SELinux: open perm for sock files
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
17  *              Paul Moore <paul.moore@hp.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kernel.h>
28 #include <linux/tracehook.h>
29 #include <linux/errno.h>
30 #include <linux/sched.h>
31 #include <linux/security.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/swap.h>
40 #include <linux/spinlock.h>
41 #include <linux/syscalls.h>
42 #include <linux/file.h>
43 #include <linux/fdtable.h>
44 #include <linux/namei.h>
45 #include <linux/mount.h>
46 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <linux/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h>    /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h>           /* for Unix socket types */
67 #include <net/af_unix.h>        /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78 #include <linux/posix-timers.h>
79
80 #include "avc.h"
81 #include "objsec.h"
82 #include "netif.h"
83 #include "netnode.h"
84 #include "netport.h"
85 #include "xfrm.h"
86 #include "netlabel.h"
87 #include "audit.h"
88
89 #define XATTR_SELINUX_SUFFIX "selinux"
90 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
91
92 #define NUM_SEL_MNT_OPTS 5
93
94 extern unsigned int policydb_loaded_version;
95 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
96 extern int selinux_compat_net;
97 extern struct security_operations *security_ops;
98
99 /* SECMARK reference count */
100 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
101
102 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
103 int selinux_enforcing;
104
105 static int __init enforcing_setup(char *str)
106 {
107         unsigned long enforcing;
108         if (!strict_strtoul(str, 0, &enforcing))
109                 selinux_enforcing = enforcing ? 1 : 0;
110         return 1;
111 }
112 __setup("enforcing=", enforcing_setup);
113 #endif
114
115 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
116 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
117
118 static int __init selinux_enabled_setup(char *str)
119 {
120         unsigned long enabled;
121         if (!strict_strtoul(str, 0, &enabled))
122                 selinux_enabled = enabled ? 1 : 0;
123         return 1;
124 }
125 __setup("selinux=", selinux_enabled_setup);
126 #else
127 int selinux_enabled = 1;
128 #endif
129
130
131 /*
132  * Minimal support for a secondary security module,
133  * just to allow the use of the capability module.
134  */
135 static struct security_operations *secondary_ops;
136
137 /* Lists of inode and superblock security structures initialized
138    before the policy was loaded. */
139 static LIST_HEAD(superblock_security_head);
140 static DEFINE_SPINLOCK(sb_security_lock);
141
142 static struct kmem_cache *sel_inode_cache;
143
144 /**
145  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
146  *
147  * Description:
148  * This function checks the SECMARK reference counter to see if any SECMARK
149  * targets are currently configured, if the reference counter is greater than
150  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
151  * enabled, false (0) if SECMARK is disabled.
152  *
153  */
154 static int selinux_secmark_enabled(void)
155 {
156         return (atomic_read(&selinux_secmark_refcount) > 0);
157 }
158
159 /*
160  * initialise the security for the init task
161  */
162 static void cred_init_security(void)
163 {
164         struct cred *cred = (struct cred *) current->real_cred;
165         struct task_security_struct *tsec;
166
167         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
168         if (!tsec)
169                 panic("SELinux:  Failed to initialize initial task.\n");
170
171         tsec->osid = tsec->sid = SECINITSID_KERNEL;
172         cred->security = tsec;
173 }
174
175 /*
176  * get the security ID of a set of credentials
177  */
178 static inline u32 cred_sid(const struct cred *cred)
179 {
180         const struct task_security_struct *tsec;
181
182         tsec = cred->security;
183         return tsec->sid;
184 }
185
186 /*
187  * get the objective security ID of a task
188  */
189 static inline u32 task_sid(const struct task_struct *task)
190 {
191         u32 sid;
192
193         rcu_read_lock();
194         sid = cred_sid(__task_cred(task));
195         rcu_read_unlock();
196         return sid;
197 }
198
199 /*
200  * get the subjective security ID of the current task
201  */
202 static inline u32 current_sid(void)
203 {
204         const struct task_security_struct *tsec = current_cred()->security;
205
206         return tsec->sid;
207 }
208
209 /* Allocate and free functions for each kind of security blob. */
210
211 static int inode_alloc_security(struct inode *inode)
212 {
213         struct inode_security_struct *isec;
214         u32 sid = current_sid();
215
216         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
217         if (!isec)
218                 return -ENOMEM;
219
220         mutex_init(&isec->lock);
221         INIT_LIST_HEAD(&isec->list);
222         isec->inode = inode;
223         isec->sid = SECINITSID_UNLABELED;
224         isec->sclass = SECCLASS_FILE;
225         isec->task_sid = sid;
226         inode->i_security = isec;
227
228         return 0;
229 }
230
231 static void inode_free_security(struct inode *inode)
232 {
233         struct inode_security_struct *isec = inode->i_security;
234         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
235
236         spin_lock(&sbsec->isec_lock);
237         if (!list_empty(&isec->list))
238                 list_del_init(&isec->list);
239         spin_unlock(&sbsec->isec_lock);
240
241         inode->i_security = NULL;
242         kmem_cache_free(sel_inode_cache, isec);
243 }
244
245 static int file_alloc_security(struct file *file)
246 {
247         struct file_security_struct *fsec;
248         u32 sid = current_sid();
249
250         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
251         if (!fsec)
252                 return -ENOMEM;
253
254         fsec->sid = sid;
255         fsec->fown_sid = sid;
256         file->f_security = fsec;
257
258         return 0;
259 }
260
261 static void file_free_security(struct file *file)
262 {
263         struct file_security_struct *fsec = file->f_security;
264         file->f_security = NULL;
265         kfree(fsec);
266 }
267
268 static int superblock_alloc_security(struct super_block *sb)
269 {
270         struct superblock_security_struct *sbsec;
271
272         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
273         if (!sbsec)
274                 return -ENOMEM;
275
276         mutex_init(&sbsec->lock);
277         INIT_LIST_HEAD(&sbsec->list);
278         INIT_LIST_HEAD(&sbsec->isec_head);
279         spin_lock_init(&sbsec->isec_lock);
280         sbsec->sb = sb;
281         sbsec->sid = SECINITSID_UNLABELED;
282         sbsec->def_sid = SECINITSID_FILE;
283         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
284         sb->s_security = sbsec;
285
286         return 0;
287 }
288
289 static void superblock_free_security(struct super_block *sb)
290 {
291         struct superblock_security_struct *sbsec = sb->s_security;
292
293         spin_lock(&sb_security_lock);
294         if (!list_empty(&sbsec->list))
295                 list_del_init(&sbsec->list);
296         spin_unlock(&sb_security_lock);
297
298         sb->s_security = NULL;
299         kfree(sbsec);
300 }
301
302 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
303 {
304         struct sk_security_struct *ssec;
305
306         ssec = kzalloc(sizeof(*ssec), priority);
307         if (!ssec)
308                 return -ENOMEM;
309
310         ssec->peer_sid = SECINITSID_UNLABELED;
311         ssec->sid = SECINITSID_UNLABELED;
312         sk->sk_security = ssec;
313
314         selinux_netlbl_sk_security_reset(ssec, family);
315
316         return 0;
317 }
318
319 static void sk_free_security(struct sock *sk)
320 {
321         struct sk_security_struct *ssec = sk->sk_security;
322
323         sk->sk_security = NULL;
324         selinux_netlbl_sk_security_free(ssec);
325         kfree(ssec);
326 }
327
328 /* The security server must be initialized before
329    any labeling or access decisions can be provided. */
330 extern int ss_initialized;
331
332 /* The file system's label must be initialized prior to use. */
333
334 static char *labeling_behaviors[6] = {
335         "uses xattr",
336         "uses transition SIDs",
337         "uses task SIDs",
338         "uses genfs_contexts",
339         "not configured for labeling",
340         "uses mountpoint labeling",
341 };
342
343 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
344
345 static inline int inode_doinit(struct inode *inode)
346 {
347         return inode_doinit_with_dentry(inode, NULL);
348 }
349
350 enum {
351         Opt_error = -1,
352         Opt_context = 1,
353         Opt_fscontext = 2,
354         Opt_defcontext = 3,
355         Opt_rootcontext = 4,
356         Opt_labelsupport = 5,
357 };
358
359 static const match_table_t tokens = {
360         {Opt_context, CONTEXT_STR "%s"},
361         {Opt_fscontext, FSCONTEXT_STR "%s"},
362         {Opt_defcontext, DEFCONTEXT_STR "%s"},
363         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
364         {Opt_labelsupport, LABELSUPP_STR},
365         {Opt_error, NULL},
366 };
367
368 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
369
370 static int may_context_mount_sb_relabel(u32 sid,
371                         struct superblock_security_struct *sbsec,
372                         const struct cred *cred)
373 {
374         const struct task_security_struct *tsec = cred->security;
375         int rc;
376
377         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
378                           FILESYSTEM__RELABELFROM, NULL);
379         if (rc)
380                 return rc;
381
382         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
383                           FILESYSTEM__RELABELTO, NULL);
384         return rc;
385 }
386
387 static int may_context_mount_inode_relabel(u32 sid,
388                         struct superblock_security_struct *sbsec,
389                         const struct cred *cred)
390 {
391         const struct task_security_struct *tsec = cred->security;
392         int rc;
393         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
394                           FILESYSTEM__RELABELFROM, NULL);
395         if (rc)
396                 return rc;
397
398         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
399                           FILESYSTEM__ASSOCIATE, NULL);
400         return rc;
401 }
402
403 static int sb_finish_set_opts(struct super_block *sb)
404 {
405         struct superblock_security_struct *sbsec = sb->s_security;
406         struct dentry *root = sb->s_root;
407         struct inode *root_inode = root->d_inode;
408         int rc = 0;
409
410         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
411                 /* Make sure that the xattr handler exists and that no
412                    error other than -ENODATA is returned by getxattr on
413                    the root directory.  -ENODATA is ok, as this may be
414                    the first boot of the SELinux kernel before we have
415                    assigned xattr values to the filesystem. */
416                 if (!root_inode->i_op->getxattr) {
417                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
418                                "xattr support\n", sb->s_id, sb->s_type->name);
419                         rc = -EOPNOTSUPP;
420                         goto out;
421                 }
422                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
423                 if (rc < 0 && rc != -ENODATA) {
424                         if (rc == -EOPNOTSUPP)
425                                 printk(KERN_WARNING "SELinux: (dev %s, type "
426                                        "%s) has no security xattr handler\n",
427                                        sb->s_id, sb->s_type->name);
428                         else
429                                 printk(KERN_WARNING "SELinux: (dev %s, type "
430                                        "%s) getxattr errno %d\n", sb->s_id,
431                                        sb->s_type->name, -rc);
432                         goto out;
433                 }
434         }
435
436         sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
437
438         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
439                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
440                        sb->s_id, sb->s_type->name);
441         else
442                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
443                        sb->s_id, sb->s_type->name,
444                        labeling_behaviors[sbsec->behavior-1]);
445
446         if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
447             sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
448             sbsec->behavior == SECURITY_FS_USE_NONE ||
449             sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
450                 sbsec->flags &= ~SE_SBLABELSUPP;
451
452         /* Initialize the root inode. */
453         rc = inode_doinit_with_dentry(root_inode, root);
454
455         /* Initialize any other inodes associated with the superblock, e.g.
456            inodes created prior to initial policy load or inodes created
457            during get_sb by a pseudo filesystem that directly
458            populates itself. */
459         spin_lock(&sbsec->isec_lock);
460 next_inode:
461         if (!list_empty(&sbsec->isec_head)) {
462                 struct inode_security_struct *isec =
463                                 list_entry(sbsec->isec_head.next,
464                                            struct inode_security_struct, list);
465                 struct inode *inode = isec->inode;
466                 spin_unlock(&sbsec->isec_lock);
467                 inode = igrab(inode);
468                 if (inode) {
469                         if (!IS_PRIVATE(inode))
470                                 inode_doinit(inode);
471                         iput(inode);
472                 }
473                 spin_lock(&sbsec->isec_lock);
474                 list_del_init(&isec->list);
475                 goto next_inode;
476         }
477         spin_unlock(&sbsec->isec_lock);
478 out:
479         return rc;
480 }
481
482 /*
483  * This function should allow an FS to ask what it's mount security
484  * options were so it can use those later for submounts, displaying
485  * mount options, or whatever.
486  */
487 static int selinux_get_mnt_opts(const struct super_block *sb,
488                                 struct security_mnt_opts *opts)
489 {
490         int rc = 0, i;
491         struct superblock_security_struct *sbsec = sb->s_security;
492         char *context = NULL;
493         u32 len;
494         char tmp;
495
496         security_init_mnt_opts(opts);
497
498         if (!(sbsec->flags & SE_SBINITIALIZED))
499                 return -EINVAL;
500
501         if (!ss_initialized)
502                 return -EINVAL;
503
504         tmp = sbsec->flags & SE_MNTMASK;
505         /* count the number of mount options for this sb */
506         for (i = 0; i < 8; i++) {
507                 if (tmp & 0x01)
508                         opts->num_mnt_opts++;
509                 tmp >>= 1;
510         }
511         /* Check if the Label support flag is set */
512         if (sbsec->flags & SE_SBLABELSUPP)
513                 opts->num_mnt_opts++;
514
515         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
516         if (!opts->mnt_opts) {
517                 rc = -ENOMEM;
518                 goto out_free;
519         }
520
521         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
522         if (!opts->mnt_opts_flags) {
523                 rc = -ENOMEM;
524                 goto out_free;
525         }
526
527         i = 0;
528         if (sbsec->flags & FSCONTEXT_MNT) {
529                 rc = security_sid_to_context(sbsec->sid, &context, &len);
530                 if (rc)
531                         goto out_free;
532                 opts->mnt_opts[i] = context;
533                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
534         }
535         if (sbsec->flags & CONTEXT_MNT) {
536                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
537                 if (rc)
538                         goto out_free;
539                 opts->mnt_opts[i] = context;
540                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
541         }
542         if (sbsec->flags & DEFCONTEXT_MNT) {
543                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
544                 if (rc)
545                         goto out_free;
546                 opts->mnt_opts[i] = context;
547                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
548         }
549         if (sbsec->flags & ROOTCONTEXT_MNT) {
550                 struct inode *root = sbsec->sb->s_root->d_inode;
551                 struct inode_security_struct *isec = root->i_security;
552
553                 rc = security_sid_to_context(isec->sid, &context, &len);
554                 if (rc)
555                         goto out_free;
556                 opts->mnt_opts[i] = context;
557                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
558         }
559         if (sbsec->flags & SE_SBLABELSUPP) {
560                 opts->mnt_opts[i] = NULL;
561                 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
562         }
563
564         BUG_ON(i != opts->num_mnt_opts);
565
566         return 0;
567
568 out_free:
569         security_free_mnt_opts(opts);
570         return rc;
571 }
572
573 static int bad_option(struct superblock_security_struct *sbsec, char flag,
574                       u32 old_sid, u32 new_sid)
575 {
576         char mnt_flags = sbsec->flags & SE_MNTMASK;
577
578         /* check if the old mount command had the same options */
579         if (sbsec->flags & SE_SBINITIALIZED)
580                 if (!(sbsec->flags & flag) ||
581                     (old_sid != new_sid))
582                         return 1;
583
584         /* check if we were passed the same options twice,
585          * aka someone passed context=a,context=b
586          */
587         if (!(sbsec->flags & SE_SBINITIALIZED))
588                 if (mnt_flags & flag)
589                         return 1;
590         return 0;
591 }
592
593 /*
594  * Allow filesystems with binary mount data to explicitly set mount point
595  * labeling information.
596  */
597 static int selinux_set_mnt_opts(struct super_block *sb,
598                                 struct security_mnt_opts *opts)
599 {
600         const struct cred *cred = current_cred();
601         int rc = 0, i;
602         struct superblock_security_struct *sbsec = sb->s_security;
603         const char *name = sb->s_type->name;
604         struct inode *inode = sbsec->sb->s_root->d_inode;
605         struct inode_security_struct *root_isec = inode->i_security;
606         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
607         u32 defcontext_sid = 0;
608         char **mount_options = opts->mnt_opts;
609         int *flags = opts->mnt_opts_flags;
610         int num_opts = opts->num_mnt_opts;
611
612         mutex_lock(&sbsec->lock);
613
614         if (!ss_initialized) {
615                 if (!num_opts) {
616                         /* Defer initialization until selinux_complete_init,
617                            after the initial policy is loaded and the security
618                            server is ready to handle calls. */
619                         spin_lock(&sb_security_lock);
620                         if (list_empty(&sbsec->list))
621                                 list_add(&sbsec->list, &superblock_security_head);
622                         spin_unlock(&sb_security_lock);
623                         goto out;
624                 }
625                 rc = -EINVAL;
626                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
627                         "before the security server is initialized\n");
628                 goto out;
629         }
630
631         /*
632          * Binary mount data FS will come through this function twice.  Once
633          * from an explicit call and once from the generic calls from the vfs.
634          * Since the generic VFS calls will not contain any security mount data
635          * we need to skip the double mount verification.
636          *
637          * This does open a hole in which we will not notice if the first
638          * mount using this sb set explict options and a second mount using
639          * this sb does not set any security options.  (The first options
640          * will be used for both mounts)
641          */
642         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
643             && (num_opts == 0))
644                 goto out;
645
646         /*
647          * parse the mount options, check if they are valid sids.
648          * also check if someone is trying to mount the same sb more
649          * than once with different security options.
650          */
651         for (i = 0; i < num_opts; i++) {
652                 u32 sid;
653
654                 if (flags[i] == SE_SBLABELSUPP)
655                         continue;
656                 rc = security_context_to_sid(mount_options[i],
657                                              strlen(mount_options[i]), &sid);
658                 if (rc) {
659                         printk(KERN_WARNING "SELinux: security_context_to_sid"
660                                "(%s) failed for (dev %s, type %s) errno=%d\n",
661                                mount_options[i], sb->s_id, name, rc);
662                         goto out;
663                 }
664                 switch (flags[i]) {
665                 case FSCONTEXT_MNT:
666                         fscontext_sid = sid;
667
668                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
669                                         fscontext_sid))
670                                 goto out_double_mount;
671
672                         sbsec->flags |= FSCONTEXT_MNT;
673                         break;
674                 case CONTEXT_MNT:
675                         context_sid = sid;
676
677                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
678                                         context_sid))
679                                 goto out_double_mount;
680
681                         sbsec->flags |= CONTEXT_MNT;
682                         break;
683                 case ROOTCONTEXT_MNT:
684                         rootcontext_sid = sid;
685
686                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
687                                         rootcontext_sid))
688                                 goto out_double_mount;
689
690                         sbsec->flags |= ROOTCONTEXT_MNT;
691
692                         break;
693                 case DEFCONTEXT_MNT:
694                         defcontext_sid = sid;
695
696                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
697                                         defcontext_sid))
698                                 goto out_double_mount;
699
700                         sbsec->flags |= DEFCONTEXT_MNT;
701
702                         break;
703                 default:
704                         rc = -EINVAL;
705                         goto out;
706                 }
707         }
708
709         if (sbsec->flags & SE_SBINITIALIZED) {
710                 /* previously mounted with options, but not on this attempt? */
711                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
712                         goto out_double_mount;
713                 rc = 0;
714                 goto out;
715         }
716
717         if (strcmp(sb->s_type->name, "proc") == 0)
718                 sbsec->flags |= SE_SBPROC;
719
720         /* Determine the labeling behavior to use for this filesystem type. */
721         rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
722         if (rc) {
723                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
724                        __func__, sb->s_type->name, rc);
725                 goto out;
726         }
727
728         /* sets the context of the superblock for the fs being mounted. */
729         if (fscontext_sid) {
730                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
731                 if (rc)
732                         goto out;
733
734                 sbsec->sid = fscontext_sid;
735         }
736
737         /*
738          * Switch to using mount point labeling behavior.
739          * sets the label used on all file below the mountpoint, and will set
740          * the superblock context if not already set.
741          */
742         if (context_sid) {
743                 if (!fscontext_sid) {
744                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
745                                                           cred);
746                         if (rc)
747                                 goto out;
748                         sbsec->sid = context_sid;
749                 } else {
750                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
751                                                              cred);
752                         if (rc)
753                                 goto out;
754                 }
755                 if (!rootcontext_sid)
756                         rootcontext_sid = context_sid;
757
758                 sbsec->mntpoint_sid = context_sid;
759                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
760         }
761
762         if (rootcontext_sid) {
763                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
764                                                      cred);
765                 if (rc)
766                         goto out;
767
768                 root_isec->sid = rootcontext_sid;
769                 root_isec->initialized = 1;
770         }
771
772         if (defcontext_sid) {
773                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
774                         rc = -EINVAL;
775                         printk(KERN_WARNING "SELinux: defcontext option is "
776                                "invalid for this filesystem type\n");
777                         goto out;
778                 }
779
780                 if (defcontext_sid != sbsec->def_sid) {
781                         rc = may_context_mount_inode_relabel(defcontext_sid,
782                                                              sbsec, cred);
783                         if (rc)
784                                 goto out;
785                 }
786
787                 sbsec->def_sid = defcontext_sid;
788         }
789
790         rc = sb_finish_set_opts(sb);
791 out:
792         mutex_unlock(&sbsec->lock);
793         return rc;
794 out_double_mount:
795         rc = -EINVAL;
796         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
797                "security settings for (dev %s, type %s)\n", sb->s_id, name);
798         goto out;
799 }
800
801 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
802                                         struct super_block *newsb)
803 {
804         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
805         struct superblock_security_struct *newsbsec = newsb->s_security;
806
807         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
808         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
809         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
810
811         /*
812          * if the parent was able to be mounted it clearly had no special lsm
813          * mount options.  thus we can safely put this sb on the list and deal
814          * with it later
815          */
816         if (!ss_initialized) {
817                 spin_lock(&sb_security_lock);
818                 if (list_empty(&newsbsec->list))
819                         list_add(&newsbsec->list, &superblock_security_head);
820                 spin_unlock(&sb_security_lock);
821                 return;
822         }
823
824         /* how can we clone if the old one wasn't set up?? */
825         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
826
827         /* if fs is reusing a sb, just let its options stand... */
828         if (newsbsec->flags & SE_SBINITIALIZED)
829                 return;
830
831         mutex_lock(&newsbsec->lock);
832
833         newsbsec->flags = oldsbsec->flags;
834
835         newsbsec->sid = oldsbsec->sid;
836         newsbsec->def_sid = oldsbsec->def_sid;
837         newsbsec->behavior = oldsbsec->behavior;
838
839         if (set_context) {
840                 u32 sid = oldsbsec->mntpoint_sid;
841
842                 if (!set_fscontext)
843                         newsbsec->sid = sid;
844                 if (!set_rootcontext) {
845                         struct inode *newinode = newsb->s_root->d_inode;
846                         struct inode_security_struct *newisec = newinode->i_security;
847                         newisec->sid = sid;
848                 }
849                 newsbsec->mntpoint_sid = sid;
850         }
851         if (set_rootcontext) {
852                 const struct inode *oldinode = oldsb->s_root->d_inode;
853                 const struct inode_security_struct *oldisec = oldinode->i_security;
854                 struct inode *newinode = newsb->s_root->d_inode;
855                 struct inode_security_struct *newisec = newinode->i_security;
856
857                 newisec->sid = oldisec->sid;
858         }
859
860         sb_finish_set_opts(newsb);
861         mutex_unlock(&newsbsec->lock);
862 }
863
864 static int selinux_parse_opts_str(char *options,
865                                   struct security_mnt_opts *opts)
866 {
867         char *p;
868         char *context = NULL, *defcontext = NULL;
869         char *fscontext = NULL, *rootcontext = NULL;
870         int rc, num_mnt_opts = 0;
871
872         opts->num_mnt_opts = 0;
873
874         /* Standard string-based options. */
875         while ((p = strsep(&options, "|")) != NULL) {
876                 int token;
877                 substring_t args[MAX_OPT_ARGS];
878
879                 if (!*p)
880                         continue;
881
882                 token = match_token(p, tokens, args);
883
884                 switch (token) {
885                 case Opt_context:
886                         if (context || defcontext) {
887                                 rc = -EINVAL;
888                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
889                                 goto out_err;
890                         }
891                         context = match_strdup(&args[0]);
892                         if (!context) {
893                                 rc = -ENOMEM;
894                                 goto out_err;
895                         }
896                         break;
897
898                 case Opt_fscontext:
899                         if (fscontext) {
900                                 rc = -EINVAL;
901                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
902                                 goto out_err;
903                         }
904                         fscontext = match_strdup(&args[0]);
905                         if (!fscontext) {
906                                 rc = -ENOMEM;
907                                 goto out_err;
908                         }
909                         break;
910
911                 case Opt_rootcontext:
912                         if (rootcontext) {
913                                 rc = -EINVAL;
914                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
915                                 goto out_err;
916                         }
917                         rootcontext = match_strdup(&args[0]);
918                         if (!rootcontext) {
919                                 rc = -ENOMEM;
920                                 goto out_err;
921                         }
922                         break;
923
924                 case Opt_defcontext:
925                         if (context || defcontext) {
926                                 rc = -EINVAL;
927                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
928                                 goto out_err;
929                         }
930                         defcontext = match_strdup(&args[0]);
931                         if (!defcontext) {
932                                 rc = -ENOMEM;
933                                 goto out_err;
934                         }
935                         break;
936                 case Opt_labelsupport:
937                         break;
938                 default:
939                         rc = -EINVAL;
940                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
941                         goto out_err;
942
943                 }
944         }
945
946         rc = -ENOMEM;
947         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
948         if (!opts->mnt_opts)
949                 goto out_err;
950
951         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
952         if (!opts->mnt_opts_flags) {
953                 kfree(opts->mnt_opts);
954                 goto out_err;
955         }
956
957         if (fscontext) {
958                 opts->mnt_opts[num_mnt_opts] = fscontext;
959                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
960         }
961         if (context) {
962                 opts->mnt_opts[num_mnt_opts] = context;
963                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
964         }
965         if (rootcontext) {
966                 opts->mnt_opts[num_mnt_opts] = rootcontext;
967                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
968         }
969         if (defcontext) {
970                 opts->mnt_opts[num_mnt_opts] = defcontext;
971                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
972         }
973
974         opts->num_mnt_opts = num_mnt_opts;
975         return 0;
976
977 out_err:
978         kfree(context);
979         kfree(defcontext);
980         kfree(fscontext);
981         kfree(rootcontext);
982         return rc;
983 }
984 /*
985  * string mount options parsing and call set the sbsec
986  */
987 static int superblock_doinit(struct super_block *sb, void *data)
988 {
989         int rc = 0;
990         char *options = data;
991         struct security_mnt_opts opts;
992
993         security_init_mnt_opts(&opts);
994
995         if (!data)
996                 goto out;
997
998         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
999
1000         rc = selinux_parse_opts_str(options, &opts);
1001         if (rc)
1002                 goto out_err;
1003
1004 out:
1005         rc = selinux_set_mnt_opts(sb, &opts);
1006
1007 out_err:
1008         security_free_mnt_opts(&opts);
1009         return rc;
1010 }
1011
1012 static void selinux_write_opts(struct seq_file *m,
1013                                struct security_mnt_opts *opts)
1014 {
1015         int i;
1016         char *prefix;
1017
1018         for (i = 0; i < opts->num_mnt_opts; i++) {
1019                 char *has_comma;
1020
1021                 if (opts->mnt_opts[i])
1022                         has_comma = strchr(opts->mnt_opts[i], ',');
1023                 else
1024                         has_comma = NULL;
1025
1026                 switch (opts->mnt_opts_flags[i]) {
1027                 case CONTEXT_MNT:
1028                         prefix = CONTEXT_STR;
1029                         break;
1030                 case FSCONTEXT_MNT:
1031                         prefix = FSCONTEXT_STR;
1032                         break;
1033                 case ROOTCONTEXT_MNT:
1034                         prefix = ROOTCONTEXT_STR;
1035                         break;
1036                 case DEFCONTEXT_MNT:
1037                         prefix = DEFCONTEXT_STR;
1038                         break;
1039                 case SE_SBLABELSUPP:
1040                         seq_putc(m, ',');
1041                         seq_puts(m, LABELSUPP_STR);
1042                         continue;
1043                 default:
1044                         BUG();
1045                 };
1046                 /* we need a comma before each option */
1047                 seq_putc(m, ',');
1048                 seq_puts(m, prefix);
1049                 if (has_comma)
1050                         seq_putc(m, '\"');
1051                 seq_puts(m, opts->mnt_opts[i]);
1052                 if (has_comma)
1053                         seq_putc(m, '\"');
1054         }
1055 }
1056
1057 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1058 {
1059         struct security_mnt_opts opts;
1060         int rc;
1061
1062         rc = selinux_get_mnt_opts(sb, &opts);
1063         if (rc) {
1064                 /* before policy load we may get EINVAL, don't show anything */
1065                 if (rc == -EINVAL)
1066                         rc = 0;
1067                 return rc;
1068         }
1069
1070         selinux_write_opts(m, &opts);
1071
1072         security_free_mnt_opts(&opts);
1073
1074         return rc;
1075 }
1076
1077 static inline u16 inode_mode_to_security_class(umode_t mode)
1078 {
1079         switch (mode & S_IFMT) {
1080         case S_IFSOCK:
1081                 return SECCLASS_SOCK_FILE;
1082         case S_IFLNK:
1083                 return SECCLASS_LNK_FILE;
1084         case S_IFREG:
1085                 return SECCLASS_FILE;
1086         case S_IFBLK:
1087                 return SECCLASS_BLK_FILE;
1088         case S_IFDIR:
1089                 return SECCLASS_DIR;
1090         case S_IFCHR:
1091                 return SECCLASS_CHR_FILE;
1092         case S_IFIFO:
1093                 return SECCLASS_FIFO_FILE;
1094
1095         }
1096
1097         return SECCLASS_FILE;
1098 }
1099
1100 static inline int default_protocol_stream(int protocol)
1101 {
1102         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1103 }
1104
1105 static inline int default_protocol_dgram(int protocol)
1106 {
1107         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1108 }
1109
1110 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1111 {
1112         switch (family) {
1113         case PF_UNIX:
1114                 switch (type) {
1115                 case SOCK_STREAM:
1116                 case SOCK_SEQPACKET:
1117                         return SECCLASS_UNIX_STREAM_SOCKET;
1118                 case SOCK_DGRAM:
1119                         return SECCLASS_UNIX_DGRAM_SOCKET;
1120                 }
1121                 break;
1122         case PF_INET:
1123         case PF_INET6:
1124                 switch (type) {
1125                 case SOCK_STREAM:
1126                         if (default_protocol_stream(protocol))
1127                                 return SECCLASS_TCP_SOCKET;
1128                         else
1129                                 return SECCLASS_RAWIP_SOCKET;
1130                 case SOCK_DGRAM:
1131                         if (default_protocol_dgram(protocol))
1132                                 return SECCLASS_UDP_SOCKET;
1133                         else
1134                                 return SECCLASS_RAWIP_SOCKET;
1135                 case SOCK_DCCP:
1136                         return SECCLASS_DCCP_SOCKET;
1137                 default:
1138                         return SECCLASS_RAWIP_SOCKET;
1139                 }
1140                 break;
1141         case PF_NETLINK:
1142                 switch (protocol) {
1143                 case NETLINK_ROUTE:
1144                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1145                 case NETLINK_FIREWALL:
1146                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1147                 case NETLINK_INET_DIAG:
1148                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1149                 case NETLINK_NFLOG:
1150                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1151                 case NETLINK_XFRM:
1152                         return SECCLASS_NETLINK_XFRM_SOCKET;
1153                 case NETLINK_SELINUX:
1154                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1155                 case NETLINK_AUDIT:
1156                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1157                 case NETLINK_IP6_FW:
1158                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1159                 case NETLINK_DNRTMSG:
1160                         return SECCLASS_NETLINK_DNRT_SOCKET;
1161                 case NETLINK_KOBJECT_UEVENT:
1162                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1163                 default:
1164                         return SECCLASS_NETLINK_SOCKET;
1165                 }
1166         case PF_PACKET:
1167                 return SECCLASS_PACKET_SOCKET;
1168         case PF_KEY:
1169                 return SECCLASS_KEY_SOCKET;
1170         case PF_APPLETALK:
1171                 return SECCLASS_APPLETALK_SOCKET;
1172         }
1173
1174         return SECCLASS_SOCKET;
1175 }
1176
1177 #ifdef CONFIG_PROC_FS
1178 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1179                                 u16 tclass,
1180                                 u32 *sid)
1181 {
1182         int buflen, rc;
1183         char *buffer, *path, *end;
1184
1185         buffer = (char *)__get_free_page(GFP_KERNEL);
1186         if (!buffer)
1187                 return -ENOMEM;
1188
1189         buflen = PAGE_SIZE;
1190         end = buffer+buflen;
1191         *--end = '\0';
1192         buflen--;
1193         path = end-1;
1194         *path = '/';
1195         while (de && de != de->parent) {
1196                 buflen -= de->namelen + 1;
1197                 if (buflen < 0)
1198                         break;
1199                 end -= de->namelen;
1200                 memcpy(end, de->name, de->namelen);
1201                 *--end = '/';
1202                 path = end;
1203                 de = de->parent;
1204         }
1205         rc = security_genfs_sid("proc", path, tclass, sid);
1206         free_page((unsigned long)buffer);
1207         return rc;
1208 }
1209 #else
1210 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1211                                 u16 tclass,
1212                                 u32 *sid)
1213 {
1214         return -EINVAL;
1215 }
1216 #endif
1217
1218 /* The inode's security attributes must be initialized before first use. */
1219 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1220 {
1221         struct superblock_security_struct *sbsec = NULL;
1222         struct inode_security_struct *isec = inode->i_security;
1223         u32 sid;
1224         struct dentry *dentry;
1225 #define INITCONTEXTLEN 255
1226         char *context = NULL;
1227         unsigned len = 0;
1228         int rc = 0;
1229
1230         if (isec->initialized)
1231                 goto out;
1232
1233         mutex_lock(&isec->lock);
1234         if (isec->initialized)
1235                 goto out_unlock;
1236
1237         sbsec = inode->i_sb->s_security;
1238         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1239                 /* Defer initialization until selinux_complete_init,
1240                    after the initial policy is loaded and the security
1241                    server is ready to handle calls. */
1242                 spin_lock(&sbsec->isec_lock);
1243                 if (list_empty(&isec->list))
1244                         list_add(&isec->list, &sbsec->isec_head);
1245                 spin_unlock(&sbsec->isec_lock);
1246                 goto out_unlock;
1247         }
1248
1249         switch (sbsec->behavior) {
1250         case SECURITY_FS_USE_XATTR:
1251                 if (!inode->i_op->getxattr) {
1252                         isec->sid = sbsec->def_sid;
1253                         break;
1254                 }
1255
1256                 /* Need a dentry, since the xattr API requires one.
1257                    Life would be simpler if we could just pass the inode. */
1258                 if (opt_dentry) {
1259                         /* Called from d_instantiate or d_splice_alias. */
1260                         dentry = dget(opt_dentry);
1261                 } else {
1262                         /* Called from selinux_complete_init, try to find a dentry. */
1263                         dentry = d_find_alias(inode);
1264                 }
1265                 if (!dentry) {
1266                         printk(KERN_WARNING "SELinux: %s:  no dentry for dev=%s "
1267                                "ino=%ld\n", __func__, inode->i_sb->s_id,
1268                                inode->i_ino);
1269                         goto out_unlock;
1270                 }
1271
1272                 len = INITCONTEXTLEN;
1273                 context = kmalloc(len+1, GFP_NOFS);
1274                 if (!context) {
1275                         rc = -ENOMEM;
1276                         dput(dentry);
1277                         goto out_unlock;
1278                 }
1279                 context[len] = '\0';
1280                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1281                                            context, len);
1282                 if (rc == -ERANGE) {
1283                         /* Need a larger buffer.  Query for the right size. */
1284                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1285                                                    NULL, 0);
1286                         if (rc < 0) {
1287                                 dput(dentry);
1288                                 goto out_unlock;
1289                         }
1290                         kfree(context);
1291                         len = rc;
1292                         context = kmalloc(len+1, GFP_NOFS);
1293                         if (!context) {
1294                                 rc = -ENOMEM;
1295                                 dput(dentry);
1296                                 goto out_unlock;
1297                         }
1298                         context[len] = '\0';
1299                         rc = inode->i_op->getxattr(dentry,
1300                                                    XATTR_NAME_SELINUX,
1301                                                    context, len);
1302                 }
1303                 dput(dentry);
1304                 if (rc < 0) {
1305                         if (rc != -ENODATA) {
1306                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1307                                        "%d for dev=%s ino=%ld\n", __func__,
1308                                        -rc, inode->i_sb->s_id, inode->i_ino);
1309                                 kfree(context);
1310                                 goto out_unlock;
1311                         }
1312                         /* Map ENODATA to the default file SID */
1313                         sid = sbsec->def_sid;
1314                         rc = 0;
1315                 } else {
1316                         rc = security_context_to_sid_default(context, rc, &sid,
1317                                                              sbsec->def_sid,
1318                                                              GFP_NOFS);
1319                         if (rc) {
1320                                 char *dev = inode->i_sb->s_id;
1321                                 unsigned long ino = inode->i_ino;
1322
1323                                 if (rc == -EINVAL) {
1324                                         if (printk_ratelimit())
1325                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1326                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1327                                                         "filesystem in question.\n", ino, dev, context);
1328                                 } else {
1329                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1330                                                "returned %d for dev=%s ino=%ld\n",
1331                                                __func__, context, -rc, dev, ino);
1332                                 }
1333                                 kfree(context);
1334                                 /* Leave with the unlabeled SID */
1335                                 rc = 0;
1336                                 break;
1337                         }
1338                 }
1339                 kfree(context);
1340                 isec->sid = sid;
1341                 break;
1342         case SECURITY_FS_USE_TASK:
1343                 isec->sid = isec->task_sid;
1344                 break;
1345         case SECURITY_FS_USE_TRANS:
1346                 /* Default to the fs SID. */
1347                 isec->sid = sbsec->sid;
1348
1349                 /* Try to obtain a transition SID. */
1350                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1351                 rc = security_transition_sid(isec->task_sid,
1352                                              sbsec->sid,
1353                                              isec->sclass,
1354                                              &sid);
1355                 if (rc)
1356                         goto out_unlock;
1357                 isec->sid = sid;
1358                 break;
1359         case SECURITY_FS_USE_MNTPOINT:
1360                 isec->sid = sbsec->mntpoint_sid;
1361                 break;
1362         default:
1363                 /* Default to the fs superblock SID. */
1364                 isec->sid = sbsec->sid;
1365
1366                 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1367                         struct proc_inode *proci = PROC_I(inode);
1368                         if (proci->pde) {
1369                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1370                                 rc = selinux_proc_get_sid(proci->pde,
1371                                                           isec->sclass,
1372                                                           &sid);
1373                                 if (rc)
1374                                         goto out_unlock;
1375                                 isec->sid = sid;
1376                         }
1377                 }
1378                 break;
1379         }
1380
1381         isec->initialized = 1;
1382
1383 out_unlock:
1384         mutex_unlock(&isec->lock);
1385 out:
1386         if (isec->sclass == SECCLASS_FILE)
1387                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1388         return rc;
1389 }
1390
1391 /* Convert a Linux signal to an access vector. */
1392 static inline u32 signal_to_av(int sig)
1393 {
1394         u32 perm = 0;
1395
1396         switch (sig) {
1397         case SIGCHLD:
1398                 /* Commonly granted from child to parent. */
1399                 perm = PROCESS__SIGCHLD;
1400                 break;
1401         case SIGKILL:
1402                 /* Cannot be caught or ignored */
1403                 perm = PROCESS__SIGKILL;
1404                 break;
1405         case SIGSTOP:
1406                 /* Cannot be caught or ignored */
1407                 perm = PROCESS__SIGSTOP;
1408                 break;
1409         default:
1410                 /* All other signals. */
1411                 perm = PROCESS__SIGNAL;
1412                 break;
1413         }
1414
1415         return perm;
1416 }
1417
1418 /*
1419  * Check permission between a pair of credentials
1420  * fork check, ptrace check, etc.
1421  */
1422 static int cred_has_perm(const struct cred *actor,
1423                          const struct cred *target,
1424                          u32 perms)
1425 {
1426         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1427
1428         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1429 }
1430
1431 /*
1432  * Check permission between a pair of tasks, e.g. signal checks,
1433  * fork check, ptrace check, etc.
1434  * tsk1 is the actor and tsk2 is the target
1435  * - this uses the default subjective creds of tsk1
1436  */
1437 static int task_has_perm(const struct task_struct *tsk1,
1438                          const struct task_struct *tsk2,
1439                          u32 perms)
1440 {
1441         const struct task_security_struct *__tsec1, *__tsec2;
1442         u32 sid1, sid2;
1443
1444         rcu_read_lock();
1445         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1446         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1447         rcu_read_unlock();
1448         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1449 }
1450
1451 /*
1452  * Check permission between current and another task, e.g. signal checks,
1453  * fork check, ptrace check, etc.
1454  * current is the actor and tsk2 is the target
1455  * - this uses current's subjective creds
1456  */
1457 static int current_has_perm(const struct task_struct *tsk,
1458                             u32 perms)
1459 {
1460         u32 sid, tsid;
1461
1462         sid = current_sid();
1463         tsid = task_sid(tsk);
1464         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1465 }
1466
1467 #if CAP_LAST_CAP > 63
1468 #error Fix SELinux to handle capabilities > 63.
1469 #endif
1470
1471 /* Check whether a task is allowed to use a capability. */
1472 static int task_has_capability(struct task_struct *tsk,
1473                                const struct cred *cred,
1474                                int cap, int audit)
1475 {
1476         struct avc_audit_data ad;
1477         struct av_decision avd;
1478         u16 sclass;
1479         u32 sid = cred_sid(cred);
1480         u32 av = CAP_TO_MASK(cap);
1481         int rc;
1482
1483         AVC_AUDIT_DATA_INIT(&ad, CAP);
1484         ad.tsk = tsk;
1485         ad.u.cap = cap;
1486
1487         switch (CAP_TO_INDEX(cap)) {
1488         case 0:
1489                 sclass = SECCLASS_CAPABILITY;
1490                 break;
1491         case 1:
1492                 sclass = SECCLASS_CAPABILITY2;
1493                 break;
1494         default:
1495                 printk(KERN_ERR
1496                        "SELinux:  out of range capability %d\n", cap);
1497                 BUG();
1498         }
1499
1500         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1501         if (audit == SECURITY_CAP_AUDIT)
1502                 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1503         return rc;
1504 }
1505
1506 /* Check whether a task is allowed to use a system operation. */
1507 static int task_has_system(struct task_struct *tsk,
1508                            u32 perms)
1509 {
1510         u32 sid = task_sid(tsk);
1511
1512         return avc_has_perm(sid, SECINITSID_KERNEL,
1513                             SECCLASS_SYSTEM, perms, NULL);
1514 }
1515
1516 /* Check whether a task has a particular permission to an inode.
1517    The 'adp' parameter is optional and allows other audit
1518    data to be passed (e.g. the dentry). */
1519 static int inode_has_perm(const struct cred *cred,
1520                           struct inode *inode,
1521                           u32 perms,
1522                           struct avc_audit_data *adp)
1523 {
1524         struct inode_security_struct *isec;
1525         struct avc_audit_data ad;
1526         u32 sid;
1527
1528         if (unlikely(IS_PRIVATE(inode)))
1529                 return 0;
1530
1531         sid = cred_sid(cred);
1532         isec = inode->i_security;
1533
1534         if (!adp) {
1535                 adp = &ad;
1536                 AVC_AUDIT_DATA_INIT(&ad, FS);
1537                 ad.u.fs.inode = inode;
1538         }
1539
1540         return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1541 }
1542
1543 /* Same as inode_has_perm, but pass explicit audit data containing
1544    the dentry to help the auditing code to more easily generate the
1545    pathname if needed. */
1546 static inline int dentry_has_perm(const struct cred *cred,
1547                                   struct vfsmount *mnt,
1548                                   struct dentry *dentry,
1549                                   u32 av)
1550 {
1551         struct inode *inode = dentry->d_inode;
1552         struct avc_audit_data ad;
1553
1554         AVC_AUDIT_DATA_INIT(&ad, FS);
1555         ad.u.fs.path.mnt = mnt;
1556         ad.u.fs.path.dentry = dentry;
1557         return inode_has_perm(cred, inode, av, &ad);
1558 }
1559
1560 /* Check whether a task can use an open file descriptor to
1561    access an inode in a given way.  Check access to the
1562    descriptor itself, and then use dentry_has_perm to
1563    check a particular permission to the file.
1564    Access to the descriptor is implicitly granted if it
1565    has the same SID as the process.  If av is zero, then
1566    access to the file is not checked, e.g. for cases
1567    where only the descriptor is affected like seek. */
1568 static int file_has_perm(const struct cred *cred,
1569                          struct file *file,
1570                          u32 av)
1571 {
1572         struct file_security_struct *fsec = file->f_security;
1573         struct inode *inode = file->f_path.dentry->d_inode;
1574         struct avc_audit_data ad;
1575         u32 sid = cred_sid(cred);
1576         int rc;
1577
1578         AVC_AUDIT_DATA_INIT(&ad, FS);
1579         ad.u.fs.path = file->f_path;
1580
1581         if (sid != fsec->sid) {
1582                 rc = avc_has_perm(sid, fsec->sid,
1583                                   SECCLASS_FD,
1584                                   FD__USE,
1585                                   &ad);
1586                 if (rc)
1587                         goto out;
1588         }
1589
1590         /* av is zero if only checking access to the descriptor. */
1591         rc = 0;
1592         if (av)
1593                 rc = inode_has_perm(cred, inode, av, &ad);
1594
1595 out:
1596         return rc;
1597 }
1598
1599 /* Check whether a task can create a file. */
1600 static int may_create(struct inode *dir,
1601                       struct dentry *dentry,
1602                       u16 tclass)
1603 {
1604         const struct cred *cred = current_cred();
1605         const struct task_security_struct *tsec = cred->security;
1606         struct inode_security_struct *dsec;
1607         struct superblock_security_struct *sbsec;
1608         u32 sid, newsid;
1609         struct avc_audit_data ad;
1610         int rc;
1611
1612         dsec = dir->i_security;
1613         sbsec = dir->i_sb->s_security;
1614
1615         sid = tsec->sid;
1616         newsid = tsec->create_sid;
1617
1618         AVC_AUDIT_DATA_INIT(&ad, FS);
1619         ad.u.fs.path.dentry = dentry;
1620
1621         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1622                           DIR__ADD_NAME | DIR__SEARCH,
1623                           &ad);
1624         if (rc)
1625                 return rc;
1626
1627         if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1628                 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
1629                 if (rc)
1630                         return rc;
1631         }
1632
1633         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1634         if (rc)
1635                 return rc;
1636
1637         return avc_has_perm(newsid, sbsec->sid,
1638                             SECCLASS_FILESYSTEM,
1639                             FILESYSTEM__ASSOCIATE, &ad);
1640 }
1641
1642 /* Check whether a task can create a key. */
1643 static int may_create_key(u32 ksid,
1644                           struct task_struct *ctx)
1645 {
1646         u32 sid = task_sid(ctx);
1647
1648         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1649 }
1650
1651 #define MAY_LINK        0
1652 #define MAY_UNLINK      1
1653 #define MAY_RMDIR       2
1654
1655 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1656 static int may_link(struct inode *dir,
1657                     struct dentry *dentry,
1658                     int kind)
1659
1660 {
1661         struct inode_security_struct *dsec, *isec;
1662         struct avc_audit_data ad;
1663         u32 sid = current_sid();
1664         u32 av;
1665         int rc;
1666
1667         dsec = dir->i_security;
1668         isec = dentry->d_inode->i_security;
1669
1670         AVC_AUDIT_DATA_INIT(&ad, FS);
1671         ad.u.fs.path.dentry = dentry;
1672
1673         av = DIR__SEARCH;
1674         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1675         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1676         if (rc)
1677                 return rc;
1678
1679         switch (kind) {
1680         case MAY_LINK:
1681                 av = FILE__LINK;
1682                 break;
1683         case MAY_UNLINK:
1684                 av = FILE__UNLINK;
1685                 break;
1686         case MAY_RMDIR:
1687                 av = DIR__RMDIR;
1688                 break;
1689         default:
1690                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1691                         __func__, kind);
1692                 return 0;
1693         }
1694
1695         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1696         return rc;
1697 }
1698
1699 static inline int may_rename(struct inode *old_dir,
1700                              struct dentry *old_dentry,
1701                              struct inode *new_dir,
1702                              struct dentry *new_dentry)
1703 {
1704         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1705         struct avc_audit_data ad;
1706         u32 sid = current_sid();
1707         u32 av;
1708         int old_is_dir, new_is_dir;
1709         int rc;
1710
1711         old_dsec = old_dir->i_security;
1712         old_isec = old_dentry->d_inode->i_security;
1713         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1714         new_dsec = new_dir->i_security;
1715
1716         AVC_AUDIT_DATA_INIT(&ad, FS);
1717
1718         ad.u.fs.path.dentry = old_dentry;
1719         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1720                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1721         if (rc)
1722                 return rc;
1723         rc = avc_has_perm(sid, old_isec->sid,
1724                           old_isec->sclass, FILE__RENAME, &ad);
1725         if (rc)
1726                 return rc;
1727         if (old_is_dir && new_dir != old_dir) {
1728                 rc = avc_has_perm(sid, old_isec->sid,
1729                                   old_isec->sclass, DIR__REPARENT, &ad);
1730                 if (rc)
1731                         return rc;
1732         }
1733
1734         ad.u.fs.path.dentry = new_dentry;
1735         av = DIR__ADD_NAME | DIR__SEARCH;
1736         if (new_dentry->d_inode)
1737                 av |= DIR__REMOVE_NAME;
1738         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1739         if (rc)
1740                 return rc;
1741         if (new_dentry->d_inode) {
1742                 new_isec = new_dentry->d_inode->i_security;
1743                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1744                 rc = avc_has_perm(sid, new_isec->sid,
1745                                   new_isec->sclass,
1746                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1747                 if (rc)
1748                         return rc;
1749         }
1750
1751         return 0;
1752 }
1753
1754 /* Check whether a task can perform a filesystem operation. */
1755 static int superblock_has_perm(const struct cred *cred,
1756                                struct super_block *sb,
1757                                u32 perms,
1758                                struct avc_audit_data *ad)
1759 {
1760         struct superblock_security_struct *sbsec;
1761         u32 sid = cred_sid(cred);
1762
1763         sbsec = sb->s_security;
1764         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1765 }
1766
1767 /* Convert a Linux mode and permission mask to an access vector. */
1768 static inline u32 file_mask_to_av(int mode, int mask)
1769 {
1770         u32 av = 0;
1771
1772         if ((mode & S_IFMT) != S_IFDIR) {
1773                 if (mask & MAY_EXEC)
1774                         av |= FILE__EXECUTE;
1775                 if (mask & MAY_READ)
1776                         av |= FILE__READ;
1777
1778                 if (mask & MAY_APPEND)
1779                         av |= FILE__APPEND;
1780                 else if (mask & MAY_WRITE)
1781                         av |= FILE__WRITE;
1782
1783         } else {
1784                 if (mask & MAY_EXEC)
1785                         av |= DIR__SEARCH;
1786                 if (mask & MAY_WRITE)
1787                         av |= DIR__WRITE;
1788                 if (mask & MAY_READ)
1789                         av |= DIR__READ;
1790         }
1791
1792         return av;
1793 }
1794
1795 /* Convert a Linux file to an access vector. */
1796 static inline u32 file_to_av(struct file *file)
1797 {
1798         u32 av = 0;
1799
1800         if (file->f_mode & FMODE_READ)
1801                 av |= FILE__READ;
1802         if (file->f_mode & FMODE_WRITE) {
1803                 if (file->f_flags & O_APPEND)
1804                         av |= FILE__APPEND;
1805                 else
1806                         av |= FILE__WRITE;
1807         }
1808         if (!av) {
1809                 /*
1810                  * Special file opened with flags 3 for ioctl-only use.
1811                  */
1812                 av = FILE__IOCTL;
1813         }
1814
1815         return av;
1816 }
1817
1818 /*
1819  * Convert a file to an access vector and include the correct open
1820  * open permission.
1821  */
1822 static inline u32 open_file_to_av(struct file *file)
1823 {
1824         u32 av = file_to_av(file);
1825
1826         if (selinux_policycap_openperm) {
1827                 mode_t mode = file->f_path.dentry->d_inode->i_mode;
1828                 /*
1829                  * lnk files and socks do not really have an 'open'
1830                  */
1831                 if (S_ISREG(mode))
1832                         av |= FILE__OPEN;
1833                 else if (S_ISCHR(mode))
1834                         av |= CHR_FILE__OPEN;
1835                 else if (S_ISBLK(mode))
1836                         av |= BLK_FILE__OPEN;
1837                 else if (S_ISFIFO(mode))
1838                         av |= FIFO_FILE__OPEN;
1839                 else if (S_ISDIR(mode))
1840                         av |= DIR__OPEN;
1841                 else if (S_ISSOCK(mode))
1842                         av |= SOCK_FILE__OPEN;
1843                 else
1844                         printk(KERN_ERR "SELinux: WARNING: inside %s with "
1845                                 "unknown mode:%o\n", __func__, mode);
1846         }
1847         return av;
1848 }
1849
1850 /* Hook functions begin here. */
1851
1852 static int selinux_ptrace_may_access(struct task_struct *child,
1853                                      unsigned int mode)
1854 {
1855         int rc;
1856
1857         rc = cap_ptrace_may_access(child, mode);
1858         if (rc)
1859                 return rc;
1860
1861         if (mode == PTRACE_MODE_READ) {
1862                 u32 sid = current_sid();
1863                 u32 csid = task_sid(child);
1864                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1865         }
1866
1867         return current_has_perm(child, PROCESS__PTRACE);
1868 }
1869
1870 static int selinux_ptrace_traceme(struct task_struct *parent)
1871 {
1872         int rc;
1873
1874         rc = cap_ptrace_traceme(parent);
1875         if (rc)
1876                 return rc;
1877
1878         return task_has_perm(parent, current, PROCESS__PTRACE);
1879 }
1880
1881 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1882                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1883 {
1884         int error;
1885
1886         error = current_has_perm(target, PROCESS__GETCAP);
1887         if (error)
1888                 return error;
1889
1890         return cap_capget(target, effective, inheritable, permitted);
1891 }
1892
1893 static int selinux_capset(struct cred *new, const struct cred *old,
1894                           const kernel_cap_t *effective,
1895                           const kernel_cap_t *inheritable,
1896                           const kernel_cap_t *permitted)
1897 {
1898         int error;
1899
1900         error = cap_capset(new, old,
1901                                       effective, inheritable, permitted);
1902         if (error)
1903                 return error;
1904
1905         return cred_has_perm(old, new, PROCESS__SETCAP);
1906 }
1907
1908 /*
1909  * (This comment used to live with the selinux_task_setuid hook,
1910  * which was removed).
1911  *
1912  * Since setuid only affects the current process, and since the SELinux
1913  * controls are not based on the Linux identity attributes, SELinux does not
1914  * need to control this operation.  However, SELinux does control the use of
1915  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1916  */
1917
1918 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1919                            int cap, int audit)
1920 {
1921         int rc;
1922
1923         rc = cap_capable(tsk, cred, cap, audit);
1924         if (rc)
1925                 return rc;
1926
1927         return task_has_capability(tsk, cred, cap, audit);
1928 }
1929
1930 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1931 {
1932         int buflen, rc;
1933         char *buffer, *path, *end;
1934
1935         rc = -ENOMEM;
1936         buffer = (char *)__get_free_page(GFP_KERNEL);
1937         if (!buffer)
1938                 goto out;
1939
1940         buflen = PAGE_SIZE;
1941         end = buffer+buflen;
1942         *--end = '\0';
1943         buflen--;
1944         path = end-1;
1945         *path = '/';
1946         while (table) {
1947                 const char *name = table->procname;
1948                 size_t namelen = strlen(name);
1949                 buflen -= namelen + 1;
1950                 if (buflen < 0)
1951                         goto out_free;
1952                 end -= namelen;
1953                 memcpy(end, name, namelen);
1954                 *--end = '/';
1955                 path = end;
1956                 table = table->parent;
1957         }
1958         buflen -= 4;
1959         if (buflen < 0)
1960                 goto out_free;
1961         end -= 4;
1962         memcpy(end, "/sys", 4);
1963         path = end;
1964         rc = security_genfs_sid("proc", path, tclass, sid);
1965 out_free:
1966         free_page((unsigned long)buffer);
1967 out:
1968         return rc;
1969 }
1970
1971 static int selinux_sysctl(ctl_table *table, int op)
1972 {
1973         int error = 0;
1974         u32 av;
1975         u32 tsid, sid;
1976         int rc;
1977
1978         rc = secondary_ops->sysctl(table, op);
1979         if (rc)
1980                 return rc;
1981
1982         sid = current_sid();
1983
1984         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1985                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1986         if (rc) {
1987                 /* Default to the well-defined sysctl SID. */
1988                 tsid = SECINITSID_SYSCTL;
1989         }
1990
1991         /* The op values are "defined" in sysctl.c, thereby creating
1992          * a bad coupling between this module and sysctl.c */
1993         if (op == 001) {
1994                 error = avc_has_perm(sid, tsid,
1995                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1996         } else {
1997                 av = 0;
1998                 if (op & 004)
1999                         av |= FILE__READ;
2000                 if (op & 002)
2001                         av |= FILE__WRITE;
2002                 if (av)
2003                         error = avc_has_perm(sid, tsid,
2004                                              SECCLASS_FILE, av, NULL);
2005         }
2006
2007         return error;
2008 }
2009
2010 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2011 {
2012         const struct cred *cred = current_cred();
2013         int rc = 0;
2014
2015         if (!sb)
2016                 return 0;
2017
2018         switch (cmds) {
2019         case Q_SYNC:
2020         case Q_QUOTAON:
2021         case Q_QUOTAOFF:
2022         case Q_SETINFO:
2023         case Q_SETQUOTA:
2024                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2025                 break;
2026         case Q_GETFMT:
2027         case Q_GETINFO:
2028         case Q_GETQUOTA:
2029                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2030                 break;
2031         default:
2032                 rc = 0;  /* let the kernel handle invalid cmds */
2033                 break;
2034         }
2035         return rc;
2036 }
2037
2038 static int selinux_quota_on(struct dentry *dentry)
2039 {
2040         const struct cred *cred = current_cred();
2041
2042         return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
2043 }
2044
2045 static int selinux_syslog(int type)
2046 {
2047         int rc;
2048
2049         rc = cap_syslog(type);
2050         if (rc)
2051                 return rc;
2052
2053         switch (type) {
2054         case 3:         /* Read last kernel messages */
2055         case 10:        /* Return size of the log buffer */
2056                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2057                 break;
2058         case 6:         /* Disable logging to console */
2059         case 7:         /* Enable logging to console */
2060         case 8:         /* Set level of messages printed to console */
2061                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2062                 break;
2063         case 0:         /* Close log */
2064         case 1:         /* Open log */
2065         case 2:         /* Read from log */
2066         case 4:         /* Read/clear last kernel messages */
2067         case 5:         /* Clear ring buffer */
2068         default:
2069                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2070                 break;
2071         }
2072         return rc;
2073 }
2074
2075 /*
2076  * Check that a process has enough memory to allocate a new virtual
2077  * mapping. 0 means there is enough memory for the allocation to
2078  * succeed and -ENOMEM implies there is not.
2079  *
2080  * Do not audit the selinux permission check, as this is applied to all
2081  * processes that allocate mappings.
2082  */
2083 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2084 {
2085         int rc, cap_sys_admin = 0;
2086
2087         rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
2088                              SECURITY_CAP_NOAUDIT);
2089         if (rc == 0)
2090                 cap_sys_admin = 1;
2091
2092         return __vm_enough_memory(mm, pages, cap_sys_admin);
2093 }
2094
2095 /* binprm security operations */
2096
2097 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2098 {
2099         const struct task_security_struct *old_tsec;
2100         struct task_security_struct *new_tsec;
2101         struct inode_security_struct *isec;
2102         struct avc_audit_data ad;
2103         struct inode *inode = bprm->file->f_path.dentry->d_inode;
2104         int rc;
2105
2106         rc = cap_bprm_set_creds(bprm);
2107         if (rc)
2108                 return rc;
2109
2110         /* SELinux context only depends on initial program or script and not
2111          * the script interpreter */
2112         if (bprm->cred_prepared)
2113                 return 0;
2114
2115         old_tsec = current_security();
2116         new_tsec = bprm->cred->security;
2117         isec = inode->i_security;
2118
2119         /* Default to the current task SID. */
2120         new_tsec->sid = old_tsec->sid;
2121         new_tsec->osid = old_tsec->sid;
2122
2123         /* Reset fs, key, and sock SIDs on execve. */
2124         new_tsec->create_sid = 0;
2125         new_tsec->keycreate_sid = 0;
2126         new_tsec->sockcreate_sid = 0;
2127
2128         if (old_tsec->exec_sid) {
2129                 new_tsec->sid = old_tsec->exec_sid;
2130                 /* Reset exec SID on execve. */
2131                 new_tsec->exec_sid = 0;
2132         } else {
2133                 /* Check for a default transition on this program. */
2134                 rc = security_transition_sid(old_tsec->sid, isec->sid,
2135                                              SECCLASS_PROCESS, &new_tsec->sid);
2136                 if (rc)
2137                         return rc;
2138         }
2139
2140         AVC_AUDIT_DATA_INIT(&ad, FS);
2141         ad.u.fs.path = bprm->file->f_path;
2142
2143         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2144                 new_tsec->sid = old_tsec->sid;
2145
2146         if (new_tsec->sid == old_tsec->sid) {
2147                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2148                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2149                 if (rc)
2150                         return rc;
2151         } else {
2152                 /* Check permissions for the transition. */
2153                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2154                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2155                 if (rc)
2156                         return rc;
2157
2158                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2159                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2160                 if (rc)
2161                         return rc;
2162
2163                 /* Check for shared state */
2164                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2165                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2166                                           SECCLASS_PROCESS, PROCESS__SHARE,
2167                                           NULL);
2168                         if (rc)
2169                                 return -EPERM;
2170                 }
2171
2172                 /* Make sure that anyone attempting to ptrace over a task that
2173                  * changes its SID has the appropriate permit */
2174                 if (bprm->unsafe &
2175                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2176                         struct task_struct *tracer;
2177                         struct task_security_struct *sec;
2178                         u32 ptsid = 0;
2179
2180                         rcu_read_lock();
2181                         tracer = tracehook_tracer_task(current);
2182                         if (likely(tracer != NULL)) {
2183                                 sec = __task_cred(tracer)->security;
2184                                 ptsid = sec->sid;
2185                         }
2186                         rcu_read_unlock();
2187
2188                         if (ptsid != 0) {
2189                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2190                                                   SECCLASS_PROCESS,
2191                                                   PROCESS__PTRACE, NULL);
2192                                 if (rc)
2193                                         return -EPERM;
2194                         }
2195                 }
2196
2197                 /* Clear any possibly unsafe personality bits on exec: */
2198                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2199         }
2200
2201         return 0;
2202 }
2203
2204 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2205 {
2206         const struct cred *cred = current_cred();
2207         const struct task_security_struct *tsec = cred->security;
2208         u32 sid, osid;
2209         int atsecure = 0;
2210
2211         sid = tsec->sid;
2212         osid = tsec->osid;
2213
2214         if (osid != sid) {
2215                 /* Enable secure mode for SIDs transitions unless
2216                    the noatsecure permission is granted between
2217                    the two SIDs, i.e. ahp returns 0. */
2218                 atsecure = avc_has_perm(osid, sid,
2219                                         SECCLASS_PROCESS,
2220                                         PROCESS__NOATSECURE, NULL);
2221         }
2222
2223         return (atsecure || cap_bprm_secureexec(bprm));
2224 }
2225
2226 extern struct vfsmount *selinuxfs_mount;
2227 extern struct dentry *selinux_null;
2228
2229 /* Derived from fs/exec.c:flush_old_files. */
2230 static inline void flush_unauthorized_files(const struct cred *cred,
2231                                             struct files_struct *files)
2232 {
2233         struct avc_audit_data ad;
2234         struct file *file, *devnull = NULL;
2235         struct tty_struct *tty;
2236         struct fdtable *fdt;
2237         long j = -1;
2238         int drop_tty = 0;
2239
2240         tty = get_current_tty();
2241         if (tty) {
2242                 file_list_lock();
2243                 if (!list_empty(&tty->tty_files)) {
2244                         struct inode *inode;
2245
2246                         /* Revalidate access to controlling tty.
2247                            Use inode_has_perm on the tty inode directly rather
2248                            than using file_has_perm, as this particular open
2249                            file may belong to another process and we are only
2250                            interested in the inode-based check here. */
2251                         file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list);
2252                         inode = file->f_path.dentry->d_inode;
2253                         if (inode_has_perm(cred, inode,
2254                                            FILE__READ | FILE__WRITE, NULL)) {
2255                                 drop_tty = 1;
2256                         }
2257                 }
2258                 file_list_unlock();
2259                 tty_kref_put(tty);
2260         }
2261         /* Reset controlling tty. */
2262         if (drop_tty)
2263                 no_tty();
2264
2265         /* Revalidate access to inherited open files. */
2266
2267         AVC_AUDIT_DATA_INIT(&ad, FS);
2268
2269         spin_lock(&files->file_lock);
2270         for (;;) {
2271                 unsigned long set, i;
2272                 int fd;
2273
2274                 j++;
2275                 i = j * __NFDBITS;
2276                 fdt = files_fdtable(files);
2277                 if (i >= fdt->max_fds)
2278                         break;
2279                 set = fdt->open_fds->fds_bits[j];
2280                 if (!set)
2281                         continue;
2282                 spin_unlock(&files->file_lock);
2283                 for ( ; set ; i++, set >>= 1) {
2284                         if (set & 1) {
2285                                 file = fget(i);
2286                                 if (!file)
2287                                         continue;
2288                                 if (file_has_perm(cred,
2289                                                   file,
2290                                                   file_to_av(file))) {
2291                                         sys_close(i);
2292                                         fd = get_unused_fd();
2293                                         if (fd != i) {
2294                                                 if (fd >= 0)
2295                                                         put_unused_fd(fd);
2296                                                 fput(file);
2297                                                 continue;
2298                                         }
2299                                         if (devnull) {
2300                                                 get_file(devnull);
2301                                         } else {
2302                                                 devnull = dentry_open(
2303                                                         dget(selinux_null),
2304                                                         mntget(selinuxfs_mount),
2305                                                         O_RDWR, cred);
2306                                                 if (IS_ERR(devnull)) {
2307                                                         devnull = NULL;
2308                                                         put_unused_fd(fd);
2309                                                         fput(file);
2310                                                         continue;
2311                                                 }
2312                                         }
2313                                         fd_install(fd, devnull);
2314                                 }
2315                                 fput(file);
2316                         }
2317                 }
2318                 spin_lock(&files->file_lock);
2319
2320         }
2321         spin_unlock(&files->file_lock);
2322 }
2323
2324 /*
2325  * Prepare a process for imminent new credential changes due to exec
2326  */
2327 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2328 {
2329         struct task_security_struct *new_tsec;
2330         struct rlimit *rlim, *initrlim;
2331         int rc, i;
2332
2333         new_tsec = bprm->cred->security;
2334         if (new_tsec->sid == new_tsec->osid)
2335                 return;
2336
2337         /* Close files for which the new task SID is not authorized. */
2338         flush_unauthorized_files(bprm->cred, current->files);
2339
2340         /* Always clear parent death signal on SID transitions. */
2341         current->pdeath_signal = 0;
2342
2343         /* Check whether the new SID can inherit resource limits from the old
2344          * SID.  If not, reset all soft limits to the lower of the current
2345          * task's hard limit and the init task's soft limit.
2346          *
2347          * Note that the setting of hard limits (even to lower them) can be
2348          * controlled by the setrlimit check.  The inclusion of the init task's
2349          * soft limit into the computation is to avoid resetting soft limits
2350          * higher than the default soft limit for cases where the default is
2351          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2352          */
2353         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2354                           PROCESS__RLIMITINH, NULL);
2355         if (rc) {
2356                 for (i = 0; i < RLIM_NLIMITS; i++) {
2357                         rlim = current->signal->rlim + i;
2358                         initrlim = init_task.signal->rlim + i;
2359                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2360                 }
2361                 update_rlimit_cpu(rlim->rlim_cur);
2362         }
2363 }
2364
2365 /*
2366  * Clean up the process immediately after the installation of new credentials
2367  * due to exec
2368  */
2369 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2370 {
2371         const struct task_security_struct *tsec = current_security();
2372         struct itimerval itimer;
2373         struct sighand_struct *psig;
2374         u32 osid, sid;
2375         int rc, i;
2376         unsigned long flags;
2377
2378         osid = tsec->osid;
2379         sid = tsec->sid;
2380
2381         if (sid == osid)
2382                 return;
2383
2384         /* Check whether the new SID can inherit signal state from the old SID.
2385          * If not, clear itimers to avoid subsequent signal generation and
2386          * flush and unblock signals.
2387          *
2388          * This must occur _after_ the task SID has been updated so that any
2389          * kill done after the flush will be checked against the new SID.
2390          */
2391         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2392         if (rc) {
2393                 memset(&itimer, 0, sizeof itimer);
2394                 for (i = 0; i < 3; i++)
2395                         do_setitimer(i, &itimer, NULL);
2396                 flush_signals(current);
2397                 spin_lock_irq(&current->sighand->siglock);
2398                 flush_signal_handlers(current, 1);
2399                 sigemptyset(&current->blocked);
2400                 recalc_sigpending();
2401                 spin_unlock_irq(&current->sighand->siglock);
2402         }
2403
2404         /* Wake up the parent if it is waiting so that it can recheck
2405          * wait permission to the new task SID. */
2406         read_lock_irq(&tasklist_lock);
2407         psig = current->parent->sighand;
2408         spin_lock_irqsave(&psig->siglock, flags);
2409         wake_up_interruptible(&current->parent->signal->wait_chldexit);
2410         spin_unlock_irqrestore(&psig->siglock, flags);
2411         read_unlock_irq(&tasklist_lock);
2412 }
2413
2414 /* superblock security operations */
2415
2416 static int selinux_sb_alloc_security(struct super_block *sb)
2417 {
2418         return superblock_alloc_security(sb);
2419 }
2420
2421 static void selinux_sb_free_security(struct super_block *sb)
2422 {
2423         superblock_free_security(sb);
2424 }
2425
2426 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2427 {
2428         if (plen > olen)
2429                 return 0;
2430
2431         return !memcmp(prefix, option, plen);
2432 }
2433
2434 static inline int selinux_option(char *option, int len)
2435 {
2436         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2437                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2438                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2439                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2440                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2441 }
2442
2443 static inline void take_option(char **to, char *from, int *first, int len)
2444 {
2445         if (!*first) {
2446                 **to = ',';
2447                 *to += 1;
2448         } else
2449                 *first = 0;
2450         memcpy(*to, from, len);
2451         *to += len;
2452 }
2453
2454 static inline void take_selinux_option(char **to, char *from, int *first,
2455                                        int len)
2456 {
2457         int current_size = 0;
2458
2459         if (!*first) {
2460                 **to = '|';
2461                 *to += 1;
2462         } else
2463                 *first = 0;
2464
2465         while (current_size < len) {
2466                 if (*from != '"') {
2467                         **to = *from;
2468                         *to += 1;
2469                 }
2470                 from += 1;
2471                 current_size += 1;
2472         }
2473 }
2474
2475 static int selinux_sb_copy_data(char *orig, char *copy)
2476 {
2477         int fnosec, fsec, rc = 0;
2478         char *in_save, *in_curr, *in_end;
2479         char *sec_curr, *nosec_save, *nosec;
2480         int open_quote = 0;
2481
2482         in_curr = orig;
2483         sec_curr = copy;
2484
2485         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2486         if (!nosec) {
2487                 rc = -ENOMEM;
2488                 goto out;
2489         }
2490
2491         nosec_save = nosec;
2492         fnosec = fsec = 1;
2493         in_save = in_end = orig;
2494
2495         do {
2496                 if (*in_end == '"')
2497                         open_quote = !open_quote;
2498                 if ((*in_end == ',' && open_quote == 0) ||
2499                                 *in_end == '\0') {
2500                         int len = in_end - in_curr;
2501
2502                         if (selinux_option(in_curr, len))
2503                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2504                         else
2505                                 take_option(&nosec, in_curr, &fnosec, len);
2506
2507                         in_curr = in_end + 1;
2508                 }
2509         } while (*in_end++);
2510
2511         strcpy(in_save, nosec_save);
2512         free_page((unsigned long)nosec_save);
2513 out:
2514         return rc;
2515 }
2516
2517 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2518 {
2519         const struct cred *cred = current_cred();
2520         struct avc_audit_data ad;
2521         int rc;
2522
2523         rc = superblock_doinit(sb, data);
2524         if (rc)
2525                 return rc;
2526
2527         /* Allow all mounts performed by the kernel */
2528         if (flags & MS_KERNMOUNT)
2529                 return 0;
2530
2531         AVC_AUDIT_DATA_INIT(&ad, FS);
2532         ad.u.fs.path.dentry = sb->s_root;
2533         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2534 }
2535
2536 static int selinux_sb_statfs(struct dentry *dentry)
2537 {
2538         const struct cred *cred = current_cred();
2539         struct avc_audit_data ad;
2540
2541         AVC_AUDIT_DATA_INIT(&ad, FS);
2542         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2543         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2544 }
2545
2546 static int selinux_mount(char *dev_name,
2547                          struct path *path,
2548                          char *type,
2549                          unsigned long flags,
2550                          void *data)
2551 {
2552         const struct cred *cred = current_cred();
2553
2554         if (flags & MS_REMOUNT)
2555                 return superblock_has_perm(cred, path->mnt->mnt_sb,
2556                                            FILESYSTEM__REMOUNT, NULL);
2557         else
2558                 return dentry_has_perm(cred, path->mnt, path->dentry,
2559                                        FILE__MOUNTON);
2560 }
2561
2562 static int selinux_umount(struct vfsmount *mnt, int flags)
2563 {
2564         const struct cred *cred = current_cred();
2565
2566         return superblock_has_perm(cred, mnt->mnt_sb,
2567                                    FILESYSTEM__UNMOUNT, NULL);
2568 }
2569
2570 /* inode security operations */
2571
2572 static int selinux_inode_alloc_security(struct inode *inode)
2573 {
2574         return inode_alloc_security(inode);
2575 }
2576
2577 static void selinux_inode_free_security(struct inode *inode)
2578 {
2579         inode_free_security(inode);
2580 }
2581
2582 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2583                                        char **name, void **value,
2584                                        size_t *len)
2585 {
2586         const struct cred *cred = current_cred();
2587         const struct task_security_struct *tsec = cred->security;
2588         struct inode_security_struct *dsec;
2589         struct superblock_security_struct *sbsec;
2590         u32 sid, newsid, clen;
2591         int rc;
2592         char *namep = NULL, *context;
2593
2594         dsec = dir->i_security;
2595         sbsec = dir->i_sb->s_security;
2596
2597         sid = tsec->sid;
2598         newsid = tsec->create_sid;
2599
2600         if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2601                 rc = security_transition_sid(sid, dsec->sid,
2602                                              inode_mode_to_security_class(inode->i_mode),
2603                                              &newsid);
2604                 if (rc) {
2605                         printk(KERN_WARNING "%s:  "
2606                                "security_transition_sid failed, rc=%d (dev=%s "
2607                                "ino=%ld)\n",
2608                                __func__,
2609                                -rc, inode->i_sb->s_id, inode->i_ino);
2610                         return rc;
2611                 }
2612         }
2613
2614         /* Possibly defer initialization to selinux_complete_init. */
2615         if (sbsec->flags & SE_SBINITIALIZED) {
2616                 struct inode_security_struct *isec = inode->i_security;
2617                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2618                 isec->sid = newsid;
2619                 isec->initialized = 1;
2620         }
2621
2622         if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2623                 return -EOPNOTSUPP;
2624
2625         if (name) {
2626                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2627                 if (!namep)
2628                         return -ENOMEM;
2629                 *name = namep;
2630         }
2631
2632         if (value && len) {
2633                 rc = security_sid_to_context_force(newsid, &context, &clen);
2634                 if (rc) {
2635                         kfree(namep);
2636                         return rc;
2637                 }
2638                 *value = context;
2639                 *len = clen;
2640         }
2641
2642         return 0;
2643 }
2644
2645 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2646 {
2647         return may_create(dir, dentry, SECCLASS_FILE);
2648 }
2649
2650 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2651 {
2652         return may_link(dir, old_dentry, MAY_LINK);
2653 }
2654
2655 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2656 {
2657         return may_link(dir, dentry, MAY_UNLINK);
2658 }
2659
2660 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2661 {
2662         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2663 }
2664
2665 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2666 {
2667         return may_create(dir, dentry, SECCLASS_DIR);
2668 }
2669
2670 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2671 {
2672         return may_link(dir, dentry, MAY_RMDIR);
2673 }
2674
2675 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2676 {
2677         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2678 }
2679
2680 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2681                                 struct inode *new_inode, struct dentry *new_dentry)
2682 {
2683         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2684 }
2685
2686 static int selinux_inode_readlink(struct dentry *dentry)
2687 {
2688         const struct cred *cred = current_cred();
2689
2690         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2691 }
2692
2693 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2694 {
2695         const struct cred *cred = current_cred();
2696
2697         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2698 }
2699
2700 static int selinux_inode_permission(struct inode *inode, int mask)
2701 {
2702         const struct cred *cred = current_cred();
2703
2704         if (!mask) {
2705                 /* No permission to check.  Existence test. */
2706                 return 0;
2707         }
2708
2709         return inode_has_perm(cred, inode,
2710                               file_mask_to_av(inode->i_mode, mask), NULL);
2711 }
2712
2713 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2714 {
2715         const struct cred *cred = current_cred();
2716
2717         if (iattr->ia_valid & ATTR_FORCE)
2718                 return 0;
2719
2720         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2721                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2722                 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2723
2724         return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2725 }
2726
2727 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2728 {
2729         const struct cred *cred = current_cred();
2730
2731         return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2732 }
2733
2734 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2735 {
2736         const struct cred *cred = current_cred();
2737
2738         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2739                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2740                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2741                         if (!capable(CAP_SETFCAP))
2742                                 return -EPERM;
2743                 } else if (!capable(CAP_SYS_ADMIN)) {
2744                         /* A different attribute in the security namespace.
2745                            Restrict to administrator. */
2746                         return -EPERM;
2747                 }
2748         }
2749
2750         /* Not an attribute we recognize, so just check the
2751            ordinary setattr permission. */
2752         return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2753 }
2754
2755 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2756                                   const void *value, size_t size, int flags)
2757 {
2758         struct inode *inode = dentry->d_inode;
2759         struct inode_security_struct *isec = inode->i_security;
2760         struct superblock_security_struct *sbsec;
2761         struct avc_audit_data ad;
2762         u32 newsid, sid = current_sid();
2763         int rc = 0;
2764
2765         if (strcmp(name, XATTR_NAME_SELINUX))
2766                 return selinux_inode_setotherxattr(dentry, name);
2767
2768         sbsec = inode->i_sb->s_security;
2769         if (!(sbsec->flags & SE_SBLABELSUPP))
2770                 return -EOPNOTSUPP;
2771
2772         if (!is_owner_or_cap(inode))
2773                 return -EPERM;
2774
2775         AVC_AUDIT_DATA_INIT(&ad, FS);
2776         ad.u.fs.path.dentry = dentry;
2777
2778         rc = avc_has_perm(sid, isec->sid, isec->sclass,
2779                           FILE__RELABELFROM, &ad);
2780         if (rc)
2781                 return rc;
2782
2783         rc = security_context_to_sid(value, size, &newsid);
2784         if (rc == -EINVAL) {
2785                 if (!capable(CAP_MAC_ADMIN))
2786                         return rc;
2787                 rc = security_context_to_sid_force(value, size, &newsid);
2788         }
2789         if (rc)
2790                 return rc;
2791
2792         rc = avc_has_perm(sid, newsid, isec->sclass,
2793                           FILE__RELABELTO, &ad);
2794         if (rc)
2795                 return rc;
2796
2797         rc = security_validate_transition(isec->sid, newsid, sid,
2798                                           isec->sclass);
2799         if (rc)
2800                 return rc;
2801
2802         return avc_has_perm(newsid,
2803                             sbsec->sid,
2804                             SECCLASS_FILESYSTEM,
2805                             FILESYSTEM__ASSOCIATE,
2806                             &ad);
2807 }
2808
2809 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2810                                         const void *value, size_t size,
2811                                         int flags)
2812 {
2813         struct inode *inode = dentry->d_inode;
2814         struct inode_security_struct *isec = inode->i_security;
2815         u32 newsid;
2816         int rc;
2817
2818         if (strcmp(name, XATTR_NAME_SELINUX)) {
2819                 /* Not an attribute we recognize, so nothing to do. */
2820                 return;
2821         }
2822
2823         rc = security_context_to_sid_force(value, size, &newsid);
2824         if (rc) {
2825                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2826                        "for (%s, %lu), rc=%d\n",
2827                        inode->i_sb->s_id, inode->i_ino, -rc);
2828                 return;
2829         }
2830
2831         isec->sid = newsid;
2832         return;
2833 }
2834
2835 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2836 {
2837         const struct cred *cred = current_cred();
2838
2839         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2840 }
2841
2842 static int selinux_inode_listxattr(struct dentry *dentry)
2843 {
2844         const struct cred *cred = current_cred();
2845
2846         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2847 }
2848
2849 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2850 {
2851         if (strcmp(name, XATTR_NAME_SELINUX))
2852                 return selinux_inode_setotherxattr(dentry, name);
2853
2854         /* No one is allowed to remove a SELinux security label.
2855            You can change the label, but all data must be labeled. */
2856         return -EACCES;
2857 }
2858
2859 /*
2860  * Copy the inode security context value to the user.
2861  *
2862  * Permission check is handled by selinux_inode_getxattr hook.
2863  */
2864 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2865 {
2866         u32 size;
2867         int error;
2868         char *context = NULL;
2869         struct inode_security_struct *isec = inode->i_security;
2870
2871         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2872                 return -EOPNOTSUPP;
2873
2874         /*
2875          * If the caller has CAP_MAC_ADMIN, then get the raw context
2876          * value even if it is not defined by current policy; otherwise,
2877          * use the in-core value under current policy.
2878          * Use the non-auditing forms of the permission checks since
2879          * getxattr may be called by unprivileged processes commonly
2880          * and lack of permission just means that we fall back to the
2881          * in-core context value, not a denial.
2882          */
2883         error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
2884                                 SECURITY_CAP_NOAUDIT);
2885         if (!error)
2886                 error = security_sid_to_context_force(isec->sid, &context,
2887                                                       &size);
2888         else
2889                 error = security_sid_to_context(isec->sid, &context, &size);
2890         if (error)
2891                 return error;
2892         error = size;
2893         if (alloc) {
2894                 *buffer = context;
2895                 goto out_nofree;
2896         }
2897         kfree(context);
2898 out_nofree:
2899         return error;
2900 }
2901
2902 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2903                                      const void *value, size_t size, int flags)
2904 {
2905         struct inode_security_struct *isec = inode->i_security;
2906         u32 newsid;
2907         int rc;
2908
2909         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2910                 return -EOPNOTSUPP;
2911
2912         if (!value || !size)
2913                 return -EACCES;
2914
2915         rc = security_context_to_sid((void *)value, size, &newsid);
2916         if (rc)
2917                 return rc;
2918
2919         isec->sid = newsid;
2920         return 0;
2921 }
2922
2923 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2924 {
2925         const int len = sizeof(XATTR_NAME_SELINUX);
2926         if (buffer && len <= buffer_size)
2927                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2928         return len;
2929 }
2930
2931 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2932 {
2933         struct inode_security_struct *isec = inode->i_security;
2934         *secid = isec->sid;
2935 }
2936
2937 /* file security operations */
2938
2939 static int selinux_revalidate_file_permission(struct file *file, int mask)
2940 {
2941         const struct cred *cred = current_cred();
2942         int rc;
2943         struct inode *inode = file->f_path.dentry->d_inode;
2944
2945         if (!mask) {
2946                 /* No permission to check.  Existence test. */
2947                 return 0;
2948         }
2949
2950         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2951         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2952                 mask |= MAY_APPEND;
2953
2954         rc = file_has_perm(cred, file,
2955                            file_mask_to_av(inode->i_mode, mask));
2956         if (rc)
2957                 return rc;
2958
2959         return selinux_netlbl_inode_permission(inode, mask);
2960 }
2961
2962 static int selinux_file_permission(struct file *file, int mask)
2963 {
2964         struct inode *inode = file->f_path.dentry->d_inode;
2965         struct file_security_struct *fsec = file->f_security;
2966         struct inode_security_struct *isec = inode->i_security;
2967         u32 sid = current_sid();
2968
2969         if (!mask) {
2970                 /* No permission to check.  Existence test. */
2971                 return 0;
2972         }
2973
2974         if (sid == fsec->sid && fsec->isid == isec->sid
2975             && fsec->pseqno == avc_policy_seqno())
2976                 return selinux_netlbl_inode_permission(inode, mask);
2977
2978         return selinux_revalidate_file_permission(file, mask);
2979 }
2980
2981 static int selinux_file_alloc_security(struct file *file)
2982 {
2983         return file_alloc_security(file);
2984 }
2985
2986 static void selinux_file_free_security(struct file *file)
2987 {
2988         file_free_security(file);
2989 }
2990
2991 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2992                               unsigned long arg)
2993 {
2994         const struct cred *cred = current_cred();
2995         u32 av = 0;
2996
2997         if (_IOC_DIR(cmd) & _IOC_WRITE)
2998                 av |= FILE__WRITE;
2999         if (_IOC_DIR(cmd) & _IOC_READ)
3000                 av |= FILE__READ;
3001         if (!av)
3002                 av = FILE__IOCTL;
3003
3004         return file_has_perm(cred, file, av);
3005 }
3006
3007 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3008 {
3009         const struct cred *cred = current_cred();
3010         int rc = 0;
3011
3012 #ifndef CONFIG_PPC32
3013         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3014                 /*
3015                  * We are making executable an anonymous mapping or a
3016                  * private file mapping that will also be writable.
3017                  * This has an additional check.
3018                  */
3019                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3020                 if (rc)
3021                         goto error;
3022         }
3023 #endif
3024
3025         if (file) {
3026                 /* read access is always possible with a mapping */
3027                 u32 av = FILE__READ;
3028
3029                 /* write access only matters if the mapping is shared */
3030                 if (shared && (prot & PROT_WRITE))
3031                         av |= FILE__WRITE;
3032
3033                 if (prot & PROT_EXEC)
3034                         av |= FILE__EXECUTE;
3035
3036                 return file_has_perm(cred, file, av);
3037         }
3038
3039 error:
3040         return rc;
3041 }
3042
3043 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3044                              unsigned long prot, unsigned long flags,
3045                              unsigned long addr, unsigned long addr_only)
3046 {
3047         int rc = 0;
3048         u32 sid = current_sid();
3049
3050         if (addr < mmap_min_addr)
3051                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3052                                   MEMPROTECT__MMAP_ZERO, NULL);
3053         if (rc || addr_only)
3054                 return rc;
3055
3056         if (selinux_checkreqprot)
3057                 prot = reqprot;
3058
3059         return file_map_prot_check(file, prot,
3060                                    (flags & MAP_TYPE) == MAP_SHARED);
3061 }
3062
3063 static int selinux_file_mprotect(struct vm_area_struct *vma,
3064                                  unsigned long reqprot,
3065                                  unsigned long prot)
3066 {
3067         const struct cred *cred = current_cred();
3068
3069         if (selinux_checkreqprot)
3070                 prot = reqprot;
3071
3072 #ifndef CONFIG_PPC32
3073         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3074                 int rc = 0;
3075                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3076                     vma->vm_end <= vma->vm_mm->brk) {
3077                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3078                 } else if (!vma->vm_file &&
3079                            vma->vm_start <= vma->vm_mm->start_stack &&
3080                            vma->vm_end >= vma->vm_mm->start_stack) {
3081                         rc = current_has_perm(current, PROCESS__EXECSTACK);
3082                 } else if (vma->vm_file && vma->anon_vma) {
3083                         /*
3084                          * We are making executable a file mapping that has
3085                          * had some COW done. Since pages might have been
3086                          * written, check ability to execute the possibly
3087                          * modified content.  This typically should only
3088                          * occur for text relocations.
3089                          */
3090                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3091                 }
3092                 if (rc)
3093                         return rc;
3094         }
3095 #endif
3096
3097         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3098 }
3099
3100 static int selinux_file_lock(struct file *file, unsigned int cmd)
3101 {
3102         const struct cred *cred = current_cred();
3103
3104         return file_has_perm(cred, file, FILE__LOCK);
3105 }
3106
3107 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3108                               unsigned long arg)
3109 {
3110         const struct cred *cred = current_cred();
3111         int err = 0;
3112
3113         switch (cmd) {
3114         case F_SETFL:
3115                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3116                         err = -EINVAL;
3117                         break;
3118                 }
3119
3120                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3121                         err = file_has_perm(cred, file, FILE__WRITE);
3122                         break;
3123                 }
3124                 /* fall through */
3125         case F_SETOWN:
3126         case F_SETSIG:
3127         case F_GETFL:
3128         case F_GETOWN:
3129         case F_GETSIG:
3130                 /* Just check FD__USE permission */
3131                 err = file_has_perm(cred, file, 0);
3132                 break;
3133         case F_GETLK:
3134         case F_SETLK:
3135         case F_SETLKW:
3136 #if BITS_PER_LONG == 32
3137         case F_GETLK64:
3138         case F_SETLK64:
3139         case F_SETLKW64:
3140 #endif
3141                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3142                         err = -EINVAL;
3143                         break;
3144                 }
3145                 err = file_has_perm(cred, file, FILE__LOCK);
3146                 break;
3147         }
3148
3149         return err;
3150 }
3151
3152 static int selinux_file_set_fowner(struct file *file)
3153 {
3154         struct file_security_struct *fsec;
3155
3156         fsec = file->f_security;
3157         fsec->fown_sid = current_sid();
3158
3159         return 0;
3160 }
3161
3162 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3163                                        struct fown_struct *fown, int signum)
3164 {
3165         struct file *file;
3166         u32 sid = current_sid();
3167         u32 perm;
3168         struct file_security_struct *fsec;
3169
3170         /* struct fown_struct is never outside the context of a struct file */
3171         file = container_of(fown, struct file, f_owner);
3172
3173         fsec = file->f_security;
3174
3175         if (!signum)
3176                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3177         else
3178                 perm = signal_to_av(signum);
3179
3180         return avc_has_perm(fsec->fown_sid, sid,
3181                             SECCLASS_PROCESS, perm, NULL);
3182 }
3183
3184 static int selinux_file_receive(struct file *file)
3185 {
3186         const struct cred *cred = current_cred();
3187
3188         return file_has_perm(cred, file, file_to_av(file));
3189 }
3190
3191 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3192 {
3193         struct file_security_struct *fsec;
3194         struct inode *inode;
3195         struct inode_security_struct *isec;
3196
3197         inode = file->f_path.dentry->d_inode;
3198         fsec = file->f_security;
3199         isec = inode->i_security;
3200         /*
3201          * Save inode label and policy sequence number
3202          * at open-time so that selinux_file_permission
3203          * can determine whether revalidation is necessary.
3204          * Task label is already saved in the file security
3205          * struct as its SID.
3206          */
3207         fsec->isid = isec->sid;
3208         fsec->pseqno = avc_policy_seqno();
3209         /*
3210          * Since the inode label or policy seqno may have changed
3211          * between the selinux_inode_permission check and the saving
3212          * of state above, recheck that access is still permitted.
3213          * Otherwise, access might never be revalidated against the
3214          * new inode label or new policy.
3215          * This check is not redundant - do not remove.
3216          */
3217         return inode_has_perm(cred, inode, open_file_to_av(file), NULL);
3218 }
3219
3220 /* task security operations */
3221
3222 static int selinux_task_create(unsigned long clone_flags)
3223 {
3224         return current_has_perm(current, PROCESS__FORK);
3225 }
3226
3227 /*
3228  * detach and free the LSM part of a set of credentials
3229  */
3230 static void selinux_cred_free(struct cred *cred)
3231 {
3232         struct task_security_struct *tsec = cred->security;
3233         cred->security = NULL;
3234         kfree(tsec);
3235 }
3236
3237 /*
3238  * prepare a new set of credentials for modification
3239  */
3240 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3241                                 gfp_t gfp)
3242 {
3243         const struct task_security_struct *old_tsec;
3244         struct task_security_struct *tsec;
3245
3246         old_tsec = old->security;
3247
3248         tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3249         if (!tsec)
3250                 return -ENOMEM;
3251
3252         new->security = tsec;
3253         return 0;
3254 }
3255
3256 /*
3257  * set the security data for a kernel service
3258  * - all the creation contexts are set to unlabelled
3259  */
3260 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3261 {
3262         struct task_security_struct *tsec = new->security;
3263         u32 sid = current_sid();
3264         int ret;
3265
3266         ret = avc_has_perm(sid, secid,
3267                            SECCLASS_KERNEL_SERVICE,
3268                            KERNEL_SERVICE__USE_AS_OVERRIDE,
3269                            NULL);
3270         if (ret == 0) {
3271                 tsec->sid = secid;
3272                 tsec->create_sid = 0;
3273                 tsec->keycreate_sid = 0;
3274                 tsec->sockcreate_sid = 0;
3275         }
3276         return ret;
3277 }
3278
3279 /*
3280  * set the file creation context in a security record to the same as the
3281  * objective context of the specified inode
3282  */
3283 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3284 {
3285         struct inode_security_struct *isec = inode->i_security;
3286         struct task_security_struct *tsec = new->security;
3287         u32 sid = current_sid();
3288         int ret;
3289
3290         ret = avc_has_perm(sid, isec->sid,
3291                            SECCLASS_KERNEL_SERVICE,
3292                            KERNEL_SERVICE__CREATE_FILES_AS,
3293                            NULL);
3294
3295         if (ret == 0)
3296                 tsec->create_sid = isec->sid;
3297         return 0;
3298 }
3299
3300 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3301 {
3302         return current_has_perm(p, PROCESS__SETPGID);
3303 }
3304
3305 static int selinux_task_getpgid(struct task_struct *p)
3306 {
3307         return current_has_perm(p, PROCESS__GETPGID);
3308 }
3309
3310 static int selinux_task_getsid(struct task_struct *p)
3311 {
3312         return current_has_perm(p, PROCESS__GETSESSION);
3313 }
3314
3315 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3316 {
3317         *secid = task_sid(p);
3318 }
3319
3320 static int selinux_task_setnice(struct task_struct *p, int nice)
3321 {
3322         int rc;
3323
3324         rc = cap_task_setnice(p, nice);
3325         if (rc)
3326                 return rc;
3327
3328         return current_has_perm(p, PROCESS__SETSCHED);
3329 }
3330
3331 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3332 {
3333         int rc;
3334
3335         rc = cap_task_setioprio(p, ioprio);
3336         if (rc)
3337                 return rc;
3338
3339         return current_has_perm(p, PROCESS__SETSCHED);
3340 }
3341
3342 static int selinux_task_getioprio(struct task_struct *p)
3343 {
3344         return current_has_perm(p, PROCESS__GETSCHED);
3345 }
3346
3347 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3348 {
3349         struct rlimit *old_rlim = current->signal->rlim + resource;
3350
3351         /* Control the ability to change the hard limit (whether
3352            lowering or raising it), so that the hard limit can
3353            later be used as a safe reset point for the soft limit
3354            upon context transitions.  See selinux_bprm_committing_creds. */
3355         if (old_rlim->rlim_max != new_rlim->rlim_max)
3356                 return current_has_perm(current, PROCESS__SETRLIMIT);
3357
3358         return 0;
3359 }
3360
3361 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3362 {
3363         int rc;
3364
3365         rc = cap_task_setscheduler(p, policy, lp);
3366         if (rc)
3367                 return rc;
3368
3369         return current_has_perm(p, PROCESS__SETSCHED);
3370 }
3371
3372 static int selinux_task_getscheduler(struct task_struct *p)
3373 {
3374         return current_has_perm(p, PROCESS__GETSCHED);
3375 }
3376
3377 static int selinux_task_movememory(struct task_struct *p)
3378 {
3379         return current_has_perm(p, PROCESS__SETSCHED);
3380 }
3381
3382 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3383                                 int sig, u32 secid)
3384 {
3385         u32 perm;
3386         int rc;
3387
3388         if (!sig)
3389                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3390         else
3391                 perm = signal_to_av(sig);
3392         if (secid)
3393                 rc = avc_has_perm(secid, task_sid(p),
3394                                   SECCLASS_PROCESS, perm, NULL);
3395         else
3396                 rc = current_has_perm(p, perm);
3397         return rc;
3398 }
3399
3400 static int selinux_task_wait(struct task_struct *p)
3401 {
3402         return task_has_perm(p, current, PROCESS__SIGCHLD);
3403 }
3404
3405 static void selinux_task_to_inode(struct task_struct *p,
3406                                   struct inode *inode)
3407 {
3408         struct inode_security_struct *isec = inode->i_security;
3409         u32 sid = task_sid(p);
3410
3411         isec->sid = sid;
3412         isec->initialized = 1;
3413 }
3414
3415 /* Returns error only if unable to parse addresses */
3416 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3417                         struct avc_audit_data *ad, u8 *proto)
3418 {
3419         int offset, ihlen, ret = -EINVAL;
3420         struct iphdr _iph, *ih;
3421
3422         offset = skb_network_offset(skb);
3423         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3424         if (ih == NULL)
3425                 goto out;
3426
3427         ihlen = ih->ihl * 4;
3428         if (ihlen < sizeof(_iph))
3429                 goto out;
3430
3431         ad->u.net.v4info.saddr = ih->saddr;
3432         ad->u.net.v4info.daddr = ih->daddr;
3433         ret = 0;
3434
3435         if (proto)
3436                 *proto = ih->protocol;
3437
3438         switch (ih->protocol) {
3439         case IPPROTO_TCP: {
3440                 struct tcphdr _tcph, *th;
3441
3442                 if (ntohs(ih->frag_off) & IP_OFFSET)
3443                         break;
3444
3445                 offset += ihlen;
3446                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3447                 if (th == NULL)
3448                         break;
3449
3450                 ad->u.net.sport = th->source;
3451                 ad->u.net.dport = th->dest;
3452                 break;
3453         }
3454
3455         case IPPROTO_UDP: {
3456                 struct udphdr _udph, *uh;
3457
3458                 if (ntohs(ih->frag_off) & IP_OFFSET)
3459                         break;
3460
3461                 offset += ihlen;
3462                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3463                 if (uh == NULL)
3464                         break;
3465
3466                 ad->u.net.sport = uh->source;
3467                 ad->u.net.dport = uh->dest;
3468                 break;
3469         }
3470
3471         case IPPROTO_DCCP: {
3472                 struct dccp_hdr _dccph, *dh;
3473
3474                 if (ntohs(ih->frag_off) & IP_OFFSET)
3475                         break;
3476
3477                 offset += ihlen;
3478                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3479                 if (dh == NULL)
3480                         break;
3481
3482                 ad->u.net.sport = dh->dccph_sport;
3483                 ad->u.net.dport = dh->dccph_dport;
3484                 break;
3485         }
3486
3487         default:
3488                 break;
3489         }
3490 out:
3491         return ret;
3492 }
3493
3494 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3495
3496 /* Returns error only if unable to parse addresses */
3497 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3498                         struct avc_audit_data *ad, u8 *proto)
3499 {
3500         u8 nexthdr;
3501         int ret = -EINVAL, offset;
3502         struct ipv6hdr _ipv6h, *ip6;
3503
3504         offset = skb_network_offset(skb);
3505         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3506         if (ip6 == NULL)
3507                 goto out;
3508
3509         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3510         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3511         ret = 0;
3512
3513         nexthdr = ip6->nexthdr;
3514         offset += sizeof(_ipv6h);
3515         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3516         if (offset < 0)
3517                 goto out;
3518
3519         if (proto)
3520                 *proto = nexthdr;
3521
3522         switch (nexthdr) {
3523         case IPPROTO_TCP: {
3524                 struct tcphdr _tcph, *th;
3525
3526                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3527                 if (th == NULL)
3528                         break;
3529
3530                 ad->u.net.sport = th->source;
3531                 ad->u.net.dport = th->dest;
3532                 break;
3533         }
3534
3535         case IPPROTO_UDP: {
3536                 struct udphdr _udph, *uh;
3537
3538                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3539                 if (uh == NULL)
3540                         break;
3541
3542                 ad->u.net.sport = uh->source;
3543                 ad->u.net.dport = uh->dest;
3544                 break;
3545         }
3546
3547         case IPPROTO_DCCP: {
3548                 struct dccp_hdr _dccph, *dh;
3549
3550                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3551                 if (dh == NULL)
3552                         break;
3553
3554                 ad->u.net.sport = dh->dccph_sport;
3555                 ad->u.net.dport = dh->dccph_dport;
3556                 break;
3557         }
3558
3559         /* includes fragments */
3560         default:
3561                 break;
3562         }
3563 out:
3564         return ret;
3565 }
3566
3567 #endif /* IPV6 */
3568
3569 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3570                              char **_addrp, int src, u8 *proto)
3571 {
3572         char *addrp;
3573         int ret;
3574
3575         switch (ad->u.net.family) {
3576         case PF_INET:
3577                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3578                 if (ret)
3579                         goto parse_error;
3580                 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3581                                        &ad->u.net.v4info.daddr);
3582                 goto okay;
3583
3584 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3585         case PF_INET6:
3586                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3587                 if (ret)
3588                         goto parse_error;
3589                 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3590                                        &ad->u.net.v6info.daddr);
3591                 goto okay;
3592 #endif  /* IPV6 */
3593         default:
3594                 addrp = NULL;
3595                 goto okay;
3596         }
3597
3598 parse_error:
3599         printk(KERN_WARNING
3600                "SELinux: failure in selinux_parse_skb(),"
3601                " unable to parse packet\n");
3602         return ret;
3603
3604 okay:
3605         if (_addrp)
3606                 *_addrp = addrp;
3607         return 0;
3608 }
3609
3610 /**
3611  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3612  * @skb: the packet
3613  * @family: protocol family
3614  * @sid: the packet's peer label SID
3615  *
3616  * Description:
3617  * Check the various different forms of network peer labeling and determine
3618  * the peer label/SID for the packet; most of the magic actually occurs in
3619  * the security server function security_net_peersid_cmp().  The function
3620  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3621  * or -EACCES if @sid is invalid due to inconsistencies with the different
3622  * peer labels.
3623  *
3624  */
3625 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3626 {
3627         int err;
3628         u32 xfrm_sid;
3629         u32 nlbl_sid;
3630         u32 nlbl_type;
3631
3632         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3633         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3634
3635         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3636         if (unlikely(err)) {
3637                 printk(KERN_WARNING
3638                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3639                        " unable to determine packet's peer label\n");
3640                 return -EACCES;
3641         }
3642
3643         return 0;
3644 }
3645
3646 /* socket security operations */
3647 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3648                            u32 perms)
3649 {
3650         struct inode_security_struct *isec;
3651         struct avc_audit_data ad;
3652         u32 sid;
3653         int err = 0;
3654
3655         isec = SOCK_INODE(sock)->i_security;
3656
3657         if (isec->sid == SECINITSID_KERNEL)
3658                 goto out;
3659         sid = task_sid(task);
3660
3661         AVC_AUDIT_DATA_INIT(&ad, NET);
3662         ad.u.net.sk = sock->sk;
3663         err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
3664
3665 out:
3666         return err;
3667 }
3668
3669 static int selinux_socket_create(int family, int type,
3670                                  int protocol, int kern)
3671 {
3672         const struct cred *cred = current_cred();
3673         const struct task_security_struct *tsec = cred->security;
3674         u32 sid, newsid;
3675         u16 secclass;
3676         int err = 0;
3677
3678         if (kern)
3679                 goto out;
3680
3681         sid = tsec->sid;
3682         newsid = tsec->sockcreate_sid ?: sid;
3683
3684         secclass = socket_type_to_security_class(family, type, protocol);
3685         err = avc_has_perm(sid, newsid, secclass, SOCKET__CREATE, NULL);
3686
3687 out:
3688         return err;
3689 }
3690
3691 static int selinux_socket_post_create(struct socket *sock, int family,
3692                                       int type, int protocol, int kern)
3693 {
3694         const struct cred *cred = current_cred();
3695         const struct task_security_struct *tsec = cred->security;
3696         struct inode_security_struct *isec;
3697         struct sk_security_struct *sksec;
3698         u32 sid, newsid;
3699         int err = 0;
3700
3701         sid = tsec->sid;
3702         newsid = tsec->sockcreate_sid;
3703
3704         isec = SOCK_INODE(sock)->i_security;
3705
3706         if (kern)
3707                 isec->sid = SECINITSID_KERNEL;
3708         else if (newsid)
3709                 isec->sid = newsid;
3710         else
3711                 isec->sid = sid;
3712
3713         isec->sclass = socket_type_to_security_class(family, type, protocol);
3714         isec->initialized = 1;
3715
3716         if (sock->sk) {
3717                 sksec = sock->sk->sk_security;
3718                 sksec->sid = isec->sid;
3719                 sksec->sclass = isec->sclass;
3720                 err = selinux_netlbl_socket_post_create(sock);
3721         }
3722
3723         return err;
3724 }
3725
3726 /* Range of port numbers used to automatically bind.
3727    Need to determine whether we should perform a name_bind
3728    permission check between the socket and the port number. */
3729
3730 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3731 {
3732         u16 family;
3733         int err;
3734
3735         err = socket_has_perm(current, sock, SOCKET__BIND);
3736         if (err)
3737                 goto out;
3738
3739         /*
3740          * If PF_INET or PF_INET6, check name_bind permission for the port.
3741          * Multiple address binding for SCTP is not supported yet: we just
3742          * check the first address now.
3743          */
3744         family = sock->sk->sk_family;
3745         if (family == PF_INET || family == PF_INET6) {
3746                 char *addrp;
3747                 struct inode_security_struct *isec;
3748                 struct avc_audit_data ad;
3749                 struct sockaddr_in *addr4 = NULL;
3750                 struct sockaddr_in6 *addr6 = NULL;
3751                 unsigned short snum;
3752                 struct sock *sk = sock->sk;
3753                 u32 sid, node_perm;
3754
3755                 isec = SOCK_INODE(sock)->i_security;
3756
3757                 if (family == PF_INET) {
3758                         addr4 = (struct sockaddr_in *)address;
3759                         snum = ntohs(addr4->sin_port);
3760                         addrp = (char *)&addr4->sin_addr.s_addr;
3761                 } else {
3762                         addr6 = (struct sockaddr_in6 *)address;
3763                         snum = ntohs(addr6->sin6_port);
3764                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3765                 }
3766
3767                 if (snum) {
3768                         int low, high;
3769
3770                         inet_get_local_port_range(&low, &high);
3771
3772                         if (snum < max(PROT_SOCK, low) || snum > high) {
3773                                 err = sel_netport_sid(sk->sk_protocol,
3774                                                       snum, &sid);
3775                                 if (err)
3776                                         goto out;
3777                                 AVC_AUDIT_DATA_INIT(&ad, NET);
3778                                 ad.u.net.sport = htons(snum);
3779                                 ad.u.net.family = family;
3780                                 err = avc_has_perm(isec->sid, sid,
3781                                                    isec->sclass,
3782                                                    SOCKET__NAME_BIND, &ad);
3783                                 if (err)
3784                                         goto out;
3785                         }
3786                 }
3787
3788                 switch (isec->sclass) {
3789                 case SECCLASS_TCP_SOCKET:
3790                         node_perm = TCP_SOCKET__NODE_BIND;
3791                         break;
3792
3793                 case SECCLASS_UDP_SOCKET:
3794                         node_perm = UDP_SOCKET__NODE_BIND;
3795                         break;
3796
3797                 case SECCLASS_DCCP_SOCKET:
3798                         node_perm = DCCP_SOCKET__NODE_BIND;
3799                         break;
3800
3801                 default:
3802                         node_perm = RAWIP_SOCKET__NODE_BIND;
3803                         break;
3804                 }
3805
3806                 err = sel_netnode_sid(addrp, family, &sid);
3807                 if (err)
3808                         goto out;
3809
3810                 AVC_AUDIT_DATA_INIT(&ad, NET);
3811                 ad.u.net.sport = htons(snum);
3812                 ad.u.net.family = family;
3813
3814                 if (family == PF_INET)
3815                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3816                 else
3817                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3818
3819                 err = avc_has_perm(isec->sid, sid,
3820                                    isec->sclass, node_perm, &ad);
3821                 if (err)
3822                         goto out;
3823         }
3824 out:
3825         return err;
3826 }
3827
3828 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3829 {
3830         struct sock *sk = sock->sk;
3831         struct inode_security_struct *isec;
3832         int err;
3833
3834         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3835         if (err)
3836                 return err;
3837
3838         /*
3839          * If a TCP or DCCP socket, check name_connect permission for the port.
3840          */
3841         isec = SOCK_INODE(sock)->i_security;
3842         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3843             isec->sclass == SECCLASS_DCCP_SOCKET) {
3844                 struct avc_audit_data ad;
3845                 struct sockaddr_in *addr4 = NULL;
3846                 struct sockaddr_in6 *addr6 = NULL;
3847                 unsigned short snum;
3848                 u32 sid, perm;
3849
3850                 if (sk->sk_family == PF_INET) {
3851                         addr4 = (struct sockaddr_in *)address;
3852                         if (addrlen < sizeof(struct sockaddr_in))
3853                                 return -EINVAL;
3854                         snum = ntohs(addr4->sin_port);
3855                 } else {
3856                         addr6 = (struct sockaddr_in6 *)address;
3857                         if (addrlen < SIN6_LEN_RFC2133)
3858                                 return -EINVAL;
3859                         snum = ntohs(addr6->sin6_port);
3860                 }
3861
3862                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3863                 if (err)
3864                         goto out;
3865
3866                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3867                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3868
3869                 AVC_AUDIT_DATA_INIT(&ad, NET);
3870                 ad.u.net.dport = htons(snum);
3871                 ad.u.net.family = sk->sk_family;
3872                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3873                 if (err)
3874                         goto out;
3875         }
3876
3877         err = selinux_netlbl_socket_connect(sk, address);
3878
3879 out:
3880         return err;
3881 }
3882
3883 static int selinux_socket_listen(struct socket *sock, int backlog)
3884 {
3885         return socket_has_perm(current, sock, SOCKET__LISTEN);
3886 }
3887
3888 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3889 {
3890         int err;
3891         struct inode_security_struct *isec;
3892         struct inode_security_struct *newisec;
3893
3894         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3895         if (err)
3896                 return err;
3897
3898         newisec = SOCK_INODE(newsock)->i_security;
3899
3900         isec = SOCK_INODE(sock)->i_security;
3901         newisec->sclass = isec->sclass;
3902         newisec->sid = isec->sid;
3903         newisec->initialized = 1;
3904
3905         return 0;
3906 }
3907
3908 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3909                                   int size)
3910 {
3911         int rc;
3912
3913         rc = socket_has_perm(current, sock, SOCKET__WRITE);
3914         if (rc)
3915                 return rc;
3916
3917         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3918 }
3919
3920 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3921                                   int size, int flags)
3922 {
3923         return socket_has_perm(current, sock, SOCKET__READ);
3924 }
3925
3926 static int selinux_socket_getsockname(struct socket *sock)
3927 {
3928         return socket_has_perm(current, sock, SOCKET__GETATTR);
3929 }
3930
3931 static int selinux_socket_getpeername(struct socket *sock)
3932 {
3933         return socket_has_perm(current, sock, SOCKET__GETATTR);
3934 }
3935
3936 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3937 {
3938         int err;
3939
3940         err = socket_has_perm(current, sock, SOCKET__SETOPT);
3941         if (err)
3942                 return err;
3943
3944         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3945 }
3946
3947 static int selinux_socket_getsockopt(struct socket *sock, int level,
3948                                      int optname)
3949 {
3950         return socket_has_perm(current, sock, SOCKET__GETOPT);
3951 }
3952
3953 static int selinux_socket_shutdown(struct socket *sock, int how)
3954 {
3955         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3956 }
3957
3958 static int selinux_socket_unix_stream_connect(struct socket *sock,
3959                                               struct socket *other,
3960                                               struct sock *newsk)
3961 {
3962         struct sk_security_struct *ssec;
3963         struct inode_security_struct *isec;
3964         struct inode_security_struct *other_isec;
3965         struct avc_audit_data ad;
3966         int err;
3967
3968         isec = SOCK_INODE(sock)->i_security;
3969         other_isec = SOCK_INODE(other)->i_security;
3970
3971         AVC_AUDIT_DATA_INIT(&ad, NET);
3972         ad.u.net.sk = other->sk;
3973
3974         err = avc_has_perm(isec->sid, other_isec->sid,
3975                            isec->sclass,
3976                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3977         if (err)
3978                 return err;
3979
3980         /* connecting socket */
3981         ssec = sock->sk->sk_security;
3982         ssec->peer_sid = other_isec->sid;
3983
3984         /* server child socket */
3985         ssec = newsk->sk_security;
3986         ssec->peer_sid = isec->sid;
3987         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3988
3989         return err;
3990 }
3991
3992 static int selinux_socket_unix_may_send(struct socket *sock,
3993                                         struct socket *other)
3994 {
3995         struct inode_security_struct *isec;
3996         struct inode_security_struct *other_isec;
3997         struct avc_audit_data ad;
3998         int err;
3999
4000         isec = SOCK_INODE(sock)->i_security;
4001         other_isec = SOCK_INODE(other)->i_security;
4002
4003         AVC_AUDIT_DATA_INIT(&ad, NET);
4004         ad.u.net.sk = other->sk;
4005
4006         err = avc_has_perm(isec->sid, other_isec->sid,
4007                            isec->sclass, SOCKET__SENDTO, &ad);
4008         if (err)
4009                 return err;
4010
4011         return 0;
4012 }
4013
4014 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4015                                     u32 peer_sid,
4016                                     struct avc_audit_data *ad)
4017 {
4018         int err;
4019         u32 if_sid;
4020         u32 node_sid;
4021
4022         err = sel_netif_sid(ifindex, &if_sid);
4023         if (err)
4024                 return err;
4025         err = avc_has_perm(peer_sid, if_sid,
4026                            SECCLASS_NETIF, NETIF__INGRESS, ad);
4027         if (err)
4028                 return err;
4029
4030         err = sel_netnode_sid(addrp, family, &node_sid);
4031         if (err)
4032                 return err;
4033         return avc_has_perm(peer_sid, node_sid,
4034                             SECCLASS_NODE, NODE__RECVFROM, ad);
4035 }
4036
4037 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
4038                                                 struct sk_buff *skb,
4039                                                 struct avc_audit_data *ad,
4040                                                 u16 family,
4041                                                 char *addrp)
4042 {
4043         int err;
4044         struct sk_security_struct *sksec = sk->sk_security;
4045         u16 sk_class;
4046         u32 netif_perm, node_perm, recv_perm;
4047         u32 port_sid, node_sid, if_sid, sk_sid;
4048
4049         sk_sid = sksec->sid;
4050         sk_class = sksec->sclass;
4051
4052         switch (sk_class) {
4053         case SECCLASS_UDP_SOCKET:
4054                 netif_perm = NETIF__UDP_RECV;
4055                 node_perm = NODE__UDP_RECV;
4056                 recv_perm = UDP_SOCKET__RECV_MSG;
4057                 break;
4058         case SECCLASS_TCP_SOCKET:
4059                 netif_perm = NETIF__TCP_RECV;
4060                 node_perm = NODE__TCP_RECV;
4061                 recv_perm = TCP_SOCKET__RECV_MSG;
4062                 break;
4063         case SECCLASS_DCCP_SOCKET:
4064                 netif_perm = NETIF__DCCP_RECV;
4065                 node_perm = NODE__DCCP_RECV;
4066                 recv_perm = DCCP_SOCKET__RECV_MSG;
4067                 break;
4068         default:
4069                 netif_perm = NETIF__RAWIP_RECV;
4070                 node_perm = NODE__RAWIP_RECV;
4071                 recv_perm = 0;
4072                 break;
4073         }
4074
4075         err = sel_netif_sid(skb->iif, &if_sid);
4076         if (err)
4077                 return err;
4078         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4079         if (err)
4080                 return err;
4081
4082         err = sel_netnode_sid(addrp, family, &node_sid);
4083         if (err)
4084                 return err;
4085         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4086         if (err)
4087                 return err;
4088
4089         if (!recv_perm)
4090                 return 0;
4091         err = sel_netport_sid(sk->sk_protocol,
4092                               ntohs(ad->u.net.sport), &port_sid);
4093         if (unlikely(err)) {
4094                 printk(KERN_WARNING
4095                        "SELinux: failure in"
4096                        " selinux_sock_rcv_skb_iptables_compat(),"
4097                        " network port label not found\n");
4098                 return err;
4099         }
4100         return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4101 }
4102
4103 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4104                                        u16 family)
4105 {
4106         int err = 0;
4107         struct sk_security_struct *sksec = sk->sk_security;
4108         u32 peer_sid;
4109         u32 sk_sid = sksec->sid;
4110         struct avc_audit_data ad;
4111         char *addrp;
4112
4113         AVC_AUDIT_DATA_INIT(&ad, NET);
4114         ad.u.net.netif = skb->iif;
4115         ad.u.net.family = family;
4116         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4117         if (err)
4118                 return err;
4119
4120         if (selinux_compat_net)
4121                 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
4122                                                            family, addrp);
4123         else if (selinux_secmark_enabled())
4124                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4125                                    PACKET__RECV, &ad);
4126         if (err)
4127                 return err;
4128
4129         if (selinux_policycap_netpeer) {
4130                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4131                 if (err)
4132                         return err;
4133                 err = avc_has_perm(sk_sid, peer_sid,
4134                                    SECCLASS_PEER, PEER__RECV, &ad);
4135                 if (err)
4136                         selinux_netlbl_err(skb, err, 0);
4137         } else {
4138                 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4139                 if (err)
4140                         return err;
4141                 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4142         }
4143
4144         return err;
4145 }
4146
4147 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4148 {
4149         int err;
4150         struct sk_security_struct *sksec = sk->sk_security;
4151         u16 family = sk->sk_family;
4152         u32 sk_sid = sksec->sid;
4153         struct avc_audit_data ad;
4154         char *addrp;
4155         u8 secmark_active;
4156         u8 peerlbl_active;
4157
4158         if (family != PF_INET && family != PF_INET6)
4159                 return 0;
4160
4161         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4162         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4163                 family = PF_INET;
4164
4165         /* If any sort of compatibility mode is enabled then handoff processing
4166          * to the selinux_sock_rcv_skb_compat() function to deal with the
4167          * special handling.  We do this in an attempt to keep this function
4168          * as fast and as clean as possible. */
4169         if (selinux_compat_net || !selinux_policycap_netpeer)
4170                 return selinux_sock_rcv_skb_compat(sk, skb, family);
4171
4172         secmark_active = selinux_secmark_enabled();
4173         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4174         if (!secmark_active && !peerlbl_active)
4175                 return 0;
4176
4177         AVC_AUDIT_DATA_INIT(&ad, NET);
4178         ad.u.net.netif = skb->iif;
4179         ad.u.net.family = family;
4180         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4181         if (err)
4182                 return err;
4183
4184         if (peerlbl_active) {
4185                 u32 peer_sid;
4186
4187                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4188                 if (err)
4189                         return err;
4190                 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4191                                                peer_sid, &ad);
4192                 if (err) {
4193                         selinux_netlbl_err(skb, err, 0);
4194                         return err;
4195                 }
4196                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4197                                    PEER__RECV, &ad);
4198                 if (err)
4199                         selinux_netlbl_err(skb, err, 0);
4200         }
4201
4202         if (secmark_active) {
4203                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4204                                    PACKET__RECV, &ad);
4205                 if (err)
4206                         return err;
4207         }
4208
4209         return err;
4210 }
4211
4212 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4213                                             int __user *optlen, unsigned len)
4214 {
4215         int err = 0;
4216         char *scontext;
4217         u32 scontext_len;
4218         struct sk_security_struct *ssec;
4219         struct inode_security_struct *isec;
4220         u32 peer_sid = SECSID_NULL;
4221
4222         isec = SOCK_INODE(sock)->i_security;
4223
4224         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4225             isec->sclass == SECCLASS_TCP_SOCKET) {
4226                 ssec = sock->sk->sk_security;
4227                 peer_sid = ssec->peer_sid;
4228         }
4229         if (peer_sid == SECSID_NULL) {
4230                 err = -ENOPROTOOPT;
4231                 goto out;
4232         }
4233
4234         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4235
4236         if (err)
4237                 goto out;
4238
4239         if (scontext_len > len) {
4240                 err = -ERANGE;
4241                 goto out_len;
4242         }
4243
4244         if (copy_to_user(optval, scontext, scontext_len))
4245                 err = -EFAULT;
4246
4247 out_len:
4248         if (put_user(scontext_len, optlen))
4249                 err = -EFAULT;
4250
4251         kfree(scontext);
4252 out:
4253         return err;
4254 }
4255
4256 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4257 {
4258         u32 peer_secid = SECSID_NULL;
4259         u16 family;
4260
4261         if (skb && skb->protocol == htons(ETH_P_IP))
4262                 family = PF_INET;
4263         else if (skb && skb->protocol == htons(ETH_P_IPV6))
4264                 family = PF_INET6;
4265         else if (sock)
4266                 family = sock->sk->sk_family;
4267         else
4268                 goto out;
4269
4270         if (sock && family == PF_UNIX)
4271                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4272         else if (skb)
4273                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4274
4275 out:
4276         *secid = peer_secid;
4277         if (peer_secid == SECSID_NULL)
4278                 return -EINVAL;
4279         return 0;
4280 }
4281
4282 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4283 {
4284         return sk_alloc_security(sk, family, priority);
4285 }
4286
4287 static void selinux_sk_free_security(struct sock *sk)
4288 {
4289         sk_free_security(sk);
4290 }
4291
4292 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4293 {
4294         struct sk_security_struct *ssec = sk->sk_security;
4295         struct sk_security_struct *newssec = newsk->sk_security;
4296
4297         newssec->sid = ssec->sid;
4298         newssec->peer_sid = ssec->peer_sid;
4299         newssec->sclass = ssec->sclass;
4300
4301         selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4302 }
4303
4304 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4305 {
4306         if (!sk)
4307                 *secid = SECINITSID_ANY_SOCKET;
4308         else {
4309                 struct sk_security_struct *sksec = sk->sk_security;
4310
4311                 *secid = sksec->sid;
4312         }
4313 }
4314
4315 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4316 {
4317         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4318         struct sk_security_struct *sksec = sk->sk_security;
4319
4320         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4321             sk->sk_family == PF_UNIX)
4322                 isec->sid = sksec->sid;
4323         sksec->sclass = isec->sclass;
4324 }
4325
4326 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4327                                      struct request_sock *req)
4328 {
4329         struct sk_security_struct *sksec = sk->sk_security;
4330         int err;
4331         u16 family = sk->sk_family;
4332         u32 newsid;
4333         u32 peersid;
4334
4335         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4336         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4337                 family = PF_INET;
4338
4339         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4340         if (err)
4341                 return err;
4342         if (peersid == SECSID_NULL) {
4343                 req->secid = sksec->sid;
4344                 req->peer_secid = SECSID_NULL;
4345                 return 0;
4346         }
4347
4348         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4349         if (err)
4350                 return err;
4351
4352         req->secid = newsid;
4353         req->peer_secid = peersid;
4354         return 0;
4355 }
4356
4357 static void selinux_inet_csk_clone(struct sock *newsk,
4358                                    const struct request_sock *req)
4359 {
4360         struct sk_security_struct *newsksec = newsk->sk_security;
4361
4362         newsksec->sid = req->secid;
4363         newsksec->peer_sid = req->peer_secid;
4364         /* NOTE: Ideally, we should also get the isec->sid for the
4365            new socket in sync, but we don't have the isec available yet.
4366            So we will wait until sock_graft to do it, by which
4367            time it will have been created and available. */
4368
4369         /* We don't need to take any sort of lock here as we are the only
4370          * thread with access to newsksec */
4371         selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4372 }
4373
4374 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4375 {
4376         u16 family = sk->sk_family;
4377         struct sk_security_struct *sksec = sk->sk_security;
4378
4379         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4380         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4381                 family = PF_INET;
4382
4383         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4384
4385         selinux_netlbl_inet_conn_established(sk, family);
4386 }
4387
4388 static void selinux_req_classify_flow(const struct request_sock *req,
4389                                       struct flowi *fl)
4390 {
4391         fl->secid = req->secid;
4392 }
4393
4394 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4395 {
4396         int err = 0;
4397         u32 perm;
4398         struct nlmsghdr *nlh;
4399         struct socket *sock = sk->sk_socket;
4400         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4401
4402         if (skb->len < NLMSG_SPACE(0)) {
4403                 err = -EINVAL;
4404                 goto out;
4405         }
4406         nlh = nlmsg_hdr(skb);
4407
4408         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4409         if (err) {
4410                 if (err == -EINVAL) {
4411                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4412                                   "SELinux:  unrecognized netlink message"
4413                                   " type=%hu for sclass=%hu\n",
4414                                   nlh->nlmsg_type, isec->sclass);
4415                         if (!selinux_enforcing || security_get_allow_unknown())
4416                                 err = 0;
4417                 }
4418
4419                 /* Ignore */
4420                 if (err == -ENOENT)
4421                         err = 0;
4422                 goto out;
4423         }
4424
4425         err = socket_has_perm(current, sock, perm);
4426 out:
4427         return err;
4428 }
4429
4430 #ifdef CONFIG_NETFILTER
4431
4432 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4433                                        u16 family)
4434 {
4435         int err;
4436         char *addrp;
4437         u32 peer_sid;
4438         struct avc_audit_data ad;
4439         u8 secmark_active;
4440         u8 netlbl_active;
4441         u8 peerlbl_active;
4442
4443         if (!selinux_policycap_netpeer)
4444                 return NF_ACCEPT;
4445
4446         secmark_active = selinux_secmark_enabled();
4447         netlbl_active = netlbl_enabled();
4448         peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4449         if (!secmark_active && !peerlbl_active)
4450                 return NF_ACCEPT;
4451
4452         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4453                 return NF_DROP;
4454
4455         AVC_AUDIT_DATA_INIT(&ad, NET);
4456         ad.u.net.netif = ifindex;
4457         ad.u.net.family = family;
4458         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4459                 return NF_DROP;
4460
4461         if (peerlbl_active) {
4462                 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4463                                                peer_sid, &ad);
4464                 if (err) {
4465                         selinux_netlbl_err(skb, err, 1);
4466                         return NF_DROP;
4467                 }
4468         }
4469
4470         if (secmark_active)
4471                 if (avc_has_perm(peer_sid, skb->secmark,
4472                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4473                         return NF_DROP;
4474
4475         if (netlbl_active)
4476                 /* we do this in the FORWARD path and not the POST_ROUTING
4477                  * path because we want to make sure we apply the necessary
4478                  * labeling before IPsec is applied so we can leverage AH
4479                  * protection */
4480                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4481                         return NF_DROP;
4482
4483         return NF_ACCEPT;
4484 }
4485
4486 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4487                                          struct sk_buff *skb,
4488                                          const struct net_device *in,
4489                                          const struct net_device *out,
4490                                          int (*okfn)(struct sk_buff *))
4491 {
4492         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4493 }
4494
4495 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4496 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4497                                          struct sk_buff *skb,
4498                                          const struct net_device *in,
4499                                          const struct net_device *out,
4500                                          int (*okfn)(struct sk_buff *))
4501 {
4502         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4503 }
4504 #endif  /* IPV6 */
4505
4506 static unsigned int selinux_ip_output(struct sk_buff *skb,
4507                                       u16 family)
4508 {
4509         u32 sid;
4510
4511         if (!netlbl_enabled())
4512                 return NF_ACCEPT;
4513
4514         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4515          * because we want to make sure we apply the necessary labeling
4516          * before IPsec is applied so we can leverage AH protection */
4517         if (skb->sk) {
4518                 struct sk_security_struct *sksec = skb->sk->sk_security;
4519                 sid = sksec->sid;
4520         } else
4521                 sid = SECINITSID_KERNEL;
4522         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4523                 return NF_DROP;
4524
4525         return NF_ACCEPT;
4526 }
4527
4528 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4529                                         struct sk_buff *skb,
4530                                         const struct net_device *in,
4531                                         const struct net_device *out,
4532                                         int (*okfn)(struct sk_buff *))
4533 {
4534         return selinux_ip_output(skb, PF_INET);
4535 }
4536
4537 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4538                                                 int ifindex,
4539                                                 struct avc_audit_data *ad,
4540                                                 u16 family, char *addrp)
4541 {
4542         int err;
4543         struct sk_security_struct *sksec = sk->sk_security;
4544         u16 sk_class;
4545         u32 netif_perm, node_perm, send_perm;
4546         u32 port_sid, node_sid, if_sid, sk_sid;
4547
4548         sk_sid = sksec->sid;
4549         sk_class = sksec->sclass;
4550
4551         switch (sk_class) {
4552         case SECCLASS_UDP_SOCKET:
4553                 netif_perm = NETIF__UDP_SEND;
4554                 node_perm = NODE__UDP_SEND;
4555                 send_perm = UDP_SOCKET__SEND_MSG;
4556                 break;
4557         case SECCLASS_TCP_SOCKET:
4558                 netif_perm = NETIF__TCP_SEND;
4559                 node_perm = NODE__TCP_SEND;
4560                 send_perm = TCP_SOCKET__SEND_MSG;
4561                 break;
4562         case SECCLASS_DCCP_SOCKET:
4563                 netif_perm = NETIF__DCCP_SEND;
4564                 node_perm = NODE__DCCP_SEND;
4565                 send_perm = DCCP_SOCKET__SEND_MSG;
4566                 break;
4567         default:
4568                 netif_perm = NETIF__RAWIP_SEND;
4569                 node_perm = NODE__RAWIP_SEND;
4570                 send_perm = 0;
4571                 break;
4572         }
4573
4574         err = sel_netif_sid(ifindex, &if_sid);
4575         if (err)
4576                 return err;
4577         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4578                 return err;
4579
4580         err = sel_netnode_sid(addrp, family, &node_sid);
4581         if (err)
4582                 return err;
4583         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4584         if (err)
4585                 return err;
4586
4587         if (send_perm != 0)
4588                 return 0;
4589
4590         err = sel_netport_sid(sk->sk_protocol,
4591                               ntohs(ad->u.net.dport), &port_sid);
4592         if (unlikely(err)) {
4593                 printk(KERN_WARNING
4594                        "SELinux: failure in"
4595                        " selinux_ip_postroute_iptables_compat(),"
4596                        " network port label not found\n");
4597                 return err;
4598         }
4599         return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4600 }
4601
4602 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4603                                                 int ifindex,
4604                                                 u16 family)
4605 {
4606         struct sock *sk = skb->sk;
4607         struct sk_security_struct *sksec;
4608         struct avc_audit_data ad;
4609         char *addrp;
4610         u8 proto;
4611
4612         if (sk == NULL)
4613                 return NF_ACCEPT;
4614         sksec = sk->sk_security;
4615
4616         AVC_AUDIT_DATA_INIT(&ad, NET);
4617         ad.u.net.netif = ifindex;
4618         ad.u.net.family = family;
4619         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4620                 return NF_DROP;
4621
4622         if (selinux_compat_net) {
4623                 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4624                                                          &ad, family, addrp))
4625                         return NF_DROP;
4626         } else if (selinux_secmark_enabled()) {
4627                 if (avc_has_perm(sksec->sid, skb->secmark,
4628                                  SECCLASS_PACKET, PACKET__SEND, &ad))
4629                         return NF_DROP;
4630         }
4631
4632         if (selinux_policycap_netpeer)
4633                 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4634                         return NF_DROP;
4635
4636         return NF_ACCEPT;
4637 }
4638
4639 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4640                                          u16 family)
4641 {
4642         u32 secmark_perm;
4643         u32 peer_sid;
4644         struct sock *sk;
4645         struct avc_audit_data ad;
4646         char *addrp;
4647         u8 secmark_active;
4648         u8 peerlbl_active;
4649
4650         /* If any sort of compatibility mode is enabled then handoff processing
4651          * to the selinux_ip_postroute_compat() function to deal with the
4652          * special handling.  We do this in an attempt to keep this function
4653          * as fast and as clean as possible. */
4654         if (selinux_compat_net || !selinux_policycap_netpeer)
4655                 return selinux_ip_postroute_compat(skb, ifindex, family);
4656 #ifdef CONFIG_XFRM
4657         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4658          * packet transformation so allow the packet to pass without any checks
4659          * since we'll have another chance to perform access control checks
4660          * when the packet is on it's final way out.
4661          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4662          *       is NULL, in this case go ahead and apply access control. */
4663         if (skb->dst != NULL && skb->dst->xfrm != NULL)
4664                 return NF_ACCEPT;
4665 #endif
4666         secmark_active = selinux_secmark_enabled();
4667         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4668         if (!secmark_active && !peerlbl_active)
4669                 return NF_ACCEPT;
4670
4671         /* if the packet is being forwarded then get the peer label from the
4672          * packet itself; otherwise check to see if it is from a local
4673          * application or the kernel, if from an application get the peer label
4674          * from the sending socket, otherwise use the kernel's sid */
4675         sk = skb->sk;
4676         if (sk == NULL) {
4677                 switch (family) {
4678                 case PF_INET:
4679                         if (IPCB(skb)->flags & IPSKB_FORWARDED)
4680                                 secmark_perm = PACKET__FORWARD_OUT;
4681                         else
4682                                 secmark_perm = PACKET__SEND;
4683                         break;
4684                 case PF_INET6:
4685                         if (IP6CB(skb)->flags & IP6SKB_FORWARDED)
4686                                 secmark_perm = PACKET__FORWARD_OUT;
4687                         else
4688                                 secmark_perm = PACKET__SEND;
4689                         break;
4690                 default:
4691                         return NF_DROP;
4692                 }
4693                 if (secmark_perm == PACKET__FORWARD_OUT) {
4694                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4695                                 return NF_DROP;
4696                 } else
4697                         peer_sid = SECINITSID_KERNEL;
4698         } else {
4699                 struct sk_security_struct *sksec = sk->sk_security;
4700                 peer_sid = sksec->sid;
4701                 secmark_perm = PACKET__SEND;
4702         }
4703
4704         AVC_AUDIT_DATA_INIT(&ad, NET);
4705         ad.u.net.netif = ifindex;
4706         ad.u.net.family = family;
4707         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4708                 return NF_DROP;
4709
4710         if (secmark_active)
4711                 if (avc_has_perm(peer_sid, skb->secmark,
4712                                  SECCLASS_PACKET, secmark_perm, &ad))
4713                         return NF_DROP;
4714
4715         if (peerlbl_active) {
4716                 u32 if_sid;
4717                 u32 node_sid;
4718
4719                 if (sel_netif_sid(ifindex, &if_sid))
4720                         return NF_DROP;
4721                 if (avc_has_perm(peer_sid, if_sid,
4722                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4723                         return NF_DROP;
4724
4725                 if (sel_netnode_sid(addrp, family, &node_sid))
4726                         return NF_DROP;
4727                 if (avc_has_perm(peer_sid, node_sid,
4728                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4729                         return NF_DROP;
4730         }
4731
4732         return NF_ACCEPT;
4733 }
4734
4735 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4736                                            struct sk_buff *skb,
4737                                            const struct net_device *in,
4738                                            const struct net_device *out,
4739                                            int (*okfn)(struct sk_buff *))
4740 {
4741         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4742 }
4743
4744 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4745 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4746                                            struct sk_buff *skb,
4747                                            const struct net_device *in,
4748                                            const struct net_device *out,
4749                                            int (*okfn)(struct sk_buff *))
4750 {
4751         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4752 }
4753 #endif  /* IPV6 */
4754
4755 #endif  /* CONFIG_NETFILTER */
4756
4757 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4758 {
4759         int err;
4760
4761         err = cap_netlink_send(sk, skb);
4762         if (err)
4763                 return err;
4764
4765         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4766                 err = selinux_nlmsg_perm(sk, skb);
4767
4768         return err;
4769 }
4770
4771 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4772 {
4773         int err;
4774         struct avc_audit_data ad;
4775
4776         err = cap_netlink_recv(skb, capability);
4777         if (err)
4778                 return err;
4779
4780         AVC_AUDIT_DATA_INIT(&ad, CAP);
4781         ad.u.cap = capability;
4782
4783         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4784                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4785 }
4786
4787 static int ipc_alloc_security(struct task_struct *task,
4788                               struct kern_ipc_perm *perm,
4789                               u16 sclass)
4790 {
4791         struct ipc_security_struct *isec;
4792         u32 sid;
4793
4794         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4795         if (!isec)
4796                 return -ENOMEM;
4797
4798         sid = task_sid(task);
4799         isec->sclass = sclass;
4800         isec->sid = sid;
4801         perm->security = isec;
4802
4803         return 0;
4804 }
4805
4806 static void ipc_free_security(struct kern_ipc_perm *perm)
4807 {
4808         struct ipc_security_struct *isec = perm->security;
4809         perm->security = NULL;
4810         kfree(isec);
4811 }
4812
4813 static int msg_msg_alloc_security(struct msg_msg *msg)
4814 {
4815         struct msg_security_struct *msec;
4816
4817         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4818         if (!msec)
4819                 return -ENOMEM;
4820
4821         msec->sid = SECINITSID_UNLABELED;
4822         msg->security = msec;
4823
4824         return 0;
4825 }
4826
4827 static void msg_msg_free_security(struct msg_msg *msg)
4828 {
4829         struct msg_security_struct *msec = msg->security;
4830
4831         msg->security = NULL;
4832         kfree(msec);
4833 }
4834
4835 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4836                         u32 perms)
4837 {
4838         struct ipc_security_struct *isec;
4839         struct avc_audit_data ad;
4840         u32 sid = current_sid();
4841
4842         isec = ipc_perms->security;
4843
4844         AVC_AUDIT_DATA_INIT(&ad, IPC);
4845         ad.u.ipc_id = ipc_perms->key;
4846
4847         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4848 }
4849
4850 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4851 {
4852         return msg_msg_alloc_security(msg);
4853 }
4854
4855 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4856 {
4857         msg_msg_free_security(msg);
4858 }
4859
4860 /* message queue security operations */
4861 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4862 {
4863         struct ipc_security_struct *isec;
4864         struct avc_audit_data ad;
4865         u32 sid = current_sid();
4866         int rc;
4867
4868         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4869         if (rc)
4870                 return rc;
4871
4872         isec = msq->q_perm.security;
4873
4874         AVC_AUDIT_DATA_INIT(&ad, IPC);
4875         ad.u.ipc_id = msq->q_perm.key;
4876
4877         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4878                           MSGQ__CREATE, &ad);
4879         if (rc) {
4880                 ipc_free_security(&msq->q_perm);
4881                 return rc;
4882         }
4883         return 0;
4884 }
4885
4886 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4887 {
4888         ipc_free_security(&msq->q_perm);
4889 }
4890
4891 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4892 {
4893         struct ipc_security_struct *isec;
4894         struct avc_audit_data ad;
4895         u32 sid = current_sid();
4896
4897         isec = msq->q_perm.security;
4898
4899         AVC_AUDIT_DATA_INIT(&ad, IPC);
4900         ad.u.ipc_id = msq->q_perm.key;
4901
4902         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4903                             MSGQ__ASSOCIATE, &ad);
4904 }
4905
4906 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4907 {
4908         int err;
4909         int perms;
4910
4911         switch (cmd) {
4912         case IPC_INFO:
4913         case MSG_INFO:
4914                 /* No specific object, just general system-wide information. */
4915                 return task_has_system(current, SYSTEM__IPC_INFO);
4916         case IPC_STAT:
4917         case MSG_STAT:
4918                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4919                 break;
4920         case IPC_SET:
4921                 perms = MSGQ__SETATTR;
4922                 break;
4923         case IPC_RMID:
4924                 perms = MSGQ__DESTROY;
4925                 break;
4926         default:
4927                 return 0;
4928         }
4929
4930         err = ipc_has_perm(&msq->q_perm, perms);
4931         return err;
4932 }
4933
4934 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4935 {
4936         struct ipc_security_struct *isec;
4937         struct msg_security_struct *msec;
4938         struct avc_audit_data ad;
4939         u32 sid = current_sid();
4940         int rc;
4941
4942         isec = msq->q_perm.security;
4943         msec = msg->security;
4944
4945         /*
4946          * First time through, need to assign label to the message
4947          */
4948         if (msec->sid == SECINITSID_UNLABELED) {
4949                 /*
4950                  * Compute new sid based on current process and
4951                  * message queue this message will be stored in
4952                  */
4953                 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4954                                              &msec->sid);
4955                 if (rc)
4956                         return rc;
4957         }
4958
4959         AVC_AUDIT_DATA_INIT(&ad, IPC);
4960         ad.u.ipc_id = msq->q_perm.key;
4961
4962         /* Can this process write to the queue? */
4963         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4964                           MSGQ__WRITE, &ad);
4965         if (!rc)
4966                 /* Can this process send the message */
4967                 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4968                                   MSG__SEND, &ad);
4969         if (!rc)
4970                 /* Can the message be put in the queue? */
4971                 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4972                                   MSGQ__ENQUEUE, &ad);
4973
4974         return rc;
4975 }
4976
4977 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4978                                     struct task_struct *target,
4979                                     long type, int mode)
4980 {
4981         struct ipc_security_struct *isec;
4982         struct msg_security_struct *msec;
4983         struct avc_audit_data ad;
4984         u32 sid = task_sid(target);
4985         int rc;
4986
4987         isec = msq->q_perm.security;
4988         msec = msg->security;
4989
4990         AVC_AUDIT_DATA_INIT(&ad, IPC);
4991         ad.u.ipc_id = msq->q_perm.key;
4992
4993         rc = avc_has_perm(sid, isec->sid,
4994                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4995         if (!rc)
4996                 rc = avc_has_perm(sid, msec->sid,
4997                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4998         return rc;
4999 }
5000
5001 /* Shared Memory security operations */
5002 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5003 {
5004         struct ipc_security_struct *isec;
5005         struct avc_audit_data ad;
5006         u32 sid = current_sid();
5007         int rc;
5008
5009         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5010         if (rc)
5011                 return rc;
5012
5013         isec = shp->shm_perm.security;
5014
5015         AVC_AUDIT_DATA_INIT(&ad, IPC);
5016         ad.u.ipc_id = shp->shm_perm.key;
5017
5018         rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5019                           SHM__CREATE, &ad);
5020         if (rc) {
5021                 ipc_free_security(&shp->shm_perm);
5022                 return rc;
5023         }
5024         return 0;
5025 }
5026
5027 static void selinux_shm_free_security(struct shmid_kernel *shp)
5028 {
5029         ipc_free_security(&shp->shm_perm);
5030 }
5031
5032 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5033 {
5034         struct ipc_security_struct *isec;
5035         struct avc_audit_data ad;
5036         u32 sid = current_sid();
5037
5038         isec = shp->shm_perm.security;
5039
5040         AVC_AUDIT_DATA_INIT(&ad, IPC);
5041         ad.u.ipc_id = shp->shm_perm.key;
5042
5043         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5044                             SHM__ASSOCIATE, &ad);
5045 }
5046
5047 /* Note, at this point, shp is locked down */
5048 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5049 {
5050         int perms;
5051         int err;
5052
5053         switch (cmd) {
5054         case IPC_INFO:
5055         case SHM_INFO:
5056                 /* No specific object, just general system-wide information. */
5057                 return task_has_system(current, SYSTEM__IPC_INFO);
5058         case IPC_STAT:
5059         case SHM_STAT:
5060                 perms = SHM__GETATTR | SHM__ASSOCIATE;
5061                 break;
5062         case IPC_SET:
5063                 perms = SHM__SETATTR;
5064                 break;
5065         case SHM_LOCK:
5066         case SHM_UNLOCK:
5067                 perms = SHM__LOCK;
5068                 break;
5069         case IPC_RMID:
5070                 perms = SHM__DESTROY;
5071                 break;
5072         default:
5073                 return 0;
5074         }
5075
5076         err = ipc_has_perm(&shp->shm_perm, perms);
5077         return err;
5078 }
5079
5080 static int selinux_shm_shmat(struct shmid_kernel *shp,
5081                              char __user *shmaddr, int shmflg)
5082 {
5083         u32 perms;
5084
5085         if (shmflg & SHM_RDONLY)
5086                 perms = SHM__READ;
5087         else
5088                 perms = SHM__READ | SHM__WRITE;
5089
5090         return ipc_has_perm(&shp->shm_perm, perms);
5091 }
5092
5093 /* Semaphore security operations */
5094 static int selinux_sem_alloc_security(struct sem_array *sma)
5095 {
5096         struct ipc_security_struct *isec;
5097         struct avc_audit_data ad;
5098         u32 sid = current_sid();
5099         int rc;
5100
5101         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5102         if (rc)
5103                 return rc;
5104
5105         isec = sma->sem_perm.security;
5106
5107         AVC_AUDIT_DATA_INIT(&ad, IPC);
5108         ad.u.ipc_id = sma->sem_perm.key;
5109
5110         rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5111                           SEM__CREATE, &ad);
5112         if (rc) {
5113                 ipc_free_security(&sma->sem_perm);
5114                 return rc;
5115         }
5116         return 0;
5117 }
5118
5119 static void selinux_sem_free_security(struct sem_array *sma)
5120 {
5121         ipc_free_security(&sma->sem_perm);
5122 }
5123
5124 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5125 {
5126         struct ipc_security_struct *isec;
5127         struct avc_audit_data ad;
5128         u32 sid = current_sid();
5129
5130         isec = sma->sem_perm.security;
5131
5132         AVC_AUDIT_DATA_INIT(&ad, IPC);
5133         ad.u.ipc_id = sma->sem_perm.key;
5134
5135         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5136                             SEM__ASSOCIATE, &ad);
5137 }
5138
5139 /* Note, at this point, sma is locked down */
5140 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5141 {
5142         int err;
5143         u32 perms;
5144
5145         switch (cmd) {
5146         case IPC_INFO:
5147         case SEM_INFO:
5148                 /* No specific object, just general system-wide information. */
5149                 return task_has_system(current, SYSTEM__IPC_INFO);
5150         case GETPID:
5151         case GETNCNT:
5152         case GETZCNT:
5153                 perms = SEM__GETATTR;
5154                 break;
5155         case GETVAL:
5156         case GETALL:
5157                 perms = SEM__READ;
5158                 break;
5159         case SETVAL:
5160         case SETALL:
5161                 perms = SEM__WRITE;
5162                 break;
5163         case IPC_RMID:
5164                 perms = SEM__DESTROY;
5165                 break;
5166         case IPC_SET:
5167                 perms = SEM__SETATTR;
5168                 break;
5169         case IPC_STAT:
5170         case SEM_STAT:
5171                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5172                 break;
5173         default:
5174                 return 0;
5175         }
5176
5177         err = ipc_has_perm(&sma->sem_perm, perms);
5178         return err;
5179 }
5180
5181 static int selinux_sem_semop(struct sem_array *sma,
5182                              struct sembuf *sops, unsigned nsops, int alter)
5183 {
5184         u32 perms;
5185
5186         if (alter)
5187                 perms = SEM__READ | SEM__WRITE;
5188         else
5189                 perms = SEM__READ;
5190
5191         return ipc_has_perm(&sma->sem_perm, perms);
5192 }
5193
5194 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5195 {
5196         u32 av = 0;
5197
5198         av = 0;
5199         if (flag & S_IRUGO)
5200                 av |= IPC__UNIX_READ;
5201         if (flag & S_IWUGO)
5202                 av |= IPC__UNIX_WRITE;
5203
5204         if (av == 0)
5205                 return 0;
5206
5207         return ipc_has_perm(ipcp, av);
5208 }
5209
5210 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5211 {
5212         struct ipc_security_struct *isec = ipcp->security;
5213         *secid = isec->sid;
5214 }
5215
5216 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5217 {
5218         if (inode)
5219                 inode_doinit_with_dentry(inode, dentry);
5220 }
5221
5222 static int selinux_getprocattr(struct task_struct *p,
5223                                char *name, char **value)
5224 {
5225         const struct task_security_struct *__tsec;
5226         u32 sid;
5227         int error;
5228         unsigned len;
5229
5230         if (current != p) {
5231                 error = current_has_perm(p, PROCESS__GETATTR);
5232                 if (error)
5233                         return error;
5234         }
5235
5236         rcu_read_lock();
5237         __tsec = __task_cred(p)->security;
5238
5239         if (!strcmp(name, "current"))
5240                 sid = __tsec->sid;
5241         else if (!strcmp(name, "prev"))
5242                 sid = __tsec->osid;
5243         else if (!strcmp(name, "exec"))
5244                 sid = __tsec->exec_sid;
5245         else if (!strcmp(name, "fscreate"))
5246                 sid = __tsec->create_sid;
5247         else if (!strcmp(name, "keycreate"))
5248                 sid = __tsec->keycreate_sid;
5249         else if (!strcmp(name, "sockcreate"))
5250                 sid = __tsec->sockcreate_sid;
5251         else
5252                 goto invalid;
5253         rcu_read_unlock();
5254
5255         if (!sid)
5256                 return 0;
5257
5258         error = security_sid_to_context(sid, value, &len);
5259         if (error)
5260                 return error;
5261         return len;
5262
5263 invalid:
5264         rcu_read_unlock();
5265         return -EINVAL;
5266 }
5267
5268 static int selinux_setprocattr(struct task_struct *p,
5269                                char *name, void *value, size_t size)
5270 {
5271         struct task_security_struct *tsec;
5272         struct task_struct *tracer;
5273         struct cred *new;
5274         u32 sid = 0, ptsid;
5275         int error;
5276         char *str = value;
5277
5278         if (current != p) {
5279                 /* SELinux only allows a process to change its own
5280                    security attributes. */
5281                 return -EACCES;
5282         }
5283
5284         /*
5285          * Basic control over ability to set these attributes at all.
5286          * current == p, but we'll pass them separately in case the
5287          * above restriction is ever removed.
5288          */
5289         if (!strcmp(name, "exec"))
5290                 error = current_has_perm(p, PROCESS__SETEXEC);
5291         else if (!strcmp(name, "fscreate"))
5292                 error = current_has_perm(p, PROCESS__SETFSCREATE);
5293         else if (!strcmp(name, "keycreate"))
5294                 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5295         else if (!strcmp(name, "sockcreate"))
5296                 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5297         else if (!strcmp(name, "current"))
5298                 error = current_has_perm(p, PROCESS__SETCURRENT);
5299         else
5300                 error = -EINVAL;
5301         if (error)
5302                 return error;
5303
5304         /* Obtain a SID for the context, if one was specified. */
5305         if (size && str[1] && str[1] != '\n') {
5306                 if (str[size-1] == '\n') {
5307                         str[size-1] = 0;
5308                         size--;
5309                 }
5310                 error = security_context_to_sid(value, size, &sid);
5311                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5312                         if (!capable(CAP_MAC_ADMIN))
5313                                 return error;
5314                         error = security_context_to_sid_force(value, size,
5315                                                               &sid);
5316                 }
5317                 if (error)
5318                         return error;
5319         }
5320
5321         new = prepare_creds();
5322         if (!new)
5323                 return -ENOMEM;
5324
5325         /* Permission checking based on the specified context is
5326            performed during the actual operation (execve,
5327            open/mkdir/...), when we know the full context of the
5328            operation.  See selinux_bprm_set_creds for the execve
5329            checks and may_create for the file creation checks. The
5330            operation will then fail if the context is not permitted. */
5331         tsec = new->security;
5332         if (!strcmp(name, "exec")) {
5333                 tsec->exec_sid = sid;
5334         } else if (!strcmp(name, "fscreate")) {
5335                 tsec->create_sid = sid;
5336         } else if (!strcmp(name, "keycreate")) {
5337                 error = may_create_key(sid, p);
5338                 if (error)
5339                         goto abort_change;
5340                 tsec->keycreate_sid = sid;
5341         } else if (!strcmp(name, "sockcreate")) {
5342                 tsec->sockcreate_sid = sid;
5343         } else if (!strcmp(name, "current")) {
5344                 error = -EINVAL;
5345                 if (sid == 0)
5346                         goto abort_change;
5347
5348                 /* Only allow single threaded processes to change context */
5349                 error = -EPERM;
5350                 if (!is_single_threaded(p)) {
5351                         error = security_bounded_transition(tsec->sid, sid);
5352                         if (error)
5353                                 goto abort_change;
5354                 }
5355
5356                 /* Check permissions for the transition. */
5357                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5358                                      PROCESS__DYNTRANSITION, NULL);
5359                 if (error)
5360                         goto abort_change;
5361
5362                 /* Check for ptracing, and update the task SID if ok.
5363                    Otherwise, leave SID unchanged and fail. */
5364                 ptsid = 0;
5365                 task_lock(p);
5366                 tracer = tracehook_tracer_task(p);
5367                 if (tracer)
5368                         ptsid = task_sid(tracer);
5369                 task_unlock(p);
5370
5371                 if (tracer) {
5372                         error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5373                                              PROCESS__PTRACE, NULL);
5374                         if (error)
5375                                 goto abort_change;
5376                 }
5377
5378                 tsec->sid = sid;
5379         } else {
5380                 error = -EINVAL;
5381                 goto abort_change;
5382         }
5383
5384         commit_creds(new);
5385         return size;
5386
5387 abort_change:
5388         abort_creds(new);
5389         return error;
5390 }
5391
5392 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5393 {
5394         return security_sid_to_context(secid, secdata, seclen);
5395 }
5396
5397 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5398 {
5399         return security_context_to_sid(secdata, seclen, secid);
5400 }
5401
5402 static void selinux_release_secctx(char *secdata, u32 seclen)
5403 {
5404         kfree(secdata);
5405 }
5406
5407 #ifdef CONFIG_KEYS
5408
5409 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5410                              unsigned long flags)
5411 {
5412         const struct task_security_struct *tsec;
5413         struct key_security_struct *ksec;
5414
5415         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5416         if (!ksec)
5417                 return -ENOMEM;
5418
5419         tsec = cred->security;
5420         if (tsec->keycreate_sid)
5421                 ksec->sid = tsec->keycreate_sid;
5422         else
5423                 ksec->sid = tsec->sid;
5424
5425         k->security = ksec;
5426         return 0;
5427 }
5428
5429 static void selinux_key_free(struct key *k)
5430 {
5431         struct key_security_struct *ksec = k->security;
5432
5433         k->security = NULL;
5434         kfree(ksec);
5435 }
5436
5437 static int selinux_key_permission(key_ref_t key_ref,
5438                                   const struct cred *cred,
5439                                   key_perm_t perm)
5440 {
5441         struct key *key;
5442         struct key_security_struct *ksec;
5443         u32 sid;
5444
5445         /* if no specific permissions are requested, we skip the
5446            permission check. No serious, additional covert channels
5447            appear to be created. */
5448         if (perm == 0)
5449                 return 0;
5450
5451         sid = cred_sid(cred);
5452
5453         key = key_ref_to_ptr(key_ref);
5454         ksec = key->security;
5455
5456         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5457 }
5458
5459 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5460 {
5461         struct key_security_struct *ksec = key->security;
5462         char *context = NULL;
5463         unsigned len;
5464         int rc;
5465
5466         rc = security_sid_to_context(ksec->sid, &context, &len);
5467         if (!rc)
5468                 rc = len;
5469         *_buffer = context;
5470         return rc;
5471 }
5472
5473 #endif
5474
5475 static struct security_operations selinux_ops = {
5476         .name =                         "selinux",
5477
5478         .ptrace_may_access =            selinux_ptrace_may_access,
5479         .ptrace_traceme =               selinux_ptrace_traceme,
5480         .capget =                       selinux_capget,
5481         .capset =                       selinux_capset,
5482         .sysctl =                       selinux_sysctl,
5483         .capable =                      selinux_capable,
5484         .quotactl =                     selinux_quotactl,
5485         .quota_on =                     selinux_quota_on,
5486         .syslog =                       selinux_syslog,
5487         .vm_enough_memory =             selinux_vm_enough_memory,
5488
5489         .netlink_send =                 selinux_netlink_send,
5490         .netlink_recv =                 selinux_netlink_recv,
5491
5492         .bprm_set_creds =               selinux_bprm_set_creds,
5493         .bprm_committing_creds =        selinux_bprm_committing_creds,
5494         .bprm_committed_creds =         selinux_bprm_committed_creds,
5495         .bprm_secureexec =              selinux_bprm_secureexec,
5496
5497         .sb_alloc_security =            selinux_sb_alloc_security,
5498         .sb_free_security =             selinux_sb_free_security,
5499         .sb_copy_data =                 selinux_sb_copy_data,
5500         .sb_kern_mount =                selinux_sb_kern_mount,
5501         .sb_show_options =              selinux_sb_show_options,
5502         .sb_statfs =                    selinux_sb_statfs,
5503         .sb_mount =                     selinux_mount,
5504         .sb_umount =                    selinux_umount,
5505         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5506         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5507         .sb_parse_opts_str =            selinux_parse_opts_str,
5508
5509
5510         .inode_alloc_security =         selinux_inode_alloc_security,
5511         .inode_free_security =          selinux_inode_free_security,
5512         .inode_init_security =          selinux_inode_init_security,
5513         .inode_create =                 selinux_inode_create,
5514         .inode_link =                   selinux_inode_link,
5515         .inode_unlink =                 selinux_inode_unlink,
5516         .inode_symlink =                selinux_inode_symlink,
5517         .inode_mkdir =                  selinux_inode_mkdir,
5518         .inode_rmdir =                  selinux_inode_rmdir,
5519         .inode_mknod =                  selinux_inode_mknod,
5520         .inode_rename =                 selinux_inode_rename,
5521         .inode_readlink =               selinux_inode_readlink,
5522         .inode_follow_link =            selinux_inode_follow_link,
5523         .inode_permission =             selinux_inode_permission,
5524         .inode_setattr =                selinux_inode_setattr,
5525         .inode_getattr =                selinux_inode_getattr,
5526         .inode_setxattr =               selinux_inode_setxattr,
5527         .inode_post_setxattr =          selinux_inode_post_setxattr,
5528         .inode_getxattr =               selinux_inode_getxattr,
5529         .inode_listxattr =              selinux_inode_listxattr,
5530         .inode_removexattr =            selinux_inode_removexattr,
5531         .inode_getsecurity =            selinux_inode_getsecurity,
5532         .inode_setsecurity =            selinux_inode_setsecurity,
5533         .inode_listsecurity =           selinux_inode_listsecurity,
5534         .inode_getsecid =               selinux_inode_getsecid,
5535
5536         .file_permission =              selinux_file_permission,
5537         .file_alloc_security =          selinux_file_alloc_security,
5538         .file_free_security =           selinux_file_free_security,
5539         .file_ioctl =                   selinux_file_ioctl,
5540         .file_mmap =                    selinux_file_mmap,
5541         .file_mprotect =                selinux_file_mprotect,
5542         .file_lock =                    selinux_file_lock,
5543         .file_fcntl =                   selinux_file_fcntl,
5544         .file_set_fowner =              selinux_file_set_fowner,
5545         .file_send_sigiotask =          selinux_file_send_sigiotask,
5546         .file_receive =                 selinux_file_receive,
5547
5548         .dentry_open =                  selinux_dentry_open,
5549
5550         .task_create =                  selinux_task_create,
5551         .cred_free =                    selinux_cred_free,
5552         .cred_prepare =                 selinux_cred_prepare,
5553         .kernel_act_as =                selinux_kernel_act_as,
5554         .kernel_create_files_as =       selinux_kernel_create_files_as,
5555         .task_setpgid =                 selinux_task_setpgid,
5556         .task_getpgid =                 selinux_task_getpgid,
5557         .task_getsid =                  selinux_task_getsid,
5558         .task_getsecid =                selinux_task_getsecid,
5559         .task_setnice =                 selinux_task_setnice,
5560         .task_setioprio =               selinux_task_setioprio,
5561         .task_getioprio =               selinux_task_getioprio,
5562         .task_setrlimit =               selinux_task_setrlimit,
5563         .task_setscheduler =            selinux_task_setscheduler,
5564         .task_getscheduler =            selinux_task_getscheduler,
5565         .task_movememory =              selinux_task_movememory,
5566         .task_kill =                    selinux_task_kill,
5567         .task_wait =                    selinux_task_wait,
5568         .task_to_inode =                selinux_task_to_inode,
5569
5570         .ipc_permission =               selinux_ipc_permission,
5571         .ipc_getsecid =                 selinux_ipc_getsecid,
5572
5573         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5574         .msg_msg_free_security =        selinux_msg_msg_free_security,
5575
5576         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5577         .msg_queue_free_security =      selinux_msg_queue_free_security,
5578         .msg_queue_associate =          selinux_msg_queue_associate,
5579         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5580         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5581         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5582
5583         .shm_alloc_security =           selinux_shm_alloc_security,
5584         .shm_free_security =            selinux_shm_free_security,
5585         .shm_associate =                selinux_shm_associate,
5586         .shm_shmctl =                   selinux_shm_shmctl,
5587         .shm_shmat =                    selinux_shm_shmat,
5588
5589         .sem_alloc_security =           selinux_sem_alloc_security,
5590         .sem_free_security =            selinux_sem_free_security,
5591         .sem_associate =                selinux_sem_associate,
5592         .sem_semctl =                   selinux_sem_semctl,
5593         .sem_semop =                    selinux_sem_semop,
5594
5595         .d_instantiate =                selinux_d_instantiate,
5596
5597         .getprocattr =                  selinux_getprocattr,
5598         .setprocattr =                  selinux_setprocattr,
5599
5600         .secid_to_secctx =              selinux_secid_to_secctx,
5601         .secctx_to_secid =              selinux_secctx_to_secid,
5602         .release_secctx =               selinux_release_secctx,
5603
5604         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5605         .unix_may_send =                selinux_socket_unix_may_send,
5606
5607         .socket_create =                selinux_socket_create,
5608         .socket_post_create =           selinux_socket_post_create,
5609         .socket_bind =                  selinux_socket_bind,
5610         .socket_connect =               selinux_socket_connect,
5611         .socket_listen =                selinux_socket_listen,
5612         .socket_accept =                selinux_socket_accept,
5613         .socket_sendmsg =               selinux_socket_sendmsg,
5614         .socket_recvmsg =               selinux_socket_recvmsg,
5615         .socket_getsockname =           selinux_socket_getsockname,
5616         .socket_getpeername =           selinux_socket_getpeername,
5617         .socket_getsockopt =            selinux_socket_getsockopt,
5618         .socket_setsockopt =            selinux_socket_setsockopt,
5619         .socket_shutdown =              selinux_socket_shutdown,
5620         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5621         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5622         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5623         .sk_alloc_security =            selinux_sk_alloc_security,
5624         .sk_free_security =             selinux_sk_free_security,
5625         .sk_clone_security =            selinux_sk_clone_security,
5626         .sk_getsecid =                  selinux_sk_getsecid,
5627         .sock_graft =                   selinux_sock_graft,
5628         .inet_conn_request =            selinux_inet_conn_request,
5629         .inet_csk_clone =               selinux_inet_csk_clone,
5630         .inet_conn_established =        selinux_inet_conn_established,
5631         .req_classify_flow =            selinux_req_classify_flow,
5632
5633 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5634         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5635         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5636         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5637         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5638         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5639         .xfrm_state_free_security =     selinux_xfrm_state_free,
5640         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5641         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5642         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5643         .xfrm_decode_session =          selinux_xfrm_decode_session,
5644 #endif
5645
5646 #ifdef CONFIG_KEYS
5647         .key_alloc =                    selinux_key_alloc,
5648         .key_free =                     selinux_key_free,
5649         .key_permission =               selinux_key_permission,
5650         .key_getsecurity =              selinux_key_getsecurity,
5651 #endif
5652
5653 #ifdef CONFIG_AUDIT
5654         .audit_rule_init =              selinux_audit_rule_init,
5655         .audit_rule_known =             selinux_audit_rule_known,
5656         .audit_rule_match =             selinux_audit_rule_match,
5657         .audit_rule_free =              selinux_audit_rule_free,
5658 #endif
5659 };
5660
5661 static __init int selinux_init(void)
5662 {
5663         if (!security_module_enable(&selinux_ops)) {
5664                 selinux_enabled = 0;
5665                 return 0;
5666         }
5667
5668         if (!selinux_enabled) {
5669                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5670                 return 0;
5671         }
5672
5673         printk(KERN_INFO "SELinux:  Initializing.\n");
5674
5675         /* Set the security state for the initial task. */
5676         cred_init_security();
5677
5678         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5679                                             sizeof(struct inode_security_struct),
5680                                             0, SLAB_PANIC, NULL);
5681         avc_init();
5682
5683         secondary_ops = security_ops;
5684         if (!secondary_ops)
5685                 panic("SELinux: No initial security operations\n");
5686         if (register_security(&selinux_ops))
5687                 panic("SELinux: Unable to register with kernel.\n");
5688
5689         if (selinux_enforcing)
5690                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5691         else
5692                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5693
5694         return 0;
5695 }
5696
5697 void selinux_complete_init(void)
5698 {
5699         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5700
5701         /* Set up any superblocks initialized prior to the policy load. */
5702         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5703         spin_lock(&sb_lock);
5704         spin_lock(&sb_security_lock);
5705 next_sb:
5706         if (!list_empty(&superblock_security_head)) {
5707                 struct superblock_security_struct *sbsec =
5708                                 list_entry(superblock_security_head.next,
5709                                            struct superblock_security_struct,
5710                                            list);
5711                 struct super_block *sb = sbsec->sb;
5712                 sb->s_count++;
5713                 spin_unlock(&sb_security_lock);
5714                 spin_unlock(&sb_lock);
5715                 down_read(&sb->s_umount);
5716                 if (sb->s_root)
5717                         superblock_doinit(sb, NULL);
5718                 drop_super(sb);
5719                 spin_lock(&sb_lock);
5720                 spin_lock(&sb_security_lock);
5721                 list_del_init(&sbsec->list);
5722                 goto next_sb;
5723         }
5724         spin_unlock(&sb_security_lock);
5725         spin_unlock(&sb_lock);
5726 }
5727
5728 /* SELinux requires early initialization in order to label
5729    all processes and objects when they are created. */
5730 security_initcall(selinux_init);
5731
5732 #if defined(CONFIG_NETFILTER)
5733
5734 static struct nf_hook_ops selinux_ipv4_ops[] = {
5735         {
5736                 .hook =         selinux_ipv4_postroute,
5737                 .owner =        THIS_MODULE,
5738                 .pf =           PF_INET,
5739                 .hooknum =      NF_INET_POST_ROUTING,
5740                 .priority =     NF_IP_PRI_SELINUX_LAST,
5741         },
5742         {
5743                 .hook =         selinux_ipv4_forward,
5744                 .owner =        THIS_MODULE,
5745                 .pf =           PF_INET,
5746                 .hooknum =      NF_INET_FORWARD,
5747                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5748         },
5749         {
5750                 .hook =         selinux_ipv4_output,
5751                 .owner =        THIS_MODULE,
5752                 .pf =           PF_INET,
5753                 .hooknum =      NF_INET_LOCAL_OUT,
5754                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5755         }
5756 };
5757
5758 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5759
5760 static struct nf_hook_ops selinux_ipv6_ops[] = {
5761         {
5762                 .hook =         selinux_ipv6_postroute,
5763                 .owner =        THIS_MODULE,
5764                 .pf =           PF_INET6,
5765                 .hooknum =      NF_INET_POST_ROUTING,
5766                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5767         },
5768         {
5769                 .hook =         selinux_ipv6_forward,
5770                 .owner =        THIS_MODULE,
5771                 .pf =           PF_INET6,
5772                 .hooknum =      NF_INET_FORWARD,
5773                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5774         }
5775 };
5776
5777 #endif  /* IPV6 */
5778
5779 static int __init selinux_nf_ip_init(void)
5780 {
5781         int err = 0;
5782
5783         if (!selinux_enabled)
5784                 goto out;
5785
5786         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5787
5788         err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5789         if (err)
5790                 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5791
5792 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5793         err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5794         if (err)
5795                 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5796 #endif  /* IPV6 */
5797
5798 out:
5799         return err;
5800 }
5801
5802 __initcall(selinux_nf_ip_init);
5803
5804 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5805 static void selinux_nf_ip_exit(void)
5806 {
5807         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5808
5809         nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5810 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5811         nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5812 #endif  /* IPV6 */
5813 }
5814 #endif
5815
5816 #else /* CONFIG_NETFILTER */
5817
5818 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5819 #define selinux_nf_ip_exit()
5820 #endif
5821
5822 #endif /* CONFIG_NETFILTER */
5823
5824 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5825 static int selinux_disabled;
5826
5827 int selinux_disable(void)
5828 {
5829         extern void exit_sel_fs(void);
5830
5831         if (ss_initialized) {
5832                 /* Not permitted after initial policy load. */
5833                 return -EINVAL;
5834         }
5835
5836         if (selinux_disabled) {
5837                 /* Only do this once. */
5838                 return -EINVAL;
5839         }
5840
5841         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5842
5843         selinux_disabled = 1;
5844         selinux_enabled = 0;
5845
5846         /* Reset security_ops to the secondary module, dummy or capability. */
5847         security_ops = secondary_ops;
5848
5849         /* Unregister netfilter hooks. */
5850         selinux_nf_ip_exit();
5851
5852         /* Unregister selinuxfs. */
5853         exit_sel_fs();
5854
5855         return 0;
5856 }
5857 #endif