8ffed9f2004e297f6c518d01ee8bc8de0d70c829
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul.moore@hp.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kernel.h>
28 #include <linux/tracehook.h>
29 #include <linux/errno.h>
30 #include <linux/sched.h>
31 #include <linux/security.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/swap.h>
40 #include <linux/spinlock.h>
41 #include <linux/syscalls.h>
42 #include <linux/dcache.h>
43 #include <linux/file.h>
44 #include <linux/fdtable.h>
45 #include <linux/namei.h>
46 #include <linux/mount.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <linux/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h>    /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h>           /* for Unix socket types */
67 #include <net/af_unix.h>        /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/audit.h>
74 #include <linux/string.h>
75 #include <linux/selinux.h>
76 #include <linux/mutex.h>
77 #include <linux/posix-timers.h>
78 #include <linux/syslog.h>
79
80 #include "avc.h"
81 #include "objsec.h"
82 #include "netif.h"
83 #include "netnode.h"
84 #include "netport.h"
85 #include "xfrm.h"
86 #include "netlabel.h"
87 #include "audit.h"
88
89 #define NUM_SEL_MNT_OPTS 5
90
91 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
92 extern struct security_operations *security_ops;
93
94 /* SECMARK reference count */
95 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
96
97 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
98 int selinux_enforcing;
99
100 static int __init enforcing_setup(char *str)
101 {
102         unsigned long enforcing;
103         if (!strict_strtoul(str, 0, &enforcing))
104                 selinux_enforcing = enforcing ? 1 : 0;
105         return 1;
106 }
107 __setup("enforcing=", enforcing_setup);
108 #endif
109
110 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
112
113 static int __init selinux_enabled_setup(char *str)
114 {
115         unsigned long enabled;
116         if (!strict_strtoul(str, 0, &enabled))
117                 selinux_enabled = enabled ? 1 : 0;
118         return 1;
119 }
120 __setup("selinux=", selinux_enabled_setup);
121 #else
122 int selinux_enabled = 1;
123 #endif
124
125 static struct kmem_cache *sel_inode_cache;
126
127 /**
128  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
129  *
130  * Description:
131  * This function checks the SECMARK reference counter to see if any SECMARK
132  * targets are currently configured, if the reference counter is greater than
133  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
134  * enabled, false (0) if SECMARK is disabled.
135  *
136  */
137 static int selinux_secmark_enabled(void)
138 {
139         return (atomic_read(&selinux_secmark_refcount) > 0);
140 }
141
142 /*
143  * initialise the security for the init task
144  */
145 static void cred_init_security(void)
146 {
147         struct cred *cred = (struct cred *) current->real_cred;
148         struct task_security_struct *tsec;
149
150         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
151         if (!tsec)
152                 panic("SELinux:  Failed to initialize initial task.\n");
153
154         tsec->osid = tsec->sid = SECINITSID_KERNEL;
155         cred->security = tsec;
156 }
157
158 /*
159  * get the security ID of a set of credentials
160  */
161 static inline u32 cred_sid(const struct cred *cred)
162 {
163         const struct task_security_struct *tsec;
164
165         tsec = cred->security;
166         return tsec->sid;
167 }
168
169 /*
170  * get the objective security ID of a task
171  */
172 static inline u32 task_sid(const struct task_struct *task)
173 {
174         u32 sid;
175
176         rcu_read_lock();
177         sid = cred_sid(__task_cred(task));
178         rcu_read_unlock();
179         return sid;
180 }
181
182 /*
183  * get the subjective security ID of the current task
184  */
185 static inline u32 current_sid(void)
186 {
187         const struct task_security_struct *tsec = current_security();
188
189         return tsec->sid;
190 }
191
192 /* Allocate and free functions for each kind of security blob. */
193
194 static int inode_alloc_security(struct inode *inode)
195 {
196         struct inode_security_struct *isec;
197         u32 sid = current_sid();
198
199         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
200         if (!isec)
201                 return -ENOMEM;
202
203         mutex_init(&isec->lock);
204         INIT_LIST_HEAD(&isec->list);
205         isec->inode = inode;
206         isec->sid = SECINITSID_UNLABELED;
207         isec->sclass = SECCLASS_FILE;
208         isec->task_sid = sid;
209         inode->i_security = isec;
210
211         return 0;
212 }
213
214 static void inode_free_security(struct inode *inode)
215 {
216         struct inode_security_struct *isec = inode->i_security;
217         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
218
219         spin_lock(&sbsec->isec_lock);
220         if (!list_empty(&isec->list))
221                 list_del_init(&isec->list);
222         spin_unlock(&sbsec->isec_lock);
223
224         inode->i_security = NULL;
225         kmem_cache_free(sel_inode_cache, isec);
226 }
227
228 static int file_alloc_security(struct file *file)
229 {
230         struct file_security_struct *fsec;
231         u32 sid = current_sid();
232
233         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
234         if (!fsec)
235                 return -ENOMEM;
236
237         fsec->sid = sid;
238         fsec->fown_sid = sid;
239         file->f_security = fsec;
240
241         return 0;
242 }
243
244 static void file_free_security(struct file *file)
245 {
246         struct file_security_struct *fsec = file->f_security;
247         file->f_security = NULL;
248         kfree(fsec);
249 }
250
251 static int superblock_alloc_security(struct super_block *sb)
252 {
253         struct superblock_security_struct *sbsec;
254
255         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
256         if (!sbsec)
257                 return -ENOMEM;
258
259         mutex_init(&sbsec->lock);
260         INIT_LIST_HEAD(&sbsec->isec_head);
261         spin_lock_init(&sbsec->isec_lock);
262         sbsec->sb = sb;
263         sbsec->sid = SECINITSID_UNLABELED;
264         sbsec->def_sid = SECINITSID_FILE;
265         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
266         sb->s_security = sbsec;
267
268         return 0;
269 }
270
271 static void superblock_free_security(struct super_block *sb)
272 {
273         struct superblock_security_struct *sbsec = sb->s_security;
274         sb->s_security = NULL;
275         kfree(sbsec);
276 }
277
278 /* The security server must be initialized before
279    any labeling or access decisions can be provided. */
280 extern int ss_initialized;
281
282 /* The file system's label must be initialized prior to use. */
283
284 static const char *labeling_behaviors[6] = {
285         "uses xattr",
286         "uses transition SIDs",
287         "uses task SIDs",
288         "uses genfs_contexts",
289         "not configured for labeling",
290         "uses mountpoint labeling",
291 };
292
293 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
294
295 static inline int inode_doinit(struct inode *inode)
296 {
297         return inode_doinit_with_dentry(inode, NULL);
298 }
299
300 enum {
301         Opt_error = -1,
302         Opt_context = 1,
303         Opt_fscontext = 2,
304         Opt_defcontext = 3,
305         Opt_rootcontext = 4,
306         Opt_labelsupport = 5,
307 };
308
309 static const match_table_t tokens = {
310         {Opt_context, CONTEXT_STR "%s"},
311         {Opt_fscontext, FSCONTEXT_STR "%s"},
312         {Opt_defcontext, DEFCONTEXT_STR "%s"},
313         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
314         {Opt_labelsupport, LABELSUPP_STR},
315         {Opt_error, NULL},
316 };
317
318 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
319
320 static int may_context_mount_sb_relabel(u32 sid,
321                         struct superblock_security_struct *sbsec,
322                         const struct cred *cred)
323 {
324         const struct task_security_struct *tsec = cred->security;
325         int rc;
326
327         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
328                           FILESYSTEM__RELABELFROM, NULL);
329         if (rc)
330                 return rc;
331
332         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
333                           FILESYSTEM__RELABELTO, NULL);
334         return rc;
335 }
336
337 static int may_context_mount_inode_relabel(u32 sid,
338                         struct superblock_security_struct *sbsec,
339                         const struct cred *cred)
340 {
341         const struct task_security_struct *tsec = cred->security;
342         int rc;
343         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
344                           FILESYSTEM__RELABELFROM, NULL);
345         if (rc)
346                 return rc;
347
348         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
349                           FILESYSTEM__ASSOCIATE, NULL);
350         return rc;
351 }
352
353 static int sb_finish_set_opts(struct super_block *sb)
354 {
355         struct superblock_security_struct *sbsec = sb->s_security;
356         struct dentry *root = sb->s_root;
357         struct inode *root_inode = root->d_inode;
358         int rc = 0;
359
360         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
361                 /* Make sure that the xattr handler exists and that no
362                    error other than -ENODATA is returned by getxattr on
363                    the root directory.  -ENODATA is ok, as this may be
364                    the first boot of the SELinux kernel before we have
365                    assigned xattr values to the filesystem. */
366                 if (!root_inode->i_op->getxattr) {
367                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
368                                "xattr support\n", sb->s_id, sb->s_type->name);
369                         rc = -EOPNOTSUPP;
370                         goto out;
371                 }
372                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
373                 if (rc < 0 && rc != -ENODATA) {
374                         if (rc == -EOPNOTSUPP)
375                                 printk(KERN_WARNING "SELinux: (dev %s, type "
376                                        "%s) has no security xattr handler\n",
377                                        sb->s_id, sb->s_type->name);
378                         else
379                                 printk(KERN_WARNING "SELinux: (dev %s, type "
380                                        "%s) getxattr errno %d\n", sb->s_id,
381                                        sb->s_type->name, -rc);
382                         goto out;
383                 }
384         }
385
386         sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
387
388         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
389                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
390                        sb->s_id, sb->s_type->name);
391         else
392                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
393                        sb->s_id, sb->s_type->name,
394                        labeling_behaviors[sbsec->behavior-1]);
395
396         if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
397             sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
398             sbsec->behavior == SECURITY_FS_USE_NONE ||
399             sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
400                 sbsec->flags &= ~SE_SBLABELSUPP;
401
402         /* Special handling for sysfs. Is genfs but also has setxattr handler*/
403         if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
404                 sbsec->flags |= SE_SBLABELSUPP;
405
406         /* Initialize the root inode. */
407         rc = inode_doinit_with_dentry(root_inode, root);
408
409         /* Initialize any other inodes associated with the superblock, e.g.
410            inodes created prior to initial policy load or inodes created
411            during get_sb by a pseudo filesystem that directly
412            populates itself. */
413         spin_lock(&sbsec->isec_lock);
414 next_inode:
415         if (!list_empty(&sbsec->isec_head)) {
416                 struct inode_security_struct *isec =
417                                 list_entry(sbsec->isec_head.next,
418                                            struct inode_security_struct, list);
419                 struct inode *inode = isec->inode;
420                 spin_unlock(&sbsec->isec_lock);
421                 inode = igrab(inode);
422                 if (inode) {
423                         if (!IS_PRIVATE(inode))
424                                 inode_doinit(inode);
425                         iput(inode);
426                 }
427                 spin_lock(&sbsec->isec_lock);
428                 list_del_init(&isec->list);
429                 goto next_inode;
430         }
431         spin_unlock(&sbsec->isec_lock);
432 out:
433         return rc;
434 }
435
436 /*
437  * This function should allow an FS to ask what it's mount security
438  * options were so it can use those later for submounts, displaying
439  * mount options, or whatever.
440  */
441 static int selinux_get_mnt_opts(const struct super_block *sb,
442                                 struct security_mnt_opts *opts)
443 {
444         int rc = 0, i;
445         struct superblock_security_struct *sbsec = sb->s_security;
446         char *context = NULL;
447         u32 len;
448         char tmp;
449
450         security_init_mnt_opts(opts);
451
452         if (!(sbsec->flags & SE_SBINITIALIZED))
453                 return -EINVAL;
454
455         if (!ss_initialized)
456                 return -EINVAL;
457
458         tmp = sbsec->flags & SE_MNTMASK;
459         /* count the number of mount options for this sb */
460         for (i = 0; i < 8; i++) {
461                 if (tmp & 0x01)
462                         opts->num_mnt_opts++;
463                 tmp >>= 1;
464         }
465         /* Check if the Label support flag is set */
466         if (sbsec->flags & SE_SBLABELSUPP)
467                 opts->num_mnt_opts++;
468
469         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
470         if (!opts->mnt_opts) {
471                 rc = -ENOMEM;
472                 goto out_free;
473         }
474
475         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
476         if (!opts->mnt_opts_flags) {
477                 rc = -ENOMEM;
478                 goto out_free;
479         }
480
481         i = 0;
482         if (sbsec->flags & FSCONTEXT_MNT) {
483                 rc = security_sid_to_context(sbsec->sid, &context, &len);
484                 if (rc)
485                         goto out_free;
486                 opts->mnt_opts[i] = context;
487                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
488         }
489         if (sbsec->flags & CONTEXT_MNT) {
490                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
491                 if (rc)
492                         goto out_free;
493                 opts->mnt_opts[i] = context;
494                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
495         }
496         if (sbsec->flags & DEFCONTEXT_MNT) {
497                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
498                 if (rc)
499                         goto out_free;
500                 opts->mnt_opts[i] = context;
501                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
502         }
503         if (sbsec->flags & ROOTCONTEXT_MNT) {
504                 struct inode *root = sbsec->sb->s_root->d_inode;
505                 struct inode_security_struct *isec = root->i_security;
506
507                 rc = security_sid_to_context(isec->sid, &context, &len);
508                 if (rc)
509                         goto out_free;
510                 opts->mnt_opts[i] = context;
511                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
512         }
513         if (sbsec->flags & SE_SBLABELSUPP) {
514                 opts->mnt_opts[i] = NULL;
515                 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
516         }
517
518         BUG_ON(i != opts->num_mnt_opts);
519
520         return 0;
521
522 out_free:
523         security_free_mnt_opts(opts);
524         return rc;
525 }
526
527 static int bad_option(struct superblock_security_struct *sbsec, char flag,
528                       u32 old_sid, u32 new_sid)
529 {
530         char mnt_flags = sbsec->flags & SE_MNTMASK;
531
532         /* check if the old mount command had the same options */
533         if (sbsec->flags & SE_SBINITIALIZED)
534                 if (!(sbsec->flags & flag) ||
535                     (old_sid != new_sid))
536                         return 1;
537
538         /* check if we were passed the same options twice,
539          * aka someone passed context=a,context=b
540          */
541         if (!(sbsec->flags & SE_SBINITIALIZED))
542                 if (mnt_flags & flag)
543                         return 1;
544         return 0;
545 }
546
547 /*
548  * Allow filesystems with binary mount data to explicitly set mount point
549  * labeling information.
550  */
551 static int selinux_set_mnt_opts(struct super_block *sb,
552                                 struct security_mnt_opts *opts)
553 {
554         const struct cred *cred = current_cred();
555         int rc = 0, i;
556         struct superblock_security_struct *sbsec = sb->s_security;
557         const char *name = sb->s_type->name;
558         struct inode *inode = sbsec->sb->s_root->d_inode;
559         struct inode_security_struct *root_isec = inode->i_security;
560         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
561         u32 defcontext_sid = 0;
562         char **mount_options = opts->mnt_opts;
563         int *flags = opts->mnt_opts_flags;
564         int num_opts = opts->num_mnt_opts;
565
566         mutex_lock(&sbsec->lock);
567
568         if (!ss_initialized) {
569                 if (!num_opts) {
570                         /* Defer initialization until selinux_complete_init,
571                            after the initial policy is loaded and the security
572                            server is ready to handle calls. */
573                         goto out;
574                 }
575                 rc = -EINVAL;
576                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
577                         "before the security server is initialized\n");
578                 goto out;
579         }
580
581         /*
582          * Binary mount data FS will come through this function twice.  Once
583          * from an explicit call and once from the generic calls from the vfs.
584          * Since the generic VFS calls will not contain any security mount data
585          * we need to skip the double mount verification.
586          *
587          * This does open a hole in which we will not notice if the first
588          * mount using this sb set explict options and a second mount using
589          * this sb does not set any security options.  (The first options
590          * will be used for both mounts)
591          */
592         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
593             && (num_opts == 0))
594                 goto out;
595
596         /*
597          * parse the mount options, check if they are valid sids.
598          * also check if someone is trying to mount the same sb more
599          * than once with different security options.
600          */
601         for (i = 0; i < num_opts; i++) {
602                 u32 sid;
603
604                 if (flags[i] == SE_SBLABELSUPP)
605                         continue;
606                 rc = security_context_to_sid(mount_options[i],
607                                              strlen(mount_options[i]), &sid);
608                 if (rc) {
609                         printk(KERN_WARNING "SELinux: security_context_to_sid"
610                                "(%s) failed for (dev %s, type %s) errno=%d\n",
611                                mount_options[i], sb->s_id, name, rc);
612                         goto out;
613                 }
614                 switch (flags[i]) {
615                 case FSCONTEXT_MNT:
616                         fscontext_sid = sid;
617
618                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
619                                         fscontext_sid))
620                                 goto out_double_mount;
621
622                         sbsec->flags |= FSCONTEXT_MNT;
623                         break;
624                 case CONTEXT_MNT:
625                         context_sid = sid;
626
627                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
628                                         context_sid))
629                                 goto out_double_mount;
630
631                         sbsec->flags |= CONTEXT_MNT;
632                         break;
633                 case ROOTCONTEXT_MNT:
634                         rootcontext_sid = sid;
635
636                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
637                                         rootcontext_sid))
638                                 goto out_double_mount;
639
640                         sbsec->flags |= ROOTCONTEXT_MNT;
641
642                         break;
643                 case DEFCONTEXT_MNT:
644                         defcontext_sid = sid;
645
646                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
647                                         defcontext_sid))
648                                 goto out_double_mount;
649
650                         sbsec->flags |= DEFCONTEXT_MNT;
651
652                         break;
653                 default:
654                         rc = -EINVAL;
655                         goto out;
656                 }
657         }
658
659         if (sbsec->flags & SE_SBINITIALIZED) {
660                 /* previously mounted with options, but not on this attempt? */
661                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
662                         goto out_double_mount;
663                 rc = 0;
664                 goto out;
665         }
666
667         if (strcmp(sb->s_type->name, "proc") == 0)
668                 sbsec->flags |= SE_SBPROC;
669
670         /* Determine the labeling behavior to use for this filesystem type. */
671         rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
672         if (rc) {
673                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
674                        __func__, sb->s_type->name, rc);
675                 goto out;
676         }
677
678         /* sets the context of the superblock for the fs being mounted. */
679         if (fscontext_sid) {
680                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
681                 if (rc)
682                         goto out;
683
684                 sbsec->sid = fscontext_sid;
685         }
686
687         /*
688          * Switch to using mount point labeling behavior.
689          * sets the label used on all file below the mountpoint, and will set
690          * the superblock context if not already set.
691          */
692         if (context_sid) {
693                 if (!fscontext_sid) {
694                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
695                                                           cred);
696                         if (rc)
697                                 goto out;
698                         sbsec->sid = context_sid;
699                 } else {
700                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
701                                                              cred);
702                         if (rc)
703                                 goto out;
704                 }
705                 if (!rootcontext_sid)
706                         rootcontext_sid = context_sid;
707
708                 sbsec->mntpoint_sid = context_sid;
709                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
710         }
711
712         if (rootcontext_sid) {
713                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
714                                                      cred);
715                 if (rc)
716                         goto out;
717
718                 root_isec->sid = rootcontext_sid;
719                 root_isec->initialized = 1;
720         }
721
722         if (defcontext_sid) {
723                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
724                         rc = -EINVAL;
725                         printk(KERN_WARNING "SELinux: defcontext option is "
726                                "invalid for this filesystem type\n");
727                         goto out;
728                 }
729
730                 if (defcontext_sid != sbsec->def_sid) {
731                         rc = may_context_mount_inode_relabel(defcontext_sid,
732                                                              sbsec, cred);
733                         if (rc)
734                                 goto out;
735                 }
736
737                 sbsec->def_sid = defcontext_sid;
738         }
739
740         rc = sb_finish_set_opts(sb);
741 out:
742         mutex_unlock(&sbsec->lock);
743         return rc;
744 out_double_mount:
745         rc = -EINVAL;
746         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
747                "security settings for (dev %s, type %s)\n", sb->s_id, name);
748         goto out;
749 }
750
751 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
752                                         struct super_block *newsb)
753 {
754         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
755         struct superblock_security_struct *newsbsec = newsb->s_security;
756
757         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
758         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
759         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
760
761         /*
762          * if the parent was able to be mounted it clearly had no special lsm
763          * mount options.  thus we can safely deal with this superblock later
764          */
765         if (!ss_initialized)
766                 return;
767
768         /* how can we clone if the old one wasn't set up?? */
769         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
770
771         /* if fs is reusing a sb, just let its options stand... */
772         if (newsbsec->flags & SE_SBINITIALIZED)
773                 return;
774
775         mutex_lock(&newsbsec->lock);
776
777         newsbsec->flags = oldsbsec->flags;
778
779         newsbsec->sid = oldsbsec->sid;
780         newsbsec->def_sid = oldsbsec->def_sid;
781         newsbsec->behavior = oldsbsec->behavior;
782
783         if (set_context) {
784                 u32 sid = oldsbsec->mntpoint_sid;
785
786                 if (!set_fscontext)
787                         newsbsec->sid = sid;
788                 if (!set_rootcontext) {
789                         struct inode *newinode = newsb->s_root->d_inode;
790                         struct inode_security_struct *newisec = newinode->i_security;
791                         newisec->sid = sid;
792                 }
793                 newsbsec->mntpoint_sid = sid;
794         }
795         if (set_rootcontext) {
796                 const struct inode *oldinode = oldsb->s_root->d_inode;
797                 const struct inode_security_struct *oldisec = oldinode->i_security;
798                 struct inode *newinode = newsb->s_root->d_inode;
799                 struct inode_security_struct *newisec = newinode->i_security;
800
801                 newisec->sid = oldisec->sid;
802         }
803
804         sb_finish_set_opts(newsb);
805         mutex_unlock(&newsbsec->lock);
806 }
807
808 static int selinux_parse_opts_str(char *options,
809                                   struct security_mnt_opts *opts)
810 {
811         char *p;
812         char *context = NULL, *defcontext = NULL;
813         char *fscontext = NULL, *rootcontext = NULL;
814         int rc, num_mnt_opts = 0;
815
816         opts->num_mnt_opts = 0;
817
818         /* Standard string-based options. */
819         while ((p = strsep(&options, "|")) != NULL) {
820                 int token;
821                 substring_t args[MAX_OPT_ARGS];
822
823                 if (!*p)
824                         continue;
825
826                 token = match_token(p, tokens, args);
827
828                 switch (token) {
829                 case Opt_context:
830                         if (context || defcontext) {
831                                 rc = -EINVAL;
832                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
833                                 goto out_err;
834                         }
835                         context = match_strdup(&args[0]);
836                         if (!context) {
837                                 rc = -ENOMEM;
838                                 goto out_err;
839                         }
840                         break;
841
842                 case Opt_fscontext:
843                         if (fscontext) {
844                                 rc = -EINVAL;
845                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
846                                 goto out_err;
847                         }
848                         fscontext = match_strdup(&args[0]);
849                         if (!fscontext) {
850                                 rc = -ENOMEM;
851                                 goto out_err;
852                         }
853                         break;
854
855                 case Opt_rootcontext:
856                         if (rootcontext) {
857                                 rc = -EINVAL;
858                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
859                                 goto out_err;
860                         }
861                         rootcontext = match_strdup(&args[0]);
862                         if (!rootcontext) {
863                                 rc = -ENOMEM;
864                                 goto out_err;
865                         }
866                         break;
867
868                 case Opt_defcontext:
869                         if (context || defcontext) {
870                                 rc = -EINVAL;
871                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
872                                 goto out_err;
873                         }
874                         defcontext = match_strdup(&args[0]);
875                         if (!defcontext) {
876                                 rc = -ENOMEM;
877                                 goto out_err;
878                         }
879                         break;
880                 case Opt_labelsupport:
881                         break;
882                 default:
883                         rc = -EINVAL;
884                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
885                         goto out_err;
886
887                 }
888         }
889
890         rc = -ENOMEM;
891         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
892         if (!opts->mnt_opts)
893                 goto out_err;
894
895         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
896         if (!opts->mnt_opts_flags) {
897                 kfree(opts->mnt_opts);
898                 goto out_err;
899         }
900
901         if (fscontext) {
902                 opts->mnt_opts[num_mnt_opts] = fscontext;
903                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
904         }
905         if (context) {
906                 opts->mnt_opts[num_mnt_opts] = context;
907                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
908         }
909         if (rootcontext) {
910                 opts->mnt_opts[num_mnt_opts] = rootcontext;
911                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
912         }
913         if (defcontext) {
914                 opts->mnt_opts[num_mnt_opts] = defcontext;
915                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
916         }
917
918         opts->num_mnt_opts = num_mnt_opts;
919         return 0;
920
921 out_err:
922         kfree(context);
923         kfree(defcontext);
924         kfree(fscontext);
925         kfree(rootcontext);
926         return rc;
927 }
928 /*
929  * string mount options parsing and call set the sbsec
930  */
931 static int superblock_doinit(struct super_block *sb, void *data)
932 {
933         int rc = 0;
934         char *options = data;
935         struct security_mnt_opts opts;
936
937         security_init_mnt_opts(&opts);
938
939         if (!data)
940                 goto out;
941
942         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
943
944         rc = selinux_parse_opts_str(options, &opts);
945         if (rc)
946                 goto out_err;
947
948 out:
949         rc = selinux_set_mnt_opts(sb, &opts);
950
951 out_err:
952         security_free_mnt_opts(&opts);
953         return rc;
954 }
955
956 static void selinux_write_opts(struct seq_file *m,
957                                struct security_mnt_opts *opts)
958 {
959         int i;
960         char *prefix;
961
962         for (i = 0; i < opts->num_mnt_opts; i++) {
963                 char *has_comma;
964
965                 if (opts->mnt_opts[i])
966                         has_comma = strchr(opts->mnt_opts[i], ',');
967                 else
968                         has_comma = NULL;
969
970                 switch (opts->mnt_opts_flags[i]) {
971                 case CONTEXT_MNT:
972                         prefix = CONTEXT_STR;
973                         break;
974                 case FSCONTEXT_MNT:
975                         prefix = FSCONTEXT_STR;
976                         break;
977                 case ROOTCONTEXT_MNT:
978                         prefix = ROOTCONTEXT_STR;
979                         break;
980                 case DEFCONTEXT_MNT:
981                         prefix = DEFCONTEXT_STR;
982                         break;
983                 case SE_SBLABELSUPP:
984                         seq_putc(m, ',');
985                         seq_puts(m, LABELSUPP_STR);
986                         continue;
987                 default:
988                         BUG();
989                 };
990                 /* we need a comma before each option */
991                 seq_putc(m, ',');
992                 seq_puts(m, prefix);
993                 if (has_comma)
994                         seq_putc(m, '\"');
995                 seq_puts(m, opts->mnt_opts[i]);
996                 if (has_comma)
997                         seq_putc(m, '\"');
998         }
999 }
1000
1001 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1002 {
1003         struct security_mnt_opts opts;
1004         int rc;
1005
1006         rc = selinux_get_mnt_opts(sb, &opts);
1007         if (rc) {
1008                 /* before policy load we may get EINVAL, don't show anything */
1009                 if (rc == -EINVAL)
1010                         rc = 0;
1011                 return rc;
1012         }
1013
1014         selinux_write_opts(m, &opts);
1015
1016         security_free_mnt_opts(&opts);
1017
1018         return rc;
1019 }
1020
1021 static inline u16 inode_mode_to_security_class(umode_t mode)
1022 {
1023         switch (mode & S_IFMT) {
1024         case S_IFSOCK:
1025                 return SECCLASS_SOCK_FILE;
1026         case S_IFLNK:
1027                 return SECCLASS_LNK_FILE;
1028         case S_IFREG:
1029                 return SECCLASS_FILE;
1030         case S_IFBLK:
1031                 return SECCLASS_BLK_FILE;
1032         case S_IFDIR:
1033                 return SECCLASS_DIR;
1034         case S_IFCHR:
1035                 return SECCLASS_CHR_FILE;
1036         case S_IFIFO:
1037                 return SECCLASS_FIFO_FILE;
1038
1039         }
1040
1041         return SECCLASS_FILE;
1042 }
1043
1044 static inline int default_protocol_stream(int protocol)
1045 {
1046         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1047 }
1048
1049 static inline int default_protocol_dgram(int protocol)
1050 {
1051         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1052 }
1053
1054 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1055 {
1056         switch (family) {
1057         case PF_UNIX:
1058                 switch (type) {
1059                 case SOCK_STREAM:
1060                 case SOCK_SEQPACKET:
1061                         return SECCLASS_UNIX_STREAM_SOCKET;
1062                 case SOCK_DGRAM:
1063                         return SECCLASS_UNIX_DGRAM_SOCKET;
1064                 }
1065                 break;
1066         case PF_INET:
1067         case PF_INET6:
1068                 switch (type) {
1069                 case SOCK_STREAM:
1070                         if (default_protocol_stream(protocol))
1071                                 return SECCLASS_TCP_SOCKET;
1072                         else
1073                                 return SECCLASS_RAWIP_SOCKET;
1074                 case SOCK_DGRAM:
1075                         if (default_protocol_dgram(protocol))
1076                                 return SECCLASS_UDP_SOCKET;
1077                         else
1078                                 return SECCLASS_RAWIP_SOCKET;
1079                 case SOCK_DCCP:
1080                         return SECCLASS_DCCP_SOCKET;
1081                 default:
1082                         return SECCLASS_RAWIP_SOCKET;
1083                 }
1084                 break;
1085         case PF_NETLINK:
1086                 switch (protocol) {
1087                 case NETLINK_ROUTE:
1088                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1089                 case NETLINK_FIREWALL:
1090                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1091                 case NETLINK_INET_DIAG:
1092                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1093                 case NETLINK_NFLOG:
1094                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1095                 case NETLINK_XFRM:
1096                         return SECCLASS_NETLINK_XFRM_SOCKET;
1097                 case NETLINK_SELINUX:
1098                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1099                 case NETLINK_AUDIT:
1100                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1101                 case NETLINK_IP6_FW:
1102                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1103                 case NETLINK_DNRTMSG:
1104                         return SECCLASS_NETLINK_DNRT_SOCKET;
1105                 case NETLINK_KOBJECT_UEVENT:
1106                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1107                 default:
1108                         return SECCLASS_NETLINK_SOCKET;
1109                 }
1110         case PF_PACKET:
1111                 return SECCLASS_PACKET_SOCKET;
1112         case PF_KEY:
1113                 return SECCLASS_KEY_SOCKET;
1114         case PF_APPLETALK:
1115                 return SECCLASS_APPLETALK_SOCKET;
1116         }
1117
1118         return SECCLASS_SOCKET;
1119 }
1120
1121 #ifdef CONFIG_PROC_FS
1122 static int selinux_proc_get_sid(struct dentry *dentry,
1123                                 u16 tclass,
1124                                 u32 *sid)
1125 {
1126         int rc;
1127         char *buffer, *path;
1128
1129         buffer = (char *)__get_free_page(GFP_KERNEL);
1130         if (!buffer)
1131                 return -ENOMEM;
1132
1133         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1134         if (IS_ERR(path))
1135                 rc = PTR_ERR(path);
1136         else {
1137                 /* each process gets a /proc/PID/ entry. Strip off the
1138                  * PID part to get a valid selinux labeling.
1139                  * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1140                 while (path[1] >= '0' && path[1] <= '9') {
1141                         path[1] = '/';
1142                         path++;
1143                 }
1144                 rc = security_genfs_sid("proc", path, tclass, sid);
1145         }
1146         free_page((unsigned long)buffer);
1147         return rc;
1148 }
1149 #else
1150 static int selinux_proc_get_sid(struct dentry *dentry,
1151                                 u16 tclass,
1152                                 u32 *sid)
1153 {
1154         return -EINVAL;
1155 }
1156 #endif
1157
1158 /* The inode's security attributes must be initialized before first use. */
1159 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1160 {
1161         struct superblock_security_struct *sbsec = NULL;
1162         struct inode_security_struct *isec = inode->i_security;
1163         u32 sid;
1164         struct dentry *dentry;
1165 #define INITCONTEXTLEN 255
1166         char *context = NULL;
1167         unsigned len = 0;
1168         int rc = 0;
1169
1170         if (isec->initialized)
1171                 goto out;
1172
1173         mutex_lock(&isec->lock);
1174         if (isec->initialized)
1175                 goto out_unlock;
1176
1177         sbsec = inode->i_sb->s_security;
1178         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1179                 /* Defer initialization until selinux_complete_init,
1180                    after the initial policy is loaded and the security
1181                    server is ready to handle calls. */
1182                 spin_lock(&sbsec->isec_lock);
1183                 if (list_empty(&isec->list))
1184                         list_add(&isec->list, &sbsec->isec_head);
1185                 spin_unlock(&sbsec->isec_lock);
1186                 goto out_unlock;
1187         }
1188
1189         switch (sbsec->behavior) {
1190         case SECURITY_FS_USE_XATTR:
1191                 if (!inode->i_op->getxattr) {
1192                         isec->sid = sbsec->def_sid;
1193                         break;
1194                 }
1195
1196                 /* Need a dentry, since the xattr API requires one.
1197                    Life would be simpler if we could just pass the inode. */
1198                 if (opt_dentry) {
1199                         /* Called from d_instantiate or d_splice_alias. */
1200                         dentry = dget(opt_dentry);
1201                 } else {
1202                         /* Called from selinux_complete_init, try to find a dentry. */
1203                         dentry = d_find_alias(inode);
1204                 }
1205                 if (!dentry) {
1206                         /*
1207                          * this is can be hit on boot when a file is accessed
1208                          * before the policy is loaded.  When we load policy we
1209                          * may find inodes that have no dentry on the
1210                          * sbsec->isec_head list.  No reason to complain as these
1211                          * will get fixed up the next time we go through
1212                          * inode_doinit with a dentry, before these inodes could
1213                          * be used again by userspace.
1214                          */
1215                         goto out_unlock;
1216                 }
1217
1218                 len = INITCONTEXTLEN;
1219                 context = kmalloc(len+1, GFP_NOFS);
1220                 if (!context) {
1221                         rc = -ENOMEM;
1222                         dput(dentry);
1223                         goto out_unlock;
1224                 }
1225                 context[len] = '\0';
1226                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1227                                            context, len);
1228                 if (rc == -ERANGE) {
1229                         kfree(context);
1230
1231                         /* Need a larger buffer.  Query for the right size. */
1232                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1233                                                    NULL, 0);
1234                         if (rc < 0) {
1235                                 dput(dentry);
1236                                 goto out_unlock;
1237                         }
1238                         len = rc;
1239                         context = kmalloc(len+1, GFP_NOFS);
1240                         if (!context) {
1241                                 rc = -ENOMEM;
1242                                 dput(dentry);
1243                                 goto out_unlock;
1244                         }
1245                         context[len] = '\0';
1246                         rc = inode->i_op->getxattr(dentry,
1247                                                    XATTR_NAME_SELINUX,
1248                                                    context, len);
1249                 }
1250                 dput(dentry);
1251                 if (rc < 0) {
1252                         if (rc != -ENODATA) {
1253                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1254                                        "%d for dev=%s ino=%ld\n", __func__,
1255                                        -rc, inode->i_sb->s_id, inode->i_ino);
1256                                 kfree(context);
1257                                 goto out_unlock;
1258                         }
1259                         /* Map ENODATA to the default file SID */
1260                         sid = sbsec->def_sid;
1261                         rc = 0;
1262                 } else {
1263                         rc = security_context_to_sid_default(context, rc, &sid,
1264                                                              sbsec->def_sid,
1265                                                              GFP_NOFS);
1266                         if (rc) {
1267                                 char *dev = inode->i_sb->s_id;
1268                                 unsigned long ino = inode->i_ino;
1269
1270                                 if (rc == -EINVAL) {
1271                                         if (printk_ratelimit())
1272                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1273                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1274                                                         "filesystem in question.\n", ino, dev, context);
1275                                 } else {
1276                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1277                                                "returned %d for dev=%s ino=%ld\n",
1278                                                __func__, context, -rc, dev, ino);
1279                                 }
1280                                 kfree(context);
1281                                 /* Leave with the unlabeled SID */
1282                                 rc = 0;
1283                                 break;
1284                         }
1285                 }
1286                 kfree(context);
1287                 isec->sid = sid;
1288                 break;
1289         case SECURITY_FS_USE_TASK:
1290                 isec->sid = isec->task_sid;
1291                 break;
1292         case SECURITY_FS_USE_TRANS:
1293                 /* Default to the fs SID. */
1294                 isec->sid = sbsec->sid;
1295
1296                 /* Try to obtain a transition SID. */
1297                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1298                 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1299                                              isec->sclass, NULL, &sid);
1300                 if (rc)
1301                         goto out_unlock;
1302                 isec->sid = sid;
1303                 break;
1304         case SECURITY_FS_USE_MNTPOINT:
1305                 isec->sid = sbsec->mntpoint_sid;
1306                 break;
1307         default:
1308                 /* Default to the fs superblock SID. */
1309                 isec->sid = sbsec->sid;
1310
1311                 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1312                         if (opt_dentry) {
1313                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1314                                 rc = selinux_proc_get_sid(opt_dentry,
1315                                                           isec->sclass,
1316                                                           &sid);
1317                                 if (rc)
1318                                         goto out_unlock;
1319                                 isec->sid = sid;
1320                         }
1321                 }
1322                 break;
1323         }
1324
1325         isec->initialized = 1;
1326
1327 out_unlock:
1328         mutex_unlock(&isec->lock);
1329 out:
1330         if (isec->sclass == SECCLASS_FILE)
1331                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1332         return rc;
1333 }
1334
1335 /* Convert a Linux signal to an access vector. */
1336 static inline u32 signal_to_av(int sig)
1337 {
1338         u32 perm = 0;
1339
1340         switch (sig) {
1341         case SIGCHLD:
1342                 /* Commonly granted from child to parent. */
1343                 perm = PROCESS__SIGCHLD;
1344                 break;
1345         case SIGKILL:
1346                 /* Cannot be caught or ignored */
1347                 perm = PROCESS__SIGKILL;
1348                 break;
1349         case SIGSTOP:
1350                 /* Cannot be caught or ignored */
1351                 perm = PROCESS__SIGSTOP;
1352                 break;
1353         default:
1354                 /* All other signals. */
1355                 perm = PROCESS__SIGNAL;
1356                 break;
1357         }
1358
1359         return perm;
1360 }
1361
1362 /*
1363  * Check permission between a pair of credentials
1364  * fork check, ptrace check, etc.
1365  */
1366 static int cred_has_perm(const struct cred *actor,
1367                          const struct cred *target,
1368                          u32 perms)
1369 {
1370         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1371
1372         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1373 }
1374
1375 /*
1376  * Check permission between a pair of tasks, e.g. signal checks,
1377  * fork check, ptrace check, etc.
1378  * tsk1 is the actor and tsk2 is the target
1379  * - this uses the default subjective creds of tsk1
1380  */
1381 static int task_has_perm(const struct task_struct *tsk1,
1382                          const struct task_struct *tsk2,
1383                          u32 perms)
1384 {
1385         const struct task_security_struct *__tsec1, *__tsec2;
1386         u32 sid1, sid2;
1387
1388         rcu_read_lock();
1389         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1390         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1391         rcu_read_unlock();
1392         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1393 }
1394
1395 /*
1396  * Check permission between current and another task, e.g. signal checks,
1397  * fork check, ptrace check, etc.
1398  * current is the actor and tsk2 is the target
1399  * - this uses current's subjective creds
1400  */
1401 static int current_has_perm(const struct task_struct *tsk,
1402                             u32 perms)
1403 {
1404         u32 sid, tsid;
1405
1406         sid = current_sid();
1407         tsid = task_sid(tsk);
1408         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1409 }
1410
1411 #if CAP_LAST_CAP > 63
1412 #error Fix SELinux to handle capabilities > 63.
1413 #endif
1414
1415 /* Check whether a task is allowed to use a capability. */
1416 static int task_has_capability(struct task_struct *tsk,
1417                                const struct cred *cred,
1418                                int cap, int audit)
1419 {
1420         struct common_audit_data ad;
1421         struct av_decision avd;
1422         u16 sclass;
1423         u32 sid = cred_sid(cred);
1424         u32 av = CAP_TO_MASK(cap);
1425         int rc;
1426
1427         COMMON_AUDIT_DATA_INIT(&ad, CAP);
1428         ad.tsk = tsk;
1429         ad.u.cap = cap;
1430
1431         switch (CAP_TO_INDEX(cap)) {
1432         case 0:
1433                 sclass = SECCLASS_CAPABILITY;
1434                 break;
1435         case 1:
1436                 sclass = SECCLASS_CAPABILITY2;
1437                 break;
1438         default:
1439                 printk(KERN_ERR
1440                        "SELinux:  out of range capability %d\n", cap);
1441                 BUG();
1442         }
1443
1444         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1445         if (audit == SECURITY_CAP_AUDIT)
1446                 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1447         return rc;
1448 }
1449
1450 /* Check whether a task is allowed to use a system operation. */
1451 static int task_has_system(struct task_struct *tsk,
1452                            u32 perms)
1453 {
1454         u32 sid = task_sid(tsk);
1455
1456         return avc_has_perm(sid, SECINITSID_KERNEL,
1457                             SECCLASS_SYSTEM, perms, NULL);
1458 }
1459
1460 /* Check whether a task has a particular permission to an inode.
1461    The 'adp' parameter is optional and allows other audit
1462    data to be passed (e.g. the dentry). */
1463 static int inode_has_perm(const struct cred *cred,
1464                           struct inode *inode,
1465                           u32 perms,
1466                           struct common_audit_data *adp)
1467 {
1468         struct inode_security_struct *isec;
1469         struct common_audit_data ad;
1470         u32 sid;
1471
1472         validate_creds(cred);
1473
1474         if (unlikely(IS_PRIVATE(inode)))
1475                 return 0;
1476
1477         sid = cred_sid(cred);
1478         isec = inode->i_security;
1479
1480         if (!adp) {
1481                 adp = &ad;
1482                 COMMON_AUDIT_DATA_INIT(&ad, FS);
1483                 ad.u.fs.inode = inode;
1484         }
1485
1486         return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1487 }
1488
1489 /* Same as inode_has_perm, but pass explicit audit data containing
1490    the dentry to help the auditing code to more easily generate the
1491    pathname if needed. */
1492 static inline int dentry_has_perm(const struct cred *cred,
1493                                   struct vfsmount *mnt,
1494                                   struct dentry *dentry,
1495                                   u32 av)
1496 {
1497         struct inode *inode = dentry->d_inode;
1498         struct common_audit_data ad;
1499
1500         COMMON_AUDIT_DATA_INIT(&ad, FS);
1501         ad.u.fs.path.mnt = mnt;
1502         ad.u.fs.path.dentry = dentry;
1503         return inode_has_perm(cred, inode, av, &ad);
1504 }
1505
1506 /* Check whether a task can use an open file descriptor to
1507    access an inode in a given way.  Check access to the
1508    descriptor itself, and then use dentry_has_perm to
1509    check a particular permission to the file.
1510    Access to the descriptor is implicitly granted if it
1511    has the same SID as the process.  If av is zero, then
1512    access to the file is not checked, e.g. for cases
1513    where only the descriptor is affected like seek. */
1514 static int file_has_perm(const struct cred *cred,
1515                          struct file *file,
1516                          u32 av)
1517 {
1518         struct file_security_struct *fsec = file->f_security;
1519         struct inode *inode = file->f_path.dentry->d_inode;
1520         struct common_audit_data ad;
1521         u32 sid = cred_sid(cred);
1522         int rc;
1523
1524         COMMON_AUDIT_DATA_INIT(&ad, FS);
1525         ad.u.fs.path = file->f_path;
1526
1527         if (sid != fsec->sid) {
1528                 rc = avc_has_perm(sid, fsec->sid,
1529                                   SECCLASS_FD,
1530                                   FD__USE,
1531                                   &ad);
1532                 if (rc)
1533                         goto out;
1534         }
1535
1536         /* av is zero if only checking access to the descriptor. */
1537         rc = 0;
1538         if (av)
1539                 rc = inode_has_perm(cred, inode, av, &ad);
1540
1541 out:
1542         return rc;
1543 }
1544
1545 /* Check whether a task can create a file. */
1546 static int may_create(struct inode *dir,
1547                       struct dentry *dentry,
1548                       u16 tclass)
1549 {
1550         const struct task_security_struct *tsec = current_security();
1551         struct inode_security_struct *dsec;
1552         struct superblock_security_struct *sbsec;
1553         u32 sid, newsid;
1554         struct common_audit_data ad;
1555         int rc;
1556
1557         dsec = dir->i_security;
1558         sbsec = dir->i_sb->s_security;
1559
1560         sid = tsec->sid;
1561         newsid = tsec->create_sid;
1562
1563         COMMON_AUDIT_DATA_INIT(&ad, FS);
1564         ad.u.fs.path.dentry = dentry;
1565
1566         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1567                           DIR__ADD_NAME | DIR__SEARCH,
1568                           &ad);
1569         if (rc)
1570                 return rc;
1571
1572         if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1573                 rc = security_transition_sid(sid, dsec->sid, tclass, NULL, &newsid);
1574                 if (rc)
1575                         return rc;
1576         }
1577
1578         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1579         if (rc)
1580                 return rc;
1581
1582         return avc_has_perm(newsid, sbsec->sid,
1583                             SECCLASS_FILESYSTEM,
1584                             FILESYSTEM__ASSOCIATE, &ad);
1585 }
1586
1587 /* Check whether a task can create a key. */
1588 static int may_create_key(u32 ksid,
1589                           struct task_struct *ctx)
1590 {
1591         u32 sid = task_sid(ctx);
1592
1593         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1594 }
1595
1596 #define MAY_LINK        0
1597 #define MAY_UNLINK      1
1598 #define MAY_RMDIR       2
1599
1600 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1601 static int may_link(struct inode *dir,
1602                     struct dentry *dentry,
1603                     int kind)
1604
1605 {
1606         struct inode_security_struct *dsec, *isec;
1607         struct common_audit_data ad;
1608         u32 sid = current_sid();
1609         u32 av;
1610         int rc;
1611
1612         dsec = dir->i_security;
1613         isec = dentry->d_inode->i_security;
1614
1615         COMMON_AUDIT_DATA_INIT(&ad, FS);
1616         ad.u.fs.path.dentry = dentry;
1617
1618         av = DIR__SEARCH;
1619         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1620         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1621         if (rc)
1622                 return rc;
1623
1624         switch (kind) {
1625         case MAY_LINK:
1626                 av = FILE__LINK;
1627                 break;
1628         case MAY_UNLINK:
1629                 av = FILE__UNLINK;
1630                 break;
1631         case MAY_RMDIR:
1632                 av = DIR__RMDIR;
1633                 break;
1634         default:
1635                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1636                         __func__, kind);
1637                 return 0;
1638         }
1639
1640         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1641         return rc;
1642 }
1643
1644 static inline int may_rename(struct inode *old_dir,
1645                              struct dentry *old_dentry,
1646                              struct inode *new_dir,
1647                              struct dentry *new_dentry)
1648 {
1649         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1650         struct common_audit_data ad;
1651         u32 sid = current_sid();
1652         u32 av;
1653         int old_is_dir, new_is_dir;
1654         int rc;
1655
1656         old_dsec = old_dir->i_security;
1657         old_isec = old_dentry->d_inode->i_security;
1658         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1659         new_dsec = new_dir->i_security;
1660
1661         COMMON_AUDIT_DATA_INIT(&ad, FS);
1662
1663         ad.u.fs.path.dentry = old_dentry;
1664         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1665                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1666         if (rc)
1667                 return rc;
1668         rc = avc_has_perm(sid, old_isec->sid,
1669                           old_isec->sclass, FILE__RENAME, &ad);
1670         if (rc)
1671                 return rc;
1672         if (old_is_dir && new_dir != old_dir) {
1673                 rc = avc_has_perm(sid, old_isec->sid,
1674                                   old_isec->sclass, DIR__REPARENT, &ad);
1675                 if (rc)
1676                         return rc;
1677         }
1678
1679         ad.u.fs.path.dentry = new_dentry;
1680         av = DIR__ADD_NAME | DIR__SEARCH;
1681         if (new_dentry->d_inode)
1682                 av |= DIR__REMOVE_NAME;
1683         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1684         if (rc)
1685                 return rc;
1686         if (new_dentry->d_inode) {
1687                 new_isec = new_dentry->d_inode->i_security;
1688                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1689                 rc = avc_has_perm(sid, new_isec->sid,
1690                                   new_isec->sclass,
1691                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1692                 if (rc)
1693                         return rc;
1694         }
1695
1696         return 0;
1697 }
1698
1699 /* Check whether a task can perform a filesystem operation. */
1700 static int superblock_has_perm(const struct cred *cred,
1701                                struct super_block *sb,
1702                                u32 perms,
1703                                struct common_audit_data *ad)
1704 {
1705         struct superblock_security_struct *sbsec;
1706         u32 sid = cred_sid(cred);
1707
1708         sbsec = sb->s_security;
1709         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1710 }
1711
1712 /* Convert a Linux mode and permission mask to an access vector. */
1713 static inline u32 file_mask_to_av(int mode, int mask)
1714 {
1715         u32 av = 0;
1716
1717         if ((mode & S_IFMT) != S_IFDIR) {
1718                 if (mask & MAY_EXEC)
1719                         av |= FILE__EXECUTE;
1720                 if (mask & MAY_READ)
1721                         av |= FILE__READ;
1722
1723                 if (mask & MAY_APPEND)
1724                         av |= FILE__APPEND;
1725                 else if (mask & MAY_WRITE)
1726                         av |= FILE__WRITE;
1727
1728         } else {
1729                 if (mask & MAY_EXEC)
1730                         av |= DIR__SEARCH;
1731                 if (mask & MAY_WRITE)
1732                         av |= DIR__WRITE;
1733                 if (mask & MAY_READ)
1734                         av |= DIR__READ;
1735         }
1736
1737         return av;
1738 }
1739
1740 /* Convert a Linux file to an access vector. */
1741 static inline u32 file_to_av(struct file *file)
1742 {
1743         u32 av = 0;
1744
1745         if (file->f_mode & FMODE_READ)
1746                 av |= FILE__READ;
1747         if (file->f_mode & FMODE_WRITE) {
1748                 if (file->f_flags & O_APPEND)
1749                         av |= FILE__APPEND;
1750                 else
1751                         av |= FILE__WRITE;
1752         }
1753         if (!av) {
1754                 /*
1755                  * Special file opened with flags 3 for ioctl-only use.
1756                  */
1757                 av = FILE__IOCTL;
1758         }
1759
1760         return av;
1761 }
1762
1763 /*
1764  * Convert a file to an access vector and include the correct open
1765  * open permission.
1766  */
1767 static inline u32 open_file_to_av(struct file *file)
1768 {
1769         u32 av = file_to_av(file);
1770
1771         if (selinux_policycap_openperm)
1772                 av |= FILE__OPEN;
1773
1774         return av;
1775 }
1776
1777 /* Hook functions begin here. */
1778
1779 static int selinux_ptrace_access_check(struct task_struct *child,
1780                                      unsigned int mode)
1781 {
1782         int rc;
1783
1784         rc = cap_ptrace_access_check(child, mode);
1785         if (rc)
1786                 return rc;
1787
1788         if (mode == PTRACE_MODE_READ) {
1789                 u32 sid = current_sid();
1790                 u32 csid = task_sid(child);
1791                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1792         }
1793
1794         return current_has_perm(child, PROCESS__PTRACE);
1795 }
1796
1797 static int selinux_ptrace_traceme(struct task_struct *parent)
1798 {
1799         int rc;
1800
1801         rc = cap_ptrace_traceme(parent);
1802         if (rc)
1803                 return rc;
1804
1805         return task_has_perm(parent, current, PROCESS__PTRACE);
1806 }
1807
1808 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1809                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1810 {
1811         int error;
1812
1813         error = current_has_perm(target, PROCESS__GETCAP);
1814         if (error)
1815                 return error;
1816
1817         return cap_capget(target, effective, inheritable, permitted);
1818 }
1819
1820 static int selinux_capset(struct cred *new, const struct cred *old,
1821                           const kernel_cap_t *effective,
1822                           const kernel_cap_t *inheritable,
1823                           const kernel_cap_t *permitted)
1824 {
1825         int error;
1826
1827         error = cap_capset(new, old,
1828                                       effective, inheritable, permitted);
1829         if (error)
1830                 return error;
1831
1832         return cred_has_perm(old, new, PROCESS__SETCAP);
1833 }
1834
1835 /*
1836  * (This comment used to live with the selinux_task_setuid hook,
1837  * which was removed).
1838  *
1839  * Since setuid only affects the current process, and since the SELinux
1840  * controls are not based on the Linux identity attributes, SELinux does not
1841  * need to control this operation.  However, SELinux does control the use of
1842  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1843  */
1844
1845 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1846                            int cap, int audit)
1847 {
1848         int rc;
1849
1850         rc = cap_capable(tsk, cred, cap, audit);
1851         if (rc)
1852                 return rc;
1853
1854         return task_has_capability(tsk, cred, cap, audit);
1855 }
1856
1857 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1858 {
1859         const struct cred *cred = current_cred();
1860         int rc = 0;
1861
1862         if (!sb)
1863                 return 0;
1864
1865         switch (cmds) {
1866         case Q_SYNC:
1867         case Q_QUOTAON:
1868         case Q_QUOTAOFF:
1869         case Q_SETINFO:
1870         case Q_SETQUOTA:
1871                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1872                 break;
1873         case Q_GETFMT:
1874         case Q_GETINFO:
1875         case Q_GETQUOTA:
1876                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1877                 break;
1878         default:
1879                 rc = 0;  /* let the kernel handle invalid cmds */
1880                 break;
1881         }
1882         return rc;
1883 }
1884
1885 static int selinux_quota_on(struct dentry *dentry)
1886 {
1887         const struct cred *cred = current_cred();
1888
1889         return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1890 }
1891
1892 static int selinux_syslog(int type)
1893 {
1894         int rc;
1895
1896         switch (type) {
1897         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
1898         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1899                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1900                 break;
1901         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1902         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
1903         /* Set level of messages printed to console */
1904         case SYSLOG_ACTION_CONSOLE_LEVEL:
1905                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1906                 break;
1907         case SYSLOG_ACTION_CLOSE:       /* Close log */
1908         case SYSLOG_ACTION_OPEN:        /* Open log */
1909         case SYSLOG_ACTION_READ:        /* Read from log */
1910         case SYSLOG_ACTION_READ_CLEAR:  /* Read/clear last kernel messages */
1911         case SYSLOG_ACTION_CLEAR:       /* Clear ring buffer */
1912         default:
1913                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1914                 break;
1915         }
1916         return rc;
1917 }
1918
1919 /*
1920  * Check that a process has enough memory to allocate a new virtual
1921  * mapping. 0 means there is enough memory for the allocation to
1922  * succeed and -ENOMEM implies there is not.
1923  *
1924  * Do not audit the selinux permission check, as this is applied to all
1925  * processes that allocate mappings.
1926  */
1927 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1928 {
1929         int rc, cap_sys_admin = 0;
1930
1931         rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
1932                              SECURITY_CAP_NOAUDIT);
1933         if (rc == 0)
1934                 cap_sys_admin = 1;
1935
1936         return __vm_enough_memory(mm, pages, cap_sys_admin);
1937 }
1938
1939 /* binprm security operations */
1940
1941 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1942 {
1943         const struct task_security_struct *old_tsec;
1944         struct task_security_struct *new_tsec;
1945         struct inode_security_struct *isec;
1946         struct common_audit_data ad;
1947         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1948         int rc;
1949
1950         rc = cap_bprm_set_creds(bprm);
1951         if (rc)
1952                 return rc;
1953
1954         /* SELinux context only depends on initial program or script and not
1955          * the script interpreter */
1956         if (bprm->cred_prepared)
1957                 return 0;
1958
1959         old_tsec = current_security();
1960         new_tsec = bprm->cred->security;
1961         isec = inode->i_security;
1962
1963         /* Default to the current task SID. */
1964         new_tsec->sid = old_tsec->sid;
1965         new_tsec->osid = old_tsec->sid;
1966
1967         /* Reset fs, key, and sock SIDs on execve. */
1968         new_tsec->create_sid = 0;
1969         new_tsec->keycreate_sid = 0;
1970         new_tsec->sockcreate_sid = 0;
1971
1972         if (old_tsec->exec_sid) {
1973                 new_tsec->sid = old_tsec->exec_sid;
1974                 /* Reset exec SID on execve. */
1975                 new_tsec->exec_sid = 0;
1976         } else {
1977                 /* Check for a default transition on this program. */
1978                 rc = security_transition_sid(old_tsec->sid, isec->sid,
1979                                              SECCLASS_PROCESS, NULL,
1980                                              &new_tsec->sid);
1981                 if (rc)
1982                         return rc;
1983         }
1984
1985         COMMON_AUDIT_DATA_INIT(&ad, FS);
1986         ad.u.fs.path = bprm->file->f_path;
1987
1988         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1989                 new_tsec->sid = old_tsec->sid;
1990
1991         if (new_tsec->sid == old_tsec->sid) {
1992                 rc = avc_has_perm(old_tsec->sid, isec->sid,
1993                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1994                 if (rc)
1995                         return rc;
1996         } else {
1997                 /* Check permissions for the transition. */
1998                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1999                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2000                 if (rc)
2001                         return rc;
2002
2003                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2004                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2005                 if (rc)
2006                         return rc;
2007
2008                 /* Check for shared state */
2009                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2010                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2011                                           SECCLASS_PROCESS, PROCESS__SHARE,
2012                                           NULL);
2013                         if (rc)
2014                                 return -EPERM;
2015                 }
2016
2017                 /* Make sure that anyone attempting to ptrace over a task that
2018                  * changes its SID has the appropriate permit */
2019                 if (bprm->unsafe &
2020                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2021                         struct task_struct *tracer;
2022                         struct task_security_struct *sec;
2023                         u32 ptsid = 0;
2024
2025                         rcu_read_lock();
2026                         tracer = tracehook_tracer_task(current);
2027                         if (likely(tracer != NULL)) {
2028                                 sec = __task_cred(tracer)->security;
2029                                 ptsid = sec->sid;
2030                         }
2031                         rcu_read_unlock();
2032
2033                         if (ptsid != 0) {
2034                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2035                                                   SECCLASS_PROCESS,
2036                                                   PROCESS__PTRACE, NULL);
2037                                 if (rc)
2038                                         return -EPERM;
2039                         }
2040                 }
2041
2042                 /* Clear any possibly unsafe personality bits on exec: */
2043                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2044         }
2045
2046         return 0;
2047 }
2048
2049 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2050 {
2051         const struct task_security_struct *tsec = current_security();
2052         u32 sid, osid;
2053         int atsecure = 0;
2054
2055         sid = tsec->sid;
2056         osid = tsec->osid;
2057
2058         if (osid != sid) {
2059                 /* Enable secure mode for SIDs transitions unless
2060                    the noatsecure permission is granted between
2061                    the two SIDs, i.e. ahp returns 0. */
2062                 atsecure = avc_has_perm(osid, sid,
2063                                         SECCLASS_PROCESS,
2064                                         PROCESS__NOATSECURE, NULL);
2065         }
2066
2067         return (atsecure || cap_bprm_secureexec(bprm));
2068 }
2069
2070 extern struct vfsmount *selinuxfs_mount;
2071 extern struct dentry *selinux_null;
2072
2073 /* Derived from fs/exec.c:flush_old_files. */
2074 static inline void flush_unauthorized_files(const struct cred *cred,
2075                                             struct files_struct *files)
2076 {
2077         struct common_audit_data ad;
2078         struct file *file, *devnull = NULL;
2079         struct tty_struct *tty;
2080         struct fdtable *fdt;
2081         long j = -1;
2082         int drop_tty = 0;
2083
2084         tty = get_current_tty();
2085         if (tty) {
2086                 spin_lock(&tty_files_lock);
2087                 if (!list_empty(&tty->tty_files)) {
2088                         struct tty_file_private *file_priv;
2089                         struct inode *inode;
2090
2091                         /* Revalidate access to controlling tty.
2092                            Use inode_has_perm on the tty inode directly rather
2093                            than using file_has_perm, as this particular open
2094                            file may belong to another process and we are only
2095                            interested in the inode-based check here. */
2096                         file_priv = list_first_entry(&tty->tty_files,
2097                                                 struct tty_file_private, list);
2098                         file = file_priv->file;
2099                         inode = file->f_path.dentry->d_inode;
2100                         if (inode_has_perm(cred, inode,
2101                                            FILE__READ | FILE__WRITE, NULL)) {
2102                                 drop_tty = 1;
2103                         }
2104                 }
2105                 spin_unlock(&tty_files_lock);
2106                 tty_kref_put(tty);
2107         }
2108         /* Reset controlling tty. */
2109         if (drop_tty)
2110                 no_tty();
2111
2112         /* Revalidate access to inherited open files. */
2113
2114         COMMON_AUDIT_DATA_INIT(&ad, FS);
2115
2116         spin_lock(&files->file_lock);
2117         for (;;) {
2118                 unsigned long set, i;
2119                 int fd;
2120
2121                 j++;
2122                 i = j * __NFDBITS;
2123                 fdt = files_fdtable(files);
2124                 if (i >= fdt->max_fds)
2125                         break;
2126                 set = fdt->open_fds->fds_bits[j];
2127                 if (!set)
2128                         continue;
2129                 spin_unlock(&files->file_lock);
2130                 for ( ; set ; i++, set >>= 1) {
2131                         if (set & 1) {
2132                                 file = fget(i);
2133                                 if (!file)
2134                                         continue;
2135                                 if (file_has_perm(cred,
2136                                                   file,
2137                                                   file_to_av(file))) {
2138                                         sys_close(i);
2139                                         fd = get_unused_fd();
2140                                         if (fd != i) {
2141                                                 if (fd >= 0)
2142                                                         put_unused_fd(fd);
2143                                                 fput(file);
2144                                                 continue;
2145                                         }
2146                                         if (devnull) {
2147                                                 get_file(devnull);
2148                                         } else {
2149                                                 devnull = dentry_open(
2150                                                         dget(selinux_null),
2151                                                         mntget(selinuxfs_mount),
2152                                                         O_RDWR, cred);
2153                                                 if (IS_ERR(devnull)) {
2154                                                         devnull = NULL;
2155                                                         put_unused_fd(fd);
2156                                                         fput(file);
2157                                                         continue;
2158                                                 }
2159                                         }
2160                                         fd_install(fd, devnull);
2161                                 }
2162                                 fput(file);
2163                         }
2164                 }
2165                 spin_lock(&files->file_lock);
2166
2167         }
2168         spin_unlock(&files->file_lock);
2169 }
2170
2171 /*
2172  * Prepare a process for imminent new credential changes due to exec
2173  */
2174 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2175 {
2176         struct task_security_struct *new_tsec;
2177         struct rlimit *rlim, *initrlim;
2178         int rc, i;
2179
2180         new_tsec = bprm->cred->security;
2181         if (new_tsec->sid == new_tsec->osid)
2182                 return;
2183
2184         /* Close files for which the new task SID is not authorized. */
2185         flush_unauthorized_files(bprm->cred, current->files);
2186
2187         /* Always clear parent death signal on SID transitions. */
2188         current->pdeath_signal = 0;
2189
2190         /* Check whether the new SID can inherit resource limits from the old
2191          * SID.  If not, reset all soft limits to the lower of the current
2192          * task's hard limit and the init task's soft limit.
2193          *
2194          * Note that the setting of hard limits (even to lower them) can be
2195          * controlled by the setrlimit check.  The inclusion of the init task's
2196          * soft limit into the computation is to avoid resetting soft limits
2197          * higher than the default soft limit for cases where the default is
2198          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2199          */
2200         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2201                           PROCESS__RLIMITINH, NULL);
2202         if (rc) {
2203                 /* protect against do_prlimit() */
2204                 task_lock(current);
2205                 for (i = 0; i < RLIM_NLIMITS; i++) {
2206                         rlim = current->signal->rlim + i;
2207                         initrlim = init_task.signal->rlim + i;
2208                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2209                 }
2210                 task_unlock(current);
2211                 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2212         }
2213 }
2214
2215 /*
2216  * Clean up the process immediately after the installation of new credentials
2217  * due to exec
2218  */
2219 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2220 {
2221         const struct task_security_struct *tsec = current_security();
2222         struct itimerval itimer;
2223         u32 osid, sid;
2224         int rc, i;
2225
2226         osid = tsec->osid;
2227         sid = tsec->sid;
2228
2229         if (sid == osid)
2230                 return;
2231
2232         /* Check whether the new SID can inherit signal state from the old SID.
2233          * If not, clear itimers to avoid subsequent signal generation and
2234          * flush and unblock signals.
2235          *
2236          * This must occur _after_ the task SID has been updated so that any
2237          * kill done after the flush will be checked against the new SID.
2238          */
2239         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2240         if (rc) {
2241                 memset(&itimer, 0, sizeof itimer);
2242                 for (i = 0; i < 3; i++)
2243                         do_setitimer(i, &itimer, NULL);
2244                 spin_lock_irq(&current->sighand->siglock);
2245                 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2246                         __flush_signals(current);
2247                         flush_signal_handlers(current, 1);
2248                         sigemptyset(&current->blocked);
2249                 }
2250                 spin_unlock_irq(&current->sighand->siglock);
2251         }
2252
2253         /* Wake up the parent if it is waiting so that it can recheck
2254          * wait permission to the new task SID. */
2255         read_lock(&tasklist_lock);
2256         __wake_up_parent(current, current->real_parent);
2257         read_unlock(&tasklist_lock);
2258 }
2259
2260 /* superblock security operations */
2261
2262 static int selinux_sb_alloc_security(struct super_block *sb)
2263 {
2264         return superblock_alloc_security(sb);
2265 }
2266
2267 static void selinux_sb_free_security(struct super_block *sb)
2268 {
2269         superblock_free_security(sb);
2270 }
2271
2272 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2273 {
2274         if (plen > olen)
2275                 return 0;
2276
2277         return !memcmp(prefix, option, plen);
2278 }
2279
2280 static inline int selinux_option(char *option, int len)
2281 {
2282         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2283                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2284                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2285                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2286                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2287 }
2288
2289 static inline void take_option(char **to, char *from, int *first, int len)
2290 {
2291         if (!*first) {
2292                 **to = ',';
2293                 *to += 1;
2294         } else
2295                 *first = 0;
2296         memcpy(*to, from, len);
2297         *to += len;
2298 }
2299
2300 static inline void take_selinux_option(char **to, char *from, int *first,
2301                                        int len)
2302 {
2303         int current_size = 0;
2304
2305         if (!*first) {
2306                 **to = '|';
2307                 *to += 1;
2308         } else
2309                 *first = 0;
2310
2311         while (current_size < len) {
2312                 if (*from != '"') {
2313                         **to = *from;
2314                         *to += 1;
2315                 }
2316                 from += 1;
2317                 current_size += 1;
2318         }
2319 }
2320
2321 static int selinux_sb_copy_data(char *orig, char *copy)
2322 {
2323         int fnosec, fsec, rc = 0;
2324         char *in_save, *in_curr, *in_end;
2325         char *sec_curr, *nosec_save, *nosec;
2326         int open_quote = 0;
2327
2328         in_curr = orig;
2329         sec_curr = copy;
2330
2331         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2332         if (!nosec) {
2333                 rc = -ENOMEM;
2334                 goto out;
2335         }
2336
2337         nosec_save = nosec;
2338         fnosec = fsec = 1;
2339         in_save = in_end = orig;
2340
2341         do {
2342                 if (*in_end == '"')
2343                         open_quote = !open_quote;
2344                 if ((*in_end == ',' && open_quote == 0) ||
2345                                 *in_end == '\0') {
2346                         int len = in_end - in_curr;
2347
2348                         if (selinux_option(in_curr, len))
2349                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2350                         else
2351                                 take_option(&nosec, in_curr, &fnosec, len);
2352
2353                         in_curr = in_end + 1;
2354                 }
2355         } while (*in_end++);
2356
2357         strcpy(in_save, nosec_save);
2358         free_page((unsigned long)nosec_save);
2359 out:
2360         return rc;
2361 }
2362
2363 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2364 {
2365         const struct cred *cred = current_cred();
2366         struct common_audit_data ad;
2367         int rc;
2368
2369         rc = superblock_doinit(sb, data);
2370         if (rc)
2371                 return rc;
2372
2373         /* Allow all mounts performed by the kernel */
2374         if (flags & MS_KERNMOUNT)
2375                 return 0;
2376
2377         COMMON_AUDIT_DATA_INIT(&ad, FS);
2378         ad.u.fs.path.dentry = sb->s_root;
2379         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2380 }
2381
2382 static int selinux_sb_statfs(struct dentry *dentry)
2383 {
2384         const struct cred *cred = current_cred();
2385         struct common_audit_data ad;
2386
2387         COMMON_AUDIT_DATA_INIT(&ad, FS);
2388         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2389         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2390 }
2391
2392 static int selinux_mount(char *dev_name,
2393                          struct path *path,
2394                          char *type,
2395                          unsigned long flags,
2396                          void *data)
2397 {
2398         const struct cred *cred = current_cred();
2399
2400         if (flags & MS_REMOUNT)
2401                 return superblock_has_perm(cred, path->mnt->mnt_sb,
2402                                            FILESYSTEM__REMOUNT, NULL);
2403         else
2404                 return dentry_has_perm(cred, path->mnt, path->dentry,
2405                                        FILE__MOUNTON);
2406 }
2407
2408 static int selinux_umount(struct vfsmount *mnt, int flags)
2409 {
2410         const struct cred *cred = current_cred();
2411
2412         return superblock_has_perm(cred, mnt->mnt_sb,
2413                                    FILESYSTEM__UNMOUNT, NULL);
2414 }
2415
2416 /* inode security operations */
2417
2418 static int selinux_inode_alloc_security(struct inode *inode)
2419 {
2420         return inode_alloc_security(inode);
2421 }
2422
2423 static void selinux_inode_free_security(struct inode *inode)
2424 {
2425         inode_free_security(inode);
2426 }
2427
2428 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2429                                        const struct qstr *qstr, char **name,
2430                                        void **value, size_t *len)
2431 {
2432         const struct task_security_struct *tsec = current_security();
2433         struct inode_security_struct *dsec;
2434         struct superblock_security_struct *sbsec;
2435         u32 sid, newsid, clen;
2436         int rc;
2437         char *namep = NULL, *context;
2438
2439         dsec = dir->i_security;
2440         sbsec = dir->i_sb->s_security;
2441
2442         sid = tsec->sid;
2443         newsid = tsec->create_sid;
2444
2445         if ((sbsec->flags & SE_SBINITIALIZED) &&
2446             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2447                 newsid = sbsec->mntpoint_sid;
2448         else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2449                 rc = security_transition_sid(sid, dsec->sid,
2450                                              inode_mode_to_security_class(inode->i_mode),
2451                                              qstr, &newsid);
2452                 if (rc) {
2453                         printk(KERN_WARNING "%s:  "
2454                                "security_transition_sid failed, rc=%d (dev=%s "
2455                                "ino=%ld)\n",
2456                                __func__,
2457                                -rc, inode->i_sb->s_id, inode->i_ino);
2458                         return rc;
2459                 }
2460         }
2461
2462         /* Possibly defer initialization to selinux_complete_init. */
2463         if (sbsec->flags & SE_SBINITIALIZED) {
2464                 struct inode_security_struct *isec = inode->i_security;
2465                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2466                 isec->sid = newsid;
2467                 isec->initialized = 1;
2468         }
2469
2470         if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2471                 return -EOPNOTSUPP;
2472
2473         if (name) {
2474                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2475                 if (!namep)
2476                         return -ENOMEM;
2477                 *name = namep;
2478         }
2479
2480         if (value && len) {
2481                 rc = security_sid_to_context_force(newsid, &context, &clen);
2482                 if (rc) {
2483                         kfree(namep);
2484                         return rc;
2485                 }
2486                 *value = context;
2487                 *len = clen;
2488         }
2489
2490         return 0;
2491 }
2492
2493 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2494 {
2495         return may_create(dir, dentry, SECCLASS_FILE);
2496 }
2497
2498 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2499 {
2500         return may_link(dir, old_dentry, MAY_LINK);
2501 }
2502
2503 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2504 {
2505         return may_link(dir, dentry, MAY_UNLINK);
2506 }
2507
2508 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2509 {
2510         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2511 }
2512
2513 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2514 {
2515         return may_create(dir, dentry, SECCLASS_DIR);
2516 }
2517
2518 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2519 {
2520         return may_link(dir, dentry, MAY_RMDIR);
2521 }
2522
2523 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2524 {
2525         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2526 }
2527
2528 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2529                                 struct inode *new_inode, struct dentry *new_dentry)
2530 {
2531         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2532 }
2533
2534 static int selinux_inode_readlink(struct dentry *dentry)
2535 {
2536         const struct cred *cred = current_cred();
2537
2538         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2539 }
2540
2541 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2542 {
2543         const struct cred *cred = current_cred();
2544
2545         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2546 }
2547
2548 static int selinux_inode_permission(struct inode *inode, int mask)
2549 {
2550         const struct cred *cred = current_cred();
2551         struct common_audit_data ad;
2552         u32 perms;
2553         bool from_access;
2554
2555         from_access = mask & MAY_ACCESS;
2556         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2557
2558         /* No permission to check.  Existence test. */
2559         if (!mask)
2560                 return 0;
2561
2562         COMMON_AUDIT_DATA_INIT(&ad, FS);
2563         ad.u.fs.inode = inode;
2564
2565         if (from_access)
2566                 ad.selinux_audit_data.auditdeny |= FILE__AUDIT_ACCESS;
2567
2568         perms = file_mask_to_av(inode->i_mode, mask);
2569
2570         return inode_has_perm(cred, inode, perms, &ad);
2571 }
2572
2573 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2574 {
2575         const struct cred *cred = current_cred();
2576         unsigned int ia_valid = iattr->ia_valid;
2577
2578         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2579         if (ia_valid & ATTR_FORCE) {
2580                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2581                               ATTR_FORCE);
2582                 if (!ia_valid)
2583                         return 0;
2584         }
2585
2586         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2587                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2588                 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2589
2590         return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2591 }
2592
2593 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2594 {
2595         const struct cred *cred = current_cred();
2596
2597         return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2598 }
2599
2600 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2601 {
2602         const struct cred *cred = current_cred();
2603
2604         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2605                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2606                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2607                         if (!capable(CAP_SETFCAP))
2608                                 return -EPERM;
2609                 } else if (!capable(CAP_SYS_ADMIN)) {
2610                         /* A different attribute in the security namespace.
2611                            Restrict to administrator. */
2612                         return -EPERM;
2613                 }
2614         }
2615
2616         /* Not an attribute we recognize, so just check the
2617            ordinary setattr permission. */
2618         return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2619 }
2620
2621 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2622                                   const void *value, size_t size, int flags)
2623 {
2624         struct inode *inode = dentry->d_inode;
2625         struct inode_security_struct *isec = inode->i_security;
2626         struct superblock_security_struct *sbsec;
2627         struct common_audit_data ad;
2628         u32 newsid, sid = current_sid();
2629         int rc = 0;
2630
2631         if (strcmp(name, XATTR_NAME_SELINUX))
2632                 return selinux_inode_setotherxattr(dentry, name);
2633
2634         sbsec = inode->i_sb->s_security;
2635         if (!(sbsec->flags & SE_SBLABELSUPP))
2636                 return -EOPNOTSUPP;
2637
2638         if (!is_owner_or_cap(inode))
2639                 return -EPERM;
2640
2641         COMMON_AUDIT_DATA_INIT(&ad, FS);
2642         ad.u.fs.path.dentry = dentry;
2643
2644         rc = avc_has_perm(sid, isec->sid, isec->sclass,
2645                           FILE__RELABELFROM, &ad);
2646         if (rc)
2647                 return rc;
2648
2649         rc = security_context_to_sid(value, size, &newsid);
2650         if (rc == -EINVAL) {
2651                 if (!capable(CAP_MAC_ADMIN))
2652                         return rc;
2653                 rc = security_context_to_sid_force(value, size, &newsid);
2654         }
2655         if (rc)
2656                 return rc;
2657
2658         rc = avc_has_perm(sid, newsid, isec->sclass,
2659                           FILE__RELABELTO, &ad);
2660         if (rc)
2661                 return rc;
2662
2663         rc = security_validate_transition(isec->sid, newsid, sid,
2664                                           isec->sclass);
2665         if (rc)
2666                 return rc;
2667
2668         return avc_has_perm(newsid,
2669                             sbsec->sid,
2670                             SECCLASS_FILESYSTEM,
2671                             FILESYSTEM__ASSOCIATE,
2672                             &ad);
2673 }
2674
2675 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2676                                         const void *value, size_t size,
2677                                         int flags)
2678 {
2679         struct inode *inode = dentry->d_inode;
2680         struct inode_security_struct *isec = inode->i_security;
2681         u32 newsid;
2682         int rc;
2683
2684         if (strcmp(name, XATTR_NAME_SELINUX)) {
2685                 /* Not an attribute we recognize, so nothing to do. */
2686                 return;
2687         }
2688
2689         rc = security_context_to_sid_force(value, size, &newsid);
2690         if (rc) {
2691                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2692                        "for (%s, %lu), rc=%d\n",
2693                        inode->i_sb->s_id, inode->i_ino, -rc);
2694                 return;
2695         }
2696
2697         isec->sid = newsid;
2698         return;
2699 }
2700
2701 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2702 {
2703         const struct cred *cred = current_cred();
2704
2705         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2706 }
2707
2708 static int selinux_inode_listxattr(struct dentry *dentry)
2709 {
2710         const struct cred *cred = current_cred();
2711
2712         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2713 }
2714
2715 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2716 {
2717         if (strcmp(name, XATTR_NAME_SELINUX))
2718                 return selinux_inode_setotherxattr(dentry, name);
2719
2720         /* No one is allowed to remove a SELinux security label.
2721            You can change the label, but all data must be labeled. */
2722         return -EACCES;
2723 }
2724
2725 /*
2726  * Copy the inode security context value to the user.
2727  *
2728  * Permission check is handled by selinux_inode_getxattr hook.
2729  */
2730 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2731 {
2732         u32 size;
2733         int error;
2734         char *context = NULL;
2735         struct inode_security_struct *isec = inode->i_security;
2736
2737         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2738                 return -EOPNOTSUPP;
2739
2740         /*
2741          * If the caller has CAP_MAC_ADMIN, then get the raw context
2742          * value even if it is not defined by current policy; otherwise,
2743          * use the in-core value under current policy.
2744          * Use the non-auditing forms of the permission checks since
2745          * getxattr may be called by unprivileged processes commonly
2746          * and lack of permission just means that we fall back to the
2747          * in-core context value, not a denial.
2748          */
2749         error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
2750                                 SECURITY_CAP_NOAUDIT);
2751         if (!error)
2752                 error = security_sid_to_context_force(isec->sid, &context,
2753                                                       &size);
2754         else
2755                 error = security_sid_to_context(isec->sid, &context, &size);
2756         if (error)
2757                 return error;
2758         error = size;
2759         if (alloc) {
2760                 *buffer = context;
2761                 goto out_nofree;
2762         }
2763         kfree(context);
2764 out_nofree:
2765         return error;
2766 }
2767
2768 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2769                                      const void *value, size_t size, int flags)
2770 {
2771         struct inode_security_struct *isec = inode->i_security;
2772         u32 newsid;
2773         int rc;
2774
2775         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2776                 return -EOPNOTSUPP;
2777
2778         if (!value || !size)
2779                 return -EACCES;
2780
2781         rc = security_context_to_sid((void *)value, size, &newsid);
2782         if (rc)
2783                 return rc;
2784
2785         isec->sid = newsid;
2786         isec->initialized = 1;
2787         return 0;
2788 }
2789
2790 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2791 {
2792         const int len = sizeof(XATTR_NAME_SELINUX);
2793         if (buffer && len <= buffer_size)
2794                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2795         return len;
2796 }
2797
2798 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2799 {
2800         struct inode_security_struct *isec = inode->i_security;
2801         *secid = isec->sid;
2802 }
2803
2804 /* file security operations */
2805
2806 static int selinux_revalidate_file_permission(struct file *file, int mask)
2807 {
2808         const struct cred *cred = current_cred();
2809         struct inode *inode = file->f_path.dentry->d_inode;
2810
2811         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2812         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2813                 mask |= MAY_APPEND;
2814
2815         return file_has_perm(cred, file,
2816                              file_mask_to_av(inode->i_mode, mask));
2817 }
2818
2819 static int selinux_file_permission(struct file *file, int mask)
2820 {
2821         struct inode *inode = file->f_path.dentry->d_inode;
2822         struct file_security_struct *fsec = file->f_security;
2823         struct inode_security_struct *isec = inode->i_security;
2824         u32 sid = current_sid();
2825
2826         if (!mask)
2827                 /* No permission to check.  Existence test. */
2828                 return 0;
2829
2830         if (sid == fsec->sid && fsec->isid == isec->sid &&
2831             fsec->pseqno == avc_policy_seqno())
2832                 /* No change since dentry_open check. */
2833                 return 0;
2834
2835         return selinux_revalidate_file_permission(file, mask);
2836 }
2837
2838 static int selinux_file_alloc_security(struct file *file)
2839 {
2840         return file_alloc_security(file);
2841 }
2842
2843 static void selinux_file_free_security(struct file *file)
2844 {
2845         file_free_security(file);
2846 }
2847
2848 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2849                               unsigned long arg)
2850 {
2851         const struct cred *cred = current_cred();
2852         u32 av = 0;
2853
2854         if (_IOC_DIR(cmd) & _IOC_WRITE)
2855                 av |= FILE__WRITE;
2856         if (_IOC_DIR(cmd) & _IOC_READ)
2857                 av |= FILE__READ;
2858         if (!av)
2859                 av = FILE__IOCTL;
2860
2861         return file_has_perm(cred, file, av);
2862 }
2863
2864 static int default_noexec;
2865
2866 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2867 {
2868         const struct cred *cred = current_cred();
2869         int rc = 0;
2870
2871         if (default_noexec &&
2872             (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2873                 /*
2874                  * We are making executable an anonymous mapping or a
2875                  * private file mapping that will also be writable.
2876                  * This has an additional check.
2877                  */
2878                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
2879                 if (rc)
2880                         goto error;
2881         }
2882
2883         if (file) {
2884                 /* read access is always possible with a mapping */
2885                 u32 av = FILE__READ;
2886
2887                 /* write access only matters if the mapping is shared */
2888                 if (shared && (prot & PROT_WRITE))
2889                         av |= FILE__WRITE;
2890
2891                 if (prot & PROT_EXEC)
2892                         av |= FILE__EXECUTE;
2893
2894                 return file_has_perm(cred, file, av);
2895         }
2896
2897 error:
2898         return rc;
2899 }
2900
2901 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2902                              unsigned long prot, unsigned long flags,
2903                              unsigned long addr, unsigned long addr_only)
2904 {
2905         int rc = 0;
2906         u32 sid = current_sid();
2907
2908         /*
2909          * notice that we are intentionally putting the SELinux check before
2910          * the secondary cap_file_mmap check.  This is such a likely attempt
2911          * at bad behaviour/exploit that we always want to get the AVC, even
2912          * if DAC would have also denied the operation.
2913          */
2914         if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
2915                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2916                                   MEMPROTECT__MMAP_ZERO, NULL);
2917                 if (rc)
2918                         return rc;
2919         }
2920
2921         /* do DAC check on address space usage */
2922         rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
2923         if (rc || addr_only)
2924                 return rc;
2925
2926         if (selinux_checkreqprot)
2927                 prot = reqprot;
2928
2929         return file_map_prot_check(file, prot,
2930                                    (flags & MAP_TYPE) == MAP_SHARED);
2931 }
2932
2933 static int selinux_file_mprotect(struct vm_area_struct *vma,
2934                                  unsigned long reqprot,
2935                                  unsigned long prot)
2936 {
2937         const struct cred *cred = current_cred();
2938
2939         if (selinux_checkreqprot)
2940                 prot = reqprot;
2941
2942         if (default_noexec &&
2943             (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2944                 int rc = 0;
2945                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2946                     vma->vm_end <= vma->vm_mm->brk) {
2947                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
2948                 } else if (!vma->vm_file &&
2949                            vma->vm_start <= vma->vm_mm->start_stack &&
2950                            vma->vm_end >= vma->vm_mm->start_stack) {
2951                         rc = current_has_perm(current, PROCESS__EXECSTACK);
2952                 } else if (vma->vm_file && vma->anon_vma) {
2953                         /*
2954                          * We are making executable a file mapping that has
2955                          * had some COW done. Since pages might have been
2956                          * written, check ability to execute the possibly
2957                          * modified content.  This typically should only
2958                          * occur for text relocations.
2959                          */
2960                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
2961                 }
2962                 if (rc)
2963                         return rc;
2964         }
2965
2966         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2967 }
2968
2969 static int selinux_file_lock(struct file *file, unsigned int cmd)
2970 {
2971         const struct cred *cred = current_cred();
2972
2973         return file_has_perm(cred, file, FILE__LOCK);
2974 }
2975
2976 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2977                               unsigned long arg)
2978 {
2979         const struct cred *cred = current_cred();
2980         int err = 0;
2981
2982         switch (cmd) {
2983         case F_SETFL:
2984                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2985                         err = -EINVAL;
2986                         break;
2987                 }
2988
2989                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2990                         err = file_has_perm(cred, file, FILE__WRITE);
2991                         break;
2992                 }
2993                 /* fall through */
2994         case F_SETOWN:
2995         case F_SETSIG:
2996         case F_GETFL:
2997         case F_GETOWN:
2998         case F_GETSIG:
2999                 /* Just check FD__USE permission */
3000                 err = file_has_perm(cred, file, 0);
3001                 break;
3002         case F_GETLK:
3003         case F_SETLK:
3004         case F_SETLKW:
3005 #if BITS_PER_LONG == 32
3006         case F_GETLK64:
3007         case F_SETLK64:
3008         case F_SETLKW64:
3009 #endif
3010                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3011                         err = -EINVAL;
3012                         break;
3013                 }
3014                 err = file_has_perm(cred, file, FILE__LOCK);
3015                 break;
3016         }
3017
3018         return err;
3019 }
3020
3021 static int selinux_file_set_fowner(struct file *file)
3022 {
3023         struct file_security_struct *fsec;
3024
3025         fsec = file->f_security;
3026         fsec->fown_sid = current_sid();
3027
3028         return 0;
3029 }
3030
3031 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3032                                        struct fown_struct *fown, int signum)
3033 {
3034         struct file *file;
3035         u32 sid = task_sid(tsk);
3036         u32 perm;
3037         struct file_security_struct *fsec;
3038
3039         /* struct fown_struct is never outside the context of a struct file */
3040         file = container_of(fown, struct file, f_owner);
3041
3042         fsec = file->f_security;
3043
3044         if (!signum)
3045                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3046         else
3047                 perm = signal_to_av(signum);
3048
3049         return avc_has_perm(fsec->fown_sid, sid,
3050                             SECCLASS_PROCESS, perm, NULL);
3051 }
3052
3053 static int selinux_file_receive(struct file *file)
3054 {
3055         const struct cred *cred = current_cred();
3056
3057         return file_has_perm(cred, file, file_to_av(file));
3058 }
3059
3060 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3061 {
3062         struct file_security_struct *fsec;
3063         struct inode *inode;
3064         struct inode_security_struct *isec;
3065
3066         inode = file->f_path.dentry->d_inode;
3067         fsec = file->f_security;
3068         isec = inode->i_security;
3069         /*
3070          * Save inode label and policy sequence number
3071          * at open-time so that selinux_file_permission
3072          * can determine whether revalidation is necessary.
3073          * Task label is already saved in the file security
3074          * struct as its SID.
3075          */
3076         fsec->isid = isec->sid;
3077         fsec->pseqno = avc_policy_seqno();
3078         /*
3079          * Since the inode label or policy seqno may have changed
3080          * between the selinux_inode_permission check and the saving
3081          * of state above, recheck that access is still permitted.
3082          * Otherwise, access might never be revalidated against the
3083          * new inode label or new policy.
3084          * This check is not redundant - do not remove.
3085          */
3086         return inode_has_perm(cred, inode, open_file_to_av(file), NULL);
3087 }
3088
3089 /* task security operations */
3090
3091 static int selinux_task_create(unsigned long clone_flags)
3092 {
3093         return current_has_perm(current, PROCESS__FORK);
3094 }
3095
3096 /*
3097  * allocate the SELinux part of blank credentials
3098  */
3099 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3100 {
3101         struct task_security_struct *tsec;
3102
3103         tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3104         if (!tsec)
3105                 return -ENOMEM;
3106
3107         cred->security = tsec;
3108         return 0;
3109 }
3110
3111 /*
3112  * detach and free the LSM part of a set of credentials
3113  */
3114 static void selinux_cred_free(struct cred *cred)
3115 {
3116         struct task_security_struct *tsec = cred->security;
3117
3118         BUG_ON((unsigned long) cred->security < PAGE_SIZE);
3119         cred->security = (void *) 0x7UL;
3120         kfree(tsec);
3121 }
3122
3123 /*
3124  * prepare a new set of credentials for modification
3125  */
3126 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3127                                 gfp_t gfp)
3128 {
3129         const struct task_security_struct *old_tsec;
3130         struct task_security_struct *tsec;
3131
3132         old_tsec = old->security;
3133
3134         tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3135         if (!tsec)
3136                 return -ENOMEM;
3137
3138         new->security = tsec;
3139         return 0;
3140 }
3141
3142 /*
3143  * transfer the SELinux data to a blank set of creds
3144  */
3145 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3146 {
3147         const struct task_security_struct *old_tsec = old->security;
3148         struct task_security_struct *tsec = new->security;
3149
3150         *tsec = *old_tsec;
3151 }
3152
3153 /*
3154  * set the security data for a kernel service
3155  * - all the creation contexts are set to unlabelled
3156  */
3157 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3158 {
3159         struct task_security_struct *tsec = new->security;
3160         u32 sid = current_sid();
3161         int ret;
3162
3163         ret = avc_has_perm(sid, secid,
3164                            SECCLASS_KERNEL_SERVICE,
3165                            KERNEL_SERVICE__USE_AS_OVERRIDE,
3166                            NULL);
3167         if (ret == 0) {
3168                 tsec->sid = secid;
3169                 tsec->create_sid = 0;
3170                 tsec->keycreate_sid = 0;
3171                 tsec->sockcreate_sid = 0;
3172         }
3173         return ret;
3174 }
3175
3176 /*
3177  * set the file creation context in a security record to the same as the
3178  * objective context of the specified inode
3179  */
3180 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3181 {
3182         struct inode_security_struct *isec = inode->i_security;
3183         struct task_security_struct *tsec = new->security;
3184         u32 sid = current_sid();
3185         int ret;
3186
3187         ret = avc_has_perm(sid, isec->sid,
3188                            SECCLASS_KERNEL_SERVICE,
3189                            KERNEL_SERVICE__CREATE_FILES_AS,
3190                            NULL);
3191
3192         if (ret == 0)
3193                 tsec->create_sid = isec->sid;
3194         return ret;
3195 }
3196
3197 static int selinux_kernel_module_request(char *kmod_name)
3198 {
3199         u32 sid;
3200         struct common_audit_data ad;
3201
3202         sid = task_sid(current);
3203
3204         COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3205         ad.u.kmod_name = kmod_name;
3206
3207         return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3208                             SYSTEM__MODULE_REQUEST, &ad);
3209 }
3210
3211 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3212 {
3213         return current_has_perm(p, PROCESS__SETPGID);
3214 }
3215
3216 static int selinux_task_getpgid(struct task_struct *p)
3217 {
3218         return current_has_perm(p, PROCESS__GETPGID);
3219 }
3220
3221 static int selinux_task_getsid(struct task_struct *p)
3222 {
3223         return current_has_perm(p, PROCESS__GETSESSION);
3224 }
3225
3226 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3227 {
3228         *secid = task_sid(p);
3229 }
3230
3231 static int selinux_task_setnice(struct task_struct *p, int nice)
3232 {
3233         int rc;
3234
3235         rc = cap_task_setnice(p, nice);
3236         if (rc)
3237                 return rc;
3238
3239         return current_has_perm(p, PROCESS__SETSCHED);
3240 }
3241
3242 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3243 {
3244         int rc;
3245
3246         rc = cap_task_setioprio(p, ioprio);
3247         if (rc)
3248                 return rc;
3249
3250         return current_has_perm(p, PROCESS__SETSCHED);
3251 }
3252
3253 static int selinux_task_getioprio(struct task_struct *p)
3254 {
3255         return current_has_perm(p, PROCESS__GETSCHED);
3256 }
3257
3258 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3259                 struct rlimit *new_rlim)
3260 {
3261         struct rlimit *old_rlim = p->signal->rlim + resource;
3262
3263         /* Control the ability to change the hard limit (whether
3264            lowering or raising it), so that the hard limit can
3265            later be used as a safe reset point for the soft limit
3266            upon context transitions.  See selinux_bprm_committing_creds. */
3267         if (old_rlim->rlim_max != new_rlim->rlim_max)
3268                 return current_has_perm(p, PROCESS__SETRLIMIT);
3269
3270         return 0;
3271 }
3272
3273 static int selinux_task_setscheduler(struct task_struct *p)
3274 {
3275         int rc;
3276
3277         rc = cap_task_setscheduler(p);
3278         if (rc)
3279                 return rc;
3280
3281         return current_has_perm(p, PROCESS__SETSCHED);
3282 }
3283
3284 static int selinux_task_getscheduler(struct task_struct *p)
3285 {
3286         return current_has_perm(p, PROCESS__GETSCHED);
3287 }
3288
3289 static int selinux_task_movememory(struct task_struct *p)
3290 {
3291         return current_has_perm(p, PROCESS__SETSCHED);
3292 }
3293
3294 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3295                                 int sig, u32 secid)
3296 {
3297         u32 perm;
3298         int rc;
3299
3300         if (!sig)
3301                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3302         else
3303                 perm = signal_to_av(sig);
3304         if (secid)
3305                 rc = avc_has_perm(secid, task_sid(p),
3306                                   SECCLASS_PROCESS, perm, NULL);
3307         else
3308                 rc = current_has_perm(p, perm);
3309         return rc;
3310 }
3311
3312 static int selinux_task_wait(struct task_struct *p)
3313 {
3314         return task_has_perm(p, current, PROCESS__SIGCHLD);
3315 }
3316
3317 static void selinux_task_to_inode(struct task_struct *p,
3318                                   struct inode *inode)
3319 {
3320         struct inode_security_struct *isec = inode->i_security;
3321         u32 sid = task_sid(p);
3322
3323         isec->sid = sid;
3324         isec->initialized = 1;
3325 }
3326
3327 /* Returns error only if unable to parse addresses */
3328 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3329                         struct common_audit_data *ad, u8 *proto)
3330 {
3331         int offset, ihlen, ret = -EINVAL;
3332         struct iphdr _iph, *ih;
3333
3334         offset = skb_network_offset(skb);
3335         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3336         if (ih == NULL)
3337                 goto out;
3338
3339         ihlen = ih->ihl * 4;
3340         if (ihlen < sizeof(_iph))
3341                 goto out;
3342
3343         ad->u.net.v4info.saddr = ih->saddr;
3344         ad->u.net.v4info.daddr = ih->daddr;
3345         ret = 0;
3346
3347         if (proto)
3348                 *proto = ih->protocol;
3349
3350         switch (ih->protocol) {
3351         case IPPROTO_TCP: {
3352                 struct tcphdr _tcph, *th;
3353
3354                 if (ntohs(ih->frag_off) & IP_OFFSET)
3355                         break;
3356
3357                 offset += ihlen;
3358                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3359                 if (th == NULL)
3360                         break;
3361
3362                 ad->u.net.sport = th->source;
3363                 ad->u.net.dport = th->dest;
3364                 break;
3365         }
3366
3367         case IPPROTO_UDP: {
3368                 struct udphdr _udph, *uh;
3369
3370                 if (ntohs(ih->frag_off) & IP_OFFSET)
3371                         break;
3372
3373                 offset += ihlen;
3374                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3375                 if (uh == NULL)
3376                         break;
3377
3378                 ad->u.net.sport = uh->source;
3379                 ad->u.net.dport = uh->dest;
3380                 break;
3381         }
3382
3383         case IPPROTO_DCCP: {
3384                 struct dccp_hdr _dccph, *dh;
3385
3386                 if (ntohs(ih->frag_off) & IP_OFFSET)
3387                         break;
3388
3389                 offset += ihlen;
3390                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3391                 if (dh == NULL)
3392                         break;
3393
3394                 ad->u.net.sport = dh->dccph_sport;
3395                 ad->u.net.dport = dh->dccph_dport;
3396                 break;
3397         }
3398
3399         default:
3400                 break;
3401         }
3402 out:
3403         return ret;
3404 }
3405
3406 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3407
3408 /* Returns error only if unable to parse addresses */
3409 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3410                         struct common_audit_data *ad, u8 *proto)
3411 {
3412         u8 nexthdr;
3413         int ret = -EINVAL, offset;
3414         struct ipv6hdr _ipv6h, *ip6;
3415
3416         offset = skb_network_offset(skb);
3417         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3418         if (ip6 == NULL)
3419                 goto out;
3420
3421         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3422         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3423         ret = 0;
3424
3425         nexthdr = ip6->nexthdr;
3426         offset += sizeof(_ipv6h);
3427         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3428         if (offset < 0)
3429                 goto out;
3430
3431         if (proto)
3432                 *proto = nexthdr;
3433
3434         switch (nexthdr) {
3435         case IPPROTO_TCP: {
3436                 struct tcphdr _tcph, *th;
3437
3438                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3439                 if (th == NULL)
3440                         break;
3441
3442                 ad->u.net.sport = th->source;
3443                 ad->u.net.dport = th->dest;
3444                 break;
3445         }
3446
3447         case IPPROTO_UDP: {
3448                 struct udphdr _udph, *uh;
3449
3450                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3451                 if (uh == NULL)
3452                         break;
3453
3454                 ad->u.net.sport = uh->source;
3455                 ad->u.net.dport = uh->dest;
3456                 break;
3457         }
3458
3459         case IPPROTO_DCCP: {
3460                 struct dccp_hdr _dccph, *dh;
3461
3462                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3463                 if (dh == NULL)
3464                         break;
3465
3466                 ad->u.net.sport = dh->dccph_sport;
3467                 ad->u.net.dport = dh->dccph_dport;
3468                 break;
3469         }
3470
3471         /* includes fragments */
3472         default:
3473                 break;
3474         }
3475 out:
3476         return ret;
3477 }
3478
3479 #endif /* IPV6 */
3480
3481 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3482                              char **_addrp, int src, u8 *proto)
3483 {
3484         char *addrp;
3485         int ret;
3486
3487         switch (ad->u.net.family) {
3488         case PF_INET:
3489                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3490                 if (ret)
3491                         goto parse_error;
3492                 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3493                                        &ad->u.net.v4info.daddr);
3494                 goto okay;
3495
3496 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3497         case PF_INET6:
3498                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3499                 if (ret)
3500                         goto parse_error;
3501                 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3502                                        &ad->u.net.v6info.daddr);
3503                 goto okay;
3504 #endif  /* IPV6 */
3505         default:
3506                 addrp = NULL;
3507                 goto okay;
3508         }
3509
3510 parse_error:
3511         printk(KERN_WARNING
3512                "SELinux: failure in selinux_parse_skb(),"
3513                " unable to parse packet\n");
3514         return ret;
3515
3516 okay:
3517         if (_addrp)
3518                 *_addrp = addrp;
3519         return 0;
3520 }
3521
3522 /**
3523  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3524  * @skb: the packet
3525  * @family: protocol family
3526  * @sid: the packet's peer label SID
3527  *
3528  * Description:
3529  * Check the various different forms of network peer labeling and determine
3530  * the peer label/SID for the packet; most of the magic actually occurs in
3531  * the security server function security_net_peersid_cmp().  The function
3532  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3533  * or -EACCES if @sid is invalid due to inconsistencies with the different
3534  * peer labels.
3535  *
3536  */
3537 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3538 {
3539         int err;
3540         u32 xfrm_sid;
3541         u32 nlbl_sid;
3542         u32 nlbl_type;
3543
3544         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3545         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3546
3547         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3548         if (unlikely(err)) {
3549                 printk(KERN_WARNING
3550                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3551                        " unable to determine packet's peer label\n");
3552                 return -EACCES;
3553         }
3554
3555         return 0;
3556 }
3557
3558 /* socket security operations */
3559
3560 static u32 socket_sockcreate_sid(const struct task_security_struct *tsec)
3561 {
3562         return tsec->sockcreate_sid ? : tsec->sid;
3563 }
3564
3565 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3566 {
3567         struct sk_security_struct *sksec = sk->sk_security;
3568         struct common_audit_data ad;
3569         u32 tsid = task_sid(task);
3570
3571         if (sksec->sid == SECINITSID_KERNEL)
3572                 return 0;
3573
3574         COMMON_AUDIT_DATA_INIT(&ad, NET);
3575         ad.u.net.sk = sk;
3576
3577         return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3578 }
3579
3580 static int selinux_socket_create(int family, int type,
3581                                  int protocol, int kern)
3582 {
3583         const struct task_security_struct *tsec = current_security();
3584         u32 newsid;
3585         u16 secclass;
3586
3587         if (kern)
3588                 return 0;
3589
3590         newsid = socket_sockcreate_sid(tsec);
3591         secclass = socket_type_to_security_class(family, type, protocol);
3592         return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3593 }
3594
3595 static int selinux_socket_post_create(struct socket *sock, int family,
3596                                       int type, int protocol, int kern)
3597 {
3598         const struct task_security_struct *tsec = current_security();
3599         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3600         struct sk_security_struct *sksec;
3601         int err = 0;
3602
3603         if (kern)
3604                 isec->sid = SECINITSID_KERNEL;
3605         else
3606                 isec->sid = socket_sockcreate_sid(tsec);
3607
3608         isec->sclass = socket_type_to_security_class(family, type, protocol);
3609         isec->initialized = 1;
3610
3611         if (sock->sk) {
3612                 sksec = sock->sk->sk_security;
3613                 sksec->sid = isec->sid;
3614                 sksec->sclass = isec->sclass;
3615                 err = selinux_netlbl_socket_post_create(sock->sk, family);
3616         }
3617
3618         return err;
3619 }
3620
3621 /* Range of port numbers used to automatically bind.
3622    Need to determine whether we should perform a name_bind
3623    permission check between the socket and the port number. */
3624
3625 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3626 {
3627         struct sock *sk = sock->sk;
3628         u16 family;
3629         int err;
3630
3631         err = sock_has_perm(current, sk, SOCKET__BIND);
3632         if (err)
3633                 goto out;
3634
3635         /*
3636          * If PF_INET or PF_INET6, check name_bind permission for the port.
3637          * Multiple address binding for SCTP is not supported yet: we just
3638          * check the first address now.
3639          */
3640         family = sk->sk_family;
3641         if (family == PF_INET || family == PF_INET6) {
3642                 char *addrp;
3643                 struct sk_security_struct *sksec = sk->sk_security;
3644                 struct common_audit_data ad;
3645                 struct sockaddr_in *addr4 = NULL;
3646                 struct sockaddr_in6 *addr6 = NULL;
3647                 unsigned short snum;
3648                 u32 sid, node_perm;
3649
3650                 if (family == PF_INET) {
3651                         addr4 = (struct sockaddr_in *)address;
3652                         snum = ntohs(addr4->sin_port);
3653                         addrp = (char *)&addr4->sin_addr.s_addr;
3654                 } else {
3655                         addr6 = (struct sockaddr_in6 *)address;
3656                         snum = ntohs(addr6->sin6_port);
3657                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3658                 }
3659
3660                 if (snum) {
3661                         int low, high;
3662
3663                         inet_get_local_port_range(&low, &high);
3664
3665                         if (snum < max(PROT_SOCK, low) || snum > high) {
3666                                 err = sel_netport_sid(sk->sk_protocol,
3667                                                       snum, &sid);
3668                                 if (err)
3669                                         goto out;
3670                                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3671                                 ad.u.net.sport = htons(snum);
3672                                 ad.u.net.family = family;
3673                                 err = avc_has_perm(sksec->sid, sid,
3674                                                    sksec->sclass,
3675                                                    SOCKET__NAME_BIND, &ad);
3676                                 if (err)
3677                                         goto out;
3678                         }
3679                 }
3680
3681                 switch (sksec->sclass) {
3682                 case SECCLASS_TCP_SOCKET:
3683                         node_perm = TCP_SOCKET__NODE_BIND;
3684                         break;
3685
3686                 case SECCLASS_UDP_SOCKET:
3687                         node_perm = UDP_SOCKET__NODE_BIND;
3688                         break;
3689
3690                 case SECCLASS_DCCP_SOCKET:
3691                         node_perm = DCCP_SOCKET__NODE_BIND;
3692                         break;
3693
3694                 default:
3695                         node_perm = RAWIP_SOCKET__NODE_BIND;
3696                         break;
3697                 }
3698
3699                 err = sel_netnode_sid(addrp, family, &sid);
3700                 if (err)
3701                         goto out;
3702
3703                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3704                 ad.u.net.sport = htons(snum);
3705                 ad.u.net.family = family;
3706
3707                 if (family == PF_INET)
3708                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3709                 else
3710                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3711
3712                 err = avc_has_perm(sksec->sid, sid,
3713                                    sksec->sclass, node_perm, &ad);
3714                 if (err)
3715                         goto out;
3716         }
3717 out:
3718         return err;
3719 }
3720
3721 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3722 {
3723         struct sock *sk = sock->sk;
3724         struct sk_security_struct *sksec = sk->sk_security;
3725         int err;
3726
3727         err = sock_has_perm(current, sk, SOCKET__CONNECT);
3728         if (err)
3729                 return err;
3730
3731         /*
3732          * If a TCP or DCCP socket, check name_connect permission for the port.
3733          */
3734         if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3735             sksec->sclass == SECCLASS_DCCP_SOCKET) {
3736                 struct common_audit_data ad;
3737                 struct sockaddr_in *addr4 = NULL;
3738                 struct sockaddr_in6 *addr6 = NULL;
3739                 unsigned short snum;
3740                 u32 sid, perm;
3741
3742                 if (sk->sk_family == PF_INET) {
3743                         addr4 = (struct sockaddr_in *)address;
3744                         if (addrlen < sizeof(struct sockaddr_in))
3745                                 return -EINVAL;
3746                         snum = ntohs(addr4->sin_port);
3747                 } else {
3748                         addr6 = (struct sockaddr_in6 *)address;
3749                         if (addrlen < SIN6_LEN_RFC2133)
3750                                 return -EINVAL;
3751                         snum = ntohs(addr6->sin6_port);
3752                 }
3753
3754                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3755                 if (err)
3756                         goto out;
3757
3758                 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3759                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3760
3761                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3762                 ad.u.net.dport = htons(snum);
3763                 ad.u.net.family = sk->sk_family;
3764                 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3765                 if (err)
3766                         goto out;
3767         }
3768
3769         err = selinux_netlbl_socket_connect(sk, address);
3770
3771 out:
3772         return err;
3773 }
3774
3775 static int selinux_socket_listen(struct socket *sock, int backlog)
3776 {
3777         return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3778 }
3779
3780 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3781 {
3782         int err;
3783         struct inode_security_struct *isec;
3784         struct inode_security_struct *newisec;
3785
3786         err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
3787         if (err)
3788                 return err;
3789
3790         newisec = SOCK_INODE(newsock)->i_security;
3791
3792         isec = SOCK_INODE(sock)->i_security;
3793         newisec->sclass = isec->sclass;
3794         newisec->sid = isec->sid;
3795         newisec->initialized = 1;
3796
3797         return 0;
3798 }
3799
3800 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3801                                   int size)
3802 {
3803         return sock_has_perm(current, sock->sk, SOCKET__WRITE);
3804 }
3805
3806 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3807                                   int size, int flags)
3808 {
3809         return sock_has_perm(current, sock->sk, SOCKET__READ);
3810 }
3811
3812 static int selinux_socket_getsockname(struct socket *sock)
3813 {
3814         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3815 }
3816
3817 static int selinux_socket_getpeername(struct socket *sock)
3818 {
3819         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3820 }
3821
3822 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3823 {
3824         int err;
3825
3826         err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
3827         if (err)
3828                 return err;
3829
3830         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3831 }
3832
3833 static int selinux_socket_getsockopt(struct socket *sock, int level,
3834                                      int optname)
3835 {
3836         return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
3837 }
3838
3839 static int selinux_socket_shutdown(struct socket *sock, int how)
3840 {
3841         return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
3842 }
3843
3844 static int selinux_socket_unix_stream_connect(struct sock *sock,
3845                                               struct sock *other,
3846                                               struct sock *newsk)
3847 {
3848         struct sk_security_struct *sksec_sock = sock->sk_security;
3849         struct sk_security_struct *sksec_other = other->sk_security;
3850         struct sk_security_struct *sksec_new = newsk->sk_security;
3851         struct common_audit_data ad;
3852         int err;
3853
3854         COMMON_AUDIT_DATA_INIT(&ad, NET);
3855         ad.u.net.sk = other;
3856
3857         err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
3858                            sksec_other->sclass,
3859                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3860         if (err)
3861                 return err;
3862
3863         /* server child socket */
3864         sksec_new->peer_sid = sksec_sock->sid;
3865         err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
3866                                     &sksec_new->sid);
3867         if (err)
3868                 return err;
3869
3870         /* connecting socket */
3871         sksec_sock->peer_sid = sksec_new->sid;
3872
3873         return 0;
3874 }
3875
3876 static int selinux_socket_unix_may_send(struct socket *sock,
3877                                         struct socket *other)
3878 {
3879         struct sk_security_struct *ssec = sock->sk->sk_security;
3880         struct sk_security_struct *osec = other->sk->sk_security;
3881         struct common_audit_data ad;
3882
3883         COMMON_AUDIT_DATA_INIT(&ad, NET);
3884         ad.u.net.sk = other->sk;
3885
3886         return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
3887                             &ad);
3888 }
3889
3890 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3891                                     u32 peer_sid,
3892                                     struct common_audit_data *ad)
3893 {
3894         int err;
3895         u32 if_sid;
3896         u32 node_sid;
3897
3898         err = sel_netif_sid(ifindex, &if_sid);
3899         if (err)
3900                 return err;
3901         err = avc_has_perm(peer_sid, if_sid,
3902                            SECCLASS_NETIF, NETIF__INGRESS, ad);
3903         if (err)
3904                 return err;
3905
3906         err = sel_netnode_sid(addrp, family, &node_sid);
3907         if (err)
3908                 return err;
3909         return avc_has_perm(peer_sid, node_sid,
3910                             SECCLASS_NODE, NODE__RECVFROM, ad);
3911 }
3912
3913 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3914                                        u16 family)
3915 {
3916         int err = 0;
3917         struct sk_security_struct *sksec = sk->sk_security;
3918         u32 sk_sid = sksec->sid;
3919         struct common_audit_data ad;
3920         char *addrp;
3921
3922         COMMON_AUDIT_DATA_INIT(&ad, NET);
3923         ad.u.net.netif = skb->skb_iif;
3924         ad.u.net.family = family;
3925         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
3926         if (err)
3927                 return err;
3928
3929         if (selinux_secmark_enabled()) {
3930                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
3931                                    PACKET__RECV, &ad);
3932                 if (err)
3933                         return err;
3934         }
3935
3936         err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
3937         if (err)
3938                 return err;
3939         err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
3940
3941         return err;
3942 }
3943
3944 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3945 {
3946         int err;
3947         struct sk_security_struct *sksec = sk->sk_security;
3948         u16 family = sk->sk_family;
3949         u32 sk_sid = sksec->sid;
3950         struct common_audit_data ad;
3951         char *addrp;
3952         u8 secmark_active;
3953         u8 peerlbl_active;
3954
3955         if (family != PF_INET && family != PF_INET6)
3956                 return 0;
3957
3958         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3959         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
3960                 family = PF_INET;
3961
3962         /* If any sort of compatibility mode is enabled then handoff processing
3963          * to the selinux_sock_rcv_skb_compat() function to deal with the
3964          * special handling.  We do this in an attempt to keep this function
3965          * as fast and as clean as possible. */
3966         if (!selinux_policycap_netpeer)
3967                 return selinux_sock_rcv_skb_compat(sk, skb, family);
3968
3969         secmark_active = selinux_secmark_enabled();
3970         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
3971         if (!secmark_active && !peerlbl_active)
3972                 return 0;
3973
3974         COMMON_AUDIT_DATA_INIT(&ad, NET);
3975         ad.u.net.netif = skb->skb_iif;
3976         ad.u.net.family = family;
3977         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
3978         if (err)
3979                 return err;
3980
3981         if (peerlbl_active) {
3982                 u32 peer_sid;
3983
3984                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
3985                 if (err)
3986                         return err;
3987                 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
3988                                                peer_sid, &ad);
3989                 if (err) {
3990                         selinux_netlbl_err(skb, err, 0);
3991                         return err;
3992                 }
3993                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
3994                                    PEER__RECV, &ad);
3995                 if (err)
3996                         selinux_netlbl_err(skb, err, 0);
3997         }
3998
3999         if (secmark_active) {
4000                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4001                                    PACKET__RECV, &ad);
4002                 if (err)
4003                         return err;
4004         }
4005
4006         return err;
4007 }
4008
4009 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4010                                             int __user *optlen, unsigned len)
4011 {
4012         int err = 0;
4013         char *scontext;
4014         u32 scontext_len;
4015         struct sk_security_struct *sksec = sock->sk->sk_security;
4016         u32 peer_sid = SECSID_NULL;
4017
4018         if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4019             sksec->sclass == SECCLASS_TCP_SOCKET)
4020                 peer_sid = sksec->peer_sid;
4021         if (peer_sid == SECSID_NULL)
4022                 return -ENOPROTOOPT;
4023
4024         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4025         if (err)
4026                 return err;
4027
4028         if (scontext_len > len) {
4029                 err = -ERANGE;
4030                 goto out_len;
4031         }
4032
4033         if (copy_to_user(optval, scontext, scontext_len))
4034                 err = -EFAULT;
4035
4036 out_len:
4037         if (put_user(scontext_len, optlen))
4038                 err = -EFAULT;
4039         kfree(scontext);
4040         return err;
4041 }
4042
4043 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4044 {
4045         u32 peer_secid = SECSID_NULL;
4046         u16 family;
4047
4048         if (skb && skb->protocol == htons(ETH_P_IP))
4049                 family = PF_INET;
4050         else if (skb && skb->protocol == htons(ETH_P_IPV6))
4051                 family = PF_INET6;
4052         else if (sock)
4053                 family = sock->sk->sk_family;
4054         else
4055                 goto out;
4056
4057         if (sock && family == PF_UNIX)
4058                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4059         else if (skb)
4060                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4061
4062 out:
4063         *secid = peer_secid;
4064         if (peer_secid == SECSID_NULL)
4065                 return -EINVAL;
4066         return 0;
4067 }
4068
4069 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4070 {
4071         struct sk_security_struct *sksec;
4072
4073         sksec = kzalloc(sizeof(*sksec), priority);
4074         if (!sksec)
4075                 return -ENOMEM;
4076
4077         sksec->peer_sid = SECINITSID_UNLABELED;
4078         sksec->sid = SECINITSID_UNLABELED;
4079         selinux_netlbl_sk_security_reset(sksec);
4080         sk->sk_security = sksec;
4081
4082         return 0;
4083 }
4084
4085 static void selinux_sk_free_security(struct sock *sk)
4086 {
4087         struct sk_security_struct *sksec = sk->sk_security;
4088
4089         sk->sk_security = NULL;
4090         selinux_netlbl_sk_security_free(sksec);
4091         kfree(sksec);
4092 }
4093
4094 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4095 {
4096         struct sk_security_struct *sksec = sk->sk_security;
4097         struct sk_security_struct *newsksec = newsk->sk_security;
4098
4099         newsksec->sid = sksec->sid;
4100         newsksec->peer_sid = sksec->peer_sid;
4101         newsksec->sclass = sksec->sclass;
4102
4103         selinux_netlbl_sk_security_reset(newsksec);
4104 }
4105
4106 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4107 {
4108         if (!sk)
4109                 *secid = SECINITSID_ANY_SOCKET;
4110         else {
4111                 struct sk_security_struct *sksec = sk->sk_security;
4112
4113                 *secid = sksec->sid;
4114         }
4115 }
4116
4117 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4118 {
4119         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4120         struct sk_security_struct *sksec = sk->sk_security;
4121
4122         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4123             sk->sk_family == PF_UNIX)
4124                 isec->sid = sksec->sid;
4125         sksec->sclass = isec->sclass;
4126 }
4127
4128 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4129                                      struct request_sock *req)
4130 {
4131         struct sk_security_struct *sksec = sk->sk_security;
4132         int err;
4133         u16 family = sk->sk_family;
4134         u32 newsid;
4135         u32 peersid;
4136
4137         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4138         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4139                 family = PF_INET;
4140
4141         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4142         if (err)
4143                 return err;
4144         if (peersid == SECSID_NULL) {
4145                 req->secid = sksec->sid;
4146                 req->peer_secid = SECSID_NULL;
4147         } else {
4148                 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4149                 if (err)
4150                         return err;
4151                 req->secid = newsid;
4152                 req->peer_secid = peersid;
4153         }
4154
4155         return selinux_netlbl_inet_conn_request(req, family);
4156 }
4157
4158 static void selinux_inet_csk_clone(struct sock *newsk,
4159                                    const struct request_sock *req)
4160 {
4161         struct sk_security_struct *newsksec = newsk->sk_security;
4162
4163         newsksec->sid = req->secid;
4164         newsksec->peer_sid = req->peer_secid;
4165         /* NOTE: Ideally, we should also get the isec->sid for the
4166            new socket in sync, but we don't have the isec available yet.
4167            So we will wait until sock_graft to do it, by which
4168            time it will have been created and available. */
4169
4170         /* We don't need to take any sort of lock here as we are the only
4171          * thread with access to newsksec */
4172         selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4173 }
4174
4175 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4176 {
4177         u16 family = sk->sk_family;
4178         struct sk_security_struct *sksec = sk->sk_security;
4179
4180         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4181         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4182                 family = PF_INET;
4183
4184         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4185 }
4186
4187 static int selinux_secmark_relabel_packet(u32 sid)
4188 {
4189         const struct task_security_struct *__tsec;
4190         u32 tsid;
4191
4192         __tsec = current_security();
4193         tsid = __tsec->sid;
4194
4195         return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4196 }
4197
4198 static void selinux_secmark_refcount_inc(void)
4199 {
4200         atomic_inc(&selinux_secmark_refcount);
4201 }
4202
4203 static void selinux_secmark_refcount_dec(void)
4204 {
4205         atomic_dec(&selinux_secmark_refcount);
4206 }
4207
4208 static void selinux_req_classify_flow(const struct request_sock *req,
4209                                       struct flowi *fl)
4210 {
4211         fl->secid = req->secid;
4212 }
4213
4214 static int selinux_tun_dev_create(void)
4215 {
4216         u32 sid = current_sid();
4217
4218         /* we aren't taking into account the "sockcreate" SID since the socket
4219          * that is being created here is not a socket in the traditional sense,
4220          * instead it is a private sock, accessible only to the kernel, and
4221          * representing a wide range of network traffic spanning multiple
4222          * connections unlike traditional sockets - check the TUN driver to
4223          * get a better understanding of why this socket is special */
4224
4225         return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4226                             NULL);
4227 }
4228
4229 static void selinux_tun_dev_post_create(struct sock *sk)
4230 {
4231         struct sk_security_struct *sksec = sk->sk_security;
4232
4233         /* we don't currently perform any NetLabel based labeling here and it
4234          * isn't clear that we would want to do so anyway; while we could apply
4235          * labeling without the support of the TUN user the resulting labeled
4236          * traffic from the other end of the connection would almost certainly
4237          * cause confusion to the TUN user that had no idea network labeling
4238          * protocols were being used */
4239
4240         /* see the comments in selinux_tun_dev_create() about why we don't use
4241          * the sockcreate SID here */
4242
4243         sksec->sid = current_sid();
4244         sksec->sclass = SECCLASS_TUN_SOCKET;
4245 }
4246
4247 static int selinux_tun_dev_attach(struct sock *sk)
4248 {
4249         struct sk_security_struct *sksec = sk->sk_security;
4250         u32 sid = current_sid();
4251         int err;
4252
4253         err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4254                            TUN_SOCKET__RELABELFROM, NULL);
4255         if (err)
4256                 return err;
4257         err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4258                            TUN_SOCKET__RELABELTO, NULL);
4259         if (err)
4260                 return err;
4261
4262         sksec->sid = sid;
4263
4264         return 0;
4265 }
4266
4267 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4268 {
4269         int err = 0;
4270         u32 perm;
4271         struct nlmsghdr *nlh;
4272         struct sk_security_struct *sksec = sk->sk_security;
4273
4274         if (skb->len < NLMSG_SPACE(0)) {
4275                 err = -EINVAL;
4276                 goto out;
4277         }
4278         nlh = nlmsg_hdr(skb);
4279
4280         err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4281         if (err) {
4282                 if (err == -EINVAL) {
4283                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4284                                   "SELinux:  unrecognized netlink message"
4285                                   " type=%hu for sclass=%hu\n",
4286                                   nlh->nlmsg_type, sksec->sclass);
4287                         if (!selinux_enforcing || security_get_allow_unknown())
4288                                 err = 0;
4289                 }
4290
4291                 /* Ignore */
4292                 if (err == -ENOENT)
4293                         err = 0;
4294                 goto out;
4295         }
4296
4297         err = sock_has_perm(current, sk, perm);
4298 out:
4299         return err;
4300 }
4301
4302 #ifdef CONFIG_NETFILTER
4303
4304 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4305                                        u16 family)
4306 {
4307         int err;
4308         char *addrp;
4309         u32 peer_sid;
4310         struct common_audit_data ad;
4311         u8 secmark_active;
4312         u8 netlbl_active;
4313         u8 peerlbl_active;
4314
4315         if (!selinux_policycap_netpeer)
4316                 return NF_ACCEPT;
4317
4318         secmark_active = selinux_secmark_enabled();
4319         netlbl_active = netlbl_enabled();
4320         peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4321         if (!secmark_active && !peerlbl_active)
4322                 return NF_ACCEPT;
4323
4324         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4325                 return NF_DROP;
4326
4327         COMMON_AUDIT_DATA_INIT(&ad, NET);
4328         ad.u.net.netif = ifindex;
4329         ad.u.net.family = family;
4330         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4331                 return NF_DROP;
4332
4333         if (peerlbl_active) {
4334                 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4335                                                peer_sid, &ad);
4336                 if (err) {
4337                         selinux_netlbl_err(skb, err, 1);
4338                         return NF_DROP;
4339                 }
4340         }
4341
4342         if (secmark_active)
4343                 if (avc_has_perm(peer_sid, skb->secmark,
4344                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4345                         return NF_DROP;
4346
4347         if (netlbl_active)
4348                 /* we do this in the FORWARD path and not the POST_ROUTING
4349                  * path because we want to make sure we apply the necessary
4350                  * labeling before IPsec is applied so we can leverage AH
4351                  * protection */
4352                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4353                         return NF_DROP;
4354
4355         return NF_ACCEPT;
4356 }
4357
4358 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4359                                          struct sk_buff *skb,
4360                                          const struct net_device *in,
4361                                          const struct net_device *out,
4362                                          int (*okfn)(struct sk_buff *))
4363 {
4364         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4365 }
4366
4367 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4368 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4369                                          struct sk_buff *skb,
4370                                          const struct net_device *in,
4371                                          const struct net_device *out,
4372                                          int (*okfn)(struct sk_buff *))
4373 {
4374         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4375 }
4376 #endif  /* IPV6 */
4377
4378 static unsigned int selinux_ip_output(struct sk_buff *skb,
4379                                       u16 family)
4380 {
4381         u32 sid;
4382
4383         if (!netlbl_enabled())
4384                 return NF_ACCEPT;
4385
4386         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4387          * because we want to make sure we apply the necessary labeling
4388          * before IPsec is applied so we can leverage AH protection */
4389         if (skb->sk) {
4390                 struct sk_security_struct *sksec = skb->sk->sk_security;
4391                 sid = sksec->sid;
4392         } else
4393                 sid = SECINITSID_KERNEL;
4394         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4395                 return NF_DROP;
4396
4397         return NF_ACCEPT;
4398 }
4399
4400 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4401                                         struct sk_buff *skb,
4402                                         const struct net_device *in,
4403                                         const struct net_device *out,
4404                                         int (*okfn)(struct sk_buff *))
4405 {
4406         return selinux_ip_output(skb, PF_INET);
4407 }
4408
4409 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4410                                                 int ifindex,
4411                                                 u16 family)
4412 {
4413         struct sock *sk = skb->sk;
4414         struct sk_security_struct *sksec;
4415         struct common_audit_data ad;
4416         char *addrp;
4417         u8 proto;
4418
4419         if (sk == NULL)
4420                 return NF_ACCEPT;
4421         sksec = sk->sk_security;
4422
4423         COMMON_AUDIT_DATA_INIT(&ad, NET);
4424         ad.u.net.netif = ifindex;
4425         ad.u.net.family = family;
4426         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4427                 return NF_DROP;
4428
4429         if (selinux_secmark_enabled())
4430                 if (avc_has_perm(sksec->sid, skb->secmark,
4431                                  SECCLASS_PACKET, PACKET__SEND, &ad))
4432                         return NF_DROP_ERR(-ECONNREFUSED);
4433
4434         if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4435                 return NF_DROP_ERR(-ECONNREFUSED);
4436
4437         return NF_ACCEPT;
4438 }
4439
4440 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4441                                          u16 family)
4442 {
4443         u32 secmark_perm;
4444         u32 peer_sid;
4445         struct sock *sk;
4446         struct common_audit_data ad;
4447         char *addrp;
4448         u8 secmark_active;
4449         u8 peerlbl_active;
4450
4451         /* If any sort of compatibility mode is enabled then handoff processing
4452          * to the selinux_ip_postroute_compat() function to deal with the
4453          * special handling.  We do this in an attempt to keep this function
4454          * as fast and as clean as possible. */
4455         if (!selinux_policycap_netpeer)
4456                 return selinux_ip_postroute_compat(skb, ifindex, family);
4457 #ifdef CONFIG_XFRM
4458         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4459          * packet transformation so allow the packet to pass without any checks
4460          * since we'll have another chance to perform access control checks
4461          * when the packet is on it's final way out.
4462          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4463          *       is NULL, in this case go ahead and apply access control. */
4464         if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4465                 return NF_ACCEPT;
4466 #endif
4467         secmark_active = selinux_secmark_enabled();
4468         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4469         if (!secmark_active && !peerlbl_active)
4470                 return NF_ACCEPT;
4471
4472         /* if the packet is being forwarded then get the peer label from the
4473          * packet itself; otherwise check to see if it is from a local
4474          * application or the kernel, if from an application get the peer label
4475          * from the sending socket, otherwise use the kernel's sid */
4476         sk = skb->sk;
4477         if (sk == NULL) {
4478                 if (skb->skb_iif) {
4479                         secmark_perm = PACKET__FORWARD_OUT;
4480                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4481                                 return NF_DROP;
4482                 } else {
4483                         secmark_perm = PACKET__SEND;
4484                         peer_sid = SECINITSID_KERNEL;
4485                 }
4486         } else {
4487                 struct sk_security_struct *sksec = sk->sk_security;
4488                 peer_sid = sksec->sid;
4489                 secmark_perm = PACKET__SEND;
4490         }
4491
4492         COMMON_AUDIT_DATA_INIT(&ad, NET);
4493         ad.u.net.netif = ifindex;
4494         ad.u.net.family = family;
4495         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4496                 return NF_DROP;
4497
4498         if (secmark_active)
4499                 if (avc_has_perm(peer_sid, skb->secmark,
4500                                  SECCLASS_PACKET, secmark_perm, &ad))
4501                         return NF_DROP_ERR(-ECONNREFUSED);
4502
4503         if (peerlbl_active) {
4504                 u32 if_sid;
4505                 u32 node_sid;
4506
4507                 if (sel_netif_sid(ifindex, &if_sid))
4508                         return NF_DROP;
4509                 if (avc_has_perm(peer_sid, if_sid,
4510                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4511                         return NF_DROP_ERR(-ECONNREFUSED);
4512
4513                 if (sel_netnode_sid(addrp, family, &node_sid))
4514                         return NF_DROP;
4515                 if (avc_has_perm(peer_sid, node_sid,
4516                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4517                         return NF_DROP_ERR(-ECONNREFUSED);
4518         }
4519
4520         return NF_ACCEPT;
4521 }
4522
4523 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4524                                            struct sk_buff *skb,
4525                                            const struct net_device *in,
4526                                            const struct net_device *out,
4527                                            int (*okfn)(struct sk_buff *))
4528 {
4529         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4530 }
4531
4532 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4533 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4534                                            struct sk_buff *skb,
4535                                            const struct net_device *in,
4536                                            const struct net_device *out,
4537                                            int (*okfn)(struct sk_buff *))
4538 {
4539         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4540 }
4541 #endif  /* IPV6 */
4542
4543 #endif  /* CONFIG_NETFILTER */
4544
4545 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4546 {
4547         int err;
4548
4549         err = cap_netlink_send(sk, skb);
4550         if (err)
4551                 return err;
4552
4553         return selinux_nlmsg_perm(sk, skb);
4554 }
4555
4556 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4557 {
4558         int err;
4559         struct common_audit_data ad;
4560
4561         err = cap_netlink_recv(skb, capability);
4562         if (err)
4563                 return err;
4564
4565         COMMON_AUDIT_DATA_INIT(&ad, CAP);
4566         ad.u.cap = capability;
4567
4568         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4569                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4570 }
4571
4572 static int ipc_alloc_security(struct task_struct *task,
4573                               struct kern_ipc_perm *perm,
4574                               u16 sclass)
4575 {
4576         struct ipc_security_struct *isec;
4577         u32 sid;
4578
4579         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4580         if (!isec)
4581                 return -ENOMEM;
4582
4583         sid = task_sid(task);
4584         isec->sclass = sclass;
4585         isec->sid = sid;
4586         perm->security = isec;
4587
4588         return 0;
4589 }
4590
4591 static void ipc_free_security(struct kern_ipc_perm *perm)
4592 {
4593         struct ipc_security_struct *isec = perm->security;
4594         perm->security = NULL;
4595         kfree(isec);
4596 }
4597
4598 static int msg_msg_alloc_security(struct msg_msg *msg)
4599 {
4600         struct msg_security_struct *msec;
4601
4602         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4603         if (!msec)
4604                 return -ENOMEM;
4605
4606         msec->sid = SECINITSID_UNLABELED;
4607         msg->security = msec;
4608
4609         return 0;
4610 }
4611
4612 static void msg_msg_free_security(struct msg_msg *msg)
4613 {
4614         struct msg_security_struct *msec = msg->security;
4615
4616         msg->security = NULL;
4617         kfree(msec);
4618 }
4619
4620 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4621                         u32 perms)
4622 {
4623         struct ipc_security_struct *isec;
4624         struct common_audit_data ad;
4625         u32 sid = current_sid();
4626
4627         isec = ipc_perms->security;
4628
4629         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4630         ad.u.ipc_id = ipc_perms->key;
4631
4632         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4633 }
4634
4635 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4636 {
4637         return msg_msg_alloc_security(msg);
4638 }
4639
4640 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4641 {
4642         msg_msg_free_security(msg);
4643 }
4644
4645 /* message queue security operations */
4646 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4647 {
4648         struct ipc_security_struct *isec;
4649         struct common_audit_data ad;
4650         u32 sid = current_sid();
4651         int rc;
4652
4653         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4654         if (rc)
4655                 return rc;
4656
4657         isec = msq->q_perm.security;
4658
4659         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4660         ad.u.ipc_id = msq->q_perm.key;
4661
4662         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4663                           MSGQ__CREATE, &ad);
4664         if (rc) {
4665                 ipc_free_security(&msq->q_perm);
4666                 return rc;
4667         }
4668         return 0;
4669 }
4670
4671 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4672 {
4673         ipc_free_security(&msq->q_perm);
4674 }
4675
4676 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4677 {
4678         struct ipc_security_struct *isec;
4679         struct common_audit_data ad;
4680         u32 sid = current_sid();
4681
4682         isec = msq->q_perm.security;
4683
4684         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4685         ad.u.ipc_id = msq->q_perm.key;
4686
4687         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4688                             MSGQ__ASSOCIATE, &ad);
4689 }
4690
4691 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4692 {
4693         int err;
4694         int perms;
4695
4696         switch (cmd) {
4697         case IPC_INFO:
4698         case MSG_INFO:
4699                 /* No specific object, just general system-wide information. */
4700                 return task_has_system(current, SYSTEM__IPC_INFO);
4701         case IPC_STAT:
4702         case MSG_STAT:
4703                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4704                 break;
4705         case IPC_SET:
4706                 perms = MSGQ__SETATTR;
4707                 break;
4708         case IPC_RMID:
4709                 perms = MSGQ__DESTROY;
4710                 break;
4711         default:
4712                 return 0;
4713         }
4714
4715         err = ipc_has_perm(&msq->q_perm, perms);
4716         return err;
4717 }
4718
4719 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4720 {
4721         struct ipc_security_struct *isec;
4722         struct msg_security_struct *msec;
4723         struct common_audit_data ad;
4724         u32 sid = current_sid();
4725         int rc;
4726
4727         isec = msq->q_perm.security;
4728         msec = msg->security;
4729
4730         /*
4731          * First time through, need to assign label to the message
4732          */
4733         if (msec->sid == SECINITSID_UNLABELED) {
4734                 /*
4735                  * Compute new sid based on current process and
4736                  * message queue this message will be stored in
4737                  */
4738                 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4739                                              NULL, &msec->sid);
4740                 if (rc)
4741                         return rc;
4742         }
4743
4744         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4745         ad.u.ipc_id = msq->q_perm.key;
4746
4747         /* Can this process write to the queue? */
4748         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4749                           MSGQ__WRITE, &ad);
4750         if (!rc)
4751                 /* Can this process send the message */
4752                 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4753                                   MSG__SEND, &ad);
4754         if (!rc)
4755                 /* Can the message be put in the queue? */
4756                 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4757                                   MSGQ__ENQUEUE, &ad);
4758
4759         return rc;
4760 }
4761
4762 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4763                                     struct task_struct *target,
4764                                     long type, int mode)
4765 {
4766         struct ipc_security_struct *isec;
4767         struct msg_security_struct *msec;
4768         struct common_audit_data ad;
4769         u32 sid = task_sid(target);
4770         int rc;
4771
4772         isec = msq->q_perm.security;
4773         msec = msg->security;
4774
4775         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4776         ad.u.ipc_id = msq->q_perm.key;
4777
4778         rc = avc_has_perm(sid, isec->sid,
4779                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4780         if (!rc)
4781                 rc = avc_has_perm(sid, msec->sid,
4782                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4783         return rc;
4784 }
4785
4786 /* Shared Memory security operations */
4787 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4788 {
4789         struct ipc_security_struct *isec;
4790         struct common_audit_data ad;
4791         u32 sid = current_sid();
4792         int rc;
4793
4794         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4795         if (rc)
4796                 return rc;
4797
4798         isec = shp->shm_perm.security;
4799
4800         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4801         ad.u.ipc_id = shp->shm_perm.key;
4802
4803         rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4804                           SHM__CREATE, &ad);
4805         if (rc) {
4806                 ipc_free_security(&shp->shm_perm);
4807                 return rc;
4808         }
4809         return 0;
4810 }
4811
4812 static void selinux_shm_free_security(struct shmid_kernel *shp)
4813 {
4814         ipc_free_security(&shp->shm_perm);
4815 }
4816
4817 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4818 {
4819         struct ipc_security_struct *isec;
4820         struct common_audit_data ad;
4821         u32 sid = current_sid();
4822
4823         isec = shp->shm_perm.security;
4824
4825         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4826         ad.u.ipc_id = shp->shm_perm.key;
4827
4828         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4829                             SHM__ASSOCIATE, &ad);
4830 }
4831
4832 /* Note, at this point, shp is locked down */
4833 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4834 {
4835         int perms;
4836         int err;
4837
4838         switch (cmd) {
4839         case IPC_INFO:
4840         case SHM_INFO:
4841                 /* No specific object, just general system-wide information. */
4842                 return task_has_system(current, SYSTEM__IPC_INFO);
4843         case IPC_STAT:
4844         case SHM_STAT:
4845                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4846                 break;
4847         case IPC_SET:
4848                 perms = SHM__SETATTR;
4849                 break;
4850         case SHM_LOCK:
4851         case SHM_UNLOCK:
4852                 perms = SHM__LOCK;
4853                 break;
4854         case IPC_RMID:
4855                 perms = SHM__DESTROY;
4856                 break;
4857         default:
4858                 return 0;
4859         }
4860
4861         err = ipc_has_perm(&shp->shm_perm, perms);
4862         return err;
4863 }
4864
4865 static int selinux_shm_shmat(struct shmid_kernel *shp,
4866                              char __user *shmaddr, int shmflg)
4867 {
4868         u32 perms;
4869
4870         if (shmflg & SHM_RDONLY)
4871                 perms = SHM__READ;
4872         else
4873                 perms = SHM__READ | SHM__WRITE;
4874
4875         return ipc_has_perm(&shp->shm_perm, perms);
4876 }
4877
4878 /* Semaphore security operations */
4879 static int selinux_sem_alloc_security(struct sem_array *sma)
4880 {
4881         struct ipc_security_struct *isec;
4882         struct common_audit_data ad;
4883         u32 sid = current_sid();
4884         int rc;
4885
4886         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4887         if (rc)
4888                 return rc;
4889
4890         isec = sma->sem_perm.security;
4891
4892         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4893         ad.u.ipc_id = sma->sem_perm.key;
4894
4895         rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
4896                           SEM__CREATE, &ad);
4897         if (rc) {
4898                 ipc_free_security(&sma->sem_perm);
4899                 return rc;
4900         }
4901         return 0;
4902 }
4903
4904 static void selinux_sem_free_security(struct sem_array *sma)
4905 {
4906         ipc_free_security(&sma->sem_perm);
4907 }
4908
4909 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4910 {
4911         struct ipc_security_struct *isec;
4912         struct common_audit_data ad;
4913         u32 sid = current_sid();
4914
4915         isec = sma->sem_perm.security;
4916
4917         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4918         ad.u.ipc_id = sma->sem_perm.key;
4919
4920         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
4921                             SEM__ASSOCIATE, &ad);
4922 }
4923
4924 /* Note, at this point, sma is locked down */
4925 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4926 {
4927         int err;
4928         u32 perms;
4929
4930         switch (cmd) {
4931         case IPC_INFO:
4932         case SEM_INFO:
4933                 /* No specific object, just general system-wide information. */
4934                 return task_has_system(current, SYSTEM__IPC_INFO);
4935         case GETPID:
4936         case GETNCNT:
4937         case GETZCNT:
4938                 perms = SEM__GETATTR;
4939                 break;
4940         case GETVAL:
4941         case GETALL:
4942                 perms = SEM__READ;
4943                 break;
4944         case SETVAL:
4945         case SETALL:
4946                 perms = SEM__WRITE;
4947                 break;
4948         case IPC_RMID:
4949                 perms = SEM__DESTROY;
4950                 break;
4951         case IPC_SET:
4952                 perms = SEM__SETATTR;
4953                 break;
4954         case IPC_STAT:
4955         case SEM_STAT:
4956                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4957                 break;
4958         default:
4959                 return 0;
4960         }
4961
4962         err = ipc_has_perm(&sma->sem_perm, perms);
4963         return err;
4964 }
4965
4966 static int selinux_sem_semop(struct sem_array *sma,
4967                              struct sembuf *sops, unsigned nsops, int alter)
4968 {
4969         u32 perms;
4970
4971         if (alter)
4972                 perms = SEM__READ | SEM__WRITE;
4973         else
4974                 perms = SEM__READ;
4975
4976         return ipc_has_perm(&sma->sem_perm, perms);
4977 }
4978
4979 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4980 {
4981         u32 av = 0;
4982
4983         av = 0;
4984         if (flag & S_IRUGO)
4985                 av |= IPC__UNIX_READ;
4986         if (flag & S_IWUGO)
4987                 av |= IPC__UNIX_WRITE;
4988
4989         if (av == 0)
4990                 return 0;
4991
4992         return ipc_has_perm(ipcp, av);
4993 }
4994
4995 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
4996 {
4997         struct ipc_security_struct *isec = ipcp->security;
4998         *secid = isec->sid;
4999 }
5000
5001 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5002 {
5003         if (inode)
5004                 inode_doinit_with_dentry(inode, dentry);
5005 }
5006
5007 static int selinux_getprocattr(struct task_struct *p,
5008                                char *name, char **value)
5009 {
5010         const struct task_security_struct *__tsec;
5011         u32 sid;
5012         int error;
5013         unsigned len;
5014
5015         if (current != p) {
5016                 error = current_has_perm(p, PROCESS__GETATTR);
5017                 if (error)
5018                         return error;
5019         }
5020
5021         rcu_read_lock();
5022         __tsec = __task_cred(p)->security;
5023
5024         if (!strcmp(name, "current"))
5025                 sid = __tsec->sid;
5026         else if (!strcmp(name, "prev"))
5027                 sid = __tsec->osid;
5028         else if (!strcmp(name, "exec"))
5029                 sid = __tsec->exec_sid;
5030         else if (!strcmp(name, "fscreate"))
5031                 sid = __tsec->create_sid;
5032         else if (!strcmp(name, "keycreate"))
5033                 sid = __tsec->keycreate_sid;
5034         else if (!strcmp(name, "sockcreate"))
5035                 sid = __tsec->sockcreate_sid;
5036         else
5037                 goto invalid;
5038         rcu_read_unlock();
5039
5040         if (!sid)
5041                 return 0;
5042
5043         error = security_sid_to_context(sid, value, &len);
5044         if (error)
5045                 return error;
5046         return len;
5047
5048 invalid:
5049         rcu_read_unlock();
5050         return -EINVAL;
5051 }
5052
5053 static int selinux_setprocattr(struct task_struct *p,
5054                                char *name, void *value, size_t size)
5055 {
5056         struct task_security_struct *tsec;
5057         struct task_struct *tracer;
5058         struct cred *new;
5059         u32 sid = 0, ptsid;
5060         int error;
5061         char *str = value;
5062
5063         if (current != p) {
5064                 /* SELinux only allows a process to change its own
5065                    security attributes. */
5066                 return -EACCES;
5067         }
5068
5069         /*
5070          * Basic control over ability to set these attributes at all.
5071          * current == p, but we'll pass them separately in case the
5072          * above restriction is ever removed.
5073          */
5074         if (!strcmp(name, "exec"))
5075                 error = current_has_perm(p, PROCESS__SETEXEC);
5076         else if (!strcmp(name, "fscreate"))
5077                 error = current_has_perm(p, PROCESS__SETFSCREATE);
5078         else if (!strcmp(name, "keycreate"))
5079                 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5080         else if (!strcmp(name, "sockcreate"))
5081                 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5082         else if (!strcmp(name, "current"))
5083                 error = current_has_perm(p, PROCESS__SETCURRENT);
5084         else
5085                 error = -EINVAL;
5086         if (error)
5087                 return error;
5088
5089         /* Obtain a SID for the context, if one was specified. */
5090         if (size && str[1] && str[1] != '\n') {
5091                 if (str[size-1] == '\n') {
5092                         str[size-1] = 0;
5093                         size--;
5094                 }
5095                 error = security_context_to_sid(value, size, &sid);
5096                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5097                         if (!capable(CAP_MAC_ADMIN))
5098                                 return error;
5099                         error = security_context_to_sid_force(value, size,
5100                                                               &sid);
5101                 }
5102                 if (error)
5103                         return error;
5104         }
5105
5106         new = prepare_creds();
5107         if (!new)
5108                 return -ENOMEM;
5109
5110         /* Permission checking based on the specified context is
5111            performed during the actual operation (execve,
5112            open/mkdir/...), when we know the full context of the
5113            operation.  See selinux_bprm_set_creds for the execve
5114            checks and may_create for the file creation checks. The
5115            operation will then fail if the context is not permitted. */
5116         tsec = new->security;
5117         if (!strcmp(name, "exec")) {
5118                 tsec->exec_sid = sid;
5119         } else if (!strcmp(name, "fscreate")) {
5120                 tsec->create_sid = sid;
5121         } else if (!strcmp(name, "keycreate")) {
5122                 error = may_create_key(sid, p);
5123                 if (error)
5124                         goto abort_change;
5125                 tsec->keycreate_sid = sid;
5126         } else if (!strcmp(name, "sockcreate")) {
5127                 tsec->sockcreate_sid = sid;
5128         } else if (!strcmp(name, "current")) {
5129                 error = -EINVAL;
5130                 if (sid == 0)
5131                         goto abort_change;
5132
5133                 /* Only allow single threaded processes to change context */
5134                 error = -EPERM;
5135                 if (!current_is_single_threaded()) {
5136                         error = security_bounded_transition(tsec->sid, sid);
5137                         if (error)
5138                                 goto abort_change;
5139                 }
5140
5141                 /* Check permissions for the transition. */
5142                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5143                                      PROCESS__DYNTRANSITION, NULL);
5144                 if (error)
5145                         goto abort_change;
5146
5147                 /* Check for ptracing, and update the task SID if ok.
5148                    Otherwise, leave SID unchanged and fail. */
5149                 ptsid = 0;
5150                 task_lock(p);
5151                 tracer = tracehook_tracer_task(p);
5152                 if (tracer)
5153                         ptsid = task_sid(tracer);
5154                 task_unlock(p);
5155
5156                 if (tracer) {
5157                         error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5158                                              PROCESS__PTRACE, NULL);
5159                         if (error)
5160                                 goto abort_change;
5161                 }
5162
5163                 tsec->sid = sid;
5164         } else {
5165                 error = -EINVAL;
5166                 goto abort_change;
5167         }
5168
5169         commit_creds(new);
5170         return size;
5171
5172 abort_change:
5173         abort_creds(new);
5174         return error;
5175 }
5176
5177 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5178 {
5179         return security_sid_to_context(secid, secdata, seclen);
5180 }
5181
5182 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5183 {
5184         return security_context_to_sid(secdata, seclen, secid);
5185 }
5186
5187 static void selinux_release_secctx(char *secdata, u32 seclen)
5188 {
5189         kfree(secdata);
5190 }
5191
5192 /*
5193  *      called with inode->i_mutex locked
5194  */
5195 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5196 {
5197         return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5198 }
5199
5200 /*
5201  *      called with inode->i_mutex locked
5202  */
5203 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5204 {
5205         return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5206 }
5207
5208 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5209 {
5210         int len = 0;
5211         len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5212                                                 ctx, true);
5213         if (len < 0)
5214                 return len;
5215         *ctxlen = len;
5216         return 0;
5217 }
5218 #ifdef CONFIG_KEYS
5219
5220 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5221                              unsigned long flags)
5222 {
5223         const struct task_security_struct *tsec;
5224         struct key_security_struct *ksec;
5225
5226         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5227         if (!ksec)
5228                 return -ENOMEM;
5229
5230         tsec = cred->security;
5231         if (tsec->keycreate_sid)
5232                 ksec->sid = tsec->keycreate_sid;
5233         else
5234                 ksec->sid = tsec->sid;
5235
5236         k->security = ksec;
5237         return 0;
5238 }
5239
5240 static void selinux_key_free(struct key *k)
5241 {
5242         struct key_security_struct *ksec = k->security;
5243
5244         k->security = NULL;
5245         kfree(ksec);
5246 }
5247
5248 static int selinux_key_permission(key_ref_t key_ref,
5249                                   const struct cred *cred,
5250                                   key_perm_t perm)
5251 {
5252         struct key *key;
5253         struct key_security_struct *ksec;
5254         u32 sid;
5255
5256         /* if no specific permissions are requested, we skip the
5257            permission check. No serious, additional covert channels
5258            appear to be created. */
5259         if (perm == 0)
5260                 return 0;
5261
5262         sid = cred_sid(cred);
5263
5264         key = key_ref_to_ptr(key_ref);
5265         ksec = key->security;
5266
5267         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5268 }
5269
5270 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5271 {
5272         struct key_security_struct *ksec = key->security;
5273         char *context = NULL;
5274         unsigned len;
5275         int rc;
5276
5277         rc = security_sid_to_context(ksec->sid, &context, &len);
5278         if (!rc)
5279                 rc = len;
5280         *_buffer = context;
5281         return rc;
5282 }
5283
5284 #endif
5285
5286 static struct security_operations selinux_ops = {
5287         .name =                         "selinux",
5288
5289         .ptrace_access_check =          selinux_ptrace_access_check,
5290         .ptrace_traceme =               selinux_ptrace_traceme,
5291         .capget =                       selinux_capget,
5292         .capset =                       selinux_capset,
5293         .capable =                      selinux_capable,
5294         .quotactl =                     selinux_quotactl,
5295         .quota_on =                     selinux_quota_on,
5296         .syslog =                       selinux_syslog,
5297         .vm_enough_memory =             selinux_vm_enough_memory,
5298
5299         .netlink_send =                 selinux_netlink_send,
5300         .netlink_recv =                 selinux_netlink_recv,
5301
5302         .bprm_set_creds =               selinux_bprm_set_creds,
5303         .bprm_committing_creds =        selinux_bprm_committing_creds,
5304         .bprm_committed_creds =         selinux_bprm_committed_creds,
5305         .bprm_secureexec =              selinux_bprm_secureexec,
5306
5307         .sb_alloc_security =            selinux_sb_alloc_security,
5308         .sb_free_security =             selinux_sb_free_security,
5309         .sb_copy_data =                 selinux_sb_copy_data,
5310         .sb_kern_mount =                selinux_sb_kern_mount,
5311         .sb_show_options =              selinux_sb_show_options,
5312         .sb_statfs =                    selinux_sb_statfs,
5313         .sb_mount =                     selinux_mount,
5314         .sb_umount =                    selinux_umount,
5315         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5316         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5317         .sb_parse_opts_str =            selinux_parse_opts_str,
5318
5319
5320         .inode_alloc_security =         selinux_inode_alloc_security,
5321         .inode_free_security =          selinux_inode_free_security,
5322         .inode_init_security =          selinux_inode_init_security,
5323         .inode_create =                 selinux_inode_create,
5324         .inode_link =                   selinux_inode_link,
5325         .inode_unlink =                 selinux_inode_unlink,
5326         .inode_symlink =                selinux_inode_symlink,
5327         .inode_mkdir =                  selinux_inode_mkdir,
5328         .inode_rmdir =                  selinux_inode_rmdir,
5329         .inode_mknod =                  selinux_inode_mknod,
5330         .inode_rename =                 selinux_inode_rename,
5331         .inode_readlink =               selinux_inode_readlink,
5332         .inode_follow_link =            selinux_inode_follow_link,
5333         .inode_permission =             selinux_inode_permission,
5334         .inode_setattr =                selinux_inode_setattr,
5335         .inode_getattr =                selinux_inode_getattr,
5336         .inode_setxattr =               selinux_inode_setxattr,
5337         .inode_post_setxattr =          selinux_inode_post_setxattr,
5338         .inode_getxattr =               selinux_inode_getxattr,
5339         .inode_listxattr =              selinux_inode_listxattr,
5340         .inode_removexattr =            selinux_inode_removexattr,
5341         .inode_getsecurity =            selinux_inode_getsecurity,
5342         .inode_setsecurity =            selinux_inode_setsecurity,
5343         .inode_listsecurity =           selinux_inode_listsecurity,
5344         .inode_getsecid =               selinux_inode_getsecid,
5345
5346         .file_permission =              selinux_file_permission,
5347         .file_alloc_security =          selinux_file_alloc_security,
5348         .file_free_security =           selinux_file_free_security,
5349         .file_ioctl =                   selinux_file_ioctl,
5350         .file_mmap =                    selinux_file_mmap,
5351         .file_mprotect =                selinux_file_mprotect,
5352         .file_lock =                    selinux_file_lock,
5353         .file_fcntl =                   selinux_file_fcntl,
5354         .file_set_fowner =              selinux_file_set_fowner,
5355         .file_send_sigiotask =          selinux_file_send_sigiotask,
5356         .file_receive =                 selinux_file_receive,
5357
5358         .dentry_open =                  selinux_dentry_open,
5359
5360         .task_create =                  selinux_task_create,
5361         .cred_alloc_blank =             selinux_cred_alloc_blank,
5362         .cred_free =                    selinux_cred_free,
5363         .cred_prepare =                 selinux_cred_prepare,
5364         .cred_transfer =                selinux_cred_transfer,
5365         .kernel_act_as =                selinux_kernel_act_as,
5366         .kernel_create_files_as =       selinux_kernel_create_files_as,
5367         .kernel_module_request =        selinux_kernel_module_request,
5368         .task_setpgid =                 selinux_task_setpgid,
5369         .task_getpgid =                 selinux_task_getpgid,
5370         .task_getsid =                  selinux_task_getsid,
5371         .task_getsecid =                selinux_task_getsecid,
5372         .task_setnice =                 selinux_task_setnice,
5373         .task_setioprio =               selinux_task_setioprio,
5374         .task_getioprio =               selinux_task_getioprio,
5375         .task_setrlimit =               selinux_task_setrlimit,
5376         .task_setscheduler =            selinux_task_setscheduler,
5377         .task_getscheduler =            selinux_task_getscheduler,
5378         .task_movememory =              selinux_task_movememory,
5379         .task_kill =                    selinux_task_kill,
5380         .task_wait =                    selinux_task_wait,
5381         .task_to_inode =                selinux_task_to_inode,
5382
5383         .ipc_permission =               selinux_ipc_permission,
5384         .ipc_getsecid =                 selinux_ipc_getsecid,
5385
5386         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5387         .msg_msg_free_security =        selinux_msg_msg_free_security,
5388
5389         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5390         .msg_queue_free_security =      selinux_msg_queue_free_security,
5391         .msg_queue_associate =          selinux_msg_queue_associate,
5392         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5393         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5394         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5395
5396         .shm_alloc_security =           selinux_shm_alloc_security,
5397         .shm_free_security =            selinux_shm_free_security,
5398         .shm_associate =                selinux_shm_associate,
5399         .shm_shmctl =                   selinux_shm_shmctl,
5400         .shm_shmat =                    selinux_shm_shmat,
5401
5402         .sem_alloc_security =           selinux_sem_alloc_security,
5403         .sem_free_security =            selinux_sem_free_security,
5404         .sem_associate =                selinux_sem_associate,
5405         .sem_semctl =                   selinux_sem_semctl,
5406         .sem_semop =                    selinux_sem_semop,
5407
5408         .d_instantiate =                selinux_d_instantiate,
5409
5410         .getprocattr =                  selinux_getprocattr,
5411         .setprocattr =                  selinux_setprocattr,
5412
5413         .secid_to_secctx =              selinux_secid_to_secctx,
5414         .secctx_to_secid =              selinux_secctx_to_secid,
5415         .release_secctx =               selinux_release_secctx,
5416         .inode_notifysecctx =           selinux_inode_notifysecctx,
5417         .inode_setsecctx =              selinux_inode_setsecctx,
5418         .inode_getsecctx =              selinux_inode_getsecctx,
5419
5420         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5421         .unix_may_send =                selinux_socket_unix_may_send,
5422
5423         .socket_create =                selinux_socket_create,
5424         .socket_post_create =           selinux_socket_post_create,
5425         .socket_bind =                  selinux_socket_bind,
5426         .socket_connect =               selinux_socket_connect,
5427         .socket_listen =                selinux_socket_listen,
5428         .socket_accept =                selinux_socket_accept,
5429         .socket_sendmsg =               selinux_socket_sendmsg,
5430         .socket_recvmsg =               selinux_socket_recvmsg,
5431         .socket_getsockname =           selinux_socket_getsockname,
5432         .socket_getpeername =           selinux_socket_getpeername,
5433         .socket_getsockopt =            selinux_socket_getsockopt,
5434         .socket_setsockopt =            selinux_socket_setsockopt,
5435         .socket_shutdown =              selinux_socket_shutdown,
5436         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5437         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5438         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5439         .sk_alloc_security =            selinux_sk_alloc_security,
5440         .sk_free_security =             selinux_sk_free_security,
5441         .sk_clone_security =            selinux_sk_clone_security,
5442         .sk_getsecid =                  selinux_sk_getsecid,
5443         .sock_graft =                   selinux_sock_graft,
5444         .inet_conn_request =            selinux_inet_conn_request,
5445         .inet_csk_clone =               selinux_inet_csk_clone,
5446         .inet_conn_established =        selinux_inet_conn_established,
5447         .secmark_relabel_packet =       selinux_secmark_relabel_packet,
5448         .secmark_refcount_inc =         selinux_secmark_refcount_inc,
5449         .secmark_refcount_dec =         selinux_secmark_refcount_dec,
5450         .req_classify_flow =            selinux_req_classify_flow,
5451         .tun_dev_create =               selinux_tun_dev_create,
5452         .tun_dev_post_create =          selinux_tun_dev_post_create,
5453         .tun_dev_attach =               selinux_tun_dev_attach,
5454
5455 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5456         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5457         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5458         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5459         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5460         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5461         .xfrm_state_free_security =     selinux_xfrm_state_free,
5462         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5463         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5464         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5465         .xfrm_decode_session =          selinux_xfrm_decode_session,
5466 #endif
5467
5468 #ifdef CONFIG_KEYS
5469         .key_alloc =                    selinux_key_alloc,
5470         .key_free =                     selinux_key_free,
5471         .key_permission =               selinux_key_permission,
5472         .key_getsecurity =              selinux_key_getsecurity,
5473 #endif
5474
5475 #ifdef CONFIG_AUDIT
5476         .audit_rule_init =              selinux_audit_rule_init,
5477         .audit_rule_known =             selinux_audit_rule_known,
5478         .audit_rule_match =             selinux_audit_rule_match,
5479         .audit_rule_free =              selinux_audit_rule_free,
5480 #endif
5481 };
5482
5483 static __init int selinux_init(void)
5484 {
5485         if (!security_module_enable(&selinux_ops)) {
5486                 selinux_enabled = 0;
5487                 return 0;
5488         }
5489
5490         if (!selinux_enabled) {
5491                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5492                 return 0;
5493         }
5494
5495         printk(KERN_INFO "SELinux:  Initializing.\n");
5496
5497         /* Set the security state for the initial task. */
5498         cred_init_security();
5499
5500         default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5501
5502         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5503                                             sizeof(struct inode_security_struct),
5504                                             0, SLAB_PANIC, NULL);
5505         avc_init();
5506
5507         if (register_security(&selinux_ops))
5508                 panic("SELinux: Unable to register with kernel.\n");
5509
5510         if (selinux_enforcing)
5511                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5512         else
5513                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5514
5515         return 0;
5516 }
5517
5518 static void delayed_superblock_init(struct super_block *sb, void *unused)
5519 {
5520         superblock_doinit(sb, NULL);
5521 }
5522
5523 void selinux_complete_init(void)
5524 {
5525         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5526
5527         /* Set up any superblocks initialized prior to the policy load. */
5528         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5529         iterate_supers(delayed_superblock_init, NULL);
5530 }
5531
5532 /* SELinux requires early initialization in order to label
5533    all processes and objects when they are created. */
5534 security_initcall(selinux_init);
5535
5536 #if defined(CONFIG_NETFILTER)
5537
5538 static struct nf_hook_ops selinux_ipv4_ops[] = {
5539         {
5540                 .hook =         selinux_ipv4_postroute,
5541                 .owner =        THIS_MODULE,
5542                 .pf =           PF_INET,
5543                 .hooknum =      NF_INET_POST_ROUTING,
5544                 .priority =     NF_IP_PRI_SELINUX_LAST,
5545         },
5546         {
5547                 .hook =         selinux_ipv4_forward,
5548                 .owner =        THIS_MODULE,
5549                 .pf =           PF_INET,
5550                 .hooknum =      NF_INET_FORWARD,
5551                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5552         },
5553         {
5554                 .hook =         selinux_ipv4_output,
5555                 .owner =        THIS_MODULE,
5556                 .pf =           PF_INET,
5557                 .hooknum =      NF_INET_LOCAL_OUT,
5558                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5559         }
5560 };
5561
5562 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5563
5564 static struct nf_hook_ops selinux_ipv6_ops[] = {
5565         {
5566                 .hook =         selinux_ipv6_postroute,
5567                 .owner =        THIS_MODULE,
5568                 .pf =           PF_INET6,
5569                 .hooknum =      NF_INET_POST_ROUTING,
5570                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5571         },
5572         {
5573                 .hook =         selinux_ipv6_forward,
5574                 .owner =        THIS_MODULE,
5575                 .pf =           PF_INET6,
5576                 .hooknum =      NF_INET_FORWARD,
5577                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5578         }
5579 };
5580
5581 #endif  /* IPV6 */
5582
5583 static int __init selinux_nf_ip_init(void)
5584 {
5585         int err = 0;
5586
5587         if (!selinux_enabled)
5588                 goto out;
5589
5590         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5591
5592         err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5593         if (err)
5594                 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5595
5596 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5597         err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5598         if (err)
5599                 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5600 #endif  /* IPV6 */
5601
5602 out:
5603         return err;
5604 }
5605
5606 __initcall(selinux_nf_ip_init);
5607
5608 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5609 static void selinux_nf_ip_exit(void)
5610 {
5611         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5612
5613         nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5614 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5615         nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5616 #endif  /* IPV6 */
5617 }
5618 #endif
5619
5620 #else /* CONFIG_NETFILTER */
5621
5622 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5623 #define selinux_nf_ip_exit()
5624 #endif
5625
5626 #endif /* CONFIG_NETFILTER */
5627
5628 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5629 static int selinux_disabled;
5630
5631 int selinux_disable(void)
5632 {
5633         extern void exit_sel_fs(void);
5634
5635         if (ss_initialized) {
5636                 /* Not permitted after initial policy load. */
5637                 return -EINVAL;
5638         }
5639
5640         if (selinux_disabled) {
5641                 /* Only do this once. */
5642                 return -EINVAL;
5643         }
5644
5645         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5646
5647         selinux_disabled = 1;
5648         selinux_enabled = 0;
5649
5650         reset_security_ops();
5651
5652         /* Try to destroy the avc node cache */
5653         avc_disable();
5654
5655         /* Unregister netfilter hooks. */
5656         selinux_nf_ip_exit();
5657
5658         /* Unregister selinuxfs. */
5659         exit_sel_fs();
5660
5661         return 0;
5662 }
5663 #endif