
3891                                 return -EINVAL;
3892                         snum = ntohs(addr4->sin_port);
3893                 } else {
3894                         addr6 = (struct sockaddr_in6 *)address;
3895                         if (addrlen < SIN6_LEN_RFC2133)
3896                                 return -EINVAL;
3897                         snum = ntohs(addr6->sin6_port);
3898                 }
3899
3900                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3901                 if (err)
3902                         goto out;
3903
3904                 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3905                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3906
3907                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3908                 ad.u.net.dport = htons(snum);
3909                 ad.u.net.family = sk->sk_family;
3910                 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3911                 if (err)
3912                         goto out;
3913         }
3914
3915         err = selinux_netlbl_socket_connect(sk, address);
3916
3917 out:
3918         return err;
3919 }
3920
3921 static int selinux_socket_listen(struct socket *sock, int backlog)
3922 {
3923         return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3924 }
3925
3926 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3927 {
3928         int err;
3929         struct inode_security_struct *isec;
3930         struct inode_security_struct *newisec;
3931
3932         err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
3933         if (err)
3934                 return err;
3935
3936         newisec = SOCK_INODE(newsock)->i_security;
3937
3938         isec = SOCK_INODE(sock)->i_security;
3939         newisec->sclass = isec->sclass;
3940         newisec->sid = isec->sid;
3941         newisec->initialized = 1;
3942
3943         return 0;
3944 }
3945
3946 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3947                                   int size)
3948 {
3949         return sock_has_perm(current, sock->sk, SOCKET__WRITE);
3950 }
3951
3952 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3953                                   int size, int flags)
3954 {
3955         return sock_has_perm(current, sock->sk, SOCKET__READ);
3956 }
3957
3958 static int selinux_socket_getsockname(struct socket *sock)
3959 {
3960         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3961 }
3962
3963 static int selinux_socket_getpeername(struct socket *sock)
3964 {
3965         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3966 }
3967
3968 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3969 {
3970         int err;
3971
3972         err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
3973         if (err)
3974                 return err;
3975
3976         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3977 }
3978
3979 static int selinux_socket_getsockopt(struct socket *sock, int level,
3980                                      int optname)
3981 {
3982         return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
3983 }
3984
3985 static int selinux_socket_shutdown(struct socket *sock, int how)
3986 {
3987         return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
3988 }
3989
3990 static int selinux_socket_unix_stream_connect(struct sock *sock,
3991                                               struct sock *other,
3992                                               struct sock *newsk)
3993 {
3994         struct sk_security_struct *sksec_sock = sock->sk_security;
3995         struct sk_security_struct *sksec_other = other->sk_security;
3996         struct sk_security_struct *sksec_new = newsk->sk_security;
3997         struct common_audit_data ad;
3998         int err;
3999
4000         COMMON_AUDIT_DATA_INIT(&ad, NET);
4001         ad.u.net.sk = other;
4002
4003         err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4004                            sksec_other->sclass,
4005                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4006         if (err)
4007                 return err;
4008
4009         /* server child socket */
4010         sksec_new->peer_sid = sksec_sock->sid;
4011         err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4012                                     &sksec_new->sid);
4013         if (err)
4014                 return err;
4015
4016         /* connecting socket */
4017         sksec_sock->peer_sid = sksec_new->sid;
4018
4019         return 0;
4020 }
4021
4022 static int selinux_socket_unix_may_send(struct socket *sock,
4023                                         struct socket *other)
4024 {
4025         struct sk_security_struct *ssec = sock->sk->sk_security;
4026         struct sk_security_struct *osec = other->sk->sk_security;
4027         struct common_audit_data ad;
4028
4029         COMMON_AUDIT_DATA_INIT(&ad, NET);
4030         ad.u.net.sk = other->sk;
4031
4032         return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4033                             &ad);
4034 }
4035
4036 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4037                                     u32 peer_sid,
4038                                     struct common_audit_data *ad)
4039 {
4040         int err;
4041         u32 if_sid;
4042         u32 node_sid;
4043
4044         err = sel_netif_sid(ifindex, &if_sid);
4045         if (err)
4046                 return err;
4047         err = avc_has_perm(peer_sid, if_sid,
4048                            SECCLASS_NETIF, NETIF__INGRESS, ad);
4049         if (err)
4050                 return err;
4051
4052         err = sel_netnode_sid(addrp, family, &node_sid);
4053         if (err)
4054                 return err;
4055         return avc_has_perm(peer_sid, node_sid,
4056                             SECCLASS_NODE, NODE__RECVFROM, ad);
4057 }
4058
4059 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4060                                        u16 family)
4061 {
4062         int err = 0;
4063         struct sk_security_struct *sksec = sk->sk_security;
4064         u32 sk_sid = sksec->sid;
4065         struct common_audit_data ad;
4066         char *addrp;
4067
4068         COMMON_AUDIT_DATA_INIT(&ad, NET);
4069         ad.u.net.netif = skb->skb_iif;
4070         ad.u.net.family = family;
4071         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4072         if (err)
4073                 return err;
4074
4075         if (selinux_secmark_enabled()) {
4076                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4077                                    PACKET__RECV, &ad);
4078                 if (err)
4079                         return err;
4080         }
4081
4082         err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4083         if (err)
4084                 return err;
4085         err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4086
4087         return err;
4088 }
4089
4090 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4091 {
4092         int err;
4093         struct sk_security_struct *sksec = sk->sk_security;
4094         u16 family = sk->sk_family;
4095         u32 sk_sid = sksec->sid;
4096         struct common_audit_data ad;
4097         char *addrp;
4098         u8 secmark_active;
4099         u8 peerlbl_active;
4100
4101         if (family != PF_INET && family != PF_INET6)
4102                 return 0;
4103
4104         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4105         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4106                 family = PF_INET;
4107
4108         /* If any sort of compatibility mode is enabled then handoff processing
4109          * to the selinux_sock_rcv_skb_compat() function to deal with the
4110          * special handling.  We do this in an attempt to keep this function
4111          * as fast and as clean as possible. */
4112         if (!selinux_policycap_netpeer)
4113                 return selinux_sock_rcv_skb_compat(sk, skb, family);
4114
4115         secmark_active = selinux_secmark_enabled();
4116         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4117         if (!secmark_active && !peerlbl_active)
4118                 return 0;
4119
4120         COMMON_AUDIT_DATA_INIT(&ad, NET);
4121         ad.u.net.netif = skb->skb_iif;
4122         ad.u.net.family = family;
4123         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4124         if (err)
4125                 return err;
4126
4127         if (peerlbl_active) {
4128                 u32 peer_sid;
4129
4130                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4131                 if (err)
4132                         return err;
4133                 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4134                                                peer_sid, &ad);
4135                 if (err) {
4136                         selinux_netlbl_err(skb, err, 0);
4137                         return err;
4138                 }
4139                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4140                                    PEER__RECV, &ad);
4141                 if (err)
4142                         selinux_netlbl_err(skb, err, 0);
4143         }
4144
4145         if (secmark_active) {
4146                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4147                                    PACKET__RECV, &ad);
4148                 if (err)
4149                         return err;
4150         }
4151
4152         return err;
4153 }
4154
4155 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4156                                             int __user *optlen, unsigned len)
4157 {
4158         int err = 0;
4159         char *scontext;
4160         u32 scontext_len;
4161         struct sk_security_struct *sksec = sock->sk->sk_security;
4162         u32 peer_sid = SECSID_NULL;
4163
4164         if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4165             sksec->sclass == SECCLASS_TCP_SOCKET)
4166                 peer_sid = sksec->peer_sid;
4167         if (peer_sid == SECSID_NULL)
4168                 return -ENOPROTOOPT;
4169
4170         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4171         if (err)
4172                 return err;
4173
4174         if (scontext_len > len) {
4175                 err = -ERANGE;
4176                 goto out_len;
4177         }
4178
4179         if (copy_to_user(optval, scontext, scontext_len))
4180                 err = -EFAULT;
4181
4182 out_len:
4183         if (put_user(scontext_len, optlen))
4184                 err = -EFAULT;
4185         kfree(scontext);
4186         return err;
4187 }
4188
4189 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4190 {
4191         u32 peer_secid = SECSID_NULL;
4192         u16 family;
4193
4194         if (skb && skb->protocol == htons(ETH_P_IP))
4195                 family = PF_INET;
4196         else if (skb && skb->protocol == htons(ETH_P_IPV6))
4197                 family = PF_INET6;
4198         else if (sock)
4199                 family = sock->sk->sk_family;
4200         else
4201                 goto out;
4202
4203         if (sock && family == PF_UNIX)
4204                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4205         else if (skb)
4206                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4207
4208 out:
4209         *secid = peer_secid;
4210         if (peer_secid == SECSID_NULL)
4211                 return -EINVAL;
4212         return 0;
4213 }
4214
4215 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4216 {
4217         struct sk_security_struct *sksec;
4218
4219         sksec = kzalloc(sizeof(*sksec), priority);
4220         if (!sksec)
4221                 return -ENOMEM;
4222
4223         sksec->peer_sid = SECINITSID_UNLABELED;
4224         sksec->sid = SECINITSID_UNLABELED;
4225         selinux_netlbl_sk_security_reset(sksec);
4226         sk->sk_security = sksec;
4227
4228         return 0;
4229 }
4230
4231 static void selinux_sk_free_security(struct sock *sk)
4232 {
4233         struct sk_security_struct *sksec = sk->sk_security;
4234
4235         sk->sk_security = NULL;
4236         selinux_netlbl_sk_security_free(sksec);
4237         kfree(sksec);
4238 }
4239
4240 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4241 {
4242         struct sk_security_struct *sksec = sk->sk_security;
4243         struct sk_security_struct *newsksec = newsk->sk_security;
4244
4245         newsksec->sid = sksec->sid;
4246         newsksec->peer_sid = sksec->peer_sid;
4247         newsksec->sclass = sksec->sclass;
4248
4249         selinux_netlbl_sk_security_reset(newsksec);
4250 }
4251
4252 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4253 {
4254         if (!sk)
4255                 *secid = SECINITSID_ANY_SOCKET;
4256         else {
4257                 struct sk_security_struct *sksec = sk->sk_security;
4258
4259                 *secid = sksec->sid;
4260         }
4261 }
4262
4263 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4264 {
4265         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4266         struct sk_security_struct *sksec = sk->sk_security;
4267
4268         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4269             sk->sk_family == PF_UNIX)
4270                 isec->sid = sksec->sid;
4271         sksec->sclass = isec->sclass;
4272 }
4273
4274 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4275                                      struct request_sock *req)
4276 {
4277         struct sk_security_struct *sksec = sk->sk_security;
4278         int err;
4279         u16 family = sk->sk_family;
4280         u32 newsid;
4281         u32 peersid;
4282
4283         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4284         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4285                 family = PF_INET;
4286
4287         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4288         if (err)
4289                 return err;
4290         if (peersid == SECSID_NULL) {
4291                 req->secid = sksec->sid;
4292                 req->peer_secid = SECSID_NULL;
4293         } else {
4294                 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4295                 if (err)
4296                         return err;
4297                 req->secid = newsid;
4298                 req->peer_secid = peersid;
4299         }
4300
4301         return selinux_netlbl_inet_conn_request(req, family);
4302 }
4303
4304 static void selinux_inet_csk_clone(struct sock *newsk,
4305                                    const struct request_sock *req)
4306 {
4307         struct sk_security_struct *newsksec = newsk->sk_security;
4308
4309         newsksec->sid = req->secid;
4310         newsksec->peer_sid = req->peer_secid;
4311         /* NOTE: Ideally, we should also get the isec->sid for the
4312            new socket in sync, but we don't have the isec available yet.
4313            So we will wait until sock_graft to do it, by which
4314            time it will have been created and available. */
4315
4316         /* We don't need to take any sort of lock here as we are the only
4317          * thread with access to newsksec */
4318         selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4319 }
4320
4321 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4322 {
4323         u16 family = sk->sk_family;
4324         struct sk_security_struct *sksec = sk->sk_security;
4325
4326         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4327         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4328                 family = PF_INET;
4329
4330         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4331 }
4332
4333 static int selinux_secmark_relabel_packet(u32 sid)
4334 {
4335         const struct task_security_struct *__tsec;
4336         u32 tsid;
4337
4338         __tsec = current_security();
4339         tsid = __tsec->sid;
4340
4341         return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4342 }
4343
4344 static void selinux_secmark_refcount_inc(void)
4345 {
4346         atomic_inc(&selinux_secmark_refcount);
4347 }
4348
4349 static void selinux_secmark_refcount_dec(void)
4350 {
4351         atomic_dec(&selinux_secmark_refcount);
4352 }
4353
4354 static void selinux_req_classify_flow(const struct request_sock *req,
4355                                       struct flowi *fl)
4356 {
4357         fl->flowi_secid = req->secid;
4358 }
4359
4360 static int selinux_tun_dev_create(void)
4361 {
4362         u32 sid = current_sid();
4363
4364         /* we aren't taking into account the "sockcreate" SID since the socket
4365          * that is being created here is not a socket in the traditional sense,
4366          * instead it is a private sock, accessible only to the kernel, and
4367          * representing a wide range of network traffic spanning multiple
4368          * connections unlike traditional sockets - check the TUN driver to
4369          * get a better understanding of why this socket is special */
4370
4371         return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4372                             NULL);
4373 }
4374
4375 static void selinux_tun_dev_post_create(struct sock *sk)
4376 {
4377         struct sk_security_struct *sksec = sk->sk_security;
4378
4379         /* we don't currently perform any NetLabel based labeling here and it
4380          * isn't clear that we would want to do so anyway; while we could apply
4381          * labeling without the support of the TUN user the resulting labeled
4382          * traffic from the other end of the connection would almost certainly
4383          * cause confusion to the TUN user that had no idea network labeling
4384          * protocols were being used */
4385
4386         /* see the comments in selinux_tun_dev_create() about why we don't use
4387          * the sockcreate SID here */
4388
4389         sksec->sid = current_sid();
4390         sksec->sclass = SECCLASS_TUN_SOCKET;
4391 }
4392
4393 static int selinux_tun_dev_attach(struct sock *sk)
4394 {
4395         struct sk_security_struct *sksec = sk->sk_security;
4396         u32 sid = current_sid();
4397         int err;
4398
4399         err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4400                            TUN_SOCKET__RELABELFROM, NULL);
4401         if (err)
4402                 return err;
4403         err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4404                            TUN_SOCKET__RELABELTO, NULL);
4405         if (err)
4406                 return err;
4407
4408         sksec->sid = sid;
4409
4410         return 0;
4411 }
4412
4413 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4414 {
4415         int err = 0;
4416         u32 perm;
4417         struct nlmsghdr *nlh;
4418         struct sk_security_struct *sksec = sk->sk_security;
4419
4420         if (skb->len < NLMSG_SPACE(0)) {
4421                 err = -EINVAL;
4422                 goto out;
4423         }
4424         nlh = nlmsg_hdr(skb);
4425
4426         err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4427         if (err) {
4428                 if (err == -EINVAL) {
4429                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4430                                   "SELinux:  unrecognized netlink message"
4431                                   " type=%hu for sclass=%hu\n",
4432                                   nlh->nlmsg_type, sksec->sclass);
4433                         if (!selinux_enforcing || security_get_allow_unknown())
4434                                 err = 0;
4435                 }
4436
4437                 /* Ignore */
4438                 if (err == -ENOENT)
4439                         err = 0;
4440                 goto out;
4441         }
4442
4443         err = sock_has_perm(current, sk, perm);
4444 out:
4445         return err;
4446 }
4447
4448 #ifdef CONFIG_NETFILTER
4449
4450 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4451                                        u16 family)
4452 {
4453         int err;
4454         char *addrp;
4455         u32 peer_sid;
4456         struct common_audit_data ad;
4457         u8 secmark_active;
4458         u8 netlbl_active;
4459         u8 peerlbl_active;
4460
4461         if (!selinux_policycap_netpeer)
4462                 return NF_ACCEPT;
4463
4464         secmark_active = selinux_secmark_enabled();
4465         netlbl_active = netlbl_enabled();
4466         peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4467         if (!secmark_active && !peerlbl_active)
4468                 return NF_ACCEPT;
4469
4470         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4471                 return NF_DROP;
4472
4473         COMMON_AUDIT_DATA_INIT(&ad, NET);
4474         ad.u.net.netif = ifindex;
4475         ad.u.net.family = family;
4476         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4477                 return NF_DROP;
4478
4479         if (peerlbl_active) {
4480                 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4481                                                peer_sid, &ad);
4482                 if (err) {
4483                         selinux_netlbl_err(skb, err, 1);
4484                         return NF_DROP;
4485                 }
4486         }
4487
4488         if (secmark_active)
4489                 if (avc_has_perm(peer_sid, skb->secmark,
4490                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4491                         return NF_DROP;
4492
4493         if (netlbl_active)
4494                 /* we do this in the FORWARD path and not the POST_ROUTING
4495                  * path because we want to make sure we apply the necessary
4496                  * labeling before IPsec is applied so we can leverage AH
4497                  * protection */
4498                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4499                         return NF_DROP;
4500
4501         return NF_ACCEPT;
4502 }
4503
4504 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4505                                          struct sk_buff *skb,
4506                                          const struct net_device *in,
4507                                          const struct net_device *out,
4508                                          int (*okfn)(struct sk_buff *))
4509 {
4510         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4511 }
4512
4513 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4514 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4515                                          struct sk_buff *skb,
4516                                          const struct net_device *in,
4517                                          const struct net_device *out,
4518                                          int (*okfn)(struct sk_buff *))
4519 {
4520         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4521 }
4522 #endif  /* IPV6 */
4523
4524 static unsigned int selinux_ip_output(struct sk_buff *skb,
4525                                       u16 family)
4526 {
4527         u32 sid;
4528
4529         if (!netlbl_enabled())
4530                 return NF_ACCEPT;
4531
4532         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4533          * because we want to make sure we apply the necessary labeling
4534          * before IPsec is applied so we can leverage AH protection */
4535         if (skb->sk) {
4536                 struct sk_security_struct *sksec = skb->sk->sk_security;
4537                 sid = sksec->sid;
4538         } else
4539                 sid = SECINITSID_KERNEL;
4540         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4541                 return NF_DROP;
4542
4543         return NF_ACCEPT;
4544 }
4545
4546 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4547                                         struct sk_buff *skb,
4548                                         const struct net_device *in,
4549                                         const struct net_device *out,
4550                                         int (*okfn)(struct sk_buff *))
4551 {
4552         return selinux_ip_output(skb, PF_INET);
4553 }
4554
4555 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4556                                                 int ifindex,
4557                                                 u16 family)
4558 {
4559         struct sock *sk = skb->sk;
4560         struct sk_security_struct *sksec;
4561         struct common_audit_data ad;
4562         char *addrp;
4563         u8 proto;
4564
4565         if (sk == NULL)
4566                 return NF_ACCEPT;
4567         sksec = sk->sk_security;
4568
4569         COMMON_AUDIT_DATA_INIT(&ad, NET);
4570         ad.u.net.netif = ifindex;
4571         ad.u.net.family = family;
4572         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4573                 return NF_DROP;
4574
4575         if (selinux_secmark_enabled())
4576                 if (avc_has_perm(sksec->sid, skb->secmark,
4577                                  SECCLASS_PACKET, PACKET__SEND, &ad))
4578                         return NF_DROP_ERR(-ECONNREFUSED);
4579
4580         if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4581                 return NF_DROP_ERR(-ECONNREFUSED);
4582
4583         return NF_ACCEPT;
4584 }
4585
4586 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4587                                          u16 family)
4588 {
4589         u32 secmark_perm;
4590         u32 peer_sid;
4591         struct sock *sk;
4592         struct common_audit_data ad;
4593         char *addrp;
4594         u8 secmark_active;
4595         u8 peerlbl_active;
4596
4597         /* If any sort of compatibility mode is enabled then handoff processing
4598          * to the selinux_ip_postroute_compat() function to deal with the
4599          * special handling.  We do this in an attempt to keep this function
4600          * as fast and as clean as possible. */
4601         if (!selinux_policycap_netpeer)
4602                 return selinux_ip_postroute_compat(skb, ifindex, family);
4603 #ifdef CONFIG_XFRM
4604         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4605          * packet transformation so allow the packet to pass without any checks
4606          * since we'll have another chance to perform access control checks
4607          * when the packet is on it's final way out.
4608          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4609          *       is NULL, in this case go ahead and apply access control. */
4610         if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4611                 return NF_ACCEPT;
4612 #endif
4613         secmark_active = selinux_secmark_enabled();
4614         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4615         if (!secmark_active && !peerlbl_active)
4616                 return NF_ACCEPT;
4617
4618         /* if the packet is being forwarded then get the peer label from the
4619          * packet itself; otherwise check to see if it is from a local
4620          * application or the kernel, if from an application get the peer label
4621          * from the sending socket, otherwise use the kernel's sid */
4622         sk = skb->sk;
4623         if (sk == NULL) {
4624                 if (skb->skb_iif) {
4625                         secmark_perm = PACKET__FORWARD_OUT;
4626                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4627                                 return NF_DROP;
4628                 } else {
4629                         secmark_perm = PACKET__SEND;
4630                         peer_sid = SECINITSID_KERNEL;
4631                 }
4632         } else {
4633                 struct sk_security_struct *sksec = sk->sk_security;
4634                 peer_sid = sksec->sid;
4635                 secmark_perm = PACKET__SEND;
4636         }
4637
4638         COMMON_AUDIT_DATA_INIT(&ad, NET);
4639         ad.u.net.netif = ifindex;
4640         ad.u.net.family = family;
4641         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4642                 return NF_DROP;
4643
4644         if (secmark_active)
4645                 if (avc_has_perm(peer_sid, skb->secmark,
4646                                  SECCLASS_PACKET, secmark_perm, &ad))
4647                         return NF_DROP_ERR(-ECONNREFUSED);
4648
4649         if (peerlbl_active) {
4650                 u32 if_sid;
4651                 u32 node_sid;
4652
4653                 if (sel_netif_sid(ifindex, &if_sid))
4654                         return NF_DROP;
4655                 if (avc_has_perm(peer_sid, if_sid,
4656                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4657                         return NF_DROP_ERR(-ECONNREFUSED);
4658
4659                 if (sel_netnode_sid(addrp, family, &node_sid))
4660                         return NF_DROP;
4661                 if (avc_has_perm(peer_sid, node_sid,
4662                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4663                         return NF_DROP_ERR(-ECONNREFUSED);
4664         }
4665
4666         return NF_ACCEPT;
4667 }
4668
4669 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4670                                            struct sk_buff *skb,
4671                                            const struct net_device *in,
4672                                            const struct net_device *out,
4673                                            int (*okfn)(struct sk_buff *))
4674 {
4675         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4676 }
4677
4678 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4679 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4680                                            struct sk_buff *skb,
4681                                            const struct net_device *in,
4682                                            const struct net_device *out,
4683                                            int (*okfn)(struct sk_buff *))
4684 {
4685         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4686 }
4687 #endif  /* IPV6 */
4688
4689 #endif  /* CONFIG_NETFILTER */
4690
4691 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4692 {
4693         int err;
4694
4695         err = cap_netlink_send(sk, skb);
4696         if (err)
4697                 return err;
4698
4699         return selinux_nlmsg_perm(sk, skb);
4700 }
4701
4702 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4703 {
4704         int err;
4705         struct common_audit_data ad;
4706         u32 sid;
4707
4708         err = cap_netlink_recv(skb, capability);
4709         if (err)
4710                 return err;
4711
4712         COMMON_AUDIT_DATA_INIT(&ad, CAP);
4713         ad.u.cap = capability;
4714
4715         security_task_getsecid(current, &sid);
4716         return avc_has_perm(sid, sid, SECCLASS_CAPABILITY,
4717                             CAP_TO_MASK(capability), &ad);
4718 }
4719
4720 static int ipc_alloc_security(struct task_struct *task,
4721                               struct kern_ipc_perm *perm,
4722                               u16 sclass)
4723 {
4724         struct ipc_security_struct *isec;
4725         u32 sid;
4726
4727         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4728         if (!isec)
4729                 return -ENOMEM;
4730
4731         sid = task_sid(task);
4732         isec->sclass = sclass;
4733         isec->sid = sid;
4734         perm->security = isec;
4735
4736         return 0;
4737 }
4738
4739 static void ipc_free_security(struct kern_ipc_perm *perm)
4740 {
4741         struct ipc_security_struct *isec = perm->security;
4742         perm->security = NULL;
4743         kfree(isec);
4744 }
4745
4746 static int msg_msg_alloc_security(struct msg_msg *msg)
4747 {
4748         struct msg_security_struct *msec;
4749
4750         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4751         if (!msec)
4752                 return -ENOMEM;
4753
4754         msec->sid = SECINITSID_UNLABELED;
4755         msg->security = msec;
4756
4757         return 0;
4758 }
4759
4760 static void msg_msg_free_security(struct msg_msg *msg)
4761 {
4762         struct msg_security_struct *msec = msg->security;
4763
4764         msg->security = NULL;
4765         kfree(msec);
4766 }
4767
4768 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4769                         u32 perms)
4770 {
4771         struct ipc_security_struct *isec;
4772         struct common_audit_data ad;
4773         u32 sid = current_sid();
4774
4775         isec = ipc_perms->security;
4776
4777         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4778         ad.u.ipc_id = ipc_perms->key;
4779
4780         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4781 }
4782
4783 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4784 {
4785         return msg_msg_alloc_security(msg);
4786 }
4787
4788 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4789 {
4790         msg_msg_free_security(msg);
4791 }
4792
4793 /* message queue security operations */
4794 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4795 {
4796         struct ipc_security_struct *isec;
4797         struct common_audit_data ad;
4798         u32 sid = current_sid();
4799         int rc;
4800
4801         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4802         if (rc)
4803                 return rc;
4804
4805         isec = msq->q_perm.security;
4806
4807         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4808         ad.u.ipc_id = msq->q_perm.key;
4809
4810         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4811                           MSGQ__CREATE, &ad);
4812         if (rc) {
4813                 ipc_free_security(&msq->q_perm);
4814                 return rc;
4815         }
4816         return 0;
4817 }
4818
4819 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4820 {
4821         ipc_free_security(&msq->q_perm);
4822 }
4823
4824 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4825 {
4826         struct ipc_security_struct *isec;
4827         struct common_audit_data ad;
4828         u32 sid = current_sid();
4829
4830         isec = msq->q_perm.security;
4831
4832         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4833         ad.u.ipc_id = msq->q_perm.key;
4834
4835         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4836                             MSGQ__ASSOCIATE, &ad);
4837 }
4838
4839 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4840 {
4841         int err;
4842         int perms;
4843
4844         switch (cmd) {
4845         case IPC_INFO:
4846         case MSG_INFO:
4847                 /* No specific object, just general system-wide information. */
4848                 return task_has_system(current, SYSTEM__IPC_INFO);
4849         case IPC_STAT:
4850         case MSG_STAT:
4851                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4852                 break;
4853         case IPC_SET:
4854                 perms = MSGQ__SETATTR;
4855                 break;
4856         case IPC_RMID:
4857                 perms = MSGQ__DESTROY;
4858                 break;
4859         default:
4860                 return 0;
4861         }
4862
4863         err = ipc_has_perm(&msq->q_perm, perms);
4864         return err;
4865 }
4866
4867 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4868 {
4869         struct ipc_security_struct *isec;
4870         struct msg_security_struct *msec;
4871         struct common_audit_data ad;
4872         u32 sid = current_sid();
4873         int rc;
4874
4875         isec = msq->q_perm.security;
4876         msec = msg->security;
4877
4878         /*
4879          * First time through, need to assign label to the message
4880          */
4881         if (msec->sid == SECINITSID_UNLABELED) {
4882                 /*
4883                  * Compute new sid based on current process and
4884                  * message queue this message will be stored in
4885                  */
4886                 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4887                                              NULL, &msec->sid);
4888                 if (rc)
4889                         return rc;
4890         }
4891
4892         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4893         ad.u.ipc_id = msq->q_perm.key;
4894
4895         /* Can this process write to the queue? */
4896         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4897                           MSGQ__WRITE, &ad);
4898         if (!rc)
4899                 /* Can this process send the message */
4900                 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4901                                   MSG__SEND, &ad);
4902         if (!rc)
4903                 /* Can the message be put in the queue? */
4904                 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4905                                   MSGQ__ENQUEUE, &ad);
4906
4907         return rc;
4908 }
4909
4910 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4911                                     struct task_struct *target,
4912                                     long type, int mode)
4913 {
4914         struct ipc_security_struct *isec;
4915         struct msg_security_struct *msec;
4916         struct common_audit_data ad;
4917         u32 sid = task_sid(target);
4918         int rc;
4919
4920         isec = msq->q_perm.security;
4921         msec = msg->security;
4922
4923         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4924         ad.u.ipc_id = msq->q_perm.key;
4925
4926         rc = avc_has_perm(sid, isec->sid,
4927                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4928         if (!rc)
4929                 rc = avc_has_perm(sid, msec->sid,
4930                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4931         return rc;
4932 }
4933
4934 /* Shared Memory security operations */
4935 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4936 {
4937         struct ipc_security_struct *isec;
4938         struct common_audit_data ad;
4939         u32 sid = current_sid();
4940         int rc;
4941
4942         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4943         if (rc)
4944                 return rc;
4945
4946         isec = shp->shm_perm.security;
4947
4948         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4949         ad.u.ipc_id = shp->shm_perm.key;
4950
4951         rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4952                           SHM__CREATE, &ad);
4953         if (rc) {
4954                 ipc_free_security(&shp->shm_perm);
4955                 return rc;
4956         }
4957         return 0;
4958 }
4959
4960 static void selinux_shm_free_security(struct shmid_kernel *shp)
4961 {
4962         ipc_free_security(&shp->shm_perm);
4963 }
4964
4965 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4966 {
4967         struct ipc_security_struct *isec;
4968         struct common_audit_data ad;
4969         u32 sid = current_sid();
4970
4971         isec = shp->shm_perm.security;
4972
4973         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4974         ad.u.ipc_id = shp->shm_perm.key;
4975
4976         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4977                             SHM__ASSOCIATE, &ad);
4978 }
4979
4980 /* Note, at this point, shp is locked down */
4981 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4982 {
4983         int perms;
4984         int err;
4985
4986         switch (cmd) {
4987         case IPC_INFO:
4988         case SHM_INFO:
4989                 /* No specific object, just general system-wide information. */
4990                 return task_has_system(current, SYSTEM__IPC_INFO);
4991         case IPC_STAT:
4992         case SHM_STAT:
4993                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4994                 break;
4995         case IPC_SET:
4996                 perms = SHM__SETATTR;
4997                 break;
4998         case SHM_LOCK:
4999         case SHM_UNLOCK:
5000                 perms = SHM__LOCK;
5001                 break;
5002         case IPC_RMID:
5003                 perms = SHM__DESTROY;
5004                 break;
5005         default:
5006                 return 0;
5007         }
5008
5009         err = ipc_has_perm(&shp->shm_perm, perms);
5010         return err;
5011 }
5012
5013 static int selinux_shm_shmat(struct shmid_kernel *shp,
5014                              char __user *shmaddr, int shmflg)
5015 {
5016         u32 perms;
5017
5018         if (shmflg & SHM_RDONLY)
5019                 perms = SHM__READ;
5020         else
5021                 perms = SHM__READ | SHM__WRITE;
5022
5023         return ipc_has_perm(&shp->shm_perm, perms);
5024 }
5025
5026 /* Semaphore security operations */
5027 static int selinux_sem_alloc_security(struct sem_array *sma)
5028 {
5029         struct ipc_security_struct *isec;
5030         struct common_audit_data ad;
5031         u32 sid = current_sid();
5032         int rc;
5033
5034         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5035         if (rc)
5036                 return rc;
5037
5038         isec = sma->sem_perm.security;
5039
5040         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5041         ad.u.ipc_id = sma->sem_perm.key;
5042
5043         rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5044                           SEM__CREATE, &ad);
5045         if (rc) {
5046                 ipc_free_security(&sma->sem_perm);
5047                 return rc;
5048         }
5049         return 0;
5050 }
5051
5052 static void selinux_sem_free_security(struct sem_array *sma)
5053 {
5054         ipc_free_security(&sma->sem_perm);
5055 }
5056
5057 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5058 {
5059         struct ipc_security_struct *isec;
5060         struct common_audit_data ad;
5061         u32 sid = current_sid();
5062
5063         isec = sma->sem_perm.security;
5064
5065         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5066         ad.u.ipc_id = sma->sem_perm.key;
5067
5068         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5069                             SEM__ASSOCIATE, &ad);
5070 }
5071
5072 /* Note, at this point, sma is locked down */
5073 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5074 {
5075         int err;
5076         u32 perms;
5077
5078         switch (cmd) {
5079         case IPC_INFO:
5080         case SEM_INFO:
5081                 /* No specific object, just general system-wide information. */
5082                 return task_has_system(current, SYSTEM__IPC_INFO);
5083         case GETPID:
5084         case GETNCNT:
5085         case GETZCNT:
5086                 perms = SEM__GETATTR;
5087                 break;
5088         case GETVAL:
5089         case GETALL:
5090                 perms = SEM__READ;
5091                 break;
5092         case SETVAL:
5093         case SETALL:
5094                 perms = SEM__WRITE;
5095                 break;
5096         case IPC_RMID:
5097                 perms = SEM__DESTROY;
5098                 break;
5099         case IPC_SET:
5100                 perms = SEM__SETATTR;
5101                 break;
5102         case IPC_STAT:
5103         case SEM_STAT:
5104                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5105                 break;
5106         default:
5107                 return 0;
5108         }
5109
5110         err = ipc_has_perm(&sma->sem_perm, perms);
5111         return err;
5112 }
5113
5114 static int selinux_sem_semop(struct sem_array *sma,
5115                              struct sembuf *sops, unsigned nsops, int alter)
5116 {
5117         u32 perms;
5118
5119         if (alter)
5120                 perms = SEM__READ | SEM__WRITE;
5121         else
5122                 perms = SEM__READ;
5123
5124         return ipc_has_perm(&sma->sem_perm, perms);
5125 }
5126
5127 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5128 {
5129         u32 av = 0;
5130
5131         av = 0;
5132         if (flag & S_IRUGO)
5133                 av |= IPC__UNIX_READ;
5134         if (flag & S_IWUGO)
5135                 av |= IPC__UNIX_WRITE;
5136
5137         if (av == 0)
5138                 return 0;
5139
5140         return ipc_has_perm(ipcp, av);
5141 }
5142
5143 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5144 {
5145         struct ipc_security_struct *isec = ipcp->security;
5146         *secid = isec->sid;
5147 }
5148
5149 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5150 {
5151         if (inode)
5152                 inode_doinit_with_dentry(inode, dentry);
5153 }
5154
5155 static int selinux_getprocattr(struct task_struct *p,
5156                                char *name, char **value)
5157 {
5158         const struct task_security_struct *__tsec;
5159         u32 sid;
5160         int error;
5161         unsigned len;
5162
5163         if (current != p) {
5164                 error = current_has_perm(p, PROCESS__GETATTR);
5165                 if (error)
5166                         return error;
5167         }
5168
5169         rcu_read_lock();
5170         __tsec = __task_cred(p)->security;
5171
5172         if (!strcmp(name, "current"))
5173                 sid = __tsec->sid;
5174         else if (!strcmp(name, "prev"))
5175                 sid = __tsec->osid;
5176         else if (!strcmp(name, "exec"))
5177                 sid = __tsec->exec_sid;
5178         else if (!strcmp(name, "fscreate"))
5179                 sid = __tsec->create_sid;
5180         else if (!strcmp(name, "keycreate"))
5181                 sid = __tsec->keycreate_sid;
5182         else if (!strcmp(name, "sockcreate"))
5183                 sid = __tsec->sockcreate_sid;
5184         else
5185                 goto invalid;
5186         rcu_read_unlock();
5187
5188         if (!sid)
5189                 return 0;
5190
5191         error = security_sid_to_context(sid, value, &len);
5192         if (error)
5193                 return error;
5194         return len;
5195
5196 invalid:
5197         rcu_read_unlock();
5198         return -EINVAL;
5199 }
5200
5201 static int selinux_setprocattr(struct task_struct *p,
5202                                char *name, void *value, size_t size)
5203 {
5204         struct task_security_struct *tsec;
5205         struct task_struct *tracer;
5206         struct cred *new;
5207         u32 sid = 0, ptsid;
5208         int error;
5209         char *str = value;
5210
5211         if (current != p) {
5212                 /* SELinux only allows a process to change its own
5213                    security attributes. */
5214                 return -EACCES;
5215         }
5216
5217         /*
5218          * Basic control over ability to set these attributes at all.
5219          * current == p, but we'll pass them separately in case the
5220          * above restriction is ever removed.
5221          */
5222         if (!strcmp(name, "exec"))
5223                 error = current_has_perm(p, PROCESS__SETEXEC);
5224         else if (!strcmp(name, "fscreate"))
5225                 error = current_has_perm(p, PROCESS__SETFSCREATE);
5226         else if (!strcmp(name, "keycreate"))
5227                 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5228         else if (!strcmp(name, "sockcreate"))
5229                 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5230         else if (!strcmp(name, "current"))
5231                 error = current_has_perm(p, PROCESS__SETCURRENT);
5232         else
5233                 error = -EINVAL;
5234         if (error)
5235                 return error;
5236
5237         /* Obtain a SID for the context, if one was specified. */
5238         if (size && str[1] && str[1] != '\n') {
5239                 if (str[size-1] == '\n') {
5240                         str[size-1] = 0;
5241                         size--;
5242                 }
5243                 error = security_context_to_sid(value, size, &sid);
5244                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5245                         if (!capable(CAP_MAC_ADMIN))
5246                                 return error;
5247                         error = security_context_to_sid_force(value, size,
5248                                                               &sid);
5249                 }
5250                 if (error)
5251                         return error;
5252         }
5253
5254         new = prepare_creds();
5255         if (!new)
5256                 return -ENOMEM;
5257
5258         /* Permission checking based on the specified context is
5259            performed during the actual operation (execve,
5260            open/mkdir/...), when we know the full context of the
5261            operation.  See selinux_bprm_set_creds for the execve
5262            checks and may_create for the file creation checks. The
5263            operation will then fail if the context is not permitted. */
5264         tsec = new->security;
5265         if (!strcmp(name, "exec")) {
5266                 tsec->exec_sid = sid;
5267         } else if (!strcmp(name, "fscreate")) {
5268                 tsec->create_sid = sid;
5269         } else if (!strcmp(name, "keycreate")) {
5270                 error = may_create_key(sid, p);
5271                 if (error)
5272                         goto abort_change;
5273                 tsec->keycreate_sid = sid;
5274         } else if (!strcmp(name, "sockcreate")) {
5275                 tsec->sockcreate_sid = sid;
5276         } else if (!strcmp(name, "current")) {
5277                 error = -EINVAL;
5278                 if (sid == 0)
5279                         goto abort_change;
5280
5281                 /* Only allow single threaded processes to change context */
5282                 error = -EPERM;
5283                 if (!current_is_single_threaded()) {
5284                         error = security_bounded_transition(tsec->sid, sid);
5285                         if (error)
5286                                 goto abort_change;
5287                 }
5288
5289                 /* Check permissions for the transition. */
5290                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5291                                      PROCESS__DYNTRANSITION, NULL);
5292                 if (error)
5293                         goto abort_change;
5294
5295                 /* Check for ptracing, and update the task SID if ok.
5296                    Otherwise, leave SID unchanged and fail. */
5297                 ptsid = 0;
5298                 task_lock(p);
5299                 tracer = tracehook_tracer_task(p);
5300                 if (tracer)
5301                         ptsid = task_sid(tracer);
5302                 task_unlock(p);
5303
5304                 if (tracer) {
5305                         error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5306                                              PROCESS__PTRACE, NULL);
5307                         if (error)
5308                                 goto abort_change;
5309                 }
5310
5311                 tsec->sid = sid;
5312         } else {
5313                 error = -EINVAL;
5314                 goto abort_change;
5315         }
5316
5317         commit_creds(new);
5318         return size;
5319
5320 abort_change:
5321         abort_creds(new);
5322         return error;
5323 }
5324
5325 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5326 {
5327         return security_sid_to_context(secid, secdata, seclen);
5328 }
5329
5330 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5331 {
5332         return security_context_to_sid(secdata, seclen, secid);
5333 }
5334
5335 static void selinux_release_secctx(char *secdata, u32 seclen)
5336 {
5337         kfree(secdata);
5338 }
5339
5340 /*
5341  *      called with inode->i_mutex locked
5342  */
5343 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5344 {
5345         return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5346 }
5347
5348 /*
5349  *      called with inode->i_mutex locked
5350  */
5351 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5352 {
5353         return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5354 }
5355
5356 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5357 {
5358         int len = 0;
5359         len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5360                                                 ctx, true);
5361         if (len < 0)
5362                 return len;
5363         *ctxlen = len;
5364         return 0;
5365 }
5366 #ifdef CONFIG_KEYS
5367
5368 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5369                              unsigned long flags)
5370 {
5371         const struct task_security_struct *tsec;
5372         struct key_security_struct *ksec;
5373
5374         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5375         if (!ksec)
5376                 return -ENOMEM;
5377
5378         tsec = cred->security;
5379         if (tsec->keycreate_sid)
5380                 ksec->sid = tsec->keycreate_sid;
5381         else
5382                 ksec->sid = tsec->sid;
5383
5384         k->security = ksec;
5385         return 0;
5386 }
5387
5388 static void selinux_key_free(struct key *k)
5389 {
5390         struct key_security_struct *ksec = k->security;
5391
5392         k->security = NULL;
5393         kfree(ksec);
5394 }
5395
5396 static int selinux_key_permission(key_ref_t key_ref,
5397                                   const struct cred *cred,
5398                                   key_perm_t perm)
5399 {
5400         struct key *key;
5401         struct key_security_struct *ksec;
5402         u32 sid;
5403
5404         /* if no specific permissions are requested, we skip the
5405            permission check. No serious, additional covert channels
5406            appear to be created. */
5407         if (perm == 0)
5408                 return 0;
5409
5410         sid = cred_sid(cred);
5411
5412         key = key_ref_to_ptr(key_ref);
5413         ksec = key->security;
5414
5415         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5416 }
5417
5418 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5419 {
5420         struct key_security_struct *ksec = key->security;
5421         char *context = NULL;
5422         unsigned len;
5423         int rc;
5424
5425         rc = security_sid_to_context(ksec->sid, &context, &len);
5426         if (!rc)
5427                 rc = len;
5428         *_buffer = context;
5429         return rc;
5430 }
5431
5432 #endif
5433
5434 static struct security_operations selinux_ops = {
5435         .name =                         "selinux",
5436
5437         .ptrace_access_check =          selinux_ptrace_access_check,
5438         .ptrace_traceme =               selinux_ptrace_traceme,
5439         .capget =                       selinux_capget,
5440         .capset =                       selinux_capset,
5441         .capable =                      selinux_capable,
5442         .quotactl =                     selinux_quotactl,
5443         .quota_on =                     selinux_quota_on,
5444         .syslog =                       selinux_syslog,
5445         .vm_enough_memory =             selinux_vm_enough_memory,
5446
5447         .netlink_send =                 selinux_netlink_send,
5448         .netlink_recv =                 selinux_netlink_recv,
5449
5450         .bprm_set_creds =               selinux_bprm_set_creds,
5451         .bprm_committing_creds =        selinux_bprm_committing_creds,
5452         .bprm_committed_creds =         selinux_bprm_committed_creds,
5453         .bprm_secureexec =              selinux_bprm_secureexec,
5454
5455         .sb_alloc_security =            selinux_sb_alloc_security,
5456         .sb_free_security =             selinux_sb_free_security,
5457         .sb_copy_data =                 selinux_sb_copy_data,
5458         .sb_remount =                   selinux_sb_remount,
5459         .sb_kern_mount =                selinux_sb_kern_mount,
5460         .sb_show_options =              selinux_sb_show_options,
5461         .sb_statfs =                    selinux_sb_statfs,
5462         .sb_mount =                     selinux_mount,
5463         .sb_umount =                    selinux_umount,
5464         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5465         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5466         .sb_parse_opts_str =            selinux_parse_opts_str,
5467
5468
5469         .inode_alloc_security =         selinux_inode_alloc_security,
5470         .inode_free_security =          selinux_inode_free_security,
5471         .inode_init_security =          selinux_inode_init_security,
5472         .inode_create =                 selinux_inode_create,
5473         .inode_link =                   selinux_inode_link,
5474         .inode_unlink =                 selinux_inode_unlink,
5475         .inode_symlink =                selinux_inode_symlink,
5476         .inode_mkdir =                  selinux_inode_mkdir,
5477         .inode_rmdir =                  selinux_inode_rmdir,
5478         .inode_mknod =                  selinux_inode_mknod,
5479         .inode_rename =                 selinux_inode_rename,
5480         .inode_readlink =               selinux_inode_readlink,
5481         .inode_follow_link =            selinux_inode_follow_link,
5482         .inode_permission =             selinux_inode_permission,
5483         .inode_setattr =                selinux_inode_setattr,
5484         .inode_getattr =                selinux_inode_getattr,
5485         .inode_setxattr =               selinux_inode_setxattr,
5486         .inode_post_setxattr =          selinux_inode_post_setxattr,
5487         .inode_getxattr =               selinux_inode_getxattr,
5488         .inode_listxattr =              selinux_inode_listxattr,
5489         .inode_removexattr =            selinux_inode_removexattr,
5490         .inode_getsecurity =            selinux_inode_getsecurity,
5491         .inode_setsecurity =            selinux_inode_setsecurity,
5492         .inode_listsecurity =           selinux_inode_listsecurity,
5493         .inode_getsecid =               selinux_inode_getsecid,
5494
5495         .file_permission =              selinux_file_permission,
5496         .file_alloc_security =          selinux_file_alloc_security,
5497         .file_free_security =           selinux_file_free_security,
5498         .file_ioctl =                   selinux_file_ioctl,
5499         .file_mmap =                    selinux_file_mmap,
5500         .file_mprotect =                selinux_file_mprotect,
5501         .file_lock =                    selinux_file_lock,
5502         .file_fcntl =                   selinux_file_fcntl,
5503         .file_set_fowner =              selinux_file_set_fowner,
5504         .file_send_sigiotask =          selinux_file_send_sigiotask,
5505         .file_receive =                 selinux_file_receive,
5506
5507         .dentry_open =                  selinux_dentry_open,
5508
5509         .task_create =                  selinux_task_create,
5510         .cred_alloc_blank =             selinux_cred_alloc_blank,
5511         .cred_free =                    selinux_cred_free,
5512         .cred_prepare =                 selinux_cred_prepare,
5513         .cred_transfer =                selinux_cred_transfer,
5514         .kernel_act_as =                selinux_kernel_act_as,
5515         .kernel_create_files_as =       selinux_kernel_create_files_as,
5516         .kernel_module_request =        selinux_kernel_module_request,
5517         .task_setpgid =                 selinux_task_setpgid,
5518         .task_getpgid =                 selinux_task_getpgid,
5519         .task_getsid =                  selinux_task_getsid,
5520         .task_getsecid =                selinux_task_getsecid,
5521         .task_setnice =                 selinux_task_setnice,
5522         .task_setioprio =               selinux_task_setioprio,
5523         .task_getioprio =               selinux_task_getioprio,
5524         .task_setrlimit =               selinux_task_setrlimit,
5525         .task_setscheduler =            selinux_task_setscheduler,
5526         .task_getscheduler =            selinux_task_getscheduler,
5527         .task_movememory =              selinux_task_movememory,
5528         .task_kill =                    selinux_task_kill,
5529         .task_wait =                    selinux_task_wait,
5530         .task_to_inode =                selinux_task_to_inode,
5531
5532         .ipc_permission =               selinux_ipc_permission,
5533         .ipc_getsecid =                 selinux_ipc_getsecid,
5534
5535         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5536         .msg_msg_free_security =        selinux_msg_msg_free_security,
5537
5538         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5539         .msg_queue_free_security =      selinux_msg_queue_free_security,
5540         .msg_queue_associate =          selinux_msg_queue_associate,
5541         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5542         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5543         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5544
5545         .shm_alloc_security =           selinux_shm_alloc_security,
5546         .shm_free_security =            selinux_shm_free_security,
5547         .shm_associate =                selinux_shm_associate,
5548         .shm_shmctl =                   selinux_shm_shmctl,
5549         .shm_shmat =                    selinux_shm_shmat,
5550
5551         .sem_alloc_security =           selinux_sem_alloc_security,
5552         .sem_free_security =            selinux_sem_free_security,
5553         .sem_associate =                selinux_sem_associate,
5554         .sem_semctl =                   selinux_sem_semctl,
5555         .sem_semop =                    selinux_sem_semop,
5556
5557         .d_instantiate =                selinux_d_instantiate,
5558
5559         .getprocattr =                  selinux_getprocattr,
5560         .setprocattr =                  selinux_setprocattr,
5561
5562         .secid_to_secctx =              selinux_secid_to_secctx,
5563         .secctx_to_secid =              selinux_secctx_to_secid,
5564         .release_secctx =               selinux_release_secctx,
5565         .inode_notifysecctx =           selinux_inode_notifysecctx,
5566         .inode_setsecctx =              selinux_inode_setsecctx,
5567         .inode_getsecctx =              selinux_inode_getsecctx,
5568
5569         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5570         .unix_may_send =                selinux_socket_unix_may_send,
5571
5572         .socket_create =                selinux_socket_create,
5573         .socket_post_create =           selinux_socket_post_create,
5574         .socket_bind =                  selinux_socket_bind,
5575         .socket_connect =               selinux_socket_connect,
5576         .socket_listen =                selinux_socket_listen,
5577         .socket_accept =                selinux_socket_accept,
5578         .socket_sendmsg =               selinux_socket_sendmsg,
5579         .socket_recvmsg =               selinux_socket_recvmsg,
5580         .socket_getsockname =           selinux_socket_getsockname,
5581         .socket_getpeername =           selinux_socket_getpeername,
5582         .socket_getsockopt =            selinux_socket_getsockopt,
5583         .socket_setsockopt =            selinux_socket_setsockopt,
5584         .socket_shutdown =              selinux_socket_shutdown,
5585         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5586         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5587         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5588         .sk_alloc_security =            selinux_sk_alloc_security,
5589         .sk_free_security =             selinux_sk_free_security,
5590         .sk_clone_security =            selinux_sk_clone_security,
5591         .sk_getsecid =                  selinux_sk_getsecid,
5592         .sock_graft =                   selinux_sock_graft,
5593         .inet_conn_request =            selinux_inet_conn_request,
5594         .inet_csk_clone =               selinux_inet_csk_clone,
5595         .inet_conn_established =        selinux_inet_conn_established,
5596         .secmark_relabel_packet =       selinux_secmark_relabel_packet,
5597         .secmark_refcount_inc =         selinux_secmark_refcount_inc,
5598         .secmark_refcount_dec =         selinux_secmark_refcount_dec,
5599         .req_classify_flow =            selinux_req_classify_flow,
5600         .tun_dev_create =               selinux_tun_dev_create,
5601         .tun_dev_post_create =          selinux_tun_dev_post_create,
5602         .tun_dev_attach =               selinux_tun_dev_attach,
5603
5604 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5605         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5606         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5607         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5608         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5609         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5610         .xfrm_state_free_security =     selinux_xfrm_state_free,
5611         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5612         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5613         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5614         .xfrm_decode_session =          selinux_xfrm_decode_session,
5615 #endif
5616
5617 #ifdef CONFIG_KEYS
5618         .key_alloc =                    selinux_key_alloc,
5619         .key_free =                     selinux_key_free,
5620         .key_permission =               selinux_key_permission,
5621         .key_getsecurity =              selinux_key_getsecurity,
5622 #endif
5623
5624 #ifdef CONFIG_AUDIT
5625         .audit_rule_init =              selinux_audit_rule_init,
5626         .audit_rule_known =             selinux_audit_rule_known,
5627         .audit_rule_match =             selinux_audit_rule_match,
5628         .audit_rule_free =              selinux_audit_rule_free,
5629 #endif
5630 };
5631
5632 static __init int selinux_init(void)
5633 {
5634         if (!security_module_enable(&selinux_ops)) {
5635                 selinux_enabled = 0;
5636                 return 0;
5637         }
5638
5639         if (!selinux_enabled) {
5640                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5641                 return 0;
5642         }
5643
5644         printk(KERN_INFO "SELinux:  Initializing.\n");
5645
5646         /* Set the security state for the initial task. */
5647         cred_init_security();
5648
5649         default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5650
5651         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5652                                             sizeof(struct inode_security_struct),
5653                                             0, SLAB_PANIC, NULL);
5654         avc_init();
5655
5656         if (register_security(&selinux_ops))
5657                 panic("SELinux: Unable to register with kernel.\n");
5658
5659         if (selinux_enforcing)
5660                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5661         else
5662                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5663
5664         return 0;
5665 }
5666
5667 static void delayed_superblock_init(struct super_block *sb, void *unused)
5668 {
5669         superblock_doinit(sb, NULL);
5670 }
5671
5672 void selinux_complete_init(void)
5673 {
5674         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5675
5676         /* Set up any superblocks initialized prior to the policy load. */
5677         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5678         iterate_supers(delayed_superblock_init, NULL);
5679 }
5680
5681 /* SELinux requires early initialization in order to label
5682    all processes and objects when they are created. */
5683 security_initcall(selinux_init);
5684
5685 #if defined(CONFIG_NETFILTER)
5686
5687 static struct nf_hook_ops selinux_ipv4_ops[] = {
5688         {
5689                 .hook =         selinux_ipv4_postroute,
5690                 .owner =        THIS_MODULE,
5691                 .pf =           PF_INET,
5692                 .hooknum =      NF_INET_POST_ROUTING,
5693                 .priority =     NF_IP_PRI_SELINUX_LAST,
5694         },
5695         {
5696                 .hook =         selinux_ipv4_forward,
5697                 .owner =        THIS_MODULE,
5698                 .pf =           PF_INET,
5699                 .hooknum =      NF_INET_FORWARD,
5700                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5701         },
5702         {
5703                 .hook =         selinux_ipv4_output,
5704                 .owner =        THIS_MODULE,
5705                 .pf =           PF_INET,
5706                 .hooknum =      NF_INET_LOCAL_OUT,
5707                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5708         }
5709 };
5710
5711 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5712
5713 static struct nf_hook_ops selinux_ipv6_ops[] = {
5714         {
5715                 .hook =         selinux_ipv6_postroute,
5716                 .owner =        THIS_MODULE,
5717                 .pf =           PF_INET6,
5718                 .hooknum =      NF_INET_POST_ROUTING,
5719                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5720         },
5721         {
5722                 .hook =         selinux_ipv6_forward,
5723                 .owner =        THIS_MODULE,
5724                 .pf =           PF_INET6,
5725                 .hooknum =      NF_INET_FORWARD,
5726                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5727         }
5728 };
5729
5730 #endif  /* IPV6 */
5731
5732 static int __init selinux_nf_ip_init(void)
5733 {
5734         int err = 0;
5735
5736         if (!selinux_enabled)
5737                 goto out;
5738
5739         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5740
5741         err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5742         if (err)
5743                 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5744
5745 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5746         err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5747         if (err)
5748                 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5749 #endif  /* IPV6 */
5750
5751 out:
5752         return err;
5753 }
5754
5755 __initcall(selinux_nf_ip_init);
5756
5757 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5758 static void selinux_nf_ip_exit(void)
5759 {
5760         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5761
5762         nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5763 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5764         nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5765 #endif  /* IPV6 */
5766 }
5767 #endif
5768
5769 #else /* CONFIG_NETFILTER */
5770
5771 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5772 #define selinux_nf_ip_exit()
5773 #endif
5774
5775 #endif /* CONFIG_NETFILTER */
5776
5777 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5778 static int selinux_disabled;
5779
5780 int selinux_disable(void)
5781 {
5782         extern void exit_sel_fs(void);
5783
5784         if (ss_initialized) {
5785                 /* Not permitted after initial policy load. */
5786                 return -EINVAL;
5787         }
5788
5789         if (selinux_disabled) {
5790                 /* Only do this once. */
5791                 return -EINVAL;
5792         }
5793
5794         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5795
5796         selinux_disabled = 1;
5797         selinux_enabled = 0;
5798
5799         reset_security_ops();
5800
5801         /* Try to destroy the avc node cache */
5802         avc_disable();
5803
5804         /* Unregister netfilter hooks. */
5805         selinux_nf_ip_exit();
5806
5807         /* Unregister selinuxfs. */
5808         exit_sel_fs();
5809
5810         return 0;
5811 }
5812 #endif