c8b359fc294929d81cfd4ec5b96de243604716a3
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul.moore@hp.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kernel.h>
28 #include <linux/tracehook.h>
29 #include <linux/errno.h>
30 #include <linux/sched.h>
31 #include <linux/security.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/swap.h>
40 #include <linux/spinlock.h>
41 #include <linux/syscalls.h>
42 #include <linux/dcache.h>
43 #include <linux/file.h>
44 #include <linux/fdtable.h>
45 #include <linux/namei.h>
46 #include <linux/mount.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <linux/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h>    /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h>           /* for Unix socket types */
67 #include <net/af_unix.h>        /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/audit.h>
74 #include <linux/string.h>
75 #include <linux/selinux.h>
76 #include <linux/mutex.h>
77 #include <linux/posix-timers.h>
78 #include <linux/syslog.h>
79
80 #include "avc.h"
81 #include "objsec.h"
82 #include "netif.h"
83 #include "netnode.h"
84 #include "netport.h"
85 #include "xfrm.h"
86 #include "netlabel.h"
87 #include "audit.h"
88
89 #define NUM_SEL_MNT_OPTS 5
90
91 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
92 extern struct security_operations *security_ops;
93
94 /* SECMARK reference count */
95 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
96
97 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
98 int selinux_enforcing;
99
100 static int __init enforcing_setup(char *str)
101 {
102         unsigned long enforcing;
103         if (!strict_strtoul(str, 0, &enforcing))
104                 selinux_enforcing = enforcing ? 1 : 0;
105         return 1;
106 }
107 __setup("enforcing=", enforcing_setup);
108 #endif
109
110 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
112
113 static int __init selinux_enabled_setup(char *str)
114 {
115         unsigned long enabled;
116         if (!strict_strtoul(str, 0, &enabled))
117                 selinux_enabled = enabled ? 1 : 0;
118         return 1;
119 }
120 __setup("selinux=", selinux_enabled_setup);
121 #else
122 int selinux_enabled = 1;
123 #endif
124
125 static struct kmem_cache *sel_inode_cache;
126
127 /**
128  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
129  *
130  * Description:
131  * This function checks the SECMARK reference counter to see if any SECMARK
132  * targets are currently configured, if the reference counter is greater than
133  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
134  * enabled, false (0) if SECMARK is disabled.
135  *
136  */
137 static int selinux_secmark_enabled(void)
138 {
139         return (atomic_read(&selinux_secmark_refcount) > 0);
140 }
141
142 /*
143  * initialise the security for the init task
144  */
145 static void cred_init_security(void)
146 {
147         struct cred *cred = (struct cred *) current->real_cred;
148         struct task_security_struct *tsec;
149
150         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
151         if (!tsec)
152                 panic("SELinux:  Failed to initialize initial task.\n");
153
154         tsec->osid = tsec->sid = SECINITSID_KERNEL;
155         cred->security = tsec;
156 }
157
158 /*
159  * get the security ID of a set of credentials
160  */
161 static inline u32 cred_sid(const struct cred *cred)
162 {
163         const struct task_security_struct *tsec;
164
165         tsec = cred->security;
166         return tsec->sid;
167 }
168
169 /*
170  * get the objective security ID of a task
171  */
172 static inline u32 task_sid(const struct task_struct *task)
173 {
174         u32 sid;
175
176         rcu_read_lock();
177         sid = cred_sid(__task_cred(task));
178         rcu_read_unlock();
179         return sid;
180 }
181
182 /*
183  * get the subjective security ID of the current task
184  */
185 static inline u32 current_sid(void)
186 {
187         const struct task_security_struct *tsec = current_security();
188
189         return tsec->sid;
190 }
191
192 /* Allocate and free functions for each kind of security blob. */
193
194 static int inode_alloc_security(struct inode *inode)
195 {
196         struct inode_security_struct *isec;
197         u32 sid = current_sid();
198
199         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
200         if (!isec)
201                 return -ENOMEM;
202
203         mutex_init(&isec->lock);
204         INIT_LIST_HEAD(&isec->list);
205         isec->inode = inode;
206         isec->sid = SECINITSID_UNLABELED;
207         isec->sclass = SECCLASS_FILE;
208         isec->task_sid = sid;
209         inode->i_security = isec;
210
211         return 0;
212 }
213
214 static void inode_free_security(struct inode *inode)
215 {
216         struct inode_security_struct *isec = inode->i_security;
217         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
218
219         spin_lock(&sbsec->isec_lock);
220         if (!list_empty(&isec->list))
221                 list_del_init(&isec->list);
222         spin_unlock(&sbsec->isec_lock);
223
224         inode->i_security = NULL;
225         kmem_cache_free(sel_inode_cache, isec);
226 }
227
228 static int file_alloc_security(struct file *file)
229 {
230         struct file_security_struct *fsec;
231         u32 sid = current_sid();
232
233         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
234         if (!fsec)
235                 return -ENOMEM;
236
237         fsec->sid = sid;
238         fsec->fown_sid = sid;
239         file->f_security = fsec;
240
241         return 0;
242 }
243
244 static void file_free_security(struct file *file)
245 {
246         struct file_security_struct *fsec = file->f_security;
247         file->f_security = NULL;
248         kfree(fsec);
249 }
250
251 static int superblock_alloc_security(struct super_block *sb)
252 {
253         struct superblock_security_struct *sbsec;
254
255         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
256         if (!sbsec)
257                 return -ENOMEM;
258
259         mutex_init(&sbsec->lock);
260         INIT_LIST_HEAD(&sbsec->isec_head);
261         spin_lock_init(&sbsec->isec_lock);
262         sbsec->sb = sb;
263         sbsec->sid = SECINITSID_UNLABELED;
264         sbsec->def_sid = SECINITSID_FILE;
265         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
266         sb->s_security = sbsec;
267
268         return 0;
269 }
270
271 static void superblock_free_security(struct super_block *sb)
272 {
273         struct superblock_security_struct *sbsec = sb->s_security;
274         sb->s_security = NULL;
275         kfree(sbsec);
276 }
277
278 /* The security server must be initialized before
279    any labeling or access decisions can be provided. */
280 extern int ss_initialized;
281
282 /* The file system's label must be initialized prior to use. */
283
284 static const char *labeling_behaviors[6] = {
285         "uses xattr",
286         "uses transition SIDs",
287         "uses task SIDs",
288         "uses genfs_contexts",
289         "not configured for labeling",
290         "uses mountpoint labeling",
291 };
292
293 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
294
295 static inline int inode_doinit(struct inode *inode)
296 {
297         return inode_doinit_with_dentry(inode, NULL);
298 }
299
300 enum {
301         Opt_error = -1,
302         Opt_context = 1,
303         Opt_fscontext = 2,
304         Opt_defcontext = 3,
305         Opt_rootcontext = 4,
306         Opt_labelsupport = 5,
307 };
308
309 static const match_table_t tokens = {
310         {Opt_context, CONTEXT_STR "%s"},
311         {Opt_fscontext, FSCONTEXT_STR "%s"},
312         {Opt_defcontext, DEFCONTEXT_STR "%s"},
313         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
314         {Opt_labelsupport, LABELSUPP_STR},
315         {Opt_error, NULL},
316 };
317
318 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
319
320 static int may_context_mount_sb_relabel(u32 sid,
321                         struct superblock_security_struct *sbsec,
322                         const struct cred *cred)
323 {
324         const struct task_security_struct *tsec = cred->security;
325         int rc;
326
327         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
328                           FILESYSTEM__RELABELFROM, NULL);
329         if (rc)
330                 return rc;
331
332         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
333                           FILESYSTEM__RELABELTO, NULL);
334         return rc;
335 }
336
337 static int may_context_mount_inode_relabel(u32 sid,
338                         struct superblock_security_struct *sbsec,
339                         const struct cred *cred)
340 {
341         const struct task_security_struct *tsec = cred->security;
342         int rc;
343         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
344                           FILESYSTEM__RELABELFROM, NULL);
345         if (rc)
346                 return rc;
347
348         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
349                           FILESYSTEM__ASSOCIATE, NULL);
350         return rc;
351 }
352
353 static int sb_finish_set_opts(struct super_block *sb)
354 {
355         struct superblock_security_struct *sbsec = sb->s_security;
356         struct dentry *root = sb->s_root;
357         struct inode *root_inode = root->d_inode;
358         int rc = 0;
359
360         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
361                 /* Make sure that the xattr handler exists and that no
362                    error other than -ENODATA is returned by getxattr on
363                    the root directory.  -ENODATA is ok, as this may be
364                    the first boot of the SELinux kernel before we have
365                    assigned xattr values to the filesystem. */
366                 if (!root_inode->i_op->getxattr) {
367                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
368                                "xattr support\n", sb->s_id, sb->s_type->name);
369                         rc = -EOPNOTSUPP;
370                         goto out;
371                 }
372                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
373                 if (rc < 0 && rc != -ENODATA) {
374                         if (rc == -EOPNOTSUPP)
375                                 printk(KERN_WARNING "SELinux: (dev %s, type "
376                                        "%s) has no security xattr handler\n",
377                                        sb->s_id, sb->s_type->name);
378                         else
379                                 printk(KERN_WARNING "SELinux: (dev %s, type "
380                                        "%s) getxattr errno %d\n", sb->s_id,
381                                        sb->s_type->name, -rc);
382                         goto out;
383                 }
384         }
385
386         sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
387
388         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
389                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
390                        sb->s_id, sb->s_type->name);
391         else
392                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
393                        sb->s_id, sb->s_type->name,
394                        labeling_behaviors[sbsec->behavior-1]);
395
396         if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
397             sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
398             sbsec->behavior == SECURITY_FS_USE_NONE ||
399             sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
400                 sbsec->flags &= ~SE_SBLABELSUPP;
401
402         /* Special handling for sysfs. Is genfs but also has setxattr handler*/
403         if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
404                 sbsec->flags |= SE_SBLABELSUPP;
405
406         /* Initialize the root inode. */
407         rc = inode_doinit_with_dentry(root_inode, root);
408
409         /* Initialize any other inodes associated with the superblock, e.g.
410            inodes created prior to initial policy load or inodes created
411            during get_sb by a pseudo filesystem that directly
412            populates itself. */
413         spin_lock(&sbsec->isec_lock);
414 next_inode:
415         if (!list_empty(&sbsec->isec_head)) {
416                 struct inode_security_struct *isec =
417                                 list_entry(sbsec->isec_head.next,
418                                            struct inode_security_struct, list);
419                 struct inode *inode = isec->inode;
420                 spin_unlock(&sbsec->isec_lock);
421                 inode = igrab(inode);
422                 if (inode) {
423                         if (!IS_PRIVATE(inode))
424                                 inode_doinit(inode);
425                         iput(inode);
426                 }
427                 spin_lock(&sbsec->isec_lock);
428                 list_del_init(&isec->list);
429                 goto next_inode;
430         }
431         spin_unlock(&sbsec->isec_lock);
432 out:
433         return rc;
434 }
435
436 /*
437  * This function should allow an FS to ask what it's mount security
438  * options were so it can use those later for submounts, displaying
439  * mount options, or whatever.
440  */
441 static int selinux_get_mnt_opts(const struct super_block *sb,
442                                 struct security_mnt_opts *opts)
443 {
444         int rc = 0, i;
445         struct superblock_security_struct *sbsec = sb->s_security;
446         char *context = NULL;
447         u32 len;
448         char tmp;
449
450         security_init_mnt_opts(opts);
451
452         if (!(sbsec->flags & SE_SBINITIALIZED))
453                 return -EINVAL;
454
455         if (!ss_initialized)
456                 return -EINVAL;
457
458         tmp = sbsec->flags & SE_MNTMASK;
459         /* count the number of mount options for this sb */
460         for (i = 0; i < 8; i++) {
461                 if (tmp & 0x01)
462                         opts->num_mnt_opts++;
463                 tmp >>= 1;
464         }
465         /* Check if the Label support flag is set */
466         if (sbsec->flags & SE_SBLABELSUPP)
467                 opts->num_mnt_opts++;
468
469         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
470         if (!opts->mnt_opts) {
471                 rc = -ENOMEM;
472                 goto out_free;
473         }
474
475         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
476         if (!opts->mnt_opts_flags) {
477                 rc = -ENOMEM;
478                 goto out_free;
479         }
480
481         i = 0;
482         if (sbsec->flags & FSCONTEXT_MNT) {
483                 rc = security_sid_to_context(sbsec->sid, &context, &len);
484                 if (rc)
485                         goto out_free;
486                 opts->mnt_opts[i] = context;
487                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
488         }
489         if (sbsec->flags & CONTEXT_MNT) {
490                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
491                 if (rc)
492                         goto out_free;
493                 opts->mnt_opts[i] = context;
494                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
495         }
496         if (sbsec->flags & DEFCONTEXT_MNT) {
497                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
498                 if (rc)
499                         goto out_free;
500                 opts->mnt_opts[i] = context;
501                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
502         }
503         if (sbsec->flags & ROOTCONTEXT_MNT) {
504                 struct inode *root = sbsec->sb->s_root->d_inode;
505                 struct inode_security_struct *isec = root->i_security;
506
507                 rc = security_sid_to_context(isec->sid, &context, &len);
508                 if (rc)
509                         goto out_free;
510                 opts->mnt_opts[i] = context;
511                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
512         }
513         if (sbsec->flags & SE_SBLABELSUPP) {
514                 opts->mnt_opts[i] = NULL;
515                 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
516         }
517
518         BUG_ON(i != opts->num_mnt_opts);
519
520         return 0;
521
522 out_free:
523         security_free_mnt_opts(opts);
524         return rc;
525 }
526
527 static int bad_option(struct superblock_security_struct *sbsec, char flag,
528                       u32 old_sid, u32 new_sid)
529 {
530         char mnt_flags = sbsec->flags & SE_MNTMASK;
531
532         /* check if the old mount command had the same options */
533         if (sbsec->flags & SE_SBINITIALIZED)
534                 if (!(sbsec->flags & flag) ||
535                     (old_sid != new_sid))
536                         return 1;
537
538         /* check if we were passed the same options twice,
539          * aka someone passed context=a,context=b
540          */
541         if (!(sbsec->flags & SE_SBINITIALIZED))
542                 if (mnt_flags & flag)
543                         return 1;
544         return 0;
545 }
546
547 /*
548  * Allow filesystems with binary mount data to explicitly set mount point
549  * labeling information.
550  */
551 static int selinux_set_mnt_opts(struct super_block *sb,
552                                 struct security_mnt_opts *opts)
553 {
554         const struct cred *cred = current_cred();
555         int rc = 0, i;
556         struct superblock_security_struct *sbsec = sb->s_security;
557         const char *name = sb->s_type->name;
558         struct inode *inode = sbsec->sb->s_root->d_inode;
559         struct inode_security_struct *root_isec = inode->i_security;
560         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
561         u32 defcontext_sid = 0;
562         char **mount_options = opts->mnt_opts;
563         int *flags = opts->mnt_opts_flags;
564         int num_opts = opts->num_mnt_opts;
565
566         mutex_lock(&sbsec->lock);
567
568         if (!ss_initialized) {
569                 if (!num_opts) {
570                         /* Defer initialization until selinux_complete_init,
571                            after the initial policy is loaded and the security
572                            server is ready to handle calls. */
573                         goto out;
574                 }
575                 rc = -EINVAL;
576                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
577                         "before the security server is initialized\n");
578                 goto out;
579         }
580
581         /*
582          * Binary mount data FS will come through this function twice.  Once
583          * from an explicit call and once from the generic calls from the vfs.
584          * Since the generic VFS calls will not contain any security mount data
585          * we need to skip the double mount verification.
586          *
587          * This does open a hole in which we will not notice if the first
588          * mount using this sb set explict options and a second mount using
589          * this sb does not set any security options.  (The first options
590          * will be used for both mounts)
591          */
592         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
593             && (num_opts == 0))
594                 goto out;
595
596         /*
597          * parse the mount options, check if they are valid sids.
598          * also check if someone is trying to mount the same sb more
599          * than once with different security options.
600          */
601         for (i = 0; i < num_opts; i++) {
602                 u32 sid;
603
604                 if (flags[i] == SE_SBLABELSUPP)
605                         continue;
606                 rc = security_context_to_sid(mount_options[i],
607                                              strlen(mount_options[i]), &sid);
608                 if (rc) {
609                         printk(KERN_WARNING "SELinux: security_context_to_sid"
610                                "(%s) failed for (dev %s, type %s) errno=%d\n",
611                                mount_options[i], sb->s_id, name, rc);
612                         goto out;
613                 }
614                 switch (flags[i]) {
615                 case FSCONTEXT_MNT:
616                         fscontext_sid = sid;
617
618                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
619                                         fscontext_sid))
620                                 goto out_double_mount;
621
622                         sbsec->flags |= FSCONTEXT_MNT;
623                         break;
624                 case CONTEXT_MNT:
625                         context_sid = sid;
626
627                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
628                                         context_sid))
629                                 goto out_double_mount;
630
631                         sbsec->flags |= CONTEXT_MNT;
632                         break;
633                 case ROOTCONTEXT_MNT:
634                         rootcontext_sid = sid;
635
636                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
637                                         rootcontext_sid))
638                                 goto out_double_mount;
639
640                         sbsec->flags |= ROOTCONTEXT_MNT;
641
642                         break;
643                 case DEFCONTEXT_MNT:
644                         defcontext_sid = sid;
645
646                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
647                                         defcontext_sid))
648                                 goto out_double_mount;
649
650                         sbsec->flags |= DEFCONTEXT_MNT;
651
652                         break;
653                 default:
654                         rc = -EINVAL;
655                         goto out;
656                 }
657         }
658
659         if (sbsec->flags & SE_SBINITIALIZED) {
660                 /* previously mounted with options, but not on this attempt? */
661                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
662                         goto out_double_mount;
663                 rc = 0;
664                 goto out;
665         }
666
667         if (strcmp(sb->s_type->name, "proc") == 0)
668                 sbsec->flags |= SE_SBPROC;
669
670         /* Determine the labeling behavior to use for this filesystem type. */
671         rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
672         if (rc) {
673                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
674                        __func__, sb->s_type->name, rc);
675                 goto out;
676         }
677
678         /* sets the context of the superblock for the fs being mounted. */
679         if (fscontext_sid) {
680                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
681                 if (rc)
682                         goto out;
683
684                 sbsec->sid = fscontext_sid;
685         }
686
687         /*
688          * Switch to using mount point labeling behavior.
689          * sets the label used on all file below the mountpoint, and will set
690          * the superblock context if not already set.
691          */
692         if (context_sid) {
693                 if (!fscontext_sid) {
694                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
695                                                           cred);
696                         if (rc)
697                                 goto out;
698                         sbsec->sid = context_sid;
699                 } else {
700                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
701                                                              cred);
702                         if (rc)
703                                 goto out;
704                 }
705                 if (!rootcontext_sid)
706                         rootcontext_sid = context_sid;
707
708                 sbsec->mntpoint_sid = context_sid;
709                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
710         }
711
712         if (rootcontext_sid) {
713                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
714                                                      cred);
715                 if (rc)
716                         goto out;
717
718                 root_isec->sid = rootcontext_sid;
719                 root_isec->initialized = 1;
720         }
721
722         if (defcontext_sid) {
723                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
724                         rc = -EINVAL;
725                         printk(KERN_WARNING "SELinux: defcontext option is "
726                                "invalid for this filesystem type\n");
727                         goto out;
728                 }
729
730                 if (defcontext_sid != sbsec->def_sid) {
731                         rc = may_context_mount_inode_relabel(defcontext_sid,
732                                                              sbsec, cred);
733                         if (rc)
734                                 goto out;
735                 }
736
737                 sbsec->def_sid = defcontext_sid;
738         }
739
740         rc = sb_finish_set_opts(sb);
741 out:
742         mutex_unlock(&sbsec->lock);
743         return rc;
744 out_double_mount:
745         rc = -EINVAL;
746         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
747                "security settings for (dev %s, type %s)\n", sb->s_id, name);
748         goto out;
749 }
750
751 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
752                                         struct super_block *newsb)
753 {
754         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
755         struct superblock_security_struct *newsbsec = newsb->s_security;
756
757         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
758         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
759         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
760
761         /*
762          * if the parent was able to be mounted it clearly had no special lsm
763          * mount options.  thus we can safely deal with this superblock later
764          */
765         if (!ss_initialized)
766                 return;
767
768         /* how can we clone if the old one wasn't set up?? */
769         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
770
771         /* if fs is reusing a sb, just let its options stand... */
772         if (newsbsec->flags & SE_SBINITIALIZED)
773                 return;
774
775         mutex_lock(&newsbsec->lock);
776
777         newsbsec->flags = oldsbsec->flags;
778
779         newsbsec->sid = oldsbsec->sid;
780         newsbsec->def_sid = oldsbsec->def_sid;
781         newsbsec->behavior = oldsbsec->behavior;
782
783         if (set_context) {
784                 u32 sid = oldsbsec->mntpoint_sid;
785
786                 if (!set_fscontext)
787                         newsbsec->sid = sid;
788                 if (!set_rootcontext) {
789                         struct inode *newinode = newsb->s_root->d_inode;
790                         struct inode_security_struct *newisec = newinode->i_security;
791                         newisec->sid = sid;
792                 }
793                 newsbsec->mntpoint_sid = sid;
794         }
795         if (set_rootcontext) {
796                 const struct inode *oldinode = oldsb->s_root->d_inode;
797                 const struct inode_security_struct *oldisec = oldinode->i_security;
798                 struct inode *newinode = newsb->s_root->d_inode;
799                 struct inode_security_struct *newisec = newinode->i_security;
800
801                 newisec->sid = oldisec->sid;
802         }
803
804         sb_finish_set_opts(newsb);
805         mutex_unlock(&newsbsec->lock);
806 }
807
808 static int selinux_parse_opts_str(char *options,
809                                   struct security_mnt_opts *opts)
810 {
811         char *p;
812         char *context = NULL, *defcontext = NULL;
813         char *fscontext = NULL, *rootcontext = NULL;
814         int rc, num_mnt_opts = 0;
815
816         opts->num_mnt_opts = 0;
817
818         /* Standard string-based options. */
819         while ((p = strsep(&options, "|")) != NULL) {
820                 int token;
821                 substring_t args[MAX_OPT_ARGS];
822
823                 if (!*p)
824                         continue;
825
826                 token = match_token(p, tokens, args);
827
828                 switch (token) {
829                 case Opt_context:
830                         if (context || defcontext) {
831                                 rc = -EINVAL;
832                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
833                                 goto out_err;
834                         }
835                         context = match_strdup(&args[0]);
836                         if (!context) {
837                                 rc = -ENOMEM;
838                                 goto out_err;
839                         }
840                         break;
841
842                 case Opt_fscontext:
843                         if (fscontext) {
844                                 rc = -EINVAL;
845                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
846                                 goto out_err;
847                         }
848                         fscontext = match_strdup(&args[0]);
849                         if (!fscontext) {
850                                 rc = -ENOMEM;
851                                 goto out_err;
852                         }
853                         break;
854
855                 case Opt_rootcontext:
856                         if (rootcontext) {
857                                 rc = -EINVAL;
858                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
859                                 goto out_err;
860                         }
861                         rootcontext = match_strdup(&args[0]);
862                         if (!rootcontext) {
863                                 rc = -ENOMEM;
864                                 goto out_err;
865                         }
866                         break;
867
868                 case Opt_defcontext:
869                         if (context || defcontext) {
870                                 rc = -EINVAL;
871                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
872                                 goto out_err;
873                         }
874                         defcontext = match_strdup(&args[0]);
875                         if (!defcontext) {
876                                 rc = -ENOMEM;
877                                 goto out_err;
878                         }
879                         break;
880                 case Opt_labelsupport:
881                         break;
882                 default:
883                         rc = -EINVAL;
884                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
885                         goto out_err;
886
887                 }
888         }
889
890         rc = -ENOMEM;
891         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
892         if (!opts->mnt_opts)
893                 goto out_err;
894
895         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
896         if (!opts->mnt_opts_flags) {
897                 kfree(opts->mnt_opts);
898                 goto out_err;
899         }
900
901         if (fscontext) {
902                 opts->mnt_opts[num_mnt_opts] = fscontext;
903                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
904         }
905         if (context) {
906                 opts->mnt_opts[num_mnt_opts] = context;
907                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
908         }
909         if (rootcontext) {
910                 opts->mnt_opts[num_mnt_opts] = rootcontext;
911                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
912         }
913         if (defcontext) {
914                 opts->mnt_opts[num_mnt_opts] = defcontext;
915                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
916         }
917
918         opts->num_mnt_opts = num_mnt_opts;
919         return 0;
920
921 out_err:
922         kfree(context);
923         kfree(defcontext);
924         kfree(fscontext);
925         kfree(rootcontext);
926         return rc;
927 }
928 /*
929  * string mount options parsing and call set the sbsec
930  */
931 static int superblock_doinit(struct super_block *sb, void *data)
932 {
933         int rc = 0;
934         char *options = data;
935         struct security_mnt_opts opts;
936
937         security_init_mnt_opts(&opts);
938
939         if (!data)
940                 goto out;
941
942         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
943
944         rc = selinux_parse_opts_str(options, &opts);
945         if (rc)
946                 goto out_err;
947
948 out:
949         rc = selinux_set_mnt_opts(sb, &opts);
950
951 out_err:
952         security_free_mnt_opts(&opts);
953         return rc;
954 }
955
956 static void selinux_write_opts(struct seq_file *m,
957                                struct security_mnt_opts *opts)
958 {
959         int i;
960         char *prefix;
961
962         for (i = 0; i < opts->num_mnt_opts; i++) {
963                 char *has_comma;
964
965                 if (opts->mnt_opts[i])
966                         has_comma = strchr(opts->mnt_opts[i], ',');
967                 else
968                         has_comma = NULL;
969
970                 switch (opts->mnt_opts_flags[i]) {
971                 case CONTEXT_MNT:
972                         prefix = CONTEXT_STR;
973                         break;
974                 case FSCONTEXT_MNT:
975                         prefix = FSCONTEXT_STR;
976                         break;
977                 case ROOTCONTEXT_MNT:
978                         prefix = ROOTCONTEXT_STR;
979                         break;
980                 case DEFCONTEXT_MNT:
981                         prefix = DEFCONTEXT_STR;
982                         break;
983                 case SE_SBLABELSUPP:
984                         seq_putc(m, ',');
985                         seq_puts(m, LABELSUPP_STR);
986                         continue;
987                 default:
988                         BUG();
989                 };
990                 /* we need a comma before each option */
991                 seq_putc(m, ',');
992                 seq_puts(m, prefix);
993                 if (has_comma)
994                         seq_putc(m, '\"');
995                 seq_puts(m, opts->mnt_opts[i]);
996                 if (has_comma)
997                         seq_putc(m, '\"');
998         }
999 }
1000
1001 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1002 {
1003         struct security_mnt_opts opts;
1004         int rc;
1005
1006         rc = selinux_get_mnt_opts(sb, &opts);
1007         if (rc) {
1008                 /* before policy load we may get EINVAL, don't show anything */
1009                 if (rc == -EINVAL)
1010                         rc = 0;
1011                 return rc;
1012         }
1013
1014         selinux_write_opts(m, &opts);
1015
1016         security_free_mnt_opts(&opts);
1017
1018         return rc;
1019 }
1020
1021 static inline u16 inode_mode_to_security_class(umode_t mode)
1022 {
1023         switch (mode & S_IFMT) {
1024         case S_IFSOCK:
1025                 return SECCLASS_SOCK_FILE;
1026         case S_IFLNK:
1027                 return SECCLASS_LNK_FILE;
1028         case S_IFREG:
1029                 return SECCLASS_FILE;
1030         case S_IFBLK:
1031                 return SECCLASS_BLK_FILE;
1032         case S_IFDIR:
1033                 return SECCLASS_DIR;
1034         case S_IFCHR:
1035                 return SECCLASS_CHR_FILE;
1036         case S_IFIFO:
1037                 return SECCLASS_FIFO_FILE;
1038
1039         }
1040
1041         return SECCLASS_FILE;
1042 }
1043
1044 static inline int default_protocol_stream(int protocol)
1045 {
1046         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1047 }
1048
1049 static inline int default_protocol_dgram(int protocol)
1050 {
1051         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1052 }
1053
1054 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1055 {
1056         switch (family) {
1057         case PF_UNIX:
1058                 switch (type) {
1059                 case SOCK_STREAM:
1060                 case SOCK_SEQPACKET:
1061                         return SECCLASS_UNIX_STREAM_SOCKET;
1062                 case SOCK_DGRAM:
1063                         return SECCLASS_UNIX_DGRAM_SOCKET;
1064                 }
1065                 break;
1066         case PF_INET:
1067         case PF_INET6:
1068                 switch (type) {
1069                 case SOCK_STREAM:
1070                         if (default_protocol_stream(protocol))
1071                                 return SECCLASS_TCP_SOCKET;
1072                         else
1073                                 return SECCLASS_RAWIP_SOCKET;
1074                 case SOCK_DGRAM:
1075                         if (default_protocol_dgram(protocol))
1076                                 return SECCLASS_UDP_SOCKET;
1077                         else
1078                                 return SECCLASS_RAWIP_SOCKET;
1079                 case SOCK_DCCP:
1080                         return SECCLASS_DCCP_SOCKET;
1081                 default:
1082                         return SECCLASS_RAWIP_SOCKET;
1083                 }
1084                 break;
1085         case PF_NETLINK:
1086                 switch (protocol) {
1087                 case NETLINK_ROUTE:
1088                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1089                 case NETLINK_FIREWALL:
1090                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1091                 case NETLINK_INET_DIAG:
1092                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1093                 case NETLINK_NFLOG:
1094                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1095                 case NETLINK_XFRM:
1096                         return SECCLASS_NETLINK_XFRM_SOCKET;
1097                 case NETLINK_SELINUX:
1098                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1099                 case NETLINK_AUDIT:
1100                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1101                 case NETLINK_IP6_FW:
1102                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1103                 case NETLINK_DNRTMSG:
1104                         return SECCLASS_NETLINK_DNRT_SOCKET;
1105                 case NETLINK_KOBJECT_UEVENT:
1106                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1107                 default:
1108                         return SECCLASS_NETLINK_SOCKET;
1109                 }
1110         case PF_PACKET:
1111                 return SECCLASS_PACKET_SOCKET;
1112         case PF_KEY:
1113                 return SECCLASS_KEY_SOCKET;
1114         case PF_APPLETALK:
1115                 return SECCLASS_APPLETALK_SOCKET;
1116         }
1117
1118         return SECCLASS_SOCKET;
1119 }
1120
1121 #ifdef CONFIG_PROC_FS
1122 static int selinux_proc_get_sid(struct dentry *dentry,
1123                                 u16 tclass,
1124                                 u32 *sid)
1125 {
1126         int rc;
1127         char *buffer, *path;
1128
1129         buffer = (char *)__get_free_page(GFP_KERNEL);
1130         if (!buffer)
1131                 return -ENOMEM;
1132
1133         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1134         if (IS_ERR(path))
1135                 rc = PTR_ERR(path);
1136         else {
1137                 /* each process gets a /proc/PID/ entry. Strip off the
1138                  * PID part to get a valid selinux labeling.
1139                  * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1140                 while (path[1] >= '0' && path[1] <= '9') {
1141                         path[1] = '/';
1142                         path++;
1143                 }
1144                 rc = security_genfs_sid("proc", path, tclass, sid);
1145         }
1146         free_page((unsigned long)buffer);
1147         return rc;
1148 }
1149 #else
1150 static int selinux_proc_get_sid(struct dentry *dentry,
1151                                 u16 tclass,
1152                                 u32 *sid)
1153 {
1154         return -EINVAL;
1155 }
1156 #endif
1157
1158 /* The inode's security attributes must be initialized before first use. */
1159 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1160 {
1161         struct superblock_security_struct *sbsec = NULL;
1162         struct inode_security_struct *isec = inode->i_security;
1163         u32 sid;
1164         struct dentry *dentry;
1165 #define INITCONTEXTLEN 255
1166         char *context = NULL;
1167         unsigned len = 0;
1168         int rc = 0;
1169
1170         if (isec->initialized)
1171                 goto out;
1172
1173         mutex_lock(&isec->lock);
1174         if (isec->initialized)
1175                 goto out_unlock;
1176
1177         sbsec = inode->i_sb->s_security;
1178         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1179                 /* Defer initialization until selinux_complete_init,
1180                    after the initial policy is loaded and the security
1181                    server is ready to handle calls. */
1182                 spin_lock(&sbsec->isec_lock);
1183                 if (list_empty(&isec->list))
1184                         list_add(&isec->list, &sbsec->isec_head);
1185                 spin_unlock(&sbsec->isec_lock);
1186                 goto out_unlock;
1187         }
1188
1189         switch (sbsec->behavior) {
1190         case SECURITY_FS_USE_XATTR:
1191                 if (!inode->i_op->getxattr) {
1192                         isec->sid = sbsec->def_sid;
1193                         break;
1194                 }
1195
1196                 /* Need a dentry, since the xattr API requires one.
1197                    Life would be simpler if we could just pass the inode. */
1198                 if (opt_dentry) {
1199                         /* Called from d_instantiate or d_splice_alias. */
1200                         dentry = dget(opt_dentry);
1201                 } else {
1202                         /* Called from selinux_complete_init, try to find a dentry. */
1203                         dentry = d_find_alias(inode);
1204                 }
1205                 if (!dentry) {
1206                         /*
1207                          * this is can be hit on boot when a file is accessed
1208                          * before the policy is loaded.  When we load policy we
1209                          * may find inodes that have no dentry on the
1210                          * sbsec->isec_head list.  No reason to complain as these
1211                          * will get fixed up the next time we go through
1212                          * inode_doinit with a dentry, before these inodes could
1213                          * be used again by userspace.
1214                          */
1215                         goto out_unlock;
1216                 }
1217
1218                 len = INITCONTEXTLEN;
1219                 context = kmalloc(len+1, GFP_NOFS);
1220                 if (!context) {
1221                         rc = -ENOMEM;
1222                         dput(dentry);
1223                         goto out_unlock;
1224                 }
1225                 context[len] = '\0';
1226                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1227                                            context, len);
1228                 if (rc == -ERANGE) {
1229                         kfree(context);
1230
1231                         /* Need a larger buffer.  Query for the right size. */
1232                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1233                                                    NULL, 0);
1234                         if (rc < 0) {
1235                                 dput(dentry);
1236                                 goto out_unlock;
1237                         }
1238                         len = rc;
1239                         context = kmalloc(len+1, GFP_NOFS);
1240                         if (!context) {
1241                                 rc = -ENOMEM;
1242                                 dput(dentry);
1243                                 goto out_unlock;
1244                         }
1245                         context[len] = '\0';
1246                         rc = inode->i_op->getxattr(dentry,
1247                                                    XATTR_NAME_SELINUX,
1248                                                    context, len);
1249                 }
1250                 dput(dentry);
1251                 if (rc < 0) {
1252                         if (rc != -ENODATA) {
1253                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1254                                        "%d for dev=%s ino=%ld\n", __func__,
1255                                        -rc, inode->i_sb->s_id, inode->i_ino);
1256                                 kfree(context);
1257                                 goto out_unlock;
1258                         }
1259                         /* Map ENODATA to the default file SID */
1260                         sid = sbsec->def_sid;
1261                         rc = 0;
1262                 } else {
1263                         rc = security_context_to_sid_default(context, rc, &sid,
1264                                                              sbsec->def_sid,
1265                                                              GFP_NOFS);
1266                         if (rc) {
1267                                 char *dev = inode->i_sb->s_id;
1268                                 unsigned long ino = inode->i_ino;
1269
1270                                 if (rc == -EINVAL) {
1271                                         if (printk_ratelimit())
1272                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1273                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1274                                                         "filesystem in question.\n", ino, dev, context);
1275                                 } else {
1276                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1277                                                "returned %d for dev=%s ino=%ld\n",
1278                                                __func__, context, -rc, dev, ino);
1279                                 }
1280                                 kfree(context);
1281                                 /* Leave with the unlabeled SID */
1282                                 rc = 0;
1283                                 break;
1284                         }
1285                 }
1286                 kfree(context);
1287                 isec->sid = sid;
1288                 break;
1289         case SECURITY_FS_USE_TASK:
1290                 isec->sid = isec->task_sid;
1291                 break;
1292         case SECURITY_FS_USE_TRANS:
1293                 /* Default to the fs SID. */
1294                 isec->sid = sbsec->sid;
1295
1296                 /* Try to obtain a transition SID. */
1297                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1298                 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1299                                              isec->sclass, NULL, &sid);
1300                 if (rc)
1301                         goto out_unlock;
1302                 isec->sid = sid;
1303                 break;
1304         case SECURITY_FS_USE_MNTPOINT:
1305                 isec->sid = sbsec->mntpoint_sid;
1306                 break;
1307         default:
1308                 /* Default to the fs superblock SID. */
1309                 isec->sid = sbsec->sid;
1310
1311                 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1312                         if (opt_dentry) {
1313                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1314                                 rc = selinux_proc_get_sid(opt_dentry,
1315                                                           isec->sclass,
1316                                                           &sid);
1317                                 if (rc)
1318                                         goto out_unlock;
1319                                 isec->sid = sid;
1320                         }
1321                 }
1322                 break;
1323         }
1324
1325         isec->initialized = 1;
1326
1327 out_unlock:
1328         mutex_unlock(&isec->lock);
1329 out:
1330         if (isec->sclass == SECCLASS_FILE)
1331                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1332         return rc;
1333 }
1334
1335 /* Convert a Linux signal to an access vector. */
1336 static inline u32 signal_to_av(int sig)
1337 {
1338         u32 perm = 0;
1339
1340         switch (sig) {
1341         case SIGCHLD:
1342                 /* Commonly granted from child to parent. */
1343                 perm = PROCESS__SIGCHLD;
1344                 break;
1345         case SIGKILL:
1346                 /* Cannot be caught or ignored */
1347                 perm = PROCESS__SIGKILL;
1348                 break;
1349         case SIGSTOP:
1350                 /* Cannot be caught or ignored */
1351                 perm = PROCESS__SIGSTOP;
1352                 break;
1353         default:
1354                 /* All other signals. */
1355                 perm = PROCESS__SIGNAL;
1356                 break;
1357         }
1358
1359         return perm;
1360 }
1361
1362 /*
1363  * Check permission between a pair of credentials
1364  * fork check, ptrace check, etc.
1365  */
1366 static int cred_has_perm(const struct cred *actor,
1367                          const struct cred *target,
1368                          u32 perms)
1369 {
1370         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1371
1372         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1373 }
1374
1375 /*
1376  * Check permission between a pair of tasks, e.g. signal checks,
1377  * fork check, ptrace check, etc.
1378  * tsk1 is the actor and tsk2 is the target
1379  * - this uses the default subjective creds of tsk1
1380  */
1381 static int task_has_perm(const struct task_struct *tsk1,
1382                          const struct task_struct *tsk2,
1383                          u32 perms)
1384 {
1385         const struct task_security_struct *__tsec1, *__tsec2;
1386         u32 sid1, sid2;
1387
1388         rcu_read_lock();
1389         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1390         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1391         rcu_read_unlock();
1392         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1393 }
1394
1395 /*
1396  * Check permission between current and another task, e.g. signal checks,
1397  * fork check, ptrace check, etc.
1398  * current is the actor and tsk2 is the target
1399  * - this uses current's subjective creds
1400  */
1401 static int current_has_perm(const struct task_struct *tsk,
1402                             u32 perms)
1403 {
1404         u32 sid, tsid;
1405
1406         sid = current_sid();
1407         tsid = task_sid(tsk);
1408         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1409 }
1410
1411 #if CAP_LAST_CAP > 63
1412 #error Fix SELinux to handle capabilities > 63.
1413 #endif
1414
1415 /* Check whether a task is allowed to use a capability. */
1416 static int task_has_capability(struct task_struct *tsk,
1417                                const struct cred *cred,
1418                                int cap, int audit)
1419 {
1420         struct common_audit_data ad;
1421         struct av_decision avd;
1422         u16 sclass;
1423         u32 sid = cred_sid(cred);
1424         u32 av = CAP_TO_MASK(cap);
1425         int rc;
1426
1427         COMMON_AUDIT_DATA_INIT(&ad, CAP);
1428         ad.tsk = tsk;
1429         ad.u.cap = cap;
1430
1431         switch (CAP_TO_INDEX(cap)) {
1432         case 0:
1433                 sclass = SECCLASS_CAPABILITY;
1434                 break;
1435         case 1:
1436                 sclass = SECCLASS_CAPABILITY2;
1437                 break;
1438         default:
1439                 printk(KERN_ERR
1440                        "SELinux:  out of range capability %d\n", cap);
1441                 BUG();
1442         }
1443
1444         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1445         if (audit == SECURITY_CAP_AUDIT)
1446                 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1447         return rc;
1448 }
1449
1450 /* Check whether a task is allowed to use a system operation. */
1451 static int task_has_system(struct task_struct *tsk,
1452                            u32 perms)
1453 {
1454         u32 sid = task_sid(tsk);
1455
1456         return avc_has_perm(sid, SECINITSID_KERNEL,
1457                             SECCLASS_SYSTEM, perms, NULL);
1458 }
1459
1460 /* Check whether a task has a particular permission to an inode.
1461    The 'adp' parameter is optional and allows other audit
1462    data to be passed (e.g. the dentry). */
1463 static int inode_has_perm(const struct cred *cred,
1464                           struct inode *inode,
1465                           u32 perms,
1466                           struct common_audit_data *adp)
1467 {
1468         struct inode_security_struct *isec;
1469         struct common_audit_data ad;
1470         u32 sid;
1471
1472         validate_creds(cred);
1473
1474         if (unlikely(IS_PRIVATE(inode)))
1475                 return 0;
1476
1477         sid = cred_sid(cred);
1478         isec = inode->i_security;
1479
1480         if (!adp) {
1481                 adp = &ad;
1482                 COMMON_AUDIT_DATA_INIT(&ad, FS);
1483                 ad.u.fs.inode = inode;
1484         }
1485
1486         return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1487 }
1488
1489 /* Same as inode_has_perm, but pass explicit audit data containing
1490    the dentry to help the auditing code to more easily generate the
1491    pathname if needed. */
1492 static inline int dentry_has_perm(const struct cred *cred,
1493                                   struct vfsmount *mnt,
1494                                   struct dentry *dentry,
1495                                   u32 av)
1496 {
1497         struct inode *inode = dentry->d_inode;
1498         struct common_audit_data ad;
1499
1500         COMMON_AUDIT_DATA_INIT(&ad, FS);
1501         ad.u.fs.path.mnt = mnt;
1502         ad.u.fs.path.dentry = dentry;
1503         return inode_has_perm(cred, inode, av, &ad);
1504 }
1505
1506 /* Check whether a task can use an open file descriptor to
1507    access an inode in a given way.  Check access to the
1508    descriptor itself, and then use dentry_has_perm to
1509    check a particular permission to the file.
1510    Access to the descriptor is implicitly granted if it
1511    has the same SID as the process.  If av is zero, then
1512    access to the file is not checked, e.g. for cases
1513    where only the descriptor is affected like seek. */
1514 static int file_has_perm(const struct cred *cred,
1515                          struct file *file,
1516                          u32 av)
1517 {
1518         struct file_security_struct *fsec = file->f_security;
1519         struct inode *inode = file->f_path.dentry->d_inode;
1520         struct common_audit_data ad;
1521         u32 sid = cred_sid(cred);
1522         int rc;
1523
1524         COMMON_AUDIT_DATA_INIT(&ad, FS);
1525         ad.u.fs.path = file->f_path;
1526
1527         if (sid != fsec->sid) {
1528                 rc = avc_has_perm(sid, fsec->sid,
1529                                   SECCLASS_FD,
1530                                   FD__USE,
1531                                   &ad);
1532                 if (rc)
1533                         goto out;
1534         }
1535
1536         /* av is zero if only checking access to the descriptor. */
1537         rc = 0;
1538         if (av)
1539                 rc = inode_has_perm(cred, inode, av, &ad);
1540
1541 out:
1542         return rc;
1543 }
1544
1545 /* Check whether a task can create a file. */
1546 static int may_create(struct inode *dir,
1547                       struct dentry *dentry,
1548                       u16 tclass)
1549 {
1550         const struct task_security_struct *tsec = current_security();
1551         struct inode_security_struct *dsec;
1552         struct superblock_security_struct *sbsec;
1553         u32 sid, newsid;
1554         struct common_audit_data ad;
1555         int rc;
1556
1557         dsec = dir->i_security;
1558         sbsec = dir->i_sb->s_security;
1559
1560         sid = tsec->sid;
1561         newsid = tsec->create_sid;
1562
1563         COMMON_AUDIT_DATA_INIT(&ad, FS);
1564         ad.u.fs.path.dentry = dentry;
1565
1566         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1567                           DIR__ADD_NAME | DIR__SEARCH,
1568                           &ad);
1569         if (rc)
1570                 return rc;
1571
1572         if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1573                 rc = security_transition_sid(sid, dsec->sid, tclass, NULL, &newsid);
1574                 if (rc)
1575                         return rc;
1576         }
1577
1578         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1579         if (rc)
1580                 return rc;
1581
1582         return avc_has_perm(newsid, sbsec->sid,
1583                             SECCLASS_FILESYSTEM,
1584                             FILESYSTEM__ASSOCIATE, &ad);
1585 }
1586
1587 /* Check whether a task can create a key. */
1588 static int may_create_key(u32 ksid,
1589                           struct task_struct *ctx)
1590 {
1591         u32 sid = task_sid(ctx);
1592
1593         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1594 }
1595
1596 #define MAY_LINK        0
1597 #define MAY_UNLINK      1
1598 #define MAY_RMDIR       2
1599
1600 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1601 static int may_link(struct inode *dir,
1602                     struct dentry *dentry,
1603                     int kind)
1604
1605 {
1606         struct inode_security_struct *dsec, *isec;
1607         struct common_audit_data ad;
1608         u32 sid = current_sid();
1609         u32 av;
1610         int rc;
1611
1612         dsec = dir->i_security;
1613         isec = dentry->d_inode->i_security;
1614
1615         COMMON_AUDIT_DATA_INIT(&ad, FS);
1616         ad.u.fs.path.dentry = dentry;
1617
1618         av = DIR__SEARCH;
1619         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1620         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1621         if (rc)
1622                 return rc;
1623
1624         switch (kind) {
1625         case MAY_LINK:
1626                 av = FILE__LINK;
1627                 break;
1628         case MAY_UNLINK:
1629                 av = FILE__UNLINK;
1630                 break;
1631         case MAY_RMDIR:
1632                 av = DIR__RMDIR;
1633                 break;
1634         default:
1635                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1636                         __func__, kind);
1637                 return 0;
1638         }
1639
1640         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1641         return rc;
1642 }
1643
1644 static inline int may_rename(struct inode *old_dir,
1645                              struct dentry *old_dentry,
1646                              struct inode *new_dir,
1647                              struct dentry *new_dentry)
1648 {
1649         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1650         struct common_audit_data ad;
1651         u32 sid = current_sid();
1652         u32 av;
1653         int old_is_dir, new_is_dir;
1654         int rc;
1655
1656         old_dsec = old_dir->i_security;
1657         old_isec = old_dentry->d_inode->i_security;
1658         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1659         new_dsec = new_dir->i_security;
1660
1661         COMMON_AUDIT_DATA_INIT(&ad, FS);
1662
1663         ad.u.fs.path.dentry = old_dentry;
1664         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1665                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1666         if (rc)
1667                 return rc;
1668         rc = avc_has_perm(sid, old_isec->sid,
1669                           old_isec->sclass, FILE__RENAME, &ad);
1670         if (rc)
1671                 return rc;
1672         if (old_is_dir && new_dir != old_dir) {
1673                 rc = avc_has_perm(sid, old_isec->sid,
1674                                   old_isec->sclass, DIR__REPARENT, &ad);
1675                 if (rc)
1676                         return rc;
1677         }
1678
1679         ad.u.fs.path.dentry = new_dentry;
1680         av = DIR__ADD_NAME | DIR__SEARCH;
1681         if (new_dentry->d_inode)
1682                 av |= DIR__REMOVE_NAME;
1683         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1684         if (rc)
1685                 return rc;
1686         if (new_dentry->d_inode) {
1687                 new_isec = new_dentry->d_inode->i_security;
1688                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1689                 rc = avc_has_perm(sid, new_isec->sid,
1690                                   new_isec->sclass,
1691                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1692                 if (rc)
1693                         return rc;
1694         }
1695
1696         return 0;
1697 }
1698
1699 /* Check whether a task can perform a filesystem operation. */
1700 static int superblock_has_perm(const struct cred *cred,
1701                                struct super_block *sb,
1702                                u32 perms,
1703                                struct common_audit_data *ad)
1704 {
1705         struct superblock_security_struct *sbsec;
1706         u32 sid = cred_sid(cred);
1707
1708         sbsec = sb->s_security;
1709         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1710 }
1711
1712 /* Convert a Linux mode and permission mask to an access vector. */
1713 static inline u32 file_mask_to_av(int mode, int mask)
1714 {
1715         u32 av = 0;
1716
1717         if ((mode & S_IFMT) != S_IFDIR) {
1718                 if (mask & MAY_EXEC)
1719                         av |= FILE__EXECUTE;
1720                 if (mask & MAY_READ)
1721                         av |= FILE__READ;
1722
1723                 if (mask & MAY_APPEND)
1724                         av |= FILE__APPEND;
1725                 else if (mask & MAY_WRITE)
1726                         av |= FILE__WRITE;
1727
1728         } else {
1729                 if (mask & MAY_EXEC)
1730                         av |= DIR__SEARCH;
1731                 if (mask & MAY_WRITE)
1732                         av |= DIR__WRITE;
1733                 if (mask & MAY_READ)
1734                         av |= DIR__READ;
1735         }
1736
1737         return av;
1738 }
1739
1740 /* Convert a Linux file to an access vector. */
1741 static inline u32 file_to_av(struct file *file)
1742 {
1743         u32 av = 0;
1744
1745         if (file->f_mode & FMODE_READ)
1746                 av |= FILE__READ;
1747         if (file->f_mode & FMODE_WRITE) {
1748                 if (file->f_flags & O_APPEND)
1749                         av |= FILE__APPEND;
1750                 else
1751                         av |= FILE__WRITE;
1752         }
1753         if (!av) {
1754                 /*
1755                  * Special file opened with flags 3 for ioctl-only use.
1756                  */
1757                 av = FILE__IOCTL;
1758         }
1759
1760         return av;
1761 }
1762
1763 /*
1764  * Convert a file to an access vector and include the correct open
1765  * open permission.
1766  */
1767 static inline u32 open_file_to_av(struct file *file)
1768 {
1769         u32 av = file_to_av(file);
1770
1771         if (selinux_policycap_openperm)
1772                 av |= FILE__OPEN;
1773
1774         return av;
1775 }
1776
1777 /* Hook functions begin here. */
1778
1779 static int selinux_ptrace_access_check(struct task_struct *child,
1780                                      unsigned int mode)
1781 {
1782         int rc;
1783
1784         rc = cap_ptrace_access_check(child, mode);
1785         if (rc)
1786                 return rc;
1787
1788         if (mode == PTRACE_MODE_READ) {
1789                 u32 sid = current_sid();
1790                 u32 csid = task_sid(child);
1791                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1792         }
1793
1794         return current_has_perm(child, PROCESS__PTRACE);
1795 }
1796
1797 static int selinux_ptrace_traceme(struct task_struct *parent)
1798 {
1799         int rc;
1800
1801         rc = cap_ptrace_traceme(parent);
1802         if (rc)
1803                 return rc;
1804
1805         return task_has_perm(parent, current, PROCESS__PTRACE);
1806 }
1807
1808 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1809                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1810 {
1811         int error;
1812
1813         error = current_has_perm(target, PROCESS__GETCAP);
1814         if (error)
1815                 return error;
1816
1817         return cap_capget(target, effective, inheritable, permitted);
1818 }
1819
1820 static int selinux_capset(struct cred *new, const struct cred *old,
1821                           const kernel_cap_t *effective,
1822                           const kernel_cap_t *inheritable,
1823                           const kernel_cap_t *permitted)
1824 {
1825         int error;
1826
1827         error = cap_capset(new, old,
1828                                       effective, inheritable, permitted);
1829         if (error)
1830                 return error;
1831
1832         return cred_has_perm(old, new, PROCESS__SETCAP);
1833 }
1834
1835 /*
1836  * (This comment used to live with the selinux_task_setuid hook,
1837  * which was removed).
1838  *
1839  * Since setuid only affects the current process, and since the SELinux
1840  * controls are not based on the Linux identity attributes, SELinux does not
1841  * need to control this operation.  However, SELinux does control the use of
1842  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1843  */
1844
1845 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1846                            int cap, int audit)
1847 {
1848         int rc;
1849
1850         rc = cap_capable(tsk, cred, cap, audit);
1851         if (rc)
1852                 return rc;
1853
1854         return task_has_capability(tsk, cred, cap, audit);
1855 }
1856
1857 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1858 {
1859         const struct cred *cred = current_cred();
1860         int rc = 0;
1861
1862         if (!sb)
1863                 return 0;
1864
1865         switch (cmds) {
1866         case Q_SYNC:
1867         case Q_QUOTAON:
1868         case Q_QUOTAOFF:
1869         case Q_SETINFO:
1870         case Q_SETQUOTA:
1871                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1872                 break;
1873         case Q_GETFMT:
1874         case Q_GETINFO:
1875         case Q_GETQUOTA:
1876                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1877                 break;
1878         default:
1879                 rc = 0;  /* let the kernel handle invalid cmds */
1880                 break;
1881         }
1882         return rc;
1883 }
1884
1885 static int selinux_quota_on(struct dentry *dentry)
1886 {
1887         const struct cred *cred = current_cred();
1888
1889         return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1890 }
1891
1892 static int selinux_syslog(int type)
1893 {
1894         int rc;
1895
1896         switch (type) {
1897         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
1898         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1899                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1900                 break;
1901         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1902         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
1903         /* Set level of messages printed to console */
1904         case SYSLOG_ACTION_CONSOLE_LEVEL:
1905                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1906                 break;
1907         case SYSLOG_ACTION_CLOSE:       /* Close log */
1908         case SYSLOG_ACTION_OPEN:        /* Open log */
1909         case SYSLOG_ACTION_READ:        /* Read from log */
1910         case SYSLOG_ACTION_READ_CLEAR:  /* Read/clear last kernel messages */
1911         case SYSLOG_ACTION_CLEAR:       /* Clear ring buffer */
1912         default:
1913                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1914                 break;
1915         }
1916         return rc;
1917 }
1918
1919 /*
1920  * Check that a process has enough memory to allocate a new virtual
1921  * mapping. 0 means there is enough memory for the allocation to
1922  * succeed and -ENOMEM implies there is not.
1923  *
1924  * Do not audit the selinux permission check, as this is applied to all
1925  * processes that allocate mappings.
1926  */
1927 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1928 {
1929         int rc, cap_sys_admin = 0;
1930
1931         rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
1932                              SECURITY_CAP_NOAUDIT);
1933         if (rc == 0)
1934                 cap_sys_admin = 1;
1935
1936         return __vm_enough_memory(mm, pages, cap_sys_admin);
1937 }
1938
1939 /* binprm security operations */
1940
1941 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1942 {
1943         const struct task_security_struct *old_tsec;
1944         struct task_security_struct *new_tsec;
1945         struct inode_security_struct *isec;
1946         struct common_audit_data ad;
1947         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1948         int rc;
1949
1950         rc = cap_bprm_set_creds(bprm);
1951         if (rc)
1952                 return rc;
1953
1954         /* SELinux context only depends on initial program or script and not
1955          * the script interpreter */
1956         if (bprm->cred_prepared)
1957                 return 0;
1958
1959         old_tsec = current_security();
1960         new_tsec = bprm->cred->security;
1961         isec = inode->i_security;
1962
1963         /* Default to the current task SID. */
1964         new_tsec->sid = old_tsec->sid;
1965         new_tsec->osid = old_tsec->sid;
1966
1967         /* Reset fs, key, and sock SIDs on execve. */
1968         new_tsec->create_sid = 0;
1969         new_tsec->keycreate_sid = 0;
1970         new_tsec->sockcreate_sid = 0;
1971
1972         if (old_tsec->exec_sid) {
1973                 new_tsec->sid = old_tsec->exec_sid;
1974                 /* Reset exec SID on execve. */
1975                 new_tsec->exec_sid = 0;
1976         } else {
1977                 /* Check for a default transition on this program. */
1978                 rc = security_transition_sid(old_tsec->sid, isec->sid,
1979                                              SECCLASS_PROCESS, NULL,
1980                                              &new_tsec->sid);
1981                 if (rc)
1982                         return rc;
1983         }
1984
1985         COMMON_AUDIT_DATA_INIT(&ad, FS);
1986         ad.u.fs.path = bprm->file->f_path;
1987
1988         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1989                 new_tsec->sid = old_tsec->sid;
1990
1991         if (new_tsec->sid == old_tsec->sid) {
1992                 rc = avc_has_perm(old_tsec->sid, isec->sid,
1993                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1994                 if (rc)
1995                         return rc;
1996         } else {
1997                 /* Check permissions for the transition. */
1998                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1999                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2000                 if (rc)
2001                         return rc;
2002
2003                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2004                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2005                 if (rc)
2006                         return rc;
2007
2008                 /* Check for shared state */
2009                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2010                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2011                                           SECCLASS_PROCESS, PROCESS__SHARE,
2012                                           NULL);
2013                         if (rc)
2014                                 return -EPERM;
2015                 }
2016
2017                 /* Make sure that anyone attempting to ptrace over a task that
2018                  * changes its SID has the appropriate permit */
2019                 if (bprm->unsafe &
2020                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2021                         struct task_struct *tracer;
2022                         struct task_security_struct *sec;
2023                         u32 ptsid = 0;
2024
2025                         rcu_read_lock();
2026                         tracer = tracehook_tracer_task(current);
2027                         if (likely(tracer != NULL)) {
2028                                 sec = __task_cred(tracer)->security;
2029                                 ptsid = sec->sid;
2030                         }
2031                         rcu_read_unlock();
2032
2033                         if (ptsid != 0) {
2034                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2035                                                   SECCLASS_PROCESS,
2036                                                   PROCESS__PTRACE, NULL);
2037                                 if (rc)
2038                                         return -EPERM;
2039                         }
2040                 }
2041
2042                 /* Clear any possibly unsafe personality bits on exec: */
2043                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2044         }
2045
2046         return 0;
2047 }
2048
2049 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2050 {
2051         const struct task_security_struct *tsec = current_security();
2052         u32 sid, osid;
2053         int atsecure = 0;
2054
2055         sid = tsec->sid;
2056         osid = tsec->osid;
2057
2058         if (osid != sid) {
2059                 /* Enable secure mode for SIDs transitions unless
2060                    the noatsecure permission is granted between
2061                    the two SIDs, i.e. ahp returns 0. */
2062                 atsecure = avc_has_perm(osid, sid,
2063                                         SECCLASS_PROCESS,
2064                                         PROCESS__NOATSECURE, NULL);
2065         }
2066
2067         return (atsecure || cap_bprm_secureexec(bprm));
2068 }
2069
2070 extern struct vfsmount *selinuxfs_mount;
2071 extern struct dentry *selinux_null;
2072
2073 /* Derived from fs/exec.c:flush_old_files. */
2074 static inline void flush_unauthorized_files(const struct cred *cred,
2075                                             struct files_struct *files)
2076 {
2077         struct common_audit_data ad;
2078         struct file *file, *devnull = NULL;
2079         struct tty_struct *tty;
2080         struct fdtable *fdt;
2081         long j = -1;
2082         int drop_tty = 0;
2083
2084         tty = get_current_tty();
2085         if (tty) {
2086                 spin_lock(&tty_files_lock);
2087                 if (!list_empty(&tty->tty_files)) {
2088                         struct tty_file_private *file_priv;
2089                         struct inode *inode;
2090
2091                         /* Revalidate access to controlling tty.
2092                            Use inode_has_perm on the tty inode directly rather
2093                            than using file_has_perm, as this particular open
2094                            file may belong to another process and we are only
2095                            interested in the inode-based check here. */
2096                         file_priv = list_first_entry(&tty->tty_files,
2097                                                 struct tty_file_private, list);
2098                         file = file_priv->file;
2099                         inode = file->f_path.dentry->d_inode;
2100                         if (inode_has_perm(cred, inode,
2101                                            FILE__READ | FILE__WRITE, NULL)) {
2102                                 drop_tty = 1;
2103                         }
2104                 }
2105                 spin_unlock(&tty_files_lock);
2106                 tty_kref_put(tty);
2107         }
2108         /* Reset controlling tty. */
2109         if (drop_tty)
2110                 no_tty();
2111
2112         /* Revalidate access to inherited open files. */
2113
2114         COMMON_AUDIT_DATA_INIT(&ad, FS);
2115
2116         spin_lock(&files->file_lock);
2117         for (;;) {
2118                 unsigned long set, i;
2119                 int fd;
2120
2121                 j++;
2122                 i = j * __NFDBITS;
2123                 fdt = files_fdtable(files);
2124                 if (i >= fdt->max_fds)
2125                         break;
2126                 set = fdt->open_fds->fds_bits[j];
2127                 if (!set)
2128                         continue;
2129                 spin_unlock(&files->file_lock);
2130                 for ( ; set ; i++, set >>= 1) {
2131                         if (set & 1) {
2132                                 file = fget(i);
2133                                 if (!file)
2134                                         continue;
2135                                 if (file_has_perm(cred,
2136                                                   file,
2137                                                   file_to_av(file))) {
2138                                         sys_close(i);
2139                                         fd = get_unused_fd();
2140                                         if (fd != i) {
2141                                                 if (fd >= 0)
2142                                                         put_unused_fd(fd);
2143                                                 fput(file);
2144                                                 continue;
2145                                         }
2146                                         if (devnull) {
2147                                                 get_file(devnull);
2148                                         } else {
2149                                                 devnull = dentry_open(
2150                                                         dget(selinux_null),
2151                                                         mntget(selinuxfs_mount),
2152                                                         O_RDWR, cred);
2153                                                 if (IS_ERR(devnull)) {
2154                                                         devnull = NULL;
2155                                                         put_unused_fd(fd);
2156                                                         fput(file);
2157                                                         continue;
2158                                                 }
2159                                         }
2160                                         fd_install(fd, devnull);
2161                                 }
2162                                 fput(file);
2163                         }
2164                 }
2165                 spin_lock(&files->file_lock);
2166
2167         }
2168         spin_unlock(&files->file_lock);
2169 }
2170
2171 /*
2172  * Prepare a process for imminent new credential changes due to exec
2173  */
2174 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2175 {
2176         struct task_security_struct *new_tsec;
2177         struct rlimit *rlim, *initrlim;
2178         int rc, i;
2179
2180         new_tsec = bprm->cred->security;
2181         if (new_tsec->sid == new_tsec->osid)
2182                 return;
2183
2184         /* Close files for which the new task SID is not authorized. */
2185         flush_unauthorized_files(bprm->cred, current->files);
2186
2187         /* Always clear parent death signal on SID transitions. */
2188         current->pdeath_signal = 0;
2189
2190         /* Check whether the new SID can inherit resource limits from the old
2191          * SID.  If not, reset all soft limits to the lower of the current
2192          * task's hard limit and the init task's soft limit.
2193          *
2194          * Note that the setting of hard limits (even to lower them) can be
2195          * controlled by the setrlimit check.  The inclusion of the init task's
2196          * soft limit into the computation is to avoid resetting soft limits
2197          * higher than the default soft limit for cases where the default is
2198          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2199          */
2200         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2201                           PROCESS__RLIMITINH, NULL);
2202         if (rc) {
2203                 /* protect against do_prlimit() */
2204                 task_lock(current);
2205                 for (i = 0; i < RLIM_NLIMITS; i++) {
2206                         rlim = current->signal->rlim + i;
2207                         initrlim = init_task.signal->rlim + i;
2208                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2209                 }
2210                 task_unlock(current);
2211                 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2212         }
2213 }
2214
2215 /*
2216  * Clean up the process immediately after the installation of new credentials
2217  * due to exec
2218  */
2219 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2220 {
2221         const struct task_security_struct *tsec = current_security();
2222         struct itimerval itimer;
2223         u32 osid, sid;
2224         int rc, i;
2225
2226         osid = tsec->osid;
2227         sid = tsec->sid;
2228
2229         if (sid == osid)
2230                 return;
2231
2232         /* Check whether the new SID can inherit signal state from the old SID.
2233          * If not, clear itimers to avoid subsequent signal generation and
2234          * flush and unblock signals.
2235          *
2236          * This must occur _after_ the task SID has been updated so that any
2237          * kill done after the flush will be checked against the new SID.
2238          */
2239         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2240         if (rc) {
2241                 memset(&itimer, 0, sizeof itimer);
2242                 for (i = 0; i < 3; i++)
2243                         do_setitimer(i, &itimer, NULL);
2244                 spin_lock_irq(&current->sighand->siglock);
2245                 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2246                         __flush_signals(current);
2247                         flush_signal_handlers(current, 1);
2248                         sigemptyset(&current->blocked);
2249                 }
2250                 spin_unlock_irq(&current->sighand->siglock);
2251         }
2252
2253         /* Wake up the parent if it is waiting so that it can recheck
2254          * wait permission to the new task SID. */
2255         read_lock(&tasklist_lock);
2256         __wake_up_parent(current, current->real_parent);
2257         read_unlock(&tasklist_lock);
2258 }
2259
2260 /* superblock security operations */
2261
2262 static int selinux_sb_alloc_security(struct super_block *sb)
2263 {
2264         return superblock_alloc_security(sb);
2265 }
2266
2267 static void selinux_sb_free_security(struct super_block *sb)
2268 {
2269         superblock_free_security(sb);
2270 }
2271
2272 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2273 {
2274         if (plen > olen)
2275                 return 0;
2276
2277         return !memcmp(prefix, option, plen);
2278 }
2279
2280 static inline int selinux_option(char *option, int len)
2281 {
2282         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2283                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2284                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2285                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2286                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2287 }
2288
2289 static inline void take_option(char **to, char *from, int *first, int len)
2290 {
2291         if (!*first) {
2292                 **to = ',';
2293                 *to += 1;
2294         } else
2295                 *first = 0;
2296         memcpy(*to, from, len);
2297         *to += len;
2298 }
2299
2300 static inline void take_selinux_option(char **to, char *from, int *first,
2301                                        int len)
2302 {
2303         int current_size = 0;
2304
2305         if (!*first) {
2306                 **to = '|';
2307                 *to += 1;
2308         } else
2309                 *first = 0;
2310
2311         while (current_size < len) {
2312                 if (*from != '"') {
2313                         **to = *from;
2314                         *to += 1;
2315                 }
2316                 from += 1;
2317                 current_size += 1;
2318         }
2319 }
2320
2321 static int selinux_sb_copy_data(char *orig, char *copy)
2322 {
2323         int fnosec, fsec, rc = 0;
2324         char *in_save, *in_curr, *in_end;
2325         char *sec_curr, *nosec_save, *nosec;
2326         int open_quote = 0;
2327
2328         in_curr = orig;
2329         sec_curr = copy;
2330
2331         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2332         if (!nosec) {
2333                 rc = -ENOMEM;
2334                 goto out;
2335         }
2336
2337         nosec_save = nosec;
2338         fnosec = fsec = 1;
2339         in_save = in_end = orig;
2340
2341         do {
2342                 if (*in_end == '"')
2343                         open_quote = !open_quote;
2344                 if ((*in_end == ',' && open_quote == 0) ||
2345                                 *in_end == '\0') {
2346                         int len = in_end - in_curr;
2347
2348                         if (selinux_option(in_curr, len))
2349                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2350                         else
2351                                 take_option(&nosec, in_curr, &fnosec, len);
2352
2353                         in_curr = in_end + 1;
2354                 }
2355         } while (*in_end++);
2356
2357         strcpy(in_save, nosec_save);
2358         free_page((unsigned long)nosec_save);
2359 out:
2360         return rc;
2361 }
2362
2363 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2364 {
2365         const struct cred *cred = current_cred();
2366         struct common_audit_data ad;
2367         int rc;
2368
2369         rc = superblock_doinit(sb, data);
2370         if (rc)
2371                 return rc;
2372
2373         /* Allow all mounts performed by the kernel */
2374         if (flags & MS_KERNMOUNT)
2375                 return 0;
2376
2377         COMMON_AUDIT_DATA_INIT(&ad, FS);
2378         ad.u.fs.path.dentry = sb->s_root;
2379         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2380 }
2381
2382 static int selinux_sb_statfs(struct dentry *dentry)
2383 {
2384         const struct cred *cred = current_cred();
2385         struct common_audit_data ad;
2386
2387         COMMON_AUDIT_DATA_INIT(&ad, FS);
2388         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2389         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2390 }
2391
2392 static int selinux_mount(char *dev_name,
2393                          struct path *path,
2394                          char *type,
2395                          unsigned long flags,
2396                          void *data)
2397 {
2398         const struct cred *cred = current_cred();
2399
2400         if (flags & MS_REMOUNT)
2401                 return superblock_has_perm(cred, path->mnt->mnt_sb,
2402                                            FILESYSTEM__REMOUNT, NULL);
2403         else
2404                 return dentry_has_perm(cred, path->mnt, path->dentry,
2405                                        FILE__MOUNTON);
2406 }
2407
2408 static int selinux_umount(struct vfsmount *mnt, int flags)
2409 {
2410         const struct cred *cred = current_cred();
2411
2412         return superblock_has_perm(cred, mnt->mnt_sb,
2413                                    FILESYSTEM__UNMOUNT, NULL);
2414 }
2415
2416 /* inode security operations */
2417
2418 static int selinux_inode_alloc_security(struct inode *inode)
2419 {
2420         return inode_alloc_security(inode);
2421 }
2422
2423 static void selinux_inode_free_security(struct inode *inode)
2424 {
2425         inode_free_security(inode);
2426 }
2427
2428 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2429                                        const struct qstr *qstr, char **name,
2430                                        void **value, size_t *len)
2431 {
2432         const struct task_security_struct *tsec = current_security();
2433         struct inode_security_struct *dsec;
2434         struct superblock_security_struct *sbsec;
2435         u32 sid, newsid, clen;
2436         int rc;
2437         char *namep = NULL, *context;
2438
2439         dsec = dir->i_security;
2440         sbsec = dir->i_sb->s_security;
2441
2442         sid = tsec->sid;
2443         newsid = tsec->create_sid;
2444
2445         if ((sbsec->flags & SE_SBINITIALIZED) &&
2446             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2447                 newsid = sbsec->mntpoint_sid;
2448         else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2449                 rc = security_transition_sid(sid, dsec->sid,
2450                                              inode_mode_to_security_class(inode->i_mode),
2451                                              qstr, &newsid);
2452                 if (rc) {
2453                         printk(KERN_WARNING "%s:  "
2454                                "security_transition_sid failed, rc=%d (dev=%s "
2455                                "ino=%ld)\n",
2456                                __func__,
2457                                -rc, inode->i_sb->s_id, inode->i_ino);
2458                         return rc;
2459                 }
2460         }
2461
2462         /* Possibly defer initialization to selinux_complete_init. */
2463         if (sbsec->flags & SE_SBINITIALIZED) {
2464                 struct inode_security_struct *isec = inode->i_security;
2465                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2466                 isec->sid = newsid;
2467                 isec->initialized = 1;
2468         }
2469
2470         if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2471                 return -EOPNOTSUPP;
2472
2473         if (name) {
2474                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2475                 if (!namep)
2476                         return -ENOMEM;
2477                 *name = namep;
2478         }
2479
2480         if (value && len) {
2481                 rc = security_sid_to_context_force(newsid, &context, &clen);
2482                 if (rc) {
2483                         kfree(namep);
2484                         return rc;
2485                 }
2486                 *value = context;
2487                 *len = clen;
2488         }
2489
2490         return 0;
2491 }
2492
2493 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2494 {
2495         return may_create(dir, dentry, SECCLASS_FILE);
2496 }
2497
2498 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2499 {
2500         return may_link(dir, old_dentry, MAY_LINK);
2501 }
2502
2503 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2504 {
2505         return may_link(dir, dentry, MAY_UNLINK);
2506 }
2507
2508 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2509 {
2510         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2511 }
2512
2513 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2514 {
2515         return may_create(dir, dentry, SECCLASS_DIR);
2516 }
2517
2518 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2519 {
2520         return may_link(dir, dentry, MAY_RMDIR);
2521 }
2522
2523 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2524 {
2525         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2526 }
2527
2528 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2529                                 struct inode *new_inode, struct dentry *new_dentry)
2530 {
2531         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2532 }
2533
2534 static int selinux_inode_readlink(struct dentry *dentry)
2535 {
2536         const struct cred *cred = current_cred();
2537
2538         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2539 }
2540
2541 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2542 {
2543         const struct cred *cred = current_cred();
2544
2545         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2546 }
2547
2548 static int selinux_inode_permission(struct inode *inode, int mask)
2549 {
2550         const struct cred *cred = current_cred();
2551         struct common_audit_data ad;
2552         u32 perms;
2553         bool from_access;
2554
2555         from_access = mask & MAY_ACCESS;
2556         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2557
2558         /* No permission to check.  Existence test. */
2559         if (!mask)
2560                 return 0;
2561
2562         COMMON_AUDIT_DATA_INIT(&ad, FS);
2563         ad.u.fs.inode = inode;
2564
2565         if (from_access)
2566                 ad.selinux_audit_data.auditdeny |= FILE__AUDIT_ACCESS;
2567
2568         perms = file_mask_to_av(inode->i_mode, mask);
2569
2570         return inode_has_perm(cred, inode, perms, &ad);
2571 }
2572
2573 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2574 {
2575         const struct cred *cred = current_cred();
2576         unsigned int ia_valid = iattr->ia_valid;
2577
2578         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2579         if (ia_valid & ATTR_FORCE) {
2580                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2581                               ATTR_FORCE);
2582                 if (!ia_valid)
2583                         return 0;
2584         }
2585
2586         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2587                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2588                 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2589
2590         return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2591 }
2592
2593 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2594 {
2595         const struct cred *cred = current_cred();
2596
2597         return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2598 }
2599
2600 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2601 {
2602         const struct cred *cred = current_cred();
2603
2604         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2605                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2606                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2607                         if (!capable(CAP_SETFCAP))
2608                                 return -EPERM;
2609                 } else if (!capable(CAP_SYS_ADMIN)) {
2610                         /* A different attribute in the security namespace.
2611                            Restrict to administrator. */
2612                         return -EPERM;
2613                 }
2614         }
2615
2616         /* Not an attribute we recognize, so just check the
2617            ordinary setattr permission. */
2618         return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2619 }
2620
2621 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2622                                   const void *value, size_t size, int flags)
2623 {
2624         struct inode *inode = dentry->d_inode;
2625         struct inode_security_struct *isec = inode->i_security;
2626         struct superblock_security_struct *sbsec;
2627         struct common_audit_data ad;
2628         u32 newsid, sid = current_sid();
2629         int rc = 0;
2630
2631         if (strcmp(name, XATTR_NAME_SELINUX))
2632                 return selinux_inode_setotherxattr(dentry, name);
2633
2634         sbsec = inode->i_sb->s_security;
2635         if (!(sbsec->flags & SE_SBLABELSUPP))
2636                 return -EOPNOTSUPP;
2637
2638         if (!is_owner_or_cap(inode))
2639                 return -EPERM;
2640
2641         COMMON_AUDIT_DATA_INIT(&ad, FS);
2642         ad.u.fs.path.dentry = dentry;
2643
2644         rc = avc_has_perm(sid, isec->sid, isec->sclass,
2645                           FILE__RELABELFROM, &ad);
2646         if (rc)
2647                 return rc;
2648
2649         rc = security_context_to_sid(value, size, &newsid);
2650         if (rc == -EINVAL) {
2651                 if (!capable(CAP_MAC_ADMIN))
2652                         return rc;
2653                 rc = security_context_to_sid_force(value, size, &newsid);
2654         }
2655         if (rc)
2656                 return rc;
2657
2658         rc = avc_has_perm(sid, newsid, isec->sclass,
2659                           FILE__RELABELTO, &ad);
2660         if (rc)
2661                 return rc;
2662
2663         rc = security_validate_transition(isec->sid, newsid, sid,
2664                                           isec->sclass);
2665         if (rc)
2666                 return rc;
2667
2668         return avc_has_perm(newsid,
2669                             sbsec->sid,
2670                             SECCLASS_FILESYSTEM,
2671                             FILESYSTEM__ASSOCIATE,
2672                             &ad);
2673 }
2674
2675 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2676                                         const void *value, size_t size,
2677                                         int flags)
2678 {
2679         struct inode *inode = dentry->d_inode;
2680         struct inode_security_struct *isec = inode->i_security;
2681         u32 newsid;
2682         int rc;
2683
2684         if (strcmp(name, XATTR_NAME_SELINUX)) {
2685                 /* Not an attribute we recognize, so nothing to do. */
2686                 return;
2687         }
2688
2689         rc = security_context_to_sid_force(value, size, &newsid);
2690         if (rc) {
2691                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2692                        "for (%s, %lu), rc=%d\n",
2693                        inode->i_sb->s_id, inode->i_ino, -rc);
2694                 return;
2695         }
2696
2697         isec->sid = newsid;
2698         return;
2699 }
2700
2701 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2702 {
2703         const struct cred *cred = current_cred();
2704
2705         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2706 }
2707
2708 static int selinux_inode_listxattr(struct dentry *dentry)
2709 {
2710         const struct cred *cred = current_cred();
2711
2712         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2713 }
2714
2715 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2716 {
2717         if (strcmp(name, XATTR_NAME_SELINUX))
2718                 return selinux_inode_setotherxattr(dentry, name);
2719
2720         /* No one is allowed to remove a SELinux security label.
2721            You can change the label, but all data must be labeled. */
2722         return -EACCES;
2723 }
2724
2725 /*
2726  * Copy the inode security context value to the user.
2727  *
2728  * Permission check is handled by selinux_inode_getxattr hook.
2729  */
2730 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2731 {
2732         u32 size;
2733         int error;
2734         char *context = NULL;
2735         struct inode_security_struct *isec = inode->i_security;
2736
2737         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2738                 return -EOPNOTSUPP;
2739
2740         /*
2741          * If the caller has CAP_MAC_ADMIN, then get the raw context
2742          * value even if it is not defined by current policy; otherwise,
2743          * use the in-core value under current policy.
2744          * Use the non-auditing forms of the permission checks since
2745          * getxattr may be called by unprivileged processes commonly
2746          * and lack of permission just means that we fall back to the
2747          * in-core context value, not a denial.
2748          */
2749         error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
2750                                 SECURITY_CAP_NOAUDIT);
2751         if (!error)
2752                 error = security_sid_to_context_force(isec->sid, &context,
2753                                                       &size);
2754         else
2755                 error = security_sid_to_context(isec->sid, &context, &size);
2756         if (error)
2757                 return error;
2758         error = size;
2759         if (alloc) {
2760                 *buffer = context;
2761                 goto out_nofree;
2762         }
2763         kfree(context);
2764 out_nofree:
2765         return error;
2766 }
2767
2768 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2769                                      const void *value, size_t size, int flags)
2770 {
2771         struct inode_security_struct *isec = inode->i_security;
2772         u32 newsid;
2773         int rc;
2774
2775         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2776                 return -EOPNOTSUPP;
2777
2778         if (!value || !size)
2779                 return -EACCES;
2780
2781         rc = security_context_to_sid((void *)value, size, &newsid);
2782         if (rc)
2783                 return rc;
2784
2785         isec->sid = newsid;
2786         isec->initialized = 1;
2787         return 0;
2788 }
2789
2790 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2791 {
2792         const int len = sizeof(XATTR_NAME_SELINUX);
2793         if (buffer && len <= buffer_size)
2794                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2795         return len;
2796 }
2797
2798 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2799 {
2800         struct inode_security_struct *isec = inode->i_security;
2801         *secid = isec->sid;
2802 }
2803
2804 /* file security operations */
2805
2806 static int selinux_revalidate_file_permission(struct file *file, int mask)
2807 {
2808         const struct cred *cred = current_cred();
2809         struct inode *inode = file->f_path.dentry->d_inode;
2810
2811         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2812         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2813                 mask |= MAY_APPEND;
2814
2815         return file_has_perm(cred, file,
2816                              file_mask_to_av(inode->i_mode, mask));
2817 }
2818
2819 static int selinux_file_permission(struct file *file, int mask)
2820 {
2821         struct inode *inode = file->f_path.dentry->d_inode;
2822         struct file_security_struct *fsec = file->f_security;
2823         struct inode_security_struct *isec = inode->i_security;
2824         u32 sid = current_sid();
2825
2826         if (!mask)
2827                 /* No permission to check.  Existence test. */
2828                 return 0;
2829
2830         if (sid == fsec->sid && fsec->isid == isec->sid &&
2831             fsec->pseqno == avc_policy_seqno())
2832                 /* No change since dentry_open check. */
2833                 return 0;
2834
2835         return selinux_revalidate_file_permission(file, mask);
2836 }
2837
2838 static int selinux_file_alloc_security(struct file *file)
2839 {
2840         return file_alloc_security(file);
2841 }
2842
2843 static void selinux_file_free_security(struct file *file)
2844 {
2845         file_free_security(file);
2846 }
2847
2848 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2849                               unsigned long arg)
2850 {
2851         const struct cred *cred = current_cred();
2852         u32 av = 0;
2853
2854         if (_IOC_DIR(cmd) & _IOC_WRITE)
2855                 av |= FILE__WRITE;
2856         if (_IOC_DIR(cmd) & _IOC_READ)
2857                 av |= FILE__READ;
2858         if (!av)
2859                 av = FILE__IOCTL;
2860
2861         return file_has_perm(cred, file, av);
2862 }
2863
2864 static int default_noexec;
2865
2866 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2867 {
2868         const struct cred *cred = current_cred();
2869         int rc = 0;
2870
2871         if (default_noexec &&
2872             (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2873                 /*
2874                  * We are making executable an anonymous mapping or a
2875                  * private file mapping that will also be writable.
2876                  * This has an additional check.
2877                  */
2878                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
2879                 if (rc)
2880                         goto error;
2881         }
2882
2883         if (file) {
2884                 /* read access is always possible with a mapping */
2885                 u32 av = FILE__READ;
2886
2887                 /* write access only matters if the mapping is shared */
2888                 if (shared && (prot & PROT_WRITE))
2889                         av |= FILE__WRITE;
2890
2891                 if (prot & PROT_EXEC)
2892                         av |= FILE__EXECUTE;
2893
2894                 return file_has_perm(cred, file, av);
2895         }
2896
2897 error:
2898         return rc;
2899 }
2900
2901 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2902                              unsigned long prot, unsigned long flags,
2903                              unsigned long addr, unsigned long addr_only)
2904 {
2905         int rc = 0;
2906         u32 sid = current_sid();
2907
2908         /*
2909          * notice that we are intentionally putting the SELinux check before
2910          * the secondary cap_file_mmap check.  This is such a likely attempt
2911          * at bad behaviour/exploit that we always want to get the AVC, even
2912          * if DAC would have also denied the operation.
2913          */
2914         if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
2915                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2916                                   MEMPROTECT__MMAP_ZERO, NULL);
2917                 if (rc)
2918                         return rc;
2919         }
2920
2921         /* do DAC check on address space usage */
2922         rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
2923         if (rc || addr_only)
2924                 return rc;
2925
2926         if (selinux_checkreqprot)
2927                 prot = reqprot;
2928
2929         return file_map_prot_check(file, prot,
2930                                    (flags & MAP_TYPE) == MAP_SHARED);
2931 }
2932
2933 static int selinux_file_mprotect(struct vm_area_struct *vma,
2934                                  unsigned long reqprot,
2935                                  unsigned long prot)
2936 {
2937         const struct cred *cred = current_cred();
2938
2939         if (selinux_checkreqprot)
2940                 prot = reqprot;
2941
2942         if (default_noexec &&
2943             (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2944                 int rc = 0;
2945                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2946                     vma->vm_end <= vma->vm_mm->brk) {
2947                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
2948                 } else if (!vma->vm_file &&
2949                            vma->vm_start <= vma->vm_mm->start_stack &&
2950                            vma->vm_end >= vma->vm_mm->start_stack) {
2951                         rc = current_has_perm(current, PROCESS__EXECSTACK);
2952                 } else if (vma->vm_file && vma->anon_vma) {
2953                         /*
2954                          * We are making executable a file mapping that has
2955                          * had some COW done. Since pages might have been
2956                          * written, check ability to execute the possibly
2957                          * modified content.  This typically should only
2958                          * occur for text relocations.
2959                          */
2960                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
2961                 }
2962                 if (rc)
2963                         return rc;
2964         }
2965
2966         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2967 }
2968
2969 static int selinux_file_lock(struct file *file, unsigned int cmd)
2970 {
2971         const struct cred *cred = current_cred();
2972
2973         return file_has_perm(cred, file, FILE__LOCK);
2974 }
2975
2976 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2977                               unsigned long arg)
2978 {
2979         const struct cred *cred = current_cred();
2980         int err = 0;
2981
2982         switch (cmd) {
2983         case F_SETFL:
2984                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2985                         err = -EINVAL;
2986                         break;
2987                 }
2988
2989                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2990                         err = file_has_perm(cred, file, FILE__WRITE);
2991                         break;
2992                 }
2993                 /* fall through */
2994         case F_SETOWN:
2995         case F_SETSIG:
2996         case F_GETFL:
2997         case F_GETOWN:
2998         case F_GETSIG:
2999                 /* Just check FD__USE permission */
3000                 err = file_has_perm(cred, file, 0);
3001                 break;
3002         case F_GETLK:
3003         case F_SETLK:
3004         case F_SETLKW:
3005 #if BITS_PER_LONG == 32
3006         case F_GETLK64:
3007         case F_SETLK64:
3008         case F_SETLKW64:
3009 #endif
3010                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3011                         err = -EINVAL;
3012                         break;
3013                 }
3014                 err = file_has_perm(cred, file, FILE__LOCK);
3015                 break;
3016         }
3017
3018         return err;
3019 }
3020
3021 static int selinux_file_set_fowner(struct file *file)
3022 {
3023         struct file_security_struct *fsec;
3024
3025         fsec = file->f_security;
3026         fsec->fown_sid = current_sid();
3027
3028         return 0;
3029 }
3030
3031 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3032                                        struct fown_struct *fown, int signum)
3033 {
3034         struct file *file;
3035         u32 sid = task_sid(tsk);
3036         u32 perm;
3037         struct file_security_struct *fsec;
3038
3039         /* struct fown_struct is never outside the context of a struct file */
3040         file = container_of(fown, struct file, f_owner);
3041
3042         fsec = file->f_security;
3043
3044         if (!signum)
3045                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3046         else
3047                 perm = signal_to_av(signum);
3048
3049         return avc_has_perm(fsec->fown_sid, sid,
3050                             SECCLASS_PROCESS, perm, NULL);
3051 }
3052
3053 static int selinux_file_receive(struct file *file)
3054 {
3055         const struct cred *cred = current_cred();
3056
3057         return file_has_perm(cred, file, file_to_av(file));
3058 }
3059
3060 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3061 {
3062         struct file_security_struct *fsec;
3063         struct inode *inode;
3064         struct inode_security_struct *isec;
3065
3066         inode = file->f_path.dentry->d_inode;
3067         fsec = file->f_security;
3068         isec = inode->i_security;
3069         /*
3070          * Save inode label and policy sequence number
3071          * at open-time so that selinux_file_permission
3072          * can determine whether revalidation is necessary.
3073          * Task label is already saved in the file security
3074          * struct as its SID.
3075          */
3076         fsec->isid = isec->sid;
3077         fsec->pseqno = avc_policy_seqno();
3078         /*
3079          * Since the inode label or policy seqno may have changed
3080          * between the selinux_inode_permission check and the saving
3081          * of state above, recheck that access is still permitted.
3082          * Otherwise, access might never be revalidated against the
3083          * new inode label or new policy.
3084          * This check is not redundant - do not remove.
3085          */
3086         return inode_has_perm(cred, inode, open_file_to_av(file), NULL);
3087 }
3088
3089 /* task security operations */
3090
3091 static int selinux_task_create(unsigned long clone_flags)
3092 {
3093         return current_has_perm(current, PROCESS__FORK);
3094 }
3095
3096 /*
3097  * allocate the SELinux part of blank credentials
3098  */
3099 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3100 {
3101         struct task_security_struct *tsec;
3102
3103         tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3104         if (!tsec)
3105                 return -ENOMEM;
3106
3107         cred->security = tsec;
3108         return 0;
3109 }
3110
3111 /*
3112  * detach and free the LSM part of a set of credentials
3113  */
3114 static void selinux_cred_free(struct cred *cred)
3115 {
3116         struct task_security_struct *tsec = cred->security;
3117
3118         BUG_ON((unsigned long) cred->security < PAGE_SIZE);
3119         cred->security = (void *) 0x7UL;
3120         kfree(tsec);
3121 }
3122
3123 /*
3124  * prepare a new set of credentials for modification
3125  */
3126 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3127                                 gfp_t gfp)
3128 {
3129         const struct task_security_struct *old_tsec;
3130         struct task_security_struct *tsec;
3131
3132         old_tsec = old->security;
3133
3134         tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3135         if (!tsec)
3136                 return -ENOMEM;
3137
3138         new->security = tsec;
3139         return 0;
3140 }
3141
3142 /*
3143  * transfer the SELinux data to a blank set of creds
3144  */
3145 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3146 {
3147         const struct task_security_struct *old_tsec = old->security;
3148         struct task_security_struct *tsec = new->security;
3149
3150         *tsec = *old_tsec;
3151 }
3152
3153 /*
3154  * set the security data for a kernel service
3155  * - all the creation contexts are set to unlabelled
3156  */
3157 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3158 {
3159         struct task_security_struct *tsec = new->security;
3160         u32 sid = current_sid();
3161         int ret;
3162
3163         ret = avc_has_perm(sid, secid,
3164                            SECCLASS_KERNEL_SERVICE,
3165                            KERNEL_SERVICE__USE_AS_OVERRIDE,
3166                            NULL);
3167         if (ret == 0) {
3168                 tsec->sid = secid;
3169                 tsec->create_sid = 0;
3170                 tsec->keycreate_sid = 0;
3171                 tsec->sockcreate_sid = 0;
3172         }
3173         return ret;
3174 }
3175
3176 /*
3177  * set the file creation context in a security record to the same as the
3178  * objective context of the specified inode
3179  */
3180 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3181 {
3182         struct inode_security_struct *isec = inode->i_security;
3183         struct task_security_struct *tsec = new->security;
3184         u32 sid = current_sid();
3185         int ret;
3186
3187         ret = avc_has_perm(sid, isec->sid,
3188                            SECCLASS_KERNEL_SERVICE,
3189                            KERNEL_SERVICE__CREATE_FILES_AS,
3190                            NULL);
3191
3192         if (ret == 0)
3193                 tsec->create_sid = isec->sid;
3194         return ret;
3195 }
3196
3197 static int selinux_kernel_module_request(char *kmod_name)
3198 {
3199         u32 sid;
3200         struct common_audit_data ad;
3201
3202         sid = task_sid(current);
3203
3204         COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3205         ad.u.kmod_name = kmod_name;
3206
3207         return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3208                             SYSTEM__MODULE_REQUEST, &ad);
3209 }
3210
3211 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3212 {
3213         return current_has_perm(p, PROCESS__SETPGID);
3214 }
3215
3216 static int selinux_task_getpgid(struct task_struct *p)
3217 {
3218         return current_has_perm(p, PROCESS__GETPGID);
3219 }
3220
3221 static int selinux_task_getsid(struct task_struct *p)
3222 {
3223         return current_has_perm(p, PROCESS__GETSESSION);
3224 }
3225
3226 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3227 {
3228         *secid = task_sid(p);
3229 }
3230
3231 static int selinux_task_setnice(struct task_struct *p, int nice)
3232 {
3233         int rc;
3234
3235         rc = cap_task_setnice(p, nice);
3236         if (rc)
3237                 return rc;
3238
3239         return current_has_perm(p, PROCESS__SETSCHED);
3240 }
3241
3242 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3243 {
3244         int rc;
3245
3246         rc = cap_task_setioprio(p, ioprio);
3247         if (rc)
3248                 return rc;
3249
3250         return current_has_perm(p, PROCESS__SETSCHED);
3251 }
3252
3253 static int selinux_task_getioprio(struct task_struct *p)
3254 {
3255         return current_has_perm(p, PROCESS__GETSCHED);
3256 }
3257
3258 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3259                 struct rlimit *new_rlim)
3260 {
3261         struct rlimit *old_rlim = p->signal->rlim + resource;
3262
3263         /* Control the ability to change the hard limit (whether
3264            lowering or raising it), so that the hard limit can
3265            later be used as a safe reset point for the soft limit
3266            upon context transitions.  See selinux_bprm_committing_creds. */
3267         if (old_rlim->rlim_max != new_rlim->rlim_max)
3268                 return current_has_perm(p, PROCESS__SETRLIMIT);
3269
3270         return 0;
3271 }
3272
3273 static int selinux_task_setscheduler(struct task_struct *p)
3274 {
3275         int rc;
3276
3277         rc = cap_task_setscheduler(p);
3278         if (rc)
3279                 return rc;
3280
3281         return current_has_perm(p, PROCESS__SETSCHED);
3282 }
3283
3284 static int selinux_task_getscheduler(struct task_struct *p)
3285 {
3286         return current_has_perm(p, PROCESS__GETSCHED);
3287 }
3288
3289 static int selinux_task_movememory(struct task_struct *p)
3290 {
3291         return current_has_perm(p, PROCESS__SETSCHED);
3292 }
3293
3294 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3295                                 int sig, u32 secid)
3296 {
3297         u32 perm;
3298         int rc;
3299
3300         if (!sig)
3301                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3302         else
3303                 perm = signal_to_av(sig);
3304         if (secid)
3305                 rc = avc_has_perm(secid, task_sid(p),
3306                                   SECCLASS_PROCESS, perm, NULL);
3307         else
3308                 rc = current_has_perm(p, perm);
3309         return rc;
3310 }
3311
3312 static int selinux_task_wait(struct task_struct *p)
3313 {
3314         return task_has_perm(p, current, PROCESS__SIGCHLD);
3315 }
3316
3317 static void selinux_task_to_inode(struct task_struct *p,
3318                                   struct inode *inode)
3319 {
3320         struct inode_security_struct *isec = inode->i_security;
3321         u32 sid = task_sid(p);
3322
3323         isec->sid = sid;
3324         isec->initialized = 1;
3325 }
3326
3327 /* Returns error only if unable to parse addresses */
3328 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3329                         struct common_audit_data *ad, u8 *proto)
3330 {
3331         int offset, ihlen, ret = -EINVAL;
3332         struct iphdr _iph, *ih;
3333
3334         offset = skb_network_offset(skb);
3335         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3336         if (ih == NULL)
3337                 goto out;
3338
3339         ihlen = ih->ihl * 4;
3340         if (ihlen < sizeof(_iph))
3341                 goto out;
3342
3343         ad->u.net.v4info.saddr = ih->saddr;
3344         ad->u.net.v4info.daddr = ih->daddr;
3345         ret = 0;
3346
3347         if (proto)
3348                 *proto = ih->protocol;
3349
3350         switch (ih->protocol) {
3351         case IPPROTO_TCP: {
3352                 struct tcphdr _tcph, *th;
3353
3354                 if (ntohs(ih->frag_off) & IP_OFFSET)
3355                         break;
3356
3357                 offset += ihlen;
3358                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3359                 if (th == NULL)
3360                         break;
3361
3362                 ad->u.net.sport = th->source;
3363                 ad->u.net.dport = th->dest;
3364                 break;
3365         }
3366
3367         case IPPROTO_UDP: {
3368                 struct udphdr _udph, *uh;
3369
3370                 if (ntohs(ih->frag_off) & IP_OFFSET)
3371                         break;
3372
3373                 offset += ihlen;
3374                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3375                 if (uh == NULL)
3376                         break;
3377
3378                 ad->u.net.sport = uh->source;
3379                 ad->u.net.dport = uh->dest;
3380                 break;
3381         }
3382
3383         case IPPROTO_DCCP: {
3384                 struct dccp_hdr _dccph, *dh;
3385
3386                 if (ntohs(ih->frag_off) & IP_OFFSET)
3387                         break;
3388
3389                 offset += ihlen;
3390                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3391                 if (dh == NULL)
3392                         break;
3393
3394                 ad->u.net.sport = dh->dccph_sport;
3395                 ad->u.net.dport = dh->dccph_dport;
3396                 break;
3397         }
3398
3399         default:
3400                 break;
3401         }
3402 out:
3403         return ret;
3404 }
3405
3406 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3407
3408 /* Returns error only if unable to parse addresses */
3409 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3410                         struct common_audit_data *ad, u8 *proto)
3411 {
3412         u8 nexthdr;
3413         int ret = -EINVAL, offset;
3414         struct ipv6hdr _ipv6h, *ip6;
3415
3416         offset = skb_network_offset(skb);
3417         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3418         if (ip6 == NULL)
3419                 goto out;
3420
3421         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3422         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3423         ret = 0;
3424
3425         nexthdr = ip6->nexthdr;
3426         offset += sizeof(_ipv6h);
3427         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3428         if (offset < 0)
3429                 goto out;
3430
3431         if (proto)
3432                 *proto = nexthdr;
3433
3434         switch (nexthdr) {
3435         case IPPROTO_TCP: {
3436                 struct tcphdr _tcph, *th;
3437
3438                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3439                 if (th == NULL)
3440                         break;
3441
3442                 ad->u.net.sport = th->source;
3443                 ad->u.net.dport = th->dest;
3444                 break;
3445         }
3446
3447         case IPPROTO_UDP: {
3448                 struct udphdr _udph, *uh;
3449
3450                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3451                 if (uh == NULL)
3452                         break;
3453
3454                 ad->u.net.sport = uh->source;
3455                 ad->u.net.dport = uh->dest;
3456                 break;
3457         }
3458
3459         case IPPROTO_DCCP: {
3460                 struct dccp_hdr _dccph, *dh;
3461
3462                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3463                 if (dh == NULL)
3464                         break;
3465
3466                 ad->u.net.sport = dh->dccph_sport;
3467                 ad->u.net.dport = dh->dccph_dport;
3468                 break;
3469         }
3470
3471         /* includes fragments */
3472         default:
3473                 break;
3474         }
3475 out:
3476         return ret;
3477 }
3478
3479 #endif /* IPV6 */
3480
3481 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3482                              char **_addrp, int src, u8 *proto)
3483 {
3484         char *addrp;
3485         int ret;
3486
3487         switch (ad->u.net.family) {
3488         case PF_INET:
3489                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3490                 if (ret)
3491                         goto parse_error;
3492                 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3493                                        &ad->u.net.v4info.daddr);
3494                 goto okay;
3495
3496 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3497         case PF_INET6:
3498                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3499                 if (ret)
3500                         goto parse_error;
3501                 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3502                                        &ad->u.net.v6info.daddr);
3503                 goto okay;
3504 #endif  /* IPV6 */
3505         default:
3506                 addrp = NULL;
3507                 goto okay;
3508         }
3509
3510 parse_error:
3511         printk(KERN_WARNING
3512                "SELinux: failure in selinux_parse_skb(),"
3513                " unable to parse packet\n");
3514         return ret;
3515
3516 okay:
3517         if (_addrp)
3518                 *_addrp = addrp;
3519         return 0;
3520 }
3521
3522 /**
3523  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3524  * @skb: the packet
3525  * @family: protocol family
3526  * @sid: the packet's peer label SID
3527  *
3528  * Description:
3529  * Check the various different forms of network peer labeling and determine
3530  * the peer label/SID for the packet; most of the magic actually occurs in
3531  * the security server function security_net_peersid_cmp().  The function
3532  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3533  * or -EACCES if @sid is invalid due to inconsistencies with the different
3534  * peer labels.
3535  *
3536  */
3537 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3538 {
3539         int err;
3540         u32 xfrm_sid;
3541         u32 nlbl_sid;
3542         u32 nlbl_type;
3543
3544         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3545         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3546
3547         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3548         if (unlikely(err)) {
3549                 printk(KERN_WARNING
3550                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3551                        " unable to determine packet's peer label\n");
3552                 return -EACCES;
3553         }
3554
3555         return 0;
3556 }
3557
3558 /* socket security operations */
3559
3560 static u32 socket_sockcreate_sid(const struct task_security_struct *tsec)
3561 {
3562         return tsec->sockcreate_sid ? : tsec->sid;
3563 }
3564
3565 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3566 {
3567         struct sk_security_struct *sksec = sk->sk_security;
3568         struct common_audit_data ad;
3569         u32 tsid = task_sid(task);
3570
3571         if (sksec->sid == SECINITSID_KERNEL)
3572                 return 0;
3573
3574         COMMON_AUDIT_DATA_INIT(&ad, NET);
3575         ad.u.net.sk = sk;
3576
3577         return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3578 }
3579
3580 static int selinux_socket_create(int family, int type,
3581                                  int protocol, int kern)
3582 {
3583         const struct task_security_struct *tsec = current_security();
3584         u32 newsid;
3585         u16 secclass;
3586
3587         if (kern)
3588                 return 0;
3589
3590         newsid = socket_sockcreate_sid(tsec);
3591         secclass = socket_type_to_security_class(family, type, protocol);
3592         return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3593 }
3594
3595 static int selinux_socket_post_create(struct socket *sock, int family,
3596                                       int type, int protocol, int kern)
3597 {
3598         const struct task_security_struct *tsec = current_security();
3599         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3600         struct sk_security_struct *sksec;
3601         int err = 0;
3602
3603         if (kern)
3604                 isec->sid = SECINITSID_KERNEL;
3605         else
3606                 isec->sid = socket_sockcreate_sid(tsec);
3607
3608         isec->sclass = socket_type_to_security_class(family, type, protocol);
3609         isec->initialized = 1;
3610
3611         if (sock->sk) {
3612                 sksec = sock->sk->sk_security;
3613                 sksec->sid = isec->sid;
3614                 sksec->sclass = isec->sclass;
3615                 err = selinux_netlbl_socket_post_create(sock->sk, family);
3616         }
3617
3618         return err;
3619 }
3620
3621 /* Range of port numbers used to automatically bind.
3622    Need to determine whether we should perform a name_bind
3623    permission check between the socket and the port number. */
3624
3625 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3626 {
3627         struct sock *sk = sock->sk;
3628         u16 family;
3629         int err;
3630
3631         err = sock_has_perm(current, sk, SOCKET__BIND);
3632         if (err)
3633                 goto out;
3634
3635         /*
3636          * If PF_INET or PF_INET6, check name_bind permission for the port.
3637          * Multiple address binding for SCTP is not supported yet: we just
3638          * check the first address now.
3639          */
3640         family = sk->sk_family;
3641         if (family == PF_INET || family == PF_INET6) {
3642                 char *addrp;
3643                 struct sk_security_struct *sksec = sk->sk_security;
3644                 struct common_audit_data ad;
3645                 struct sockaddr_in *addr4 = NULL;
3646                 struct sockaddr_in6 *addr6 = NULL;
3647                 unsigned short snum;
3648                 u32 sid, node_perm;
3649
3650                 if (family == PF_INET) {
3651                         addr4 = (struct sockaddr_in *)address;
3652                         snum = ntohs(addr4->sin_port);
3653                         addrp = (char *)&addr4->sin_addr.s_addr;
3654                 } else {
3655                         addr6 = (struct sockaddr_in6 *)address;
3656                         snum = ntohs(addr6->sin6_port);
3657                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3658                 }
3659
3660                 if (snum) {
3661                         int low, high;
3662
3663                         inet_get_local_port_range(&low, &high);
3664
3665                         if (snum < max(PROT_SOCK, low) || snum > high) {
3666                                 err = sel_netport_sid(sk->sk_protocol,
3667                                                       snum, &sid);
3668                                 if (err)
3669                                         goto out;
3670                                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3671                                 ad.u.net.sport = htons(snum);
3672                                 ad.u.net.family = family;
3673                                 err = avc_has_perm(sksec->sid, sid,
3674                                                    sksec->sclass,
3675                                                    SOCKET__NAME_BIND, &ad);
3676                                 if (err)
3677                                         goto out;
3678                         }
3679                 }
3680
3681                 switch (sksec->sclass) {
3682                 case SECCLASS_TCP_SOCKET:
3683                         node_perm = TCP_SOCKET__NODE_BIND;
3684                         break;
3685
3686                 case SECCLASS_UDP_SOCKET:
3687                         node_perm = UDP_SOCKET__NODE_BIND;
3688                         break;
3689
3690                 case SECCLASS_DCCP_SOCKET:
3691                         node_perm = DCCP_SOCKET__NODE_BIND;
3692                         break;
3693
3694                 default:
3695                         node_perm = RAWIP_SOCKET__NODE_BIND;
3696                         break;
3697                 }
3698
3699                 err = sel_netnode_sid(addrp, family, &sid);
3700                 if (err)
3701                         goto out;
3702
3703                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3704                 ad.u.net.sport = htons(snum);
3705                 ad.u.net.family = family;
3706
3707                 if (family == PF_INET)
3708                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3709                 else
3710                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3711
3712                 err = avc_has_perm(sksec->sid, sid,
3713                                    sksec->sclass, node_perm, &ad);
3714                 if (err)
3715                         goto out;
3716         }
3717 out:
3718         return err;
3719 }
3720
3721 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3722 {
3723         struct sock *sk = sock->sk;
3724         struct sk_security_struct *sksec = sk->sk_security;
3725         int err;
3726
3727         err = sock_has_perm(current, sk, SOCKET__CONNECT);
3728         if (err)
3729                 return err;
3730
3731         /*
3732          * If a TCP or DCCP socket, check name_connect permission for the port.
3733          */
3734         if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3735             sksec->sclass == SECCLASS_DCCP_SOCKET) {
3736                 struct common_audit_data ad;
3737                 struct sockaddr_in *addr4 = NULL;
3738                 struct sockaddr_in6 *addr6 = NULL;
3739                 unsigned short snum;
3740                 u32 sid, perm;
3741
3742                 if (sk->sk_family == PF_INET) {
3743                         addr4 = (struct sockaddr_in *)address;
3744                         if (addrlen < sizeof(struct sockaddr_in))
3745                                 return -EINVAL;
3746                         snum = ntohs(addr4->sin_port);
3747                 } else {
3748                         addr6 = (struct sockaddr_in6 *)address;
3749                         if (addrlen < SIN6_LEN_RFC2133)
3750                                 return -EINVAL;
3751                         snum = ntohs(addr6->sin6_port);
3752                 }
3753
3754                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3755                 if (err)
3756                         goto out;
3757
3758                 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3759                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3760
3761                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3762                 ad.u.net.dport = htons(snum);
3763                 ad.u.net.family = sk->sk_family;
3764                 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3765                 if (err)
3766                         goto out;
3767         }
3768
3769         err = selinux_netlbl_socket_connect(sk, address);
3770
3771 out:
3772         return err;
3773 }
3774
3775 static int selinux_socket_listen(struct socket *sock, int backlog)
3776 {
3777         return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3778 }
3779
3780 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3781 {
3782         int err;
3783         struct inode_security_struct *isec;
3784         struct inode_security_struct *newisec;
3785
3786         err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
3787         if (err)
3788                 return err;
3789
3790         newisec = SOCK_INODE(newsock)->i_security;
3791
3792         isec = SOCK_INODE(sock)->i_security;
3793         newisec->sclass = isec->sclass;
3794         newisec->sid = isec->sid;
3795         newisec->initialized = 1;
3796
3797         return 0;
3798 }
3799
3800 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3801                                   int size)
3802 {
3803         return sock_has_perm(current, sock->sk, SOCKET__WRITE);
3804 }
3805
3806 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3807                                   int size, int flags)
3808 {
3809         return sock_has_perm(current, sock->sk, SOCKET__READ);
3810 }
3811
3812 static int selinux_socket_getsockname(struct socket *sock)
3813 {
3814         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3815 }
3816
3817 static int selinux_socket_getpeername(struct socket *sock)
3818 {
3819         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3820 }
3821
3822 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3823 {
3824         int err;
3825
3826         err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
3827         if (err)
3828                 return err;
3829
3830         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3831 }
3832
3833 static int selinux_socket_getsockopt(struct socket *sock, int level,
3834                                      int optname)
3835 {
3836         return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
3837 }
3838
3839 static int selinux_socket_shutdown(struct socket *sock, int how)
3840 {
3841         return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
3842 }
3843
3844 static int selinux_socket_unix_stream_connect(struct sock *sock,
3845                                               struct sock *other,
3846                                               struct sock *newsk)
3847 {
3848         struct sk_security_struct *sksec_sock = sock->sk_security;
3849         struct sk_security_struct *sksec_other = other->sk_security;
3850         struct sk_security_struct *sksec_new = newsk->sk_security;
3851         struct common_audit_data ad;
3852         int err;
3853
3854         COMMON_AUDIT_DATA_INIT(&ad, NET);
3855         ad.u.net.sk = other;
3856
3857         err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
3858                            sksec_other->sclass,
3859                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3860         if (err)
3861                 return err;
3862
3863         /* server child socket */
3864         sksec_new->peer_sid = sksec_sock->sid;
3865         err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
3866                                     &sksec_new->sid);
3867         if (err)
3868                 return err;
3869
3870         /* connecting socket */
3871         sksec_sock->peer_sid = sksec_new->sid;
3872
3873         return 0;
3874 }
3875
3876 static int selinux_socket_unix_may_send(struct socket *sock,
3877                                         struct socket *other)
3878 {
3879         struct sk_security_struct *ssec = sock->sk->sk_security;
3880         struct sk_security_struct *osec = other->sk->sk_security;
3881         struct common_audit_data ad;
3882
3883         COMMON_AUDIT_DATA_INIT(&ad, NET);
3884         ad.u.net.sk = other->sk;
3885
3886         return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
3887                             &ad);
3888 }
3889
3890 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3891                                     u32 peer_sid,
3892                                     struct common_audit_data *ad)
3893 {
3894         int err;
3895         u32 if_sid;
3896         u32 node_sid;
3897
3898         err = sel_netif_sid(ifindex, &if_sid);
3899         if (err)
3900                 return err;
3901         err = avc_has_perm(peer_sid, if_sid,
3902                            SECCLASS_NETIF, NETIF__INGRESS, ad);
3903         if (err)
3904                 return err;
3905
3906         err = sel_netnode_sid(addrp, family, &node_sid);
3907         if (err)
3908                 return err;
3909         return avc_has_perm(peer_sid, node_sid,
3910                             SECCLASS_NODE, NODE__RECVFROM, ad);
3911 }
3912
3913 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3914                                        u16 family)
3915 {
3916         int err = 0;
3917         struct sk_security_struct *sksec = sk->sk_security;
3918         u32 peer_sid;
3919         u32 sk_sid = sksec->sid;
3920         struct common_audit_data ad;
3921         char *addrp;
3922
3923         COMMON_AUDIT_DATA_INIT(&ad, NET);
3924         ad.u.net.netif = skb->skb_iif;
3925         ad.u.net.family = family;
3926         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
3927         if (err)
3928                 return err;
3929
3930         if (selinux_secmark_enabled()) {
3931                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
3932                                    PACKET__RECV, &ad);
3933                 if (err)
3934                         return err;
3935         }
3936
3937         if (selinux_policycap_netpeer) {
3938                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
3939                 if (err)
3940                         return err;
3941                 err = avc_has_perm(sk_sid, peer_sid,
3942                                    SECCLASS_PEER, PEER__RECV, &ad);
3943                 if (err)
3944                         selinux_netlbl_err(skb, err, 0);
3945         } else {
3946                 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
3947                 if (err)
3948                         return err;
3949                 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
3950         }
3951
3952         return err;
3953 }
3954
3955 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3956 {
3957         int err;
3958         struct sk_security_struct *sksec = sk->sk_security;
3959         u16 family = sk->sk_family;
3960         u32 sk_sid = sksec->sid;
3961         struct common_audit_data ad;
3962         char *addrp;
3963         u8 secmark_active;
3964         u8 peerlbl_active;
3965
3966         if (family != PF_INET && family != PF_INET6)
3967                 return 0;
3968
3969         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3970         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
3971                 family = PF_INET;
3972
3973         /* If any sort of compatibility mode is enabled then handoff processing
3974          * to the selinux_sock_rcv_skb_compat() function to deal with the
3975          * special handling.  We do this in an attempt to keep this function
3976          * as fast and as clean as possible. */
3977         if (!selinux_policycap_netpeer)
3978                 return selinux_sock_rcv_skb_compat(sk, skb, family);
3979
3980         secmark_active = selinux_secmark_enabled();
3981         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
3982         if (!secmark_active && !peerlbl_active)
3983                 return 0;
3984
3985         COMMON_AUDIT_DATA_INIT(&ad, NET);
3986         ad.u.net.netif = skb->skb_iif;
3987         ad.u.net.family = family;
3988         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
3989         if (err)
3990                 return err;
3991
3992         if (peerlbl_active) {
3993                 u32 peer_sid;
3994
3995                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
3996                 if (err)
3997                         return err;
3998                 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
3999                                                peer_sid, &ad);
4000                 if (err) {
4001                         selinux_netlbl_err(skb, err, 0);
4002                         return err;
4003                 }
4004                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4005                                    PEER__RECV, &ad);
4006                 if (err)
4007                         selinux_netlbl_err(skb, err, 0);
4008         }
4009
4010         if (secmark_active) {
4011                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4012                                    PACKET__RECV, &ad);
4013                 if (err)
4014                         return err;
4015         }
4016
4017         return err;
4018 }
4019
4020 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4021                                             int __user *optlen, unsigned len)
4022 {
4023         int err = 0;
4024         char *scontext;
4025         u32 scontext_len;
4026         struct sk_security_struct *sksec = sock->sk->sk_security;
4027         u32 peer_sid = SECSID_NULL;
4028
4029         if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4030             sksec->sclass == SECCLASS_TCP_SOCKET)
4031                 peer_sid = sksec->peer_sid;
4032         if (peer_sid == SECSID_NULL)
4033                 return -ENOPROTOOPT;
4034
4035         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4036         if (err)
4037                 return err;
4038
4039         if (scontext_len > len) {
4040                 err = -ERANGE;
4041                 goto out_len;
4042         }
4043
4044         if (copy_to_user(optval, scontext, scontext_len))
4045                 err = -EFAULT;
4046
4047 out_len:
4048         if (put_user(scontext_len, optlen))
4049                 err = -EFAULT;
4050         kfree(scontext);
4051         return err;
4052 }
4053
4054 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4055 {
4056         u32 peer_secid = SECSID_NULL;
4057         u16 family;
4058
4059         if (skb && skb->protocol == htons(ETH_P_IP))
4060                 family = PF_INET;
4061         else if (skb && skb->protocol == htons(ETH_P_IPV6))
4062                 family = PF_INET6;
4063         else if (sock)
4064                 family = sock->sk->sk_family;
4065         else
4066                 goto out;
4067
4068         if (sock && family == PF_UNIX)
4069                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4070         else if (skb)
4071                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4072
4073 out:
4074         *secid = peer_secid;
4075         if (peer_secid == SECSID_NULL)
4076                 return -EINVAL;
4077         return 0;
4078 }
4079
4080 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4081 {
4082         struct sk_security_struct *sksec;
4083
4084         sksec = kzalloc(sizeof(*sksec), priority);
4085         if (!sksec)
4086                 return -ENOMEM;
4087
4088         sksec->peer_sid = SECINITSID_UNLABELED;
4089         sksec->sid = SECINITSID_UNLABELED;
4090         selinux_netlbl_sk_security_reset(sksec);
4091         sk->sk_security = sksec;
4092
4093         return 0;
4094 }
4095
4096 static void selinux_sk_free_security(struct sock *sk)
4097 {
4098         struct sk_security_struct *sksec = sk->sk_security;
4099
4100         sk->sk_security = NULL;
4101         selinux_netlbl_sk_security_free(sksec);
4102         kfree(sksec);
4103 }
4104
4105 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4106 {
4107         struct sk_security_struct *sksec = sk->sk_security;
4108         struct sk_security_struct *newsksec = newsk->sk_security;
4109
4110         newsksec->sid = sksec->sid;
4111         newsksec->peer_sid = sksec->peer_sid;
4112         newsksec->sclass = sksec->sclass;
4113
4114         selinux_netlbl_sk_security_reset(newsksec);
4115 }
4116
4117 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4118 {
4119         if (!sk)
4120                 *secid = SECINITSID_ANY_SOCKET;
4121         else {
4122                 struct sk_security_struct *sksec = sk->sk_security;
4123
4124                 *secid = sksec->sid;
4125         }
4126 }
4127
4128 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4129 {
4130         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4131         struct sk_security_struct *sksec = sk->sk_security;
4132
4133         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4134             sk->sk_family == PF_UNIX)
4135                 isec->sid = sksec->sid;
4136         sksec->sclass = isec->sclass;
4137 }
4138
4139 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4140                                      struct request_sock *req)
4141 {
4142         struct sk_security_struct *sksec = sk->sk_security;
4143         int err;
4144         u16 family = sk->sk_family;
4145         u32 newsid;
4146         u32 peersid;
4147
4148         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4149         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4150                 family = PF_INET;
4151
4152         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4153         if (err)
4154                 return err;
4155         if (peersid == SECSID_NULL) {
4156                 req->secid = sksec->sid;
4157                 req->peer_secid = SECSID_NULL;
4158         } else {
4159                 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4160                 if (err)
4161                         return err;
4162                 req->secid = newsid;
4163                 req->peer_secid = peersid;
4164         }
4165
4166         return selinux_netlbl_inet_conn_request(req, family);
4167 }
4168
4169 static void selinux_inet_csk_clone(struct sock *newsk,
4170                                    const struct request_sock *req)
4171 {
4172         struct sk_security_struct *newsksec = newsk->sk_security;
4173
4174         newsksec->sid = req->secid;
4175         newsksec->peer_sid = req->peer_secid;
4176         /* NOTE: Ideally, we should also get the isec->sid for the
4177            new socket in sync, but we don't have the isec available yet.
4178            So we will wait until sock_graft to do it, by which
4179            time it will have been created and available. */
4180
4181         /* We don't need to take any sort of lock here as we are the only
4182          * thread with access to newsksec */
4183         selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4184 }
4185
4186 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4187 {
4188         u16 family = sk->sk_family;
4189         struct sk_security_struct *sksec = sk->sk_security;
4190
4191         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4192         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4193                 family = PF_INET;
4194
4195         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4196 }
4197
4198 static int selinux_secmark_relabel_packet(u32 sid)
4199 {
4200         const struct task_security_struct *__tsec;
4201         u32 tsid;
4202
4203         __tsec = current_security();
4204         tsid = __tsec->sid;
4205
4206         return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4207 }
4208
4209 static void selinux_secmark_refcount_inc(void)
4210 {
4211         atomic_inc(&selinux_secmark_refcount);
4212 }
4213
4214 static void selinux_secmark_refcount_dec(void)
4215 {
4216         atomic_dec(&selinux_secmark_refcount);
4217 }
4218
4219 static void selinux_req_classify_flow(const struct request_sock *req,
4220                                       struct flowi *fl)
4221 {
4222         fl->secid = req->secid;
4223 }
4224
4225 static int selinux_tun_dev_create(void)
4226 {
4227         u32 sid = current_sid();
4228
4229         /* we aren't taking into account the "sockcreate" SID since the socket
4230          * that is being created here is not a socket in the traditional sense,
4231          * instead it is a private sock, accessible only to the kernel, and
4232          * representing a wide range of network traffic spanning multiple
4233          * connections unlike traditional sockets - check the TUN driver to
4234          * get a better understanding of why this socket is special */
4235
4236         return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4237                             NULL);
4238 }
4239
4240 static void selinux_tun_dev_post_create(struct sock *sk)
4241 {
4242         struct sk_security_struct *sksec = sk->sk_security;
4243
4244         /* we don't currently perform any NetLabel based labeling here and it
4245          * isn't clear that we would want to do so anyway; while we could apply
4246          * labeling without the support of the TUN user the resulting labeled
4247          * traffic from the other end of the connection would almost certainly
4248          * cause confusion to the TUN user that had no idea network labeling
4249          * protocols were being used */
4250
4251         /* see the comments in selinux_tun_dev_create() about why we don't use
4252          * the sockcreate SID here */
4253
4254         sksec->sid = current_sid();
4255         sksec->sclass = SECCLASS_TUN_SOCKET;
4256 }
4257
4258 static int selinux_tun_dev_attach(struct sock *sk)
4259 {
4260         struct sk_security_struct *sksec = sk->sk_security;
4261         u32 sid = current_sid();
4262         int err;
4263
4264         err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4265                            TUN_SOCKET__RELABELFROM, NULL);
4266         if (err)
4267                 return err;
4268         err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4269                            TUN_SOCKET__RELABELTO, NULL);
4270         if (err)
4271                 return err;
4272
4273         sksec->sid = sid;
4274
4275         return 0;
4276 }
4277
4278 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4279 {
4280         int err = 0;
4281         u32 perm;
4282         struct nlmsghdr *nlh;
4283         struct sk_security_struct *sksec = sk->sk_security;
4284
4285         if (skb->len < NLMSG_SPACE(0)) {
4286                 err = -EINVAL;
4287                 goto out;
4288         }
4289         nlh = nlmsg_hdr(skb);
4290
4291         err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4292         if (err) {
4293                 if (err == -EINVAL) {
4294                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4295                                   "SELinux:  unrecognized netlink message"
4296                                   " type=%hu for sclass=%hu\n",
4297                                   nlh->nlmsg_type, sksec->sclass);
4298                         if (!selinux_enforcing || security_get_allow_unknown())
4299                                 err = 0;
4300                 }
4301
4302                 /* Ignore */
4303                 if (err == -ENOENT)
4304                         err = 0;
4305                 goto out;
4306         }
4307
4308         err = sock_has_perm(current, sk, perm);
4309 out:
4310         return err;
4311 }
4312
4313 #ifdef CONFIG_NETFILTER
4314
4315 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4316                                        u16 family)
4317 {
4318         int err;
4319         char *addrp;
4320         u32 peer_sid;
4321         struct common_audit_data ad;
4322         u8 secmark_active;
4323         u8 netlbl_active;
4324         u8 peerlbl_active;
4325
4326         if (!selinux_policycap_netpeer)
4327                 return NF_ACCEPT;
4328
4329         secmark_active = selinux_secmark_enabled();
4330         netlbl_active = netlbl_enabled();
4331         peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4332         if (!secmark_active && !peerlbl_active)
4333                 return NF_ACCEPT;
4334
4335         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4336                 return NF_DROP;
4337
4338         COMMON_AUDIT_DATA_INIT(&ad, NET);
4339         ad.u.net.netif = ifindex;
4340         ad.u.net.family = family;
4341         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4342                 return NF_DROP;
4343
4344         if (peerlbl_active) {
4345                 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4346                                                peer_sid, &ad);
4347                 if (err) {
4348                         selinux_netlbl_err(skb, err, 1);
4349                         return NF_DROP;
4350                 }
4351         }
4352
4353         if (secmark_active)
4354                 if (avc_has_perm(peer_sid, skb->secmark,
4355                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4356                         return NF_DROP;
4357
4358         if (netlbl_active)
4359                 /* we do this in the FORWARD path and not the POST_ROUTING
4360                  * path because we want to make sure we apply the necessary
4361                  * labeling before IPsec is applied so we can leverage AH
4362                  * protection */
4363                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4364                         return NF_DROP;
4365
4366         return NF_ACCEPT;
4367 }
4368
4369 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4370                                          struct sk_buff *skb,
4371                                          const struct net_device *in,
4372                                          const struct net_device *out,
4373                                          int (*okfn)(struct sk_buff *))
4374 {
4375         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4376 }
4377
4378 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4379 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4380                                          struct sk_buff *skb,
4381                                          const struct net_device *in,
4382                                          const struct net_device *out,
4383                                          int (*okfn)(struct sk_buff *))
4384 {
4385         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4386 }
4387 #endif  /* IPV6 */
4388
4389 static unsigned int selinux_ip_output(struct sk_buff *skb,
4390                                       u16 family)
4391 {
4392         u32 sid;
4393
4394         if (!netlbl_enabled())
4395                 return NF_ACCEPT;
4396
4397         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4398          * because we want to make sure we apply the necessary labeling
4399          * before IPsec is applied so we can leverage AH protection */
4400         if (skb->sk) {
4401                 struct sk_security_struct *sksec = skb->sk->sk_security;
4402                 sid = sksec->sid;
4403         } else
4404                 sid = SECINITSID_KERNEL;
4405         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4406                 return NF_DROP;
4407
4408         return NF_ACCEPT;
4409 }
4410
4411 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4412                                         struct sk_buff *skb,
4413                                         const struct net_device *in,
4414                                         const struct net_device *out,
4415                                         int (*okfn)(struct sk_buff *))
4416 {
4417         return selinux_ip_output(skb, PF_INET);
4418 }
4419
4420 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4421                                                 int ifindex,
4422                                                 u16 family)
4423 {
4424         struct sock *sk = skb->sk;
4425         struct sk_security_struct *sksec;
4426         struct common_audit_data ad;
4427         char *addrp;
4428         u8 proto;
4429
4430         if (sk == NULL)
4431                 return NF_ACCEPT;
4432         sksec = sk->sk_security;
4433
4434         COMMON_AUDIT_DATA_INIT(&ad, NET);
4435         ad.u.net.netif = ifindex;
4436         ad.u.net.family = family;
4437         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4438                 return NF_DROP;
4439
4440         if (selinux_secmark_enabled())
4441                 if (avc_has_perm(sksec->sid, skb->secmark,
4442                                  SECCLASS_PACKET, PACKET__SEND, &ad))
4443                         return NF_DROP_ERR(-ECONNREFUSED);
4444
4445         if (selinux_policycap_netpeer)
4446                 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4447                         return NF_DROP_ERR(-ECONNREFUSED);
4448
4449         return NF_ACCEPT;
4450 }
4451
4452 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4453                                          u16 family)
4454 {
4455         u32 secmark_perm;
4456         u32 peer_sid;
4457         struct sock *sk;
4458         struct common_audit_data ad;
4459         char *addrp;
4460         u8 secmark_active;
4461         u8 peerlbl_active;
4462
4463         /* If any sort of compatibility mode is enabled then handoff processing
4464          * to the selinux_ip_postroute_compat() function to deal with the
4465          * special handling.  We do this in an attempt to keep this function
4466          * as fast and as clean as possible. */
4467         if (!selinux_policycap_netpeer)
4468                 return selinux_ip_postroute_compat(skb, ifindex, family);
4469 #ifdef CONFIG_XFRM
4470         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4471          * packet transformation so allow the packet to pass without any checks
4472          * since we'll have another chance to perform access control checks
4473          * when the packet is on it's final way out.
4474          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4475          *       is NULL, in this case go ahead and apply access control. */
4476         if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4477                 return NF_ACCEPT;
4478 #endif
4479         secmark_active = selinux_secmark_enabled();
4480         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4481         if (!secmark_active && !peerlbl_active)
4482                 return NF_ACCEPT;
4483
4484         /* if the packet is being forwarded then get the peer label from the
4485          * packet itself; otherwise check to see if it is from a local
4486          * application or the kernel, if from an application get the peer label
4487          * from the sending socket, otherwise use the kernel's sid */
4488         sk = skb->sk;
4489         if (sk == NULL) {
4490                 switch (family) {
4491                 case PF_INET:
4492                         if (IPCB(skb)->flags & IPSKB_FORWARDED)
4493                                 secmark_perm = PACKET__FORWARD_OUT;
4494                         else
4495                                 secmark_perm = PACKET__SEND;
4496                         break;
4497                 case PF_INET6:
4498                         if (IP6CB(skb)->flags & IP6SKB_FORWARDED)
4499                                 secmark_perm = PACKET__FORWARD_OUT;
4500                         else
4501                                 secmark_perm = PACKET__SEND;
4502                         break;
4503                 default:
4504                         return NF_DROP_ERR(-ECONNREFUSED);
4505                 }
4506                 if (secmark_perm == PACKET__FORWARD_OUT) {
4507                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4508                                 return NF_DROP;
4509                 } else
4510                         peer_sid = SECINITSID_KERNEL;
4511         } else {
4512                 struct sk_security_struct *sksec = sk->sk_security;
4513                 peer_sid = sksec->sid;
4514                 secmark_perm = PACKET__SEND;
4515         }
4516
4517         COMMON_AUDIT_DATA_INIT(&ad, NET);
4518         ad.u.net.netif = ifindex;
4519         ad.u.net.family = family;
4520         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4521                 return NF_DROP;
4522
4523         if (secmark_active)
4524                 if (avc_has_perm(peer_sid, skb->secmark,
4525                                  SECCLASS_PACKET, secmark_perm, &ad))
4526                         return NF_DROP_ERR(-ECONNREFUSED);
4527
4528         if (peerlbl_active) {
4529                 u32 if_sid;
4530                 u32 node_sid;
4531
4532                 if (sel_netif_sid(ifindex, &if_sid))
4533                         return NF_DROP;
4534                 if (avc_has_perm(peer_sid, if_sid,
4535                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4536                         return NF_DROP_ERR(-ECONNREFUSED);
4537
4538                 if (sel_netnode_sid(addrp, family, &node_sid))
4539                         return NF_DROP;
4540                 if (avc_has_perm(peer_sid, node_sid,
4541                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4542                         return NF_DROP_ERR(-ECONNREFUSED);
4543         }
4544
4545         return NF_ACCEPT;
4546 }
4547
4548 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4549                                            struct sk_buff *skb,
4550                                            const struct net_device *in,
4551                                            const struct net_device *out,
4552                                            int (*okfn)(struct sk_buff *))
4553 {
4554         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4555 }
4556
4557 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4558 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4559                                            struct sk_buff *skb,
4560                                            const struct net_device *in,
4561                                            const struct net_device *out,
4562                                            int (*okfn)(struct sk_buff *))
4563 {
4564         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4565 }
4566 #endif  /* IPV6 */
4567
4568 #endif  /* CONFIG_NETFILTER */
4569
4570 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4571 {
4572         int err;
4573
4574         err = cap_netlink_send(sk, skb);
4575         if (err)
4576                 return err;
4577
4578         return selinux_nlmsg_perm(sk, skb);
4579 }
4580
4581 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4582 {
4583         int err;
4584         struct common_audit_data ad;
4585
4586         err = cap_netlink_recv(skb, capability);
4587         if (err)
4588                 return err;
4589
4590         COMMON_AUDIT_DATA_INIT(&ad, CAP);
4591         ad.u.cap = capability;
4592
4593         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4594                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4595 }
4596
4597 static int ipc_alloc_security(struct task_struct *task,
4598                               struct kern_ipc_perm *perm,
4599                               u16 sclass)
4600 {
4601         struct ipc_security_struct *isec;
4602         u32 sid;
4603
4604         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4605         if (!isec)
4606                 return -ENOMEM;
4607
4608         sid = task_sid(task);
4609         isec->sclass = sclass;
4610         isec->sid = sid;
4611         perm->security = isec;
4612
4613         return 0;
4614 }
4615
4616 static void ipc_free_security(struct kern_ipc_perm *perm)
4617 {
4618         struct ipc_security_struct *isec = perm->security;
4619         perm->security = NULL;
4620         kfree(isec);
4621 }
4622
4623 static int msg_msg_alloc_security(struct msg_msg *msg)
4624 {
4625         struct msg_security_struct *msec;
4626
4627         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4628         if (!msec)
4629                 return -ENOMEM;
4630
4631         msec->sid = SECINITSID_UNLABELED;
4632         msg->security = msec;
4633
4634         return 0;
4635 }
4636
4637 static void msg_msg_free_security(struct msg_msg *msg)
4638 {
4639         struct msg_security_struct *msec = msg->security;
4640
4641         msg->security = NULL;
4642         kfree(msec);
4643 }
4644
4645 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4646                         u32 perms)
4647 {
4648         struct ipc_security_struct *isec;
4649         struct common_audit_data ad;
4650         u32 sid = current_sid();
4651
4652         isec = ipc_perms->security;
4653
4654         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4655         ad.u.ipc_id = ipc_perms->key;
4656
4657         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4658 }
4659
4660 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4661 {
4662         return msg_msg_alloc_security(msg);
4663 }
4664
4665 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4666 {
4667         msg_msg_free_security(msg);
4668 }
4669
4670 /* message queue security operations */
4671 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4672 {
4673         struct ipc_security_struct *isec;
4674         struct common_audit_data ad;
4675         u32 sid = current_sid();
4676         int rc;
4677
4678         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4679         if (rc)
4680                 return rc;
4681
4682         isec = msq->q_perm.security;
4683
4684         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4685         ad.u.ipc_id = msq->q_perm.key;
4686
4687         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4688                           MSGQ__CREATE, &ad);
4689         if (rc) {
4690                 ipc_free_security(&msq->q_perm);
4691                 return rc;
4692         }
4693         return 0;
4694 }
4695
4696 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4697 {
4698         ipc_free_security(&msq->q_perm);
4699 }
4700
4701 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4702 {
4703         struct ipc_security_struct *isec;
4704         struct common_audit_data ad;
4705         u32 sid = current_sid();
4706
4707         isec = msq->q_perm.security;
4708
4709         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4710         ad.u.ipc_id = msq->q_perm.key;
4711
4712         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4713                             MSGQ__ASSOCIATE, &ad);
4714 }
4715
4716 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4717 {
4718         int err;
4719         int perms;
4720
4721         switch (cmd) {
4722         case IPC_INFO:
4723         case MSG_INFO:
4724                 /* No specific object, just general system-wide information. */
4725                 return task_has_system(current, SYSTEM__IPC_INFO);
4726         case IPC_STAT:
4727         case MSG_STAT:
4728                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4729                 break;
4730         case IPC_SET:
4731                 perms = MSGQ__SETATTR;
4732                 break;
4733         case IPC_RMID:
4734                 perms = MSGQ__DESTROY;
4735                 break;
4736         default:
4737                 return 0;
4738         }
4739
4740         err = ipc_has_perm(&msq->q_perm, perms);
4741         return err;
4742 }
4743
4744 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4745 {
4746         struct ipc_security_struct *isec;
4747         struct msg_security_struct *msec;
4748         struct common_audit_data ad;
4749         u32 sid = current_sid();
4750         int rc;
4751
4752         isec = msq->q_perm.security;
4753         msec = msg->security;
4754
4755         /*
4756          * First time through, need to assign label to the message
4757          */
4758         if (msec->sid == SECINITSID_UNLABELED) {
4759                 /*
4760                  * Compute new sid based on current process and
4761                  * message queue this message will be stored in
4762                  */
4763                 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4764                                              NULL, &msec->sid);
4765                 if (rc)
4766                         return rc;
4767         }
4768
4769         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4770         ad.u.ipc_id = msq->q_perm.key;
4771
4772         /* Can this process write to the queue? */
4773         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4774                           MSGQ__WRITE, &ad);
4775         if (!rc)
4776                 /* Can this process send the message */
4777                 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4778                                   MSG__SEND, &ad);
4779         if (!rc)
4780                 /* Can the message be put in the queue? */
4781                 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4782                                   MSGQ__ENQUEUE, &ad);
4783
4784         return rc;
4785 }
4786
4787 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4788                                     struct task_struct *target,
4789                                     long type, int mode)
4790 {
4791         struct ipc_security_struct *isec;
4792         struct msg_security_struct *msec;
4793         struct common_audit_data ad;
4794         u32 sid = task_sid(target);
4795         int rc;
4796
4797         isec = msq->q_perm.security;
4798         msec = msg->security;
4799
4800         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4801         ad.u.ipc_id = msq->q_perm.key;
4802
4803         rc = avc_has_perm(sid, isec->sid,
4804                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4805         if (!rc)
4806                 rc = avc_has_perm(sid, msec->sid,
4807                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4808         return rc;
4809 }
4810
4811 /* Shared Memory security operations */
4812 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4813 {
4814         struct ipc_security_struct *isec;
4815         struct common_audit_data ad;
4816         u32 sid = current_sid();
4817         int rc;
4818
4819         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4820         if (rc)
4821                 return rc;
4822
4823         isec = shp->shm_perm.security;
4824
4825         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4826         ad.u.ipc_id = shp->shm_perm.key;
4827
4828         rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4829                           SHM__CREATE, &ad);
4830         if (rc) {
4831                 ipc_free_security(&shp->shm_perm);
4832                 return rc;
4833         }
4834         return 0;
4835 }
4836
4837 static void selinux_shm_free_security(struct shmid_kernel *shp)
4838 {
4839         ipc_free_security(&shp->shm_perm);
4840 }
4841
4842 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4843 {
4844         struct ipc_security_struct *isec;
4845         struct common_audit_data ad;
4846         u32 sid = current_sid();
4847
4848         isec = shp->shm_perm.security;
4849
4850         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4851         ad.u.ipc_id = shp->shm_perm.key;
4852
4853         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4854                             SHM__ASSOCIATE, &ad);
4855 }
4856
4857 /* Note, at this point, shp is locked down */
4858 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4859 {
4860         int perms;
4861         int err;
4862
4863         switch (cmd) {
4864         case IPC_INFO:
4865         case SHM_INFO:
4866                 /* No specific object, just general system-wide information. */
4867                 return task_has_system(current, SYSTEM__IPC_INFO);
4868         case IPC_STAT:
4869         case SHM_STAT:
4870                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4871                 break;
4872         case IPC_SET:
4873                 perms = SHM__SETATTR;
4874                 break;
4875         case SHM_LOCK:
4876         case SHM_UNLOCK:
4877                 perms = SHM__LOCK;
4878                 break;
4879         case IPC_RMID:
4880                 perms = SHM__DESTROY;
4881                 break;
4882         default:
4883                 return 0;
4884         }
4885
4886         err = ipc_has_perm(&shp->shm_perm, perms);
4887         return err;
4888 }
4889
4890 static int selinux_shm_shmat(struct shmid_kernel *shp,
4891                              char __user *shmaddr, int shmflg)
4892 {
4893         u32 perms;
4894
4895         if (shmflg & SHM_RDONLY)
4896                 perms = SHM__READ;
4897         else
4898                 perms = SHM__READ | SHM__WRITE;
4899
4900         return ipc_has_perm(&shp->shm_perm, perms);
4901 }
4902
4903 /* Semaphore security operations */
4904 static int selinux_sem_alloc_security(struct sem_array *sma)
4905 {
4906         struct ipc_security_struct *isec;
4907         struct common_audit_data ad;
4908         u32 sid = current_sid();
4909         int rc;
4910
4911         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4912         if (rc)
4913                 return rc;
4914
4915         isec = sma->sem_perm.security;
4916
4917         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4918         ad.u.ipc_id = sma->sem_perm.key;
4919
4920         rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
4921                           SEM__CREATE, &ad);
4922         if (rc) {
4923                 ipc_free_security(&sma->sem_perm);
4924                 return rc;
4925         }
4926         return 0;
4927 }
4928
4929 static void selinux_sem_free_security(struct sem_array *sma)
4930 {
4931         ipc_free_security(&sma->sem_perm);
4932 }
4933
4934 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4935 {
4936         struct ipc_security_struct *isec;
4937         struct common_audit_data ad;
4938         u32 sid = current_sid();
4939
4940         isec = sma->sem_perm.security;
4941
4942         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4943         ad.u.ipc_id = sma->sem_perm.key;
4944
4945         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
4946                             SEM__ASSOCIATE, &ad);
4947 }
4948
4949 /* Note, at this point, sma is locked down */
4950 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4951 {
4952         int err;
4953         u32 perms;
4954
4955         switch (cmd) {
4956         case IPC_INFO:
4957         case SEM_INFO:
4958                 /* No specific object, just general system-wide information. */
4959                 return task_has_system(current, SYSTEM__IPC_INFO);
4960         case GETPID:
4961         case GETNCNT:
4962         case GETZCNT:
4963                 perms = SEM__GETATTR;
4964                 break;
4965         case GETVAL:
4966         case GETALL:
4967                 perms = SEM__READ;
4968                 break;
4969         case SETVAL:
4970         case SETALL:
4971                 perms = SEM__WRITE;
4972                 break;
4973         case IPC_RMID:
4974                 perms = SEM__DESTROY;
4975                 break;
4976         case IPC_SET:
4977                 perms = SEM__SETATTR;
4978                 break;
4979         case IPC_STAT:
4980         case SEM_STAT:
4981                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4982                 break;
4983         default:
4984                 return 0;
4985         }
4986
4987         err = ipc_has_perm(&sma->sem_perm, perms);
4988         return err;
4989 }
4990
4991 static int selinux_sem_semop(struct sem_array *sma,
4992                              struct sembuf *sops, unsigned nsops, int alter)
4993 {
4994         u32 perms;
4995
4996         if (alter)
4997                 perms = SEM__READ | SEM__WRITE;
4998         else
4999                 perms = SEM__READ;
5000
5001         return ipc_has_perm(&sma->sem_perm, perms);
5002 }
5003
5004 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5005 {
5006         u32 av = 0;
5007
5008         av = 0;
5009         if (flag & S_IRUGO)
5010                 av |= IPC__UNIX_READ;
5011         if (flag & S_IWUGO)
5012                 av |= IPC__UNIX_WRITE;
5013
5014         if (av == 0)
5015                 return 0;
5016
5017         return ipc_has_perm(ipcp, av);
5018 }
5019
5020 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5021 {
5022         struct ipc_security_struct *isec = ipcp->security;
5023         *secid = isec->sid;
5024 }
5025
5026 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5027 {
5028         if (inode)
5029                 inode_doinit_with_dentry(inode, dentry);
5030 }
5031
5032 static int selinux_getprocattr(struct task_struct *p,
5033                                char *name, char **value)
5034 {
5035         const struct task_security_struct *__tsec;
5036         u32 sid;
5037         int error;
5038         unsigned len;
5039
5040         if (current != p) {
5041                 error = current_has_perm(p, PROCESS__GETATTR);
5042                 if (error)
5043                         return error;
5044         }
5045
5046         rcu_read_lock();
5047         __tsec = __task_cred(p)->security;
5048
5049         if (!strcmp(name, "current"))
5050                 sid = __tsec->sid;
5051         else if (!strcmp(name, "prev"))
5052                 sid = __tsec->osid;
5053         else if (!strcmp(name, "exec"))
5054                 sid = __tsec->exec_sid;
5055         else if (!strcmp(name, "fscreate"))
5056                 sid = __tsec->create_sid;
5057         else if (!strcmp(name, "keycreate"))
5058                 sid = __tsec->keycreate_sid;
5059         else if (!strcmp(name, "sockcreate"))
5060                 sid = __tsec->sockcreate_sid;
5061         else
5062                 goto invalid;
5063         rcu_read_unlock();
5064
5065         if (!sid)
5066                 return 0;
5067
5068         error = security_sid_to_context(sid, value, &len);
5069         if (error)
5070                 return error;
5071         return len;
5072
5073 invalid:
5074         rcu_read_unlock();
5075         return -EINVAL;
5076 }
5077
5078 static int selinux_setprocattr(struct task_struct *p,
5079                                char *name, void *value, size_t size)
5080 {
5081         struct task_security_struct *tsec;
5082         struct task_struct *tracer;
5083         struct cred *new;
5084         u32 sid = 0, ptsid;
5085         int error;
5086         char *str = value;
5087
5088         if (current != p) {
5089                 /* SELinux only allows a process to change its own
5090                    security attributes. */
5091                 return -EACCES;
5092         }
5093
5094         /*
5095          * Basic control over ability to set these attributes at all.
5096          * current == p, but we'll pass them separately in case the
5097          * above restriction is ever removed.
5098          */
5099         if (!strcmp(name, "exec"))
5100                 error = current_has_perm(p, PROCESS__SETEXEC);
5101         else if (!strcmp(name, "fscreate"))
5102                 error = current_has_perm(p, PROCESS__SETFSCREATE);
5103         else if (!strcmp(name, "keycreate"))
5104                 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5105         else if (!strcmp(name, "sockcreate"))
5106                 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5107         else if (!strcmp(name, "current"))
5108                 error = current_has_perm(p, PROCESS__SETCURRENT);
5109         else
5110                 error = -EINVAL;
5111         if (error)
5112                 return error;
5113
5114         /* Obtain a SID for the context, if one was specified. */
5115         if (size && str[1] && str[1] != '\n') {
5116                 if (str[size-1] == '\n') {
5117                         str[size-1] = 0;
5118                         size--;
5119                 }
5120                 error = security_context_to_sid(value, size, &sid);
5121                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5122                         if (!capable(CAP_MAC_ADMIN))
5123                                 return error;
5124                         error = security_context_to_sid_force(value, size,
5125                                                               &sid);
5126                 }
5127                 if (error)
5128                         return error;
5129         }
5130
5131         new = prepare_creds();
5132         if (!new)
5133                 return -ENOMEM;
5134
5135         /* Permission checking based on the specified context is
5136            performed during the actual operation (execve,
5137            open/mkdir/...), when we know the full context of the
5138            operation.  See selinux_bprm_set_creds for the execve
5139            checks and may_create for the file creation checks. The
5140            operation will then fail if the context is not permitted. */
5141         tsec = new->security;
5142         if (!strcmp(name, "exec")) {
5143                 tsec->exec_sid = sid;
5144         } else if (!strcmp(name, "fscreate")) {
5145                 tsec->create_sid = sid;
5146         } else if (!strcmp(name, "keycreate")) {
5147                 error = may_create_key(sid, p);
5148                 if (error)
5149                         goto abort_change;
5150                 tsec->keycreate_sid = sid;
5151         } else if (!strcmp(name, "sockcreate")) {
5152                 tsec->sockcreate_sid = sid;
5153         } else if (!strcmp(name, "current")) {
5154                 error = -EINVAL;
5155                 if (sid == 0)
5156                         goto abort_change;
5157
5158                 /* Only allow single threaded processes to change context */
5159                 error = -EPERM;
5160                 if (!current_is_single_threaded()) {
5161                         error = security_bounded_transition(tsec->sid, sid);
5162                         if (error)
5163                                 goto abort_change;
5164                 }
5165
5166                 /* Check permissions for the transition. */
5167                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5168                                      PROCESS__DYNTRANSITION, NULL);
5169                 if (error)
5170                         goto abort_change;
5171
5172                 /* Check for ptracing, and update the task SID if ok.
5173                    Otherwise, leave SID unchanged and fail. */
5174                 ptsid = 0;
5175                 task_lock(p);
5176                 tracer = tracehook_tracer_task(p);
5177                 if (tracer)
5178                         ptsid = task_sid(tracer);
5179                 task_unlock(p);
5180
5181                 if (tracer) {
5182                         error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5183                                              PROCESS__PTRACE, NULL);
5184                         if (error)
5185                                 goto abort_change;
5186                 }
5187
5188                 tsec->sid = sid;
5189         } else {
5190                 error = -EINVAL;
5191                 goto abort_change;
5192         }
5193
5194         commit_creds(new);
5195         return size;
5196
5197 abort_change:
5198         abort_creds(new);
5199         return error;
5200 }
5201
5202 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5203 {
5204         return security_sid_to_context(secid, secdata, seclen);
5205 }
5206
5207 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5208 {
5209         return security_context_to_sid(secdata, seclen, secid);
5210 }
5211
5212 static void selinux_release_secctx(char *secdata, u32 seclen)
5213 {
5214         kfree(secdata);
5215 }
5216
5217 /*
5218  *      called with inode->i_mutex locked
5219  */
5220 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5221 {
5222         return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5223 }
5224
5225 /*
5226  *      called with inode->i_mutex locked
5227  */
5228 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5229 {
5230         return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5231 }
5232
5233 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5234 {
5235         int len = 0;
5236         len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5237                                                 ctx, true);
5238         if (len < 0)
5239                 return len;
5240         *ctxlen = len;
5241         return 0;
5242 }
5243 #ifdef CONFIG_KEYS
5244
5245 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5246                              unsigned long flags)
5247 {
5248         const struct task_security_struct *tsec;
5249         struct key_security_struct *ksec;
5250
5251         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5252         if (!ksec)
5253                 return -ENOMEM;
5254
5255         tsec = cred->security;
5256         if (tsec->keycreate_sid)
5257                 ksec->sid = tsec->keycreate_sid;
5258         else
5259                 ksec->sid = tsec->sid;
5260
5261         k->security = ksec;
5262         return 0;
5263 }
5264
5265 static void selinux_key_free(struct key *k)
5266 {
5267         struct key_security_struct *ksec = k->security;
5268
5269         k->security = NULL;
5270         kfree(ksec);
5271 }
5272
5273 static int selinux_key_permission(key_ref_t key_ref,
5274                                   const struct cred *cred,
5275                                   key_perm_t perm)
5276 {
5277         struct key *key;
5278         struct key_security_struct *ksec;
5279         u32 sid;
5280
5281         /* if no specific permissions are requested, we skip the
5282            permission check. No serious, additional covert channels
5283            appear to be created. */
5284         if (perm == 0)
5285                 return 0;
5286
5287         sid = cred_sid(cred);
5288
5289         key = key_ref_to_ptr(key_ref);
5290         ksec = key->security;
5291
5292         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5293 }
5294
5295 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5296 {
5297         struct key_security_struct *ksec = key->security;
5298         char *context = NULL;
5299         unsigned len;
5300         int rc;
5301
5302         rc = security_sid_to_context(ksec->sid, &context, &len);
5303         if (!rc)
5304                 rc = len;
5305         *_buffer = context;
5306         return rc;
5307 }
5308
5309 #endif
5310
5311 static struct security_operations selinux_ops = {
5312         .name =                         "selinux",
5313
5314         .ptrace_access_check =          selinux_ptrace_access_check,
5315         .ptrace_traceme =               selinux_ptrace_traceme,
5316         .capget =                       selinux_capget,
5317         .capset =                       selinux_capset,
5318         .capable =                      selinux_capable,
5319         .quotactl =                     selinux_quotactl,
5320         .quota_on =                     selinux_quota_on,
5321         .syslog =                       selinux_syslog,
5322         .vm_enough_memory =             selinux_vm_enough_memory,
5323
5324         .netlink_send =                 selinux_netlink_send,
5325         .netlink_recv =                 selinux_netlink_recv,
5326
5327         .bprm_set_creds =               selinux_bprm_set_creds,
5328         .bprm_committing_creds =        selinux_bprm_committing_creds,
5329         .bprm_committed_creds =         selinux_bprm_committed_creds,
5330         .bprm_secureexec =              selinux_bprm_secureexec,
5331
5332         .sb_alloc_security =            selinux_sb_alloc_security,
5333         .sb_free_security =             selinux_sb_free_security,
5334         .sb_copy_data =                 selinux_sb_copy_data,
5335         .sb_kern_mount =                selinux_sb_kern_mount,
5336         .sb_show_options =              selinux_sb_show_options,
5337         .sb_statfs =                    selinux_sb_statfs,
5338         .sb_mount =                     selinux_mount,
5339         .sb_umount =                    selinux_umount,
5340         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5341         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5342         .sb_parse_opts_str =            selinux_parse_opts_str,
5343
5344
5345         .inode_alloc_security =         selinux_inode_alloc_security,
5346         .inode_free_security =          selinux_inode_free_security,
5347         .inode_init_security =          selinux_inode_init_security,
5348         .inode_create =                 selinux_inode_create,
5349         .inode_link =                   selinux_inode_link,
5350         .inode_unlink =                 selinux_inode_unlink,
5351         .inode_symlink =                selinux_inode_symlink,
5352         .inode_mkdir =                  selinux_inode_mkdir,
5353         .inode_rmdir =                  selinux_inode_rmdir,
5354         .inode_mknod =                  selinux_inode_mknod,
5355         .inode_rename =                 selinux_inode_rename,
5356         .inode_readlink =               selinux_inode_readlink,
5357         .inode_follow_link =            selinux_inode_follow_link,
5358         .inode_permission =             selinux_inode_permission,
5359         .inode_setattr =                selinux_inode_setattr,
5360         .inode_getattr =                selinux_inode_getattr,
5361         .inode_setxattr =               selinux_inode_setxattr,
5362         .inode_post_setxattr =          selinux_inode_post_setxattr,
5363         .inode_getxattr =               selinux_inode_getxattr,
5364         .inode_listxattr =              selinux_inode_listxattr,
5365         .inode_removexattr =            selinux_inode_removexattr,
5366         .inode_getsecurity =            selinux_inode_getsecurity,
5367         .inode_setsecurity =            selinux_inode_setsecurity,
5368         .inode_listsecurity =           selinux_inode_listsecurity,
5369         .inode_getsecid =               selinux_inode_getsecid,
5370
5371         .file_permission =              selinux_file_permission,
5372         .file_alloc_security =          selinux_file_alloc_security,
5373         .file_free_security =           selinux_file_free_security,
5374         .file_ioctl =                   selinux_file_ioctl,
5375         .file_mmap =                    selinux_file_mmap,
5376         .file_mprotect =                selinux_file_mprotect,
5377         .file_lock =                    selinux_file_lock,
5378         .file_fcntl =                   selinux_file_fcntl,
5379         .file_set_fowner =              selinux_file_set_fowner,
5380         .file_send_sigiotask =          selinux_file_send_sigiotask,
5381         .file_receive =                 selinux_file_receive,
5382
5383         .dentry_open =                  selinux_dentry_open,
5384
5385         .task_create =                  selinux_task_create,
5386         .cred_alloc_blank =             selinux_cred_alloc_blank,
5387         .cred_free =                    selinux_cred_free,
5388         .cred_prepare =                 selinux_cred_prepare,
5389         .cred_transfer =                selinux_cred_transfer,
5390         .kernel_act_as =                selinux_kernel_act_as,
5391         .kernel_create_files_as =       selinux_kernel_create_files_as,
5392         .kernel_module_request =        selinux_kernel_module_request,
5393         .task_setpgid =                 selinux_task_setpgid,
5394         .task_getpgid =                 selinux_task_getpgid,
5395         .task_getsid =                  selinux_task_getsid,
5396         .task_getsecid =                selinux_task_getsecid,
5397         .task_setnice =                 selinux_task_setnice,
5398         .task_setioprio =               selinux_task_setioprio,
5399         .task_getioprio =               selinux_task_getioprio,
5400         .task_setrlimit =               selinux_task_setrlimit,
5401         .task_setscheduler =            selinux_task_setscheduler,
5402         .task_getscheduler =            selinux_task_getscheduler,
5403         .task_movememory =              selinux_task_movememory,
5404         .task_kill =                    selinux_task_kill,
5405         .task_wait =                    selinux_task_wait,
5406         .task_to_inode =                selinux_task_to_inode,
5407
5408         .ipc_permission =               selinux_ipc_permission,
5409         .ipc_getsecid =                 selinux_ipc_getsecid,
5410
5411         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5412         .msg_msg_free_security =        selinux_msg_msg_free_security,
5413
5414         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5415         .msg_queue_free_security =      selinux_msg_queue_free_security,
5416         .msg_queue_associate =          selinux_msg_queue_associate,
5417         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5418         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5419         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5420
5421         .shm_alloc_security =           selinux_shm_alloc_security,
5422         .shm_free_security =            selinux_shm_free_security,
5423         .shm_associate =                selinux_shm_associate,
5424         .shm_shmctl =                   selinux_shm_shmctl,
5425         .shm_shmat =                    selinux_shm_shmat,
5426
5427         .sem_alloc_security =           selinux_sem_alloc_security,
5428         .sem_free_security =            selinux_sem_free_security,
5429         .sem_associate =                selinux_sem_associate,
5430         .sem_semctl =                   selinux_sem_semctl,
5431         .sem_semop =                    selinux_sem_semop,
5432
5433         .d_instantiate =                selinux_d_instantiate,
5434
5435         .getprocattr =                  selinux_getprocattr,
5436         .setprocattr =                  selinux_setprocattr,
5437
5438         .secid_to_secctx =              selinux_secid_to_secctx,
5439         .secctx_to_secid =              selinux_secctx_to_secid,
5440         .release_secctx =               selinux_release_secctx,
5441         .inode_notifysecctx =           selinux_inode_notifysecctx,
5442         .inode_setsecctx =              selinux_inode_setsecctx,
5443         .inode_getsecctx =              selinux_inode_getsecctx,
5444
5445         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5446         .unix_may_send =                selinux_socket_unix_may_send,
5447
5448         .socket_create =                selinux_socket_create,
5449         .socket_post_create =           selinux_socket_post_create,
5450         .socket_bind =                  selinux_socket_bind,
5451         .socket_connect =               selinux_socket_connect,
5452         .socket_listen =                selinux_socket_listen,
5453         .socket_accept =                selinux_socket_accept,
5454         .socket_sendmsg =               selinux_socket_sendmsg,
5455         .socket_recvmsg =               selinux_socket_recvmsg,
5456         .socket_getsockname =           selinux_socket_getsockname,
5457         .socket_getpeername =           selinux_socket_getpeername,
5458         .socket_getsockopt =            selinux_socket_getsockopt,
5459         .socket_setsockopt =            selinux_socket_setsockopt,
5460         .socket_shutdown =              selinux_socket_shutdown,
5461         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5462         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5463         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5464         .sk_alloc_security =            selinux_sk_alloc_security,
5465         .sk_free_security =             selinux_sk_free_security,
5466         .sk_clone_security =            selinux_sk_clone_security,
5467         .sk_getsecid =                  selinux_sk_getsecid,
5468         .sock_graft =                   selinux_sock_graft,
5469         .inet_conn_request =            selinux_inet_conn_request,
5470         .inet_csk_clone =               selinux_inet_csk_clone,
5471         .inet_conn_established =        selinux_inet_conn_established,
5472         .secmark_relabel_packet =       selinux_secmark_relabel_packet,
5473         .secmark_refcount_inc =         selinux_secmark_refcount_inc,
5474         .secmark_refcount_dec =         selinux_secmark_refcount_dec,
5475         .req_classify_flow =            selinux_req_classify_flow,
5476         .tun_dev_create =               selinux_tun_dev_create,
5477         .tun_dev_post_create =          selinux_tun_dev_post_create,
5478         .tun_dev_attach =               selinux_tun_dev_attach,
5479
5480 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5481         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5482         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5483         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5484         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5485         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5486         .xfrm_state_free_security =     selinux_xfrm_state_free,
5487         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5488         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5489         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5490         .xfrm_decode_session =          selinux_xfrm_decode_session,
5491 #endif
5492
5493 #ifdef CONFIG_KEYS
5494         .key_alloc =                    selinux_key_alloc,
5495         .key_free =                     selinux_key_free,
5496         .key_permission =               selinux_key_permission,
5497         .key_getsecurity =              selinux_key_getsecurity,
5498 #endif
5499
5500 #ifdef CONFIG_AUDIT
5501         .audit_rule_init =              selinux_audit_rule_init,
5502         .audit_rule_known =             selinux_audit_rule_known,
5503         .audit_rule_match =             selinux_audit_rule_match,
5504         .audit_rule_free =              selinux_audit_rule_free,
5505 #endif
5506 };
5507
5508 static __init int selinux_init(void)
5509 {
5510         if (!security_module_enable(&selinux_ops)) {
5511                 selinux_enabled = 0;
5512                 return 0;
5513         }
5514
5515         if (!selinux_enabled) {
5516                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5517                 return 0;
5518         }
5519
5520         printk(KERN_INFO "SELinux:  Initializing.\n");
5521
5522         /* Set the security state for the initial task. */
5523         cred_init_security();
5524
5525         default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5526
5527         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5528                                             sizeof(struct inode_security_struct),
5529                                             0, SLAB_PANIC, NULL);
5530         avc_init();
5531
5532         if (register_security(&selinux_ops))
5533                 panic("SELinux: Unable to register with kernel.\n");
5534
5535         if (selinux_enforcing)
5536                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5537         else
5538                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5539
5540         return 0;
5541 }
5542
5543 static void delayed_superblock_init(struct super_block *sb, void *unused)
5544 {
5545         superblock_doinit(sb, NULL);
5546 }
5547
5548 void selinux_complete_init(void)
5549 {
5550         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5551
5552         /* Set up any superblocks initialized prior to the policy load. */
5553         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5554         iterate_supers(delayed_superblock_init, NULL);
5555 }
5556
5557 /* SELinux requires early initialization in order to label
5558    all processes and objects when they are created. */
5559 security_initcall(selinux_init);
5560
5561 #if defined(CONFIG_NETFILTER)
5562
5563 static struct nf_hook_ops selinux_ipv4_ops[] = {
5564         {
5565                 .hook =         selinux_ipv4_postroute,
5566                 .owner =        THIS_MODULE,
5567                 .pf =           PF_INET,
5568                 .hooknum =      NF_INET_POST_ROUTING,
5569                 .priority =     NF_IP_PRI_SELINUX_LAST,
5570         },
5571         {
5572                 .hook =         selinux_ipv4_forward,
5573                 .owner =        THIS_MODULE,
5574                 .pf =           PF_INET,
5575                 .hooknum =      NF_INET_FORWARD,
5576                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5577         },
5578         {
5579                 .hook =         selinux_ipv4_output,
5580                 .owner =        THIS_MODULE,
5581                 .pf =           PF_INET,
5582                 .hooknum =      NF_INET_LOCAL_OUT,
5583                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5584         }
5585 };
5586
5587 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5588
5589 static struct nf_hook_ops selinux_ipv6_ops[] = {
5590         {
5591                 .hook =         selinux_ipv6_postroute,
5592                 .owner =        THIS_MODULE,
5593                 .pf =           PF_INET6,
5594                 .hooknum =      NF_INET_POST_ROUTING,
5595                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5596         },
5597         {
5598                 .hook =         selinux_ipv6_forward,
5599                 .owner =        THIS_MODULE,
5600                 .pf =           PF_INET6,
5601                 .hooknum =      NF_INET_FORWARD,
5602                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5603         }
5604 };
5605
5606 #endif  /* IPV6 */
5607
5608 static int __init selinux_nf_ip_init(void)
5609 {
5610         int err = 0;
5611
5612         if (!selinux_enabled)
5613                 goto out;
5614
5615         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5616
5617         err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5618         if (err)
5619                 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5620
5621 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5622         err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5623         if (err)
5624                 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5625 #endif  /* IPV6 */
5626
5627 out:
5628         return err;
5629 }
5630
5631 __initcall(selinux_nf_ip_init);
5632
5633 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5634 static void selinux_nf_ip_exit(void)
5635 {
5636         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5637
5638         nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5639 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5640         nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5641 #endif  /* IPV6 */
5642 }
5643 #endif
5644
5645 #else /* CONFIG_NETFILTER */
5646
5647 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5648 #define selinux_nf_ip_exit()
5649 #endif
5650
5651 #endif /* CONFIG_NETFILTER */
5652
5653 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5654 static int selinux_disabled;
5655
5656 int selinux_disable(void)
5657 {
5658         extern void exit_sel_fs(void);
5659
5660         if (ss_initialized) {
5661                 /* Not permitted after initial policy load. */
5662                 return -EINVAL;
5663         }
5664
5665         if (selinux_disabled) {
5666                 /* Only do this once. */
5667                 return -EINVAL;
5668         }
5669
5670         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5671
5672         selinux_disabled = 1;
5673         selinux_enabled = 0;
5674
5675         reset_security_ops();
5676
5677         /* Try to destroy the avc node cache */
5678         avc_disable();
5679
5680         /* Unregister netfilter hooks. */
5681         selinux_nf_ip_exit();
5682
5683         /* Unregister selinuxfs. */
5684         exit_sel_fs();
5685
5686         return 0;
5687 }
5688 #endif