capabilities: remove the task from capable LSM hook entirely
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/ext2_fs.h>
32 #include <linux/sched.h>
33 #include <linux/security.h>
34 #include <linux/xattr.h>
35 #include <linux/capability.h>
36 #include <linux/unistd.h>
37 #include <linux/mm.h>
38 #include <linux/mman.h>
39 #include <linux/slab.h>
40 #include <linux/pagemap.h>
41 #include <linux/proc_fs.h>
42 #include <linux/swap.h>
43 #include <linux/spinlock.h>
44 #include <linux/syscalls.h>
45 #include <linux/dcache.h>
46 #include <linux/file.h>
47 #include <linux/fdtable.h>
48 #include <linux/namei.h>
49 #include <linux/mount.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h>             /* for local_port_range[] */
55 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h>    /* for network interface checks */
64 #include <linux/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h>           /* for Unix socket types */
70 #include <net/af_unix.h>        /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
73 #include <net/ipv6.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83
84 #include "avc.h"
85 #include "objsec.h"
86 #include "netif.h"
87 #include "netnode.h"
88 #include "netport.h"
89 #include "xfrm.h"
90 #include "netlabel.h"
91 #include "audit.h"
92 #include "avc_ss.h"
93
94 #define NUM_SEL_MNT_OPTS 5
95
96 extern struct security_operations *security_ops;
97
98 /* SECMARK reference count */
99 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100
101 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102 int selinux_enforcing;
103
104 static int __init enforcing_setup(char *str)
105 {
106         unsigned long enforcing;
107         if (!strict_strtoul(str, 0, &enforcing))
108                 selinux_enforcing = enforcing ? 1 : 0;
109         return 1;
110 }
111 __setup("enforcing=", enforcing_setup);
112 #endif
113
114 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116
117 static int __init selinux_enabled_setup(char *str)
118 {
119         unsigned long enabled;
120         if (!strict_strtoul(str, 0, &enabled))
121                 selinux_enabled = enabled ? 1 : 0;
122         return 1;
123 }
124 __setup("selinux=", selinux_enabled_setup);
125 #else
126 int selinux_enabled = 1;
127 #endif
128
129 static struct kmem_cache *sel_inode_cache;
130
131 /**
132  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133  *
134  * Description:
135  * This function checks the SECMARK reference counter to see if any SECMARK
136  * targets are currently configured, if the reference counter is greater than
137  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
138  * enabled, false (0) if SECMARK is disabled.
139  *
140  */
141 static int selinux_secmark_enabled(void)
142 {
143         return (atomic_read(&selinux_secmark_refcount) > 0);
144 }
145
146 /*
147  * initialise the security for the init task
148  */
149 static void cred_init_security(void)
150 {
151         struct cred *cred = (struct cred *) current->real_cred;
152         struct task_security_struct *tsec;
153
154         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
155         if (!tsec)
156                 panic("SELinux:  Failed to initialize initial task.\n");
157
158         tsec->osid = tsec->sid = SECINITSID_KERNEL;
159         cred->security = tsec;
160 }
161
162 /*
163  * get the security ID of a set of credentials
164  */
165 static inline u32 cred_sid(const struct cred *cred)
166 {
167         const struct task_security_struct *tsec;
168
169         tsec = cred->security;
170         return tsec->sid;
171 }
172
173 /*
174  * get the objective security ID of a task
175  */
176 static inline u32 task_sid(const struct task_struct *task)
177 {
178         u32 sid;
179
180         rcu_read_lock();
181         sid = cred_sid(__task_cred(task));
182         rcu_read_unlock();
183         return sid;
184 }
185
186 /*
187  * get the subjective security ID of the current task
188  */
189 static inline u32 current_sid(void)
190 {
191         const struct task_security_struct *tsec = current_security();
192
193         return tsec->sid;
194 }
195
196 /* Allocate and free functions for each kind of security blob. */
197
198 static int inode_alloc_security(struct inode *inode)
199 {
200         struct inode_security_struct *isec;
201         u32 sid = current_sid();
202
203         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
204         if (!isec)
205                 return -ENOMEM;
206
207         mutex_init(&isec->lock);
208         INIT_LIST_HEAD(&isec->list);
209         isec->inode = inode;
210         isec->sid = SECINITSID_UNLABELED;
211         isec->sclass = SECCLASS_FILE;
212         isec->task_sid = sid;
213         inode->i_security = isec;
214
215         return 0;
216 }
217
218 static void inode_free_security(struct inode *inode)
219 {
220         struct inode_security_struct *isec = inode->i_security;
221         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
222
223         spin_lock(&sbsec->isec_lock);
224         if (!list_empty(&isec->list))
225                 list_del_init(&isec->list);
226         spin_unlock(&sbsec->isec_lock);
227
228         inode->i_security = NULL;
229         kmem_cache_free(sel_inode_cache, isec);
230 }
231
232 static int file_alloc_security(struct file *file)
233 {
234         struct file_security_struct *fsec;
235         u32 sid = current_sid();
236
237         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
238         if (!fsec)
239                 return -ENOMEM;
240
241         fsec->sid = sid;
242         fsec->fown_sid = sid;
243         file->f_security = fsec;
244
245         return 0;
246 }
247
248 static void file_free_security(struct file *file)
249 {
250         struct file_security_struct *fsec = file->f_security;
251         file->f_security = NULL;
252         kfree(fsec);
253 }
254
255 static int superblock_alloc_security(struct super_block *sb)
256 {
257         struct superblock_security_struct *sbsec;
258
259         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
260         if (!sbsec)
261                 return -ENOMEM;
262
263         mutex_init(&sbsec->lock);
264         INIT_LIST_HEAD(&sbsec->isec_head);
265         spin_lock_init(&sbsec->isec_lock);
266         sbsec->sb = sb;
267         sbsec->sid = SECINITSID_UNLABELED;
268         sbsec->def_sid = SECINITSID_FILE;
269         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
270         sb->s_security = sbsec;
271
272         return 0;
273 }
274
275 static void superblock_free_security(struct super_block *sb)
276 {
277         struct superblock_security_struct *sbsec = sb->s_security;
278         sb->s_security = NULL;
279         kfree(sbsec);
280 }
281
282 /* The file system's label must be initialized prior to use. */
283
284 static const char *labeling_behaviors[6] = {
285         "uses xattr",
286         "uses transition SIDs",
287         "uses task SIDs",
288         "uses genfs_contexts",
289         "not configured for labeling",
290         "uses mountpoint labeling",
291 };
292
293 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
294
295 static inline int inode_doinit(struct inode *inode)
296 {
297         return inode_doinit_with_dentry(inode, NULL);
298 }
299
300 enum {
301         Opt_error = -1,
302         Opt_context = 1,
303         Opt_fscontext = 2,
304         Opt_defcontext = 3,
305         Opt_rootcontext = 4,
306         Opt_labelsupport = 5,
307 };
308
309 static const match_table_t tokens = {
310         {Opt_context, CONTEXT_STR "%s"},
311         {Opt_fscontext, FSCONTEXT_STR "%s"},
312         {Opt_defcontext, DEFCONTEXT_STR "%s"},
313         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
314         {Opt_labelsupport, LABELSUPP_STR},
315         {Opt_error, NULL},
316 };
317
318 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
319
320 static int may_context_mount_sb_relabel(u32 sid,
321                         struct superblock_security_struct *sbsec,
322                         const struct cred *cred)
323 {
324         const struct task_security_struct *tsec = cred->security;
325         int rc;
326
327         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
328                           FILESYSTEM__RELABELFROM, NULL);
329         if (rc)
330                 return rc;
331
332         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
333                           FILESYSTEM__RELABELTO, NULL);
334         return rc;
335 }
336
337 static int may_context_mount_inode_relabel(u32 sid,
338                         struct superblock_security_struct *sbsec,
339                         const struct cred *cred)
340 {
341         const struct task_security_struct *tsec = cred->security;
342         int rc;
343         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
344                           FILESYSTEM__RELABELFROM, NULL);
345         if (rc)
346                 return rc;
347
348         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
349                           FILESYSTEM__ASSOCIATE, NULL);
350         return rc;
351 }
352
353 static int sb_finish_set_opts(struct super_block *sb)
354 {
355         struct superblock_security_struct *sbsec = sb->s_security;
356         struct dentry *root = sb->s_root;
357         struct inode *root_inode = root->d_inode;
358         int rc = 0;
359
360         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
361                 /* Make sure that the xattr handler exists and that no
362                    error other than -ENODATA is returned by getxattr on
363                    the root directory.  -ENODATA is ok, as this may be
364                    the first boot of the SELinux kernel before we have
365                    assigned xattr values to the filesystem. */
366                 if (!root_inode->i_op->getxattr) {
367                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
368                                "xattr support\n", sb->s_id, sb->s_type->name);
369                         rc = -EOPNOTSUPP;
370                         goto out;
371                 }
372                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
373                 if (rc < 0 && rc != -ENODATA) {
374                         if (rc == -EOPNOTSUPP)
375                                 printk(KERN_WARNING "SELinux: (dev %s, type "
376                                        "%s) has no security xattr handler\n",
377                                        sb->s_id, sb->s_type->name);
378                         else
379                                 printk(KERN_WARNING "SELinux: (dev %s, type "
380                                        "%s) getxattr errno %d\n", sb->s_id,
381                                        sb->s_type->name, -rc);
382                         goto out;
383                 }
384         }
385
386         sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
387
388         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
389                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
390                        sb->s_id, sb->s_type->name);
391         else
392                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
393                        sb->s_id, sb->s_type->name,
394                        labeling_behaviors[sbsec->behavior-1]);
395
396         if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
397             sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
398             sbsec->behavior == SECURITY_FS_USE_NONE ||
399             sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
400                 sbsec->flags &= ~SE_SBLABELSUPP;
401
402         /* Special handling for sysfs. Is genfs but also has setxattr handler*/
403         if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
404                 sbsec->flags |= SE_SBLABELSUPP;
405
406         /* Initialize the root inode. */
407         rc = inode_doinit_with_dentry(root_inode, root);
408
409         /* Initialize any other inodes associated with the superblock, e.g.
410            inodes created prior to initial policy load or inodes created
411            during get_sb by a pseudo filesystem that directly
412            populates itself. */
413         spin_lock(&sbsec->isec_lock);
414 next_inode:
415         if (!list_empty(&sbsec->isec_head)) {
416                 struct inode_security_struct *isec =
417                                 list_entry(sbsec->isec_head.next,
418                                            struct inode_security_struct, list);
419                 struct inode *inode = isec->inode;
420                 spin_unlock(&sbsec->isec_lock);
421                 inode = igrab(inode);
422                 if (inode) {
423                         if (!IS_PRIVATE(inode))
424                                 inode_doinit(inode);
425                         iput(inode);
426                 }
427                 spin_lock(&sbsec->isec_lock);
428                 list_del_init(&isec->list);
429                 goto next_inode;
430         }
431         spin_unlock(&sbsec->isec_lock);
432 out:
433         return rc;
434 }
435
436 /*
437  * This function should allow an FS to ask what it's mount security
438  * options were so it can use those later for submounts, displaying
439  * mount options, or whatever.
440  */
441 static int selinux_get_mnt_opts(const struct super_block *sb,
442                                 struct security_mnt_opts *opts)
443 {
444         int rc = 0, i;
445         struct superblock_security_struct *sbsec = sb->s_security;
446         char *context = NULL;
447         u32 len;
448         char tmp;
449
450         security_init_mnt_opts(opts);
451
452         if (!(sbsec->flags & SE_SBINITIALIZED))
453                 return -EINVAL;
454
455         if (!ss_initialized)
456                 return -EINVAL;
457
458         tmp = sbsec->flags & SE_MNTMASK;
459         /* count the number of mount options for this sb */
460         for (i = 0; i < 8; i++) {
461                 if (tmp & 0x01)
462                         opts->num_mnt_opts++;
463                 tmp >>= 1;
464         }
465         /* Check if the Label support flag is set */
466         if (sbsec->flags & SE_SBLABELSUPP)
467                 opts->num_mnt_opts++;
468
469         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
470         if (!opts->mnt_opts) {
471                 rc = -ENOMEM;
472                 goto out_free;
473         }
474
475         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
476         if (!opts->mnt_opts_flags) {
477                 rc = -ENOMEM;
478                 goto out_free;
479         }
480
481         i = 0;
482         if (sbsec->flags & FSCONTEXT_MNT) {
483                 rc = security_sid_to_context(sbsec->sid, &context, &len);
484                 if (rc)
485                         goto out_free;
486                 opts->mnt_opts[i] = context;
487                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
488         }
489         if (sbsec->flags & CONTEXT_MNT) {
490                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
491                 if (rc)
492                         goto out_free;
493                 opts->mnt_opts[i] = context;
494                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
495         }
496         if (sbsec->flags & DEFCONTEXT_MNT) {
497                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
498                 if (rc)
499                         goto out_free;
500                 opts->mnt_opts[i] = context;
501                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
502         }
503         if (sbsec->flags & ROOTCONTEXT_MNT) {
504                 struct inode *root = sbsec->sb->s_root->d_inode;
505                 struct inode_security_struct *isec = root->i_security;
506
507                 rc = security_sid_to_context(isec->sid, &context, &len);
508                 if (rc)
509                         goto out_free;
510                 opts->mnt_opts[i] = context;
511                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
512         }
513         if (sbsec->flags & SE_SBLABELSUPP) {
514                 opts->mnt_opts[i] = NULL;
515                 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
516         }
517
518         BUG_ON(i != opts->num_mnt_opts);
519
520         return 0;
521
522 out_free:
523         security_free_mnt_opts(opts);
524         return rc;
525 }
526
527 static int bad_option(struct superblock_security_struct *sbsec, char flag,
528                       u32 old_sid, u32 new_sid)
529 {
530         char mnt_flags = sbsec->flags & SE_MNTMASK;
531
532         /* check if the old mount command had the same options */
533         if (sbsec->flags & SE_SBINITIALIZED)
534                 if (!(sbsec->flags & flag) ||
535                     (old_sid != new_sid))
536                         return 1;
537
538         /* check if we were passed the same options twice,
539          * aka someone passed context=a,context=b
540          */
541         if (!(sbsec->flags & SE_SBINITIALIZED))
542                 if (mnt_flags & flag)
543                         return 1;
544         return 0;
545 }
546
547 /*
548  * Allow filesystems with binary mount data to explicitly set mount point
549  * labeling information.
550  */
551 static int selinux_set_mnt_opts(struct super_block *sb,
552                                 struct security_mnt_opts *opts)
553 {
554         const struct cred *cred = current_cred();
555         int rc = 0, i;
556         struct superblock_security_struct *sbsec = sb->s_security;
557         const char *name = sb->s_type->name;
558         struct inode *inode = sbsec->sb->s_root->d_inode;
559         struct inode_security_struct *root_isec = inode->i_security;
560         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
561         u32 defcontext_sid = 0;
562         char **mount_options = opts->mnt_opts;
563         int *flags = opts->mnt_opts_flags;
564         int num_opts = opts->num_mnt_opts;
565
566         mutex_lock(&sbsec->lock);
567
568         if (!ss_initialized) {
569                 if (!num_opts) {
570                         /* Defer initialization until selinux_complete_init,
571                            after the initial policy is loaded and the security
572                            server is ready to handle calls. */
573                         goto out;
574                 }
575                 rc = -EINVAL;
576                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
577                         "before the security server is initialized\n");
578                 goto out;
579         }
580
581         /*
582          * Binary mount data FS will come through this function twice.  Once
583          * from an explicit call and once from the generic calls from the vfs.
584          * Since the generic VFS calls will not contain any security mount data
585          * we need to skip the double mount verification.
586          *
587          * This does open a hole in which we will not notice if the first
588          * mount using this sb set explict options and a second mount using
589          * this sb does not set any security options.  (The first options
590          * will be used for both mounts)
591          */
592         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
593             && (num_opts == 0))
594                 goto out;
595
596         /*
597          * parse the mount options, check if they are valid sids.
598          * also check if someone is trying to mount the same sb more
599          * than once with different security options.
600          */
601         for (i = 0; i < num_opts; i++) {
602                 u32 sid;
603
604                 if (flags[i] == SE_SBLABELSUPP)
605                         continue;
606                 rc = security_context_to_sid(mount_options[i],
607                                              strlen(mount_options[i]), &sid);
608                 if (rc) {
609                         printk(KERN_WARNING "SELinux: security_context_to_sid"
610                                "(%s) failed for (dev %s, type %s) errno=%d\n",
611                                mount_options[i], sb->s_id, name, rc);
612                         goto out;
613                 }
614                 switch (flags[i]) {
615                 case FSCONTEXT_MNT:
616                         fscontext_sid = sid;
617
618                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
619                                         fscontext_sid))
620                                 goto out_double_mount;
621
622                         sbsec->flags |= FSCONTEXT_MNT;
623                         break;
624                 case CONTEXT_MNT:
625                         context_sid = sid;
626
627                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
628                                         context_sid))
629                                 goto out_double_mount;
630
631                         sbsec->flags |= CONTEXT_MNT;
632                         break;
633                 case ROOTCONTEXT_MNT:
634                         rootcontext_sid = sid;
635
636                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
637                                         rootcontext_sid))
638                                 goto out_double_mount;
639
640                         sbsec->flags |= ROOTCONTEXT_MNT;
641
642                         break;
643                 case DEFCONTEXT_MNT:
644                         defcontext_sid = sid;
645
646                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
647                                         defcontext_sid))
648                                 goto out_double_mount;
649
650                         sbsec->flags |= DEFCONTEXT_MNT;
651
652                         break;
653                 default:
654                         rc = -EINVAL;
655                         goto out;
656                 }
657         }
658
659         if (sbsec->flags & SE_SBINITIALIZED) {
660                 /* previously mounted with options, but not on this attempt? */
661                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
662                         goto out_double_mount;
663                 rc = 0;
664                 goto out;
665         }
666
667         if (strcmp(sb->s_type->name, "proc") == 0)
668                 sbsec->flags |= SE_SBPROC;
669
670         /* Determine the labeling behavior to use for this filesystem type. */
671         rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
672         if (rc) {
673                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
674                        __func__, sb->s_type->name, rc);
675                 goto out;
676         }
677
678         /* sets the context of the superblock for the fs being mounted. */
679         if (fscontext_sid) {
680                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
681                 if (rc)
682                         goto out;
683
684                 sbsec->sid = fscontext_sid;
685         }
686
687         /*
688          * Switch to using mount point labeling behavior.
689          * sets the label used on all file below the mountpoint, and will set
690          * the superblock context if not already set.
691          */
692         if (context_sid) {
693                 if (!fscontext_sid) {
694                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
695                                                           cred);
696                         if (rc)
697                                 goto out;
698                         sbsec->sid = context_sid;
699                 } else {
700                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
701                                                              cred);
702                         if (rc)
703                                 goto out;
704                 }
705                 if (!rootcontext_sid)
706                         rootcontext_sid = context_sid;
707
708                 sbsec->mntpoint_sid = context_sid;
709                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
710         }
711
712         if (rootcontext_sid) {
713                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
714                                                      cred);
715                 if (rc)
716                         goto out;
717
718                 root_isec->sid = rootcontext_sid;
719                 root_isec->initialized = 1;
720         }
721
722         if (defcontext_sid) {
723                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
724                         rc = -EINVAL;
725                         printk(KERN_WARNING "SELinux: defcontext option is "
726                                "invalid for this filesystem type\n");
727                         goto out;
728                 }
729
730                 if (defcontext_sid != sbsec->def_sid) {
731                         rc = may_context_mount_inode_relabel(defcontext_sid,
732                                                              sbsec, cred);
733                         if (rc)
734                                 goto out;
735                 }
736
737                 sbsec->def_sid = defcontext_sid;
738         }
739
740         rc = sb_finish_set_opts(sb);
741 out:
742         mutex_unlock(&sbsec->lock);
743         return rc;
744 out_double_mount:
745         rc = -EINVAL;
746         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
747                "security settings for (dev %s, type %s)\n", sb->s_id, name);
748         goto out;
749 }
750
751 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
752                                         struct super_block *newsb)
753 {
754         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
755         struct superblock_security_struct *newsbsec = newsb->s_security;
756
757         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
758         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
759         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
760
761         /*
762          * if the parent was able to be mounted it clearly had no special lsm
763          * mount options.  thus we can safely deal with this superblock later
764          */
765         if (!ss_initialized)
766                 return;
767
768         /* how can we clone if the old one wasn't set up?? */
769         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
770
771         /* if fs is reusing a sb, just let its options stand... */
772         if (newsbsec->flags & SE_SBINITIALIZED)
773                 return;
774
775         mutex_lock(&newsbsec->lock);
776
777         newsbsec->flags = oldsbsec->flags;
778
779         newsbsec->sid = oldsbsec->sid;
780         newsbsec->def_sid = oldsbsec->def_sid;
781         newsbsec->behavior = oldsbsec->behavior;
782
783         if (set_context) {
784                 u32 sid = oldsbsec->mntpoint_sid;
785
786                 if (!set_fscontext)
787                         newsbsec->sid = sid;
788                 if (!set_rootcontext) {
789                         struct inode *newinode = newsb->s_root->d_inode;
790                         struct inode_security_struct *newisec = newinode->i_security;
791                         newisec->sid = sid;
792                 }
793                 newsbsec->mntpoint_sid = sid;
794         }
795         if (set_rootcontext) {
796                 const struct inode *oldinode = oldsb->s_root->d_inode;
797                 const struct inode_security_struct *oldisec = oldinode->i_security;
798                 struct inode *newinode = newsb->s_root->d_inode;
799                 struct inode_security_struct *newisec = newinode->i_security;
800
801                 newisec->sid = oldisec->sid;
802         }
803
804         sb_finish_set_opts(newsb);
805         mutex_unlock(&newsbsec->lock);
806 }
807
808 static int selinux_parse_opts_str(char *options,
809                                   struct security_mnt_opts *opts)
810 {
811         char *p;
812         char *context = NULL, *defcontext = NULL;
813         char *fscontext = NULL, *rootcontext = NULL;
814         int rc, num_mnt_opts = 0;
815
816         opts->num_mnt_opts = 0;
817
818         /* Standard string-based options. */
819         while ((p = strsep(&options, "|")) != NULL) {
820                 int token;
821                 substring_t args[MAX_OPT_ARGS];
822
823                 if (!*p)
824                         continue;
825
826                 token = match_token(p, tokens, args);
827
828                 switch (token) {
829                 case Opt_context:
830                         if (context || defcontext) {
831                                 rc = -EINVAL;
832                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
833                                 goto out_err;
834                         }
835                         context = match_strdup(&args[0]);
836                         if (!context) {
837                                 rc = -ENOMEM;
838                                 goto out_err;
839                         }
840                         break;
841
842                 case Opt_fscontext:
843                         if (fscontext) {
844                                 rc = -EINVAL;
845                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
846                                 goto out_err;
847                         }
848                         fscontext = match_strdup(&args[0]);
849                         if (!fscontext) {
850                                 rc = -ENOMEM;
851                                 goto out_err;
852                         }
853                         break;
854
855                 case Opt_rootcontext:
856                         if (rootcontext) {
857                                 rc = -EINVAL;
858                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
859                                 goto out_err;
860                         }
861                         rootcontext = match_strdup(&args[0]);
862                         if (!rootcontext) {
863                                 rc = -ENOMEM;
864                                 goto out_err;
865                         }
866                         break;
867
868                 case Opt_defcontext:
869                         if (context || defcontext) {
870                                 rc = -EINVAL;
871                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
872                                 goto out_err;
873                         }
874                         defcontext = match_strdup(&args[0]);
875                         if (!defcontext) {
876                                 rc = -ENOMEM;
877                                 goto out_err;
878                         }
879                         break;
880                 case Opt_labelsupport:
881                         break;
882                 default:
883                         rc = -EINVAL;
884                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
885                         goto out_err;
886
887                 }
888         }
889
890         rc = -ENOMEM;
891         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
892         if (!opts->mnt_opts)
893                 goto out_err;
894
895         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
896         if (!opts->mnt_opts_flags) {
897                 kfree(opts->mnt_opts);
898                 goto out_err;
899         }
900
901         if (fscontext) {
902                 opts->mnt_opts[num_mnt_opts] = fscontext;
903                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
904         }
905         if (context) {
906                 opts->mnt_opts[num_mnt_opts] = context;
907                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
908         }
909         if (rootcontext) {
910                 opts->mnt_opts[num_mnt_opts] = rootcontext;
911                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
912         }
913         if (defcontext) {
914                 opts->mnt_opts[num_mnt_opts] = defcontext;
915                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
916         }
917
918         opts->num_mnt_opts = num_mnt_opts;
919         return 0;
920
921 out_err:
922         kfree(context);
923         kfree(defcontext);
924         kfree(fscontext);
925         kfree(rootcontext);
926         return rc;
927 }
928 /*
929  * string mount options parsing and call set the sbsec
930  */
931 static int superblock_doinit(struct super_block *sb, void *data)
932 {
933         int rc = 0;
934         char *options = data;
935         struct security_mnt_opts opts;
936
937         security_init_mnt_opts(&opts);
938
939         if (!data)
940                 goto out;
941
942         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
943
944         rc = selinux_parse_opts_str(options, &opts);
945         if (rc)
946                 goto out_err;
947
948 out:
949         rc = selinux_set_mnt_opts(sb, &opts);
950
951 out_err:
952         security_free_mnt_opts(&opts);
953         return rc;
954 }
955
956 static void selinux_write_opts(struct seq_file *m,
957                                struct security_mnt_opts *opts)
958 {
959         int i;
960         char *prefix;
961
962         for (i = 0; i < opts->num_mnt_opts; i++) {
963                 char *has_comma;
964
965                 if (opts->mnt_opts[i])
966                         has_comma = strchr(opts->mnt_opts[i], ',');
967                 else
968                         has_comma = NULL;
969
970                 switch (opts->mnt_opts_flags[i]) {
971                 case CONTEXT_MNT:
972                         prefix = CONTEXT_STR;
973                         break;
974                 case FSCONTEXT_MNT:
975                         prefix = FSCONTEXT_STR;
976                         break;
977                 case ROOTCONTEXT_MNT:
978                         prefix = ROOTCONTEXT_STR;
979                         break;
980                 case DEFCONTEXT_MNT:
981                         prefix = DEFCONTEXT_STR;
982                         break;
983                 case SE_SBLABELSUPP:
984                         seq_putc(m, ',');
985                         seq_puts(m, LABELSUPP_STR);
986                         continue;
987                 default:
988                         BUG();
989                         return;
990                 };
991                 /* we need a comma before each option */
992                 seq_putc(m, ',');
993                 seq_puts(m, prefix);
994                 if (has_comma)
995                         seq_putc(m, '\"');
996                 seq_puts(m, opts->mnt_opts[i]);
997                 if (has_comma)
998                         seq_putc(m, '\"');
999         }
1000 }
1001
1002 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1003 {
1004         struct security_mnt_opts opts;
1005         int rc;
1006
1007         rc = selinux_get_mnt_opts(sb, &opts);
1008         if (rc) {
1009                 /* before policy load we may get EINVAL, don't show anything */
1010                 if (rc == -EINVAL)
1011                         rc = 0;
1012                 return rc;
1013         }
1014
1015         selinux_write_opts(m, &opts);
1016
1017         security_free_mnt_opts(&opts);
1018
1019         return rc;
1020 }
1021
1022 static inline u16 inode_mode_to_security_class(umode_t mode)
1023 {
1024         switch (mode & S_IFMT) {
1025         case S_IFSOCK:
1026                 return SECCLASS_SOCK_FILE;
1027         case S_IFLNK:
1028                 return SECCLASS_LNK_FILE;
1029         case S_IFREG:
1030                 return SECCLASS_FILE;
1031         case S_IFBLK:
1032                 return SECCLASS_BLK_FILE;
1033         case S_IFDIR:
1034                 return SECCLASS_DIR;
1035         case S_IFCHR:
1036                 return SECCLASS_CHR_FILE;
1037         case S_IFIFO:
1038                 return SECCLASS_FIFO_FILE;
1039
1040         }
1041
1042         return SECCLASS_FILE;
1043 }
1044
1045 static inline int default_protocol_stream(int protocol)
1046 {
1047         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1048 }
1049
1050 static inline int default_protocol_dgram(int protocol)
1051 {
1052         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1053 }
1054
1055 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1056 {
1057         switch (family) {
1058         case PF_UNIX:
1059                 switch (type) {
1060                 case SOCK_STREAM:
1061                 case SOCK_SEQPACKET:
1062                         return SECCLASS_UNIX_STREAM_SOCKET;
1063                 case SOCK_DGRAM:
1064                         return SECCLASS_UNIX_DGRAM_SOCKET;
1065                 }
1066                 break;
1067         case PF_INET:
1068         case PF_INET6:
1069                 switch (type) {
1070                 case SOCK_STREAM:
1071                         if (default_protocol_stream(protocol))
1072                                 return SECCLASS_TCP_SOCKET;
1073                         else
1074                                 return SECCLASS_RAWIP_SOCKET;
1075                 case SOCK_DGRAM:
1076                         if (default_protocol_dgram(protocol))
1077                                 return SECCLASS_UDP_SOCKET;
1078                         else
1079                                 return SECCLASS_RAWIP_SOCKET;
1080                 case SOCK_DCCP:
1081                         return SECCLASS_DCCP_SOCKET;
1082                 default:
1083                         return SECCLASS_RAWIP_SOCKET;
1084                 }
1085                 break;
1086         case PF_NETLINK:
1087                 switch (protocol) {
1088                 case NETLINK_ROUTE:
1089                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1090                 case NETLINK_FIREWALL:
1091                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1092                 case NETLINK_INET_DIAG:
1093                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1094                 case NETLINK_NFLOG:
1095                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1096                 case NETLINK_XFRM:
1097                         return SECCLASS_NETLINK_XFRM_SOCKET;
1098                 case NETLINK_SELINUX:
1099                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1100                 case NETLINK_AUDIT:
1101                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1102                 case NETLINK_IP6_FW:
1103                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1104                 case NETLINK_DNRTMSG:
1105                         return SECCLASS_NETLINK_DNRT_SOCKET;
1106                 case NETLINK_KOBJECT_UEVENT:
1107                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1108                 default:
1109                         return SECCLASS_NETLINK_SOCKET;
1110                 }
1111         case PF_PACKET:
1112                 return SECCLASS_PACKET_SOCKET;
1113         case PF_KEY:
1114                 return SECCLASS_KEY_SOCKET;
1115         case PF_APPLETALK:
1116                 return SECCLASS_APPLETALK_SOCKET;
1117         }
1118
1119         return SECCLASS_SOCKET;
1120 }
1121
1122 #ifdef CONFIG_PROC_FS
1123 static int selinux_proc_get_sid(struct dentry *dentry,
1124                                 u16 tclass,
1125                                 u32 *sid)
1126 {
1127         int rc;
1128         char *buffer, *path;
1129
1130         buffer = (char *)__get_free_page(GFP_KERNEL);
1131         if (!buffer)
1132                 return -ENOMEM;
1133
1134         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1135         if (IS_ERR(path))
1136                 rc = PTR_ERR(path);
1137         else {
1138                 /* each process gets a /proc/PID/ entry. Strip off the
1139                  * PID part to get a valid selinux labeling.
1140                  * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1141                 while (path[1] >= '0' && path[1] <= '9') {
1142                         path[1] = '/';
1143                         path++;
1144                 }
1145                 rc = security_genfs_sid("proc", path, tclass, sid);
1146         }
1147         free_page((unsigned long)buffer);
1148         return rc;
1149 }
1150 #else
1151 static int selinux_proc_get_sid(struct dentry *dentry,
1152                                 u16 tclass,
1153                                 u32 *sid)
1154 {
1155         return -EINVAL;
1156 }
1157 #endif
1158
1159 /* The inode's security attributes must be initialized before first use. */
1160 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1161 {
1162         struct superblock_security_struct *sbsec = NULL;
1163         struct inode_security_struct *isec = inode->i_security;
1164         u32 sid;
1165         struct dentry *dentry;
1166 #define INITCONTEXTLEN 255
1167         char *context = NULL;
1168         unsigned len = 0;
1169         int rc = 0;
1170
1171         if (isec->initialized)
1172                 goto out;
1173
1174         mutex_lock(&isec->lock);
1175         if (isec->initialized)
1176                 goto out_unlock;
1177
1178         sbsec = inode->i_sb->s_security;
1179         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1180                 /* Defer initialization until selinux_complete_init,
1181                    after the initial policy is loaded and the security
1182                    server is ready to handle calls. */
1183                 spin_lock(&sbsec->isec_lock);
1184                 if (list_empty(&isec->list))
1185                         list_add(&isec->list, &sbsec->isec_head);
1186                 spin_unlock(&sbsec->isec_lock);
1187                 goto out_unlock;
1188         }
1189
1190         switch (sbsec->behavior) {
1191         case SECURITY_FS_USE_XATTR:
1192                 if (!inode->i_op->getxattr) {
1193                         isec->sid = sbsec->def_sid;
1194                         break;
1195                 }
1196
1197                 /* Need a dentry, since the xattr API requires one.
1198                    Life would be simpler if we could just pass the inode. */
1199                 if (opt_dentry) {
1200                         /* Called from d_instantiate or d_splice_alias. */
1201                         dentry = dget(opt_dentry);
1202                 } else {
1203                         /* Called from selinux_complete_init, try to find a dentry. */
1204                         dentry = d_find_alias(inode);
1205                 }
1206                 if (!dentry) {
1207                         /*
1208                          * this is can be hit on boot when a file is accessed
1209                          * before the policy is loaded.  When we load policy we
1210                          * may find inodes that have no dentry on the
1211                          * sbsec->isec_head list.  No reason to complain as these
1212                          * will get fixed up the next time we go through
1213                          * inode_doinit with a dentry, before these inodes could
1214                          * be used again by userspace.
1215                          */
1216                         goto out_unlock;
1217                 }
1218
1219                 len = INITCONTEXTLEN;
1220                 context = kmalloc(len+1, GFP_NOFS);
1221                 if (!context) {
1222                         rc = -ENOMEM;
1223                         dput(dentry);
1224                         goto out_unlock;
1225                 }
1226                 context[len] = '\0';
1227                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1228                                            context, len);
1229                 if (rc == -ERANGE) {
1230                         kfree(context);
1231
1232                         /* Need a larger buffer.  Query for the right size. */
1233                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1234                                                    NULL, 0);
1235                         if (rc < 0) {
1236                                 dput(dentry);
1237                                 goto out_unlock;
1238                         }
1239                         len = rc;
1240                         context = kmalloc(len+1, GFP_NOFS);
1241                         if (!context) {
1242                                 rc = -ENOMEM;
1243                                 dput(dentry);
1244                                 goto out_unlock;
1245                         }
1246                         context[len] = '\0';
1247                         rc = inode->i_op->getxattr(dentry,
1248                                                    XATTR_NAME_SELINUX,
1249                                                    context, len);
1250                 }
1251                 dput(dentry);
1252                 if (rc < 0) {
1253                         if (rc != -ENODATA) {
1254                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1255                                        "%d for dev=%s ino=%ld\n", __func__,
1256                                        -rc, inode->i_sb->s_id, inode->i_ino);
1257                                 kfree(context);
1258                                 goto out_unlock;
1259                         }
1260                         /* Map ENODATA to the default file SID */
1261                         sid = sbsec->def_sid;
1262                         rc = 0;
1263                 } else {
1264                         rc = security_context_to_sid_default(context, rc, &sid,
1265                                                              sbsec->def_sid,
1266                                                              GFP_NOFS);
1267                         if (rc) {
1268                                 char *dev = inode->i_sb->s_id;
1269                                 unsigned long ino = inode->i_ino;
1270
1271                                 if (rc == -EINVAL) {
1272                                         if (printk_ratelimit())
1273                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1274                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1275                                                         "filesystem in question.\n", ino, dev, context);
1276                                 } else {
1277                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1278                                                "returned %d for dev=%s ino=%ld\n",
1279                                                __func__, context, -rc, dev, ino);
1280                                 }
1281                                 kfree(context);
1282                                 /* Leave with the unlabeled SID */
1283                                 rc = 0;
1284                                 break;
1285                         }
1286                 }
1287                 kfree(context);
1288                 isec->sid = sid;
1289                 break;
1290         case SECURITY_FS_USE_TASK:
1291                 isec->sid = isec->task_sid;
1292                 break;
1293         case SECURITY_FS_USE_TRANS:
1294                 /* Default to the fs SID. */
1295                 isec->sid = sbsec->sid;
1296
1297                 /* Try to obtain a transition SID. */
1298                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1299                 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1300                                              isec->sclass, NULL, &sid);
1301                 if (rc)
1302                         goto out_unlock;
1303                 isec->sid = sid;
1304                 break;
1305         case SECURITY_FS_USE_MNTPOINT:
1306                 isec->sid = sbsec->mntpoint_sid;
1307                 break;
1308         default:
1309                 /* Default to the fs superblock SID. */
1310                 isec->sid = sbsec->sid;
1311
1312                 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1313                         if (opt_dentry) {
1314                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1315                                 rc = selinux_proc_get_sid(opt_dentry,
1316                                                           isec->sclass,
1317                                                           &sid);
1318                                 if (rc)
1319                                         goto out_unlock;
1320                                 isec->sid = sid;
1321                         }
1322                 }
1323                 break;
1324         }
1325
1326         isec->initialized = 1;
1327
1328 out_unlock:
1329         mutex_unlock(&isec->lock);
1330 out:
1331         if (isec->sclass == SECCLASS_FILE)
1332                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1333         return rc;
1334 }
1335
1336 /* Convert a Linux signal to an access vector. */
1337 static inline u32 signal_to_av(int sig)
1338 {
1339         u32 perm = 0;
1340
1341         switch (sig) {
1342         case SIGCHLD:
1343                 /* Commonly granted from child to parent. */
1344                 perm = PROCESS__SIGCHLD;
1345                 break;
1346         case SIGKILL:
1347                 /* Cannot be caught or ignored */
1348                 perm = PROCESS__SIGKILL;
1349                 break;
1350         case SIGSTOP:
1351                 /* Cannot be caught or ignored */
1352                 perm = PROCESS__SIGSTOP;
1353                 break;
1354         default:
1355                 /* All other signals. */
1356                 perm = PROCESS__SIGNAL;
1357                 break;
1358         }
1359
1360         return perm;
1361 }
1362
1363 /*
1364  * Check permission between a pair of credentials
1365  * fork check, ptrace check, etc.
1366  */
1367 static int cred_has_perm(const struct cred *actor,
1368                          const struct cred *target,
1369                          u32 perms)
1370 {
1371         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1372
1373         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1374 }
1375
1376 /*
1377  * Check permission between a pair of tasks, e.g. signal checks,
1378  * fork check, ptrace check, etc.
1379  * tsk1 is the actor and tsk2 is the target
1380  * - this uses the default subjective creds of tsk1
1381  */
1382 static int task_has_perm(const struct task_struct *tsk1,
1383                          const struct task_struct *tsk2,
1384                          u32 perms)
1385 {
1386         const struct task_security_struct *__tsec1, *__tsec2;
1387         u32 sid1, sid2;
1388
1389         rcu_read_lock();
1390         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1391         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1392         rcu_read_unlock();
1393         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1394 }
1395
1396 /*
1397  * Check permission between current and another task, e.g. signal checks,
1398  * fork check, ptrace check, etc.
1399  * current is the actor and tsk2 is the target
1400  * - this uses current's subjective creds
1401  */
1402 static int current_has_perm(const struct task_struct *tsk,
1403                             u32 perms)
1404 {
1405         u32 sid, tsid;
1406
1407         sid = current_sid();
1408         tsid = task_sid(tsk);
1409         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1410 }
1411
1412 #if CAP_LAST_CAP > 63
1413 #error Fix SELinux to handle capabilities > 63.
1414 #endif
1415
1416 /* Check whether a task is allowed to use a capability. */
1417 static int cred_has_capability(const struct cred *cred,
1418                                int cap, int audit)
1419 {
1420         struct common_audit_data ad;
1421         struct av_decision avd;
1422         u16 sclass;
1423         u32 sid = cred_sid(cred);
1424         u32 av = CAP_TO_MASK(cap);
1425         int rc;
1426
1427         COMMON_AUDIT_DATA_INIT(&ad, CAP);
1428         ad.tsk = current;
1429         ad.u.cap = cap;
1430
1431         switch (CAP_TO_INDEX(cap)) {
1432         case 0:
1433                 sclass = SECCLASS_CAPABILITY;
1434                 break;
1435         case 1:
1436                 sclass = SECCLASS_CAPABILITY2;
1437                 break;
1438         default:
1439                 printk(KERN_ERR
1440                        "SELinux:  out of range capability %d\n", cap);
1441                 BUG();
1442                 return -EINVAL;
1443         }
1444
1445         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1446         if (audit == SECURITY_CAP_AUDIT) {
1447                 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1448                 if (rc2)
1449                         return rc2;
1450         }
1451         return rc;
1452 }
1453
1454 /* Check whether a task is allowed to use a system operation. */
1455 static int task_has_system(struct task_struct *tsk,
1456                            u32 perms)
1457 {
1458         u32 sid = task_sid(tsk);
1459
1460         return avc_has_perm(sid, SECINITSID_KERNEL,
1461                             SECCLASS_SYSTEM, perms, NULL);
1462 }
1463
1464 /* Check whether a task has a particular permission to an inode.
1465    The 'adp' parameter is optional and allows other audit
1466    data to be passed (e.g. the dentry). */
1467 static int inode_has_perm(const struct cred *cred,
1468                           struct inode *inode,
1469                           u32 perms,
1470                           struct common_audit_data *adp,
1471                           unsigned flags)
1472 {
1473         struct inode_security_struct *isec;
1474         u32 sid;
1475
1476         validate_creds(cred);
1477
1478         if (unlikely(IS_PRIVATE(inode)))
1479                 return 0;
1480
1481         sid = cred_sid(cred);
1482         isec = inode->i_security;
1483
1484         return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1485 }
1486
1487 static int inode_has_perm_noadp(const struct cred *cred,
1488                                 struct inode *inode,
1489                                 u32 perms,
1490                                 unsigned flags)
1491 {
1492         struct common_audit_data ad;
1493
1494         COMMON_AUDIT_DATA_INIT(&ad, INODE);
1495         ad.u.inode = inode;
1496         return inode_has_perm(cred, inode, perms, &ad, flags);
1497 }
1498
1499 /* Same as inode_has_perm, but pass explicit audit data containing
1500    the dentry to help the auditing code to more easily generate the
1501    pathname if needed. */
1502 static inline int dentry_has_perm(const struct cred *cred,
1503                                   struct dentry *dentry,
1504                                   u32 av)
1505 {
1506         struct inode *inode = dentry->d_inode;
1507         struct common_audit_data ad;
1508
1509         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1510         ad.u.dentry = dentry;
1511         return inode_has_perm(cred, inode, av, &ad, 0);
1512 }
1513
1514 /* Same as inode_has_perm, but pass explicit audit data containing
1515    the path to help the auditing code to more easily generate the
1516    pathname if needed. */
1517 static inline int path_has_perm(const struct cred *cred,
1518                                 struct path *path,
1519                                 u32 av)
1520 {
1521         struct inode *inode = path->dentry->d_inode;
1522         struct common_audit_data ad;
1523
1524         COMMON_AUDIT_DATA_INIT(&ad, PATH);
1525         ad.u.path = *path;
1526         return inode_has_perm(cred, inode, av, &ad, 0);
1527 }
1528
1529 /* Check whether a task can use an open file descriptor to
1530    access an inode in a given way.  Check access to the
1531    descriptor itself, and then use dentry_has_perm to
1532    check a particular permission to the file.
1533    Access to the descriptor is implicitly granted if it
1534    has the same SID as the process.  If av is zero, then
1535    access to the file is not checked, e.g. for cases
1536    where only the descriptor is affected like seek. */
1537 static int file_has_perm(const struct cred *cred,
1538                          struct file *file,
1539                          u32 av)
1540 {
1541         struct file_security_struct *fsec = file->f_security;
1542         struct inode *inode = file->f_path.dentry->d_inode;
1543         struct common_audit_data ad;
1544         u32 sid = cred_sid(cred);
1545         int rc;
1546
1547         COMMON_AUDIT_DATA_INIT(&ad, PATH);
1548         ad.u.path = file->f_path;
1549
1550         if (sid != fsec->sid) {
1551                 rc = avc_has_perm(sid, fsec->sid,
1552                                   SECCLASS_FD,
1553                                   FD__USE,
1554                                   &ad);
1555                 if (rc)
1556                         goto out;
1557         }
1558
1559         /* av is zero if only checking access to the descriptor. */
1560         rc = 0;
1561         if (av)
1562                 rc = inode_has_perm(cred, inode, av, &ad, 0);
1563
1564 out:
1565         return rc;
1566 }
1567
1568 /* Check whether a task can create a file. */
1569 static int may_create(struct inode *dir,
1570                       struct dentry *dentry,
1571                       u16 tclass)
1572 {
1573         const struct task_security_struct *tsec = current_security();
1574         struct inode_security_struct *dsec;
1575         struct superblock_security_struct *sbsec;
1576         u32 sid, newsid;
1577         struct common_audit_data ad;
1578         int rc;
1579
1580         dsec = dir->i_security;
1581         sbsec = dir->i_sb->s_security;
1582
1583         sid = tsec->sid;
1584         newsid = tsec->create_sid;
1585
1586         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1587         ad.u.dentry = dentry;
1588
1589         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1590                           DIR__ADD_NAME | DIR__SEARCH,
1591                           &ad);
1592         if (rc)
1593                 return rc;
1594
1595         if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1596                 rc = security_transition_sid(sid, dsec->sid, tclass,
1597                                              &dentry->d_name, &newsid);
1598                 if (rc)
1599                         return rc;
1600         }
1601
1602         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1603         if (rc)
1604                 return rc;
1605
1606         return avc_has_perm(newsid, sbsec->sid,
1607                             SECCLASS_FILESYSTEM,
1608                             FILESYSTEM__ASSOCIATE, &ad);
1609 }
1610
1611 /* Check whether a task can create a key. */
1612 static int may_create_key(u32 ksid,
1613                           struct task_struct *ctx)
1614 {
1615         u32 sid = task_sid(ctx);
1616
1617         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1618 }
1619
1620 #define MAY_LINK        0
1621 #define MAY_UNLINK      1
1622 #define MAY_RMDIR       2
1623
1624 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1625 static int may_link(struct inode *dir,
1626                     struct dentry *dentry,
1627                     int kind)
1628
1629 {
1630         struct inode_security_struct *dsec, *isec;
1631         struct common_audit_data ad;
1632         u32 sid = current_sid();
1633         u32 av;
1634         int rc;
1635
1636         dsec = dir->i_security;
1637         isec = dentry->d_inode->i_security;
1638
1639         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1640         ad.u.dentry = dentry;
1641
1642         av = DIR__SEARCH;
1643         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1644         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1645         if (rc)
1646                 return rc;
1647
1648         switch (kind) {
1649         case MAY_LINK:
1650                 av = FILE__LINK;
1651                 break;
1652         case MAY_UNLINK:
1653                 av = FILE__UNLINK;
1654                 break;
1655         case MAY_RMDIR:
1656                 av = DIR__RMDIR;
1657                 break;
1658         default:
1659                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1660                         __func__, kind);
1661                 return 0;
1662         }
1663
1664         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1665         return rc;
1666 }
1667
1668 static inline int may_rename(struct inode *old_dir,
1669                              struct dentry *old_dentry,
1670                              struct inode *new_dir,
1671                              struct dentry *new_dentry)
1672 {
1673         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1674         struct common_audit_data ad;
1675         u32 sid = current_sid();
1676         u32 av;
1677         int old_is_dir, new_is_dir;
1678         int rc;
1679
1680         old_dsec = old_dir->i_security;
1681         old_isec = old_dentry->d_inode->i_security;
1682         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1683         new_dsec = new_dir->i_security;
1684
1685         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1686
1687         ad.u.dentry = old_dentry;
1688         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1689                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1690         if (rc)
1691                 return rc;
1692         rc = avc_has_perm(sid, old_isec->sid,
1693                           old_isec->sclass, FILE__RENAME, &ad);
1694         if (rc)
1695                 return rc;
1696         if (old_is_dir && new_dir != old_dir) {
1697                 rc = avc_has_perm(sid, old_isec->sid,
1698                                   old_isec->sclass, DIR__REPARENT, &ad);
1699                 if (rc)
1700                         return rc;
1701         }
1702
1703         ad.u.dentry = new_dentry;
1704         av = DIR__ADD_NAME | DIR__SEARCH;
1705         if (new_dentry->d_inode)
1706                 av |= DIR__REMOVE_NAME;
1707         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1708         if (rc)
1709                 return rc;
1710         if (new_dentry->d_inode) {
1711                 new_isec = new_dentry->d_inode->i_security;
1712                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1713                 rc = avc_has_perm(sid, new_isec->sid,
1714                                   new_isec->sclass,
1715                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1716                 if (rc)
1717                         return rc;
1718         }
1719
1720         return 0;
1721 }
1722
1723 /* Check whether a task can perform a filesystem operation. */
1724 static int superblock_has_perm(const struct cred *cred,
1725                                struct super_block *sb,
1726                                u32 perms,
1727                                struct common_audit_data *ad)
1728 {
1729         struct superblock_security_struct *sbsec;
1730         u32 sid = cred_sid(cred);
1731
1732         sbsec = sb->s_security;
1733         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1734 }
1735
1736 /* Convert a Linux mode and permission mask to an access vector. */
1737 static inline u32 file_mask_to_av(int mode, int mask)
1738 {
1739         u32 av = 0;
1740
1741         if ((mode & S_IFMT) != S_IFDIR) {
1742                 if (mask & MAY_EXEC)
1743                         av |= FILE__EXECUTE;
1744                 if (mask & MAY_READ)
1745                         av |= FILE__READ;
1746
1747                 if (mask & MAY_APPEND)
1748                         av |= FILE__APPEND;
1749                 else if (mask & MAY_WRITE)
1750                         av |= FILE__WRITE;
1751
1752         } else {
1753                 if (mask & MAY_EXEC)
1754                         av |= DIR__SEARCH;
1755                 if (mask & MAY_WRITE)
1756                         av |= DIR__WRITE;
1757                 if (mask & MAY_READ)
1758                         av |= DIR__READ;
1759         }
1760
1761         return av;
1762 }
1763
1764 /* Convert a Linux file to an access vector. */
1765 static inline u32 file_to_av(struct file *file)
1766 {
1767         u32 av = 0;
1768
1769         if (file->f_mode & FMODE_READ)
1770                 av |= FILE__READ;
1771         if (file->f_mode & FMODE_WRITE) {
1772                 if (file->f_flags & O_APPEND)
1773                         av |= FILE__APPEND;
1774                 else
1775                         av |= FILE__WRITE;
1776         }
1777         if (!av) {
1778                 /*
1779                  * Special file opened with flags 3 for ioctl-only use.
1780                  */
1781                 av = FILE__IOCTL;
1782         }
1783
1784         return av;
1785 }
1786
1787 /*
1788  * Convert a file to an access vector and include the correct open
1789  * open permission.
1790  */
1791 static inline u32 open_file_to_av(struct file *file)
1792 {
1793         u32 av = file_to_av(file);
1794
1795         if (selinux_policycap_openperm)
1796                 av |= FILE__OPEN;
1797
1798         return av;
1799 }
1800
1801 /* Hook functions begin here. */
1802
1803 static int selinux_ptrace_access_check(struct task_struct *child,
1804                                      unsigned int mode)
1805 {
1806         int rc;
1807
1808         rc = cap_ptrace_access_check(child, mode);
1809         if (rc)
1810                 return rc;
1811
1812         if (mode == PTRACE_MODE_READ) {
1813                 u32 sid = current_sid();
1814                 u32 csid = task_sid(child);
1815                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1816         }
1817
1818         return current_has_perm(child, PROCESS__PTRACE);
1819 }
1820
1821 static int selinux_ptrace_traceme(struct task_struct *parent)
1822 {
1823         int rc;
1824
1825         rc = cap_ptrace_traceme(parent);
1826         if (rc)
1827                 return rc;
1828
1829         return task_has_perm(parent, current, PROCESS__PTRACE);
1830 }
1831
1832 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1833                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1834 {
1835         int error;
1836
1837         error = current_has_perm(target, PROCESS__GETCAP);
1838         if (error)
1839                 return error;
1840
1841         return cap_capget(target, effective, inheritable, permitted);
1842 }
1843
1844 static int selinux_capset(struct cred *new, const struct cred *old,
1845                           const kernel_cap_t *effective,
1846                           const kernel_cap_t *inheritable,
1847                           const kernel_cap_t *permitted)
1848 {
1849         int error;
1850
1851         error = cap_capset(new, old,
1852                                       effective, inheritable, permitted);
1853         if (error)
1854                 return error;
1855
1856         return cred_has_perm(old, new, PROCESS__SETCAP);
1857 }
1858
1859 /*
1860  * (This comment used to live with the selinux_task_setuid hook,
1861  * which was removed).
1862  *
1863  * Since setuid only affects the current process, and since the SELinux
1864  * controls are not based on the Linux identity attributes, SELinux does not
1865  * need to control this operation.  However, SELinux does control the use of
1866  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1867  */
1868
1869 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1870                            int cap, int audit)
1871 {
1872         int rc;
1873
1874         rc = cap_capable(cred, ns, cap, audit);
1875         if (rc)
1876                 return rc;
1877
1878         return cred_has_capability(cred, cap, audit);
1879 }
1880
1881 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1882 {
1883         const struct cred *cred = current_cred();
1884         int rc = 0;
1885
1886         if (!sb)
1887                 return 0;
1888
1889         switch (cmds) {
1890         case Q_SYNC:
1891         case Q_QUOTAON:
1892         case Q_QUOTAOFF:
1893         case Q_SETINFO:
1894         case Q_SETQUOTA:
1895                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1896                 break;
1897         case Q_GETFMT:
1898         case Q_GETINFO:
1899         case Q_GETQUOTA:
1900                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1901                 break;
1902         default:
1903                 rc = 0;  /* let the kernel handle invalid cmds */
1904                 break;
1905         }
1906         return rc;
1907 }
1908
1909 static int selinux_quota_on(struct dentry *dentry)
1910 {
1911         const struct cred *cred = current_cred();
1912
1913         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1914 }
1915
1916 static int selinux_syslog(int type)
1917 {
1918         int rc;
1919
1920         switch (type) {
1921         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
1922         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1923                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1924                 break;
1925         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1926         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
1927         /* Set level of messages printed to console */
1928         case SYSLOG_ACTION_CONSOLE_LEVEL:
1929                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1930                 break;
1931         case SYSLOG_ACTION_CLOSE:       /* Close log */
1932         case SYSLOG_ACTION_OPEN:        /* Open log */
1933         case SYSLOG_ACTION_READ:        /* Read from log */
1934         case SYSLOG_ACTION_READ_CLEAR:  /* Read/clear last kernel messages */
1935         case SYSLOG_ACTION_CLEAR:       /* Clear ring buffer */
1936         default:
1937                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1938                 break;
1939         }
1940         return rc;
1941 }
1942
1943 /*
1944  * Check that a process has enough memory to allocate a new virtual
1945  * mapping. 0 means there is enough memory for the allocation to
1946  * succeed and -ENOMEM implies there is not.
1947  *
1948  * Do not audit the selinux permission check, as this is applied to all
1949  * processes that allocate mappings.
1950  */
1951 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1952 {
1953         int rc, cap_sys_admin = 0;
1954
1955         rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
1956                              SECURITY_CAP_NOAUDIT);
1957         if (rc == 0)
1958                 cap_sys_admin = 1;
1959
1960         return __vm_enough_memory(mm, pages, cap_sys_admin);
1961 }
1962
1963 /* binprm security operations */
1964
1965 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1966 {
1967         const struct task_security_struct *old_tsec;
1968         struct task_security_struct *new_tsec;
1969         struct inode_security_struct *isec;
1970         struct common_audit_data ad;
1971         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1972         int rc;
1973
1974         rc = cap_bprm_set_creds(bprm);
1975         if (rc)
1976                 return rc;
1977
1978         /* SELinux context only depends on initial program or script and not
1979          * the script interpreter */
1980         if (bprm->cred_prepared)
1981                 return 0;
1982
1983         old_tsec = current_security();
1984         new_tsec = bprm->cred->security;
1985         isec = inode->i_security;
1986
1987         /* Default to the current task SID. */
1988         new_tsec->sid = old_tsec->sid;
1989         new_tsec->osid = old_tsec->sid;
1990
1991         /* Reset fs, key, and sock SIDs on execve. */
1992         new_tsec->create_sid = 0;
1993         new_tsec->keycreate_sid = 0;
1994         new_tsec->sockcreate_sid = 0;
1995
1996         if (old_tsec->exec_sid) {
1997                 new_tsec->sid = old_tsec->exec_sid;
1998                 /* Reset exec SID on execve. */
1999                 new_tsec->exec_sid = 0;
2000         } else {
2001                 /* Check for a default transition on this program. */
2002                 rc = security_transition_sid(old_tsec->sid, isec->sid,
2003                                              SECCLASS_PROCESS, NULL,
2004                                              &new_tsec->sid);
2005                 if (rc)
2006                         return rc;
2007         }
2008
2009         COMMON_AUDIT_DATA_INIT(&ad, PATH);
2010         ad.u.path = bprm->file->f_path;
2011
2012         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2013                 new_tsec->sid = old_tsec->sid;
2014
2015         if (new_tsec->sid == old_tsec->sid) {
2016                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2017                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2018                 if (rc)
2019                         return rc;
2020         } else {
2021                 /* Check permissions for the transition. */
2022                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2023                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2024                 if (rc)
2025                         return rc;
2026
2027                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2028                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2029                 if (rc)
2030                         return rc;
2031
2032                 /* Check for shared state */
2033                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2034                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2035                                           SECCLASS_PROCESS, PROCESS__SHARE,
2036                                           NULL);
2037                         if (rc)
2038                                 return -EPERM;
2039                 }
2040
2041                 /* Make sure that anyone attempting to ptrace over a task that
2042                  * changes its SID has the appropriate permit */
2043                 if (bprm->unsafe &
2044                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2045                         struct task_struct *tracer;
2046                         struct task_security_struct *sec;
2047                         u32 ptsid = 0;
2048
2049                         rcu_read_lock();
2050                         tracer = ptrace_parent(current);
2051                         if (likely(tracer != NULL)) {
2052                                 sec = __task_cred(tracer)->security;
2053                                 ptsid = sec->sid;
2054                         }
2055                         rcu_read_unlock();
2056
2057                         if (ptsid != 0) {
2058                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2059                                                   SECCLASS_PROCESS,
2060                                                   PROCESS__PTRACE, NULL);
2061                                 if (rc)
2062                                         return -EPERM;
2063                         }
2064                 }
2065
2066                 /* Clear any possibly unsafe personality bits on exec: */
2067                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2068         }
2069
2070         return 0;
2071 }
2072
2073 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2074 {
2075         const struct task_security_struct *tsec = current_security();
2076         u32 sid, osid;
2077         int atsecure = 0;
2078
2079         sid = tsec->sid;
2080         osid = tsec->osid;
2081
2082         if (osid != sid) {
2083                 /* Enable secure mode for SIDs transitions unless
2084                    the noatsecure permission is granted between
2085                    the two SIDs, i.e. ahp returns 0. */
2086                 atsecure = avc_has_perm(osid, sid,
2087                                         SECCLASS_PROCESS,
2088                                         PROCESS__NOATSECURE, NULL);
2089         }
2090
2091         return (atsecure || cap_bprm_secureexec(bprm));
2092 }
2093
2094 /* Derived from fs/exec.c:flush_old_files. */
2095 static inline void flush_unauthorized_files(const struct cred *cred,
2096                                             struct files_struct *files)
2097 {
2098         struct common_audit_data ad;
2099         struct file *file, *devnull = NULL;
2100         struct tty_struct *tty;
2101         struct fdtable *fdt;
2102         long j = -1;
2103         int drop_tty = 0;
2104
2105         tty = get_current_tty();
2106         if (tty) {
2107                 spin_lock(&tty_files_lock);
2108                 if (!list_empty(&tty->tty_files)) {
2109                         struct tty_file_private *file_priv;
2110                         struct inode *inode;
2111
2112                         /* Revalidate access to controlling tty.
2113                            Use inode_has_perm on the tty inode directly rather
2114                            than using file_has_perm, as this particular open
2115                            file may belong to another process and we are only
2116                            interested in the inode-based check here. */
2117                         file_priv = list_first_entry(&tty->tty_files,
2118                                                 struct tty_file_private, list);
2119                         file = file_priv->file;
2120                         inode = file->f_path.dentry->d_inode;
2121                         if (inode_has_perm_noadp(cred, inode,
2122                                            FILE__READ | FILE__WRITE, 0)) {
2123                                 drop_tty = 1;
2124                         }
2125                 }
2126                 spin_unlock(&tty_files_lock);
2127                 tty_kref_put(tty);
2128         }
2129         /* Reset controlling tty. */
2130         if (drop_tty)
2131                 no_tty();
2132
2133         /* Revalidate access to inherited open files. */
2134
2135         COMMON_AUDIT_DATA_INIT(&ad, INODE);
2136
2137         spin_lock(&files->file_lock);
2138         for (;;) {
2139                 unsigned long set, i;
2140                 int fd;
2141
2142                 j++;
2143                 i = j * __NFDBITS;
2144                 fdt = files_fdtable(files);
2145                 if (i >= fdt->max_fds)
2146                         break;
2147                 set = fdt->open_fds->fds_bits[j];
2148                 if (!set)
2149                         continue;
2150                 spin_unlock(&files->file_lock);
2151                 for ( ; set ; i++, set >>= 1) {
2152                         if (set & 1) {
2153                                 file = fget(i);
2154                                 if (!file)
2155                                         continue;
2156                                 if (file_has_perm(cred,
2157                                                   file,
2158                                                   file_to_av(file))) {
2159                                         sys_close(i);
2160                                         fd = get_unused_fd();
2161                                         if (fd != i) {
2162                                                 if (fd >= 0)
2163                                                         put_unused_fd(fd);
2164                                                 fput(file);
2165                                                 continue;
2166                                         }
2167                                         if (devnull) {
2168                                                 get_file(devnull);
2169                                         } else {
2170                                                 devnull = dentry_open(
2171                                                         dget(selinux_null),
2172                                                         mntget(selinuxfs_mount),
2173                                                         O_RDWR, cred);
2174                                                 if (IS_ERR(devnull)) {
2175                                                         devnull = NULL;
2176                                                         put_unused_fd(fd);
2177                                                         fput(file);
2178                                                         continue;
2179                                                 }
2180                                         }
2181                                         fd_install(fd, devnull);
2182                                 }
2183                                 fput(file);
2184                         }
2185                 }
2186                 spin_lock(&files->file_lock);
2187
2188         }
2189         spin_unlock(&files->file_lock);
2190 }
2191
2192 /*
2193  * Prepare a process for imminent new credential changes due to exec
2194  */
2195 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2196 {
2197         struct task_security_struct *new_tsec;
2198         struct rlimit *rlim, *initrlim;
2199         int rc, i;
2200
2201         new_tsec = bprm->cred->security;
2202         if (new_tsec->sid == new_tsec->osid)
2203                 return;
2204
2205         /* Close files for which the new task SID is not authorized. */
2206         flush_unauthorized_files(bprm->cred, current->files);
2207
2208         /* Always clear parent death signal on SID transitions. */
2209         current->pdeath_signal = 0;
2210
2211         /* Check whether the new SID can inherit resource limits from the old
2212          * SID.  If not, reset all soft limits to the lower of the current
2213          * task's hard limit and the init task's soft limit.
2214          *
2215          * Note that the setting of hard limits (even to lower them) can be
2216          * controlled by the setrlimit check.  The inclusion of the init task's
2217          * soft limit into the computation is to avoid resetting soft limits
2218          * higher than the default soft limit for cases where the default is
2219          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2220          */
2221         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2222                           PROCESS__RLIMITINH, NULL);
2223         if (rc) {
2224                 /* protect against do_prlimit() */
2225                 task_lock(current);
2226                 for (i = 0; i < RLIM_NLIMITS; i++) {
2227                         rlim = current->signal->rlim + i;
2228                         initrlim = init_task.signal->rlim + i;
2229                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2230                 }
2231                 task_unlock(current);
2232                 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2233         }
2234 }
2235
2236 /*
2237  * Clean up the process immediately after the installation of new credentials
2238  * due to exec
2239  */
2240 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2241 {
2242         const struct task_security_struct *tsec = current_security();
2243         struct itimerval itimer;
2244         u32 osid, sid;
2245         int rc, i;
2246
2247         osid = tsec->osid;
2248         sid = tsec->sid;
2249
2250         if (sid == osid)
2251                 return;
2252
2253         /* Check whether the new SID can inherit signal state from the old SID.
2254          * If not, clear itimers to avoid subsequent signal generation and
2255          * flush and unblock signals.
2256          *
2257          * This must occur _after_ the task SID has been updated so that any
2258          * kill done after the flush will be checked against the new SID.
2259          */
2260         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2261         if (rc) {
2262                 memset(&itimer, 0, sizeof itimer);
2263                 for (i = 0; i < 3; i++)
2264                         do_setitimer(i, &itimer, NULL);
2265                 spin_lock_irq(&current->sighand->siglock);
2266                 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2267                         __flush_signals(current);
2268                         flush_signal_handlers(current, 1);
2269                         sigemptyset(&current->blocked);
2270                 }
2271                 spin_unlock_irq(&current->sighand->siglock);
2272         }
2273
2274         /* Wake up the parent if it is waiting so that it can recheck
2275          * wait permission to the new task SID. */
2276         read_lock(&tasklist_lock);
2277         __wake_up_parent(current, current->real_parent);
2278         read_unlock(&tasklist_lock);
2279 }
2280
2281 /* superblock security operations */
2282
2283 static int selinux_sb_alloc_security(struct super_block *sb)
2284 {
2285         return superblock_alloc_security(sb);
2286 }
2287
2288 static void selinux_sb_free_security(struct super_block *sb)
2289 {
2290         superblock_free_security(sb);
2291 }
2292
2293 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2294 {
2295         if (plen > olen)
2296                 return 0;
2297
2298         return !memcmp(prefix, option, plen);
2299 }
2300
2301 static inline int selinux_option(char *option, int len)
2302 {
2303         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2304                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2305                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2306                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2307                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2308 }
2309
2310 static inline void take_option(char **to, char *from, int *first, int len)
2311 {
2312         if (!*first) {
2313                 **to = ',';
2314                 *to += 1;
2315         } else
2316                 *first = 0;
2317         memcpy(*to, from, len);
2318         *to += len;
2319 }
2320
2321 static inline void take_selinux_option(char **to, char *from, int *first,
2322                                        int len)
2323 {
2324         int current_size = 0;
2325
2326         if (!*first) {
2327                 **to = '|';
2328                 *to += 1;
2329         } else
2330                 *first = 0;
2331
2332         while (current_size < len) {
2333                 if (*from != '"') {
2334                         **to = *from;
2335                         *to += 1;
2336                 }
2337                 from += 1;
2338                 current_size += 1;
2339         }
2340 }
2341
2342 static int selinux_sb_copy_data(char *orig, char *copy)
2343 {
2344         int fnosec, fsec, rc = 0;
2345         char *in_save, *in_curr, *in_end;
2346         char *sec_curr, *nosec_save, *nosec;
2347         int open_quote = 0;
2348
2349         in_curr = orig;
2350         sec_curr = copy;
2351
2352         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2353         if (!nosec) {
2354                 rc = -ENOMEM;
2355                 goto out;
2356         }
2357
2358         nosec_save = nosec;
2359         fnosec = fsec = 1;
2360         in_save = in_end = orig;
2361
2362         do {
2363                 if (*in_end == '"')
2364                         open_quote = !open_quote;
2365                 if ((*in_end == ',' && open_quote == 0) ||
2366                                 *in_end == '\0') {
2367                         int len = in_end - in_curr;
2368
2369                         if (selinux_option(in_curr, len))
2370                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2371                         else
2372                                 take_option(&nosec, in_curr, &fnosec, len);
2373
2374                         in_curr = in_end + 1;
2375                 }
2376         } while (*in_end++);
2377
2378         strcpy(in_save, nosec_save);
2379         free_page((unsigned long)nosec_save);
2380 out:
2381         return rc;
2382 }
2383
2384 static int selinux_sb_remount(struct super_block *sb, void *data)
2385 {
2386         int rc, i, *flags;
2387         struct security_mnt_opts opts;
2388         char *secdata, **mount_options;
2389         struct superblock_security_struct *sbsec = sb->s_security;
2390
2391         if (!(sbsec->flags & SE_SBINITIALIZED))
2392                 return 0;
2393
2394         if (!data)
2395                 return 0;
2396
2397         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2398                 return 0;
2399
2400         security_init_mnt_opts(&opts);
2401         secdata = alloc_secdata();
2402         if (!secdata)
2403                 return -ENOMEM;
2404         rc = selinux_sb_copy_data(data, secdata);
2405         if (rc)
2406                 goto out_free_secdata;
2407
2408         rc = selinux_parse_opts_str(secdata, &opts);
2409         if (rc)
2410                 goto out_free_secdata;
2411
2412         mount_options = opts.mnt_opts;
2413         flags = opts.mnt_opts_flags;
2414
2415         for (i = 0; i < opts.num_mnt_opts; i++) {
2416                 u32 sid;
2417                 size_t len;
2418
2419                 if (flags[i] == SE_SBLABELSUPP)
2420                         continue;
2421                 len = strlen(mount_options[i]);
2422                 rc = security_context_to_sid(mount_options[i], len, &sid);
2423                 if (rc) {
2424                         printk(KERN_WARNING "SELinux: security_context_to_sid"
2425                                "(%s) failed for (dev %s, type %s) errno=%d\n",
2426                                mount_options[i], sb->s_id, sb->s_type->name, rc);
2427                         goto out_free_opts;
2428                 }
2429                 rc = -EINVAL;
2430                 switch (flags[i]) {
2431                 case FSCONTEXT_MNT:
2432                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2433                                 goto out_bad_option;
2434                         break;
2435                 case CONTEXT_MNT:
2436                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2437                                 goto out_bad_option;
2438                         break;
2439                 case ROOTCONTEXT_MNT: {
2440                         struct inode_security_struct *root_isec;
2441                         root_isec = sb->s_root->d_inode->i_security;
2442
2443                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2444                                 goto out_bad_option;
2445                         break;
2446                 }
2447                 case DEFCONTEXT_MNT:
2448                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2449                                 goto out_bad_option;
2450                         break;
2451                 default:
2452                         goto out_free_opts;
2453                 }
2454         }
2455
2456         rc = 0;
2457 out_free_opts:
2458         security_free_mnt_opts(&opts);
2459 out_free_secdata:
2460         free_secdata(secdata);
2461         return rc;
2462 out_bad_option:
2463         printk(KERN_WARNING "SELinux: unable to change security options "
2464                "during remount (dev %s, type=%s)\n", sb->s_id,
2465                sb->s_type->name);
2466         goto out_free_opts;
2467 }
2468
2469 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2470 {
2471         const struct cred *cred = current_cred();
2472         struct common_audit_data ad;
2473         int rc;
2474
2475         rc = superblock_doinit(sb, data);
2476         if (rc)
2477                 return rc;
2478
2479         /* Allow all mounts performed by the kernel */
2480         if (flags & MS_KERNMOUNT)
2481                 return 0;
2482
2483         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2484         ad.u.dentry = sb->s_root;
2485         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2486 }
2487
2488 static int selinux_sb_statfs(struct dentry *dentry)
2489 {
2490         const struct cred *cred = current_cred();
2491         struct common_audit_data ad;
2492
2493         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2494         ad.u.dentry = dentry->d_sb->s_root;
2495         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2496 }
2497
2498 static int selinux_mount(char *dev_name,
2499                          struct path *path,
2500                          char *type,
2501                          unsigned long flags,
2502                          void *data)
2503 {
2504         const struct cred *cred = current_cred();
2505
2506         if (flags & MS_REMOUNT)
2507                 return superblock_has_perm(cred, path->mnt->mnt_sb,
2508                                            FILESYSTEM__REMOUNT, NULL);
2509         else
2510                 return path_has_perm(cred, path, FILE__MOUNTON);
2511 }
2512
2513 static int selinux_umount(struct vfsmount *mnt, int flags)
2514 {
2515         const struct cred *cred = current_cred();
2516
2517         return superblock_has_perm(cred, mnt->mnt_sb,
2518                                    FILESYSTEM__UNMOUNT, NULL);
2519 }
2520
2521 /* inode security operations */
2522
2523 static int selinux_inode_alloc_security(struct inode *inode)
2524 {
2525         return inode_alloc_security(inode);
2526 }
2527
2528 static void selinux_inode_free_security(struct inode *inode)
2529 {
2530         inode_free_security(inode);
2531 }
2532
2533 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2534                                        const struct qstr *qstr, char **name,
2535                                        void **value, size_t *len)
2536 {
2537         const struct task_security_struct *tsec = current_security();
2538         struct inode_security_struct *dsec;
2539         struct superblock_security_struct *sbsec;
2540         u32 sid, newsid, clen;
2541         int rc;
2542         char *namep = NULL, *context;
2543
2544         dsec = dir->i_security;
2545         sbsec = dir->i_sb->s_security;
2546
2547         sid = tsec->sid;
2548         newsid = tsec->create_sid;
2549
2550         if ((sbsec->flags & SE_SBINITIALIZED) &&
2551             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2552                 newsid = sbsec->mntpoint_sid;
2553         else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2554                 rc = security_transition_sid(sid, dsec->sid,
2555                                              inode_mode_to_security_class(inode->i_mode),
2556                                              qstr, &newsid);
2557                 if (rc) {
2558                         printk(KERN_WARNING "%s:  "
2559                                "security_transition_sid failed, rc=%d (dev=%s "
2560                                "ino=%ld)\n",
2561                                __func__,
2562                                -rc, inode->i_sb->s_id, inode->i_ino);
2563                         return rc;
2564                 }
2565         }
2566
2567         /* Possibly defer initialization to selinux_complete_init. */
2568         if (sbsec->flags & SE_SBINITIALIZED) {
2569                 struct inode_security_struct *isec = inode->i_security;
2570                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2571                 isec->sid = newsid;
2572                 isec->initialized = 1;
2573         }
2574
2575         if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2576                 return -EOPNOTSUPP;
2577
2578         if (name) {
2579                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2580                 if (!namep)
2581                         return -ENOMEM;
2582                 *name = namep;
2583         }
2584
2585         if (value && len) {
2586                 rc = security_sid_to_context_force(newsid, &context, &clen);
2587                 if (rc) {
2588                         kfree(namep);
2589                         return rc;
2590                 }
2591                 *value = context;
2592                 *len = clen;
2593         }
2594
2595         return 0;
2596 }
2597
2598 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2599 {
2600         return may_create(dir, dentry, SECCLASS_FILE);
2601 }
2602
2603 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2604 {
2605         return may_link(dir, old_dentry, MAY_LINK);
2606 }
2607
2608 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2609 {
2610         return may_link(dir, dentry, MAY_UNLINK);
2611 }
2612
2613 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2614 {
2615         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2616 }
2617
2618 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2619 {
2620         return may_create(dir, dentry, SECCLASS_DIR);
2621 }
2622
2623 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2624 {
2625         return may_link(dir, dentry, MAY_RMDIR);
2626 }
2627
2628 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2629 {
2630         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2631 }
2632
2633 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2634                                 struct inode *new_inode, struct dentry *new_dentry)
2635 {
2636         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2637 }
2638
2639 static int selinux_inode_readlink(struct dentry *dentry)
2640 {
2641         const struct cred *cred = current_cred();
2642
2643         return dentry_has_perm(cred, dentry, FILE__READ);
2644 }
2645
2646 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2647 {
2648         const struct cred *cred = current_cred();
2649
2650         return dentry_has_perm(cred, dentry, FILE__READ);
2651 }
2652
2653 static int selinux_inode_permission(struct inode *inode, int mask)
2654 {
2655         const struct cred *cred = current_cred();
2656         struct common_audit_data ad;
2657         u32 perms;
2658         bool from_access;
2659         unsigned flags = mask & MAY_NOT_BLOCK;
2660
2661         from_access = mask & MAY_ACCESS;
2662         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2663
2664         /* No permission to check.  Existence test. */
2665         if (!mask)
2666                 return 0;
2667
2668         COMMON_AUDIT_DATA_INIT(&ad, INODE);
2669         ad.u.inode = inode;
2670
2671         if (from_access)
2672                 ad.selinux_audit_data.auditdeny |= FILE__AUDIT_ACCESS;
2673
2674         perms = file_mask_to_av(inode->i_mode, mask);
2675
2676         return inode_has_perm(cred, inode, perms, &ad, flags);
2677 }
2678
2679 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2680 {
2681         const struct cred *cred = current_cred();
2682         unsigned int ia_valid = iattr->ia_valid;
2683
2684         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2685         if (ia_valid & ATTR_FORCE) {
2686                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2687                               ATTR_FORCE);
2688                 if (!ia_valid)
2689                         return 0;
2690         }
2691
2692         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2693                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2694                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2695
2696         return dentry_has_perm(cred, dentry, FILE__WRITE);
2697 }
2698
2699 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2700 {
2701         const struct cred *cred = current_cred();
2702         struct path path;
2703
2704         path.dentry = dentry;
2705         path.mnt = mnt;
2706
2707         return path_has_perm(cred, &path, FILE__GETATTR);
2708 }
2709
2710 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2711 {
2712         const struct cred *cred = current_cred();
2713
2714         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2715                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2716                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2717                         if (!capable(CAP_SETFCAP))
2718                                 return -EPERM;
2719                 } else if (!capable(CAP_SYS_ADMIN)) {
2720                         /* A different attribute in the security namespace.
2721                            Restrict to administrator. */
2722                         return -EPERM;
2723                 }
2724         }
2725
2726         /* Not an attribute we recognize, so just check the
2727            ordinary setattr permission. */
2728         return dentry_has_perm(cred, dentry, FILE__SETATTR);
2729 }
2730
2731 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2732                                   const void *value, size_t size, int flags)
2733 {
2734         struct inode *inode = dentry->d_inode;
2735         struct inode_security_struct *isec = inode->i_security;
2736         struct superblock_security_struct *sbsec;
2737         struct common_audit_data ad;
2738         u32 newsid, sid = current_sid();
2739         int rc = 0;
2740
2741         if (strcmp(name, XATTR_NAME_SELINUX))
2742                 return selinux_inode_setotherxattr(dentry, name);
2743
2744         sbsec = inode->i_sb->s_security;
2745         if (!(sbsec->flags & SE_SBLABELSUPP))
2746                 return -EOPNOTSUPP;
2747
2748         if (!inode_owner_or_capable(inode))
2749                 return -EPERM;
2750
2751         COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2752         ad.u.dentry = dentry;
2753
2754         rc = avc_has_perm(sid, isec->sid, isec->sclass,
2755                           FILE__RELABELFROM, &ad);
2756         if (rc)
2757                 return rc;
2758
2759         rc = security_context_to_sid(value, size, &newsid);
2760         if (rc == -EINVAL) {
2761                 if (!capable(CAP_MAC_ADMIN))
2762                         return rc;
2763                 rc = security_context_to_sid_force(value, size, &newsid);
2764         }
2765         if (rc)
2766                 return rc;
2767
2768         rc = avc_has_perm(sid, newsid, isec->sclass,
2769                           FILE__RELABELTO, &ad);
2770         if (rc)
2771                 return rc;
2772
2773         rc = security_validate_transition(isec->sid, newsid, sid,
2774                                           isec->sclass);
2775         if (rc)
2776                 return rc;
2777
2778         return avc_has_perm(newsid,
2779                             sbsec->sid,
2780                             SECCLASS_FILESYSTEM,
2781                             FILESYSTEM__ASSOCIATE,
2782                             &ad);
2783 }
2784
2785 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2786                                         const void *value, size_t size,
2787                                         int flags)
2788 {
2789         struct inode *inode = dentry->d_inode;
2790         struct inode_security_struct *isec = inode->i_security;
2791         u32 newsid;
2792         int rc;
2793
2794         if (strcmp(name, XATTR_NAME_SELINUX)) {
2795                 /* Not an attribute we recognize, so nothing to do. */
2796                 return;
2797         }
2798
2799         rc = security_context_to_sid_force(value, size, &newsid);
2800         if (rc) {
2801                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2802                        "for (%s, %lu), rc=%d\n",
2803                        inode->i_sb->s_id, inode->i_ino, -rc);
2804                 return;
2805         }
2806
2807         isec->sid = newsid;
2808         return;
2809 }
2810
2811 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2812 {
2813         const struct cred *cred = current_cred();
2814
2815         return dentry_has_perm(cred, dentry, FILE__GETATTR);
2816 }
2817
2818 static int selinux_inode_listxattr(struct dentry *dentry)
2819 {
2820         const struct cred *cred = current_cred();
2821
2822         return dentry_has_perm(cred, dentry, FILE__GETATTR);
2823 }
2824
2825 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2826 {
2827         if (strcmp(name, XATTR_NAME_SELINUX))
2828                 return selinux_inode_setotherxattr(dentry, name);
2829
2830         /* No one is allowed to remove a SELinux security label.
2831            You can change the label, but all data must be labeled. */
2832         return -EACCES;
2833 }
2834
2835 /*
2836  * Copy the inode security context value to the user.
2837  *
2838  * Permission check is handled by selinux_inode_getxattr hook.
2839  */
2840 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2841 {
2842         u32 size;
2843         int error;
2844         char *context = NULL;
2845         struct inode_security_struct *isec = inode->i_security;
2846
2847         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2848                 return -EOPNOTSUPP;
2849
2850         /*
2851          * If the caller has CAP_MAC_ADMIN, then get the raw context
2852          * value even if it is not defined by current policy; otherwise,
2853          * use the in-core value under current policy.
2854          * Use the non-auditing forms of the permission checks since
2855          * getxattr may be called by unprivileged processes commonly
2856          * and lack of permission just means that we fall back to the
2857          * in-core context value, not a denial.
2858          */
2859         error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
2860                                 SECURITY_CAP_NOAUDIT);
2861         if (!error)
2862                 error = security_sid_to_context_force(isec->sid, &context,
2863                                                       &size);
2864         else
2865                 error = security_sid_to_context(isec->sid, &context, &size);
2866         if (error)
2867                 return error;
2868         error = size;
2869         if (alloc) {
2870                 *buffer = context;
2871                 goto out_nofree;
2872         }
2873         kfree(context);
2874 out_nofree:
2875         return error;
2876 }
2877
2878 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2879                                      const void *value, size_t size, int flags)
2880 {
2881         struct inode_security_struct *isec = inode->i_security;
2882         u32 newsid;
2883         int rc;
2884
2885         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2886                 return -EOPNOTSUPP;
2887
2888         if (!value || !size)
2889                 return -EACCES;
2890
2891         rc = security_context_to_sid((void *)value, size, &newsid);
2892         if (rc)
2893                 return rc;
2894
2895         isec->sid = newsid;
2896         isec->initialized = 1;
2897         return 0;
2898 }
2899
2900 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2901 {
2902         const int len = sizeof(XATTR_NAME_SELINUX);
2903         if (buffer && len <= buffer_size)
2904                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2905         return len;
2906 }
2907
2908 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2909 {
2910         struct inode_security_struct *isec = inode->i_security;
2911         *secid = isec->sid;
2912 }
2913
2914 /* file security operations */
2915
2916 static int selinux_revalidate_file_permission(struct file *file, int mask)
2917 {
2918         const struct cred *cred = current_cred();
2919         struct inode *inode = file->f_path.dentry->d_inode;
2920
2921         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2922         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2923                 mask |= MAY_APPEND;
2924
2925         return file_has_perm(cred, file,
2926                              file_mask_to_av(inode->i_mode, mask));
2927 }
2928
2929 static int selinux_file_permission(struct file *file, int mask)
2930 {
2931         struct inode *inode = file->f_path.dentry->d_inode;
2932         struct file_security_struct *fsec = file->f_security;
2933         struct inode_security_struct *isec = inode->i_security;
2934         u32 sid = current_sid();
2935
2936         if (!mask)
2937                 /* No permission to check.  Existence test. */
2938                 return 0;
2939
2940         if (sid == fsec->sid && fsec->isid == isec->sid &&
2941             fsec->pseqno == avc_policy_seqno())
2942                 /* No change since dentry_open check. */
2943                 return 0;
2944
2945         return selinux_revalidate_file_permission(file, mask);
2946 }
2947
2948 static int selinux_file_alloc_security(struct file *file)
2949 {
2950         return file_alloc_security(file);
2951 }
2952
2953 static void selinux_file_free_security(struct file *file)
2954 {
2955         file_free_security(file);
2956 }
2957
2958 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2959                               unsigned long arg)
2960 {
2961         const struct cred *cred = current_cred();
2962         int error = 0;
2963
2964         switch (cmd) {
2965         case FIONREAD:
2966         /* fall through */
2967         case FIBMAP:
2968         /* fall through */
2969         case FIGETBSZ:
2970         /* fall through */
2971         case EXT2_IOC_GETFLAGS:
2972         /* fall through */
2973         case EXT2_IOC_GETVERSION:
2974                 error = file_has_perm(cred, file, FILE__GETATTR);
2975                 break;
2976
2977         case EXT2_IOC_SETFLAGS:
2978         /* fall through */
2979         case EXT2_IOC_SETVERSION:
2980                 error = file_has_perm(cred, file, FILE__SETATTR);
2981                 break;
2982
2983         /* sys_ioctl() checks */
2984         case FIONBIO:
2985         /* fall through */
2986         case FIOASYNC:
2987                 error = file_has_perm(cred, file, 0);
2988                 break;
2989
2990         case KDSKBENT:
2991         case KDSKBSENT:
2992                 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
2993                                             SECURITY_CAP_AUDIT);
2994                 break;
2995
2996         /* default case assumes that the command will go
2997          * to the file's ioctl() function.
2998          */
2999         default:
3000                 error = file_has_perm(cred, file, FILE__IOCTL);
3001         }
3002         return error;
3003 }
3004
3005 static int default_noexec;
3006
3007 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3008 {
3009         const struct cred *cred = current_cred();
3010         int rc = 0;
3011
3012         if (default_noexec &&
3013             (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3014                 /*
3015                  * We are making executable an anonymous mapping or a
3016                  * private file mapping that will also be writable.
3017                  * This has an additional check.
3018                  */
3019                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3020                 if (rc)
3021                         goto error;
3022         }
3023
3024         if (file) {
3025                 /* read access is always possible with a mapping */
3026                 u32 av = FILE__READ;
3027
3028                 /* write access only matters if the mapping is shared */
3029                 if (shared && (prot & PROT_WRITE))
3030                         av |= FILE__WRITE;
3031
3032                 if (prot & PROT_EXEC)
3033                         av |= FILE__EXECUTE;
3034
3035                 return file_has_perm(cred, file, av);
3036         }
3037
3038 error:
3039         return rc;
3040 }
3041
3042 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3043                              unsigned long prot, unsigned long flags,
3044                              unsigned long addr, unsigned long addr_only)
3045 {
3046         int rc = 0;
3047         u32 sid = current_sid();
3048
3049         /*
3050          * notice that we are intentionally putting the SELinux check before
3051          * the secondary cap_file_mmap check.  This is such a likely attempt
3052          * at bad behaviour/exploit that we always want to get the AVC, even
3053          * if DAC would have also denied the operation.
3054          */
3055         if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3056                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3057                                   MEMPROTECT__MMAP_ZERO, NULL);
3058                 if (rc)
3059                         return rc;
3060         }
3061
3062         /* do DAC check on address space usage */
3063         rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3064         if (rc || addr_only)
3065                 return rc;
3066
3067         if (selinux_checkreqprot)
3068                 prot = reqprot;
3069
3070         return file_map_prot_check(file, prot,
3071                                    (flags & MAP_TYPE) == MAP_SHARED);
3072 }
3073
3074 static int selinux_file_mprotect(struct vm_area_struct *vma,
3075                                  unsigned long reqprot,
3076                                  unsigned long prot)
3077 {
3078         const struct cred *cred = current_cred();
3079
3080         if (selinux_checkreqprot)
3081                 prot = reqprot;
3082
3083         if (default_noexec &&
3084             (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3085                 int rc = 0;
3086                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3087                     vma->vm_end <= vma->vm_mm->brk) {
3088                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3089                 } else if (!vma->vm_file &&
3090                            vma->vm_start <= vma->vm_mm->start_stack &&
3091                            vma->vm_end >= vma->vm_mm->start_stack) {
3092                         rc = current_has_perm(current, PROCESS__EXECSTACK);
3093                 } else if (vma->vm_file && vma->anon_vma) {
3094                         /*
3095                          * We are making executable a file mapping that has
3096                          * had some COW done. Since pages might have been
3097                          * written, check ability to execute the possibly
3098                          * modified content.  This typically should only
3099                          * occur for text relocations.
3100                          */
3101                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3102                 }
3103                 if (rc)
3104                         return rc;
3105         }
3106
3107         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3108 }
3109
3110 static int selinux_file_lock(struct file *file, unsigned int cmd)
3111 {
3112         const struct cred *cred = current_cred();
3113
3114         return file_has_perm(cred, file, FILE__LOCK);
3115 }
3116
3117 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3118                               unsigned long arg)
3119 {
3120         const struct cred *cred = current_cred();
3121         int err = 0;
3122
3123         switch (cmd) {
3124         case F_SETFL:
3125                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3126                         err = -EINVAL;
3127                         break;
3128                 }
3129
3130                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3131                         err = file_has_perm(cred, file, FILE__WRITE);
3132                         break;
3133                 }
3134                 /* fall through */
3135         case F_SETOWN:
3136         case F_SETSIG:
3137         case F_GETFL:
3138         case F_GETOWN:
3139         case F_GETSIG:
3140                 /* Just check FD__USE permission */
3141                 err = file_has_perm(cred, file, 0);
3142                 break;
3143         case F_GETLK:
3144         case F_SETLK:
3145         case F_SETLKW:
3146 #if BITS_PER_LONG == 32
3147         case F_GETLK64:
3148         case F_SETLK64:
3149         case F_SETLKW64:
3150 #endif
3151                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3152                         err = -EINVAL;
3153                         break;
3154                 }
3155                 err = file_has_perm(cred, file, FILE__LOCK);
3156                 break;
3157         }
3158
3159         return err;
3160 }
3161
3162 static int selinux_file_set_fowner(struct file *file)
3163 {
3164         struct file_security_struct *fsec;
3165
3166         fsec = file->f_security;
3167         fsec->fown_sid = current_sid();
3168
3169         return 0;
3170 }
3171
3172 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3173                                        struct fown_struct *fown, int signum)
3174 {
3175         struct file *file;
3176         u32 sid = task_sid(tsk);
3177         u32 perm;
3178         struct file_security_struct *fsec;
3179
3180         /* struct fown_struct is never outside the context of a struct file */
3181         file = container_of(fown, struct file, f_owner);
3182
3183         fsec = file->f_security;
3184
3185         if (!signum)
3186                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3187         else
3188                 perm = signal_to_av(signum);
3189
3190         return avc_has_perm(fsec->fown_sid, sid,
3191                             SECCLASS_PROCESS, perm, NULL);
3192 }
3193
3194 static int selinux_file_receive(struct file *file)
3195 {
3196         const struct cred *cred = current_cred();
3197
3198         return file_has_perm(cred, file, file_to_av(file));
3199 }
3200
3201 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3202 {
3203         struct file_security_struct *fsec;
3204         struct inode *inode;
3205         struct inode_security_struct *isec;
3206
3207         inode = file->f_path.dentry->d_inode;
3208         fsec = file->f_security;
3209         isec = inode->i_security;
3210         /*
3211          * Save inode label and policy sequence number
3212          * at open-time so that selinux_file_permission
3213          * can determine whether revalidation is necessary.
3214          * Task label is already saved in the file security
3215          * struct as its SID.
3216          */
3217         fsec->isid = isec->sid;
3218         fsec->pseqno = avc_policy_seqno();
3219         /*
3220          * Since the inode label or policy seqno may have changed
3221          * between the selinux_inode_permission check and the saving
3222          * of state above, recheck that access is still permitted.
3223          * Otherwise, access might never be revalidated against the
3224          * new inode label or new policy.
3225          * This check is not redundant - do not remove.
3226          */
3227         return inode_has_perm_noadp(cred, inode, open_file_to_av(file), 0);
3228 }
3229
3230 /* task security operations */
3231
3232 static int selinux_task_create(unsigned long clone_flags)
3233 {
3234         return current_has_perm(current, PROCESS__FORK);
3235 }
3236
3237 /*
3238  * allocate the SELinux part of blank credentials
3239  */
3240 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3241 {
3242         struct task_security_struct *tsec;
3243
3244         tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3245         if (!tsec)
3246                 return -ENOMEM;
3247
3248         cred->security = tsec;
3249         return 0;
3250 }
3251
3252 /*
3253  * detach and free the LSM part of a set of credentials
3254  */
3255 static void selinux_cred_free(struct cred *cred)
3256 {
3257         struct task_security_struct *tsec = cred->security;
3258
3259         /*
3260          * cred->security == NULL if security_cred_alloc_blank() or
3261          * security_prepare_creds() returned an error.
3262          */
3263         BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3264         cred->security = (void *) 0x7UL;
3265         kfree(tsec);
3266 }
3267
3268 /*
3269  * prepare a new set of credentials for modification
3270  */
3271 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3272                                 gfp_t gfp)
3273 {
3274         const struct task_security_struct *old_tsec;
3275         struct task_security_struct *tsec;
3276
3277         old_tsec = old->security;
3278
3279         tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3280         if (!tsec)
3281                 return -ENOMEM;
3282
3283         new->security = tsec;
3284         return 0;
3285 }
3286
3287 /*
3288  * transfer the SELinux data to a blank set of creds
3289  */
3290 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3291 {
3292         const struct task_security_struct *old_tsec = old->security;
3293         struct task_security_struct *tsec = new->security;
3294
3295         *tsec = *old_tsec;
3296 }
3297
3298 /*
3299  * set the security data for a kernel service
3300  * - all the creation contexts are set to unlabelled
3301  */
3302 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3303 {
3304         struct task_security_struct *tsec = new->security;
3305         u32 sid = current_sid();
3306         int ret;
3307
3308         ret = avc_has_perm(sid, secid,
3309                            SECCLASS_KERNEL_SERVICE,
3310                            KERNEL_SERVICE__USE_AS_OVERRIDE,
3311                            NULL);
3312         if (ret == 0) {
3313                 tsec->sid = secid;
3314                 tsec->create_sid = 0;
3315                 tsec->keycreate_sid = 0;
3316                 tsec->sockcreate_sid = 0;
3317         }
3318         return ret;
3319 }
3320
3321 /*
3322  * set the file creation context in a security record to the same as the
3323  * objective context of the specified inode
3324  */
3325 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3326 {
3327         struct inode_security_struct *isec = inode->i_security;
3328         struct task_security_struct *tsec = new->security;
3329         u32 sid = current_sid();
3330         int ret;
3331
3332         ret = avc_has_perm(sid, isec->sid,
3333                            SECCLASS_KERNEL_SERVICE,
3334                            KERNEL_SERVICE__CREATE_FILES_AS,
3335                            NULL);
3336
3337         if (ret == 0)
3338                 tsec->create_sid = isec->sid;
3339         return ret;
3340 }
3341
3342 static int selinux_kernel_module_request(char *kmod_name)
3343 {
3344         u32 sid;
3345         struct common_audit_data ad;
3346
3347         sid = task_sid(current);
3348
3349         COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3350         ad.u.kmod_name = kmod_name;
3351
3352         return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3353                             SYSTEM__MODULE_REQUEST, &ad);
3354 }
3355
3356 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3357 {
3358         return current_has_perm(p, PROCESS__SETPGID);
3359 }
3360
3361 static int selinux_task_getpgid(struct task_struct *p)
3362 {
3363         return current_has_perm(p, PROCESS__GETPGID);
3364 }
3365
3366 static int selinux_task_getsid(struct task_struct *p)
3367 {
3368         return current_has_perm(p, PROCESS__GETSESSION);
3369 }
3370
3371 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3372 {
3373         *secid = task_sid(p);
3374 }
3375
3376 static int selinux_task_setnice(struct task_struct *p, int nice)
3377 {
3378         int rc;
3379
3380         rc = cap_task_setnice(p, nice);
3381         if (rc)
3382                 return rc;
3383
3384         return current_has_perm(p, PROCESS__SETSCHED);
3385 }
3386
3387 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3388 {
3389         int rc;
3390
3391         rc = cap_task_setioprio(p, ioprio);
3392         if (rc)
3393                 return rc;
3394
3395         return current_has_perm(p, PROCESS__SETSCHED);
3396 }
3397
3398 static int selinux_task_getioprio(struct task_struct *p)
3399 {
3400         return current_has_perm(p, PROCESS__GETSCHED);
3401 }
3402
3403 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3404                 struct rlimit *new_rlim)
3405 {
3406         struct rlimit *old_rlim = p->signal->rlim + resource;
3407
3408         /* Control the ability to change the hard limit (whether
3409            lowering or raising it), so that the hard limit can
3410            later be used as a safe reset point for the soft limit
3411            upon context transitions.  See selinux_bprm_committing_creds. */
3412         if (old_rlim->rlim_max != new_rlim->rlim_max)
3413                 return current_has_perm(p, PROCESS__SETRLIMIT);
3414
3415         return 0;
3416 }
3417
3418 static int selinux_task_setscheduler(struct task_struct *p)
3419 {
3420         int rc;
3421
3422         rc = cap_task_setscheduler(p);
3423         if (rc)
3424                 return rc;
3425
3426         return current_has_perm(p, PROCESS__SETSCHED);
3427 }
3428
3429 static int selinux_task_getscheduler(struct task_struct *p)
3430 {
3431         return current_has_perm(p, PROCESS__GETSCHED);
3432 }
3433
3434 static int selinux_task_movememory(struct task_struct *p)
3435 {
3436         return current_has_perm(p, PROCESS__SETSCHED);
3437 }
3438
3439 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3440                                 int sig, u32 secid)
3441 {
3442         u32 perm;
3443         int rc;
3444
3445         if (!sig)
3446                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3447         else
3448                 perm = signal_to_av(sig);
3449         if (secid)
3450                 rc = avc_has_perm(secid, task_sid(p),
3451                                   SECCLASS_PROCESS, perm, NULL);
3452         else
3453                 rc = current_has_perm(p, perm);
3454         return rc;
3455 }
3456
3457 static int selinux_task_wait(struct task_struct *p)
3458 {
3459         return task_has_perm(p, current, PROCESS__SIGCHLD);
3460 }
3461
3462 static void selinux_task_to_inode(struct task_struct *p,
3463                                   struct inode *inode)
3464 {
3465         struct inode_security_struct *isec = inode->i_security;
3466         u32 sid = task_sid(p);
3467
3468         isec->sid = sid;
3469         isec->initialized = 1;
3470 }
3471
3472 /* Returns error only if unable to parse addresses */
3473 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3474                         struct common_audit_data *ad, u8 *proto)
3475 {
3476         int offset, ihlen, ret = -EINVAL;
3477         struct iphdr _iph, *ih;
3478
3479         offset = skb_network_offset(skb);
3480         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3481         if (ih == NULL)
3482                 goto out;
3483
3484         ihlen = ih->ihl * 4;
3485         if (ihlen < sizeof(_iph))
3486                 goto out;
3487
3488         ad->u.net.v4info.saddr = ih->saddr;
3489         ad->u.net.v4info.daddr = ih->daddr;
3490         ret = 0;
3491
3492         if (proto)
3493                 *proto = ih->protocol;
3494
3495         switch (ih->protocol) {
3496         case IPPROTO_TCP: {
3497                 struct tcphdr _tcph, *th;
3498
3499                 if (ntohs(ih->frag_off) & IP_OFFSET)
3500                         break;
3501
3502                 offset += ihlen;
3503                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3504                 if (th == NULL)
3505                         break;
3506
3507                 ad->u.net.sport = th->source;
3508                 ad->u.net.dport = th->dest;
3509                 break;
3510         }
3511
3512         case IPPROTO_UDP: {
3513                 struct udphdr _udph, *uh;
3514
3515                 if (ntohs(ih->frag_off) & IP_OFFSET)
3516                         break;
3517
3518                 offset += ihlen;
3519                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3520                 if (uh == NULL)
3521                         break;
3522
3523                 ad->u.net.sport = uh->source;
3524                 ad->u.net.dport = uh->dest;
3525                 break;
3526         }
3527
3528         case IPPROTO_DCCP: {
3529                 struct dccp_hdr _dccph, *dh;
3530
3531                 if (ntohs(ih->frag_off) & IP_OFFSET)
3532                         break;
3533
3534                 offset += ihlen;
3535                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3536                 if (dh == NULL)
3537                         break;
3538
3539                 ad->u.net.sport = dh->dccph_sport;
3540                 ad->u.net.dport = dh->dccph_dport;
3541                 break;
3542         }
3543
3544         default:
3545                 break;
3546         }
3547 out:
3548         return ret;
3549 }
3550
3551 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3552
3553 /* Returns error only if unable to parse addresses */
3554 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3555                         struct common_audit_data *ad, u8 *proto)
3556 {
3557         u8 nexthdr;
3558         int ret = -EINVAL, offset;
3559         struct ipv6hdr _ipv6h, *ip6;
3560
3561         offset = skb_network_offset(skb);
3562         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3563         if (ip6 == NULL)
3564                 goto out;
3565
3566         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3567         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3568         ret = 0;
3569
3570         nexthdr = ip6->nexthdr;
3571         offset += sizeof(_ipv6h);
3572         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3573         if (offset < 0)
3574                 goto out;
3575
3576         if (proto)
3577                 *proto = nexthdr;
3578
3579         switch (nexthdr) {
3580         case IPPROTO_TCP: {
3581                 struct tcphdr _tcph, *th;
3582
3583                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3584                 if (th == NULL)
3585                         break;
3586
3587                 ad->u.net.sport = th->source;
3588                 ad->u.net.dport = th->dest;
3589                 break;
3590         }
3591
3592         case IPPROTO_UDP: {
3593                 struct udphdr _udph, *uh;
3594
3595                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3596                 if (uh == NULL)
3597                         break;
3598
3599                 ad->u.net.sport = uh->source;
3600                 ad->u.net.dport = uh->dest;
3601                 break;
3602         }
3603
3604         case IPPROTO_DCCP: {
3605                 struct dccp_hdr _dccph, *dh;
3606
3607                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3608                 if (dh == NULL)
3609                         break;
3610
3611                 ad->u.net.sport = dh->dccph_sport;
3612                 ad->u.net.dport = dh->dccph_dport;
3613                 break;
3614         }
3615
3616         /* includes fragments */
3617         default:
3618                 break;
3619         }
3620 out:
3621         return ret;
3622 }
3623
3624 #endif /* IPV6 */
3625
3626 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3627                              char **_addrp, int src, u8 *proto)
3628 {
3629         char *addrp;
3630         int ret;
3631
3632         switch (ad->u.net.family) {
3633         case PF_INET:
3634                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3635                 if (ret)
3636                         goto parse_error;
3637                 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3638                                        &ad->u.net.v4info.daddr);
3639                 goto okay;
3640
3641 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3642         case PF_INET6:
3643                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3644                 if (ret)
3645                         goto parse_error;
3646                 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3647                                        &ad->u.net.v6info.daddr);
3648                 goto okay;
3649 #endif  /* IPV6 */
3650         default:
3651                 addrp = NULL;
3652                 goto okay;
3653         }
3654
3655 parse_error:
3656         printk(KERN_WARNING
3657                "SELinux: failure in selinux_parse_skb(),"
3658                " unable to parse packet\n");
3659         return ret;
3660
3661 okay:
3662         if (_addrp)
3663                 *_addrp = addrp;
3664         return 0;
3665 }
3666
3667 /**
3668  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3669  * @skb: the packet
3670  * @family: protocol family
3671  * @sid: the packet's peer label SID
3672  *
3673  * Description:
3674  * Check the various different forms of network peer labeling and determine
3675  * the peer label/SID for the packet; most of the magic actually occurs in
3676  * the security server function security_net_peersid_cmp().  The function
3677  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3678  * or -EACCES if @sid is invalid due to inconsistencies with the different
3679  * peer labels.
3680  *
3681  */
3682 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3683 {
3684         int err;
3685         u32 xfrm_sid;
3686         u32 nlbl_sid;
3687         u32 nlbl_type;
3688
3689         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3690         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3691
3692         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3693         if (unlikely(err)) {
3694                 printk(KERN_WARNING
3695                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3696                        " unable to determine packet's peer label\n");
3697                 return -EACCES;
3698         }
3699
3700         return 0;
3701 }
3702
3703 /* socket security operations */
3704
3705 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3706                                  u16 secclass, u32 *socksid)
3707 {
3708         if (tsec->sockcreate_sid > SECSID_NULL) {
3709                 *socksid = tsec->sockcreate_sid;
3710                 return 0;
3711         }
3712
3713         return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3714                                        socksid);
3715 }
3716
3717 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3718 {
3719         struct sk_security_struct *sksec = sk->sk_security;
3720         struct common_audit_data ad;
3721         u32 tsid = task_sid(task);
3722
3723         if (sksec->sid == SECINITSID_KERNEL)
3724                 return 0;
3725
3726         COMMON_AUDIT_DATA_INIT(&ad, NET);
3727         ad.u.net.sk = sk;
3728
3729         return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3730 }
3731
3732 static int selinux_socket_create(int family, int type,
3733                                  int protocol, int kern)
3734 {
3735         const struct task_security_struct *tsec = current_security();
3736         u32 newsid;
3737         u16 secclass;
3738         int rc;
3739
3740         if (kern)
3741                 return 0;
3742
3743         secclass = socket_type_to_security_class(family, type, protocol);
3744         rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3745         if (rc)
3746                 return rc;
3747
3748         return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3749 }
3750
3751 static int selinux_socket_post_create(struct socket *sock, int family,
3752                                       int type, int protocol, int kern)
3753 {
3754         const struct task_security_struct *tsec = current_security();
3755         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3756         struct sk_security_struct *sksec;
3757         int err = 0;
3758
3759         isec->sclass = socket_type_to_security_class(family, type, protocol);
3760
3761         if (kern)
3762                 isec->sid = SECINITSID_KERNEL;
3763         else {
3764                 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3765                 if (err)
3766                         return err;
3767         }
3768
3769         isec->initialized = 1;
3770
3771         if (sock->sk) {
3772                 sksec = sock->sk->sk_security;
3773                 sksec->sid = isec->sid;
3774                 sksec->sclass = isec->sclass;
3775                 err = selinux_netlbl_socket_post_create(sock->sk, family);
3776         }
3777
3778         return err;
3779 }
3780
3781 /* Range of port numbers used to automatically bind.
3782    Need to determine whether we should perform a name_bind
3783    permission check between the socket and the port number. */
3784
3785 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3786 {
3787         struct sock *sk = sock->sk;
3788         u16 family;
3789         int err;
3790
3791         err = sock_has_perm(current, sk, SOCKET__BIND);
3792         if (err)
3793                 goto out;
3794
3795         /*
3796          * If PF_INET or PF_INET6, check name_bind permission for the port.
3797          * Multiple address binding for SCTP is not supported yet: we just
3798          * check the first address now.
3799          */
3800         family = sk->sk_family;
3801         if (family == PF_INET || family == PF_INET6) {
3802                 char *addrp;
3803                 struct sk_security_struct *sksec = sk->sk_security;
3804                 struct common_audit_data ad;
3805                 struct sockaddr_in *addr4 = NULL;
3806                 struct sockaddr_in6 *addr6 = NULL;
3807                 unsigned short snum;
3808                 u32 sid, node_perm;
3809
3810                 if (family == PF_INET) {
3811                         addr4 = (struct sockaddr_in *)address;
3812                         snum = ntohs(addr4->sin_port);
3813                         addrp = (char *)&addr4->sin_addr.s_addr;
3814                 } else {
3815                         addr6 = (struct sockaddr_in6 *)address;
3816                         snum = ntohs(addr6->sin6_port);
3817                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3818                 }
3819
3820                 if (snum) {
3821                         int low, high;
3822
3823                         inet_get_local_port_range(&low, &high);
3824
3825                         if (snum < max(PROT_SOCK, low) || snum > high) {
3826                                 err = sel_netport_sid(sk->sk_protocol,
3827                                                       snum, &sid);
3828                                 if (err)
3829                                         goto out;
3830                                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3831                                 ad.u.net.sport = htons(snum);
3832                                 ad.u.net.family = family;
3833                                 err = avc_has_perm(sksec->sid, sid,
3834                                                    sksec->sclass,
3835                                                    SOCKET__NAME_BIND, &ad);
3836                                 if (err)
3837                                         goto out;
3838                         }
3839                 }
3840
3841                 switch (sksec->sclass) {
3842                 case SECCLASS_TCP_SOCKET:
3843                         node_perm = TCP_SOCKET__NODE_BIND;
3844                         break;
3845
3846                 case SECCLASS_UDP_SOCKET:
3847                         node_perm = UDP_SOCKET__NODE_BIND;
3848                         break;
3849
3850                 case SECCLASS_DCCP_SOCKET:
3851                         node_perm = DCCP_SOCKET__NODE_BIND;
3852                         break;
3853
3854                 default:
3855                         node_perm = RAWIP_SOCKET__NODE_BIND;
3856                         break;
3857                 }
3858
3859                 err = sel_netnode_sid(addrp, family, &sid);
3860                 if (err)
3861                         goto out;
3862
3863                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3864                 ad.u.net.sport = htons(snum);
3865                 ad.u.net.family = family;
3866
3867                 if (family == PF_INET)
3868                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3869                 else
3870                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3871
3872                 err = avc_has_perm(sksec->sid, sid,
3873                                    sksec->sclass, node_perm, &ad);
3874                 if (err)
3875                         goto out;
3876         }
3877 out:
3878         return err;
3879 }
3880
3881 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3882 {
3883         struct sock *sk = sock->sk;
3884         struct sk_security_struct *sksec = sk->sk_security;
3885         int err;
3886
3887         err = sock_has_perm(current, sk, SOCKET__CONNECT);
3888         if (err)
3889                 return err;
3890
3891         /*
3892          * If a TCP or DCCP socket, check name_connect permission for the port.
3893          */
3894         if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3895             sksec->sclass == SECCLASS_DCCP_SOCKET) {
3896                 struct common_audit_data ad;
3897                 struct sockaddr_in *addr4 = NULL;
3898                 struct sockaddr_in6 *addr6 = NULL;
3899                 unsigned short snum;
3900                 u32 sid, perm;
3901
3902                 if (sk->sk_family == PF_INET) {
3903                         addr4 = (struct sockaddr_in *)address;
3904                         if (addrlen < sizeof(struct sockaddr_in))
3905                                 return -EINVAL;
3906                         snum = ntohs(addr4->sin_port);
3907                 } else {
3908                         addr6 = (struct sockaddr_in6 *)address;
3909                         if (addrlen < SIN6_LEN_RFC2133)
3910                                 return -EINVAL;
3911                         snum = ntohs(addr6->sin6_port);
3912                 }
3913
3914                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3915                 if (err)
3916                         goto out;
3917
3918                 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3919                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3920
3921                 COMMON_AUDIT_DATA_INIT(&ad, NET);
3922                 ad.u.net.dport = htons(snum);
3923                 ad.u.net.family = sk->sk_family;
3924                 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3925                 if (err)
3926                         goto out;
3927         }
3928
3929         err = selinux_netlbl_socket_connect(sk, address);
3930
3931 out:
3932         return err;
3933 }
3934
3935 static int selinux_socket_listen(struct socket *sock, int backlog)
3936 {
3937         return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3938 }
3939
3940 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3941 {
3942         int err;
3943         struct inode_security_struct *isec;
3944         struct inode_security_struct *newisec;
3945
3946         err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
3947         if (err)
3948                 return err;
3949
3950         newisec = SOCK_INODE(newsock)->i_security;
3951
3952         isec = SOCK_INODE(sock)->i_security;
3953         newisec->sclass = isec->sclass;
3954         newisec->sid = isec->sid;
3955         newisec->initialized = 1;
3956
3957         return 0;
3958 }
3959
3960 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3961                                   int size)
3962 {
3963         return sock_has_perm(current, sock->sk, SOCKET__WRITE);
3964 }
3965
3966 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3967                                   int size, int flags)
3968 {
3969         return sock_has_perm(current, sock->sk, SOCKET__READ);
3970 }
3971
3972 static int selinux_socket_getsockname(struct socket *sock)
3973 {
3974         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3975 }
3976
3977 static int selinux_socket_getpeername(struct socket *sock)
3978 {
3979         return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3980 }
3981
3982 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3983 {
3984         int err;
3985
3986         err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
3987         if (err)
3988                 return err;
3989
3990         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3991 }
3992
3993 static int selinux_socket_getsockopt(struct socket *sock, int level,
3994                                      int optname)
3995 {
3996         return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
3997 }
3998
3999 static int selinux_socket_shutdown(struct socket *sock, int how)
4000 {
4001         return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4002 }
4003
4004 static int selinux_socket_unix_stream_connect(struct sock *sock,
4005                                               struct sock *other,
4006                                               struct sock *newsk)
4007 {
4008         struct sk_security_struct *sksec_sock = sock->sk_security;
4009         struct sk_security_struct *sksec_other = other->sk_security;
4010         struct sk_security_struct *sksec_new = newsk->sk_security;
4011         struct common_audit_data ad;
4012         int err;
4013
4014         COMMON_AUDIT_DATA_INIT(&ad, NET);
4015         ad.u.net.sk = other;
4016
4017         err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4018                            sksec_other->sclass,
4019                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4020         if (err)
4021                 return err;
4022
4023         /* server child socket */
4024         sksec_new->peer_sid = sksec_sock->sid;
4025         err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4026                                     &sksec_new->sid);
4027         if (err)
4028                 return err;
4029
4030         /* connecting socket */
4031         sksec_sock->peer_sid = sksec_new->sid;
4032
4033         return 0;
4034 }
4035
4036 static int selinux_socket_unix_may_send(struct socket *sock,
4037                                         struct socket *other)
4038 {
4039         struct sk_security_struct *ssec = sock->sk->sk_security;
4040         struct sk_security_struct *osec = other->sk->sk_security;
4041         struct common_audit_data ad;
4042
4043         COMMON_AUDIT_DATA_INIT(&ad, NET);
4044         ad.u.net.sk = other->sk;
4045
4046         return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4047                             &ad);
4048 }
4049
4050 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4051                                     u32 peer_sid,
4052                                     struct common_audit_data *ad)
4053 {
4054         int err;
4055         u32 if_sid;
4056         u32 node_sid;
4057
4058         err = sel_netif_sid(ifindex, &if_sid);
4059         if (err)
4060                 return err;
4061         err = avc_has_perm(peer_sid, if_sid,
4062                            SECCLASS_NETIF, NETIF__INGRESS, ad);
4063         if (err)
4064                 return err;
4065
4066         err = sel_netnode_sid(addrp, family, &node_sid);
4067         if (err)
4068                 return err;
4069         return avc_has_perm(peer_sid, node_sid,
4070                             SECCLASS_NODE, NODE__RECVFROM, ad);
4071 }
4072
4073 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4074                                        u16 family)
4075 {
4076         int err = 0;
4077         struct sk_security_struct *sksec = sk->sk_security;
4078         u32 sk_sid = sksec->sid;
4079         struct common_audit_data ad;
4080         char *addrp;
4081
4082         COMMON_AUDIT_DATA_INIT(&ad, NET);
4083         ad.u.net.netif = skb->skb_iif;
4084         ad.u.net.family = family;
4085         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4086         if (err)
4087                 return err;
4088
4089         if (selinux_secmark_enabled()) {
4090                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4091                                    PACKET__RECV, &ad);
4092                 if (err)
4093                         return err;
4094         }
4095
4096         err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4097         if (err)
4098                 return err;
4099         err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4100
4101         return err;
4102 }
4103
4104 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4105 {
4106         int err;
4107         struct sk_security_struct *sksec = sk->sk_security;
4108         u16 family = sk->sk_family;
4109         u32 sk_sid = sksec->sid;
4110         struct common_audit_data ad;
4111         char *addrp;
4112         u8 secmark_active;
4113         u8 peerlbl_active;
4114
4115         if (family != PF_INET && family != PF_INET6)
4116                 return 0;
4117
4118         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4119         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4120                 family = PF_INET;
4121
4122         /* If any sort of compatibility mode is enabled then handoff processing
4123          * to the selinux_sock_rcv_skb_compat() function to deal with the
4124          * special handling.  We do this in an attempt to keep this function
4125          * as fast and as clean as possible. */
4126         if (!selinux_policycap_netpeer)
4127                 return selinux_sock_rcv_skb_compat(sk, skb, family);
4128
4129         secmark_active = selinux_secmark_enabled();
4130         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4131         if (!secmark_active && !peerlbl_active)
4132                 return 0;
4133
4134         COMMON_AUDIT_DATA_INIT(&ad, NET);
4135         ad.u.net.netif = skb->skb_iif;
4136         ad.u.net.family = family;
4137         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4138         if (err)
4139                 return err;
4140
4141         if (peerlbl_active) {
4142                 u32 peer_sid;
4143
4144                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4145                 if (err)
4146                         return err;
4147                 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4148                                                peer_sid, &ad);
4149                 if (err) {
4150                         selinux_netlbl_err(skb, err, 0);
4151                         return err;
4152                 }
4153                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4154                                    PEER__RECV, &ad);
4155                 if (err)
4156                         selinux_netlbl_err(skb, err, 0);
4157         }
4158
4159         if (secmark_active) {
4160                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4161                                    PACKET__RECV, &ad);
4162                 if (err)
4163                         return err;
4164         }
4165
4166         return err;
4167 }
4168
4169 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4170                                             int __user *optlen, unsigned len)
4171 {
4172         int err = 0;
4173         char *scontext;
4174         u32 scontext_len;
4175         struct sk_security_struct *sksec = sock->sk->sk_security;
4176         u32 peer_sid = SECSID_NULL;
4177
4178         if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4179             sksec->sclass == SECCLASS_TCP_SOCKET)
4180                 peer_sid = sksec->peer_sid;
4181         if (peer_sid == SECSID_NULL)
4182                 return -ENOPROTOOPT;
4183
4184         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4185         if (err)
4186                 return err;
4187
4188         if (scontext_len > len) {
4189                 err = -ERANGE;
4190                 goto out_len;
4191         }
4192
4193         if (copy_to_user(optval, scontext, scontext_len))
4194                 err = -EFAULT;
4195
4196 out_len:
4197         if (put_user(scontext_len, optlen))
4198                 err = -EFAULT;
4199         kfree(scontext);
4200         return err;
4201 }
4202
4203 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4204 {
4205         u32 peer_secid = SECSID_NULL;
4206         u16 family;
4207
4208         if (skb && skb->protocol == htons(ETH_P_IP))
4209                 family = PF_INET;
4210         else if (skb && skb->protocol == htons(ETH_P_IPV6))
4211                 family = PF_INET6;
4212         else if (sock)
4213                 family = sock->sk->sk_family;
4214         else
4215                 goto out;
4216
4217         if (sock && family == PF_UNIX)
4218                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4219         else if (skb)
4220                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4221
4222 out:
4223         *secid = peer_secid;
4224         if (peer_secid == SECSID_NULL)
4225                 return -EINVAL;
4226         return 0;
4227 }
4228
4229 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4230 {
4231         struct sk_security_struct *sksec;
4232
4233         sksec = kzalloc(sizeof(*sksec), priority);
4234         if (!sksec)
4235                 return -ENOMEM;
4236
4237         sksec->peer_sid = SECINITSID_UNLABELED;
4238         sksec->sid = SECINITSID_UNLABELED;
4239         selinux_netlbl_sk_security_reset(sksec);
4240         sk->sk_security = sksec;
4241
4242         return 0;
4243 }
4244
4245 static void selinux_sk_free_security(struct sock *sk)
4246 {
4247         struct sk_security_struct *sksec = sk->sk_security;
4248
4249         sk->sk_security = NULL;
4250         selinux_netlbl_sk_security_free(sksec);
4251         kfree(sksec);
4252 }
4253
4254 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4255 {
4256         struct sk_security_struct *sksec = sk->sk_security;
4257         struct sk_security_struct *newsksec = newsk->sk_security;
4258
4259         newsksec->sid = sksec->sid;
4260         newsksec->peer_sid = sksec->peer_sid;
4261         newsksec->sclass = sksec->sclass;
4262
4263         selinux_netlbl_sk_security_reset(newsksec);
4264 }
4265
4266 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4267 {
4268         if (!sk)
4269                 *secid = SECINITSID_ANY_SOCKET;
4270         else {
4271                 struct sk_security_struct *sksec = sk->sk_security;
4272
4273                 *secid = sksec->sid;
4274         }
4275 }
4276
4277 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4278 {
4279         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4280         struct sk_security_struct *sksec = sk->sk_security;
4281
4282         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4283             sk->sk_family == PF_UNIX)
4284                 isec->sid = sksec->sid;
4285         sksec->sclass = isec->sclass;
4286 }
4287
4288 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4289                                      struct request_sock *req)
4290 {
4291         struct sk_security_struct *sksec = sk->sk_security;
4292         int err;
4293         u16 family = sk->sk_family;
4294         u32 newsid;
4295         u32 peersid;
4296
4297         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4298         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4299                 family = PF_INET;
4300
4301         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4302         if (err)
4303                 return err;
4304         if (peersid == SECSID_NULL) {
4305                 req->secid = sksec->sid;
4306                 req->peer_secid = SECSID_NULL;
4307         } else {
4308                 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4309                 if (err)
4310                         return err;
4311                 req->secid = newsid;
4312                 req->peer_secid = peersid;
4313         }
4314
4315         return selinux_netlbl_inet_conn_request(req, family);
4316 }
4317
4318 static void selinux_inet_csk_clone(struct sock *newsk,
4319                                    const struct request_sock *req)
4320 {
4321         struct sk_security_struct *newsksec = newsk->sk_security;
4322
4323         newsksec->sid = req->secid;
4324         newsksec->peer_sid = req->peer_secid;
4325         /* NOTE: Ideally, we should also get the isec->sid for the
4326            new socket in sync, but we don't have the isec available yet.
4327            So we will wait until sock_graft to do it, by which
4328            time it will have been created and available. */
4329
4330         /* We don't need to take any sort of lock here as we are the only
4331          * thread with access to newsksec */
4332         selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4333 }
4334
4335 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4336 {
4337         u16 family = sk->sk_family;
4338         struct sk_security_struct *sksec = sk->sk_security;
4339
4340         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4341         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4342                 family = PF_INET;
4343
4344         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4345 }
4346
4347 static int selinux_secmark_relabel_packet(u32 sid)
4348 {
4349         const struct task_security_struct *__tsec;
4350         u32 tsid;
4351
4352         __tsec = current_security();
4353         tsid = __tsec->sid;
4354
4355         return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4356 }
4357
4358 static void selinux_secmark_refcount_inc(void)
4359 {
4360         atomic_inc(&selinux_secmark_refcount);
4361 }
4362
4363 static void selinux_secmark_refcount_dec(void)
4364 {
4365         atomic_dec(&selinux_secmark_refcount);
4366 }
4367
4368 static void selinux_req_classify_flow(const struct request_sock *req,
4369                                       struct flowi *fl)
4370 {
4371         fl->flowi_secid = req->secid;
4372 }
4373
4374 static int selinux_tun_dev_create(void)
4375 {
4376         u32 sid = current_sid();
4377
4378         /* we aren't taking into account the "sockcreate" SID since the socket
4379          * that is being created here is not a socket in the traditional sense,
4380          * instead it is a private sock, accessible only to the kernel, and
4381          * representing a wide range of network traffic spanning multiple
4382          * connections unlike traditional sockets - check the TUN driver to
4383          * get a better understanding of why this socket is special */
4384
4385         return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4386                             NULL);
4387 }
4388
4389 static void selinux_tun_dev_post_create(struct sock *sk)
4390 {
4391         struct sk_security_struct *sksec = sk->sk_security;
4392
4393         /* we don't currently perform any NetLabel based labeling here and it
4394          * isn't clear that we would want to do so anyway; while we could apply
4395          * labeling without the support of the TUN user the resulting labeled
4396          * traffic from the other end of the connection would almost certainly
4397          * cause confusion to the TUN user that had no idea network labeling
4398          * protocols were being used */
4399
4400         /* see the comments in selinux_tun_dev_create() about why we don't use
4401          * the sockcreate SID here */
4402
4403         sksec->sid = current_sid();
4404         sksec->sclass = SECCLASS_TUN_SOCKET;
4405 }
4406
4407 static int selinux_tun_dev_attach(struct sock *sk)
4408 {
4409         struct sk_security_struct *sksec = sk->sk_security;
4410         u32 sid = current_sid();
4411         int err;
4412
4413         err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4414                            TUN_SOCKET__RELABELFROM, NULL);
4415         if (err)
4416                 return err;
4417         err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4418                            TUN_SOCKET__RELABELTO, NULL);
4419         if (err)
4420                 return err;
4421
4422         sksec->sid = sid;
4423
4424         return 0;
4425 }
4426
4427 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4428 {
4429         int err = 0;
4430         u32 perm;
4431         struct nlmsghdr *nlh;
4432         struct sk_security_struct *sksec = sk->sk_security;
4433
4434         if (skb->len < NLMSG_SPACE(0)) {
4435                 err = -EINVAL;
4436                 goto out;
4437         }
4438         nlh = nlmsg_hdr(skb);
4439
4440         err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4441         if (err) {
4442                 if (err == -EINVAL) {
4443                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4444                                   "SELinux:  unrecognized netlink message"
4445                                   " type=%hu for sclass=%hu\n",
4446                                   nlh->nlmsg_type, sksec->sclass);
4447                         if (!selinux_enforcing || security_get_allow_unknown())
4448                                 err = 0;
4449                 }
4450
4451                 /* Ignore */
4452                 if (err == -ENOENT)
4453                         err = 0;
4454                 goto out;
4455         }
4456
4457         err = sock_has_perm(current, sk, perm);
4458 out:
4459         return err;
4460 }
4461
4462 #ifdef CONFIG_NETFILTER
4463
4464 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4465                                        u16 family)
4466 {
4467         int err;
4468         char *addrp;
4469         u32 peer_sid;
4470         struct common_audit_data ad;
4471         u8 secmark_active;
4472         u8 netlbl_active;
4473         u8 peerlbl_active;
4474
4475         if (!selinux_policycap_netpeer)
4476                 return NF_ACCEPT;
4477
4478         secmark_active = selinux_secmark_enabled();
4479         netlbl_active = netlbl_enabled();
4480         peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4481         if (!secmark_active && !peerlbl_active)
4482                 return NF_ACCEPT;
4483
4484         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4485                 return NF_DROP;
4486
4487         COMMON_AUDIT_DATA_INIT(&ad, NET);
4488         ad.u.net.netif = ifindex;
4489         ad.u.net.family = family;
4490         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4491                 return NF_DROP;
4492
4493         if (peerlbl_active) {
4494                 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4495                                                peer_sid, &ad);
4496                 if (err) {
4497                         selinux_netlbl_err(skb, err, 1);
4498                         return NF_DROP;
4499                 }
4500         }
4501
4502         if (secmark_active)
4503                 if (avc_has_perm(peer_sid, skb->secmark,
4504                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4505                         return NF_DROP;
4506
4507         if (netlbl_active)
4508                 /* we do this in the FORWARD path and not the POST_ROUTING
4509                  * path because we want to make sure we apply the necessary
4510                  * labeling before IPsec is applied so we can leverage AH
4511                  * protection */
4512                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4513                         return NF_DROP;
4514
4515         return NF_ACCEPT;
4516 }
4517
4518 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4519                                          struct sk_buff *skb,
4520                                          const struct net_device *in,
4521                                          const struct net_device *out,
4522                                          int (*okfn)(struct sk_buff *))
4523 {
4524         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4525 }
4526
4527 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4528 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4529                                          struct sk_buff *skb,
4530                                          const struct net_device *in,
4531                                          const struct net_device *out,
4532                                          int (*okfn)(struct sk_buff *))
4533 {
4534         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4535 }
4536 #endif  /* IPV6 */
4537
4538 static unsigned int selinux_ip_output(struct sk_buff *skb,
4539                                       u16 family)
4540 {
4541         u32 sid;
4542
4543         if (!netlbl_enabled())
4544                 return NF_ACCEPT;
4545
4546         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4547          * because we want to make sure we apply the necessary labeling
4548          * before IPsec is applied so we can leverage AH protection */
4549         if (skb->sk) {
4550                 struct sk_security_struct *sksec = skb->sk->sk_security;
4551                 sid = sksec->sid;
4552         } else
4553                 sid = SECINITSID_KERNEL;
4554         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4555                 return NF_DROP;
4556
4557         return NF_ACCEPT;
4558 }
4559
4560 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4561                                         struct sk_buff *skb,
4562                                         const struct net_device *in,
4563                                         const struct net_device *out,
4564                                         int (*okfn)(struct sk_buff *))
4565 {
4566         return selinux_ip_output(skb, PF_INET);
4567 }
4568
4569 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4570                                                 int ifindex,
4571                                                 u16 family)
4572 {
4573         struct sock *sk = skb->sk;
4574         struct sk_security_struct *sksec;
4575         struct common_audit_data ad;
4576         char *addrp;
4577         u8 proto;
4578
4579         if (sk == NULL)
4580                 return NF_ACCEPT;
4581         sksec = sk->sk_security;
4582
4583         COMMON_AUDIT_DATA_INIT(&ad, NET);
4584         ad.u.net.netif = ifindex;
4585         ad.u.net.family = family;
4586         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4587                 return NF_DROP;
4588
4589         if (selinux_secmark_enabled())
4590                 if (avc_has_perm(sksec->sid, skb->secmark,
4591                                  SECCLASS_PACKET, PACKET__SEND, &ad))
4592                         return NF_DROP_ERR(-ECONNREFUSED);
4593
4594         if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4595                 return NF_DROP_ERR(-ECONNREFUSED);
4596
4597         return NF_ACCEPT;
4598 }
4599
4600 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4601                                          u16 family)
4602 {
4603         u32 secmark_perm;
4604         u32 peer_sid;
4605         struct sock *sk;
4606         struct common_audit_data ad;
4607         char *addrp;
4608         u8 secmark_active;
4609         u8 peerlbl_active;
4610
4611         /* If any sort of compatibility mode is enabled then handoff processing
4612          * to the selinux_ip_postroute_compat() function to deal with the
4613          * special handling.  We do this in an attempt to keep this function
4614          * as fast and as clean as possible. */
4615         if (!selinux_policycap_netpeer)
4616                 return selinux_ip_postroute_compat(skb, ifindex, family);
4617 #ifdef CONFIG_XFRM
4618         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4619          * packet transformation so allow the packet to pass without any checks
4620          * since we'll have another chance to perform access control checks
4621          * when the packet is on it's final way out.
4622          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4623          *       is NULL, in this case go ahead and apply access control. */
4624         if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4625                 return NF_ACCEPT;
4626 #endif
4627         secmark_active = selinux_secmark_enabled();
4628         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4629         if (!secmark_active && !peerlbl_active)
4630                 return NF_ACCEPT;
4631
4632         /* if the packet is being forwarded then get the peer label from the
4633          * packet itself; otherwise check to see if it is from a local
4634          * application or the kernel, if from an application get the peer label
4635          * from the sending socket, otherwise use the kernel's sid */
4636         sk = skb->sk;
4637         if (sk == NULL) {
4638                 if (skb->skb_iif) {
4639                         secmark_perm = PACKET__FORWARD_OUT;
4640                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4641                                 return NF_DROP;
4642                 } else {
4643                         secmark_perm = PACKET__SEND;
4644                         peer_sid = SECINITSID_KERNEL;
4645                 }
4646         } else {
4647                 struct sk_security_struct *sksec = sk->sk_security;
4648                 peer_sid = sksec->sid;
4649                 secmark_perm = PACKET__SEND;
4650         }
4651
4652         COMMON_AUDIT_DATA_INIT(&ad, NET);
4653         ad.u.net.netif = ifindex;
4654         ad.u.net.family = family;
4655         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4656                 return NF_DROP;
4657
4658         if (secmark_active)
4659                 if (avc_has_perm(peer_sid, skb->secmark,
4660                                  SECCLASS_PACKET, secmark_perm, &ad))
4661                         return NF_DROP_ERR(-ECONNREFUSED);
4662
4663         if (peerlbl_active) {
4664                 u32 if_sid;
4665                 u32 node_sid;
4666
4667                 if (sel_netif_sid(ifindex, &if_sid))
4668                         return NF_DROP;
4669                 if (avc_has_perm(peer_sid, if_sid,
4670                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4671                         return NF_DROP_ERR(-ECONNREFUSED);
4672
4673                 if (sel_netnode_sid(addrp, family, &node_sid))
4674                         return NF_DROP;
4675                 if (avc_has_perm(peer_sid, node_sid,
4676                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4677                         return NF_DROP_ERR(-ECONNREFUSED);
4678         }
4679
4680         return NF_ACCEPT;
4681 }
4682
4683 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4684                                            struct sk_buff *skb,
4685                                            const struct net_device *in,
4686                                            const struct net_device *out,
4687                                            int (*okfn)(struct sk_buff *))
4688 {
4689         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4690 }
4691
4692 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4693 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4694                                            struct sk_buff *skb,
4695                                            const struct net_device *in,
4696                                            const struct net_device *out,
4697                                            int (*okfn)(struct sk_buff *))
4698 {
4699         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4700 }
4701 #endif  /* IPV6 */
4702
4703 #endif  /* CONFIG_NETFILTER */
4704
4705 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4706 {
4707         int err;
4708
4709         err = cap_netlink_send(sk, skb);
4710         if (err)
4711                 return err;
4712
4713         return selinux_nlmsg_perm(sk, skb);
4714 }
4715
4716 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4717 {
4718         int err;
4719         struct common_audit_data ad;
4720         u32 sid;
4721
4722         err = cap_netlink_recv(skb, capability);
4723         if (err)
4724                 return err;
4725
4726         COMMON_AUDIT_DATA_INIT(&ad, CAP);
4727         ad.u.cap = capability;
4728
4729         security_task_getsecid(current, &sid);
4730         return avc_has_perm(sid, sid, SECCLASS_CAPABILITY,
4731                             CAP_TO_MASK(capability), &ad);
4732 }
4733
4734 static int ipc_alloc_security(struct task_struct *task,
4735                               struct kern_ipc_perm *perm,
4736                               u16 sclass)
4737 {
4738         struct ipc_security_struct *isec;
4739         u32 sid;
4740
4741         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4742         if (!isec)
4743                 return -ENOMEM;
4744
4745         sid = task_sid(task);
4746         isec->sclass = sclass;
4747         isec->sid = sid;
4748         perm->security = isec;
4749
4750         return 0;
4751 }
4752
4753 static void ipc_free_security(struct kern_ipc_perm *perm)
4754 {
4755         struct ipc_security_struct *isec = perm->security;
4756         perm->security = NULL;
4757         kfree(isec);
4758 }
4759
4760 static int msg_msg_alloc_security(struct msg_msg *msg)
4761 {
4762         struct msg_security_struct *msec;
4763
4764         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4765         if (!msec)
4766                 return -ENOMEM;
4767
4768         msec->sid = SECINITSID_UNLABELED;
4769         msg->security = msec;
4770
4771         return 0;
4772 }
4773
4774 static void msg_msg_free_security(struct msg_msg *msg)
4775 {
4776         struct msg_security_struct *msec = msg->security;
4777
4778         msg->security = NULL;
4779         kfree(msec);
4780 }
4781
4782 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4783                         u32 perms)
4784 {
4785         struct ipc_security_struct *isec;
4786         struct common_audit_data ad;
4787         u32 sid = current_sid();
4788
4789         isec = ipc_perms->security;
4790
4791         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4792         ad.u.ipc_id = ipc_perms->key;
4793
4794         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4795 }
4796
4797 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4798 {
4799         return msg_msg_alloc_security(msg);
4800 }
4801
4802 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4803 {
4804         msg_msg_free_security(msg);
4805 }
4806
4807 /* message queue security operations */
4808 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4809 {
4810         struct ipc_security_struct *isec;
4811         struct common_audit_data ad;
4812         u32 sid = current_sid();
4813         int rc;
4814
4815         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4816         if (rc)
4817                 return rc;
4818
4819         isec = msq->q_perm.security;
4820
4821         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4822         ad.u.ipc_id = msq->q_perm.key;
4823
4824         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4825                           MSGQ__CREATE, &ad);
4826         if (rc) {
4827                 ipc_free_security(&msq->q_perm);
4828                 return rc;
4829         }
4830         return 0;
4831 }
4832
4833 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4834 {
4835         ipc_free_security(&msq->q_perm);
4836 }
4837
4838 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4839 {
4840         struct ipc_security_struct *isec;
4841         struct common_audit_data ad;
4842         u32 sid = current_sid();
4843
4844         isec = msq->q_perm.security;
4845
4846         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4847         ad.u.ipc_id = msq->q_perm.key;
4848
4849         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4850                             MSGQ__ASSOCIATE, &ad);
4851 }
4852
4853 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4854 {
4855         int err;
4856         int perms;
4857
4858         switch (cmd) {
4859         case IPC_INFO:
4860         case MSG_INFO:
4861                 /* No specific object, just general system-wide information. */
4862                 return task_has_system(current, SYSTEM__IPC_INFO);
4863         case IPC_STAT:
4864         case MSG_STAT:
4865                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4866                 break;
4867         case IPC_SET:
4868                 perms = MSGQ__SETATTR;
4869                 break;
4870         case IPC_RMID:
4871                 perms = MSGQ__DESTROY;
4872                 break;
4873         default:
4874                 return 0;
4875         }
4876
4877         err = ipc_has_perm(&msq->q_perm, perms);
4878         return err;
4879 }
4880
4881 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4882 {
4883         struct ipc_security_struct *isec;
4884         struct msg_security_struct *msec;
4885         struct common_audit_data ad;
4886         u32 sid = current_sid();
4887         int rc;
4888
4889         isec = msq->q_perm.security;
4890         msec = msg->security;
4891
4892         /*
4893          * First time through, need to assign label to the message
4894          */
4895         if (msec->sid == SECINITSID_UNLABELED) {
4896                 /*
4897                  * Compute new sid based on current process and
4898                  * message queue this message will be stored in
4899                  */
4900                 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4901                                              NULL, &msec->sid);
4902                 if (rc)
4903                         return rc;
4904         }
4905
4906         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4907         ad.u.ipc_id = msq->q_perm.key;
4908
4909         /* Can this process write to the queue? */
4910         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4911                           MSGQ__WRITE, &ad);
4912         if (!rc)
4913                 /* Can this process send the message */
4914                 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4915                                   MSG__SEND, &ad);
4916         if (!rc)
4917                 /* Can the message be put in the queue? */
4918                 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4919                                   MSGQ__ENQUEUE, &ad);
4920
4921         return rc;
4922 }
4923
4924 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4925                                     struct task_struct *target,
4926                                     long type, int mode)
4927 {
4928         struct ipc_security_struct *isec;
4929         struct msg_security_struct *msec;
4930         struct common_audit_data ad;
4931         u32 sid = task_sid(target);
4932         int rc;
4933
4934         isec = msq->q_perm.security;
4935         msec = msg->security;
4936
4937         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4938         ad.u.ipc_id = msq->q_perm.key;
4939
4940         rc = avc_has_perm(sid, isec->sid,
4941                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4942         if (!rc)
4943                 rc = avc_has_perm(sid, msec->sid,
4944                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4945         return rc;
4946 }
4947
4948 /* Shared Memory security operations */
4949 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4950 {
4951         struct ipc_security_struct *isec;
4952         struct common_audit_data ad;
4953         u32 sid = current_sid();
4954         int rc;
4955
4956         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4957         if (rc)
4958                 return rc;
4959
4960         isec = shp->shm_perm.security;
4961
4962         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4963         ad.u.ipc_id = shp->shm_perm.key;
4964
4965         rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4966                           SHM__CREATE, &ad);
4967         if (rc) {
4968                 ipc_free_security(&shp->shm_perm);
4969                 return rc;
4970         }
4971         return 0;
4972 }
4973
4974 static void selinux_shm_free_security(struct shmid_kernel *shp)
4975 {
4976         ipc_free_security(&shp->shm_perm);
4977 }
4978
4979 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4980 {
4981         struct ipc_security_struct *isec;
4982         struct common_audit_data ad;
4983         u32 sid = current_sid();
4984
4985         isec = shp->shm_perm.security;
4986
4987         COMMON_AUDIT_DATA_INIT(&ad, IPC);
4988         ad.u.ipc_id = shp->shm_perm.key;
4989
4990         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4991                             SHM__ASSOCIATE, &ad);
4992 }
4993
4994 /* Note, at this point, shp is locked down */
4995 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4996 {
4997         int perms;
4998         int err;
4999
5000         switch (cmd) {
5001         case IPC_INFO:
5002         case SHM_INFO:
5003                 /* No specific object, just general system-wide information. */
5004                 return task_has_system(current, SYSTEM__IPC_INFO);
5005         case IPC_STAT:
5006         case SHM_STAT:
5007                 perms = SHM__GETATTR | SHM__ASSOCIATE;
5008                 break;
5009         case IPC_SET:
5010                 perms = SHM__SETATTR;
5011                 break;
5012         case SHM_LOCK:
5013         case SHM_UNLOCK:
5014                 perms = SHM__LOCK;
5015                 break;
5016         case IPC_RMID:
5017                 perms = SHM__DESTROY;
5018                 break;
5019         default:
5020                 return 0;
5021         }
5022
5023         err = ipc_has_perm(&shp->shm_perm, perms);
5024         return err;
5025 }
5026
5027 static int selinux_shm_shmat(struct shmid_kernel *shp,
5028                              char __user *shmaddr, int shmflg)
5029 {
5030         u32 perms;
5031
5032         if (shmflg & SHM_RDONLY)
5033                 perms = SHM__READ;
5034         else
5035                 perms = SHM__READ | SHM__WRITE;
5036
5037         return ipc_has_perm(&shp->shm_perm, perms);
5038 }
5039
5040 /* Semaphore security operations */
5041 static int selinux_sem_alloc_security(struct sem_array *sma)
5042 {
5043         struct ipc_security_struct *isec;
5044         struct common_audit_data ad;
5045         u32 sid = current_sid();
5046         int rc;
5047
5048         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5049         if (rc)
5050                 return rc;
5051
5052         isec = sma->sem_perm.security;
5053
5054         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5055         ad.u.ipc_id = sma->sem_perm.key;
5056
5057         rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5058                           SEM__CREATE, &ad);
5059         if (rc) {
5060                 ipc_free_security(&sma->sem_perm);
5061                 return rc;
5062         }
5063         return 0;
5064 }
5065
5066 static void selinux_sem_free_security(struct sem_array *sma)
5067 {
5068         ipc_free_security(&sma->sem_perm);
5069 }
5070
5071 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5072 {
5073         struct ipc_security_struct *isec;
5074         struct common_audit_data ad;
5075         u32 sid = current_sid();
5076
5077         isec = sma->sem_perm.security;
5078
5079         COMMON_AUDIT_DATA_INIT(&ad, IPC);
5080         ad.u.ipc_id = sma->sem_perm.key;
5081
5082         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5083                             SEM__ASSOCIATE, &ad);
5084 }
5085
5086 /* Note, at this point, sma is locked down */
5087 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5088 {
5089         int err;
5090         u32 perms;
5091
5092         switch (cmd) {
5093         case IPC_INFO:
5094         case SEM_INFO:
5095                 /* No specific object, just general system-wide information. */
5096                 return task_has_system(current, SYSTEM__IPC_INFO);
5097         case GETPID:
5098         case GETNCNT:
5099         case GETZCNT:
5100                 perms = SEM__GETATTR;
5101                 break;
5102         case GETVAL:
5103         case GETALL:
5104                 perms = SEM__READ;
5105                 break;
5106         case SETVAL:
5107         case SETALL:
5108                 perms = SEM__WRITE;
5109                 break;
5110         case IPC_RMID:
5111                 perms = SEM__DESTROY;
5112                 break;
5113         case IPC_SET:
5114                 perms = SEM__SETATTR;
5115                 break;
5116         case IPC_STAT:
5117         case SEM_STAT:
5118                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5119                 break;
5120         default:
5121                 return 0;
5122         }
5123
5124         err = ipc_has_perm(&sma->sem_perm, perms);
5125         return err;
5126 }
5127
5128 static int selinux_sem_semop(struct sem_array *sma,
5129                              struct sembuf *sops, unsigned nsops, int alter)
5130 {
5131         u32 perms;
5132
5133         if (alter)
5134                 perms = SEM__READ | SEM__WRITE;
5135         else
5136                 perms = SEM__READ;
5137
5138         return ipc_has_perm(&sma->sem_perm, perms);
5139 }
5140
5141 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5142 {
5143         u32 av = 0;
5144
5145         av = 0;
5146         if (flag & S_IRUGO)
5147                 av |= IPC__UNIX_READ;
5148         if (flag & S_IWUGO)
5149                 av |= IPC__UNIX_WRITE;
5150
5151         if (av == 0)
5152                 return 0;
5153
5154         return ipc_has_perm(ipcp, av);
5155 }
5156
5157 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5158 {
5159         struct ipc_security_struct *isec = ipcp->security;
5160         *secid = isec->sid;
5161 }
5162
5163 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5164 {
5165         if (inode)
5166                 inode_doinit_with_dentry(inode, dentry);
5167 }
5168
5169 static int selinux_getprocattr(struct task_struct *p,
5170                                char *name, char **value)
5171 {
5172         const struct task_security_struct *__tsec;
5173         u32 sid;
5174         int error;
5175         unsigned len;
5176
5177         if (current != p) {
5178                 error = current_has_perm(p, PROCESS__GETATTR);
5179                 if (error)
5180                         return error;
5181         }
5182
5183         rcu_read_lock();
5184         __tsec = __task_cred(p)->security;
5185
5186         if (!strcmp(name, "current"))
5187                 sid = __tsec->sid;
5188         else if (!strcmp(name, "prev"))
5189                 sid = __tsec->osid;
5190         else if (!strcmp(name, "exec"))
5191                 sid = __tsec->exec_sid;
5192         else if (!strcmp(name, "fscreate"))
5193                 sid = __tsec->create_sid;
5194         else if (!strcmp(name, "keycreate"))
5195                 sid = __tsec->keycreate_sid;
5196         else if (!strcmp(name, "sockcreate"))
5197                 sid = __tsec->sockcreate_sid;
5198         else
5199                 goto invalid;
5200         rcu_read_unlock();
5201
5202         if (!sid)
5203                 return 0;
5204
5205         error = security_sid_to_context(sid, value, &len);
5206         if (error)
5207                 return error;
5208         return len;
5209
5210 invalid:
5211         rcu_read_unlock();
5212         return -EINVAL;
5213 }
5214
5215 static int selinux_setprocattr(struct task_struct *p,
5216                                char *name, void *value, size_t size)
5217 {
5218         struct task_security_struct *tsec;
5219         struct task_struct *tracer;
5220         struct cred *new;
5221         u32 sid = 0, ptsid;
5222         int error;
5223         char *str = value;
5224
5225         if (current != p) {
5226                 /* SELinux only allows a process to change its own
5227                    security attributes. */
5228                 return -EACCES;
5229         }
5230
5231         /*
5232          * Basic control over ability to set these attributes at all.
5233          * current == p, but we'll pass them separately in case the
5234          * above restriction is ever removed.
5235          */
5236         if (!strcmp(name, "exec"))
5237                 error = current_has_perm(p, PROCESS__SETEXEC);
5238         else if (!strcmp(name, "fscreate"))
5239                 error = current_has_perm(p, PROCESS__SETFSCREATE);
5240         else if (!strcmp(name, "keycreate"))
5241                 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5242         else if (!strcmp(name, "sockcreate"))
5243                 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5244         else if (!strcmp(name, "current"))
5245                 error = current_has_perm(p, PROCESS__SETCURRENT);
5246         else
5247                 error = -EINVAL;
5248         if (error)
5249                 return error;
5250
5251         /* Obtain a SID for the context, if one was specified. */
5252         if (size && str[1] && str[1] != '\n') {
5253                 if (str[size-1] == '\n') {
5254                         str[size-1] = 0;
5255                         size--;
5256                 }
5257                 error = security_context_to_sid(value, size, &sid);
5258                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5259                         if (!capable(CAP_MAC_ADMIN))
5260                                 return error;
5261                         error = security_context_to_sid_force(value, size,
5262                                                               &sid);
5263                 }
5264                 if (error)
5265                         return error;
5266         }
5267
5268         new = prepare_creds();
5269         if (!new)
5270                 return -ENOMEM;
5271
5272         /* Permission checking based on the specified context is
5273            performed during the actual operation (execve,
5274            open/mkdir/...), when we know the full context of the
5275            operation.  See selinux_bprm_set_creds for the execve
5276            checks and may_create for the file creation checks. The
5277            operation will then fail if the context is not permitted. */
5278         tsec = new->security;
5279         if (!strcmp(name, "exec")) {
5280                 tsec->exec_sid = sid;
5281         } else if (!strcmp(name, "fscreate")) {
5282                 tsec->create_sid = sid;
5283         } else if (!strcmp(name, "keycreate")) {
5284                 error = may_create_key(sid, p);
5285                 if (error)
5286                         goto abort_change;
5287                 tsec->keycreate_sid = sid;
5288         } else if (!strcmp(name, "sockcreate")) {
5289                 tsec->sockcreate_sid = sid;
5290         } else if (!strcmp(name, "current")) {
5291                 error = -EINVAL;
5292                 if (sid == 0)
5293                         goto abort_change;
5294
5295                 /* Only allow single threaded processes to change context */
5296                 error = -EPERM;
5297                 if (!current_is_single_threaded()) {
5298                         error = security_bounded_transition(tsec->sid, sid);
5299                         if (error)
5300                                 goto abort_change;
5301                 }
5302
5303                 /* Check permissions for the transition. */
5304                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5305                                      PROCESS__DYNTRANSITION, NULL);
5306                 if (error)
5307                         goto abort_change;
5308
5309                 /* Check for ptracing, and update the task SID if ok.
5310                    Otherwise, leave SID unchanged and fail. */
5311                 ptsid = 0;
5312                 task_lock(p);
5313                 tracer = ptrace_parent(p);
5314                 if (tracer)
5315                         ptsid = task_sid(tracer);
5316                 task_unlock(p);
5317
5318                 if (tracer) {
5319                         error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5320                                              PROCESS__PTRACE, NULL);
5321                         if (error)
5322                                 goto abort_change;
5323                 }
5324
5325                 tsec->sid = sid;
5326         } else {
5327                 error = -EINVAL;
5328                 goto abort_change;
5329         }
5330
5331         commit_creds(new);
5332         return size;
5333
5334 abort_change:
5335         abort_creds(new);
5336         return error;
5337 }
5338
5339 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5340 {
5341         return security_sid_to_context(secid, secdata, seclen);
5342 }
5343
5344 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5345 {
5346         return security_context_to_sid(secdata, seclen, secid);
5347 }
5348
5349 static void selinux_release_secctx(char *secdata, u32 seclen)
5350 {
5351         kfree(secdata);
5352 }
5353
5354 /*
5355  *      called with inode->i_mutex locked
5356  */
5357 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5358 {
5359         return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5360 }
5361
5362 /*
5363  *      called with inode->i_mutex locked
5364  */
5365 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5366 {
5367         return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5368 }
5369
5370 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5371 {
5372         int len = 0;
5373         len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5374                                                 ctx, true);
5375         if (len < 0)
5376                 return len;
5377         *ctxlen = len;
5378         return 0;
5379 }
5380 #ifdef CONFIG_KEYS
5381
5382 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5383                              unsigned long flags)
5384 {
5385         const struct task_security_struct *tsec;
5386         struct key_security_struct *ksec;
5387
5388         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5389         if (!ksec)
5390                 return -ENOMEM;
5391
5392         tsec = cred->security;
5393         if (tsec->keycreate_sid)
5394                 ksec->sid = tsec->keycreate_sid;
5395         else
5396                 ksec->sid = tsec->sid;
5397
5398         k->security = ksec;
5399         return 0;
5400 }
5401
5402 static void selinux_key_free(struct key *k)
5403 {
5404         struct key_security_struct *ksec = k->security;
5405
5406         k->security = NULL;
5407         kfree(ksec);
5408 }
5409
5410 static int selinux_key_permission(key_ref_t key_ref,
5411                                   const struct cred *cred,
5412                                   key_perm_t perm)
5413 {
5414         struct key *key;
5415         struct key_security_struct *ksec;
5416         u32 sid;
5417
5418         /* if no specific permissions are requested, we skip the
5419            permission check. No serious, additional covert channels
5420            appear to be created. */
5421         if (perm == 0)
5422                 return 0;
5423
5424         sid = cred_sid(cred);
5425
5426         key = key_ref_to_ptr(key_ref);
5427         ksec = key->security;
5428
5429         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5430 }
5431
5432 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5433 {
5434         struct key_security_struct *ksec = key->security;
5435         char *context = NULL;
5436         unsigned len;
5437         int rc;
5438
5439         rc = security_sid_to_context(ksec->sid, &context, &len);
5440         if (!rc)
5441                 rc = len;
5442         *_buffer = context;
5443         return rc;
5444 }
5445
5446 #endif
5447
5448 static struct security_operations selinux_ops = {
5449         .name =                         "selinux",
5450
5451         .ptrace_access_check =          selinux_ptrace_access_check,
5452         .ptrace_traceme =               selinux_ptrace_traceme,
5453         .capget =                       selinux_capget,
5454         .capset =                       selinux_capset,
5455         .capable =                      selinux_capable,
5456         .quotactl =                     selinux_quotactl,
5457         .quota_on =                     selinux_quota_on,
5458         .syslog =                       selinux_syslog,
5459         .vm_enough_memory =             selinux_vm_enough_memory,
5460
5461         .netlink_send =                 selinux_netlink_send,
5462         .netlink_recv =                 selinux_netlink_recv,
5463
5464         .bprm_set_creds =               selinux_bprm_set_creds,
5465         .bprm_committing_creds =        selinux_bprm_committing_creds,
5466         .bprm_committed_creds =         selinux_bprm_committed_creds,
5467         .bprm_secureexec =              selinux_bprm_secureexec,
5468
5469         .sb_alloc_security =            selinux_sb_alloc_security,
5470         .sb_free_security =             selinux_sb_free_security,
5471         .sb_copy_data =                 selinux_sb_copy_data,
5472         .sb_remount =                   selinux_sb_remount,
5473         .sb_kern_mount =                selinux_sb_kern_mount,
5474         .sb_show_options =              selinux_sb_show_options,
5475         .sb_statfs =                    selinux_sb_statfs,
5476         .sb_mount =                     selinux_mount,
5477         .sb_umount =                    selinux_umount,
5478         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5479         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5480         .sb_parse_opts_str =            selinux_parse_opts_str,
5481
5482
5483         .inode_alloc_security =         selinux_inode_alloc_security,
5484         .inode_free_security =          selinux_inode_free_security,
5485         .inode_init_security =          selinux_inode_init_security,
5486         .inode_create =                 selinux_inode_create,
5487         .inode_link =                   selinux_inode_link,
5488         .inode_unlink =                 selinux_inode_unlink,
5489         .inode_symlink =                selinux_inode_symlink,
5490         .inode_mkdir =                  selinux_inode_mkdir,
5491         .inode_rmdir =                  selinux_inode_rmdir,
5492         .inode_mknod =                  selinux_inode_mknod,
5493         .inode_rename =                 selinux_inode_rename,
5494         .inode_readlink =               selinux_inode_readlink,
5495         .inode_follow_link =            selinux_inode_follow_link,
5496         .inode_permission =             selinux_inode_permission,
5497         .inode_setattr =                selinux_inode_setattr,
5498         .inode_getattr =                selinux_inode_getattr,
5499         .inode_setxattr =               selinux_inode_setxattr,
5500         .inode_post_setxattr =          selinux_inode_post_setxattr,
5501         .inode_getxattr =               selinux_inode_getxattr,
5502         .inode_listxattr =              selinux_inode_listxattr,
5503         .inode_removexattr =            selinux_inode_removexattr,
5504         .inode_getsecurity =            selinux_inode_getsecurity,
5505         .inode_setsecurity =            selinux_inode_setsecurity,
5506         .inode_listsecurity =           selinux_inode_listsecurity,
5507         .inode_getsecid =               selinux_inode_getsecid,
5508
5509         .file_permission =              selinux_file_permission,
5510         .file_alloc_security =          selinux_file_alloc_security,
5511         .file_free_security =           selinux_file_free_security,
5512         .file_ioctl =                   selinux_file_ioctl,
5513         .file_mmap =                    selinux_file_mmap,
5514         .file_mprotect =                selinux_file_mprotect,
5515         .file_lock =                    selinux_file_lock,
5516         .file_fcntl =                   selinux_file_fcntl,
5517         .file_set_fowner =              selinux_file_set_fowner,
5518         .file_send_sigiotask =          selinux_file_send_sigiotask,
5519         .file_receive =                 selinux_file_receive,
5520
5521         .dentry_open =                  selinux_dentry_open,
5522
5523         .task_create =                  selinux_task_create,
5524         .cred_alloc_blank =             selinux_cred_alloc_blank,
5525         .cred_free =                    selinux_cred_free,
5526         .cred_prepare =                 selinux_cred_prepare,
5527         .cred_transfer =                selinux_cred_transfer,
5528         .kernel_act_as =                selinux_kernel_act_as,
5529         .kernel_create_files_as =       selinux_kernel_create_files_as,
5530         .kernel_module_request =        selinux_kernel_module_request,
5531         .task_setpgid =                 selinux_task_setpgid,
5532         .task_getpgid =                 selinux_task_getpgid,
5533         .task_getsid =                  selinux_task_getsid,
5534         .task_getsecid =                selinux_task_getsecid,
5535         .task_setnice =                 selinux_task_setnice,
5536         .task_setioprio =               selinux_task_setioprio,
5537         .task_getioprio =               selinux_task_getioprio,
5538         .task_setrlimit =               selinux_task_setrlimit,
5539         .task_setscheduler =            selinux_task_setscheduler,
5540         .task_getscheduler =            selinux_task_getscheduler,
5541         .task_movememory =              selinux_task_movememory,
5542         .task_kill =                    selinux_task_kill,
5543         .task_wait =                    selinux_task_wait,
5544         .task_to_inode =                selinux_task_to_inode,
5545
5546         .ipc_permission =               selinux_ipc_permission,
5547         .ipc_getsecid =                 selinux_ipc_getsecid,
5548
5549         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5550         .msg_msg_free_security =        selinux_msg_msg_free_security,
5551
5552         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5553         .msg_queue_free_security =      selinux_msg_queue_free_security,
5554         .msg_queue_associate =          selinux_msg_queue_associate,
5555         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5556         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5557         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5558
5559         .shm_alloc_security =           selinux_shm_alloc_security,
5560         .shm_free_security =            selinux_shm_free_security,
5561         .shm_associate =                selinux_shm_associate,
5562         .shm_shmctl =                   selinux_shm_shmctl,
5563         .shm_shmat =                    selinux_shm_shmat,
5564
5565         .sem_alloc_security =           selinux_sem_alloc_security,
5566         .sem_free_security =            selinux_sem_free_security,
5567         .sem_associate =                selinux_sem_associate,
5568         .sem_semctl =                   selinux_sem_semctl,
5569         .sem_semop =                    selinux_sem_semop,
5570
5571         .d_instantiate =                selinux_d_instantiate,
5572
5573         .getprocattr =                  selinux_getprocattr,
5574         .setprocattr =                  selinux_setprocattr,
5575
5576         .secid_to_secctx =              selinux_secid_to_secctx,
5577         .secctx_to_secid =              selinux_secctx_to_secid,
5578         .release_secctx =               selinux_release_secctx,
5579         .inode_notifysecctx =           selinux_inode_notifysecctx,
5580         .inode_setsecctx =              selinux_inode_setsecctx,
5581         .inode_getsecctx =              selinux_inode_getsecctx,
5582
5583         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5584         .unix_may_send =                selinux_socket_unix_may_send,
5585
5586         .socket_create =                selinux_socket_create,
5587         .socket_post_create =           selinux_socket_post_create,
5588         .socket_bind =                  selinux_socket_bind,
5589         .socket_connect =               selinux_socket_connect,
5590         .socket_listen =                selinux_socket_listen,
5591         .socket_accept =                selinux_socket_accept,
5592         .socket_sendmsg =               selinux_socket_sendmsg,
5593         .socket_recvmsg =               selinux_socket_recvmsg,
5594         .socket_getsockname =           selinux_socket_getsockname,
5595         .socket_getpeername =           selinux_socket_getpeername,
5596         .socket_getsockopt =            selinux_socket_getsockopt,
5597         .socket_setsockopt =            selinux_socket_setsockopt,
5598         .socket_shutdown =              selinux_socket_shutdown,
5599         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5600         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5601         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5602         .sk_alloc_security =            selinux_sk_alloc_security,
5603         .sk_free_security =             selinux_sk_free_security,
5604         .sk_clone_security =            selinux_sk_clone_security,
5605         .sk_getsecid =                  selinux_sk_getsecid,
5606         .sock_graft =                   selinux_sock_graft,
5607         .inet_conn_request =            selinux_inet_conn_request,
5608         .inet_csk_clone =               selinux_inet_csk_clone,
5609         .inet_conn_established =        selinux_inet_conn_established,
5610         .secmark_relabel_packet =       selinux_secmark_relabel_packet,
5611         .secmark_refcount_inc =         selinux_secmark_refcount_inc,
5612         .secmark_refcount_dec =         selinux_secmark_refcount_dec,
5613         .req_classify_flow =            selinux_req_classify_flow,
5614         .tun_dev_create =               selinux_tun_dev_create,
5615         .tun_dev_post_create =          selinux_tun_dev_post_create,
5616         .tun_dev_attach =               selinux_tun_dev_attach,
5617
5618 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5619         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5620         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5621         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5622         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5623         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5624         .xfrm_state_free_security =     selinux_xfrm_state_free,
5625         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5626         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5627         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5628         .xfrm_decode_session =          selinux_xfrm_decode_session,
5629 #endif
5630
5631 #ifdef CONFIG_KEYS
5632         .key_alloc =                    selinux_key_alloc,
5633         .key_free =                     selinux_key_free,
5634         .key_permission =               selinux_key_permission,
5635         .key_getsecurity =              selinux_key_getsecurity,
5636 #endif
5637
5638 #ifdef CONFIG_AUDIT
5639         .audit_rule_init =              selinux_audit_rule_init,
5640         .audit_rule_known =             selinux_audit_rule_known,
5641         .audit_rule_match =             selinux_audit_rule_match,
5642         .audit_rule_free =              selinux_audit_rule_free,
5643 #endif
5644 };
5645
5646 static __init int selinux_init(void)
5647 {
5648         if (!security_module_enable(&selinux_ops)) {
5649                 selinux_enabled = 0;
5650                 return 0;
5651         }
5652
5653         if (!selinux_enabled) {
5654                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5655                 return 0;
5656         }
5657
5658         printk(KERN_INFO "SELinux:  Initializing.\n");
5659
5660         /* Set the security state for the initial task. */
5661         cred_init_security();
5662
5663         default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5664
5665         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5666                                             sizeof(struct inode_security_struct),
5667                                             0, SLAB_PANIC, NULL);
5668         avc_init();
5669
5670         if (register_security(&selinux_ops))
5671                 panic("SELinux: Unable to register with kernel.\n");
5672
5673         if (selinux_enforcing)
5674                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5675         else
5676                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5677
5678         return 0;
5679 }
5680
5681 static void delayed_superblock_init(struct super_block *sb, void *unused)
5682 {
5683         superblock_doinit(sb, NULL);
5684 }
5685
5686 void selinux_complete_init(void)
5687 {
5688         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5689
5690         /* Set up any superblocks initialized prior to the policy load. */
5691         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5692         iterate_supers(delayed_superblock_init, NULL);
5693 }
5694
5695 /* SELinux requires early initialization in order to label
5696    all processes and objects when they are created. */
5697 security_initcall(selinux_init);
5698
5699 #if defined(CONFIG_NETFILTER)
5700
5701 static struct nf_hook_ops selinux_ipv4_ops[] = {
5702         {
5703                 .hook =         selinux_ipv4_postroute,
5704                 .owner =        THIS_MODULE,
5705                 .pf =           PF_INET,
5706                 .hooknum =      NF_INET_POST_ROUTING,
5707                 .priority =     NF_IP_PRI_SELINUX_LAST,
5708         },
5709         {
5710                 .hook =         selinux_ipv4_forward,
5711                 .owner =        THIS_MODULE,
5712                 .pf =           PF_INET,
5713                 .hooknum =      NF_INET_FORWARD,
5714                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5715         },
5716         {
5717                 .hook =         selinux_ipv4_output,
5718                 .owner =        THIS_MODULE,
5719                 .pf =           PF_INET,
5720                 .hooknum =      NF_INET_LOCAL_OUT,
5721                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5722         }
5723 };
5724
5725 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5726
5727 static struct nf_hook_ops selinux_ipv6_ops[] = {
5728         {
5729                 .hook =         selinux_ipv6_postroute,
5730                 .owner =        THIS_MODULE,
5731                 .pf =           PF_INET6,
5732                 .hooknum =      NF_INET_POST_ROUTING,
5733                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5734         },
5735         {
5736                 .hook =         selinux_ipv6_forward,
5737                 .owner =        THIS_MODULE,
5738                 .pf =           PF_INET6,
5739                 .hooknum =      NF_INET_FORWARD,
5740                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5741         }
5742 };
5743
5744 #endif  /* IPV6 */
5745
5746 static int __init selinux_nf_ip_init(void)
5747 {
5748         int err = 0;
5749
5750         if (!selinux_enabled)
5751                 goto out;
5752
5753         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5754
5755         err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5756         if (err)
5757                 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5758
5759 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5760         err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5761         if (err)
5762                 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5763 #endif  /* IPV6 */
5764
5765 out:
5766         return err;
5767 }
5768
5769 __initcall(selinux_nf_ip_init);
5770
5771 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5772 static void selinux_nf_ip_exit(void)
5773 {
5774         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5775
5776         nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5777 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5778         nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5779 #endif  /* IPV6 */
5780 }
5781 #endif
5782
5783 #else /* CONFIG_NETFILTER */
5784
5785 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5786 #define selinux_nf_ip_exit()
5787 #endif
5788
5789 #endif /* CONFIG_NETFILTER */
5790
5791 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5792 static int selinux_disabled;
5793
5794 int selinux_disable(void)
5795 {
5796         if (ss_initialized) {
5797                 /* Not permitted after initial policy load. */
5798                 return -EINVAL;
5799         }
5800
5801         if (selinux_disabled) {
5802                 /* Only do this once. */
5803                 return -EINVAL;
5804         }
5805
5806         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5807
5808         selinux_disabled = 1;
5809         selinux_enabled = 0;
5810
5811         reset_security_ops();
5812
5813         /* Try to destroy the avc node cache */
5814         avc_disable();
5815
5816         /* Unregister netfilter hooks. */
5817         selinux_nf_ip_exit();
5818
5819         /* Unregister selinuxfs. */
5820         exit_sel_fs();
5821
5822         return 0;
5823 }
5824 #endif