LSM: split LSM_AUDIT_DATA_FS into _PATH and _INODE
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul.moore@hp.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/ext2_fs.h>
32 #include <linux/sched.h>
33 #include <linux/security.h>
34 #include <linux/xattr.h>
35 #include <linux/capability.h>
36 #include <linux/unistd.h>
37 #include <linux/mm.h>
38 #include <linux/mman.h>
39 #include <linux/slab.h>
40 #include <linux/pagemap.h>
41 #include <linux/proc_fs.h>
42 #include <linux/swap.h>
43 #include <linux/spinlock.h>
44 #include <linux/syscalls.h>
45 #include <linux/dcache.h>
46 #include <linux/file.h>
47 #include <linux/fdtable.h>
48 #include <linux/namei.h>
49 #include <linux/mount.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h>             /* for local_port_range[] */
55 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <asm/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h>    /* for network interface checks */
64 #include <linux/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h>           /* for Unix socket types */
70 #include <net/af_unix.h>        /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
73 #include <net/ipv6.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82
83 #include "avc.h"
84 #include "objsec.h"
85 #include "netif.h"
86 #include "netnode.h"
87 #include "netport.h"
88 #include "xfrm.h"
89 #include "netlabel.h"
90 #include "audit.h"
91
92 #define NUM_SEL_MNT_OPTS 5
93
94 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
95 extern struct security_operations *security_ops;
96
97 /* SECMARK reference count */
98 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing;
102
103 static int __init enforcing_setup(char *str)
104 {
105         unsigned long enforcing;
106         if (!strict_strtoul(str, 0, &enforcing))
107                 selinux_enforcing = enforcing ? 1 : 0;
108         return 1;
109 }
110 __setup("enforcing=", enforcing_setup);
111 #endif
112
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116 static int __init selinux_enabled_setup(char *str)
117 {
118         unsigned long enabled;
119         if (!strict_strtoul(str, 0, &enabled))
120                 selinux_enabled = enabled ? 1 : 0;
121         return 1;
122 }
123 __setup("selinux=", selinux_enabled_setup);
124 #else
125 int selinux_enabled = 1;
126 #endif
127
128 static struct kmem_cache *sel_inode_cache;
129
130 /**
131  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
132  *
133  * Description:
134  * This function checks the SECMARK reference counter to see if any SECMARK
135  * targets are currently configured, if the reference counter is greater than
136  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
137  * enabled, false (0) if SECMARK is disabled.
138  *
139  */
140 static int selinux_secmark_enabled(void)
141 {
142         return (atomic_read(&selinux_secmark_refcount) > 0);
143 }
144
145 /*
146  * initialise the security for the init task
147  */
148 static void cred_init_security(void)
149 {
150         struct cred *cred = (struct cred *) current->real_cred;
151         struct task_security_struct *tsec;
152
153         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
154         if (!tsec)
155                 panic("SELinux:  Failed to initialize initial task.\n");
156
157         tsec->osid = tsec->sid = SECINITSID_KERNEL;
158         cred->security = tsec;
159 }
160
161 /*
162  * get the security ID of a set of credentials
163  */
164 static inline u32 cred_sid(const struct cred *cred)
165 {
166         const struct task_security_struct *tsec;
167
168         tsec = cred->security;
169         return tsec->sid;
170 }
171
172 /*
173  * get the objective security ID of a task
174  */
175 static inline u32 task_sid(const struct task_struct *task)
176 {
177         u32 sid;
178
179         rcu_read_lock();
180         sid = cred_sid(__task_cred(task));
181         rcu_read_unlock();
182         return sid;
183 }
184
185 /*
186  * get the subjective security ID of the current task
187  */
188 static inline u32 current_sid(void)
189 {
190         const struct task_security_struct *tsec = current_security();
191
192         return tsec->sid;
193 }
194
195 /* Allocate and free functions for each kind of security blob. */
196
197 static int inode_alloc_security(struct inode *inode)
198 {
199         struct inode_security_struct *isec;
200         u32 sid = current_sid();
201
202         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
203         if (!isec)
204                 return -ENOMEM;
205
206         mutex_init(&isec->lock);
207         INIT_LIST_HEAD(&isec->list);
208         isec->inode = inode;
209         isec->sid = SECINITSID_UNLABELED;
210         isec->sclass = SECCLASS_FILE;
211         isec->task_sid = sid;
212         inode->i_security = isec;
213
214         return 0;
215 }
216
217 static void inode_free_security(struct inode *inode)
218 {
219         struct inode_security_struct *isec = inode->i_security;
220         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
221
222         spin_lock(&sbsec->isec_lock);
223         if (!list_empty(&isec->list))
224                 list_del_init(&isec->list);
225         spin_unlock(&sbsec->isec_lock);
226
227         inode->i_security = NULL;
228         kmem_cache_free(sel_inode_cache, isec);
229 }
230
231 static int file_alloc_security(struct file *file)
232 {
233         struct file_security_struct *fsec;
234         u32 sid = current_sid();
235
236         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
237         if (!fsec)
238                 return -ENOMEM;
239
240         fsec->sid = sid;
241         fsec->fown_sid = sid;
242         file->f_security = fsec;
243
244         return 0;
245 }
246
247 static void file_free_security(struct file *file)
248 {
249         struct file_security_struct *fsec = file->f_security;
250         file->f_security = NULL;
251         kfree(fsec);
252 }
253
254 static int superblock_alloc_security(struct super_block *sb)
255 {
256         struct superblock_security_struct *sbsec;
257
258         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
259         if (!sbsec)
260                 return -ENOMEM;
261
262         mutex_init(&sbsec->lock);
263         INIT_LIST_HEAD(&sbsec->isec_head);
264         spin_lock_init(&sbsec->isec_lock);
265         sbsec->sb = sb;
266         sbsec->sid = SECINITSID_UNLABELED;
267         sbsec->def_sid = SECINITSID_FILE;
268         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
269         sb->s_security = sbsec;
270
271         return 0;
272 }
273
274 static void superblock_free_security(struct super_block *sb)
275 {
276         struct superblock_security_struct *sbsec = sb->s_security;
277         sb->s_security = NULL;
278         kfree(sbsec);
279 }
280
281 /* The security server must be initialized before
282    any labeling or access decisions can be provided. */
283 extern int ss_initialized;
284
285 /* The file system's label must be initialized prior to use. */
286
287 static const char *labeling_behaviors[6] = {
288         "uses xattr",
289         "uses transition SIDs",
290         "uses task SIDs",
291         "uses genfs_contexts",
292         "not configured for labeling",
293         "uses mountpoint labeling",
294 };
295
296 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
297
298 static inline int inode_doinit(struct inode *inode)
299 {
300         return inode_doinit_with_dentry(inode, NULL);
301 }
302
303 enum {
304         Opt_error = -1,
305         Opt_context = 1,
306         Opt_fscontext = 2,
307         Opt_defcontext = 3,
308         Opt_rootcontext = 4,
309         Opt_labelsupport = 5,
310 };
311
312 static const match_table_t tokens = {
313         {Opt_context, CONTEXT_STR "%s"},
314         {Opt_fscontext, FSCONTEXT_STR "%s"},
315         {Opt_defcontext, DEFCONTEXT_STR "%s"},
316         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
317         {Opt_labelsupport, LABELSUPP_STR},
318         {Opt_error, NULL},
319 };
320
321 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
322
323 static int may_context_mount_sb_relabel(u32 sid,
324                         struct superblock_security_struct *sbsec,
325                         const struct cred *cred)
326 {
327         const struct task_security_struct *tsec = cred->security;
328         int rc;
329
330         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
331                           FILESYSTEM__RELABELFROM, NULL);
332         if (rc)
333                 return rc;
334
335         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
336                           FILESYSTEM__RELABELTO, NULL);
337         return rc;
338 }
339
340 static int may_context_mount_inode_relabel(u32 sid,
341                         struct superblock_security_struct *sbsec,
342                         const struct cred *cred)
343 {
344         const struct task_security_struct *tsec = cred->security;
345         int rc;
346         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
347                           FILESYSTEM__RELABELFROM, NULL);
348         if (rc)
349                 return rc;
350
351         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
352                           FILESYSTEM__ASSOCIATE, NULL);
353         return rc;
354 }
355
356 static int sb_finish_set_opts(struct super_block *sb)
357 {
358         struct superblock_security_struct *sbsec = sb->s_security;
359         struct dentry *root = sb->s_root;
360         struct inode *root_inode = root->d_inode;
361         int rc = 0;
362
363         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
364                 /* Make sure that the xattr handler exists and that no
365                    error other than -ENODATA is returned by getxattr on
366                    the root directory.  -ENODATA is ok, as this may be
367                    the first boot of the SELinux kernel before we have
368                    assigned xattr values to the filesystem. */
369                 if (!root_inode->i_op->getxattr) {
370                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
371                                "xattr support\n", sb->s_id, sb->s_type->name);
372                         rc = -EOPNOTSUPP;
373                         goto out;
374                 }
375                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
376                 if (rc < 0 && rc != -ENODATA) {
377                         if (rc == -EOPNOTSUPP)
378                                 printk(KERN_WARNING "SELinux: (dev %s, type "
379                                        "%s) has no security xattr handler\n",
380                                        sb->s_id, sb->s_type->name);
381                         else
382                                 printk(KERN_WARNING "SELinux: (dev %s, type "
383                                        "%s) getxattr errno %d\n", sb->s_id,
384                                        sb->s_type->name, -rc);
385                         goto out;
386                 }
387         }
388
389         sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
390
391         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
392                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
393                        sb->s_id, sb->s_type->name);
394         else
395                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
396                        sb->s_id, sb->s_type->name,
397                        labeling_behaviors[sbsec->behavior-1]);
398
399         if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
400             sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
401             sbsec->behavior == SECURITY_FS_USE_NONE ||
402             sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403                 sbsec->flags &= ~SE_SBLABELSUPP;
404
405         /* Special handling for sysfs. Is genfs but also has setxattr handler*/
406         if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
407                 sbsec->flags |= SE_SBLABELSUPP;
408
409         /* Initialize the root inode. */
410         rc = inode_doinit_with_dentry(root_inode, root);
411
412         /* Initialize any other inodes associated with the superblock, e.g.
413            inodes created prior to initial policy load or inodes created
414            during get_sb by a pseudo filesystem that directly
415            populates itself. */
416         spin_lock(&sbsec->isec_lock);
417 next_inode:
418         if (!list_empty(&sbsec->isec_head)) {
419                 struct inode_security_struct *isec =
420                                 list_entry(sbsec->isec_head.next,
421                                            struct inode_security_struct, list);
422                 struct inode *inode = isec->inode;
423                 spin_unlock(&sbsec->isec_lock);
424                 inode = igrab(inode);
425                 if (inode) {
426                         if (!IS_PRIVATE(inode))
427                                 inode_doinit(inode);
428                         iput(inode);
429                 }
430                 spin_lock(&sbsec->isec_lock);
431                 list_del_init(&isec->list);
432                 goto next_inode;
433         }
434         spin_unlock(&sbsec->isec_lock);
435 out:
436         return rc;
437 }
438
439 /*
440  * This function should allow an FS to ask what it's mount security
441  * options were so it can use those later for submounts, displaying
442  * mount options, or whatever.
443  */
444 static int selinux_get_mnt_opts(const struct super_block *sb,
445                                 struct security_mnt_opts *opts)
446 {
447         int rc = 0, i;
448         struct superblock_security_struct *sbsec = sb->s_security;
449         char *context = NULL;
450         u32 len;
451         char tmp;
452
453         security_init_mnt_opts(opts);
454
455         if (!(sbsec->flags & SE_SBINITIALIZED))
456                 return -EINVAL;
457
458         if (!ss_initialized)
459                 return -EINVAL;
460
461         tmp = sbsec->flags & SE_MNTMASK;
462         /* count the number of mount options for this sb */
463         for (i = 0; i < 8; i++) {
464                 if (tmp & 0x01)
465                         opts->num_mnt_opts++;
466                 tmp >>= 1;
467         }
468         /* Check if the Label support flag is set */
469         if (sbsec->flags & SE_SBLABELSUPP)
470                 opts->num_mnt_opts++;
471
472         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
473         if (!opts->mnt_opts) {
474                 rc = -ENOMEM;
475                 goto out_free;
476         }
477
478         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
479         if (!opts->mnt_opts_flags) {
480                 rc = -ENOMEM;
481                 goto out_free;
482         }
483
484         i = 0;
485         if (sbsec->flags & FSCONTEXT_MNT) {
486                 rc = security_sid_to_context(sbsec->sid, &context, &len);
487                 if (rc)
488                         goto out_free;
489                 opts->mnt_opts[i] = context;
490                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
491         }
492         if (sbsec->flags & CONTEXT_MNT) {
493                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
494                 if (rc)
495                         goto out_free;
496                 opts->mnt_opts[i] = context;
497                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
498         }
499         if (sbsec->flags & DEFCONTEXT_MNT) {
500                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
501                 if (rc)
502                         goto out_free;
503                 opts->mnt_opts[i] = context;
504                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
505         }
506         if (sbsec->flags & ROOTCONTEXT_MNT) {
507                 struct inode *root = sbsec->sb->s_root->d_inode;
508                 struct inode_security_struct *isec = root->i_security;
509
510                 rc = security_sid_to_context(isec->sid, &context, &len);
511                 if (rc)
512                         goto out_free;
513                 opts->mnt_opts[i] = context;
514                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
515         }
516         if (sbsec->flags & SE_SBLABELSUPP) {
517                 opts->mnt_opts[i] = NULL;
518                 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
519         }
520
521         BUG_ON(i != opts->num_mnt_opts);
522
523         return 0;
524
525 out_free:
526         security_free_mnt_opts(opts);
527         return rc;
528 }
529
530 static int bad_option(struct superblock_security_struct *sbsec, char flag,
531                       u32 old_sid, u32 new_sid)
532 {
533         char mnt_flags = sbsec->flags & SE_MNTMASK;
534
535         /* check if the old mount command had the same options */
536         if (sbsec->flags & SE_SBINITIALIZED)
537                 if (!(sbsec->flags & flag) ||
538                     (old_sid != new_sid))
539                         return 1;
540
541         /* check if we were passed the same options twice,
542          * aka someone passed context=a,context=b
543          */
544         if (!(sbsec->flags & SE_SBINITIALIZED))
545                 if (mnt_flags & flag)
546                         return 1;
547         return 0;
548 }
549
550 /*
551  * Allow filesystems with binary mount data to explicitly set mount point
552  * labeling information.
553  */
554 static int selinux_set_mnt_opts(struct super_block *sb,
555                                 struct security_mnt_opts *opts)
556 {
557         const struct cred *cred = current_cred();
558         int rc = 0, i;
559         struct superblock_security_struct *sbsec = sb->s_security;
560         const char *name = sb->s_type->name;
561         struct inode *inode = sbsec->sb->s_root->d_inode;
562         struct inode_security_struct *root_isec = inode->i_security;
563         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
564         u32 defcontext_sid = 0;
565         char **mount_options = opts->mnt_opts;
566         int *flags = opts->mnt_opts_flags;
567         int num_opts = opts->num_mnt_opts;
568
569         mutex_lock(&sbsec->lock);
570
571         if (!ss_initialized) {
572                 if (!num_opts) {
573                         /* Defer initialization until selinux_complete_init,
574                            after the initial policy is loaded and the security
575                            server is ready to handle calls. */
576                         goto out;
577                 }
578                 rc = -EINVAL;
579                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
580                         "before the security server is initialized\n");
581                 goto out;
582         }
583
584         /*
585          * Binary mount data FS will come through this function twice.  Once
586          * from an explicit call and once from the generic calls from the vfs.
587          * Since the generic VFS calls will not contain any security mount data
588          * we need to skip the double mount verification.
589          *
590          * This does open a hole in which we will not notice if the first
591          * mount using this sb set explict options and a second mount using
592          * this sb does not set any security options.  (The first options
593          * will be used for both mounts)
594          */
595         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
596             && (num_opts == 0))
597                 goto out;
598
599         /*
600          * parse the mount options, check if they are valid sids.
601          * also check if someone is trying to mount the same sb more
602          * than once with different security options.
603          */
604         for (i = 0; i < num_opts; i++) {
605                 u32 sid;
606
607                 if (flags[i] == SE_SBLABELSUPP)
608                         continue;
609                 rc = security_context_to_sid(mount_options[i],
610                                              strlen(mount_options[i]), &sid);
611                 if (rc) {
612                         printk(KERN_WARNING "SELinux: security_context_to_sid"
613                                "(%s) failed for (dev %s, type %s) errno=%d\n",
614                                mount_options[i], sb->s_id, name, rc);
615                         goto out;
616                 }
617                 switch (flags[i]) {
618                 case FSCONTEXT_MNT:
619                         fscontext_sid = sid;
620
621                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
622                                         fscontext_sid))
623                                 goto out_double_mount;
624
625                         sbsec->flags |= FSCONTEXT_MNT;
626                         break;
627                 case CONTEXT_MNT:
628                         context_sid = sid;
629
630                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
631                                         context_sid))
632                                 goto out_double_mount;
633
634                         sbsec->flags |= CONTEXT_MNT;
635                         break;
636                 case ROOTCONTEXT_MNT:
637                         rootcontext_sid = sid;
638
639                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
640                                         rootcontext_sid))
641                                 goto out_double_mount;
642
643                         sbsec->flags |= ROOTCONTEXT_MNT;
644
645                         break;
646                 case DEFCONTEXT_MNT:
647                         defcontext_sid = sid;
648
649                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
650                                         defcontext_sid))
651                                 goto out_double_mount;
652
653                         sbsec->flags |= DEFCONTEXT_MNT;
654
655                         break;
656                 default:
657                         rc = -EINVAL;
658                         goto out;
659                 }
660         }
661
662         if (sbsec->flags & SE_SBINITIALIZED) {
663                 /* previously mounted with options, but not on this attempt? */
664                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
665                         goto out_double_mount;
666                 rc = 0;
667                 goto out;
668         }
669
670         if (strcmp(sb->s_type->name, "proc") == 0)
671                 sbsec->flags |= SE_SBPROC;
672
673         /* Determine the labeling behavior to use for this filesystem type. */
674         rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
675         if (rc) {
676                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
677                        __func__, sb->s_type->name, rc);
678                 goto out;
679         }
680
681         /* sets the context of the superblock for the fs being mounted. */
682         if (fscontext_sid) {
683                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
684                 if (rc)
685                         goto out;
686
687                 sbsec->sid = fscontext_sid;
688         }
689
690         /*
691          * Switch to using mount point labeling behavior.
692          * sets the label used on all file below the mountpoint, and will set
693          * the superblock context if not already set.
694          */
695         if (context_sid) {
696                 if (!fscontext_sid) {
697                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
698                                                           cred);
699                         if (rc)
700                                 goto out;
701                         sbsec->sid = context_sid;
702                 } else {
703                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
704                                                              cred);
705                         if (rc)
706                                 goto out;
707                 }
708                 if (!rootcontext_sid)
709                         rootcontext_sid = context_sid;
710
711                 sbsec->mntpoint_sid = context_sid;
712                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
713         }
714
715         if (rootcontext_sid) {
716                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
717                                                      cred);
718                 if (rc)
719                         goto out;
720
721                 root_isec->sid = rootcontext_sid;
722                 root_isec->initialized = 1;
723         }
724
725         if (defcontext_sid) {
726                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
727                         rc = -EINVAL;
728                         printk(KERN_WARNING "SELinux: defcontext option is "
729                                "invalid for this filesystem type\n");
730                         goto out;
731                 }
732
733                 if (defcontext_sid != sbsec->def_sid) {
734                         rc = may_context_mount_inode_relabel(defcontext_sid,
735                                                              sbsec, cred);
736                         if (rc)
737                                 goto out;
738                 }
739
740                 sbsec->def_sid = defcontext_sid;
741         }
742
743         rc = sb_finish_set_opts(sb);
744 out:
745         mutex_unlock(&sbsec->lock);
746         return rc;
747 out_double_mount:
748         rc = -EINVAL;
749         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
750                "security settings for (dev %s, type %s)\n", sb->s_id, name);
751         goto out;
752 }
753
754 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
755                                         struct super_block *newsb)
756 {
757         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
758         struct superblock_security_struct *newsbsec = newsb->s_security;
759
760         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
761         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
762         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
763
764         /*
765          * if the parent was able to be mounted it clearly had no special lsm
766          * mount options.  thus we can safely deal with this superblock later
767          */
768         if (!ss_initialized)
769                 return;
770
771         /* how can we clone if the old one wasn't set up?? */
772         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
773
774         /* if fs is reusing a sb, just let its options stand... */
775         if (newsbsec->flags & SE_SBINITIALIZED)
776                 return;
777
778         mutex_lock(&newsbsec->lock);
779
780         newsbsec->flags = oldsbsec->flags;
781
782         newsbsec->sid = oldsbsec->sid;
783         newsbsec->def_sid = oldsbsec->def_sid;
784         newsbsec->behavior = oldsbsec->behavior;
785
786         if (set_context) {
787                 u32 sid = oldsbsec->mntpoint_sid;
788
789                 if (!set_fscontext)
790                         newsbsec->sid = sid;
791                 if (!set_rootcontext) {
792                         struct inode *newinode = newsb->s_root->d_inode;
793                         struct inode_security_struct *newisec = newinode->i_security;
794                         newisec->sid = sid;
795                 }
796                 newsbsec->mntpoint_sid = sid;
797         }
798         if (set_rootcontext) {
799                 const struct inode *oldinode = oldsb->s_root->d_inode;
800                 const struct inode_security_struct *oldisec = oldinode->i_security;
801                 struct inode *newinode = newsb->s_root->d_inode;
802                 struct inode_security_struct *newisec = newinode->i_security;
803
804                 newisec->sid = oldisec->sid;
805         }
806
807         sb_finish_set_opts(newsb);
808         mutex_unlock(&newsbsec->lock);
809 }
810
811 static int selinux_parse_opts_str(char *options,
812                                   struct security_mnt_opts *opts)
813 {
814         char *p;
815         char *context = NULL, *defcontext = NULL;
816         char *fscontext = NULL, *rootcontext = NULL;
817         int rc, num_mnt_opts = 0;
818
819         opts->num_mnt_opts = 0;
820
821         /* Standard string-based options. */
822         while ((p = strsep(&options, "|")) != NULL) {
823                 int token;
824                 substring_t args[MAX_OPT_ARGS];
825
826                 if (!*p)
827                         continue;
828
829                 token = match_token(p, tokens, args);
830
831                 switch (token) {
832                 case Opt_context:
833                         if (context || defcontext) {
834                                 rc = -EINVAL;
835                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
836                                 goto out_err;
837                         }
838                         context = match_strdup(&args[0]);
839                         if (!context) {
840                                 rc = -ENOMEM;
841                                 goto out_err;
842                         }
843                         break;
844
845                 case Opt_fscontext:
846                         if (fscontext) {
847                                 rc = -EINVAL;
848                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
849                                 goto out_err;
850                         }
851                         fscontext = match_strdup(&args[0]);
852                         if (!fscontext) {
853                                 rc = -ENOMEM;
854                                 goto out_err;
855                         }
856                         break;
857
858                 case Opt_rootcontext:
859                         if (rootcontext) {
860                                 rc = -EINVAL;
861                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
862                                 goto out_err;
863                         }
864                         rootcontext = match_strdup(&args[0]);
865                         if (!rootcontext) {
866                                 rc = -ENOMEM;
867                                 goto out_err;
868                         }
869                         break;
870
871                 case Opt_defcontext:
872                         if (context || defcontext) {
873                                 rc = -EINVAL;
874                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
875                                 goto out_err;
876                         }
877                         defcontext = match_strdup(&args[0]);
878                         if (!defcontext) {
879                                 rc = -ENOMEM;
880                                 goto out_err;
881                         }
882                         break;
883                 case Opt_labelsupport:
884                         break;
885                 default:
886                         rc = -EINVAL;
887                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
888                         goto out_err;
889
890                 }
891         }
892
893         rc = -ENOMEM;
894         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
895         if (!opts->mnt_opts)
896                 goto out_err;
897
898         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
899         if (!opts->mnt_opts_flags) {
900                 kfree(opts->mnt_opts);
901                 goto out_err;
902         }
903
904         if (fscontext) {
905                 opts->mnt_opts[num_mnt_opts] = fscontext;
906                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
907         }
908         if (context) {
909                 opts->mnt_opts[num_mnt_opts] = context;
910                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
911         }
912         if (rootcontext) {
913                 opts->mnt_opts[num_mnt_opts] = rootcontext;
914                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
915         }
916         if (defcontext) {
917                 opts->mnt_opts[num_mnt_opts] = defcontext;
918                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
919         }
920
921         opts->num_mnt_opts = num_mnt_opts;
922         return 0;
923
924 out_err:
925         kfree(context);
926         kfree(defcontext);
927         kfree(fscontext);
928         kfree(rootcontext);
929         return rc;
930 }
931 /*
932  * string mount options parsing and call set the sbsec
933  */
934 static int superblock_doinit(struct super_block *sb, void *data)
935 {
936         int rc = 0;
937         char *options = data;
938         struct security_mnt_opts opts;
939
940         security_init_mnt_opts(&opts);
941
942         if (!data)
943                 goto out;
944
945         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
946
947         rc = selinux_parse_opts_str(options, &opts);
948         if (rc)
949                 goto out_err;
950
951 out:
952         rc = selinux_set_mnt_opts(sb, &opts);
953
954 out_err:
955         security_free_mnt_opts(&opts);
956         return rc;
957 }
958
959 static void selinux_write_opts(struct seq_file *m,
960                                struct security_mnt_opts *opts)
961 {
962         int i;
963         char *prefix;
964
965         for (i = 0; i < opts->num_mnt_opts; i++) {
966                 char *has_comma;
967
968                 if (opts->mnt_opts[i])
969                         has_comma = strchr(opts->mnt_opts[i], ',');
970                 else
971                         has_comma = NULL;
972
973                 switch (opts->mnt_opts_flags[i]) {
974                 case CONTEXT_MNT:
975                         prefix = CONTEXT_STR;
976                         break;
977                 case FSCONTEXT_MNT:
978                         prefix = FSCONTEXT_STR;
979                         break;
980                 case ROOTCONTEXT_MNT:
981                         prefix = ROOTCONTEXT_STR;
982                         break;
983                 case DEFCONTEXT_MNT:
984                         prefix = DEFCONTEXT_STR;
985                         break;
986                 case SE_SBLABELSUPP:
987                         seq_putc(m, ',');
988                         seq_puts(m, LABELSUPP_STR);
989                         continue;
990                 default:
991                         BUG();
992                         return;
993                 };
994                 /* we need a comma before each option */
995                 seq_putc(m, ',');
996                 seq_puts(m, prefix);
997                 if (has_comma)
998                         seq_putc(m, '\"');
999                 seq_puts(m, opts->mnt_opts[i]);
1000                 if (has_comma)
1001                         seq_putc(m, '\"');
1002         }
1003 }
1004
1005 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1006 {
1007         struct security_mnt_opts opts;
1008         int rc;
1009
1010         rc = selinux_get_mnt_opts(sb, &opts);
1011         if (rc) {
1012                 /* before policy load we may get EINVAL, don't show anything */
1013                 if (rc == -EINVAL)
1014                         rc = 0;
1015                 return rc;
1016         }
1017
1018         selinux_write_opts(m, &opts);
1019
1020         security_free_mnt_opts(&opts);
1021
1022         return rc;
1023 }
1024
1025 static inline u16 inode_mode_to_security_class(umode_t mode)
1026 {
1027         switch (mode & S_IFMT) {
1028         case S_IFSOCK:
1029                 return SECCLASS_SOCK_FILE;
1030         case S_IFLNK:
1031                 return SECCLASS_LNK_FILE;
1032         case S_IFREG:
1033                 return SECCLASS_FILE;
1034         case S_IFBLK:
1035                 return SECCLASS_BLK_FILE;
1036         case S_IFDIR:
1037                 return SECCLASS_DIR;
1038         case S_IFCHR:
1039                 return SECCLASS_CHR_FILE;
1040         case S_IFIFO:
1041                 return SECCLASS_FIFO_FILE;
1042
1043         }
1044
1045         return SECCLASS_FILE;
1046 }
1047
1048 static inline int default_protocol_stream(int protocol)
1049 {
1050         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1051 }
1052
1053 static inline int default_protocol_dgram(int protocol)
1054 {
1055         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1056 }
1057
1058 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1059 {
1060         switch (family) {
1061         case PF_UNIX:
1062                 switch (type) {
1063                 case SOCK_STREAM:
1064                 case SOCK_SEQPACKET:
1065                         return SECCLASS_UNIX_STREAM_SOCKET;
1066                 case SOCK_DGRAM:
1067                         return SECCLASS_UNIX_DGRAM_SOCKET;
1068                 }
1069                 break;
1070         case PF_INET:
1071         case PF_INET6:
1072                 switch (type) {
1073                 case SOCK_STREAM:
1074                         if (default_protocol_stream(protocol))
1075                                 return SECCLASS_TCP_SOCKET;
1076                         else
1077                                 return SECCLASS_RAWIP_SOCKET;
1078                 case SOCK_DGRAM:
1079                         if (default_protocol_dgram(protocol))
1080                                 return SECCLASS_UDP_SOCKET;
1081                         else
1082                                 return SECCLASS_RAWIP_SOCKET;
1083                 case SOCK_DCCP:
1084                         return SECCLASS_DCCP_SOCKET;
1085                 default:
1086                         return SECCLASS_RAWIP_SOCKET;
1087                 }
1088                 break;
1089         case PF_NETLINK:
1090                 switch (protocol) {
1091                 case NETLINK_ROUTE:
1092                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1093                 case NETLINK_FIREWALL:
1094                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1095                 case NETLINK_INET_DIAG:
1096                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1097                 case NETLINK_NFLOG:
1098                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1099                 case NETLINK_XFRM:
1100                         return SECCLASS_NETLINK_XFRM_SOCKET;
1101                 case NETLINK_SELINUX:
1102                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1103                 case NETLINK_AUDIT:
1104                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1105                 case NETLINK_IP6_FW:
1106                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1107                 case NETLINK_DNRTMSG:
1108                         return SECCLASS_NETLINK_DNRT_SOCKET;
1109                 case NETLINK_KOBJECT_UEVENT:
1110                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1111                 default:
1112                         return SECCLASS_NETLINK_SOCKET;
1113                 }
1114         case PF_PACKET:
1115                 return SECCLASS_PACKET_SOCKET;
1116         case PF_KEY:
1117                 return SECCLASS_KEY_SOCKET;
1118         case PF_APPLETALK:
1119                 return SECCLASS_APPLETALK_SOCKET;
1120         }
1121
1122         return SECCLASS_SOCKET;
1123 }
1124
1125 #ifdef CONFIG_PROC_FS
1126 static int selinux_proc_get_sid(struct dentry *dentry,
1127                                 u16 tclass,
1128                                 u32 *sid)
1129 {
1130         int rc;
1131         char *buffer, *path;
1132
1133         buffer = (char *)__get_free_page(GFP_KERNEL);
1134         if (!buffer)
1135                 return -ENOMEM;
1136
1137         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1138         if (IS_ERR(path))
1139                 rc = PTR_ERR(path);
1140         else {
1141                 /* each process gets a /proc/PID/ entry. Strip off the
1142                  * PID part to get a valid selinux labeling.
1143                  * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1144                 while (path[1] >= '0' && path[1] <= '9') {
1145                         path[1] = '/';
1146                         path++;
1147                 }
1148                 rc = security_genfs_sid("proc", path, tclass, sid);
1149         }
1150         free_page((unsigned long)buffer);
1151         return rc;
1152 }
1153 #else
1154 static int selinux_proc_get_sid(struct dentry *dentry,
1155                                 u16 tclass,
1156                                 u32 *sid)
1157 {
1158         return -EINVAL;
1159 }
1160 #endif
1161
1162 /* The inode's security attributes must be initialized before first use. */
1163 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1164 {
1165         struct superblock_security_struct *sbsec = NULL;
1166         struct inode_security_struct *isec = inode->i_security;
1167         u32 sid;
1168         struct dentry *dentry;
1169 #define INITCONTEXTLEN 255
1170         char *context = NULL;
1171         unsigned len = 0;
1172         int rc = 0;
1173
1174         if (isec->initialized)
1175                 goto out;
1176
1177         mutex_lock(&isec->lock);
1178         if (isec->initialized)
1179                 goto out_unlock;
1180
1181         sbsec = inode->i_sb->s_security;
1182         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1183                 /* Defer initialization until selinux_complete_init,
1184                    after the initial policy is loaded and the security
1185                    server is ready to handle calls. */
1186                 spin_lock(&sbsec->isec_lock);
1187                 if (list_empty(&isec->list))
1188                         list_add(&isec->list, &sbsec->isec_head);
1189                 spin_unlock(&sbsec->isec_lock);
1190                 goto out_unlock;
1191         }
1192
1193         switch (sbsec->behavior) {
1194         case SECURITY_FS_USE_XATTR:
1195                 if (!inode->i_op->getxattr) {
1196                         isec->sid = sbsec->def_sid;
1197                         break;
1198                 }
1199
1200                 /* Need a dentry, since the xattr API requires one.
1201                    Life would be simpler if we could just pass the inode. */
1202                 if (opt_dentry) {
1203                         /* Called from d_instantiate or d_splice_alias. */
1204                         dentry = dget(opt_dentry);
1205                 } else {
1206                         /* Called from selinux_complete_init, try to find a dentry. */
1207                         dentry = d_find_alias(inode);
1208                 }
1209                 if (!dentry) {
1210                         /*
1211                          * this is can be hit on boot when a file is accessed
1212                          * before the policy is loaded.  When we load policy we
1213                          * may find inodes that have no dentry on the
1214                          * sbsec->isec_head list.  No reason to complain as these
1215                          * will get fixed up the next time we go through
1216                          * inode_doinit with a dentry, before these inodes could
1217                          * be used again by userspace.
1218                          */
1219                         goto out_unlock;
1220                 }
1221
1222                 len = INITCONTEXTLEN;
1223                 context = kmalloc(len+1, GFP_NOFS);
1224                 if (!context) {
1225                         rc = -ENOMEM;
1226                         dput(dentry);
1227                         goto out_unlock;
1228                 }
1229                 context[len] = '\0';
1230                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1231                                            context, len);
1232                 if (rc == -ERANGE) {
1233                         kfree(context);
1234
1235                         /* Need a larger buffer.  Query for the right size. */
1236                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1237                                                    NULL, 0);
1238                         if (rc < 0) {
1239                                 dput(dentry);
1240                                 goto out_unlock;
1241                         }
1242                         len = rc;
1243                         context = kmalloc(len+1, GFP_NOFS);
1244                         if (!context) {
1245                                 rc = -ENOMEM;
1246                                 dput(dentry);
1247                                 goto out_unlock;
1248                         }
1249                         context[len] = '\0';
1250                         rc = inode->i_op->getxattr(dentry,
1251                                                    XATTR_NAME_SELINUX,
1252                                                    context, len);
1253                 }
1254                 dput(dentry);
1255                 if (rc < 0) {
1256                         if (rc != -ENODATA) {
1257                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1258                                        "%d for dev=%s ino=%ld\n", __func__,
1259                                        -rc, inode->i_sb->s_id, inode->i_ino);
1260                                 kfree(context);
1261                                 goto out_unlock;
1262                         }
1263                         /* Map ENODATA to the default file SID */
1264                         sid = sbsec->def_sid;
1265                         rc = 0;
1266                 } else {
1267                         rc = security_context_to_sid_default(context, rc, &sid,
1268                                                              sbsec->def_sid,
1269                                                              GFP_NOFS);
1270                         if (rc) {
1271                                 char *dev = inode->i_sb->s_id;
1272                                 unsigned long ino = inode->i_ino;
1273
1274                                 if (rc == -EINVAL) {
1275                                         if (printk_ratelimit())
1276                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1277                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1278                                                         "filesystem in question.\n", ino, dev, context);
1279                                 } else {
1280                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1281                                                "returned %d for dev=%s ino=%ld\n",
1282                                                __func__, context, -rc, dev, ino);
1283                                 }
1284                                 kfree(context);
1285                                 /* Leave with the unlabeled SID */
1286                                 rc = 0;
1287                                 break;
1288                         }
1289                 }
1290                 kfree(context);
1291                 isec->sid = sid;
1292                 break;
1293         case SECURITY_FS_USE_TASK:
1294                 isec->sid = isec->task_sid;
1295                 break;
1296         case SECURITY_FS_USE_TRANS:
1297                 /* Default to the fs SID. */
1298                 isec->sid = sbsec->sid;
1299
1300                 /* Try to obtain a transition SID. */
1301                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1302                 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1303                                              isec->sclass, NULL, &sid);
1304                 if (rc)
1305                         goto out_unlock;
1306                 isec->sid = sid;
1307                 break;
1308         case SECURITY_FS_USE_MNTPOINT:
1309                 isec->sid = sbsec->mntpoint_sid;
1310                 break;
1311         default:
1312                 /* Default to the fs superblock SID. */
1313                 isec->sid = sbsec->sid;
1314
1315                 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1316                         if (opt_dentry) {
1317                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1318                                 rc = selinux_proc_get_sid(opt_dentry,
1319                                                           isec->sclass,
1320                                                           &sid);
1321                                 if (rc)
1322                                         goto out_unlock;
1323                                 isec->sid = sid;
1324                         }
1325                 }
1326                 break;
1327         }
1328
1329         isec->initialized = 1;
1330
1331 out_unlock:
1332         mutex_unlock(&isec->lock);
1333 out:
1334         if (isec->sclass == SECCLASS_FILE)
1335                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1336         return rc;
1337 }
1338
1339 /* Convert a Linux signal to an access vector. */
1340 static inline u32 signal_to_av(int sig)
1341 {
1342         u32 perm = 0;
1343
1344         switch (sig) {
1345         case SIGCHLD:
1346                 /* Commonly granted from child to parent. */
1347                 perm = PROCESS__SIGCHLD;
1348                 break;
1349         case SIGKILL:
1350                 /* Cannot be caught or ignored */
1351                 perm = PROCESS__SIGKILL;
1352                 break;
1353         case SIGSTOP:
1354                 /* Cannot be caught or ignored */
1355                 perm = PROCESS__SIGSTOP;
1356                 break;
1357         default:
1358                 /* All other signals. */
1359                 perm = PROCESS__SIGNAL;
1360                 break;
1361         }
1362
1363         return perm;
1364 }
1365
1366 /*
1367  * Check permission between a pair of credentials
1368  * fork check, ptrace check, etc.
1369  */
1370 static int cred_has_perm(const struct cred *actor,
1371                          const struct cred *target,
1372                          u32 perms)
1373 {
1374         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1375
1376         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1377 }
1378
1379 /*
1380  * Check permission between a pair of tasks, e.g. signal checks,
1381  * fork check, ptrace check, etc.
1382  * tsk1 is the actor and tsk2 is the target
1383  * - this uses the default subjective creds of tsk1
1384  */
1385 static int task_has_perm(const struct task_struct *tsk1,
1386                          const struct task_struct *tsk2,
1387                          u32 perms)
1388 {
1389         const struct task_security_struct *__tsec1, *__tsec2;
1390         u32 sid1, sid2;
1391
1392         rcu_read_lock();
1393         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1394         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1395         rcu_read_unlock();
1396         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1397 }
1398
1399 /*
1400  * Check permission between current and another task, e.g. signal checks,
1401  * fork check, ptrace check, etc.
1402  * current is the actor and tsk2 is the target
1403  * - this uses current's subjective creds
1404  */
1405 static int current_has_perm(const struct task_struct *tsk,
1406                             u32 perms)
1407 {
1408         u32 sid, tsid;
1409
1410         sid = current_sid();
1411         tsid = task_sid(tsk);
1412         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1413 }
1414
1415 #if CAP_LAST_CAP > 63
1416 #error Fix SELinux to handle capabilities > 63.
1417 #endif
1418
1419 /* Check whether a task is allowed to use a capability. */
1420 static int task_has_capability(struct task_struct *tsk,
1421                                const struct cred *cred,
1422                                int cap, int audit)
1423 {
1424         struct common_audit_data ad;
1425         struct av_decision avd;
1426         u16 sclass;
1427         u32 sid = cred_sid(cred);
1428         u32 av = CAP_TO_MASK(cap);
1429         int rc;
1430
1431         COMMON_AUDIT_DATA_INIT(&ad, CAP);
1432         ad.tsk = tsk;
1433         ad.u.cap = cap;
1434
1435         switch (CAP_TO_INDEX(cap)) {
1436         case 0:
1437                 sclass = SECCLASS_CAPABILITY;
1438                 break;
1439         case 1:
1440                 sclass = SECCLASS_CAPABILITY2;
1441                 break;
1442         default:
1443                 printk(KERN_ERR
1444                        "SELinux:  out of range capability %d\n", cap);
1445                 BUG();
1446                 return -EINVAL;
1447         }
1448
1449         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1450         if (audit == SECURITY_CAP_AUDIT) {
1451                 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1452                 if (rc2)
1453                         return rc2;
1454         }
1455         return rc;
1456 }
1457
1458 /* Check whether a task is allowed to use a system operation. */
1459 static int task_has_system(struct task_struct *tsk,
1460                            u32 perms)
1461 {
1462         u32 sid = task_sid(tsk);
1463
1464         return avc_has_perm(sid, SECINITSID_KERNEL,
1465                             SECCLASS_SYSTEM, perms, NULL);
1466 }
1467
1468 /* Check whether a task has a particular permission to an inode.
1469    The 'adp' parameter is optional and allows other audit
1470    data to be passed (e.g. the dentry). */
1471 static int inode_has_perm(const struct cred *cred,
1472                           struct inode *inode,
1473                           u32 perms,
1474                           struct common_audit_data *adp,
1475                           unsigned flags)
1476 {
1477         struct inode_security_struct *isec;
1478         struct common_audit_data ad;
1479         u32 sid;
1480
1481         validate_creds(cred);
1482
1483         if (unlikely(IS_PRIVATE(inode)))
1484                 return 0;
1485
1486         sid = cred_sid(cred);
1487         isec = inode->i_security;
1488
1489         if (!adp) {
1490                 adp = &ad;
1491                 COMMON_AUDIT_DATA_INIT(&ad, INODE);
1492                 ad.u.inode = inode;
1493         }
1494
1495         return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1496 }
1497
1498 /* Same as inode_has_perm, but pass explicit audit data containing
1499    the dentry to help the auditing code to more easily generate the
1500    pathname if needed. */
1501 static inline int dentry_has_perm(const struct cred *cred,
1502                                   struct vfsmount *mnt,
1503                                   struct dentry *dentry,
1504                                   u32 av)
1505 {
1506         struct inode *inode = dentry->d_inode;
1507         struct common_audit_data ad;
1508
1509         COMMON_AUDIT_DATA_INIT(&ad, PATH);
1510         ad.u.path.mnt = mnt;
1511         ad.u.path.dentry = dentry;
1512         return inode_has_perm(cred, inode, av, &ad, 0);
1513 }
1514
1515 /* Check whether a task can use an open file descriptor to
1516    access an inode in a given way.  Check access to the
1517    descriptor itself, and then use dentry_has_perm to
1518    check a particular permission to the file.
1519    Access to the descriptor is implicitly granted if it
1520    has the same SID as the process.  If av is zero, then
1521    access to the file is not checked, e.g. for cases
1522    where only the descriptor is affected like seek. */
1523 static int file_has_perm(const struct cred *cred,
1524                          struct file *file,
1525                          u32 av)
1526 {
1527         struct file_security_struct *fsec = file->f_security;
1528         struct inode *inode = file->f_path.dentry->d_inode;
1529         struct common_audit_data ad;
1530         u32 sid = cred_sid(cred);
1531         int rc;
1532
1533         COMMON_AUDIT_DATA_INIT(&ad, PATH);
1534         ad.u.path = file->f_path;
1535
1536         if (sid != fsec->sid) {
1537                 rc = avc_has_perm(sid, fsec->sid,
1538                                   SECCLASS_FD,
1539                                   FD__USE,
1540                                   &ad);
1541                 if (rc)
1542                         goto out;
1543         }
1544
1545         /* av is zero if only checking access to the descriptor. */
1546         rc = 0;
1547         if (av)
1548                 rc = inode_has_perm(cred, inode, av, &ad, 0);
1549
1550 out:
1551         return rc;
1552 }
1553
1554 /* Check whether a task can create a file. */
1555 static int may_create(struct inode *dir,
1556                       struct dentry *dentry,
1557                       u16 tclass)
1558 {
1559         const struct task_security_struct *tsec = current_security();
1560         struct inode_security_struct *dsec;
1561         struct superblock_security_struct *sbsec;
1562         u32 sid, newsid;
1563         struct common_audit_data ad;
1564         int rc;
1565
1566         dsec = dir->i_security;
1567         sbsec = dir->i_sb->s_security;
1568
1569         sid = tsec->sid;
1570         newsid = tsec->create_sid;
1571
1572         COMMON_AUDIT_DATA_INIT(&ad, PATH);
1573         ad.u.path.dentry = dentry;
1574
1575         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1576                           DIR__ADD_NAME | DIR__SEARCH,
1577                           &ad);
1578         if (rc)
1579                 return rc;
1580
1581         if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1582                 rc = security_transition_sid(sid, dsec->sid, tclass, NULL, &newsid);
1583                 if (rc)
1584                         return rc;
1585         }
1586
1587         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1588         if (rc)
1589                 return rc;
1590
1591         return avc_has_perm(newsid, sbsec->sid,
1592                             SECCLASS_FILESYSTEM,
1593                             FILESYSTEM__ASSOCIATE, &ad);
1594 }
1595
1596 /* Check whether a task can create a key. */
1597 static int may_create_key(u32 ksid,
1598                           struct task_struct *ctx)
1599 {
1600         u32 sid = task_sid(ctx);
1601
1602         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1603 }
1604
1605 #define MAY_LINK        0
1606 #define MAY_UNLINK      1
1607 #define MAY_RMDIR       2
1608
1609 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1610 static int may_link(struct inode *dir,
1611                     struct dentry *dentry,
1612                     int kind)
1613
1614 {
1615         struct inode_security_struct *dsec, *isec;
1616         struct common_audit_data ad;
1617         u32 sid = current_sid();
1618         u32 av;
1619         int rc;
1620
1621         dsec = dir->i_security;
1622         isec = dentry->d_inode->i_security;
1623
1624         COMMON_AUDIT_DATA_INIT(&ad, PATH);
1625         ad.u.path.dentry = dentry;
1626
1627         av = DIR__SEARCH;
1628         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1629         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1630         if (rc)
1631                 return rc;
1632
1633         switch (kind) {
1634         case MAY_LINK:
1635                 av = FILE__LINK;
1636                 break;
1637         case MAY_UNLINK:
1638                 av = FILE__UNLINK;
1639                 break;
1640         case MAY_RMDIR:
1641                 av = DIR__RMDIR;
1642                 break;
1643         default:
1644                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1645                         __func__, kind);
1646                 return 0;
1647         }
1648
1649         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1650         return rc;
1651 }
1652
1653 static inline int may_rename(struct inode *old_dir,
1654                              struct dentry *old_dentry,
1655                              struct inode *new_dir,
1656                              struct dentry *new_dentry)
1657 {
1658         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1659         struct common_audit_data ad;
1660         u32 sid = current_sid();
1661         u32 av;
1662         int old_is_dir, new_is_dir;
1663         int rc;
1664
1665         old_dsec = old_dir->i_security;
1666         old_isec = old_dentry->d_inode->i_security;
1667         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1668         new_dsec = new_dir->i_security;
1669
1670         COMMON_AUDIT_DATA_INIT(&ad, PATH);
1671
1672         ad.u.path.dentry = old_dentry;
1673         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1674                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1675         if (rc)
1676                 return rc;
1677         rc = avc_has_perm(sid, old_isec->sid,
1678                           old_isec->sclass, FILE__RENAME, &ad);
1679         if (rc)
1680                 return rc;
1681         if (old_is_dir && new_dir != old_dir) {
1682                 rc = avc_has_perm(sid, old_isec->sid,
1683                                   old_isec->sclass, DIR__REPARENT, &ad);
1684                 if (rc)
1685                         return rc;
1686         }
1687
1688         ad.u.path.dentry = new_dentry;
1689         av = DIR__ADD_NAME | DIR__SEARCH;
1690         if (new_dentry->d_inode)
1691                 av |= DIR__REMOVE_NAME;
1692         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1693         if (rc)
1694                 return rc;
1695         if (new_dentry->d_inode) {
1696                 new_isec = new_dentry->d_inode->i_security;
1697                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1698                 rc = avc_has_perm(sid, new_isec->sid,
1699                                   new_isec->sclass,
1700                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1701                 if (rc)
1702                         return rc;
1703         }
1704
1705         return 0;
1706 }
1707
1708 /* Check whether a task can perform a filesystem operation. */
1709 static int superblock_has_perm(const struct cred *cred,
1710                                struct super_block *sb,
1711                                u32 perms,
1712                                struct common_audit_data *ad)
1713 {
1714         struct superblock_security_struct *sbsec;
1715         u32 sid = cred_sid(cred);
1716
1717         sbsec = sb->s_security;
1718         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1719 }
1720
1721 /* Convert a Linux mode and permission mask to an access vector. */
1722 static inline u32 file_mask_to_av(int mode, int mask)
1723 {
1724         u32 av = 0;
1725
1726         if ((mode & S_IFMT) != S_IFDIR) {
1727                 if (mask & MAY_EXEC)
1728                         av |= FILE__EXECUTE;
1729                 if (mask & MAY_READ)
1730                         av |= FILE__READ;
1731
1732                 if (mask & MAY_APPEND)
1733                         av |= FILE__APPEND;
1734                 else if (mask & MAY_WRITE)
1735                         av |= FILE__WRITE;
1736
1737         } else {
1738                 if (mask & MAY_EXEC)
1739                         av |= DIR__SEARCH;
1740                 if (mask & MAY_WRITE)
1741                         av |= DIR__WRITE;
1742                 if (mask & MAY_READ)
1743                         av |= DIR__READ;
1744         }
1745
1746         return av;
1747 }
1748
1749 /* Convert a Linux file to an access vector. */
1750 static inline u32 file_to_av(struct file *file)
1751 {
1752         u32 av = 0;
1753
1754         if (file->f_mode & FMODE_READ)
1755                 av |= FILE__READ;
1756         if (file->f_mode & FMODE_WRITE) {
1757                 if (file->f_flags & O_APPEND)
1758                         av |= FILE__APPEND;
1759                 else
1760                         av |= FILE__WRITE;
1761         }
1762         if (!av) {
1763                 /*
1764                  * Special file opened with flags 3 for ioctl-only use.
1765                  */
1766                 av = FILE__IOCTL;
1767         }
1768
1769         return av;
1770 }
1771
1772 /*
1773  * Convert a file to an access vector and include the correct open
1774  * open permission.
1775  */
1776 static inline u32 open_file_to_av(struct file *file)
1777 {
1778         u32 av = file_to_av(file);
1779
1780         if (selinux_policycap_openperm)
1781                 av |= FILE__OPEN;
1782
1783         return av;
1784 }
1785
1786 /* Hook functions begin here. */
1787
1788 static int selinux_ptrace_access_check(struct task_struct *child,
1789                                      unsigned int mode)
1790 {
1791         int rc;
1792
1793         rc = cap_ptrace_access_check(child, mode);
1794         if (rc)
1795                 return rc;
1796
1797         if (mode == PTRACE_MODE_READ) {
1798                 u32 sid = current_sid();
1799                 u32 csid = task_sid(child);
1800                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1801         }
1802
1803         return current_has_perm(child, PROCESS__PTRACE);
1804 }
1805
1806 static int selinux_ptrace_traceme(struct task_struct *parent)
1807 {
1808         int rc;
1809
1810         rc = cap_ptrace_traceme(parent);
1811         if (rc)
1812                 return rc;
1813
1814         return task_has_perm(parent, current, PROCESS__PTRACE);
1815 }
1816
1817 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1818                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1819 {
1820         int error;
1821
1822         error = current_has_perm(target, PROCESS__GETCAP);
1823         if (error)
1824                 return error;
1825
1826         return cap_capget(target, effective, inheritable, permitted);
1827 }
1828
1829 static int selinux_capset(struct cred *new, const struct cred *old,
1830                           const kernel_cap_t *effective,
1831                           const kernel_cap_t *inheritable,
1832                           const kernel_cap_t *permitted)
1833 {
1834         int error;
1835
1836         error = cap_capset(new, old,
1837                                       effective, inheritable, permitted);
1838         if (error)
1839                 return error;
1840
1841         return cred_has_perm(old, new, PROCESS__SETCAP);
1842 }
1843
1844 /*
1845  * (This comment used to live with the selinux_task_setuid hook,
1846  * which was removed).
1847  *
1848  * Since setuid only affects the current process, and since the SELinux
1849  * controls are not based on the Linux identity attributes, SELinux does not
1850  * need to control this operation.  However, SELinux does control the use of
1851  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1852  */
1853
1854 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1855                            int cap, int audit)
1856 {
1857         int rc;
1858
1859         rc = cap_capable(tsk, cred, cap, audit);
1860         if (rc)
1861                 return rc;
1862
1863         return task_has_capability(tsk, cred, cap, audit);
1864 }
1865
1866 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1867 {
1868         const struct cred *cred = current_cred();
1869         int rc = 0;
1870
1871         if (!sb)
1872                 return 0;
1873
1874         switch (cmds) {
1875         case Q_SYNC:
1876         case Q_QUOTAON:
1877         case Q_QUOTAOFF:
1878         case Q_SETINFO:
1879         case Q_SETQUOTA:
1880                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1881                 break;
1882         case Q_GETFMT:
1883         case Q_GETINFO:
1884         case Q_GETQUOTA:
1885                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1886                 break;
1887         default:
1888                 rc = 0;  /* let the kernel handle invalid cmds */
1889                 break;
1890         }
1891         return rc;
1892 }
1893
1894 static int selinux_quota_on(struct dentry *dentry)
1895 {
1896         const struct cred *cred = current_cred();
1897
1898         return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1899 }
1900
1901 static int selinux_syslog(int type)
1902 {
1903         int rc;
1904
1905         switch (type) {
1906         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
1907         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1908                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1909                 break;
1910         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1911         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
1912         /* Set level of messages printed to console */
1913         case SYSLOG_ACTION_CONSOLE_LEVEL:
1914                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1915                 break;
1916         case SYSLOG_ACTION_CLOSE:       /* Close log */
1917         case SYSLOG_ACTION_OPEN:        /* Open log */
1918         case SYSLOG_ACTION_READ:        /* Read from log */
1919         case SYSLOG_ACTION_READ_CLEAR:  /* Read/clear last kernel messages */
1920         case SYSLOG_ACTION_CLEAR:       /* Clear ring buffer */
1921         default:
1922                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1923                 break;
1924         }
1925         return rc;
1926 }
1927
1928 /*
1929  * Check that a process has enough memory to allocate a new virtual
1930  * mapping. 0 means there is enough memory for the allocation to
1931  * succeed and -ENOMEM implies there is not.
1932  *
1933  * Do not audit the selinux permission check, as this is applied to all
1934  * processes that allocate mappings.
1935  */
1936 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1937 {
1938         int rc, cap_sys_admin = 0;
1939
1940         rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
1941                              SECURITY_CAP_NOAUDIT);
1942         if (rc == 0)
1943                 cap_sys_admin = 1;
1944
1945         return __vm_enough_memory(mm, pages, cap_sys_admin);
1946 }
1947
1948 /* binprm security operations */
1949
1950 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1951 {
1952         const struct task_security_struct *old_tsec;
1953         struct task_security_struct *new_tsec;
1954         struct inode_security_struct *isec;
1955         struct common_audit_data ad;
1956         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1957         int rc;
1958
1959         rc = cap_bprm_set_creds(bprm);
1960         if (rc)
1961                 return rc;
1962
1963         /* SELinux context only depends on initial program or script and not
1964          * the script interpreter */
1965         if (bprm->cred_prepared)
1966                 return 0;
1967
1968         old_tsec = current_security();
1969         new_tsec = bprm->cred->security;
1970         isec = inode->i_security;
1971
1972         /* Default to the current task SID. */
1973         new_tsec->sid = old_tsec->sid;
1974         new_tsec->osid = old_tsec->sid;
1975
1976         /* Reset fs, key, and sock SIDs on execve. */
1977         new_tsec->create_sid = 0;
1978         new_tsec->keycreate_sid = 0;
1979         new_tsec->sockcreate_sid = 0;
1980
1981         if (old_tsec->exec_sid) {
1982                 new_tsec->sid = old_tsec->exec_sid;
1983                 /* Reset exec SID on execve. */
1984                 new_tsec->exec_sid = 0;
1985         } else {
1986                 /* Check for a default transition on this program. */
1987                 rc = security_transition_sid(old_tsec->sid, isec->sid,
1988                                              SECCLASS_PROCESS, NULL,
1989                                              &new_tsec->sid);
1990                 if (rc)
1991                         return rc;
1992         }
1993
1994         COMMON_AUDIT_DATA_INIT(&ad, PATH);
1995         ad.u.path = bprm->file->f_path;
1996
1997         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1998                 new_tsec->sid = old_tsec->sid;
1999
2000         if (new_tsec->sid == old_tsec->sid) {
2001                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2002                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2003                 if (rc)
2004                         return rc;
2005         } else {
2006                 /* Check permissions for the transition. */
2007                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2008                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2009                 if (rc)
2010                         return rc;
2011
2012                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2013                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2014                 if (rc)
2015                         return rc;
2016
2017                 /* Check for shared state */
2018                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2019                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2020                                           SECCLASS_PROCESS, PROCESS__SHARE,
2021                                           NULL);
2022                         if (rc)
2023                                 return -EPERM;
2024                 }
2025
2026                 /* Make sure that anyone attempting to ptrace over a task that
2027                  * changes its SID has the appropriate permit */
2028                 if (bprm->unsafe &
2029                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2030                         struct task_struct *tracer;
2031                         struct task_security_struct *sec;
2032                         u32 ptsid = 0;
2033
2034                         rcu_read_lock();
2035                         tracer = tracehook_tracer_task(current);
2036                         if (likely(tracer != NULL)) {
2037                                 sec = __task_cred(tracer)->security;
2038                                 ptsid = sec->sid;
2039                         }
2040                         rcu_read_unlock();
2041
2042                         if (ptsid != 0) {
2043                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2044                                                   SECCLASS_PROCESS,
2045                                                   PROCESS__PTRACE, NULL);
2046                                 if (rc)
2047                                         return -EPERM;
2048                         }
2049                 }
2050
2051                 /* Clear any possibly unsafe personality bits on exec: */
2052                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2053         }
2054
2055         return 0;
2056 }
2057
2058 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2059 {
2060         const struct task_security_struct *tsec = current_security();
2061         u32 sid, osid;
2062         int atsecure = 0;
2063
2064         sid = tsec->sid;
2065         osid = tsec->osid;
2066
2067         if (osid != sid) {
2068                 /* Enable secure mode for SIDs transitions unless
2069                    the noatsecure permission is granted between
2070                    the two SIDs, i.e. ahp returns 0. */
2071                 atsecure = avc_has_perm(osid, sid,
2072                                         SECCLASS_PROCESS,
2073                                         PROCESS__NOATSECURE, NULL);
2074         }
2075
2076         return (atsecure || cap_bprm_secureexec(bprm));
2077 }
2078
2079 extern struct vfsmount *selinuxfs_mount;
2080 extern struct dentry *selinux_null;
2081
2082 /* Derived from fs/exec.c:flush_old_files. */
2083 static inline void flush_unauthorized_files(const struct cred *cred,
2084                                             struct files_struct *files)
2085 {
2086         struct common_audit_data ad;
2087         struct file *file, *devnull = NULL;
2088         struct tty_struct *tty;
2089         struct fdtable *fdt;
2090         long j = -1;
2091         int drop_tty = 0;
2092
2093         tty = get_current_tty();
2094         if (tty) {
2095                 spin_lock(&tty_files_lock);
2096                 if (!list_empty(&tty->tty_files)) {
2097                         struct tty_file_private *file_priv;
2098                         struct inode *inode;
2099
2100                         /* Revalidate access to controlling tty.
2101                            Use inode_has_perm on the tty inode directly rather
2102                            than using file_has_perm, as this particular open
2103                            file may belong to another process and we are only
2104                            interested in the inode-based check here. */
2105                         file_priv = list_first_entry(&tty->tty_files,
2106                                                 struct tty_file_private, list);
2107                         file = file_priv->file;
2108                         inode = file->f_path.dentry->d_inode;
2109                         if (inode_has_perm(cred, inode,
2110                                            FILE__READ | FILE__WRITE, NULL, 0)) {
2111                                 drop_tty = 1;
2112                         }
2113                 }
2114                 spin_unlock(&tty_files_lock);
2115                 tty_kref_put(tty);
2116         }
2117         /* Reset controlling tty. */
2118         if (drop_tty)
2119                 no_tty();
2120
2121         /* Revalidate access to inherited open files. */
2122
2123         COMMON_AUDIT_DATA_INIT(&ad, INODE);
2124
2125         spin_lock(&files->file_lock);
2126         for (;;) {
2127                 unsigned long set, i;
2128                 int fd;
2129
2130                 j++;
2131                 i = j * __NFDBITS;
2132                 fdt = files_fdtable(files);
2133                 if (i >= fdt->max_fds)
2134                         break;
2135                 set = fdt->open_fds->fds_bits[j];
2136                 if (!set)
2137                         continue;
2138                 spin_unlock(&files->file_lock);
2139                 for ( ; set ; i++, set >>= 1) {
2140                         if (set & 1) {
2141                                 file = fget(i);
2142                                 if (!file)
2143                                         continue;
2144                                 if (file_has_perm(cred,
2145                                                   file,
2146                                                   file_to_av(file))) {
2147                                         sys_close(i);
2148                                         fd = get_unused_fd();
2149                                         if (fd != i) {
2150                                                 if (fd >= 0)
2151                                                         put_unused_fd(fd);
2152                                                 fput(file);
2153                                                 continue;
2154                                         }
2155                                         if (devnull) {
2156                                                 get_file(devnull);
2157                                         } else {
2158                                                 devnull = dentry_open(
2159                                                         dget(selinux_null),
2160                                                         mntget(selinuxfs_mount),
2161                                                         O_RDWR, cred);
2162                                                 if (IS_ERR(devnull)) {
2163                                                         devnull = NULL;
2164                                                         put_unused_fd(fd);
2165                                                         fput(file);
2166                                                         continue;
2167                                                 }
2168                                         }
2169                                         fd_install(fd, devnull);
2170                                 }
2171                                 fput(file);
2172                         }
2173                 }
2174                 spin_lock(&files->file_lock);
2175
2176         }
2177         spin_unlock(&files->file_lock);
2178 }
2179
2180 /*
2181  * Prepare a process for imminent new credential changes due to exec
2182  */
2183 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2184 {
2185         struct task_security_struct *new_tsec;
2186         struct rlimit *rlim, *initrlim;
2187         int rc, i;
2188
2189         new_tsec = bprm->cred->security;
2190         if (new_tsec->sid == new_tsec->osid)
2191                 return;
2192
2193         /* Close files for which the new task SID is not authorized. */
2194         flush_unauthorized_files(bprm->cred, current->files);
2195
2196         /* Always clear parent death signal on SID transitions. */
2197         current->pdeath_signal = 0;
2198
2199         /* Check whether the new SID can inherit resource limits from the old
2200          * SID.  If not, reset all soft limits to the lower of the current
2201          * task's hard limit and the init task's soft limit.
2202          *
2203          * Note that the setting of hard limits (even to lower them) can be
2204          * controlled by the setrlimit check.  The inclusion of the init task's
2205          * soft limit into the computation is to avoid resetting soft limits
2206          * higher than the default soft limit for cases where the default is
2207          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2208          */
2209         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2210                           PROCESS__RLIMITINH, NULL);
2211         if (rc) {
2212                 /* protect against do_prlimit() */
2213                 task_lock(current);
2214                 for (i = 0; i < RLIM_NLIMITS; i++) {
2215                         rlim = current->signal->rlim + i;
2216                         initrlim = init_task.signal->rlim + i;
2217                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2218                 }
2219                 task_unlock(current);
2220                 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2221         }
2222 }
2223
2224 /*
2225  * Clean up the process immediately after the installation of new credentials
2226  * due to exec
2227  */
2228 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2229 {
2230         const struct task_security_struct *tsec = current_security();
2231         struct itimerval itimer;
2232         u32 osid, sid;
2233         int rc, i;
2234
2235         osid = tsec->osid;
2236         sid = tsec->sid;
2237
2238         if (sid == osid)
2239                 return;
2240
2241         /* Check whether the new SID can inherit signal state from the old SID.
2242          * If not, clear itimers to avoid subsequent signal generation and
2243          * flush and unblock signals.
2244          *
2245          * This must occur _after_ the task SID has been updated so that any
2246          * kill done after the flush will be checked against the new SID.
2247          */
2248         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2249         if (rc) {
2250                 memset(&itimer, 0, sizeof itimer);
2251                 for (i = 0; i < 3; i++)
2252                         do_setitimer(i, &itimer, NULL);
2253                 spin_lock_irq(&current->sighand->siglock);
2254                 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2255                         __flush_signals(current);
2256                         flush_signal_handlers(current, 1);
2257                         sigemptyset(&current->blocked);
2258                 }
2259                 spin_unlock_irq(&current->sighand->siglock);
2260         }
2261
2262         /* Wake up the parent if it is waiting so that it can recheck
2263          * wait permission to the new task SID. */
2264         read_lock(&tasklist_lock);
2265         __wake_up_parent(current, current->real_parent);
2266         read_unlock(&tasklist_lock);
2267 }
2268
2269 /* superblock security operations */
2270
2271 static int selinux_sb_alloc_security(struct super_block *sb)
2272 {
2273         return superblock_alloc_security(sb);
2274 }
2275
2276 static void selinux_sb_free_security(struct super_block *sb)
2277 {
2278         superblock_free_security(sb);
2279 }
2280
2281 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2282 {
2283         if (plen > olen)
2284                 return 0;
2285
2286         return !memcmp(prefix, option, plen);
2287 }
2288
2289 static inline int selinux_option(char *option, int len)
2290 {
2291         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2292                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2293                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2294                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2295                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2296 }
2297
2298 static inline void take_option(char **to, char *from, int *first, int len)
2299 {
2300         if (!*first) {
2301                 **to = ',';
2302                 *to += 1;
2303         } else
2304                 *first = 0;
2305         memcpy(*to, from, len);
2306         *to += len;
2307 }
2308
2309 static inline void take_selinux_option(char **to, char *from, int *first,
2310                                        int len)
2311 {
2312         int current_size = 0;
2313
2314         if (!*first) {
2315                 **to = '|';
2316                 *to += 1;
2317         } else
2318                 *first = 0;
2319
2320         while (current_size < len) {
2321                 if (*from != '"') {
2322                         **to = *from;
2323                         *to += 1;
2324                 }
2325                 from += 1;
2326                 current_size += 1;
2327         }
2328 }
2329
2330 static int selinux_sb_copy_data(char *orig, char *copy)
2331 {
2332         int fnosec, fsec, rc = 0;
2333         char *in_save, *in_curr, *in_end;
2334         char *sec_curr, *nosec_save, *nosec;
2335         int open_quote = 0;
2336
2337         in_curr = orig;
2338         sec_curr = copy;
2339
2340         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2341         if (!nosec) {
2342                 rc = -ENOMEM;
2343                 goto out;
2344         }
2345
2346         nosec_save = nosec;
2347         fnosec = fsec = 1;
2348         in_save = in_end = orig;
2349
2350         do {
2351                 if (*in_end == '"')
2352                         open_quote = !open_quote;
2353                 if ((*in_end == ',' && open_quote == 0) ||
2354                                 *in_end == '\0') {
2355                         int len = in_end - in_curr;
2356
2357                         if (selinux_option(in_curr, len))
2358                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2359                         else
2360                                 take_option(&nosec, in_curr, &fnosec, len);
2361
2362                         in_curr = in_end + 1;
2363                 }
2364         } while (*in_end++);
2365
2366         strcpy(in_save, nosec_save);
2367         free_page((unsigned long)nosec_save);
2368 out:
2369         return rc;
2370 }
2371
2372 static int selinux_sb_remount(struct super_block *sb, void *data)
2373 {
2374         int rc, i, *flags;
2375         struct security_mnt_opts opts;
2376         char *secdata, **mount_options;
2377         struct superblock_security_struct *sbsec = sb->s_security;
2378
2379         if (!(sbsec->flags & SE_SBINITIALIZED))
2380                 return 0;
2381
2382         if (!data)
2383                 return 0;
2384
2385         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2386                 return 0;
2387
2388         security_init_mnt_opts(&opts);
2389         secdata = alloc_secdata();
2390         if (!secdata)
2391                 return -ENOMEM;
2392         rc = selinux_sb_copy_data(data, secdata);
2393         if (rc)
2394                 goto out_free_secdata;
2395
2396         rc = selinux_parse_opts_str(secdata, &opts);
2397         if (rc)
2398                 goto out_free_secdata;
2399
2400         mount_options = opts.mnt_opts;
2401         flags = opts.mnt_opts_flags;
2402
2403         for (i = 0; i < opts.num_mnt_opts; i++) {
2404                 u32 sid;
2405                 size_t len;
2406
2407                 if (flags[i] == SE_SBLABELSUPP)
2408                         continue;
2409                 len = strlen(mount_options[i]);
2410                 rc = security_context_to_sid(mount_options[i], len, &sid);
2411                 if (rc) {
2412                         printk(KERN_WARNING "SELinux: security_context_to_sid"
2413                                "(%s) failed for (dev %s, type %s) errno=%d\n",
2414                                mount_options[i], sb->s_id, sb->s_type->name, rc);
2415                         goto out_free_opts;
2416                 }
2417                 rc = -EINVAL;
2418                 switch (flags[i]) {
2419                 case FSCONTEXT_MNT:
2420                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2421                                 goto out_bad_option;
2422                         break;
2423                 case CONTEXT_MNT:
2424                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2425                                 goto out_bad_option;
2426                         break;
2427                 case ROOTCONTEXT_MNT: {
2428                         struct inode_security_struct *root_isec;
2429                         root_isec = sb->s_root->d_inode->i_security;
2430
2431                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2432                                 goto out_bad_option;
2433                         break;
2434                 }
2435                 case DEFCONTEXT_MNT:
2436                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2437                                 goto out_bad_option;
2438                         break;
2439                 default:
2440                         goto out_free_opts;
2441                 }
2442         }
2443
2444         rc = 0;
2445 out_free_opts:
2446         security_free_mnt_opts(&opts);
2447 out_free_secdata:
2448         free_secdata(secdata);
2449         return rc;
2450 out_bad_option:
2451         printk(KERN_WARNING "SELinux: unable to change security options "
2452                "during remount (dev %s, type=%s)\n", sb->s_id,
2453                sb->s_type->name);
2454         goto out_free_opts;
2455 }
2456
2457 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2458 {
2459         const struct cred *cred = current_cred();
2460         struct common_audit_data ad;
2461         int rc;
2462
2463         rc = superblock_doinit(sb, data);
2464         if (rc)
2465                 return rc;
2466
2467         /* Allow all mounts performed by the kernel */
2468         if (flags & MS_KERNMOUNT)
2469                 return 0;
2470
2471         COMMON_AUDIT_DATA_INIT(&ad, PATH);
2472         ad.u.path.dentry = sb->s_root;
2473         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2474 }
2475
2476 static int selinux_sb_statfs(struct dentry *dentry)
2477 {
2478         const struct cred *cred = current_cred();
2479         struct common_audit_data ad;
2480
2481         COMMON_AUDIT_DATA_INIT(&ad, PATH);
2482         ad.u.path.dentry = dentry->d_sb->s_root;
2483         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2484 }
2485
2486 static int selinux_mount(char *dev_name,
2487                          struct path *path,
2488                          char *type,
2489                          unsigned long flags,
2490                          void *data)
2491 {
2492         const struct cred *cred = current_cred();
2493
2494         if (flags & MS_REMOUNT)
2495                 return superblock_has_perm(cred, path->mnt->mnt_sb,
2496                                            FILESYSTEM__REMOUNT, NULL);
2497         else
2498                 return dentry_has_perm(cred, path->mnt, path->dentry,
2499                                        FILE__MOUNTON);
2500 }
2501
2502 static int selinux_umount(struct vfsmount *mnt, int flags)
2503 {
2504         const struct cred *cred = current_cred();
2505
2506         return superblock_has_perm(cred, mnt->mnt_sb,
2507                                    FILESYSTEM__UNMOUNT, NULL);
2508 }
2509
2510 /* inode security operations */
2511
2512 static int selinux_inode_alloc_security(struct inode *inode)
2513 {
2514         return inode_alloc_security(inode);
2515 }
2516
2517 static void selinux_inode_free_security(struct inode *inode)
2518 {
2519         inode_free_security(inode);
2520 }
2521
2522 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2523                                        const struct qstr *qstr, char **name,
2524                                        void **value, size_t *len)
2525 {
2526         const struct task_security_struct *tsec = current_security();
2527         struct inode_security_struct *dsec;
2528         struct superblock_security_struct *sbsec;
2529         u32 sid, newsid, clen;
2530         int rc;
2531         char *namep = NULL, *context;
2532
2533         dsec = dir->i_security;
2534         sbsec = dir->i_sb->s_security;
2535
2536         sid = tsec->sid;
2537         newsid = tsec->create_sid;
2538
2539         if ((sbsec->flags & SE_SBINITIALIZED) &&
2540             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2541                 newsid = sbsec->mntpoint_sid;
2542         else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2543                 rc = security_transition_sid(sid, dsec->sid,
2544                                              inode_mode_to_security_class(inode->i_mode),
2545                                              qstr, &newsid);
2546                 if (rc) {
2547                         printk(KERN_WARNING "%s:  "
2548                                "security_transition_sid failed, rc=%d (dev=%s "
2549                                "ino=%ld)\n",
2550                                __func__,
2551                                -rc, inode->i_sb->s_id, inode->i_ino);
2552                         return rc;
2553                 }
2554         }
2555
2556         /* Possibly defer initialization to selinux_complete_init. */
2557         if (sbsec->flags & SE_SBINITIALIZED) {
2558                 struct inode_security_struct *isec = inode->i_security;
2559                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2560                 isec->sid = newsid;
2561                 isec->initialized = 1;
2562         }
2563
2564         if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2565                 return -EOPNOTSUPP;
2566
2567         if (name) {
2568                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2569                 if (!namep)
2570                         return -ENOMEM;
2571                 *name = namep;
2572         }
2573
2574         if (value && len) {
2575                 rc = security_sid_to_context_force(newsid, &context, &clen);
2576                 if (rc) {
2577                         kfree(namep);
2578                         return rc;
2579                 }
2580                 *value = context;
2581                 *len = clen;
2582         }
2583
2584         return 0;
2585 }
2586
2587 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2588 {
2589         return may_create(dir, dentry, SECCLASS_FILE);
2590 }
2591
2592 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2593 {
2594         return may_link(dir, old_dentry, MAY_LINK);
2595 }
2596
2597 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2598 {
2599         return may_link(dir, dentry, MAY_UNLINK);
2600 }
2601
2602 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2603 {
2604         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2605 }
2606
2607 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2608 {
2609         return may_create(dir, dentry, SECCLASS_DIR);
2610 }
2611
2612 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2613 {
2614         return may_link(dir, dentry, MAY_RMDIR);
2615 }
2616
2617 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2618 {
2619         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2620 }
2621
2622 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2623                                 struct inode *new_inode, struct dentry *new_dentry)
2624 {
2625         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2626 }
2627
2628 static int selinux_inode_readlink(struct dentry *dentry)
2629 {
2630         const struct cred *cred = current_cred();
2631
2632         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2633 }
2634
2635 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2636 {
2637         const struct cred *cred = current_cred();
2638
2639         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2640 }
2641
2642 static int selinux_inode_permission(struct inode *inode, int mask, unsigned flags)
2643 {
2644         const struct cred *cred = current_cred();
2645         struct common_audit_data ad;
2646         u32 perms;
2647         bool from_access;
2648
2649         from_access = mask & MAY_ACCESS;
2650         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2651
2652         /* No permission to check.  Existence test. */
2653         if (!mask)
2654                 return 0;
2655
2656         COMMON_AUDIT_DATA_INIT(&ad, INODE);
2657         ad.u.inode = inode;
2658
2659         if (from_access)
2660                 ad.selinux_audit_data.auditdeny |= FILE__AUDIT_ACCESS;
2661
2662         perms = file_mask_to_av(inode->i_mode, mask);
2663
2664         return inode_has_perm(cred, inode, perms, &ad, flags);
2665 }
2666
2667 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2668 {
2669         const struct cred *cred = current_cred();
2670         unsigned int ia_valid = iattr->ia_valid;
2671
2672         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2673         if (ia_valid & ATTR_FORCE) {
2674                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2675                               ATTR_FORCE);
2676                 if (!ia_valid)
2677                         return 0;
2678         }
2679
2680         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2681                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2682                 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2683
2684         return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2685 }
2686
2687 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2688 {
2689         const struct cred *cred = current_cred();
2690
2691         return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2692 }
2693
2694 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2695 {
2696         const struct cred *cred = current_cred();
2697
2698         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2699                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2700                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2701                         if (!capable(CAP_SETFCAP))
2702                                 return -EPERM;
2703                 } else if (!capable(CAP_SYS_ADMIN)) {
2704                         /* A different attribute in the security namespace.
2705                            Restrict to administrator. */
2706                         return -EPERM;
2707                 }
2708         }
2709
2710         /* Not an attribute we recognize, so just check the
2711            ordinary setattr permission. */
2712         return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2713 }
2714
2715 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2716                                   const void *value, size_t size, int flags)
2717 {
2718         struct inode *inode = dentry->d_inode;
2719         struct inode_security_struct *isec = inode->i_security;
2720         struct superblock_security_struct *sbsec;
2721         struct common_audit_data ad;
2722         u32 newsid, sid = current_sid();
2723         int rc = 0;
2724
2725         if (strcmp(name, XATTR_NAME_SELINUX))
2726                 return selinux_inode_setotherxattr(dentry, name);
2727
2728         sbsec = inode->i_sb->s_security;
2729         if (!(sbsec->flags & SE_SBLABELSUPP))
2730                 return -EOPNOTSUPP;
2731
2732         if (!is_owner_or_cap(inode))
2733                 return -EPERM;
2734
2735         COMMON_AUDIT_DATA_INIT(&ad, PATH);
2736         ad.u.path.dentry = dentry;
2737
2738         rc = avc_has_perm(sid, isec->sid, isec->sclass,
2739                           FILE__RELABELFROM, &ad);
2740         if (rc)
2741                 return rc;
2742
2743         rc = security_context_to_sid(value, size, &newsid);
2744         if (rc == -EINVAL) {
2745                 if (!capable(CAP_MAC_ADMIN))
2746                         return rc;
2747                 rc = security_context_to_sid_force(value, size, &newsid);
2748         }
2749         if (rc)
2750                 return rc;
2751
2752         rc = avc_has_perm(sid, newsid, isec->sclass,
2753                           FILE__RELABELTO, &ad);
2754         if (rc)
2755                 return rc;
2756
2757         rc = security_validate_transition(isec->sid, newsid, sid,
2758                                           isec->sclass);
2759         if (rc)
2760                 return rc;
2761
2762         return avc_has_perm(newsid,
2763                             sbsec->sid,
2764                             SECCLASS_FILESYSTEM,
2765                             FILESYSTEM__ASSOCIATE,
2766                             &ad);
2767 }
2768
2769 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2770                                         const void *value, size_t size,
2771                                         int flags)
2772 {
2773         struct inode *inode = dentry->d_inode;
2774         struct inode_security_struct *isec = inode->i_security;
2775         u32 newsid;
2776         int rc;
2777
2778         if (strcmp(name, XATTR_NAME_SELINUX)) {
2779                 /* Not an attribute we recognize, so nothing to do. */
2780                 return;
2781         }
2782
2783         rc = security_context_to_sid_force(value, size, &newsid);
2784         if (rc) {
2785                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2786                        "for (%s, %lu), rc=%d\n",
2787                        inode->i_sb->s_id, inode->i_ino, -rc);
2788                 return;
2789         }
2790
2791         isec->sid = newsid;
2792         return;
2793 }
2794
2795 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2796 {
2797         const struct cred *cred = current_cred();
2798
2799         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2800 }
2801
2802 static int selinux_inode_listxattr(struct dentry *dentry)
2803 {
2804         const struct cred *cred = current_cred();
2805
2806         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2807 }
2808
2809 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2810 {
2811         if (strcmp(name, XATTR_NAME_SELINUX))
2812                 return selinux_inode_setotherxattr(dentry, name);
2813
2814         /* No one is allowed to remove a SELinux security label.
2815            You can change the label, but all data must be labeled. */
2816         return -EACCES;
2817 }
2818
2819 /*
2820  * Copy the inode security context value to the user.
2821  *
2822  * Permission check is handled by selinux_inode_getxattr hook.
2823  */
2824 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2825 {
2826         u32 size;
2827         int error;
2828         char *context = NULL;
2829         struct inode_security_struct *isec = inode->i_security;
2830
2831         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2832                 return -EOPNOTSUPP;
2833
2834         /*
2835          * If the caller has CAP_MAC_ADMIN, then get the raw context
2836          * value even if it is not defined by current policy; otherwise,
2837          * use the in-core value under current policy.
2838          * Use the non-auditing forms of the permission checks since
2839          * getxattr may be called by unprivileged processes commonly
2840          * and lack of permission just means that we fall back to the
2841          * in-core context value, not a denial.
2842          */
2843         error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
2844                                 SECURITY_CAP_NOAUDIT);
2845         if (!error)
2846                 error = security_sid_to_context_force(isec->sid, &context,
2847                                                       &size);
2848         else
2849                 error = security_sid_to_context(isec->sid, &context, &size);
2850         if (error)
2851                 return error;
2852         error = size;
2853         if (alloc) {
2854                 *buffer = context;
2855                 goto out_nofree;
2856         }
2857         kfree(context);
2858 out_nofree:
2859         return error;
2860 }
2861
2862 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2863                                      const void *value, size_t size, int flags)
2864 {
2865         struct inode_security_struct *isec = inode->i_security;
2866         u32 newsid;
2867         int rc;
2868
2869         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2870                 return -EOPNOTSUPP;
2871
2872         if (!value || !size)
2873                 return -EACCES;
2874
2875         rc = security_context_to_sid((void *)value, size, &newsid);
2876         if (rc)
2877                 return rc;
2878
2879         isec->sid = newsid;
2880         isec->initialized = 1;
2881         return 0;
2882 }
2883
2884 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2885 {
2886         const int len = sizeof(XATTR_NAME_SELINUX);
2887         if (buffer && len <= buffer_size)
2888                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2889         return len;
2890 }
2891
2892 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2893 {
2894         struct inode_security_struct *isec = inode->i_security;
2895         *secid = isec->sid;
2896 }
2897
2898 /* file security operations */
2899
2900 static int selinux_revalidate_file_permission(struct file *file, int mask)
2901 {
2902         const struct cred *cred = current_cred();
2903         struct inode *inode = file->f_path.dentry->d_inode;
2904
2905         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2906         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2907                 mask |= MAY_APPEND;
2908
2909         return file_has_perm(cred, file,
2910                              file_mask_to_av(inode->i_mode, mask));
2911 }
2912
2913 static int selinux_file_permission(struct file *file, int mask)
2914 {
2915         struct inode *inode = file->f_path.dentry->d_inode;
2916         struct file_security_struct *fsec = file->f_security;
2917         struct inode_security_struct *isec = inode->i_security;
2918         u32 sid = current_sid();
2919
2920         if (!mask)
2921                 /* No permission to check.  Existence test. */
2922                 return 0;
2923
2924         if (sid == fsec->sid && fsec->isid == isec->sid &&
2925             fsec->pseqno == avc_policy_seqno())
2926                 /* No change since dentry_open check. */
2927                 return 0;
2928
2929         return selinux_revalidate_file_permission(file, mask);
2930 }
2931
2932 static int selinux_file_alloc_security(struct file *file)
2933 {
2934         return file_alloc_security(file);
2935 }
2936
2937 static void selinux_file_free_security(struct file *file)
2938 {
2939         file_free_security(file);
2940 }
2941
2942 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2943                               unsigned long arg)
2944 {
2945         const struct cred *cred = current_cred();
2946         int error = 0;
2947
2948         switch (cmd) {
2949         case FIONREAD:
2950         /* fall through */
2951         case FIBMAP:
2952         /* fall through */
2953         case FIGETBSZ:
2954         /* fall through */
2955         case EXT2_IOC_GETFLAGS:
2956         /* fall through */
2957         case EXT2_IOC_GETVERSION:
2958                 error = file_has_perm(cred, file, FILE__GETATTR);
2959                 break;
2960
2961         case EXT2_IOC_SETFLAGS:
2962         /* fall through */
2963         case EXT2_IOC_SETVERSION:
2964                 error = file_has_perm(cred, file, FILE__SETATTR);
2965                 break;
2966
2967         /* sys_ioctl() checks */
2968         case FIONBIO:
2969         /* fall through */
2970         case FIOASYNC:
2971                 error = file_has_perm(cred, file, 0);
2972                 break;
2973
2974         case KDSKBENT:
2975         case KDSKBSENT:
2976                 error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG,
2977                                             SECURITY_CAP_AUDIT);
2978                 break;
2979
2980         /* default case assumes that the command will go
2981          * to the file's ioctl() function.
2982          */
2983         default:
2984                 error = file_has_perm(cred, file, FILE__IOCTL);
2985         }
2986         return error;
2987 }
2988
2989 static int default_noexec;
2990
2991 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2992 {
2993         const struct cred *cred = current_cred();
2994         int rc = 0;
2995
2996         if (default_noexec &&
2997             (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2998                 /*
2999                  * We are making executable an anonymous mapping or a
3000                  * private file mapping that will also be writable.
3001                  * This has an additional check.
3002                  */
3003                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3004                 if (rc)
3005                         goto error;
3006         }
3007
3008         if (file) {
3009                 /* read access is always possible with a mapping */
3010                 u32 av = FILE__READ;
3011
3012                 /* write access only matters if the mapping is shared */
3013                 if (shared && (prot & PROT_WRITE))
3014                         av |= FILE__WRITE;
3015
3016                 if (prot & PROT_EXEC)
3017                         av |= FILE__EXECUTE;
3018
3019                 return file_has_perm(cred, file, av);
3020         }
3021
3022 error:
3023         return rc;
3024 }
3025
3026 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3027                              unsigned long prot, unsigned long flags,
3028                              unsigned long addr, unsigned long addr_only)
3029 {
3030         int rc = 0;
3031         u32 sid = current_sid();
3032
3033         /*
3034          * notice that we are intentionally putting the SELinux check before
3035          * the secondary cap_file_mmap check.  This is such a likely attempt
3036          * at bad behaviour/exploit that we always want to get the AVC, even
3037          * if DAC would have also denied the operation.
3038          */
3039         if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3040                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3041                                   MEMPROTECT__MMAP_ZERO, NULL);
3042                 if (rc)
3043                         return rc;
3044         }
3045
3046         /* do DAC check on address space usage */
3047         rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3048         if (rc || addr_only)
3049                 return rc;
3050
3051         if (selinux_checkreqprot)
3052                 prot = reqprot;
3053
3054         return file_map_prot_check(file, prot,
3055                                    (flags & MAP_TYPE) == MAP_SHARED);
3056 }
3057
3058 static int selinux_file_mprotect(struct vm_area_struct *vma,
3059                                  unsigned long reqprot,
3060                                  unsigned long prot)
3061 {
3062         const struct cred *cred = current_cred();
3063
3064         if (selinux_checkreqprot)
3065                 prot = reqprot;
3066
3067         if (default_noexec &&
3068             (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3069                 int rc = 0;
3070                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3071                     vma->vm_end <= vma->vm_mm->brk) {
3072                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3073                 } else if (!vma->vm_file &&
3074                            vma->vm_start <= vma->vm_mm->start_stack &&
3075                            vma->vm_end >= vma->vm_mm->start_stack) {
3076                         rc = current_has_perm(current, PROCESS__EXECSTACK);
3077                 } else if (vma->vm_file && vma->anon_vma) {
3078                         /*
3079                          * We are making executable a file mapping that has
3080                          * had some COW done. Since pages might have been
3081                          * written, check ability to execute the possibly
3082                          * modified content.  This typically should only
3083                          * occur for text relocations.
3084                          */
3085                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3086                 }
3087                 if (rc)
3088                         return rc;
3089         }
3090
3091         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3092 }
3093
3094 static int selinux_file_lock(struct file *file, unsigned int cmd)
3095 {
3096         const struct cred *cred = current_cred();
3097
3098         return file_has_perm(cred, file, FILE__LOCK);
3099 }
3100
3101 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3102                               unsigned long arg)
3103 {
3104         const struct cred *cred = current_cred();
3105         int err = 0;
3106
3107         switch (cmd) {
3108         case F_SETFL:
3109                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3110                         err = -EINVAL;
3111                         break;
3112                 }
3113
3114                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3115                         err = file_has_perm(cred, file, FILE__WRITE);
3116                         break;
3117                 }
3118                 /* fall through */
3119         case F_SETOWN:
3120         case F_SETSIG:
3121         case F_GETFL:
3122         case F_GETOWN:
3123         case F_GETSIG:
3124                 /* Just check FD__USE permission */
3125                 err = file_has_perm(cred, file, 0);
3126                 break;
3127         case F_GETLK:
3128         case F_SETLK:
3129         case F_SETLKW:
3130 #if BITS_PER_LONG == 32
3131         case F_GETLK64:
3132         case F_SETLK64:
3133         case F_SETLKW64:
3134 #endif
3135                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3136                         err = -EINVAL;
3137                         break;
3138                 }
3139                 err = file_has_perm(cred, file, FILE__LOCK);
3140                 break;
3141         }
3142
3143         return err;
3144 }
3145
3146 static int selinux_file_set_fowner(struct file *file)
3147 {
3148         struct file_security_struct *fsec;
3149
3150         fsec = file->f_security;
3151         fsec->fown_sid = current_sid();
3152
3153         return 0;
3154 }
3155
3156 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3157                                        struct fown_struct *fown, int signum)
3158 {
3159         struct file *file;
3160         u32 sid = task_sid(tsk);
3161         u32 perm;
3162         struct file_security_struct *fsec;
3163
3164         /* struct fown_struct is never outside the context of a struct file */
3165         file = container_of(fown, struct file, f_owner);
3166
3167         fsec = file->f_security;
3168
3169         if (!signum)
3170                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3171         else
3172                 perm = signal_to_av(signum);
3173
3174         return avc_has_perm(fsec->fown_sid, sid,
3175                             SECCLASS_PROCESS, perm, NULL);
3176 }
3177
3178 static int selinux_file_receive(struct file *file)
3179 {
3180         const struct cred *cred = current_cred();
3181
3182         return file_has_perm(cred, file, file_to_av(file));
3183 }
3184
3185 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3186 {
3187         struct file_security_struct *fsec;
3188         struct inode *inode;
3189         struct inode_security_struct *isec;
3190
3191         inode = file->f_path.dentry->d_inode;
3192         fsec = file->f_security;
3193         isec = inode->i_security;
3194         /*
3195          * Save inode label and policy sequence number
3196          * at open-time so that selinux_file_permission
3197          * can determine whether revalidation is necessary.
3198          * Task label is already saved in the file security
3199          * struct as its SID.
3200          */
3201         fsec->isid = isec->sid;
3202         fsec->pseqno = avc_policy_seqno();
3203         /*
3204          * Since the inode label or policy seqno may have changed
3205          * between the selinux_inode_permission check and the saving
3206          * of state above, recheck that access is still permitted.
3207          * Otherwise, access might never be revalidated against the
3208          * new inode label or new policy.
3209          * This check is not redundant - do not remove.
3210          */
3211         return inode_has_perm(cred, inode, open_file_to_av(file), NULL, 0);
3212 }
3213
3214 /* task security operations */
3215
3216 static int selinux_task_create(unsigned long clone_flags)
3217 {
3218         return current_has_perm(current, PROCESS__FORK);
3219 }
3220
3221 /*
3222  * allocate the SELinux part of blank credentials
3223  */
3224 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3225 {
3226         struct task_security_struct *tsec;
3227
3228         tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3229         if (!tsec)
3230                 return -ENOMEM;
3231
3232         cred->security = tsec;
3233         return 0;
3234 }
3235
3236 /*
3237  * detach and free the LSM part of a set of credentials
3238  */
3239 static void selinux_cred_free(struct cred *cred)
3240 {
3241         struct task_security_struct *tsec = cred->security;
3242
3243         /*
3244          * cred->security == NULL if security_cred_alloc_blank() or
3245          * security_prepare_creds() returned an error.
3246          */
3247         BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3248         cred->security = (void *) 0x7UL;
3249         kfree(tsec);
3250 }
3251
3252 /*
3253  * prepare a new set of credentials for modification
3254  */
3255 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3256                                 gfp_t gfp)
3257 {
3258         const struct task_security_struct *old_tsec;
3259         struct task_security_struct *tsec;
3260
3261         old_tsec = old->security;
3262
3263         tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3264         if (!tsec)
3265                 return -ENOMEM;
3266
3267         new->security = tsec;
3268         return 0;
3269 }
3270
3271 /*
3272  * transfer the SELinux data to a blank set of creds
3273  */
3274 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3275 {
3276         const struct task_security_struct *old_tsec = old->security;
3277         struct task_security_struct *tsec = new->security;
3278
3279         *tsec = *old_tsec;
3280 }
3281
3282 /*
3283  * set the security data for a kernel service
3284  * - all the creation contexts are set to unlabelled
3285  */
3286 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3287 {
3288         struct task_security_struct *tsec = new->security;
3289         u32 sid = current_sid();
3290         int ret;
3291
3292         ret = avc_has_perm(sid, secid,
3293                            SECCLASS_KERNEL_SERVICE,
3294                            KERNEL_SERVICE__USE_AS_OVERRIDE,
3295                            NULL);
3296         if (ret == 0) {
3297                 tsec->sid = secid;
3298                 tsec->create_sid = 0;
3299                 tsec->keycreate_sid = 0;
3300                 tsec->sockcreate_sid = 0;
3301         }
3302         return ret;
3303 }
3304
3305 /*
3306  * set the file creation context in a security record to the same as the
3307  * objective context of the specified inode
3308  */
3309 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3310 {
3311         struct inode_security_struct *isec = inode->i_security;
3312         struct task_security_struct *tsec = new->security;
3313         u32 sid = current_sid();
3314         int ret;
3315
3316         ret = avc_has_perm(sid, isec->sid,
3317                            SECCLASS_KERNEL_SERVICE,
3318                            KERNEL_SERVICE__CREATE_FILES_AS,
3319                            NULL);
3320
3321         if (ret == 0)
3322                 tsec->create_sid = isec->sid;
3323         return ret;
3324 }
3325
3326 static int selinux_kernel_module_request(char *kmod_name)
3327 {
3328         u32 sid;
3329         struct common_audit_data ad;
3330
3331         sid = task_sid(current);
3332
3333         COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3334         ad.u.kmod_name = kmod_name;
3335
3336         return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3337                             SYSTEM__MODULE_REQUEST, &ad);
3338 }
3339
3340 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3341 {
3342         return current_has_perm(p, PROCESS__SETPGID);
3343 }
3344
3345 static int selinux_task_getpgid(struct task_struct *p)
3346 {
3347         return current_has_perm(p, PROCESS__GETPGID);
3348 }
3349
3350 static int selinux_task_getsid(struct task_struct *p)
3351 {
3352         return current_has_perm(p, PROCESS__GETSESSION);
3353 }
3354
3355 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3356 {
3357         *secid = task_sid(p);
3358 }
3359
3360 static int selinux_task_setnice(struct task_struct *p, int nice)
3361 {
3362         int rc;
3363
3364         rc = cap_task_setnice(p, nice);
3365         if (rc)
3366                 return rc;
3367
3368         return current_has_perm(p, PROCESS__SETSCHED);
3369 }
3370
3371 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3372 {
3373         int rc;
3374
3375         rc = cap_task_setioprio(p, ioprio);
3376         if (rc)
3377                 return rc;
3378
3379         return current_has_perm(p, PROCESS__SETSCHED);
3380 }
3381
3382 static int selinux_task_getioprio(struct task_struct *p)
3383 {
3384         return current_has_perm(p, PROCESS__GETSCHED);
3385 }
3386
3387 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3388                 struct rlimit *new_rlim)
3389 {
3390         struct rlimit *old_rlim = p->signal->rlim + resource;
3391
3392         /* Control the ability to change the hard limit (whether
3393            lowering or raising it), so that the hard limit can
3394            later be used as a safe reset point for the soft limit
3395            upon context transitions.  See selinux_bprm_committing_creds. */
3396         if (old_rlim->rlim_max != new_rlim->rlim_max)
3397                 return current_has_perm(p, PROCESS__SETRLIMIT);
3398
3399         return 0;
3400 }
3401
3402 static int selinux_task_setscheduler(struct task_struct *p)
3403 {
3404         int rc;
3405
3406         rc = cap_task_setscheduler(p);
3407         if (rc)
3408                 return rc;
3409
3410         return current_has_perm(p, PROCESS__SETSCHED);
3411 }
3412
3413 static int selinux_task_getscheduler(struct task_struct *p)
3414 {
3415         return current_has_perm(p, PROCESS__GETSCHED);
3416 }
3417
3418 static int selinux_task_movememory(struct task_struct *p)
3419 {
3420         return current_has_perm(p, PROCESS__SETSCHED);
3421 }
3422
3423 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3424                                 int sig, u32 secid)
3425 {
3426         u32 perm;
3427         int rc;
3428
3429         if (!sig)
3430                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3431         else
3432                 perm = signal_to_av(sig);
3433         if (secid)
3434                 rc = avc_has_perm(secid, task_sid(p),
3435                                   SECCLASS_PROCESS, perm, NULL);
3436         else
3437                 rc = current_has_perm(p, perm);
3438         return rc;
3439 }
3440
3441 static int selinux_task_wait(struct task_struct *p)
3442 {
3443         return task_has_perm(p, current, PROCESS__SIGCHLD);
3444 }
3445
3446 static void selinux_task_to_inode(struct task_struct *p,
3447                                   struct inode *inode)
3448 {
3449         struct inode_security_struct *isec = inode->i_security;
3450         u32 sid = task_sid(p);
3451
3452         isec->sid = sid;
3453         isec->initialized = 1;
3454 }
3455
3456 /* Returns error only if unable to parse addresses */
3457 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3458                         struct common_audit_data *ad, u8 *proto)
3459 {
3460         int offset, ihlen, ret = -EINVAL;
3461         struct iphdr _iph, *ih;
3462
3463         offset = skb_network_offset(skb);
3464         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3465         if (ih == NULL)
3466                 goto out;
3467
3468         ihlen = ih->ihl * 4;
3469         if (ihlen < sizeof(_iph))
3470                 goto out;
3471
3472         ad->u.net.v4info.saddr = ih->saddr;
3473         ad->u.net.v4info.daddr = ih->daddr;
3474         ret = 0;
3475
3476         if (proto)
3477                 *proto = ih->protocol;
3478
3479         switch (ih->protocol) {
3480         case IPPROTO_TCP: {
3481                 struct tcphdr _tcph, *th;
3482
3483                 if (ntohs(ih->frag_off) & IP_OFFSET)
3484                         break;
3485
3486                 offset += ihlen;
3487                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3488                 if (th == NULL)
3489                         break;
3490
3491                 ad->u.net.sport = th->source;
3492                 ad->u.net.dport = th->dest;
3493                 break;
3494         }
3495
3496         case IPPROTO_UDP: {
3497                 struct udphdr _udph, *uh;
3498
3499                 if (ntohs(ih->frag_off) & IP_OFFSET)
3500                         break;
3501
3502                 offset += ihlen;
3503                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3504                 if (uh == NULL)
3505                         break;
3506
3507                 ad->u.net.sport = uh->source;
3508                 ad->u.net.dport = uh->dest;
3509                 break;
3510         }
3511
3512         case IPPROTO_DCCP: {
3513                 struct dccp_hdr _dccph, *dh;
3514
3515                 if (ntohs(ih->frag_off) & IP_OFFSET)
3516                         break;
3517
3518                 offset += ihlen;
3519                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3520                 if (dh == NULL)
3521                         break;
3522
3523                 ad->u.net.sport = dh->dccph_sport;
3524                 ad->u.net.dport = dh->dccph_dport;
3525                 break;
3526         }
3527
3528         default:
3529                 break;
3530         }
3531 out:
3532         return ret;
3533 }
3534
3535 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3536
3537 /* Returns error only if unable to parse addresses */
3538 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3539                         struct common_audit_data *ad, u8 *proto)
3540 {
3541         u8 nexthdr;
3542         int ret = -EINVAL, offset;
3543         struct ipv6hdr _ipv6h, *ip6;
3544
3545         offset = skb_network_offset(skb);
3546         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3547         if (ip6 == NULL)
3548                 goto out;
3549
3550         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3551         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3552         ret = 0;
3553
3554         nexthdr = ip6->nexthdr;
3555         offset += sizeof(_ipv6h);
3556         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3557         if (offset < 0)
3558                 goto out;
3559
3560         if (proto)
3561                 *proto = nexthdr;
3562
3563         switch (nexthdr) {
3564         case IPPROTO_TCP: {
3565                 struct tcphdr _tcph, *th;
3566
3567                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3568                 if (th == NULL)
3569                         break;
3570
3571                 ad->u.net.sport = th->source;
3572                 ad->u.net.dport = th->dest;
3573                 break;
3574         }
3575
3576         case IPPROTO_UDP: {
3577                 struct udphdr _udph, *uh;
3578
3579                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3580                 if (uh == NULL)
3581                         break;
3582
3583                 ad->u.net.sport = uh->source;
3584                 ad->u.net.dport = uh->dest;
3585                 break;
3586         }
3587
3588         case IPPROTO_DCCP: {
3589                 struct dccp_hdr _dccph, *dh;
3590
3591                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3592                 if (dh == NULL)
3593                         break;
3594
3595                 ad->u.net.sport = dh->dccph_sport;
3596                 ad->u.net.dport = dh->dccph_dport;
3597                 break;
3598         }
3599
3600         /* includes fragments */
3601         default:
3602                 break;
3603         }
3604 out:
3605         return ret;
3606 }
3607
3608 #endif /* IPV6 */
3609
3610 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3611                              char **_addrp, int src, u8 *proto)
3612 {
3613         char *addrp;
3614         int ret;
3615
3616         switch (ad->u.net.family) {
3617         case PF_INET:
3618                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3619                 if (ret)
3620                         goto parse_error;
3621                 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3622                                        &ad->u.net.v4info.daddr);
3623                 goto okay;
3624
3625 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3626         case PF_INET6:
3627                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3628                 if (ret)
3629                         goto parse_error;
3630                 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3631                                        &ad->u.net.v6info.daddr);
3632                 goto okay;
3633 #endif  /* IPV6 */
3634         default:
3635                 addrp = NULL;
3636                 goto okay;
3637         }
3638
3639 parse_error:
3640         printk(KERN_WARNING
3641                "SELinux: failure in selinux_parse_skb(),"
3642                " unable to parse packet\n");
3643         return ret;
3644
3645 okay:
3646         if (_addrp)
3647                 *_addrp = addrp;
3648         return 0;
3649 }
3650
3651 /**
3652  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3653  * @skb: the packet
3654  * @family: protocol family
3655  * @sid: the packet's peer label SID
3656  *
3657  * Description:
3658  * Check the various different forms of network peer labeling and determine
3659  * the peer label/SID for the packet; most of the magic actually occurs in
3660  * the security server function security_net_peersid_cmp().  The function
3661  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3662  * or -EACCES if @sid is invalid due to inconsistencies with the different
3663  * peer labels.
3664  *
3665  */
3666 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3667 {
3668         int err;
3669         u32 xfrm_sid;
3670         u32 nlbl_sid;
3671         u32 nlbl_type;
3672
3673         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3674         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3675
3676         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3677         if (unlikely(err)) {
3678                 printk(KERN_WARNING
3679                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3680                        " unable to determine packet's peer label\n");
3681                 return -EACCES;
3682         }
3683
3684         return 0;
3685 }
3686
3687 /* socket security operations */
3688
3689 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3690                                  u16 secclass, u32 *socksid)
3691 {
3692         if (tsec->sockcreate_sid > SECSID_NULL) {
3693                 *socksid = tsec->sockcreate_sid;
3694                 return 0;
3695         }
3696
3697         return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3698                                        socksid);
3699 }
3700
3701 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3702 {
3703         struct sk_security_struct *sksec = sk->sk_security;
3704         struct common_audit_data ad;
3705         u32 tsid = task_sid(task);
3706
3707         if (sksec->sid == SECINITSID_KERNEL)
3708                 return 0;
3709
3710         COMMON_AUDIT_DATA_INIT(&ad, NET);
3711         ad.u.net.sk = sk;
3712
3713         return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3714 }
3715
3716 static int selinux_socket_create(int family, int type,
3717                                  int protocol, int kern)
3718 {
3719         const struct task_security_struct *tsec = current_security();
3720         u32 newsid;
3721         u16 secclass;
3722         int rc;
3723
3724         if (kern)
3725                 return 0;
3726
3727         secclass = socket_type_to_security_class(family, type, protocol);
3728         rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3729         if (rc)
3730                 return rc;
3731
3732         return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3733 }
3734
3735 static int selinux_socket_post_create(struct socket *sock, int family,
3736                                       int type, int protocol, int kern)
3737 {
3738         const struct task_security_struct *tsec = current_security();
3739         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3740         struct sk_security_struct *sksec;
3741         int err = 0;
3742
3743         isec->sclass = socket_type_to_security_class(family, type, protocol);
3744
3745         if (kern)
3746                 isec->sid = SECINITSID_KERNEL;
3747         else {
3748                 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3749                 if (err)
3750                         return err;
3751         }
3752
3753         isec->initialized = 1;
3754
3755         if (sock->sk) {
3756                 sksec = sock->sk->sk_security;
3757                 sksec->sid = isec->sid;
3758                 sksec->sclass = isec->sclass;
3759                 err = selinux_netlbl_socket_post_create(sock->sk, family);
3760         }
3761
3762         return err;
3763 }
3764
3765 /* Range of port numbers used to automatically bind.
3766    Need to determine whether we should perform a name_bind
3767    permission check between the socket and the port number. */
3768
3769 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3770 {
3771         struct sock *sk = sock->sk;
3772         u16 family;
3773         int err;
3774
3775         err = sock_has_perm(current, sk, SOCKET__BIND);
3776         if (err)
3777                 goto out;
3778
3779         /*
3780          * If PF_INET or PF_INET6, check name_bind permission for the port.
3781          * Multiple address binding for SCTP is not supported yet: we just
3782          * check the first address now.
3783          */
3784         family = sk->sk_family;
3785         if (family == PF_INET || family == PF_INET6) {
3786                 char *addrp;
3787                 struct sk_security_struct *sksec = sk->sk_security;
3788                 struct common_audit_data ad;
3789                 struct sockaddr_in *addr4 = NULL;
3790                 struct sockaddr_in6 *addr6 = NULL;
3791                 unsigned short snum;
3792                 u32 sid, node_perm;
3793
3794                 if (family == PF_INET) {
3795                         addr4 = (struct sockaddr_in *)address;
3796                         snum = ntohs(addr4->sin_port);
3797                         addrp = (char *)&addr4->sin_addr.s_addr;
3798                 } else {
3799                         addr6 = (struct sockaddr_in6 *)address;
3800                         snum = ntohs(addr6->sin6_port);
3801                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3802                 }
3803
3804                 if (snum) {
3805                         int low, high;
3806
3807                         inet_get_local_port_range(&low, &high);
3808
3809                         if (snum < max(PROT_SOCK, low) || snum > high) {
3810                                 err = sel_netport_sid(sk->sk_protocol,
3811                                                       snum, &sid);
3812                                 if (err)
3813                                         goto out;
3814                                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3815                                 ad.u.net.sport = htons(snum);
3816                                 ad.u.net.family = family;
3817                                 err = avc_has_perm(sksec->sid, sid,
3818                                                    sksec->sclass,
3819                                                    SOCKET__NAME_BIND, &ad);
3820                                 if (err)
3821                                         goto out;
3822                         }
3823                 }
3824
3825                 switch (sksec->sclass) {
3826                 case SECCLASS_TCP_SOCKET:
3827                         node_perm = TCP_SOCKET__NODE_BIND;
3828                         break;
3829
3830                 case SECCLASS_UDP_SOCKET:
3831                         node_perm = UDP_SOCKET__NODE_BIND;
3832                         break;
3833
3834                 case SECCLASS_DCCP_SOCKET:
3835                         node_perm = DCCP_SOCKET__NODE_BIND;
3836                         break;
3837
3838                 default:
3839                         node_perm = RAWIP_SOCKET__NODE_BIND;
3840                         break;
3841                 }
3842
3843                 err = sel_netnode_sid(addrp, family, &sid);
3844                 if (err)
3845                         goto out;
3846
3847                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3848                 ad.u.net.sport = htons(snum);
3849                 ad.u.net.family = family;
3850
3851                 if (family == PF_INET)
3852                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3853                 else
3854                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3855
3856                 err = avc_has_perm(sksec->sid, sid,
3857                                    sksec->sclass, node_perm, &ad);
3858                 if (err)
3859                         goto out;
3860         }
3861 out:
3862         return err;
3863 }
3864
3865 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3866 {
3867         struct sock *sk = sock->sk;
3868         struct sk_security_struct *sksec = sk->sk_security;
3869         int err;
3870
3871         err = sock_has_perm(current, sk, SOCKET__CONNECT);
3872         if (err)
3873                 return err;
3874
3875         /*
3876          * If a TCP or DCCP socket, check name_connect permission for the port.
3877          */
3878         if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3879             sksec->sclass == SECCLASS_DCCP_SOCKET) {
3880                 struct common_audit_data ad;
3881                 struct sockaddr_in *addr4 = NULL;
3882                 struct sockaddr_in6 *addr6 = NULL;
3883                 unsigned short snum;
3884                 u32 sid, perm;
3885
3886                 if (sk->sk_family == PF_INET) {
3887                         addr4 = (struct sockaddr_in *)address;
3888                         if (addrlen < sizeof(struct sockaddr_in))
3889                                 return -EINVAL;
3890                         snum = ntohs(addr4->sin_port);
3891                 } else {
3892                         addr6 = (struct sockaddr_in6 *)address;
3893                         if (addrlen < SIN6_LEN_RFC2133)
3894                                 return -EINVAL;
3895                         snum = ntohs(addr6->sin6_port);
3896                 }
3897
3898                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3899                 if (err)
3900                         goto out;
3901
3902                 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3903                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3904
3905                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3906                 ad.u.net.dport = htons(snum);
3907                 ad.u.net.family = sk->sk_family;
3908                 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3909                 if (err)
3910                         goto out;
3911         }
3912
3913         err = selinux_netlbl_socket_connect(sk, address);
3914
3915 out:
3916         return err;
3917 }
3918
3919 static int selinux_socket_listen(struct socket *sock, int backlog)
3920 {
3921         return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3922 }
3923
3924 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3925 {
3926         int err;
3927         struct inode_security_struct *isec;
3928         struct inode_security_struct *newisec;
3929
3930         err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
3931         if (err)
3932                 return err;
3933
3934         newisec = SOCK_INODE(newsock)->i_security;
3935
3936         isec = SOCK_INODE(sock)->i_security;
3937         newisec->sclass = isec->sclass;
3938         newisec->sid = isec->sid;
3939         newisec->initialized = 1;
3940
3941         return 0;
3942 }
3943
3944 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3945                                   int size)
3946 {
3947         return sock_has_perm(current, sock->sk, SOCKET__WRITE);
3948 }
3949
3950 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3951                                   int size, int flags)
3952 {
3953         return sock_has_perm(current, sock->sk, SOCKET__READ);
3954 }
3955
3956 static int selinux_socket_getsockname(struct socket *sock)
3957 {
3958         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3959 }
3960
3961 static int selinux_socket_getpeername(struct socket *sock)
3962 {
3963         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3964 }
3965
3966 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3967 {
3968         int err;
3969
3970         err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
3971         if (err)
3972                 return err;
3973
3974         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3975 }
3976
3977 static int selinux_socket_getsockopt(struct socket *sock, int level,
3978                                      int optname)
3979 {
3980         return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
3981 }
3982
3983 static int selinux_socket_shutdown(struct socket *sock, int how)
3984 {
3985         return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
3986 }
3987
3988 static int selinux_socket_unix_stream_connect(struct sock *sock,
3989                                               struct sock *other,
3990                                               struct sock *newsk)
3991 {
3992         struct sk_security_struct *sksec_sock = sock->sk_security;
3993         struct sk_security_struct *sksec_other = other->sk_security;
3994         struct sk_security_struct *sksec_new = newsk->sk_security;
3995         struct common_audit_data ad;
3996         int err;
3997
3998         COMMON_AUDIT_DATA_INIT(&ad, NET);
3999         ad.u.net.sk = other;
4000
4001         err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4002                            sksec_other->sclass,
4003                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4004         if (err)
4005                 return err;
4006
4007         /* server child socket */
4008         sksec_new->peer_sid = sksec_sock->sid;
4009         err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4010                                     &sksec_new->sid);
4011         if (err)
4012                 return err;
4013
4014         /* connecting socket */
4015         sksec_sock->peer_sid = sksec_new->sid;
4016
4017         return 0;
4018 }
4019
4020 static int selinux_socket_unix_may_send(struct socket *sock,
4021                                         struct socket *other)
4022 {
4023         struct sk_security_struct *ssec = sock->sk->sk_security;
4024         struct sk_security_struct *osec = other->sk->sk_security;
4025         struct common_audit_data ad;
4026
4027         COMMON_AUDIT_DATA_INIT(&ad, NET);
4028         ad.u.net.sk = other->sk;
4029
4030         return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4031                             &ad);
4032 }
4033
4034 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4035                                     u32 peer_sid,
4036                                     struct common_audit_data *ad)
4037 {
4038         int err;
4039         u32 if_sid;
4040         u32 node_sid;
4041
4042         err = sel_netif_sid(ifindex, &if_sid);
4043         if (err)
4044                 return err;
4045         err = avc_has_perm(peer_sid, if_sid,
4046                            SECCLASS_NETIF, NETIF__INGRESS, ad);
4047         if (err)
4048                 return err;
4049
4050         err = sel_netnode_sid(addrp, family, &node_sid);
4051         if (err)
4052                 return err;
4053         return avc_has_perm(peer_sid, node_sid,
4054                             SECCLASS_NODE, NODE__RECVFROM, ad);
4055 }
4056
4057 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4058                                        u16 family)
4059 {
4060         int err = 0;
4061         struct sk_security_struct *sksec = sk->sk_security;
4062         u32 sk_sid = sksec->sid;
4063         struct common_audit_data ad;
4064         char *addrp;
4065
4066         COMMON_AUDIT_DATA_INIT(&ad, NET);
4067         ad.u.net.netif = skb->skb_iif;
4068         ad.u.net.family = family;
4069         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4070         if (err)
4071                 return err;
4072
4073         if (selinux_secmark_enabled()) {
4074                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4075                                    PACKET__RECV, &ad);
4076                 if (err)
4077                         return err;
4078         }
4079
4080         err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4081         if (err)
4082                 return err;
4083         err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4084
4085         return err;
4086 }
4087
4088 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4089 {
4090         int err;
4091         struct sk_security_struct *sksec = sk->sk_security;
4092         u16 family = sk->sk_family;
4093         u32 sk_sid = sksec->sid;
4094         struct common_audit_data ad;
4095         char *addrp;
4096         u8 secmark_active;
4097         u8 peerlbl_active;
4098
4099         if (family != PF_INET && family != PF_INET6)
4100                 return 0;
4101
4102         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4103         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4104                 family = PF_INET;
4105
4106         /* If any sort of compatibility mode is enabled then handoff processing
4107          * to the selinux_sock_rcv_skb_compat() function to deal with the
4108          * special handling.  We do this in an attempt to keep this function
4109          * as fast and as clean as possible. */
4110         if (!selinux_policycap_netpeer)
4111                 return selinux_sock_rcv_skb_compat(sk, skb, family);
4112
4113         secmark_active = selinux_secmark_enabled();
4114         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4115         if (!secmark_active && !peerlbl_active)
4116                 return 0;
4117
4118         COMMON_AUDIT_DATA_INIT(&ad, NET);
4119         ad.u.net.netif = skb->skb_iif;
4120         ad.u.net.family = family;
4121         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4122         if (err)
4123                 return err;
4124
4125         if (peerlbl_active) {
4126                 u32 peer_sid;
4127
4128                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4129                 if (err)
4130                         return err;
4131                 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4132                                                peer_sid, &ad);
4133                 if (err) {
4134                         selinux_netlbl_err(skb, err, 0);
4135                         return err;
4136                 }
4137                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4138                                    PEER__RECV, &ad);
4139                 if (err)
4140                         selinux_netlbl_err(skb, err, 0);
4141         }
4142
4143         if (secmark_active) {
4144                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4145                                    PACKET__RECV, &ad);
4146                 if (err)
4147                         return err;
4148         }
4149
4150         return err;
4151 }
4152
4153 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4154                                             int __user *optlen, unsigned len)
4155 {
4156         int err = 0;
4157         char *scontext;
4158         u32 scontext_len;
4159         struct sk_security_struct *sksec = sock->sk->sk_security;
4160         u32 peer_sid = SECSID_NULL;
4161
4162         if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4163             sksec->sclass == SECCLASS_TCP_SOCKET)
4164                 peer_sid = sksec->peer_sid;
4165         if (peer_sid == SECSID_NULL)
4166                 return -ENOPROTOOPT;
4167
4168         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4169         if (err)
4170                 return err;
4171
4172         if (scontext_len > len) {
4173                 err = -ERANGE;
4174                 goto out_len;
4175         }
4176
4177         if (copy_to_user(optval, scontext, scontext_len))
4178                 err = -EFAULT;
4179
4180 out_len:
4181         if (put_user(scontext_len, optlen))
4182                 err = -EFAULT;
4183         kfree(scontext);
4184         return err;
4185 }
4186
4187 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4188 {
4189         u32 peer_secid = SECSID_NULL;
4190         u16 family;
4191
4192         if (skb && skb->protocol == htons(ETH_P_IP))
4193                 family = PF_INET;
4194         else if (skb && skb->protocol == htons(ETH_P_IPV6))
4195                 family = PF_INET6;
4196         else if (sock)
4197                 family = sock->sk->sk_family;
4198         else
4199                 goto out;
4200
4201         if (sock && family == PF_UNIX)
4202                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4203         else if (skb)
4204                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4205
4206 out:
4207         *secid = peer_secid;
4208         if (peer_secid == SECSID_NULL)
4209                 return -EINVAL;
4210         return 0;
4211 }
4212
4213 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4214 {
4215         struct sk_security_struct *sksec;
4216
4217         sksec = kzalloc(sizeof(*sksec), priority);
4218         if (!sksec)
4219                 return -ENOMEM;
4220
4221         sksec->peer_sid = SECINITSID_UNLABELED;
4222         sksec->sid = SECINITSID_UNLABELED;
4223         selinux_netlbl_sk_security_reset(sksec);
4224         sk->sk_security = sksec;
4225
4226         return 0;
4227 }
4228
4229 static void selinux_sk_free_security(struct sock *sk)
4230 {
4231         struct sk_security_struct *sksec = sk->sk_security;
4232
4233         sk->sk_security = NULL;
4234         selinux_netlbl_sk_security_free(sksec);
4235         kfree(sksec);
4236 }
4237
4238 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4239 {
4240         struct sk_security_struct *sksec = sk->sk_security;
4241         struct sk_security_struct *newsksec = newsk->sk_security;
4242
4243         newsksec->sid = sksec->sid;
4244         newsksec->peer_sid = sksec->peer_sid;
4245         newsksec->sclass = sksec->sclass;
4246
4247         selinux_netlbl_sk_security_reset(newsksec);
4248 }
4249
4250 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4251 {
4252         if (!sk)
4253                 *secid = SECINITSID_ANY_SOCKET;
4254         else {
4255                 struct sk_security_struct *sksec = sk->sk_security;
4256
4257                 *secid = sksec->sid;
4258         }
4259 }
4260
4261 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4262 {
4263         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4264         struct sk_security_struct *sksec = sk->sk_security;
4265
4266         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4267             sk->sk_family == PF_UNIX)
4268                 isec->sid = sksec->sid;
4269         sksec->sclass = isec->sclass;
4270 }
4271
4272 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4273                                      struct request_sock *req)
4274 {
4275         struct sk_security_struct *sksec = sk->sk_security;
4276         int err;
4277         u16 family = sk->sk_family;
4278         u32 newsid;
4279         u32 peersid;
4280
4281         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4282         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4283                 family = PF_INET;
4284
4285         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4286         if (err)
4287                 return err;
4288         if (peersid == SECSID_NULL) {
4289                 req->secid = sksec->sid;
4290                 req->peer_secid = SECSID_NULL;
4291         } else {
4292                 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4293                 if (err)
4294                         return err;
4295                 req->secid = newsid;
4296                 req->peer_secid = peersid;
4297         }
4298
4299         return selinux_netlbl_inet_conn_request(req, family);
4300 }
4301
4302 static void selinux_inet_csk_clone(struct sock *newsk,
4303                                    const struct request_sock *req)
4304 {
4305         struct sk_security_struct *newsksec = newsk->sk_security;
4306
4307         newsksec->sid = req->secid;
4308         newsksec->peer_sid = req->peer_secid;
4309         /* NOTE: Ideally, we should also get the isec->sid for the
4310            new socket in sync, but we don't have the isec available yet.
4311            So we will wait until sock_graft to do it, by which
4312            time it will have been created and available. */
4313
4314         /* We don't need to take any sort of lock here as we are the only
4315          * thread with access to newsksec */
4316         selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4317 }
4318
4319 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4320 {
4321         u16 family = sk->sk_family;
4322         struct sk_security_struct *sksec = sk->sk_security;
4323
4324         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4325         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4326                 family = PF_INET;
4327
4328         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4329 }
4330
4331 static int selinux_secmark_relabel_packet(u32 sid)
4332 {
4333         const struct task_security_struct *__tsec;
4334         u32 tsid;
4335
4336         __tsec = current_security();
4337         tsid = __tsec->sid;
4338
4339         return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4340 }
4341
4342 static void selinux_secmark_refcount_inc(void)
4343 {
4344         atomic_inc(&selinux_secmark_refcount);
4345 }
4346
4347 static void selinux_secmark_refcount_dec(void)
4348 {
4349         atomic_dec(&selinux_secmark_refcount);
4350 }
4351
4352 static void selinux_req_classify_flow(const struct request_sock *req,
4353                                       struct flowi *fl)
4354 {
4355         fl->secid = req->secid;
4356 }
4357
4358 static int selinux_tun_dev_create(void)
4359 {
4360         u32 sid = current_sid();
4361
4362         /* we aren't taking into account the "sockcreate" SID since the socket
4363          * that is being created here is not a socket in the traditional sense,
4364          * instead it is a private sock, accessible only to the kernel, and
4365          * representing a wide range of network traffic spanning multiple
4366          * connections unlike traditional sockets - check the TUN driver to
4367          * get a better understanding of why this socket is special */
4368
4369         return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4370                             NULL);
4371 }
4372
4373 static void selinux_tun_dev_post_create(struct sock *sk)
4374 {
4375         struct sk_security_struct *sksec = sk->sk_security;
4376
4377         /* we don't currently perform any NetLabel based labeling here and it
4378          * isn't clear that we would want to do so anyway; while we could apply
4379          * labeling without the support of the TUN user the resulting labeled
4380          * traffic from the other end of the connection would almost certainly
4381          * cause confusion to the TUN user that had no idea network labeling
4382          * protocols were being used */
4383
4384         /* see the comments in selinux_tun_dev_create() about why we don't use
4385          * the sockcreate SID here */
4386
4387         sksec->sid = current_sid();
4388         sksec->sclass = SECCLASS_TUN_SOCKET;
4389 }
4390
4391 static int selinux_tun_dev_attach(struct sock *sk)
4392 {
4393         struct sk_security_struct *sksec = sk->sk_security;
4394         u32 sid = current_sid();
4395         int err;
4396
4397         err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4398                            TUN_SOCKET__RELABELFROM, NULL);
4399         if (err)
4400                 return err;
4401         err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4402                            TUN_SOCKET__RELABELTO, NULL);
4403         if (err)
4404                 return err;
4405
4406         sksec->sid = sid;
4407
4408         return 0;
4409 }
4410
4411 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4412 {
4413         int err = 0;
4414         u32 perm;
4415         struct nlmsghdr *nlh;
4416         struct sk_security_struct *sksec = sk->sk_security;
4417
4418         if (skb->len < NLMSG_SPACE(0)) {
4419                 err = -EINVAL;
4420                 goto out;
4421         }
4422         nlh = nlmsg_hdr(skb);
4423
4424         err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4425         if (err) {
4426                 if (err == -EINVAL) {
4427                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4428                                   "SELinux:  unrecognized netlink message"
4429                                   " type=%hu for sclass=%hu\n",
4430                                   nlh->nlmsg_type, sksec->sclass);
4431                         if (!selinux_enforcing || security_get_allow_unknown())
4432                                 err = 0;
4433                 }
4434
4435                 /* Ignore */
4436                 if (err == -ENOENT)
4437                         err = 0;
4438                 goto out;
4439         }
4440
4441         err = sock_has_perm(current, sk, perm);
4442 out:
4443         return err;
4444 }
4445
4446 #ifdef CONFIG_NETFILTER
4447
4448 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4449                                        u16 family)
4450 {
4451         int err;
4452         char *addrp;
4453         u32 peer_sid;
4454         struct common_audit_data ad;
4455         u8 secmark_active;
4456         u8 netlbl_active;
4457         u8 peerlbl_active;
4458
4459         if (!selinux_policycap_netpeer)
4460                 return NF_ACCEPT;
4461
4462         secmark_active = selinux_secmark_enabled();
4463         netlbl_active = netlbl_enabled();
4464         peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4465         if (!secmark_active && !peerlbl_active)
4466                 return NF_ACCEPT;
4467
4468         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4469                 return NF_DROP;
4470
4471         COMMON_AUDIT_DATA_INIT(&ad, NET);
4472         ad.u.net.netif = ifindex;
4473         ad.u.net.family = family;
4474         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4475                 return NF_DROP;
4476
4477         if (peerlbl_active) {
4478                 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4479                                                peer_sid, &ad);
4480                 if (err) {
4481                         selinux_netlbl_err(skb, err, 1);
4482                         return NF_DROP;
4483                 }
4484         }
4485
4486         if (secmark_active)
4487                 if (avc_has_perm(peer_sid, skb->secmark,
4488                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4489                         return NF_DROP;
4490
4491         if (netlbl_active)
4492                 /* we do this in the FORWARD path and not the POST_ROUTING
4493                  * path because we want to make sure we apply the necessary
4494                  * labeling before IPsec is applied so we can leverage AH
4495                  * protection */
4496                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4497                         return NF_DROP;
4498
4499         return NF_ACCEPT;
4500 }
4501
4502 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4503                                          struct sk_buff *skb,
4504                                          const struct net_device *in,
4505                                          const struct net_device *out,
4506                                          int (*okfn)(struct sk_buff *))
4507 {
4508         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4509 }
4510
4511 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4512 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4513                                          struct sk_buff *skb,
4514                                          const struct net_device *in,
4515                                          const struct net_device *out,
4516                                          int (*okfn)(struct sk_buff *))
4517 {
4518         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4519 }
4520 #endif  /* IPV6 */
4521
4522 static unsigned int selinux_ip_output(struct sk_buff *skb,
4523                                       u16 family)
4524 {
4525         u32 sid;
4526
4527         if (!netlbl_enabled())
4528                 return NF_ACCEPT;
4529
4530         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4531          * because we want to make sure we apply the necessary labeling
4532          * before IPsec is applied so we can leverage AH protection */
4533         if (skb->sk) {
4534                 struct sk_security_struct *sksec = skb->sk->sk_security;
4535                 sid = sksec->sid;
4536         } else
4537                 sid = SECINITSID_KERNEL;
4538         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4539                 return NF_DROP;
4540
4541         return NF_ACCEPT;
4542 }
4543
4544 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4545                                         struct sk_buff *skb,
4546                                         const struct net_device *in,
4547                                         const struct net_device *out,
4548                                         int (*okfn)(struct sk_buff *))
4549 {
4550         return selinux_ip_output(skb, PF_INET);
4551 }
4552
4553 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4554                                                 int ifindex,
4555                                                 u16 family)
4556 {
4557         struct sock *sk = skb->sk;
4558         struct sk_security_struct *sksec;
4559         struct common_audit_data ad;
4560         char *addrp;
4561         u8 proto;
4562
4563         if (sk == NULL)
4564                 return NF_ACCEPT;
4565         sksec = sk->sk_security;
4566
4567         COMMON_AUDIT_DATA_INIT(&ad, NET);
4568         ad.u.net.netif = ifindex;
4569         ad.u.net.family = family;
4570         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4571                 return NF_DROP;
4572
4573         if (selinux_secmark_enabled())
4574                 if (avc_has_perm(sksec->sid, skb->secmark,
4575                                  SECCLASS_PACKET, PACKET__SEND, &ad))
4576                         return NF_DROP_ERR(-ECONNREFUSED);
4577
4578         if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4579                 return NF_DROP_ERR(-ECONNREFUSED);
4580
4581         return NF_ACCEPT;
4582 }
4583
4584 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4585                                          u16 family)
4586 {
4587         u32 secmark_perm;
4588         u32 peer_sid;
4589         struct sock *sk;
4590         struct common_audit_data ad;
4591         char *addrp;
4592         u8 secmark_active;
4593         u8 peerlbl_active;
4594
4595         /* If any sort of compatibility mode is enabled then handoff processing
4596          * to the selinux_ip_postroute_compat() function to deal with the
4597          * special handling.  We do this in an attempt to keep this function
4598          * as fast and as clean as possible. */
4599         if (!selinux_policycap_netpeer)
4600                 return selinux_ip_postroute_compat(skb, ifindex, family);
4601 #ifdef CONFIG_XFRM
4602         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4603          * packet transformation so allow the packet to pass without any checks
4604          * since we'll have another chance to perform access control checks
4605          * when the packet is on it's final way out.
4606          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4607          *       is NULL, in this case go ahead and apply access control. */
4608         if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4609                 return NF_ACCEPT;
4610 #endif
4611         secmark_active = selinux_secmark_enabled();
4612         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4613         if (!secmark_active && !peerlbl_active)
4614                 return NF_ACCEPT;
4615
4616         /* if the packet is being forwarded then get the peer label from the
4617          * packet itself; otherwise check to see if it is from a local
4618          * application or the kernel, if from an application get the peer label
4619          * from the sending socket, otherwise use the kernel's sid */
4620         sk = skb->sk;
4621         if (sk == NULL) {
4622                 if (skb->skb_iif) {
4623                         secmark_perm = PACKET__FORWARD_OUT;
4624                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4625                                 return NF_DROP;
4626                 } else {
4627                         secmark_perm = PACKET__SEND;
4628                         peer_sid = SECINITSID_KERNEL;
4629                 }
4630         } else {
4631                 struct sk_security_struct *sksec = sk->sk_security;
4632                 peer_sid = sksec->sid;
4633                 secmark_perm = PACKET__SEND;
4634         }
4635
4636         COMMON_AUDIT_DATA_INIT(&ad, NET);
4637         ad.u.net.netif = ifindex;
4638         ad.u.net.family = family;
4639         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4640                 return NF_DROP;
4641
4642         if (secmark_active)
4643                 if (avc_has_perm(peer_sid, skb->secmark,
4644                                  SECCLASS_PACKET, secmark_perm, &ad))
4645                         return NF_DROP_ERR(-ECONNREFUSED);
4646
4647         if (peerlbl_active) {
4648                 u32 if_sid;
4649                 u32 node_sid;
4650
4651                 if (sel_netif_sid(ifindex, &if_sid))
4652                         return NF_DROP;
4653                 if (avc_has_perm(peer_sid, if_sid,
4654                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4655                         return NF_DROP_ERR(-ECONNREFUSED);
4656
4657                 if (sel_netnode_sid(addrp, family, &node_sid))
4658                         return NF_DROP;
4659                 if (avc_has_perm(peer_sid, node_sid,
4660                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4661                         return NF_DROP_ERR(-ECONNREFUSED);
4662         }
4663
4664         return NF_ACCEPT;
4665 }
4666
4667 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4668                                            struct sk_buff *skb,
4669                                            const struct net_device *in,
4670                                            const struct net_device *out,
4671                                            int (*okfn)(struct sk_buff *))
4672 {
4673         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4674 }
4675
4676 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4677 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4678                                            struct sk_buff *skb,
4679                                            const struct net_device *in,
4680                                            const struct net_device *out,
4681                                            int (*okfn)(struct sk_buff *))
4682 {
4683         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4684 }
4685 #endif  /* IPV6 */
4686
4687 #endif  /* CONFIG_NETFILTER */
4688
4689 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4690 {
4691         int err;
4692
4693         err = cap_netlink_send(sk, skb);
4694         if (err)
4695                 return err;
4696
4697         return selinux_nlmsg_perm(sk, skb);
4698 }
4699
4700 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4701 {
4702         int err;
4703         struct common_audit_data ad;
4704
4705         err = cap_netlink_recv(skb, capability);
4706         if (err)
4707                 return err;
4708
4709         COMMON_AUDIT_DATA_INIT(&ad, CAP);
4710         ad.u.cap = capability;
4711
4712         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4713                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4714 }
4715
4716 static int ipc_alloc_security(struct task_struct *task,
4717                               struct kern_ipc_perm *perm,
4718                               u16 sclass)
4719 {
4720         struct ipc_security_struct *isec;
4721         u32 sid;
4722
4723         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4724         if (!isec)
4725                 return -ENOMEM;
4726
4727         sid = task_sid(task);
4728         isec->sclass = sclass;
4729         isec->sid = sid;
4730         perm->security = isec;
4731
4732         return 0;
4733 }
4734
4735 static void ipc_free_security(struct kern_ipc_perm *perm)
4736 {
4737         struct ipc_security_struct *isec = perm->security;
4738         perm->security = NULL;
4739         kfree(isec);
4740 }
4741
4742 static int msg_msg_alloc_security(struct msg_msg *msg)
4743 {
4744         struct msg_security_struct *msec;
4745
4746         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4747         if (!msec)
4748                 return -ENOMEM;
4749
4750         msec->sid = SECINITSID_UNLABELED;
4751         msg->security = msec;
4752
4753         return 0;
4754 }
4755
4756 static void msg_msg_free_security(struct msg_msg *msg)
4757 {
4758         struct msg_security_struct *msec = msg->security;
4759
4760         msg->security = NULL;
4761         kfree(msec);
4762 }
4763
4764 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4765                         u32 perms)
4766 {
4767         struct ipc_security_struct *isec;
4768         struct common_audit_data ad;
4769         u32 sid = current_sid();
4770
4771         isec = ipc_perms->security;
4772
4773         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4774         ad.u.ipc_id = ipc_perms->key;
4775
4776         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4777 }
4778
4779 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4780 {
4781         return msg_msg_alloc_security(msg);
4782 }
4783
4784 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4785 {
4786         msg_msg_free_security(msg);
4787 }
4788
4789 /* message queue security operations */
4790 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4791 {
4792         struct ipc_security_struct *isec;
4793         struct common_audit_data ad;
4794         u32 sid = current_sid();
4795         int rc;
4796
4797         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4798         if (rc)
4799                 return rc;
4800
4801         isec = msq->q_perm.security;
4802
4803         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4804         ad.u.ipc_id = msq->q_perm.key;
4805
4806         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4807                           MSGQ__CREATE, &ad);
4808         if (rc) {
4809                 ipc_free_security(&msq->q_perm);
4810                 return rc;
4811         }
4812         return 0;
4813 }
4814
4815 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4816 {
4817         ipc_free_security(&msq->q_perm);
4818 }
4819
4820 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4821 {
4822         struct ipc_security_struct *isec;
4823         struct common_audit_data ad;
4824         u32 sid = current_sid();
4825
4826         isec = msq->q_perm.security;
4827
4828         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4829         ad.u.ipc_id = msq->q_perm.key;
4830
4831         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4832                             MSGQ__ASSOCIATE, &ad);
4833 }
4834
4835 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4836 {
4837         int err;
4838         int perms;
4839
4840         switch (cmd) {
4841         case IPC_INFO:
4842         case MSG_INFO:
4843                 /* No specific object, just general system-wide information. */
4844                 return task_has_system(current, SYSTEM__IPC_INFO);
4845         case IPC_STAT:
4846         case MSG_STAT:
4847                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4848                 break;
4849         case IPC_SET:
4850                 perms = MSGQ__SETATTR;
4851                 break;
4852         case IPC_RMID:
4853                 perms = MSGQ__DESTROY;
4854                 break;
4855         default:
4856                 return 0;
4857         }
4858
4859         err = ipc_has_perm(&msq->q_perm, perms);
4860         return err;
4861 }
4862
4863 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4864 {
4865         struct ipc_security_struct *isec;
4866         struct msg_security_struct *msec;
4867         struct common_audit_data ad;
4868         u32 sid = current_sid();
4869         int rc;
4870
4871         isec = msq->q_perm.security;
4872         msec = msg->security;
4873
4874         /*
4875          * First time through, need to assign label to the message
4876          */
4877         if (msec->sid == SECINITSID_UNLABELED) {
4878                 /*
4879                  * Compute new sid based on current process and
4880                  * message queue this message will be stored in
4881                  */
4882                 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4883                                              NULL, &msec->sid);
4884                 if (rc)
4885                         return rc;
4886         }
4887
4888         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4889         ad.u.ipc_id = msq->q_perm.key;
4890
4891         /* Can this process write to the queue? */
4892         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4893                           MSGQ__WRITE, &ad);
4894         if (!rc)
4895                 /* Can this process send the message */
4896                 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4897                                   MSG__SEND, &ad);
4898         if (!rc)
4899                 /* Can the message be put in the queue? */
4900                 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4901                                   MSGQ__ENQUEUE, &ad);
4902
4903         return rc;
4904 }
4905
4906 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4907                                     struct task_struct *target,
4908                                     long type, int mode)
4909 {
4910         struct ipc_security_struct *isec;
4911         struct msg_security_struct *msec;
4912         struct common_audit_data ad;
4913         u32 sid = task_sid(target);
4914         int rc;
4915
4916         isec = msq->q_perm.security;
4917         msec = msg->security;
4918
4919         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4920         ad.u.ipc_id = msq->q_perm.key;
4921
4922         rc = avc_has_perm(sid, isec->sid,
4923                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4924         if (!rc)
4925                 rc = avc_has_perm(sid, msec->sid,
4926                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4927         return rc;
4928 }
4929
4930 /* Shared Memory security operations */
4931 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4932 {
4933         struct ipc_security_struct *isec;
4934         struct common_audit_data ad;
4935         u32 sid = current_sid();
4936         int rc;
4937
4938         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4939         if (rc)
4940                 return rc;
4941
4942         isec = shp->shm_perm.security;
4943
4944         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4945         ad.u.ipc_id = shp->shm_perm.key;
4946
4947         rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4948                           SHM__CREATE, &ad);
4949         if (rc) {
4950                 ipc_free_security(&shp->shm_perm);
4951                 return rc;
4952         }
4953         return 0;
4954 }
4955
4956 static void selinux_shm_free_security(struct shmid_kernel *shp)
4957 {
4958         ipc_free_security(&shp->shm_perm);
4959 }
4960
4961 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4962 {
4963         struct ipc_security_struct *isec;
4964         struct common_audit_data ad;
4965         u32 sid = current_sid();
4966
4967         isec = shp->shm_perm.security;
4968
4969         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4970         ad.u.ipc_id = shp->shm_perm.key;
4971
4972         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4973                             SHM__ASSOCIATE, &ad);
4974 }
4975
4976 /* Note, at this point, shp is locked down */
4977 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4978 {
4979         int perms;
4980         int err;
4981
4982         switch (cmd) {
4983         case IPC_INFO:
4984         case SHM_INFO:
4985                 /* No specific object, just general system-wide information. */
4986                 return task_has_system(current, SYSTEM__IPC_INFO);
4987         case IPC_STAT:
4988         case SHM_STAT:
4989                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4990                 break;
4991         case IPC_SET:
4992                 perms = SHM__SETATTR;
4993                 break;
4994         case SHM_LOCK:
4995         case SHM_UNLOCK:
4996                 perms = SHM__LOCK;
4997                 break;
4998         case IPC_RMID:
4999                 perms = SHM__DESTROY;
5000                 break;
5001         default:
5002                 return 0;
5003         }
5004
5005         err = ipc_has_perm(&shp->shm_perm, perms);
5006         return err;
5007 }
5008
5009 static int selinux_shm_shmat(struct shmid_kernel *shp,
5010                              char __user *shmaddr, int shmflg)
5011 {
5012         u32 perms;
5013
5014         if (shmflg & SHM_RDONLY)
5015                 perms = SHM__READ;
5016         else
5017                 perms = SHM__READ | SHM__WRITE;
5018
5019         return ipc_has_perm(&shp->shm_perm, perms);
5020 }
5021
5022 /* Semaphore security operations */
5023 static int selinux_sem_alloc_security(struct sem_array *sma)
5024 {
5025         struct ipc_security_struct *isec;
5026         struct common_audit_data ad;
5027         u32 sid = current_sid();
5028         int rc;
5029
5030         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5031         if (rc)
5032                 return rc;
5033
5034         isec = sma->sem_perm.security;
5035
5036         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5037         ad.u.ipc_id = sma->sem_perm.key;
5038
5039         rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5040                           SEM__CREATE, &ad);
5041         if (rc) {
5042                 ipc_free_security(&sma->sem_perm);
5043                 return rc;
5044         }
5045         return 0;
5046 }
5047
5048 static void selinux_sem_free_security(struct sem_array *sma)
5049 {
5050         ipc_free_security(&sma->sem_perm);
5051 }
5052
5053 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5054 {
5055         struct ipc_security_struct *isec;
5056         struct common_audit_data ad;
5057         u32 sid = current_sid();
5058
5059         isec = sma->sem_perm.security;
5060
5061         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5062         ad.u.ipc_id = sma->sem_perm.key;
5063
5064         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5065                             SEM__ASSOCIATE, &ad);
5066 }
5067
5068 /* Note, at this point, sma is locked down */
5069 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5070 {
5071         int err;
5072         u32 perms;
5073
5074         switch (cmd) {
5075         case IPC_INFO:
5076         case SEM_INFO:
5077                 /* No specific object, just general system-wide information. */
5078                 return task_has_system(current, SYSTEM__IPC_INFO);
5079         case GETPID:
5080         case GETNCNT:
5081         case GETZCNT:
5082                 perms = SEM__GETATTR;
5083                 break;
5084         case GETVAL:
5085         case GETALL:
5086                 perms = SEM__READ;
5087                 break;
5088         case SETVAL:
5089         case SETALL:
5090                 perms = SEM__WRITE;
5091                 break;
5092         case IPC_RMID:
5093                 perms = SEM__DESTROY;
5094                 break;
5095         case IPC_SET:
5096                 perms = SEM__SETATTR;
5097                 break;
5098         case IPC_STAT:
5099         case SEM_STAT:
5100                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5101                 break;
5102         default:
5103                 return 0;
5104         }
5105
5106         err = ipc_has_perm(&sma->sem_perm, perms);
5107         return err;
5108 }
5109
5110 static int selinux_sem_semop(struct sem_array *sma,
5111                              struct sembuf *sops, unsigned nsops, int alter)
5112 {
5113         u32 perms;
5114
5115         if (alter)
5116                 perms = SEM__READ | SEM__WRITE;
5117         else
5118                 perms = SEM__READ;
5119
5120         return ipc_has_perm(&sma->sem_perm, perms);
5121 }
5122
5123 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5124 {
5125         u32 av = 0;
5126
5127         av = 0;
5128         if (flag & S_IRUGO)
5129                 av |= IPC__UNIX_READ;
5130         if (flag & S_IWUGO)
5131                 av |= IPC__UNIX_WRITE;
5132
5133         if (av == 0)
5134                 return 0;
5135
5136         return ipc_has_perm(ipcp, av);
5137 }
5138
5139 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5140 {
5141         struct ipc_security_struct *isec = ipcp->security;
5142         *secid = isec->sid;
5143 }
5144
5145 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5146 {
5147         if (inode)
5148                 inode_doinit_with_dentry(inode, dentry);
5149 }
5150
5151 static int selinux_getprocattr(struct task_struct *p,
5152                                char *name, char **value)
5153 {
5154         const struct task_security_struct *__tsec;
5155         u32 sid;
5156         int error;
5157         unsigned len;
5158
5159         if (current != p) {
5160                 error = current_has_perm(p, PROCESS__GETATTR);
5161                 if (error)
5162                         return error;
5163         }
5164
5165         rcu_read_lock();
5166         __tsec = __task_cred(p)->security;
5167
5168         if (!strcmp(name, "current"))
5169                 sid = __tsec->sid;
5170         else if (!strcmp(name, "prev"))
5171                 sid = __tsec->osid;
5172         else if (!strcmp(name, "exec"))
5173                 sid = __tsec->exec_sid;
5174         else if (!strcmp(name, "fscreate"))
5175                 sid = __tsec->create_sid;
5176         else if (!strcmp(name, "keycreate"))
5177                 sid = __tsec->keycreate_sid;
5178         else if (!strcmp(name, "sockcreate"))
5179                 sid = __tsec->sockcreate_sid;
5180         else
5181                 goto invalid;
5182         rcu_read_unlock();
5183
5184         if (!sid)
5185                 return 0;
5186
5187         error = security_sid_to_context(sid, value, &len);
5188         if (error)
5189                 return error;
5190         return len;
5191
5192 invalid:
5193         rcu_read_unlock();
5194         return -EINVAL;
5195 }
5196
5197 static int selinux_setprocattr(struct task_struct *p,
5198                                char *name, void *value, size_t size)
5199 {
5200         struct task_security_struct *tsec;
5201         struct task_struct *tracer;
5202         struct cred *new;
5203         u32 sid = 0, ptsid;
5204         int error;
5205         char *str = value;
5206
5207         if (current != p) {
5208                 /* SELinux only allows a process to change its own
5209                    security attributes. */
5210                 return -EACCES;
5211         }
5212
5213         /*
5214          * Basic control over ability to set these attributes at all.
5215          * current == p, but we'll pass them separately in case the
5216          * above restriction is ever removed.
5217          */
5218         if (!strcmp(name, "exec"))
5219                 error = current_has_perm(p, PROCESS__SETEXEC);
5220         else if (!strcmp(name, "fscreate"))
5221                 error = current_has_perm(p, PROCESS__SETFSCREATE);
5222         else if (!strcmp(name, "keycreate"))
5223                 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5224         else if (!strcmp(name, "sockcreate"))
5225                 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5226         else if (!strcmp(name, "current"))
5227                 error = current_has_perm(p, PROCESS__SETCURRENT);
5228         else
5229                 error = -EINVAL;
5230         if (error)
5231                 return error;
5232
5233         /* Obtain a SID for the context, if one was specified. */
5234         if (size && str[1] && str[1] != '\n') {
5235                 if (str[size-1] == '\n') {
5236                         str[size-1] = 0;
5237                         size--;
5238                 }
5239                 error = security_context_to_sid(value, size, &sid);
5240                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5241                         if (!capable(CAP_MAC_ADMIN))
5242                                 return error;
5243                         error = security_context_to_sid_force(value, size,
5244                                                               &sid);
5245                 }
5246                 if (error)
5247                         return error;
5248         }
5249
5250         new = prepare_creds();
5251         if (!new)
5252                 return -ENOMEM;
5253
5254         /* Permission checking based on the specified context is
5255            performed during the actual operation (execve,
5256            open/mkdir/...), when we know the full context of the
5257            operation.  See selinux_bprm_set_creds for the execve
5258            checks and may_create for the file creation checks. The
5259            operation will then fail if the context is not permitted. */
5260         tsec = new->security;
5261         if (!strcmp(name, "exec")) {
5262                 tsec->exec_sid = sid;
5263         } else if (!strcmp(name, "fscreate")) {
5264                 tsec->create_sid = sid;
5265         } else if (!strcmp(name, "keycreate")) {
5266                 error = may_create_key(sid, p);
5267                 if (error)
5268                         goto abort_change;
5269                 tsec->keycreate_sid = sid;
5270         } else if (!strcmp(name, "sockcreate")) {
5271                 tsec->sockcreate_sid = sid;
5272         } else if (!strcmp(name, "current")) {
5273                 error = -EINVAL;
5274                 if (sid == 0)
5275                         goto abort_change;
5276
5277                 /* Only allow single threaded processes to change context */
5278                 error = -EPERM;
5279                 if (!current_is_single_threaded()) {
5280                         error = security_bounded_transition(tsec->sid, sid);
5281                         if (error)
5282                                 goto abort_change;
5283                 }
5284
5285                 /* Check permissions for the transition. */
5286                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5287                                      PROCESS__DYNTRANSITION, NULL);
5288                 if (error)
5289                         goto abort_change;
5290
5291                 /* Check for ptracing, and update the task SID if ok.
5292                    Otherwise, leave SID unchanged and fail. */
5293                 ptsid = 0;
5294                 task_lock(p);
5295                 tracer = tracehook_tracer_task(p);
5296                 if (tracer)
5297                         ptsid = task_sid(tracer);
5298                 task_unlock(p);
5299
5300                 if (tracer) {
5301                         error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5302                                              PROCESS__PTRACE, NULL);
5303                         if (error)
5304                                 goto abort_change;
5305                 }
5306
5307                 tsec->sid = sid;
5308         } else {
5309                 error = -EINVAL;
5310                 goto abort_change;
5311         }
5312
5313         commit_creds(new);
5314         return size;
5315
5316 abort_change:
5317         abort_creds(new);
5318         return error;
5319 }
5320
5321 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5322 {
5323         return security_sid_to_context(secid, secdata, seclen);
5324 }
5325
5326 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5327 {
5328         return security_context_to_sid(secdata, seclen, secid);
5329 }
5330
5331 static void selinux_release_secctx(char *secdata, u32 seclen)
5332 {
5333         kfree(secdata);
5334 }
5335
5336 /*
5337  *      called with inode->i_mutex locked
5338  */
5339 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5340 {
5341         return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5342 }
5343
5344 /*
5345  *      called with inode->i_mutex locked
5346  */
5347 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5348 {
5349         return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5350 }
5351
5352 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5353 {
5354         int len = 0;
5355         len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5356                                                 ctx, true);
5357         if (len < 0)
5358                 return len;
5359         *ctxlen = len;
5360         return 0;
5361 }
5362 #ifdef CONFIG_KEYS
5363
5364 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5365                              unsigned long flags)
5366 {
5367         const struct task_security_struct *tsec;
5368         struct key_security_struct *ksec;
5369
5370         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5371         if (!ksec)
5372                 return -ENOMEM;
5373
5374         tsec = cred->security;
5375         if (tsec->keycreate_sid)
5376                 ksec->sid = tsec->keycreate_sid;
5377         else
5378                 ksec->sid = tsec->sid;
5379
5380         k->security = ksec;
5381         return 0;
5382 }
5383
5384 static void selinux_key_free(struct key *k)
5385 {
5386         struct key_security_struct *ksec = k->security;
5387
5388         k->security = NULL;
5389         kfree(ksec);
5390 }
5391
5392 static int selinux_key_permission(key_ref_t key_ref,
5393                                   const struct cred *cred,
5394                                   key_perm_t perm)
5395 {
5396         struct key *key;
5397         struct key_security_struct *ksec;
5398         u32 sid;
5399
5400         /* if no specific permissions are requested, we skip the
5401            permission check. No serious, additional covert channels
5402            appear to be created. */
5403         if (perm == 0)
5404                 return 0;
5405
5406         sid = cred_sid(cred);
5407
5408         key = key_ref_to_ptr(key_ref);
5409         ksec = key->security;
5410
5411         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5412 }
5413
5414 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5415 {
5416         struct key_security_struct *ksec = key->security;
5417         char *context = NULL;
5418         unsigned len;
5419         int rc;
5420
5421         rc = security_sid_to_context(ksec->sid, &context, &len);
5422         if (!rc)
5423                 rc = len;
5424         *_buffer = context;
5425         return rc;
5426 }
5427
5428 #endif
5429
5430 static struct security_operations selinux_ops = {
5431         .name =                         "selinux",
5432
5433         .ptrace_access_check =          selinux_ptrace_access_check,
5434         .ptrace_traceme =               selinux_ptrace_traceme,
5435         .capget =                       selinux_capget,
5436         .capset =                       selinux_capset,
5437         .capable =                      selinux_capable,
5438         .quotactl =                     selinux_quotactl,
5439         .quota_on =                     selinux_quota_on,
5440         .syslog =                       selinux_syslog,
5441         .vm_enough_memory =             selinux_vm_enough_memory,
5442
5443         .netlink_send =                 selinux_netlink_send,
5444         .netlink_recv =                 selinux_netlink_recv,
5445
5446         .bprm_set_creds =               selinux_bprm_set_creds,
5447         .bprm_committing_creds =        selinux_bprm_committing_creds,
5448         .bprm_committed_creds =         selinux_bprm_committed_creds,
5449         .bprm_secureexec =              selinux_bprm_secureexec,
5450
5451         .sb_alloc_security =            selinux_sb_alloc_security,
5452         .sb_free_security =             selinux_sb_free_security,
5453         .sb_copy_data =                 selinux_sb_copy_data,
5454         .sb_remount =                   selinux_sb_remount,
5455         .sb_kern_mount =                selinux_sb_kern_mount,
5456         .sb_show_options =              selinux_sb_show_options,
5457         .sb_statfs =                    selinux_sb_statfs,
5458         .sb_mount =                     selinux_mount,
5459         .sb_umount =                    selinux_umount,
5460         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5461         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5462         .sb_parse_opts_str =            selinux_parse_opts_str,
5463
5464
5465         .inode_alloc_security =         selinux_inode_alloc_security,
5466         .inode_free_security =          selinux_inode_free_security,
5467         .inode_init_security =          selinux_inode_init_security,
5468         .inode_create =                 selinux_inode_create,
5469         .inode_link =                   selinux_inode_link,
5470         .inode_unlink =                 selinux_inode_unlink,
5471         .inode_symlink =                selinux_inode_symlink,
5472         .inode_mkdir =                  selinux_inode_mkdir,
5473         .inode_rmdir =                  selinux_inode_rmdir,
5474         .inode_mknod =                  selinux_inode_mknod,
5475         .inode_rename =                 selinux_inode_rename,
5476         .inode_readlink =               selinux_inode_readlink,
5477         .inode_follow_link =            selinux_inode_follow_link,
5478         .inode_permission =             selinux_inode_permission,
5479         .inode_setattr =                selinux_inode_setattr,
5480         .inode_getattr =                selinux_inode_getattr,
5481         .inode_setxattr =               selinux_inode_setxattr,
5482         .inode_post_setxattr =          selinux_inode_post_setxattr,
5483         .inode_getxattr =               selinux_inode_getxattr,
5484         .inode_listxattr =              selinux_inode_listxattr,
5485         .inode_removexattr =            selinux_inode_removexattr,
5486         .inode_getsecurity =            selinux_inode_getsecurity,
5487         .inode_setsecurity =            selinux_inode_setsecurity,
5488         .inode_listsecurity =           selinux_inode_listsecurity,
5489         .inode_getsecid =               selinux_inode_getsecid,
5490
5491         .file_permission =              selinux_file_permission,
5492         .file_alloc_security =          selinux_file_alloc_security,
5493         .file_free_security =           selinux_file_free_security,
5494         .file_ioctl =                   selinux_file_ioctl,
5495         .file_mmap =                    selinux_file_mmap,
5496         .file_mprotect =                selinux_file_mprotect,
5497         .file_lock =                    selinux_file_lock,
5498         .file_fcntl =                   selinux_file_fcntl,
5499         .file_set_fowner =              selinux_file_set_fowner,
5500         .file_send_sigiotask =          selinux_file_send_sigiotask,
5501         .file_receive =                 selinux_file_receive,
5502
5503         .dentry_open =                  selinux_dentry_open,
5504
5505         .task_create =                  selinux_task_create,
5506         .cred_alloc_blank =             selinux_cred_alloc_blank,
5507         .cred_free =                    selinux_cred_free,
5508         .cred_prepare =                 selinux_cred_prepare,
5509         .cred_transfer =                selinux_cred_transfer,
5510         .kernel_act_as =                selinux_kernel_act_as,
5511         .kernel_create_files_as =       selinux_kernel_create_files_as,
5512         .kernel_module_request =        selinux_kernel_module_request,
5513         .task_setpgid =                 selinux_task_setpgid,
5514         .task_getpgid =                 selinux_task_getpgid,
5515         .task_getsid =                  selinux_task_getsid,
5516         .task_getsecid =                selinux_task_getsecid,
5517         .task_setnice =                 selinux_task_setnice,
5518         .task_setioprio =               selinux_task_setioprio,
5519         .task_getioprio =               selinux_task_getioprio,
5520         .task_setrlimit =               selinux_task_setrlimit,
5521         .task_setscheduler =            selinux_task_setscheduler,
5522         .task_getscheduler =            selinux_task_getscheduler,
5523         .task_movememory =              selinux_task_movememory,
5524         .task_kill =                    selinux_task_kill,
5525         .task_wait =                    selinux_task_wait,
5526         .task_to_inode =                selinux_task_to_inode,
5527
5528         .ipc_permission =               selinux_ipc_permission,
5529         .ipc_getsecid =                 selinux_ipc_getsecid,
5530
5531         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5532         .msg_msg_free_security =        selinux_msg_msg_free_security,
5533
5534         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5535         .msg_queue_free_security =      selinux_msg_queue_free_security,
5536         .msg_queue_associate =          selinux_msg_queue_associate,
5537         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5538         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5539         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5540
5541         .shm_alloc_security =           selinux_shm_alloc_security,
5542         .shm_free_security =            selinux_shm_free_security,
5543         .shm_associate =                selinux_shm_associate,
5544         .shm_shmctl =                   selinux_shm_shmctl,
5545         .shm_shmat =                    selinux_shm_shmat,
5546
5547         .sem_alloc_security =           selinux_sem_alloc_security,
5548         .sem_free_security =            selinux_sem_free_security,
5549         .sem_associate =                selinux_sem_associate,
5550         .sem_semctl =                   selinux_sem_semctl,
5551         .sem_semop =                    selinux_sem_semop,
5552
5553         .d_instantiate =                selinux_d_instantiate,
5554
5555         .getprocattr =                  selinux_getprocattr,
5556         .setprocattr =                  selinux_setprocattr,
5557
5558         .secid_to_secctx =              selinux_secid_to_secctx,
5559         .secctx_to_secid =              selinux_secctx_to_secid,
5560         .release_secctx =               selinux_release_secctx,
5561         .inode_notifysecctx =           selinux_inode_notifysecctx,
5562         .inode_setsecctx =              selinux_inode_setsecctx,
5563         .inode_getsecctx =              selinux_inode_getsecctx,
5564
5565         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5566         .unix_may_send =                selinux_socket_unix_may_send,
5567
5568         .socket_create =                selinux_socket_create,
5569         .socket_post_create =           selinux_socket_post_create,
5570         .socket_bind =                  selinux_socket_bind,
5571         .socket_connect =               selinux_socket_connect,
5572         .socket_listen =                selinux_socket_listen,
5573         .socket_accept =                selinux_socket_accept,
5574         .socket_sendmsg =               selinux_socket_sendmsg,
5575         .socket_recvmsg =               selinux_socket_recvmsg,
5576         .socket_getsockname =           selinux_socket_getsockname,
5577         .socket_getpeername =           selinux_socket_getpeername,
5578         .socket_getsockopt =            selinux_socket_getsockopt,
5579         .socket_setsockopt =            selinux_socket_setsockopt,
5580         .socket_shutdown =              selinux_socket_shutdown,
5581         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5582         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5583         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5584         .sk_alloc_security =            selinux_sk_alloc_security,
5585         .sk_free_security =             selinux_sk_free_security,
5586         .sk_clone_security =            selinux_sk_clone_security,
5587         .sk_getsecid =                  selinux_sk_getsecid,
5588         .sock_graft =                   selinux_sock_graft,
5589         .inet_conn_request =            selinux_inet_conn_request,
5590         .inet_csk_clone =               selinux_inet_csk_clone,
5591         .inet_conn_established =        selinux_inet_conn_established,
5592         .secmark_relabel_packet =       selinux_secmark_relabel_packet,
5593         .secmark_refcount_inc =         selinux_secmark_refcount_inc,
5594         .secmark_refcount_dec =         selinux_secmark_refcount_dec,
5595         .req_classify_flow =            selinux_req_classify_flow,
5596         .tun_dev_create =               selinux_tun_dev_create,
5597         .tun_dev_post_create =          selinux_tun_dev_post_create,
5598         .tun_dev_attach =               selinux_tun_dev_attach,
5599
5600 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5601         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5602         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5603         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5604         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5605         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5606         .xfrm_state_free_security =     selinux_xfrm_state_free,
5607         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5608         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5609         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5610         .xfrm_decode_session =          selinux_xfrm_decode_session,
5611 #endif
5612
5613 #ifdef CONFIG_KEYS
5614         .key_alloc =                    selinux_key_alloc,
5615         .key_free =                     selinux_key_free,
5616         .key_permission =               selinux_key_permission,
5617         .key_getsecurity =              selinux_key_getsecurity,
5618 #endif
5619
5620 #ifdef CONFIG_AUDIT
5621         .audit_rule_init =              selinux_audit_rule_init,
5622         .audit_rule_known =             selinux_audit_rule_known,
5623         .audit_rule_match =             selinux_audit_rule_match,
5624         .audit_rule_free =              selinux_audit_rule_free,
5625 #endif
5626 };
5627
5628 static __init int selinux_init(void)
5629 {
5630         if (!security_module_enable(&selinux_ops)) {
5631                 selinux_enabled = 0;
5632                 return 0;
5633         }
5634
5635         if (!selinux_enabled) {
5636                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5637                 return 0;
5638         }
5639
5640         printk(KERN_INFO "SELinux:  Initializing.\n");
5641
5642         /* Set the security state for the initial task. */
5643         cred_init_security();
5644
5645         default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5646
5647         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5648                                             sizeof(struct inode_security_struct),
5649                                             0, SLAB_PANIC, NULL);
5650         avc_init();
5651
5652         if (register_security(&selinux_ops))
5653                 panic("SELinux: Unable to register with kernel.\n");
5654
5655         if (selinux_enforcing)
5656                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5657         else
5658                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5659
5660         return 0;
5661 }
5662
5663 static void delayed_superblock_init(struct super_block *sb, void *unused)
5664 {
5665         superblock_doinit(sb, NULL);
5666 }
5667
5668 void selinux_complete_init(void)
5669 {
5670         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5671
5672         /* Set up any superblocks initialized prior to the policy load. */
5673         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5674         iterate_supers(delayed_superblock_init, NULL);
5675 }
5676
5677 /* SELinux requires early initialization in order to label
5678    all processes and objects when they are created. */
5679 security_initcall(selinux_init);
5680
5681 #if defined(CONFIG_NETFILTER)
5682
5683 static struct nf_hook_ops selinux_ipv4_ops[] = {
5684         {
5685                 .hook =         selinux_ipv4_postroute,
5686                 .owner =        THIS_MODULE,
5687                 .pf =           PF_INET,
5688                 .hooknum =      NF_INET_POST_ROUTING,
5689                 .priority =     NF_IP_PRI_SELINUX_LAST,
5690         },
5691         {
5692                 .hook =         selinux_ipv4_forward,
5693                 .owner =        THIS_MODULE,
5694                 .pf =           PF_INET,
5695                 .hooknum =      NF_INET_FORWARD,
5696                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5697         },
5698         {
5699                 .hook =         selinux_ipv4_output,
5700                 .owner =        THIS_MODULE,
5701                 .pf =           PF_INET,
5702                 .hooknum =      NF_INET_LOCAL_OUT,
5703                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5704         }
5705 };
5706
5707 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5708
5709 static struct nf_hook_ops selinux_ipv6_ops[] = {
5710         {
5711                 .hook =         selinux_ipv6_postroute,
5712                 .owner =        THIS_MODULE,
5713                 .pf =           PF_INET6,
5714                 .hooknum =      NF_INET_POST_ROUTING,
5715                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5716         },
5717         {
5718                 .hook =         selinux_ipv6_forward,
5719                 .owner =        THIS_MODULE,
5720                 .pf =           PF_INET6,
5721                 .hooknum =      NF_INET_FORWARD,
5722                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5723         }
5724 };
5725
5726 #endif  /* IPV6 */
5727
5728 static int __init selinux_nf_ip_init(void)
5729 {
5730         int err = 0;
5731
5732         if (!selinux_enabled)
5733                 goto out;
5734
5735         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5736
5737         err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5738         if (err)
5739                 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5740
5741 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5742         err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5743         if (err)
5744                 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5745 #endif  /* IPV6 */
5746
5747 out:
5748         return err;
5749 }
5750
5751 __initcall(selinux_nf_ip_init);
5752
5753 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5754 static void selinux_nf_ip_exit(void)
5755 {
5756         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5757
5758         nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5759 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5760         nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5761 #endif  /* IPV6 */
5762 }
5763 #endif
5764
5765 #else /* CONFIG_NETFILTER */
5766
5767 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5768 #define selinux_nf_ip_exit()
5769 #endif
5770
5771 #endif /* CONFIG_NETFILTER */
5772
5773 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5774 static int selinux_disabled;
5775
5776 int selinux_disable(void)
5777 {
5778         extern void exit_sel_fs(void);
5779
5780         if (ss_initialized) {
5781                 /* Not permitted after initial policy load. */
5782                 return -EINVAL;
5783         }
5784
5785         if (selinux_disabled) {
5786                 /* Only do this once. */
5787                 return -EINVAL;
5788         }
5789
5790         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5791
5792         selinux_disabled = 1;
5793         selinux_enabled = 0;
5794
5795         reset_security_ops();
5796
5797         /* Try to destroy the avc node cache */
5798         avc_disable();
5799
5800         /* Unregister netfilter hooks. */
5801         selinux_nf_ip_exit();
5802
5803         /* Unregister selinuxfs. */
5804         exit_sel_fs();
5805
5806         return 0;
5807 }
5808 #endif